Credit card fraud is still rife in South Africa, but merchants and customers using credit cards still have some comfort in the knowledge that their transactions are protected by the Payment Card Industry Data Security Standard (PCI DSS). The key tenets of PCI DSS is to prevent fraud.
For example, it requires that if you are going to store credit card information, you cannot put it somewhere where there is easy access to it – it needs to be protected with password protection and other encryption and you cannot simply download a database and walk away from it.
“While this gives a level of security for anyone doing credit or debit card transactions, no prevention scheme is perfect,” says Karl Westvig, the CEO of Retail Capital, a company which provides working capital to businesses based on turnover data from their credit card transactions.
Generally, most payments online, if done through a legitimate company, are safe and PCI DSS compliant, and credit card details that are captured are encrypted. Where people run into problems is with phishing, where they give their details to illegitimate sites which collect details and use them in other transactions.
The PCI DSS relates specifically to debit and credit cards and the protection of names, card numbers, passwords and pins. It provides both a measure of compliance and of security to anyone dealing with credit cards through 12 compliance requirements, which include protecting stored cardholder data and having secure systems and applications. While the 12 steps are universal, Westvig says there may be different practical implementation in different environments.
“It is a global standard and any issuer or acquirer is subject to it,” he says. “Essentially, anyone who stores and transmits card information between parties and processes transactions has to comply with this one standard.”
The DSS rules are set by the big credit card associations like Visa, Mastercard, American Express and Discover. South African banks are issued licenses by these associations to be an issuer (who issues the credit cards) or an acquirer (who provides the actual credit card terminal) – they are already strongly regulated and therefore secure.
“It must be encrypted so if you are storing credit card information on a database, you shouldn’t use common passwords and should limit access,” says Westvig.
The code is updated all the time as new methods of bypassing security are discovered, e.g. the introduction of chip cards and authentication using pins in recent years after the older magnetic stripe technology was found not to be secure enough. “Now banks are moving to two-factor authentication, where you have to put in a one-time pin separately,” he says. “As they bring out new authentication processes like voice, fingerprint, or iris recognition, the PCI standards will be updated.”
Westvig says it is interesting to note that if an individual has done everything required and there is still fraud on their card, they can dispute it if any amounts are deducted from them. “The risk doesn’t always lie with the consumer,” he says, “although the banks may try to push it back to them.”
He adds that transacting online per se is not risky, as the end user should not be at risk if they have gone through the process as required. “But it is important that you know what a phishing site looks like. Call the company to ensure the site you are on is legitimate, look for spelling mistakes, see if the graphics are not as good quality as they should be and check if the website and email addresses look appropriate and legitimate.”
Being educated and aware applies equally to retailers, who in many cases end up losing in the process if they not implementing the proper procedure.