Current electronic payment systems are, in most instances, inherently vulnerable to on-going cybercrime. This means that South African merchants may find themselves exposed to cyber theft if security measures are not improved.

This is the opinion of Vaughan Alexander, executive for Payments at Innervation.

“Following the widely publicised point-of-sale security breach caused by malware Dexter in South Africa last year, which cost the industry millions of rands, the Payments Association of South Africa (PASA) mandated that all level one merchants and switching providers be Payment Card Industry (PCI) DSS security compliant by the end of February 2014,” he says.

Innervation successfully completed all standards set out by the PCI Security Standard Council and has achieved full level one PCI compliance. The company is now equipped to lower the risk of breach and data compromise, offering retail customers the highest level of security standards as required by PASA and international regulatory payment bodies such as MasterCard, Visa, American Express, Discover and JCB.

“The result of the Dexter compromise was that merchants had to spend a huge amount of time, effort and money to protect the sensitive information they process, store and transmit to avoid future security breaches. One of the biggest travesties around PCI compliance is that the local industry has never been in a position to protect its customers’ information at the most vulnerable stage, which is at the point-of-sale interaction,” he says.

Ahead of the curve
In addition to being PCI compliant, Innervation is bringing to market a point-to-point encryption solution that enables even greater security in client payment processing.

This new standard, recently published by the PCI Security Standard Council, transmits transactional information securely between the in-store payment hardware and a secure data centre, making the data useless to cyber criminals. This, says Alexander, is currently being piloted by select retailers and banks, and will soon be introduced by Innervation to the broader South African market.

“By using point-to-point encryption devices, one automatically reduces the scope of PCI compliance requirements since it protects not only the card PIN but also all other sensitive card data. PCI will always be relevant when dealing with card payments as there are still processes that need to be in place to secure the storage, transmission and retrieval of card information,” he says.

Although the penalties for non-compliance are still unclear at this stage, the larger retailers are driving programmes to ensure they adhere to PCI compliance standards. “As a benchmark, PCI is fairly broad in terms of IT security, which means few retailers are adequately prepared. However, there has definitely been a shift by large retailers when it comes to moving to PCI compliance and laying the required foundations,” he says.

Alexander is confident that South Africa is still ahead of the rest of the world when it comes to card security, especially EMV-based chip and PIN transactions.

In the end, this is good news for consumers, especially when one considers that around 70% of South Africans still perform expensive cash-based transactions. As the cost difference between using cash and card payments declines, electronic transactions become significantly cheaper over time.

“More consumers will start to trust electronic transactions as payment mechanisms become cheaper, more secure and convenient. We predict the industry will evolve to a point where retailers will no longer have to worry too much about PCI compliance because the bulk of the compliance burden will instead be placed on payment service providers and the banks.

“This will mean that retailers can focus on what they do best, rather than concerning themselves with IT security and transactional compliance standards,” he says.