TechCentral revealed on Tuesday that South Africa’s banks have suffered tens of millions of rand in losses due to a major breach of customer card data by criminal syndicates that infected electronic point-of-sale (POS) devices using a variant of a malicious software tool called Dexter.
The malware infected POS terminals in a wide range of fast-food retailers and restaurants, prompting the Payments Association of South Africa (Pasa) and banking risk information centre Sabric to involve the South African Police Service, Interpol and Europol in an investigation.
Pasa has now issued a statement about the data breach, seeking to reassure banking clients that their money is safe. A full, slightly edited copy of the statement is pasted below. TechCentral’s original article is here.
Pasa, international card schemes Visa and MasterCard, and South Africa’s major banks are aware of a data compromise at a number of South Africa’s restaurant chains and franchises.
As a result of the compromise, card details were accessed by an unauthorised international organisation through custom-written virus software. Immediate steps have been taken to secure the relevant systems and to prevent further leakage of card details.
The industry has taken immediate and proactive steps to identify the extent of the potential exposure, clean up confirmed sites with effective custom antimalware software and carefully monitor transactions on the cards involved in order to detect possible unusual activity.
Pasa is working with the banks and the card schemes to implement immediate measures to block the potential exposure of card data and bring merchants to a state of full compliance to the Payment Card Industry Data Security Standards, or PCI DSS. There is certainly no need for concern by cardholders. It is important to be aware of the fact that the issuing and acquiring banks in the South African payments environment all have very well developed and sophisticated fraud and risk management systems in place and that monitoring of any heightened levels of potential fraud which might result from this would be a normal activity with no need for additional systems.
Pasa and the acquiring banks have actively been working with the industry to ensure that all companies that process card transactions implement and comply with PCI DSS.
It is left to individual banks and card issuers, however, to decide whether they would be contacting their customers with a view to replacing any cards that might have been exposed, or rather to place these cards on a heightened level of monitoring before any action is taken.
There is no need for undue concern by cardholders. However, all card users should report any suspicious transactions to their banks for urgent investigation.
Should fraudulent transactions be perpetrated on any of these cards as a result of the data compromise, cardholders would not be exposed to any losses – as is the case under normal circumstances.
Cardholders who have any general concerns or are suspicious of any transactions appearing on their card statements or of which they are alerted though their SMS or e-mail “in-contact” service should contact their bank directly and immediately.