Where is confidential credit card transactional data stored?
JOHANNESBURG – Ever wondered where every credit card transaction is recorded and stored and how secure that data is, especially after the hardware on which that data is stored reaches end-of-life?
If this data is compromised and lands in the wrong hands, it could have catastrophic consequences for not only the company concerned but for the banks and consumers alike.
Uber is facing a $148 million (R2bn) fine for failing to disclose a massive data breach in 2016, marking a costly resolution to one of the biggest embarrassments and legal tangles the ride-hailing company has suffered.
Experts say not many companies are aware of the Payment Card Industry Data Security Standard (PCI DSS) that requires them to follow the policies and procedures to protect this data. The Payment Association of SA (PASA) has been appointed by the government and the Reserve Bank to implement and regulate PCI DSS.
There is also an overlap with the Protection of Personal Information Act 2013 (PoPI) that stipulates how companies may collect, handle, store and discard information.
This regulation was largely driven by increased credit card criminal activity, cybercrime and data theft. These regulations come with heavy penalties for those that fail to comply.
Xperien business development manager Francois Engelbrecht says stolen data can permanently damage a company's reputation. “Not to mention creating a whirlwind of legal, financial and reputational problems. Some businesses never fully recover from a corporate data breach because of the punishing costs and destruction of the brand.”
“Old hard drives, backup tapes and Flash Drives are a major security threat for any business, they store a massive amount of confidential data that can easily be compromised. It is a major concern that a company needs to be compromised first before senior management takes action,” he explains.
Engelbrecht says if companies have adopted the PCI DSS concept of protecting data, they have a blueprint of how to protect the additional data that PoPI aims to protect. Customer data protection is every company's responsibility, management needs to be aware of these regulations and have the required skills and knowledge at the senior management level to be able to be proactive and not just reactive to when it comes to data security.
"An increasing number of government regulations, industry standards and internal risk mitigation policies require companies to sanitise storage media prior to disposal or reuse. There are numerous destruction options that guarantee privacy and also ensure a company's reputation will not be compromised. When disposing of these storage devices, one needs to ensure it is done in a responsible and professional manner “he concludes.
Companies are in for a rough ride with increased regulatory compliance and new legislations being introduced worldwide, the consequences for data breaches are severe and will cripple most businesses.
– BUSINESS REPORT ONLINE