Welcome to our podcast series, Coffee with the Council. I'm Alicia Malone, Senior Manager of Public Relations for the PCI Security Standards Council. Today, we'll meet one of the Council's newest employees, our Regional Vice President of Asia-Pacific, Yew Kuann Cheng. Yew Kuann is based in Singapore and spent 15 years as the Senior Director of Risk, Strategy, and Operations in Asia-Pacific for Visa. Thank you for joining us today, Yew Kuann, and also welcome to the team.
Yew Kuann Cheng: Thank you so much for the introduction, Alicia. So excited to talk to you today. When I first met you in person in Toronto, I mentioned to you that I'm a long-time fan of your podcast, and in fact I did a quick check of all the episodes, and other than the podcast that was in Portuguese, which I don't understand, I've listened to every single one of your podcasts.
Alicia Malone: Well, thank you so much, Yew Kuann. That's quite a nice compliment and I'm so glad that you're a fan.
Yew Kuann Cheng: Very cool.
Alicia Malone: So, your new role as Regional Vice President of Asia-Pacific is also a new position at PCI Security Standards Council. Tell us a little about what this new role is, and what you've been hired to do.
Yew Kuann Cheng: Cool. Well, I think I've got the coolest job. And really that's because I get paid to engage with stakeholders across the payment ecosystem to talk about my favorite topics: data security, payments, and risk management. So, to answer your question, my role at the Council is to enhance payment account data security by raising awareness of what we do at the Council, as well as all the various PCI security standards that we develop. And also, all of the supporting services that we have available for everyone.
And, as you know, Alicia, it's a really exciting time in the payment ecosystem with data security making the news almost every day. And I think, you know, what is really making me excited about this new role is I get to share the latest trends from a vantage point, and also the best practices that I've learned from all of the various stakeholders, so that everybody can play their part and protect our payment ecosystem.
Alicia Malone: Your background is in payments with a long tenure at Visa. Can you describe your career path in this industry, and how it led you to PCI SSC?
Yew Kuann Cheng: Right. Well, you're right. I've been working for a really long time. All the time I've worked - 22 years I've counted - for various organizations in Singapore mostly specializing in payments, risk management, and cybersecurity. And as you mentioned, a large proportion of this - 15 very long years - was spent with Visa's Asia-Pacific Risk Management Team, based in Singapore.
And thankfully, with very supportive bosses, those 15 years were not all spent doing the same thing, right? I've had the opportunity to be exposed to a wide area of risk management activities, and the latest role that I had to undertake was as the Risk Account Executive for some of the largest and most dynamic acquirers in Asia-Pacific.
So aside from guiding these acquirers and their merchants through various risk-related matters, some of them included PCI DSS compliance topics, I used to head the IT Security Team at one of the Fintechs. So, I've gone through the compliance side of PCI DSS, and I've also gone through being an entity that was assessed for PCI DSS.
Alicia Malone: What kinds of trends are you seeing in the payment industry in the Asia-Pacific region? What are the opportunities, and what are the threats to payment security there?
Yew Kuann Cheng: Yeah, so, I guess anyone who's really following any media, be it on mainstream or social media, you will already notice the regular coverage of data compromises, ransomware, that are happening all around the world. And any good fraud or risk management professional would tell you that there's really no silver bullet. You can't implement just one solution and hope that the problem will go away.
But at the end of it, I really believe that with any good multi-layered strategy, the most critical layer is securing your crown jewels, right? And that's what PCI SSC aims to do, right? To secure the payment data. And this is done through various standards; they're well-known for PCI DSS and the various requirements help to secure payment data.
And something that I've learned since I've joined the Council, is how involved the community was to develop these standards. And they’re really not developed just by a group of people in the Council in isolation, right? So, something that I really hope to achieve is to get more Asia-Pacific stakeholders involved so that they can participate, and also guide the development and maintenance of the security standards.
I think at the end of the day, it's really up to organizations to embed security practices into their operations. As I've told one of the largest merchants in Asia-Pacific, you can't really start allocating budget to secure your data after your company appears in the headlines for the wrong reason, okay?
And this made me remember one of the panel discussions that I attended remotely for the European Community Meeting where Tracey Long - she's the Council's Vice President of Programs - and one of the statistics that she cited really jumped out at me, right? And in the pie chart that she showed, she highlighted that 50% of the data breaches were attributed to failures, specifically to PCI DSS's Requirement Six. And just in case you haven't memorized all of your twelve requirements, Alicia, it is, "To develop and maintain secure systems and applications." And in the same discussion that Tracey led, one of the PFIs - the PCI Forensic Investigators - I noted his name was Chris Hague and he's from Foregenix, the Divisional Head of Technical Services, and he said that one of the reasons, when they investigated some of these data breaches, was because systems were not patched, right?
