Illustration: Colin Daniel

This article was first published in the fourth quarter 2016 edition of Personal Finance magazine.


When it comes to making A payment in an e-commerce transaction, you’re presented with an array of choices – to pay using your credit, debit or cheque card, via electronic funds transfer, MasterPass, or an app like SnapScan or Zapper. You’ll also see the logos of companies you might have never heard of before: the likes of PayU, PayFast, PayGate or MyGate. They are payment service providers, and there are about 90 of them in South Africa. Merchants pick which one to use, so you don’t choose which company processes your transaction. Should you be bothered which of them a merchant is using? And if so, do you need to familiarise yourself with all of them before trusting them with your personal information and your card details?

Fortunately, that’s not necessary. Walter Volker, the chief executive of the Payments Association of South Africa (Pasa), says that only half of all “system operators” – the term used by Pasa to describe non-bank providers of payment services – are card-enabled and even fewer are e-commerce card-enabled. (The rest do physical card processing or operate as bureaus for the processing of debit orders, or provide a combination of services.) Most importantly, they operate under authorisation by Pasa, which is recognised by the South African Reserve Bank as the management body of the national payment system.

Pasa authorises “system operators” in terms of a Reserve Bank directive that sets out the conditions under which such companies may participate in the payment system. System operators – also known as payment processors, payment service providers or payment gateways – have to comply with all the criteria as set out in the directive, including important security standards such as the Payment Card Industry Data Security Standard (PCI DSS), Volker says. PCI DSS is an international standard that stipulates how cardholder data must be handled. Furthermore, if merchants allow for card-not-present payments (which are essentially e-commerce transactions), they have to use 3D Secure, which is the system that results in your bank asking you for additional authentication, such as a one-time password or one-time PIN, before your money is released to make payment.

Jonathan Smit, the managing director of PayFast, explains the significance of the 3D Secure system.

“This means that, for every e-commerce transaction, additional authentication is required from the customer’s bank. Historically, in order to buy something online, one just had to enter the card details (card number, name, expiry date and CVV) to make payment, but anyone who had those card details (or had seen them) could do so. This might not have been the cardholder at all, but anyone who had been in possession of the card for a short period of time at any time.

“With 3D Secure, one has to provide the card details and, additionally, authenticate the purchase at transaction time through a one-time PIN sent to your mobile phone, or a different authentication mechanism offered by your bank.”

Volker says payment service providers that facilitate e-commerce transactions are required by Pasa to have the ability to process 3D Secure transactions, and all of them do. “We can also confirm that the majority of e-commerce merchants are processing 3D Secure transactions,” he says.


The middlemen

Smit says there are only about 10 “noteworthy” payment service providers in South Africa. And you don’t need to know each one intimately, or how the system works, before buying online.

“Payment processing is a large and fairly complex field and there are many processors working in various areas, such as point of sale, online, and so on. Some work more in the foreground and have their branding on the retailer’s website, whereas others work in the background, so that the customer doesn’t know which payment company is processing a transaction, only which merchant they are buying from.

“Payment processors exist even in situations where you might not realise it. They have become far more visible with the emergence of the internet, but the bulk of payments still happen in the physical world and payment processors were working there long before e-commerce came into being. Do you know the name of the payment service provider who processed your recent purchase at Spar or Checkers? Undoubtedly not. Payment processors often work behind the scenes, processing an immense amount of transactions daily to ensure that the wheels of commerce keep turning.”

Ultimately, the goal of payment processors is to process payments for all the parties concerned accurately, securely and swiftly, Smit says. “From that perspective, what they do for the payer is largely the same. There may be some distinguishing features among those processors who have a customer-facing brand – for example, they might offer to save card details to speed up future transactions, or increase security by not sharing card details with the merchants themselves.”

The choice of which payment processor to use lies with the online merchant and, provided that the merchant is a trusted brand, or has partnered with a trusted payment provider, it shouldn’t matter to you who is processing your payment, Smit says. Even if you don’t know who the trusted payment providers are, you are entitled to expect a trusted brand to partner with one such provider.

That said, there is nothing to prevent the consumer from advocating for a particular payment provider to be offered by the merchant, or choosing an alternative method of payment if they’re not comfortable with the payment provider being used, Smit says. “It’s your card details that are being provided and your money that’s being spent, and you should be comfortable before you go ahead.”


Identity check

Brendon Williamson, the head of sales and new business development at PayGate, has a different view. He says it should matter to you which payment service provider a merchant is using – even if you take some comfort from the fact that large retailers normally go through a rigorous process when they select a payment service provider, with security being a key component.

