Altech Card Solutions, part of Altron TMT, has announced that it has yet again received the Visa International and MasterCard stamp of approval with its recertification as a Payment Card Industry Data Security Standard (PCI DSS) approved service provider.

According to Derek Chaplin, MD of Altech Card Solutions, PCI DSS is a proprietary information security standard for service providers that manage cardholder information for the major debit, credit, prepaid, e-purse, ATM, and point-of-sale (POS) cards.

“Our financial transaction processing and switching platform and related services operate subject to the regulations imposed on system operators by governing bodies such as the South African Reserve Bank, the payments association of South Africa (PASA), MasterCard, Visa International, and others and includes on-going PCI DSS certification,” he says.

“The financial transaction information that passes through our system is extremely valuable and we have to comply with onerous security measures to ensure, for instance, that no individuals’ card details can be compromised during and after the transaction.

“We are also the only non-banking entity in South Africa that has the required certifications to operate and host a financial transaction solution in this space as an independent, third-party transaction processor,” he adds.

Altech Card Solutions received the PCI DSS certification for Payment Processing (POS), Payment Gateway/Switch, and Payment Processing Mail and Telephone Order (MOTO).

According to Craig Duggan, GM: Integrated Transaction Solutions at Altech Card Solutions, the PCI DSS standard is a widely accepted set of policies and procedures intended to optimise the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. The standard was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

“We go through an annual onsite assessment sanctioned by Visa and MasterCard to ensure that we are, and remain PCI DSS compliant. Validation of compliance is conducted by an external, qualified security assessor that creates a report on compliance for service providers handling large volumes of transactions and cardholder information for the major debit, credit, prepaid, e-purse, ATM, and Point of Sale cards,” says Duggan.

“The standard was introduced for entities that interact with card holder information to ensure that there was a global standard under which they operate and to ensure that the card holder’s information cannot be easily compromised. The fact that we have achieved compliance for two years in a row is a significant achievement given the amount of time and money that it takes to be compliant as it based on attaining various certifications and making sure that we are in a position to continue transacting,” Duggan adds.

“Compliance is important for us as it provides our customers with a level of trust and peace of mind in the way that we process our transactions and manage their information. It also provides the regulators with peace of mind as they need to reassure the community that it is safe to transact and use payment cards because their service providers have the necessary certifications in place and adhere to the strictest security standards.

“Furthermore, choosing a PCI DSS compliant service provider will reduce the risk of an account data compromise. While a service provider might tick certain boxes in terms of the services they provide, the most important box to tick is that of compliance and adherence to security standards,” says Duggan.

“Internationally the Visa and MasterCard working group analyse security breaches that take place throughout the world. From this they determine which service providers will no longer be supported and also determine what other security measures need to be included in the standard for compliance in the future. If you as a service provider are compromised and you are not PCI DSS certified, you will be shut down immediately.

“The consequential liability that your customers will suffer will also put you in a tremendously difficult position,” Duggan concludes.

PCI DSS certification specifies six major criteria:

* A secure network must be maintained in which transactions can be conducted. This requirement involves the use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors.
* Cardholder information must be protected wherever it is stored. Repositories with vital data such as dates of birth, mothers’ maiden names, identification numbers, phone numbers and mailing addresses must be secure against hacking. When cardholder data is transmitted through public networks, that data must be encrypted in an effective way.
* Systems must be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions.
* Access to system information and operations must be restricted and controlled. Cardholder data must be protected physically as well as electronically.
* Networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-do-date.
* A formal information security policy must be defined, maintained, and followed at all times and by all participating entities.