Payment Security in South Africa: A Discussion with Stakeholders
The PCI SSC Security Summit of South Africa, an online event, took place this week with more than 315 payment security practitioners from South Africa discussing the latest in payment security and standards. Here we talk with Jeremy King, PCI Security Standards Council VP and Regional Head for Europe; Naniki Imelda Ramabi, Chief Risk Officer, Payments Association of South Africa (PASA); and Sandro Bucchianeri, Group Chief Security Officer, ABSA, about payment security trends, highlights from the Security Summit of South Africa, and industry involvement opportunities for the region.
Why did the PCI SSC hold this Security Summit of South Africa?
Jeremy King: South Africa has long been a market the PCI SSC has been involved in, as it is a country with rapid growth in technology, e-commerce and mobile payment acceptance. Unfortunately, one consequence of this rapid growth is that South Africa has become a top target for cyber criminals. The PCI SSC held well-supported in-person events for payment stakeholders in Cape Town in 2017 and 2018. This year we hosted a virtual security summit that included discussions on a range of important payment security topics with key South African payment stakeholders, including the Payments Association of South Africa (PASA) and ABSA.
At the summit you provided an update on PCI Standards and Programs. What do you see as some of the most relevant initiatives for South Africa right now?
Jeremy King: The global pandemic has profoundly changed the way we live, work and pay for products and services. For our industry in South Africa and around the world, issues such as new and emerging threats, working remotely, remote assessments, and terminal cleanliness have been among the many challenges we have had to confront during this difficult time. The PCI SSC responded to requests for help by getting information on many of these topics out to our industry. Much of the discussion at our summit was around where we have been, where we currently are, and where we are headed when dealing with payment security.
The state of payment security during the COVID-19 pandemic was a key theme in discussions at the Security Summit of South Africa. What are some of the key threats and trends for the South African payment card industry?
Sandro Bucchianeri: COVID-19 has shifted most work and commerce environments online, which has created new and unique opportunities for criminals. According to a 2020 study by Accenture, South Africa has the third-highest number of cybercrime victims worldwide, losing approximately R2.2 billion (US$147 million) a year to cyberattacks. Those numbers are likely to get worse during the COVID-19 pandemic. The main reason for the dramatic uptick in cyber-crime is the growth in technology and the increased use of the internet and smartphones in South Africa. As more and more of South Africa begins to connect to the internet for the very first time, criminals will look to exploit new opportunities for attacks.
Naniki Imelda Ramabi: Technological advances as well as the global pandemic have led to a significant increase in e-commerce and mobile payments throughout South Africa. According to a November 2020 survey by McKinsey & Company, about 79 percent of South Africans have tried a new shopping behavior, and most intend to continue beyond the crisis. This has led to greater economic opportunities for online merchants, but at the same time has led to more threats and more cyber-attacks. According to the Accenture 2020 study, there was a 100 percent increase in mobile banking application fraud, and card-not-present (CNP) fraud on South African-issued credit cards remained the leading contributor to gross fraud losses in the country, accounting for 79.5 percent of all losses.
A panel of payment professionals shared experiences and insights on the current state of payment security and the future of payment security. What were some of the key takeaways?
Naniki Imelda Ramabi: One key takeaway was the importance of the transition from the Payment Application Data Security Standard (PA-DSS) to the PCI Secure Software Standard. The PCI SSC is retiring the PA-DSS program on Oct 28, 2022, and new payment applications will be accepted for PA-DSS validation only until June 30, 2021. These dates are very important for our industry as we move to a new, more dynamic program. Overall, the PCI Secure Software Standard, and its associated validation program, allow for improved flexibility to accommodate various software management approaches, streamlined assessment processes, and simplified listings management. It also expands program eligibility to payment software that is not eligible for validation under PA-DSS.
