The Thai way of doing things | Bangkok Post: tech

Whether away of managing certain industries through threats of exclusion from bidding instead of proper rules, and seeing friends have to struggle juggling work with visa runs that benefit no one, the Thai way of doing things has often got me in bit of a mental pickle.

Why, why, why make things messier, harder and more complicated, when a little bit of common sense would do the job?

Is it a matter of lack of education or just the "mai pen rai" mentality that combines a powerful Somebody Else's Problem field with the concept of mind your own business?

Take, for instance, the use of credit cards. Issuers regularly offer discounts with their merchants for their cardholders, yet vendors in Thailand go to extreme lengths to avoid the two percent or so surcharge that banks levy.

Combine these two lines of thought and it is not uncommon to pay a bill at a restaurant, claim the discount by showing the credit card in question, and pay by cash anyway. Quite how this benefits the credit card issuing bank is unclear to me.

But worse is the way PCI is flaunted in this country. The payment card industry (from whence the PCI compliance standard gets its name) has gone to great lengths to make the credit card ecosystem secure.

Most of us are aware that the cards with their chips are secure, the acquiring terminals are hack-proof. The number on receipts are obfuscated so that a stray receipt will not open the door for fraud.

What we do not know is that PCI compliance puts in many more security checks for the company's IT systems, going as far as scanning the air for rogue access points and ensuring outbound mail does not have credit card information in it.

PCI came about when US retailer TJ Maxx's database was broken into and 45 million credit cards details were stolen.

PCI rules make the network and procedures secure so that such a theft should not happen again. Each data breach costs an average of $100-300 (3,110-9,330 baht) to rectify, taking into account the fraud and issuing new cards.

But while the big banks around the world are enforcing PCI compliance on their merchants, it is clear that Thai banks are not. PCI affects anyone with credit cards linked into their IT or POS system. Small vendors are pretty much free from PCI as they never store card data to begin with _ they only put the card in their credit card terminal, which transmits the data securely. If the terminal is PCI-compliant, they are pretty much in the clear.

But all too often in Thailand, the vendor will process the card, then take down card details on their POS system. This happened to me over the weekend at IT City and could only cringe when I saw them putting my card details into the POS PC.

Worse, I have used my card with smaller vendors and they asked for my ID card to photocopy. Raiding these vendors would then not only give criminals my credit card details but my address and date of birth, too.

Nokia Care centres also take down ID information, even if the customer is just buying an accessory.

Obviously they think that having ID means fraud does not happen, but by collecting all this information and keeping them in unaudited, probably not quite secure, servers, they are opening themselves up to data theft, identity theft and one big compensation bill. Not a comforting thought.

The sad thing is that nobody in Thailand seems to mind, yet many visiting foreigners, especially Europeans, seem to be genuinely concerned at the privacy risk.

The problem, I was told, lies with Thai banks. PCI _ the payment card industry _ requires banks to enforce PCI specifications on their merchants. But if the banks can choose not enforce PCI on their merchants if the cost is too high, and only then if there is a data breach, it is the banks who are liable to foot the bill.

Information is valuable, but storing it also is a risk. Why did the vendor need all my details in their database? I suppose the answer is "just because", that "obviously" they need the data in case there is a dispute or chargeback.

But if that were so, they could have just taken the transaction reference number instead. Having my ID in their system might sound like a good idea, but does it make sense on a macro level?

Does the lowering of fraud at the point of sale offset the increased fraud system-wide (nationwide) that comes from the ease of identity theft from hacking into that database?

How can providing my ID card to a website increase security? With that detail, the website can easily pretend to be me and register on another forum using my name. Obviously, the system has not been thought through.

Or, to take things to a silly level, I recently registered for an EZ Pass tollway electronic tag.

They asked for a copy of my ID, which I provided, but nowhere did they ask to see the original ID. Forging a blurry photocopy is much easier than forging (an already easy to forge) so-called "smart" ID card.

Or take another, more benign, example. When I top up my ToT 3G Sim on the 365 MVNO, they charge a number slightly less than the amount I want to top up. I then have to tell them how much that amount was. For instance, when refilling 200 baht, I am charged 199.06 baht and I have to tell them that the security code is 06.

The point is, this may make (some) sense for 365 and for its merchant bank, but does it benefit the system? Cashless societies make sense, with less idle cash and greater economic throughput, but the two percent fee makes people want to use cash instead, to the detriment for the economy on the whole.

Adding this verification step _ which is not uncommon in Thai e-commerce _ adds a huge drain on bank resources in the call centre. Who wins? Why can I not simply register a credit card like I can do on 3 or Virgin in the UK and have it top up my phone more or less automatically without all this fuss? It is the Thai way of doing things. It works, but it could work so much more efficiently.

On a non-IT note, the same could be said of the road system. Thailand has probably the most expensive, exquisitely built flyovers I have seen in the world. Anywhere else and they would just have a roundabout at a fraction of the cost and 10 times more efficient in guiding traffic. But because the people of Thailand do not (or refuse to) understand the principle right of way, because the police do not understand right of way, cheap, efficient roundabouts do not work and we have to have expensive, gridlocked flyovers instead.

The question is, does anyone even care that things could be better?

Why must we need a disaster to happen first to jolt people into doing things the right way, rather than the Thai way?