In a bid to fight increasing card fraud, which is estimated to have cost $11.27 billion worldwide in 2012 (a 14.6% increase year-on-year)1, leading wireless data company, FastNet, announced it has achieved Payment Card Industry Data Security Standard (PCI DSS) compliance as a Level 1 service provider.
This follows recent stipulation by the Payments Association of South Africa (PASA) that all system operators and Level 1 merchants must adhere to PCI DSS by February 2014.
Duncan Ellison, New Business Manager at FastNet, says if a malicious person obtains sensitive card information from the systems that process card transactions, it is possible to perform fraudulent transactions with such information.
“The purpose of PCI DSS is to protect cardholder information and therefore minimise the likelihood of data compromises happening by ensuring the highest level of security for card transactions. Failure to comply with PCI DSS can expose entities dealing with card information to criminal cyber attacks and the reputational and financial risk that goes with such an attack.”
Ellison explains that PCI standards are set and maintained by the PCI Security Standards Council (PCI SSC) and that the PCI SSC is made up of representatives from the major international card schemes, ie, AMEX, Discover, VISA, MasterCard and JCB. “Each of these companies had their own standard and decided to come together to agree on an industry-wide best practice (PCI DSS) to mitigate the risk of card fraud.”
While the focus in South Africa has been for system operators and Level 1 merchants (generally the large multiple retailers) to be compliant with PCI DSS, PASA recommends that network providers (companies that carry card data over their networks) are subjected to a PCI DSS evaluation to assess the applicability of PCI DSS to their environment, says Ellison. “This is why FastNet not only performed the original evaluation, but also decided to pursue PCI DSS compliance – to make the compliance process easier for our clients.”
Depending on an entity’s classification or risk level, a qualified security assessor (QSA) may be required to perform on-site security assessments for verification of compliance with PCI DSS. The QSA takes a large number of factors into account when doing an assessment, including but not limited to: the physical security of credit card information at the till; where the card numbers are stored; the security of the card numbers; whether the terminal equipment is easy to hack; and whether others can easily hack into the network and see credit card data passing by, says Ellison. “The PCI assessment process refers to 12 requirements that in practice, translates to over 350 questions to which the merchant must provide detailed responses.”
To ensure PCI DSS compliance, FastNet undertook actions such as introducing additional levels of firewalls and network monitoring; introducing internal staff procedures to limit the number of people that can access sensitive data; and introducing a quarterly procedure to scan its network internally and externally for weaknesses.
“In our opinion, the focus on PCI DSS compliance is long overdue in South Africa. We decided it was the right thing to do for our clients and their customers, especially as we carry a large percentage of the national credit card traffic,” concludes Ellison.