Sandro Bucchianeri: Software will be key to the future of payment security. Our industry has embraced many different and modern innovations for accepting payments. We’ve seen significant growth in the use of cloud services for e-commerce payments acceptance and third-party developers for developing mobile payment applications. Payments software has also gotten significantly more complex. As more and more organizations rely on third-parties for payment security services, it will be important to provide businesses a way to independently verify the security and protection of payment data.
We know you are all champions for greater training and education for payment professionals. What can be done in this area to increase the number of cybersecurity professionals within the industry?
Jeremy King: A well-trained and well-educated workforce is one of the very best defenses against cyber-attacks related to payment security. The PCI SSC operates programs to train, test, and qualify organizations and individuals who assess and validate compliance, in order to help merchants successfully implement PCI standards and solutions. The PCI SSC also qualifies payment hardware and software so that merchants can select and implement approved solutions for securing payment data and systems.
In 2020, the PCI SSC adopted a new eLearning platform to move all informational and certification programs online. Informational training is a valuable way for individuals to understand how to protect payments and learn how to effectively demonstrate that security requirements have been met. Our training offers a way for those who would like to increase their knowledge of a certain subject or standard, without the need to obtain certification. This training is a great fit for anyone who may want a deeper understanding of what the standards and programs entail or what to expect from an assessment. It’s also just a great way to stay current on what’s new in the payments industry. With simple and sophisticated cyber-attacks on the rise around the world, and especially in South Africa, training is more important than ever.
Naniki Imelda Ramabi: A shortage of cybersecurity professionals does not just impact the payments industry or South Africa; it is a global problem across all industries. In South Africa it is especially challenging. PASA hears frequently from business professionals about how recruiting to fill a cybersecurity position is increasingly difficult. It is a topic we continue to shine a spotlight on and will continue to address with our community. It is a problem that can only be solved by working together on innovative near- and long-term solutions.
Sandro Bucchianeri: Addressing the global shortage of cybersecurity professionals is an urgent challenge. The estimated shortfall of 3.5 million jobs worldwide provides a startling statistic and a unique opportunity to make a difference. This gap must be filled to support the projected growth of the world’s cybersecurity sector over the next couple of years, but the talent pool is simply not keeping pace. In South Africa, the problem is compounded, as those who are trained in cybersecurity do not stay, as they are headhunted by global counterparts for premium packages.
In South Africa we have the chance to contribute to tackling the global cybersecurity skills shortage while addressing the unemployment of our youth and, in so doing, making an impact on people and the societies in which we live.
To address its skills shortage, Absa has collaborated with the Maharishi Institute (MI) to set up the Absa Cybersecurity Academy. The programme is an externally focused, corporate social responsibility initiative aimed at empowering marginalised South African youth, who would otherwise not have had access to a tertiary education. The learners who participate become certified cybersecurity analysts.
In your role, a key focus is working to increase industry participation from South African stakeholders in the PCI Security Standards Council. What are some of the key opportunities for involvement?
Jeremy King: Our Participating Organizations (PO) program is a terrific starting point for organizations who want to be a part of the payment security community. Being a PO allows an organization to collaborate with others in the payment industry and have a voice in the development of our standards and programs. The heart of the PCI SSC mission is bringing together payment industry stakeholders to develop and drive implementation of data security standards and resources. For more information about becoming a PO, please review our PO brochure and visit our website.
The PCI SSC also recently launched a new Corporate Group Training opportunity that offers a great way to train your entire team at once on any of PCI SSC's 15 existing standards and programs. Corporate Group Training offers organizations the ability to learn directly from PCI SSC trainers, exclusively with the peers in their company. Our trainers offer instruction backed by hands-on experience assessing merchants and/or service providers. We offer most of our courses (qualification or informational) in Corporate Group Training format. Currently, these are eLearning courses organized as remote, instructor-led sessions tailored to fit your organization. When it is permissible, our trainers will come to you and deliver the classes at your facility. We have found that Corporate Group Training offers all the benefits of a typical class, and we can tailor the course to be convenient for your organization in whatever format works best for your needs. For more information on this exciting new program, please read our recent blog post or visit our website.