PayGate confirms credit breach

The company at the centre of a massive credit card security breach, that saw all four major banks up their security and re-issue thousands of new cards this week, has confirmed the breach – which actually occurred in August.

PayGate operates as an intermediary between online retailers and banks in online shopping transactions.

It has a large number of online merchants as clients, among them airlines, universities, Woolworths, iTickets and accommodation booking websites.

The Payments Association of SA (Pasa) said on Friday that “the card data emanating from these online transactions seems to have been stored in a manner which does not meet the stringent security standards expected by Pasa, the international card schemes and the banks”.

PayGate managing director Peter Harvey said yesterday that their systems were breached in August, exposing “some” credit card numbers to risk.

“We detected unauthorised activity on our server in August and immediately took action to secure our systems and protect our customers,” he said, adding that the company had worked closely with the card associations and international security experts to complete a “detailed forensic investigation”.

“We believe the breach was confined to August this year,” he said, and banks and card associations were monitoring all credit card activity during this period.

Cardholders would be contacted “if necessary”.

The company also said it did not store personal details like addresses and identity numbers, but did store e-mail addresses. As such, customers should beware of phishing attacks.

Absa, Standard Bank, Nedbank, First National Bank, as well as Woolworths, whose credit cardholders were also affected, moved yesterday to quell fears, saying any fraud as a result of the data leak would be covered by the banks.

All said they had implemented further security measures to minimise risk.

Johan Maree, chief executive of FNB’s credit card division, said in a statement on the bank’s website that the data theft had resulted in “the potential compromise of an isolated number of cards”.

They had added levels of security checks. He advised anyone who felt they may be at risk to change their card pin and register for the bank’s notification service, which alerts customers to any activity on their accounts.

Head of personal markets at Standard Bank, Sugendhree Reddy, confirmed that some of the bank’s customers had been affected. “All Standard Bank cards that may have been impacted have been placed under a heightened level of monitoring.”

Rene de Villiers, Nedbank’s head of card risk, said Nedbank was taking steps to ensure that PayGate became compliant with regulations. Where losses had been reported, clients had been refunded and new cards issued.

Absa’s head of card and consumer finance, James Campbell, said the bank was contacting customers to “provide information regarding the risk mitigation process”. This involved replacing affected cards and cancelling existing cards.

Woolworths said new cards would be issued to affected clients.