Encryption Laws Complicate Online Payment Security in China

Online payment processing in China represents a major opportunity for foreign-based financial services firms. However, as we discussed in our previous blog post, foreign-based financial services firms are required to follow strict regulations, as outlined by the People’s Bank of China (PBOC), making it more difficult for companies to enter the payment processing business in China.

These foreign-based companies are classified as critical information infrastructure (CII), meaning that these organizations store and process data that could threaten national security if it were disclosed, disabled, or damaged. One of the requirements for protecting this data properly requires these companies to maintain this data within mainland China. If it becomes necessary to send data overseas, there are stringent guidelines and authorization requirements they must meet. There are also significant penalties for sending data overseas without authorization. Under China’s cybersecurity laws, a company and its responsible personnel could be fined up to 100,000 yuan ($15,450 USD). If the offense is considered to be serious, the company could have its business license suspended or revoked and its website shut down. Therefore, online payment providers must establish data centers in China to store, process, and analyze sensitive information.

However, data localization isn’t enough to ensure security, other measures must also be taken. Generally, online transaction data is encrypted as it travels from an e-commerce site to an online payment processor and ultimately to the consumer’s financial institution or credit card account. However, China’s policies regarding encryption have long been complicated by the competing interests of commercial development and government control.

Understanding China’s Encryption Law

The competing interests between commercial development and government control have significantly changed with China’s new Encryption Law that went into effect in January 2020. This law replaced the complex regulations that controlled Chinese encryption products (foreign encryption products were strictly prohibited) and was designed to encourage the development of domestic technologies while allowing the government to monitor and access sensitive data.

When the new Chinese ​Encryption Law was introduced, most organizations were expecting it to further restrict any foreign encryption. It did exactly the opposite to everyone’s surprise by creating important distinctions between the encryption required in e-commerce and the encryption required to protect CII and state secrets. This encouraged foreign participation in the development of encryption technology. This step was necessary to continue developing China’s digital economy and leveraging other ground-breaking technologies, such as blockchain.

However, it is important to note that CII is excluded from these less stringent encryption requirements. CIIs must meet security requirements and be authorized by a government-designated institution. Therefore, third-party online payment providers have fewer options when it comes to encrypting transactions.

Certification from China Financial Certification Authority (CFCA)

The China Financial Certification Authority (CFCA) was established in 2000 through a joint venture between 13 commercial banks under the authority of the PBOC with the intention to accelerate e-commerce. The CFCA has been approved by the PBOC and State Information Security Administration to serve as a national certificate authority (CA) for the financial sector. CAs issue digital certificates that verify the ownership of public encryption keys and allow organizations to trust the corresponding private keys.

Rahi recommends that any financial services firms that intend on doing business in China obtain digital certificates from the CFCA and maintain their encryption keys within China. Although the CFCA does have monopoly power, its acceptance by the PBOC may help streamline security audits and ensure regulatory compliance.

The Rahi team has extensive experience assisting online payment providers in building data centers in China, passing security audits, and meeting data protection and business continuity requirements. Our experts are ready to help financial services firms develop a strategy and execute their Chinese initiatives. Contact us today to learn how to expand your business into China.