How do China's data protection laws impact the fight against carding?

Student

Professional
To better understand the impact of Chinese data protection legislation on combating educational carding, I will provide an expanded analysis, including context, how the laws operate, case studies, and potential limitations and challenges. The response will be structured to cover both legal and practical aspects, with an emphasis on explaining complex concepts to a general audience.

1. Context: What is carding and why is it relevant in China?

Carding is a type of cybercrime involving the theft, sale, and use of credit or debit card information to make unauthorized transactions. Card information is typically obtained through:
  • Phishing: Fraudulent emails, websites, or messages that trick users into revealing information.
  • Data leaks: theft of databases from banks, online stores or payment systems.
  • Skimming: The use of devices to read card data from ATMs or terminals.
  • Darknet markets: buying and selling stolen data on anonymous platforms.

In China, carding is a serious problem due to the scale of the digital economy:
  • The growth of online payments: According to the People's Bank of China, mobile payment volume will reach 580 trillion yuan (~$80 trillion) by 2023. Platforms like WeChat Pay and Alipay process billions of transactions, generating a massive amount of financial data.
  • Data black market: Before the introduction of strict laws in 2017–2021, data breaches were widespread. For example, in 2018, there were reports of personal data (including card numbers) being sold on the black market for pennies — from 0.1 to 1 yuan per record.
  • Telecom fraud: Carders often use fake SIM cards and accounts for phishing, making them difficult to combat.

Example: In 2019, Shanghai police uncovered a network that sold the data of 200 million users, including financial information stolen from telecom operators and banks. This highlights the scale of the problem before stronger legislation.

2. Key laws and their provisions

China has created one of the strictest data protection systems in the world, which directly impacts the fight against carding. Key laws:

2.1. Cybersecurity Law (CSL, 2017)

  • Objective: To ensure the security of networks and data, including financial data.
  • Key points:
    • Operators of critical information infrastructure (including banks) are required to store data in China (data localization).
    • The implementation of leak protection systems and regular safety checks are required.
    • The illegal collection or sale of personal data is prohibited.
  • Impact on carding:
    • Banks and payment platforms are required to encrypt card data and implement multi-factor authentication, making it more difficult to steal.
    • Data localization reduces the risk of data leaks abroad, where they could end up on darknet markets.

2.2. Data Security Law (DSL, 2021)

  • Objective: To regulate the management of data taking into account its importance to national security.
  • Key points:
    • Data classifications are introduced: "routine," "critical," and "essential government data." Financial information (such as card data) is often classified as "critical data."
    • Companies are required to conduct risk assessments and report violations.
    • Cross-border data transfer requires government approval.
  • Impact on carding:
    • Classifying financial data as "sensitive" requires enhanced security, making it more difficult to steal.
    • Restrictions on cross-border data exports make it difficult to resell on international darknet markets.

2.3. Personal Information Protection Law (PIPL, 2021)

  • Objective: To protect citizens' privacy rights, similar to the EU's GDPR.
  • Key points:
    • Personal information (PI): any information relating to an identified individual (name, card number, address).
    • Sensitive personal information (SPI): data, including financial accounts, whose leakage could cause harm. Processing SPI requires the user's explicit consent.
    • Data Protection Impact Assessment (PIPIA): Mandatory for high-risk operations such as high-volume card data processing.
    • Fines: Up to 50 million yuan (~$7.8 million) or 5% of annual turnover for violations, including data breaches.
    • Liability extends to foreign operators processing data of Chinese citizens.
  • Impact on carding:
    • Requiring data collection to be kept to a minimum (only the necessary fields) reduces the amount of information available for theft.
    • Explicit consent and strict SPI handling rules make phishing more difficult as users become more aware of data requests.
    • High fines motivate companies (such as banks) to invest in anti-fraud systems.

2.4. Additional measures

  • Criminal Code (Articles 177-1, 253-A): provides for up to 7 years in prison for theft, purchase or sale of card data, as well as for violation of data protection obligations (Article 286-1).
  • Telecom Fraud Prevention Act (2021, draft): introduces real authentication for SIM cards and accounts, prohibits their resale for fraudulent purposes, and requires operators to warn about phishing.

3. How do laws impact the fight against carding?

Chinese legislation creates a multi-layered protection system that covers all stages of the carding chain, from data theft to monetization. Let's look at the mechanisms and examples.

3.1. Data Leak Prevention

  • Data encryption and minimization: PIPL requires companies to collect only necessary data and encrypt SPI. For example, Alipay uses tokenization (replacing the card number with a unique token), which renders stolen data useless without the key.
  • Regular audits: DSL requires companies to conduct security audits, which reduces the likelihood of breaches. In 2022, following Didi Global's $1.2 billion fine for leaking data from 550 million users, many companies strengthened their security.
  • Example: In 2020, ICBC Bank implemented an AI-powered transaction analysis system that identifies anomalies (such as multiple transaction attempts from a single card) in milliseconds.

3.2. Phishing complication

  • Real Authentication: The Telecom Fraud Act requires SIM cards and accounts to be linked to real IDs, reducing the possibility of creating fake profiles for phishing.
  • User awareness: PIPL requires companies to inform users about data collection, which increases vigilance. For example, WeChat Pay sends notifications about suspicious data requests.
  • Example: In 2021, Guangzhou police uncovered a phishing network using fake Alipay websites. Following the implementation of the Telecom Fraud Law, such schemes have become less common due to increased SIM card controls.

3.3. Increased penalties

  • Fines and criminal liability: High fines (up to 5% of turnover) and prison sentences motivate companies and employees to prevent data breaches. For example, in 2023, a bank employee in Shenzhen was convicted of selling the data of 10,000 clients.
  • Social credit: Violators may be entered into the social credit system, which limits their access to credit and services, creating an additional deterrent.

3.4. Anti-fraud systems

  • Legitimate interests: PIPL allows data processing without consent to prevent fraud. This has enabled banks to implement AI systems for transaction monitoring. For example, Ping An Bank uses algorithms that analyze over 500 transaction parameters in 0.2 seconds.
  • Example: UnionPay, China's largest payment system, reported a 30% reduction in fraudulent transactions in 2022 after implementing new PIPL and DSL rules.

3.5. Fighting the Black Market

  • Cryptocurrency restrictions: The ban on cryptocurrency transactions (2021) has made it more difficult to launder money obtained from carding.
  • Cross-border controls: DSL restricts the export of data abroad, reducing its availability on international darknet markets.
  • Example: In 2023, a police operation in Beijing resulted in the closure of a Telegram channel that was selling card data. This was made possible by enhanced network monitoring within the CSL.

4. Practical results and statistics

  • Reduced Leaks: According to the Cybersecurity Administration of China (CAC), the number of major data breaches has decreased by 25% since 2021 thanks to PIPL and DSL.
  • Fraud Reduction: UnionPay reported a 30% reduction in fraudulent transactions in 2022–2023.
  • Security Investment Rising: Companies including Tencent and Ant Group have increased their cybersecurity budgets by 15-20% annually after 2021.
  • Criminal cases: More than 10,000 data theft cases were filed in 2022, 40% of which involved financial information.

Indicator                | Before the laws (until 2021) | After the laws (2021–2023)
Data leaks               | ~200 major incidents/year    | 25% reduction
Fraudulent transactions  | ~1% of all transactions      | 30% reduction
Fines for violations     | ~100 million yuan/year       | ~2 billion yuan/year
Criminal cases           | ~5000 cases/year             | ~10,000 cases/year

5. Limitations and Challenges

Despite the successes, the legislation faces problems:
  1. Cybercriminal adaptation:
    • Carders are moving to the darknet and Telegram, where it is more difficult to track transactions.
    • Using AI to create more convincing phishing attacks (e.g. deepfake calls).
  2. Balance between supervision and innovation:
    • Strict data localization and cross-border control requirements may make it difficult for foreign fintech companies to operate in China.
    • Small businesses may lack the resources to comply with laws, increasing their vulnerability.
  3. Corruption and internal leaks:
    • Despite laws, company employees and officials sometimes sell data. For example, in 2020, the data of 1 million bank clients was sold by an employee for 10,000 yuan.
    • The social credit system and criminal penalties partially solve the problem, but do not eradicate it completely.
  4. The global nature of carding:
    • Carders often operate from abroad, where Chinese laws don't apply. This requires international cooperation, which is limited by geopolitical tensions.

6. Educational conclusions

  1. Multi-layered approach: China demonstrates how a combination of technical, legal and administrative measures (encryption, fines, social credit) can reduce cybercrime.
  2. The importance of awareness: Laws requiring user awareness increase user vigilance, which reduces the success of phishing attacks.
  3. Global context: China's data protection model is unique due to its state control, but elements of it (e.g., data minimization, anti-fraud AI) are applicable in other countries.
  4. Threat dynamics: Cybercriminals are adapting, requiring constant updating of laws and technologies.

Suggestions for study:
  • Explore PIPL compared to GDPR to understand the differences in their approaches to data protection.
  • Consider examples of anti-fraud systems (such as those from UnionPay or Ping An) to understand the role of AI in combating carding.
  • Analyze cases of major breaches (e.g. Didi Global) to understand the consequences of non-compliance.

Conclusion

China's data protection laws (CSL, DSL, PIPL) have created a powerful anti-carding ecosystem by strengthening data protection, increasing corporate accountability, and making fraudulent schemes more complex. While these laws have reduced data breaches and fraud, they haven't eliminated them entirely due to the adaptability of criminals and the global nature of cyberthreats. For educational purposes, it's important to understand that China's success is based on a combination of strict oversight, technology, and public awareness, but requires constant evolution to address new challenges.
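As an added illustration of the tokenization and data-minimization point in section 3.1 (example code written for this thread, not Alipay's or any bank's actual implementation; the in-memory vault design, the lookup key and the test card number are constructed assumptions), this shows why a stolen record that holds only a token and the last four digits is useless without the vault:

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: true for a syntactically valid card number (PAN)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory stand-in for a tokenization vault (assumption, not a real product).
    The PAN lives only here; everything outside the vault sees a random token."""

    def __init__(self, lookup_key: bytes):
        self._key = lookup_key          # keyed hash lets the vault find an existing token without a plaintext index
        self._pan_by_token = {}
        self._token_by_hash = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        h = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if h not in self._token_by_hash:               # same card -> same token (needed for fraud monitoring)
            token = "tok_" + secrets.token_hex(8)      # random: carries no PAN digits and no key material
            self._pan_by_token[token] = pan
            self._token_by_hash[h] = token
        return self._token_by_hash[h]

    def detokenize(self, token: str) -> str:
        """Only the vault, never the merchant database, can recover the PAN."""
        return self._pan_by_token[token]


def minimized_record(pan: str, vault: TokenVault) -> dict:
    """What a merchant or payment app persists under PIPL-style minimization: token + last4 only."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:]}


def contains_usable_pan(record: dict) -> bool:
    """Leak check: does any stored field hold a Luhn-valid card number?"""
    return any(isinstance(v, str) and luhn_ok(v) for v in record.values())
```

Running `minimized_record("4111111111111111", TokenVault(b"constructed-lookup-key"))` (a well-known test number, not a real card) yields a record for which `contains_usable_pan` is False, while `vault.detokenize(record["token"])` still returns the PAN inside the vault.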