← AMS Home

🔐 Why Is Buying Anything Online in Korea So Painful?

One of the most digitally advanced countries on Earth still makes you install a security certificate to check out. Here's the actual regulatory history behind it.

🔬 The short version
The law requiring these certificates was officially repealed in 2015. Nine years later, most Korean banking and payment sites still require one anyway — because only a small, government-designated handful of institutions are licensed to issue them, and nobody with power over the system has an incentive to remove the requirement they profit from.

Korean original (covers more absurd Korean laws beyond payments): /absurd-laws

Stage 1 — the "real-name" signup requirement
Sign up for a Western website and you usually need an email address. Sign up for a Korean one and, historically, you'd be asked for your legal name, date of birth, gender, and phone number — sometimes even your national ID digits. Korea's "limited real-name verification" law was introduced in 2007. In 2012, the Constitutional Court ruled it unconstitutional; the underlying provisions were formally deleted from the law in 2014. But the habit never went away — most Korean sites kept collecting the same data anyway, out of pure institutional inertia.
That data pile became a liability — fast
In 2014, three major Korean card issuers — KB Kookmin Card, Lotte Card, and NH Nonghyup Card — were breached simultaneously. The leaked personal records exceeded 100 million — more records than Korea has people.
The certificate itself — a licensed, protected market
The security certificate you're forced to install and renew every year or two can only be issued by a small set of government-designated authorities (Korea Financial Telecommunications & Clearings Institute, Koscom, and a few others). New entrants can't just compete their way in — it's a licensing gate, not an open market. Users pay a renewal fee every few years and click through multiple authentication steps for a single bank transaction. Korean security researchers have long pointed out that these extra steps don't demonstrably make transactions safer — the friction is real, the security benefit is unproven.
When things do leak, the fine is a rounding error
Korea caps privacy-violation fines at 3% of related revenue. Compare what regulators elsewhere have actually charged the same companies for similar violations:
Korea — largest privacy fine ever (Google, 2022)
₩69.2B
≈ $50M
EU — Amazon (GDPR, 2021)
€746M
≈ $810M / ₩1.23T
US FTC — Meta/Facebook (2019)
$5.0B
≈ ₩6T, for leaking 87M users’ data
Same companies, comparable violations — the penalty isn't in a different range, it's a different order of magnitude. When the expected fine is smaller than the cost of fixing the underlying system, under-investing in security becomes the economically rational choice.
The bottom line:nothing about this is a law today. The real-name requirement was struck down in 2012. The certificate mandate was repealed in 2015. What's left is pure inertia plus a protected licensing market that a small number of institutions have no reason to dismantle — and a penalty structure too weak to force anyone to modernize. If you've ever given up trying to buy something from a Korean website with a foreign card, this is the regulatory fossil record of why.