Johannesburg - The Payment Association of South Africa (Pasa) has excused banks from any blame as hundreds of thousands of their customers are estimated to have been affected by card fraud taking place in fast-food outlets.
“I can categorically state that the blame can’t be laid at the banks’ door,” Pasa chief executive Walter Volker said yesterday.
“Although so far all losses have been taken by the banks, it was not their responsibility.”
Yesterday the TechCentral website reported that data from customers’ bank cards had been compromised by international criminal syndicates that infected electronic payment terminals in South African fast food outlets with a malicious software bug called Dexter.
Comments were rife on social media after TechCentral published the report, with people blaming banks for the data compromise.
In a statement issued after the news broke, Pasa said the fraud did not take place because of second-rate data security standards in banks.
“It is important to be aware of the fact that the issuing and acquiring banks in the South African payments environment all have very well-developed and sophisticated fraud and risk management systems in place and that monitoring of any heightened levels of potential fraud which might result from this would be a normal activity with no need for additional systems,” Pasa said.
Volker said most of the fast food outlets affected by the fraud used third-party software for electronic payments. But he explained that the fraud did not take place at the point-of-sale devices per se, but at the back end, where it was not possible for retailers to detect it.
The malware was so sophisticated that it took the forensic team that Pasa had hired a couple of weeks to detect it.
The association said an unidentified international organisation, believed to be from Europe, planted the virus.
All the affected outlets had now been cleaned.
“They’ve now been cleaned completely but the outstanding issue now is that some card numbers might still be floating overseas and they will make new cards with them. But the banks are monitoring all transactions, especially from overseas,” Volker said.
Fast food retail chain KFC, which was singled out as the hardest hit by this fraud, said it was aware of the malware infecting its point-of-sale devices and was taking it “extremely seriously”.
“Our first priority is to make sure that the impact on our customers remains minimal,” said Doug Smart, the managing director of KFC South Africa.
Famous Brands, which owns fast food outlets such as Wimpy and Steers, said its exposure to this fraud had been practically non-existent because only two restaurants across its 2 180 restaurant network were affected.
Like others, Famous Brands was made aware of the problem by the SA Banking Risk Intelligence Centre and Pasa when the two bodies began investigating.
Standard Bank said the fraud had had an impact on the banking industry as a whole, and some Standard Bank debit, credit and cheque card customers had been affected. It was still identifying and taking steps to limit the extent of potential exposure to this fraud.
“All Standard Bank cards that may have been impacted have been placed under a heightened level of monitoring to detect possible unusual or fraudulent activity,” the bank said in response to queries.
“Should fraudulent transactions occur on any of these cards, cardholders will not be exposed to any losses and Standard Bank will replace the cards of affected customers.”
Absa spokeswoman Nobubele Mkhwanazi said the Dexter virus had been identified at a contained number of terminals across a number of merchants where Absa had had very limited exposure to date.
The bank was working with Pasa to resolve the matter and urged customers to be vigilant.
The banks detected the fraud after noticing higher transaction volumes from the fast food outlets earlier in the year. But it was difficult to deal with because this was not the standard Dexter malware, which has been around for a while.
Pasa said there that was no need for “undue concern” by cardholders and that no cardholders would be exposed to any losses. But it and the banks urged card users to check their bank statements and report any suspicious transactions for urgent investigation. - Business Report