So, often when systems are deployed - the same as we have to patch and update our iPhones regularly, our iPads regularly, and our tablets regularly, software systems have to be updated regularly, as well, right? So, this was one of the reasons he attributed for causing this large proportion of data breaches, just for this one requirement.
Alicia Malone: Those are all really good points, and I'm so glad that you've raised all of those issues. I think that those are valid points all around the world. Why is it important for PCI SSC to have dedicated representation, in a role like yours, in the Asia-Pacific region?
Yew Kuann Cheng: Right. Well, in my past role at Visa I've had the opportunity to support risk teams in various markets - the financial institutions in those markets. And something that I've always been reminded is every market is different, some of them more than others in their own complexities. So, by having somebody who's appreciative of these differences and complexities, I guess it really allows me to understand the challenges that the various stakeholders within Asia-Pacific are facing.
And, of course, having somebody in the time zone would allow a faster response. But having said that, you know, if somebody is planning to ask really technical questions about their HSMs, or how are they going about to encrypt their cryptographic key, I might need to ask for help from our subject matter experts in the other markets.
Alicia Malone: What are you most looking forward to in this new role?
Yew Kuann Cheng: Well, I think since I've joined something that I've really enjoyed is meeting colleagues and friends again, some of whom I've known for many, many years, and again, to talk about the favorite topics that I mentioned earlier: data security, payments, and risk management.
But, in addition, I think this new role has introduced me to many new friends in the industry and I really love meeting new people and having a chance to explore opportunities to help them secure payment data in their environment, and how the Council can help them from a security standard point of view.
Alicia Malone: So, PCI SSC's Asia-Pacific Forum is in just a couple of days. This will be an online event on November 16th. Can you talk to us about the importance of the Forum, and what you're hoping attendees will take away from it?
Yew Kuann Cheng: Right. Well, PCI SSC is a community, and AP Forum is one of many events that the Council holds to engage the various stakeholders so that we protect the ecosystem together. It will be online, as mentioned, given the different stages of COVID recovery in this part of the world - although many of the key markets in Japan have since opened up. And for all of the listeners of this podcast, do consider registering for the event, as I think that lots of useful information is going to be shared including top questions raised for PCI DSS v4.0; there's been a lot of interest in mobile payments and we have yet another acronym that we can pronounce: MPoC (Mobile Payments on COTS); and the various ways to engage with the Council.
There will also be deep dives into two key markets in Asia-Pacific: namely India and Japan. And, if you're interested, you can register by simply heading to the PCI SSC's website and the menu at the top, simply go to Events and register. It's really straightforward. And most importantly for people in Asia-Pacific, if you enjoy this work, the event is free this year.
Alicia Malone: And that is great news. So, Yew Kuann, outside of your day job, tell us a little about yourself. What kinds of things are you passionate about? What would you like others to know about you?
Yew Kuann Cheng: Right. Well, I'm a very hands-on dad - I'm very proud to say it - to two very lively teenagers, who always keep me very busy. And given that I was brought up by a single mother, I'm still figuring things out as I go along, but I guess when they were younger, I was able to change their diapers in the dark. After all, I was trained by the Singapore military to go for night combat missions.
But other than my kids, I am also the guardian of two dogs who are rescued. And this also forces me to take very regular walks every day and that's where I get to listen to your podcast, Alicia.
Alicia Malone: That's excellent! And I love your comment about your night combat missions. That's great.
Yew Kuann Cheng: It feels like that.
Alicia Malone: It really does.
Alicia Malone: And, of course, I would be remiss if I didn't ask you how you take your coffee! Or, if you're not a coffee drinker, what do you prefer instead?
Yew Kuann Cheng: Right. Well, when you visit Singapore, I have to introduce you to our local brewed coffee. It is roasted with different beans. The beans are called Robusta beans, which are stronger and more bitter. This is different from what Starbucks uses, which is Arabica beans.
I think what would be interesting for you when I eventually persuade you to come to Singapore, is to use the code words to order your coffee. So, for example, in any of the coffee shops, that you enter in Singapore, you will be able to order a cup of coffee without milk and without sugar, by simply giving the codename, Kopi O kosong, which is a dialect to say that you want coffee black and you want it empty, so which means no sugar.
Alicia Malone: Oh, I love this. And I definitely want to come visit you in Singapore. This sounds amazing.
Yew Kuann Cheng: Very cool.
Alicia Malone: Well, thank you so much for joining us on Coffee with the Council. It's been such a pleasure getting to know you and I look forward to working with you at the Council.