My trip to China in 2026 and the contrast between the streets of Shanghai or Shenzhen and those of Berlin or Paris (the difference is starker than ever)
During my trip to south east China and Hong Kong, I saw so much “clean tech” in China (excellent electric transportation, no or light traffic jams, e-scooters, e-payments) that seems missing from the West.
1. The “Low-Altitude Economy” (Drones & Flying Vehicles)
What I saw—personal flight vehicles (eVTOLs) and delivery drones—is the result of China officially designating the “Low-Altitude Economy” as a strategic growth pillar in its current 15th Five-Year Plan (2026–2030).
* China’s Approach: Beijing treats autonomous flight as inevitable. They have built massive “test cities” (like Shenzhen and Hangzhou) where drones delivered over 2.7 million packages in 2024 alone. New regulations taking effect in May 2026 provide a clear legal framework for air taxis and cargo drones to share the sky with passenger jets.
* Europe’s Approach: Europe prioritizes privacy and safety risk. While the EU has advanced drone laws (the STS-01/02 standards), they are so focused on “Visual Line of Sight” and preventing crashes that it makes widespread commercial use nearly impossible in dense cities.
2. E-Scooters and “Last-Mile” Dominance
The ubiquity of e-scooters and electric delivery bikes in China is driven by a massive, vertically integrated manufacturing base.
* Scale: China’s e-scooter market is currently valued at over $10 billion. Because they make the batteries (CATL, BYD) and the motors locally, a high-quality electric scooter in China can cost a fraction of what it does in Europe.
* Infrastructure: While European cities are still debating where to park rental scooters, Chinese cities have largely integrated them into the “gig economy” (apps like Meituan), making them the primary tool for almost all urban logistics
What Trump Tariff Actions Means for PCI, Supply-Chain Risk, and Cyber Regulation
China is running historically large trade surpluses, while the United States—most visibly under Donald Trump and increasingly across party lines—has embraced tariffs and trade restrictions
The return of old thinking has direct and often underestimated consequences for cyber-security frameworks, payment security, and regulatory compliance. When trade policy becomes a tool of state power, supply chains fragment, technology stacks regional, and risk models based on global availability quietly break.
Supply Chains Are Becoming Less Transparent—and More Political
Traditional PCI risk assessments assume relatively stable supplier relationships and predictable sourcing paths. Tariffs, export controls, and retaliatory trade measures disrupt this assumption. Hardware components, payment terminals, encryption, networking gear, and even cloud infrastructure suddenly become sourced from other vendors under political pressure rather than security preference.
This increases:
Third-party risk concentration
Reduced ability to perform meaningful vendor due diligence
Hidden jurisdictional risks, especially where sanctions or controls change rapidly
In a merchant environment, suppliers are selected for national alignment rather than security maturity.
Risk Becomes a Tool of Economic Competition
As countries weaponize trade, pressure increasingly follows. Export bans, technology restrictions, and sanctions create:
Intellectual property theft
Supply-chain tampering
Targeted cyber espionage against regulated industries
Pressure on foreign vendors operating in hostile jurisdictions
For organizations operating PCI-scoped environments, this means the threat model itself is shifting. Attackers are not only criminals seeking card data; in some cases they are state-aligned actors targeting infrastructure, vendors, or trust relationships.
PCI controls such as segmentation, monitoring, logging, and vendor management were designed for financial crime—but are now implicitly defending against geopolitical risk.
Regulatory Convergence: PCI, DORA, NIS2, and Trade Policy
Regulators are beginning to respond to this reality. Frameworks such as DORA (Digital Operational Resilience Act) and NIS2 in Europe explicitly address third-party dependency, operational resilience, and systemic risk—concepts that align closely with mercantile concerns about control and sovereignty.
PCI DSS does not exist in isolation anymore. Organizations are increasingly expected to:
Demonstrate resilience, not just compliance
Understand where their technology comes from
Prove they can operate securely under disruption scenarios
Show that outsourcing does not mean outsourcing accountability
Trade policy and cyber regulation are converging around the same principle: critical systems must remain trustworthy under stress.
The Strategic Shift: From Cost Optimization to Control
For years, global supply chains were optimized for cost and efficiency. The new environment prioritizes control, traceability, and political reliability. This has practical implications for PCI programs:
More scrutiny on hardware
Increased emphasis on vendor exit strategies
Stronger requirements for inventory accuracy and asset tracking
Greater regulatory interest in concentration risk
Security teams are being asked to solve problems that are no longer purely technical—they are geopolitical.
Final Thought: PCI as a Strategic Discipline
In a mercantile world, PCI compliance is no longer just about passing an audit or avoiding fines. It is part of a broader strategy to maintain trust, continuity, and control in an increasingly fragmented global system.
Organizations that still treat PCI DSS as a checkbox exercise find themselves compliant—but operationally exposed. Those that integrate PCI, supply-chain governance, and cyber-resilience into a single risk framework will be better positioned for the next phase of global economic realignment.
In today’s environment, payment security is no longer just about protecting card data—it is about protecting sovereignty, stability, and trust across borders.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Privacy policy
