The Payments Association of South Africa (PASA)‚ international card schemes (Visa and MasterCard) and South Africa’s major banks have taken immediate steps to prevent a further leakage of card details because of a security lapse at a company processing online transactions.
Walter Volker‚ the CEO of PASA‚ said there was no need for undue concern by cardholders. There are indications at this stage that only a limited number of card details have been accessed by outside organisations‚ and as a result limited fraud has been perpetrated.
However‚ he appealed to all card users to report any suspicious transactions to their banks for urgent investigation.
The situation came to light in the past few days‚ when PASA was made aware of a potential breach of card data stored by a card payments processor for online transactions. This payments processor serves a number of large online merchants and these transactions are acquired at all major banks.
“The card data emanating from these online transactions seems to have been stored in a manner which does not meet the stringent security standards expected by PASA‚ the international card schemes and the banks.” Volker said.
The industry has taken immediate and pro-active steps to identify the extent of the potential exposure and to carefully monitor transactions on the cards involved in order to detect possible unusual activity. Fortunately‚ to date‚ there seems to be evidence of only very limited fraud being perpetrated as a direct result of the exposure.
“PASA has been working with the banks and the card schemes to implement immediate measures to block the potential exposure of the card data and bring the integrator to a state of full compliance to the Payment Card Industry Data Security Standards (PCI DSS) requirements. “There is certainly no need for concern by cardholders. It is important to be aware of the fact that the issuing and acquiring banks in the South African payments environment all have very well developed and sophisticated fraud and risk management systems in place‚ and that monitoring of any heightened levels of potential fraud which might result from this would be a normal activity with no need for additional systems‚” Volker said.
It is left to individual banks and card issuers‚ however‚ to decide whether they would be contacting their customers with a view to replacing any cards that might have been exposed‚ or rather to place these cards on a heightened level of monitoring before any action is taken.
Should fraudulent transactions be perpetrated on any of these cards as a result of the data compromise‚ cardholders would not be exposed to any losses – as is the case under normal circumstances.
Cardholders who have any general concerns or are suspicious of any transactions appearing on their card statements or of which they are alerted though their SMS/ email “in contact” service should contact their issuing institution directly and immediately. - I-Net Bridge