The recent credit card breach involving PayGate, a local payment service provider, has exposed a weakness in the national payment system that the regulator, the banks and service providers are fixing, fast.
The international syndicate responsible for the hack may have accessed the card details of hundreds of thousands of users. But the banks say there’s no need to panic: they are covering any losses you incur from fraud related to this incident – and if you’re at risk, your bank is monitoring your credit card account.
The Payments Association of South Africa (Pasa), the body responsible for regulating the national payment system, is checking the compliance of about 50 operators that facilitate payments from your bank account to a retailer’s bank account when you shop online.
Walter Volker, the chief executive of Pasa, says one of the “major lessons learned” is that there’s a need for a better way of checking the compliance of operators such as PayGate, which fell victim to a hacker’s attack.
“Unfortunately, in this case PayGate was acquired by four of the major banks and it seems that each assumed that compliance was taken care of. This is one of the major lessons learned. We need a more formalised, explicit way of checking compliance.
“We have a set of criteria that covers a number of things, but the plan is to extend that list to ensure adherence to the Payment Card Industry Data Security Standards (PCI-DSS).”
The PCI-DSS is a security standard for the payment card industry.
Volker says while there is a weakness in regulating operators, ultimately “the risk is with the banks. And we expect our banks to comply with PCI-DSS.”
He says Pasa is in the process of reviewing Pasa-registered operators that are card-enabled, to determine how many are PCI-DSS-compliant. He says once this is done, those operators that aren’t yet compliant will be given a deadline to comply.
PayGate is not yet fully compliant with PCI-DSS, and the hack occurred three months before the company was due to be audited, Peter Harvey, managing director of PayGate, says.
Harvey says PayGate reported its compliance status to the major banks on a regular basis, and in 14 years the company has never had an incident.
“We’re optimistic we caught it quickly and locked it down 100 percent,” he says. The breach was by way of hidden files found on PayGate’s server, which has subsequently been replaced. Since the breach, PayGate has had two PCI-DSS companies run scans on the system and has passed both, he says.
If you’re one of the “hundreds of thousands” of customers whose credit card details were on the database that was compromised, you won’t necessarily be notified of this by your bank.
Pasa has given the individual banks the discretion to decide whether to contact you with a view to replacing cards that might have been exposed, or rather placing your cards on a “heightened level of monitoring”.
Last week, Pasa issued a media release that broke the news of the security breach, which, Harvey says, took place in August. He says the banks and the card associations were notified at the time.
This week, the message from the banks was unanimous: there is no need to panic; the number of incidents is “limited”.
None of the banks is willing to divulge how many of their customers have been victims of credit card fraud as a result of the breach, and nor will they disclose the extent of their losses.
Johan Maree, chief executive of First National Bank’s credit card division, says disclosing such information will only “create unnecessary panic”.
“It’s not that we’re withholding information, but it would create panic if we were to alert every customer on that list,” he says.
The banks are not seeking to hide anything from customers, he says, but they have to exercise discretion because an investigation is under way.
The commercial crime unit is investigating the incident.
Maree says the incident has presented “massive learnings” for the banking industry and highlighted the need for tighter regulations in the payment system.
“There will definitely be some changes and a tightening of regulations,” Maree says. “We have to close the gaps. As an industry, we can’t let this happen again.”
In response to online news reports, some customers have said their banks ought to have notified them about the breach sooner, and at least one lawyer has said that Pasa and the banks are fortunate that the Protection of Personal Information Bill (POPI) is not yet law.
An “operator” (such as PayGate) or a “responsible party” (such as your bank) can face fines of up to R10 million or up to 10 years in jail for failing to comply with the POPI law.
Although Absa elected to contact all of its customers whose details were on the list of credit card users affected by the breach, Arrie Rautenbach, head of retail markets at Absa, says a statement notifying customers in general would be “highly irresponsible” in the circumstances. “Mass communication to all customers would have been counter-productive, as this would have exposed more customers to opportunistic fraud attempts, causing concern for the large percentage of customers who were not affected,” he says.