POPI and PCI – do you know how to ensure your personal information is safe?
How many times have you given some stranger on the phone your date of birth to “verify” your account “before we can proceed”? How many times have you had to give a copy of your ID to the bank, or a letter from your accountant, to open a store account?
But just how safe is all this personal data we are sending ?
I am not referring to the NSA, who has nothing better to do than know what we ate for lunch on Tuesday. I am referring to the various service providers we use regularly and simply trust to have taken the correct precautions to protect our personal info.
Without putting on the tin-foil hat of conspiracy theories, how many times does a retailer need to have a copy of our ID which we faxed for the 14th time? What have they done with the other 13 copies we sent them? We seem to be faxing “3 month bank statements” to everyone and how do we know that only the authorised people see this info and not anyone walking past the fax machine?
Let’s be honest – lately we have seen more and more security breaches at high-profile companies. We only need to look at some of the recent headlines to realise that we should worry (at least a little bit):
- The City of Joburg website that was “hacked” in August 2013, where the “master hacker” simply took the URL of his own invoice and added 1 to the invoice number, and there were another person’s personal details. Not much of a hack, more a design flaw in the City of Joburg website, which exposed anyone’s info to anyone who cared to try. (story here)
- The Sanral e-toll site allowed anyone to look up any motorist’s personal info with a simple refresh of the screen. Again, a design flaw in the system, but exposed info nonetheless. (story here)
- What was described as one of the worst breaches of customer card data in the country’s history, when malware was inserted into point-of-sale devices at South African fast-food outlets. Banks lost millions. (story here)
- A former City broker blew the whistle on Barclays bank, which had exposed 27000 client files containing passport numbers, national insurance numbers, earnings, savings, health issues and policies. (story here)
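The first two headlines are the same design flaw: the server trusts the record number in the URL and never checks that the record belongs to the logged-in user. The following is an added example, not code from the article or from any of the sites named: it models that flaw beside the ownership check that closes it, and runs a small detector over constructed access-log lines to flag the sequential-ID pattern such browsing leaves behind (all names and data are invented).

```python
# Added example (not the article's code): object-level authorization and a log check.
from collections import defaultdict

# Constructed sample data: invoice id -> (owner account, amount in rand)
INVOICES = {
    1001: ("alice", 350.00),
    1002: ("bob", 1200.50),
    1003: ("carol", 99.99),
}

def get_invoice_vulnerable(session_user, invoice_id):
    """Flawed design: trusts the id in the URL and never checks ownership."""
    return INVOICES.get(invoice_id)

def get_invoice_hardened(session_user, invoice_id):
    """The record must belong to the logged-in user. A missing record and
    someone else's record get the same answer, so ids are not revealed."""
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != session_user:
        return None
    return record

# Constructed access-log lines: "client_ip session_user GET /invoice/<id> status"
ACCESS_LOG = """\
10.0.0.5 alice GET /invoice/1001 200
10.0.0.5 alice GET /invoice/1002 200
10.0.0.5 alice GET /invoice/1003 200
10.0.0.9 bob GET /invoice/1002 200
"""

def find_sequential_enumeration(log_text, min_run=3):
    """Return users who fetched a run of >= min_run consecutive invoice ids."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].startswith("/invoice/"):
            continue  # ignore lines that are not invoice lookups
        seen[parts[1]].append(int(parts[3].rsplit("/", 1)[1]))
    flagged = []
    for user, ids in seen.items():
        ids = sorted(set(ids))
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(user)
                break
    return flagged
```

In a real deployment the ownership check belongs on every record-by-id endpoint, and the detector would run over the web server's own access log rather than the constructed lines above.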
To address data theft and reduce our exposure, there are two acronyms we need to be aware of: POPI and PCI.
Bring on POPI
What we need is for service providers to be held responsible for our data. This will hopefully be achieved with the implementation of the Protection of Personal Information (POPI) bill, under which service providers have to account for the type of information they are collecting about us, why it is being collected and how they will protect this sensitive info. The definition of “Personal Information” is wide and can include anything from your name to your ID to your biometrics, and even your health status and your family situation.
Are you PCI compliant?
We all use our credit cards in retail stores or online, and at best we look for that little lock showing that the site is secure. This is not good enough. What we need to do is look more carefully at the companies that deal with credit cards and see if they are PCI DSS 2.0 compliant. This stands for Payment Card Industry Data Security Standard, a standard that governs how cardholder data is transacted, processed and stored on any platform.
In other words, a retailer that is PCI DSS compliant has been audited by an independent Qualified Security Assessor, such as Trustwave, who determines that the company is indeed secure and has the hardware, software, processes and procedures to be responsible with your transactional data.
Trustwave has a meticulous audit process whereby systems are probed to ensure that security controls have been implemented to protect payment card data. Unfortunately, achieving real security and earning this certificate is both a costly and an intensive process that most are not able to complete without making significant changes to their business. This leaves us, the customers, somewhat at risk.
Recognising that companies have a need (and an obligation) to be secure but might not have the resources to go through the certification process, iGroup, a South African eBusiness solution provider, embarked on the journey over 3 years ago to become PCI compliant. The aim was to provide their customers with a platform that they could simply use, thereby inheriting the compliance and not falling foul of the law.
iGroup passed Trustwave’s audit and was issued a compliance certificate in December 2013.
Andrew Kirkland, Trustwave Regional Director in South Africa explains: “PCI DSS compliance is only achieved once a company conforms to a rigorous 12-step process. We congratulate iGroup for taking this essential step in improving its security posture. This achievement also assists iGroup in laying the foundation to address the requirements of the Protection of Personal Information (POPI), a new law imminent in South Africa, designed to protect personal information.”
iGroup has developed the zeroPoint platform which is an enterprise-grade framework allowing companies to choose modules that they require to run their business securely. Modules range from real-time debit card billing to coupons & vouchers to CMS to eCommerce to workflow. Modules are extendable and can be integrated with current business processes and existing software such as SAP and other applications for a 360° eBusiness solution. Essentially zeroPoint is a multichannel ecosystem that enables companies to manage their eBusiness in the online and mobile space.
According to Marc Seymour, CEO of iGroup, one way to improve data security is to help ensure that service providers or third parties are PCI DSS compliant as well: “For businesses, complying with PCI and POPI means taking the correct steps towards improving their security posture and that better controls are in place to help secure consumer data. For the consumer, working with such a company provides more assurance that their personal data will be processed and managed in a secure manner.”
In addition to PCI DSS compliance and POPI readiness, the iGroup zeroPoint platform and hosting environments adhere to the Electronic Communications and Transactions Act (ECT) and Consumer Protection Act (CPA).
We live in an information age where we worry only about our usernames and passwords, thinking these are the keys that protect us. I’m afraid we are wrong. Hackers have so many usernames and passwords that they can’t even be bothered to sell them; a far more profitable commodity is building a full profile of you and your purchasing habits and selling that.
In an outsourcing, cloud-using, Software-as-a-Service world, the route that iGroup has gone makes sense. iGroup’s zeroPoint is the outsourced platform that takes away all the headaches of compliance in one easy step. Companies such as the Apple iStore, Incredible Connection and Volpes are already active customers using zeroPoint to run their eBusiness.
Using a PCI compliant system will hopefully reduce the number of hacking headlines South African businesses will endure, and will even allow IT managers to finally have a good night’s sleep knowing that all our info is safe and not being sold on the Russian/Chinese black market.
More information: www.zeroPoint.co.za