Bank card breach 'under control'

By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 12 Nov 2012

While hundreds of thousands of individuals' bank cards stand at risk of having been hacked, the Payments Association of SA (PASA) says there is no need for concern, as consumers face "no undue risk".

The statement from SA's payment system management body follows a breach of card data stored by PayGate, a third-party online payments facilitator, in August. PayGate serves a number of large online merchants, with transactions acquired at all of SA's major banks.

According to PayGate, the breach three months ago underwent a forensic audit, the results of which were released on Friday. At this stage, according to PayGate MD Peter Harvey, the breach was confined to August.

PASA CEO Walter Volker says it is unclear exactly how many cardholders' details were accessed, but "at this stage only a limited number of card details" appears to have been retrieved. Volker says PASA, as well as international card schemes (Visa and MasterCard) and SA's banks, took "immediate steps" to prevent further leakage of card details.

Harvey says, while some credit card details may have been exposed, "the card associations and banks are proactively monitoring all credit cards processed during this period and will contact cardholders directly if necessary".

Volker says card users ought to report any suspicious transactions to their banks as a matter of urgency.

Lacking compliance

Volker says, prior to the recent security breach, PayGate did not appear to be fully compliant with Payment Card Industry Data Security Standards (PCI DSS) requirements. "The card data emanating from these online transactions seems to have been stored in a manner that does not meet the stringent security standards expected by PASA, the international card schemes and the banks."

He says PASA has been working with the banks and the card schemes to implement immediate measures to block the potential exposure of the card data and bring the integrator to a state of full compliance with PCI DSS requirements.

"There is certainly no need for concern by cardholders. It is important to be aware of the fact that the issuing and acquiring banks in the South African payments environment all have very well developed and sophisticated fraud and risk management systems in place, and that monitoring of any heightened levels of potential fraud which might result from this would be a normal activity with no need for additional systems."

Security upgrade

Since the breach scare, says Harvey, PayGate has upped its security measures.

"Our Payment Card Industry assessment company has conducted a detailed electronic scan of our systems and we have passed all these tests."

He further says PayGate only stores e-mail addresses - not any personal details like addresses or ID numbers. "As always, customers should be vigilant for phishing attacks."

Regardless of the security breach and PayGate's data systems security, says Volker, cardholders are not at risk of any losses as the applicable bank will compensate customers for this.