The latest statistics from the South African Banking Risk Information Centre (Sabric) revealed that South Africa’s banking industry lost R366,8-million in 2013 due to South African-issued credit card fraud – a 22% increase from the previous year. This alarming rise of credit card fraud in South Africa highlights the importance of adherence to international security standards within the payments industry.
This is according to Duncan Ellison at FastNet – South Africa’s leading wireless point of sale (POS) service provider, who says it is imperative that retailers implement security measures to safeguard their clients’ credit card data, as well as to protect their own business revenue streams from fraudulent activity.
Payment Card Industry (PCI) compliance is the industry standard for information security that stipulates the rules and requirements for controlling and protecting cardholder information. Created in 2004 by the Payment Card Industry Security Standards Council (PCI SSC), the standard was designed to reduce credit card fraud arising from the exposure of card data during the transaction process between the cardholder and the banks.
Ellison says that retailers who are not PCI compliant place themselves at increased risk of losses that could be prevented with adequate fraud protection in place. “No consumer wants to feel that their credit card information could be compromised at any stage. Consumers pay with their cards thinking that their payment will be totally secure, but if the retailer does not have PCI compliant payment systems in place, their card data is passed over communications channels that might allow it to be compromised.”
Ellison says that the Heartland Systems security breach of 2008/2009, considered one of the largest data breaches in history, is a prime example of the risks consumers and retailers face when using credit and debit cards.
“In this instance, the security breach within its processing system affected an estimated 100 million debit and credit cards and more than 650 financial services companies were compromised. The data stolen included the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards; with that data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.”
Ellison says that every point at which cardholder data is handled, from the checkout operator to the bank, has to be secured. “In order for retailers to be PCI compliant, they must have positive answers to about 350 questions, as published by the PCI in the current Data Security Standard (DSS). This process involves a multi-week audit across all aspects of the merchant’s business that handle credit cards.”
“Should retailers use network providers, they must ensure that the provider is PCI compliant. By using a PCI compliant network provider, the retailer can safely move transactions from the store to the bank and effectively bypass the 350 DSS questions within the networking audit procedure,” says Ellison.
PCI DSS must be implemented by all organisations that process, store or transmit cardholder data, but formal validation of PCI compliance is not mandatory for all retailers. Smaller merchants are not yet required to explicitly validate compliance with the controls prescribed by the PCI; however, these retailers must still implement the controls to keep transactions secure and to avoid potential liability in the event of fraud.
“PCI compliance is one of the key methods to protect both consumers and retailers alike. It is therefore imperative that more retailers start seeing the value in PCI compliant systems in order to ensure safe card transactions at all times,” concludes Ellison.