Stage 1 — the "real-name" signup requirement
Sign up for a Western website and you usually need an email address. Sign up for a Korean one and, historically, you'd be asked for your legal name, date of birth, gender, and phone number — sometimes even your national ID digits. Korea's "limited real-name verification" law was introduced in 2007. In 2012, the Constitutional Court ruled it unconstitutional; the underlying provisions were formally deleted from the law in 2014. But the habit never went away — most Korean sites kept collecting the same data anyway, out of pure institutional inertia.
That data pile became a liability — fast
In 2014, three major Korean card issuers — KB Kookmin Card, Lotte Card, and NH Nonghyup Card — were breached simultaneously. The leaked personal records exceeded 100 million — more records than Korea has people.
The certificate itself — a licensed, protected market
The security certificate you're forced to install and renew every year or two can only be issued by a small set of government-designated authorities (Korea Financial Telecommunications & Clearings Institute, Koscom, and a few others). New entrants can't just compete their way in — it's a licensing gate, not an open market. Users pay a renewal fee every few years and click through multiple authentication steps for a single bank transaction. Korean security researchers have long pointed out that these extra steps don't demonstrably make transactions safer — the friction is real, the security benefit is unproven.
When things do leak, the fine is a rounding error
Korea caps privacy-violation fines at 3% of related revenue. Compare what regulators elsewhere have actually charged the same companies for similar violations:
Korea — largest privacy fine ever (Google, 2022)
₩69.2B
≈ $50M
EU — Amazon (GDPR, 2021)
€746M
≈ $810M / ₩1.23T
US FTC — Meta/Facebook (2019)
$5.0B
≈ ₩6T, for leaking 87M users’ data
Same companies, comparable violations — the penalty isn't in a different range, it's a different order of magnitude. When the expected fine is smaller than the cost of fixing the underlying system, under-investing in security becomes the economically rational choice.
The bottom line:nothing about this is a law today. The real-name requirement was struck down in 2012. The certificate mandate was repealed in 2015. What's left is pure inertia plus a protected licensing market that a small number of institutions have no reason to dismantle — and a penalty structure too weak to force anyone to modernize. If you've ever given up trying to buy something from a Korean website with a foreign card, this is the regulatory fossil record of why.