“As the cardholder, you want to make sure that your personal and card details are securely handled,” Williamson says. “Many of the bigger retailers have ‘hosted integrations’ with their payment service providers – meaning that they [the retailers] manage and own the payment process. The page into which your card information is entered belongs to them. There is no redirect to the payment service provider’s payment page, so it makes it difficult for the cardholder to identify which payment service provider the retailer is using.

“The majority of e-commerce merchants make use of the payment service provider’s payment portal page – this is the page that customers are directed to to enter their card/payment information.”

This doesn’t mean that it’s unsafe to use an e-commerce site that doesn’t direct you to the payment service provider’s payment page; it just makes it harder for you to tell who is processing the payment, Williamson says. But if a merchant is collecting and storing your personal information and card data, you need to know it and give your informed consent.

Williamson says a payment service provider may store your information on behalf of the merchants, because not all merchants want to be bothered with onerous PCI DSS compliance requirements.

If you have concerns about the security of your payment details and you can’t see who the payment service provider is, you can contact the merchant and ask, he says. You can then check the payment service provider’s website for validation of their PCI compliancy, he says. “The payment service provider should readily be able to provide a copy of their PCI certification. You can also check the Visa and MasterCard registry to see if the service provider is registered and what level of compliancy they have.”

You can also check Pasa’s website to see if the payment service provider has been authorised as a system operator, including its PCI DSS status.

Some payment service providers force you to register with them, but this is not the norm, Williamson says. “Some may offer the cardholder the option of creating an account and storing your card information for future payments made within the merchant network of that specific payment service provider. As the cardholder, if you opt for such a service, make sure that the payment service provider is PCI compliant and that they have a valid certification.”

Smit says that, generally, registration is optional, but far from being a risk, it might make future payments easier and increase security. “PayFast doesn’t require registration, but does offer it. The benefit for the customer would be not having to enter card details for each purchase through a PayFast merchant. Obviously, the payment provider would save the customer’s card details plus a name and email address in order to offer this service. Provided the payment provider is PCI DSS Level 1 compliant [the highest level], as the reputable online e-payment providers in South Africa are, there are no major risks to the consumer,” he says.


Golden rule

The “golden rule” of shopping online is to ensure you buy from trusted merchants – the likes of Amazon, Takealot and Pick n Pay, Johan Dekker, the head of payments in Africa at PayU, says. “These are so popular because of the proxy of trust.”

Being connected online creates opportunity – such as the chance to shop online – but it also creates vulnerability, which has to be managed, Dekker says. “Look at how you secure your home; South Africans are very security conscious. We need to take that same consciousness online. You don’t walk around in areas you don’t know. Similarly, you wouldn’t buy a gold watch on the street, because you know it’s probably stolen.”

Williamson reiterates this point. “The biggest risk to the end user online is the dodgy ‘merchant’ who sets up a fake website with the sole intention of gleaning your card data.”

Aside from the risk of falling for a dodgy site, Dekker maintains that paying online is one of the safest methods of payment, because you do have recourse in the event of a fraudulent transaction: you can claim a “chargeback” through your bank. A chargeback is the process whereby your bank sends a request for a refund to the merchant's bank.

Chargebacks are usually claimed when the merchant fails to provide the goods you bought or services for which you paid. But you can also claim a chargeback when your account is used fraudulently following a data breach.

Among the biggest data breaches in recent history in South Africa are the KFC incident in 2013 and the hit on Standard Bank this year. In the KFC incident, criminal syndicates managed to “infect” KFC’s point-of-sale terminals with malicious software, enabling them to steal customers’ card data. And in the Standard Bank case, its computer system was hacked, resulting in customers’ credit cards being forged and the fraudulent cards being used to draw about R300 million from ATMs in Japan. In both cases, the banks carried the losses.

Notwithstanding such incidents, Williamson says that payment processors in this country are subject to a high degree of regulation and for this reason the consumer can feel safe shopping on South African websites.

The take-home message then is simple: payment processors must be PCI-compliant, and it’s relatively easy for you to check whether or not any particular one is. If it isn’t, report the company to Pasa. Merchants that accept payment online must offer 3D Secure. If they aren’t, report them to Pasa (www.pasa.org.za).


PAYMENT SERVICE PROVIDERS

The top (listed alphabetically) payment service providers in South Africa are: Ecentric, MyGate, PayFast, PayGate, PayU, VCS.