Paying by card: failure in security 'inevitable'
"Day Zero" is coming for the card payment industry, and South Africans making card and online payments need to be as vigilant about their data security as they are about their physical safety.
"Data breaches are inevitable," Andrew Henwood, CEO of global cybersecurity firm Foregenix, told delegates at a payment card security conference in Cape Town last week.
He says a significant uptick in cybercrime was recorded around the world over the past two quarters.
A 2016 Nielsen study calculated that global fraud would top $31-billion (about R374-billion) this year.
Fraudulent card payments are expected to amount to more than R234-million this year, and if all electronic payments are included, the bill rises to a formidable R2.6-billion, the Payment Card Industry Security Standards Council Middle East and Africa Forum in Cape Town was told.
Steve Marshall, of UK forensics firm Risk-X, acknowledges that the cost of implementing better security could be a stumbling block for small merchants, but emphasises that "everyone in the payment chain" needs to be serious about the security of their customers' data.
Data security breaches may be increasingly likely, but there is no formal legislation that protects your rights as a consumer when your data gets into the wrong hands, Henwood says.
Providers are not forced to disclose breaches, so you often don't know that your personal data has been breached, he says.
Last year, the personal details of millions of South Africans were exposed in a data leak from the web server of a Pretoria property company.
Jeremy King, international director of the PCI Security Standards Council, is upbeat about advances in payment card security such as better-educated merchants, increasingly sophisticated security technologies and elevated compliance standards.
If companies got 70% of their payment security basics right, they could probably eliminate 70% of the data breaches, King says. Among these basics are no-brainers such as using strong passwords, installing security patches (software updates) and securing remote access (accessing merchant payment systems from outside business premises).
Marshall believes you need to take responsibility for your own data protection. About 70% of card fraud happens in face-to-face situations in which you hand over your card to pay for something. "The ironclad rule is: never lose sight of your card." Another obvious precaution, Marshall says, is to check your bank statements regularly so you can spot fraudulent activity.
As more companies comply with PCI data security standards, fraudsters will follow the European trend and move to customer-not-present activities, Marshall predicts.