The recent credit card breach involving PayGate, a local payment
service provider, has exposed a weakness in the national payment system
that the regulator, the banks and service providers are fixing, fast.
The
international syndicate responsible for the hack may have accessed the
card details of hundreds of thousands of users. But the banks say
there’s no need to panic: they are covering any losses you incur from
fraud related to this incident – and if you’re at risk, your bank is
monitoring your credit card account.
The Payments Association of
South Africa (Pasa), the body responsible for regulating the national
payment system, is checking the compliance of about 50 operators that
facilitate payments from your bank account to a retailer’s bank account
when you shop online.
Walter Volker, the chief executive of Pasa, says one of the “major lessons
learned” is that there’s a need for a better way of checking the
compliance of operators such as PayGate, which fell victim to a hacker’s
attack.
“Unfortunately, in this case PayGate was acquired by
four of the major banks and it seems that each assumed that compliance
was taken care of. This is one of the major lessons learned. We need a
more formalised, explicit way of checking compliance.
“We have a
set of criteria that covers a number of things, but the plan is to
extend that list to ensure adherence to the Payment Card Industry Data
Security Standards (PCI-DSS).”
The PCI-DSS is a security standard for the payment card industry.
Volker
says while there is a weakness in regulating operators, ultimately “the
risk is with the banks. And we expect our banks to comply with
PCI-DSS.”
He says Pasa is in the process of reviewing
Pasa-registered operators that are card-enabled, to determine how many
are PCI-DSS-compliant. He says once this is done, those operators that
aren’t yet compliant will be given a deadline to comply.
PayGate
is not yet fully compliant with PCI-DSS, and the hack occurred three
months before the company was due to be audited, Peter Harvey, managing
director of PayGate, says.
Harvey says PayGate reported its
compliance status to the major banks on a regular basis, and in 14 years
the company has never had an incident.
“We’re
optimistic we caught it quickly and locked it down 100 percent,” he
says. The breach was by way of hidden files found on PayGate’s server,
which has subsequently been replaced. Since the breach, PayGate has had
two PCI-DSS companies run scans on the system and has passed both, he
says.
If you’re one of the “hundreds of thousands” of customers
whose credit card details were on the database that was compromised, you
won’t necessarily be notified of this by your bank.
Pasa has
given the individual banks the discretion to decide whether to contact
you with a view to replacing cards that might have been exposed, or
rather placing your cards on a “heightened level of monitoring”.
Last
week, Pasa issued a media release that broke the news of the security
breach, which, Harvey says, took place in August. He says the banks and
the card associations were notified at the time.
This week, the message from the banks was unanimous: there is no need to panic; the number of incidents is “limited”.
None of the banks is willing to divulge how many of their customers have
been victims of credit card fraud as a result of the breach, and nor
will they disclose the extent of their losses.
Johan Maree, chief executive of First National Bank’s credit card division, says disclosing such information will only “create unnecessary panic”.
“It’s
not that we’re withholding information, but it would create panic if we
were to alert every customer on that list,” he says.
The banks
are not seeking to hide anything from customers, he says, but they have
to exercise discretion because an investigation is under way.
The commercial crime unit is investigating the incident.
Maree
says the incident has presented “massive learnings” for the banking
industry and highlighted the need for tighter regulations in the payment
system.
“There will definitely be some changes and a tightening of regulations,” Maree says.
“We have to close the gaps. As an industry, we can’t let this
happen again.”
In response to online news reports, some
customers have said their banks ought to have notified them about the
breach sooner, and at least one lawyer has said that Pasa and the banks
are fortunate that the Protection of Personal Information Bill (POPI) is
not yet law.
An “operator” (such as PayGate) or a “responsible
party” (such as your bank) can face fines of up to R10 million or up to
10 years in jail for failing to comply with the POPI law.
Although
Absa elected to contact all of its customers whose details were on the
list of credit card users affected by the breach, Arrie Rautenbach, head
of retail markets at Absa, says a statement notifying customers in
general would be “highly irresponsible” in the circumstances. “Mass
communication to all customers would have been counter-productive, as
this would have exposed more customers to opportunistic fraud attempts,
causing concern for the large percentage of customers who were not
affected,” he says.