A claim has been raised that the personal information of Korean consumers could be leaked to China through the payment devices that Toss (Viva Republica) has supplied to more than 200,000 stores nationwide. Unlike existing value-added network (VAN) companies, Toss manufactures its devices at the Chinese factory of a Chinese company. To manufacture the devices, the security keys used to encrypt or decrypt customer payment information are also sent to China, and critics say there is a risk these could be misused to leak personal information.

According to reporting compiled by ChosunBiz on the 22nd, Toss Place, the Toss subsidiary in charge of its offline payments business, has contracted SUNMI Technology in China to produce its payment devices. None of the existing VAN companies outsource device production to Chinese firms.

A payment device provided by Toss Place is on display. /Courtesy of Toss Place

Since the late 1980s, the VAN industry has reportedly continued to use domestic manufacturers as a measure to prevent customer information from being leaked overseas. Typically, a VAN company that outsources payment device production to a factory also hands over the company's unique "security key" to the factory. A security key is a type of algorithm needed to encrypt customer card information. Production is complete only after the factory installs various systems, such as the operating system (OS), as well as the security key on the device.

When a customer inserts a card into the payment device to make a purchase, the card information is transmitted via the VAN company to the card issuer. If the payment is approved through the card company's system, that information is sent back to the device and the payment is completed. The role of the security key is to encrypt customer information traveling between the payment device, the VAN company, and the card issuer so it is not hacked.

If this security key is misused, it becomes possible to decrypt and view customers' card information. A person identified as A, who worked as a programmer at a domestic VAN company for 18 years, said, "The security key is encrypted when it is sent to the factory, but that is meant to prepare for a situation where the security key leaks to a third party other than the VAN company and the factory," adding, "To install the security key on the device, you have to decrypt it no matter what, so in the production process someone among the factory staff inevitably sees the original security key." They added, "If the original security key is misused, customer payment information can be output in a decrypted state to a separate server and siphoned off."

ChosunBiz asked Toss multiple times whether Toss Place hands over security keys to the Chinese company, but Toss did not respond. The company also did not answer the question of whether anyone at the factory sees the original security key.

Other VAN companies also have to hand over security keys to factories. However, except for Toss, all produce their payment devices at domestic firms, so even if a security key leaks, it is easier for law enforcement to get involved. Naver Pay, which released a payment device late last year, is producing devices at a domestic company's factory in China, but is reportedly planning to shift production to a domestic factory this year.

Because VAN companies serve as an "information conduit" between customers and card issuers, they have long been targets for hackers. In 2017, a North Korean hacking group broke into automated teller machines (ATMs) at convenience stores and banks and stole 230,000 pieces of personal information from customers who used those machines.

When more than 100 million pieces of personal information were leaked in 2014 at three card companies—NH Nonghyup, KB Kookmin, and Lotte—VAN companies were identified as a major route of leakage. It was revealed at the time that employees sold customer personal information stored on servers to illegal credit information dealers for money.

Some warn that a "second Coupang incident" could erupt. The Coupang incident refers to a case in which a Chinese former Coupang employee exploited an externally leaked security key to steal more than 30 million pieces of personal information. A VAN industry official said, "Concerned about a potential leak of customer information, we asked Toss, and they responded along the lines of, 'There are Toss employees stationed in China, so there is no problem.'"

A Toss official said, "The Chinese company does not have access permissions to customer data." As for why it chose a Chinese company, the official said, "To secure a stable production system and cost competitiveness to meet market demand, we are using Chinese factories that have been verified as production bases," adding, "It is a very common choice for global manufacturers to use China as a major production hub."

※ This article has been translated by AI.