The days are long gone when you could protect your bank accounts simply by keeping your PIN safe, says PayGate IT director David Beukes – these days the business of security is a lot more complex and best left to experts.
“We all instinctively believe that if something is close to us, it’s under our control and secure,” he says. “But as financial transactions have become more complex and abstract, the balance has shifted: it’s now safer to entrust sensitive information to a reliable third party and keep it at arm’s length.”
He says the rise of personal password vaults is a good example: “Nowadays we all have so many logins and passwords that it’s impossible to remember them all. Many people are tempted to have just one or two passwords and use them everywhere, but that’s a security nightmare waiting to happen. Instead it’s better to use a password manager like LastPass or 1Password, which can generate and store complex passwords easily.”
In the same way, he says, “we want the lowest possible number of people to have access to our credit card details. The technology and processes needed to keep this information secure are complex and expensive: only banks, specialist payment gateways and very large retailers can afford it.”
The lesson for almost all online retailers, he says, “is don’t try to do it yourself. Don’t process your own payments, and don’t ever let customer card details pass through your own servers. Rather integrate with a payment service provider you can trust to keep that information secure – and delete it promptly when they no longer need it.”
Compliance with the global Payment Card Industry Data Security Standard (PCI DSS) is the current gold standard, he says. “South Africa’s banking system is sophisticated and our banks take security very seriously – at PayGate it’s notable that the banks have been following up with us on our levels of PCI compliance, conducting audits and beefing up their own internal security teams. This is all a very good sign.”
For consumers, he says, “the lesson is to deal only with online retailers who are either PCI compliant themselves – which is only possible for the very largest organisations – or hand off all their transaction processing to a PCI-compliant service provider. Nothing is ever 100% secure, but that is the best protection available.”