Sunday, 18 November 2012

Hack attack a costly lesson for banks

The recent credit card breach involving PayGate, a local payment service provider, has exposed a weakness in the national payment system that the regulator, the banks and service providers are fixing, fast.

The international syndicate responsible for the hack may have accessed the card details of hundreds of thousands of users. But the banks say there’s no need to panic: they are covering any losses you incur from fraud related to this incident – and if you’re at risk, your bank is monitoring your credit card account.

The Payments Association of South Africa (Pasa), the body responsible for regulating the national payment system, is checking the compliance of about 50 operators that facilitate payments from your bank account to a retailer’s bank account when you shop online.

Walter Volker, the chief executive of Pasa, says one of the “major lessons learned” is that there’s a need for a better way of checking the compliance of operators such as PayGate, which fell victim to a hacker’s attack.

“Unfortunately, in this case PayGate was acquired by four of the major banks and it seems that each assumed that compliance was taken care of. This is one of the major lessons learned. We need a more formalised, explicit way of checking compliance.

“We have a set of criteria that covers a number of things, but the plan is to extend that list to ensure adherence to the Payment Card Industry Data Security Standards (PCI-DSS).”

The PCI-DSS is a security standard for the payment card industry.

Volker says while there is a weakness in regulating operators, ultimately “the risk is with the banks. And we expect our banks to comply with PCI-DSS.”

He says Pasa is in the process of reviewing Pasa-registered operators that are card-enabled, to determine how many are PCI-DSS-compliant. He says once this is done, those operators that aren’t yet compliant will be given a deadline to comply.

PayGate is not yet fully compliant with PCI-DSS, and the hack occurred three months before the company was due to be audited, Peter Harvey, managing director of PayGate, says.

Harvey says PayGate reported its compliance status to the major banks on a regular basis, and in 14 years the company has never had an incident.

“We’re optimistic we caught it quickly and locked it down 100 percent,” he says. The breach was by way of hidden files found on PayGate’s server, which has subsequently been replaced. Since the breach, PayGate has had two PCI-DSS companies run scans on the system and has passed both, he says.

If you’re one of the “hundreds of thousands” of customers whose credit card details were on the database that was compromised, you won’t necessarily be notified of this by your bank.

Pasa has given the individual banks the discretion to decide whether to contact you with a view to replacing cards that might have been exposed, or rather placing your cards on a “heightened level of monitoring”.

Last week, Pasa issued a media release that broke the news of the security breach, which, Harvey says, took place in August. He says the banks and the card associations were notified at the time.

This week, the message from the banks was unanimous: there is no need to panic; the number of incidents is “limited”.

None of the banks is willing to divulge how many of their customers have been victims of credit card fraud as a result of the breach, and nor will they disclose the extent of their losses.

Johan Maree, chief executive of First National Bank’s credit card division, says disclosing such information will only “create unnecessary panic”.

“It’s not that we’re withholding information, but it would create panic if we were to alert every customer on that list,” he says.

The banks are not seeking to hide anything from customers, he says, but they have to exercise discretion because an investigation is under way.

The commercial crime unit is investigating the incident.

Maree says the incident has presented “massive learnings” for the banking industry and highlighted the need for tighter regulations in the payment system.

“There will definitely be some changes and a tightening of regulations,” Maree says. “We have to close the gaps. As an industry, we can’t let this happen again.”

In response to online news reports, some customers have said their banks ought to have notified them about the breach sooner, and at least one lawyer has said that Pasa and the banks are fortunate that the Protection of Personal Information Bill (POPI) is not yet law.

An “operator” (such as PayGate) or a “responsible party” (such as your bank) can face fines of up to R10 million or up to 10 years in jail for failing to comply with the POPI law.

Although Absa elected to contact all of its customers whose details were on the list of credit card users affected by the breach, Arrie Rautenbach, head of retail markets at Absa, says a statement notifying customers in general would be “highly irresponsible” in the circumstances. “Mass communication to all customers would have been counter-productive, as this would have exposed more customers to opportunistic fraud attempts, causing concern for the large percentage of customers who were not affected,” he says.
