PayGate has confirmed that it was the company behind the breach of credit card details for several hundred thousand South Africans.
The security breach occurred because the IT company, which processes credit card transactions for online retailers, including Woolworths, did not encrypt these details correctly.
As a result, the information was hacked and the card details of an undisclosed number of card-holders were accessed.
Peter Harvey, founder and managing director of PayGate, was not immediately available for comment.
Customers from all four major banks and Woolworths are affected, but at this stage financial losses are small, the banks say.
“There is no need for undue concern,” said Walter Volker, CEO of the Payments Association of South Africa (PASA). “A limited number of card details were accessed.” PASA, together with Visa, MasterCard and the major banks, has acted fast to prevent further leakage of card details.
However, Volker urged all card users to report any suspicious transactions to their banks for urgent investigation.
The banks have adopted different strategies to deal with the matter. Absa is contacting all of its clients whose details were compromised and is delivering new cards to them free of charge. This is according to a customer who was contacted by the bank on Thursday.
Standard Bank has ring-fenced the cards that may have been impacted and has placed them under a heightened level of monitoring to detect unusual or fraudulent activity, said Sugendhree Reddy, head of personal markets at Standard Bank SA. “Should fraudulent transactions occur on any of these cards, cardholders will not be exposed to any losses and Standard Bank will replace the cards of affected customers.”
Nedbank Card clients have been refunded and reissued with new cards where fraud losses have been reported, said Rene de Villiers, head of Risk at Nedbank Card. “The number of reported incidents is limited and our systems are proactively monitoring card transactions routed via the third party processor.”
Similarly at FNB, should fraudulent transactions be perpetrated on any of these cards as a result of the data compromise, cardholders would not be exposed to any losses.
The situation came to light in the past few days, Volker said, but the security breach has been in existence for some time already. “An IT company that processes payments on behalf of a large number of online merchants did not store the card data emanating from these online transactions correctly. There are stringent security standards expected by PASA, the international card schemes, and the banks, and they did not adhere to these.”
The breach is similar to an incident that occurred in Europe in March this year, where the credit card details of 1.5m Visa and MasterCard customers were acquired by hackers.
In that case, however, those compromised were people who had paid for a New York City cab ride in the weeks preceding the hack. In this case, those compromised are all online shoppers.
The South African payments environment is well developed with sophisticated fraud and risk management systems in place. Which just goes to show – one tiny hole can weaken the entire system.
“We will definitely step up our oversight role,” said Volker. “The systems are in place, we will take steps to ensure that everyone in the system is compliant.”