The local media recently reported a major security breach at a Cape Town-based ecommerce service provider. While the service provider’s name is not known, Ecentric Managing Director Mike Scott has confirmed that the service provider is not Ecentric.
According to reports, tens of thousands of credit card details (PAN, expiry date and CVV) were stolen from the service provider’s database.
Customers of Woolworths Cards as well as the customers of Absa and other banks have discovered unauthorised purchases on their accounts.
While the extent of the fraudulent use of this database is unknown, it has moved Woolworths to cancel its customers’ cards, and we can anticipate that the other banks are endeavoring to identify stolen card information and will be taking steps to minimize losses.
While this attack is bad news for the Payment Gateway service provider responsible, it also has a negative impact on the Ecommerce industry. It may prompt PASA (Payment Association of South Africa), which represents all the banks, to institute more stringent regulations in granting licenses to Payment Operators. It may also turn people away from using their bank cards on the internet.
Once the service provider is known and the method the hackers used to steal the cardholder data is known, the industry will need to take the appropriate steps.
At Ecentric, we take the threat of an attack like this very seriously. Three years ago, we were the first Payment Systems Operator in the country to achieve PCI DSS (Payment Card Industry Data Security Standard) certification. This certification required 100% compliance with 290 test cases. These range from complex firewall access to shredding of cardholder data, and all of us are aware of our responsibilities in regard to protecting cardholder data. But we don’t rest on the laurels of what we achieved 3 years ago: every 6 months the PCI DSS certification authority runs penetration tests to ensure that our defenses remain in place.
But irrespective of our PCI DSS certification, hackers are continually looking for ways to get in. They tend to target companies that do not have the required protection and to go for the easiest targets, which include companies that leave their databases less protected. While we hope that they will leave Ecentric alone, we can take nothing for granted, and all of you are urged to be vigilant and to discuss with your manager any concerns you may have or ideas on how we can tighten up our systems.
As Ecentric continues to build our Ecommerce and mobile business, safety and security become paramount. One breach can be enormously damaging to our customers’ brand and even more damaging to the Ecentric brand. Let’s use this close example of payment card fraud to sharpen our awareness and work hard to prevent it happening to us or our customers.