PASA, the Payment Association of South Africa, discovered the breach earlier in the week.
This of course amounts to a direct breach of personal information which, once the Protection of Personal Information Bill (POPI) is enacted, would constitute a breach of various sections contained therein.
The company which processed the online transactions "serves a number of large online merchants", PASA said.
"The card data emanating from these online transactions seems to have been stored in a manner which does not meet the stringent security standards expected by PASA, the international card schemes and the banks," Volker, CEO of PASA said.
The 7th condition in POPI states that companies, or parties responsible for the processing of personal information, must have adequate security safeguards in place to protect the confidentiality, integrity and availability of the information under their control.
It still stuns me on a daily basis to realise that basic security flaws (physical and logical) are the norm across most organisations where the average consumer should at least have an expectancy of trust. Without even the barest amount of security there can be no privacy and without privacy, no trust.
Why does this still happen?
The answer is simple - many an organisation is still underspending on data / information security to save on its operational costs. Basic common sense however would lead you to realise that such "savings" would eventually lead to the company's downfall - from a legislative and more importantly, reputational perspective.
Although POPI is not yet enacted, KING III, the National Credit Act (NCA), the Consumer Protection Act (CPA), the Promotion of Access to Information Act (PAIA) as well as the Regulation of Interception of Communications Act (RICA) make provision for everybody's right to privacy and access to information as enshrined in the Constitution.
Until now, companies have been slow to implement and react to these responsibilities. With the formation of the Information Regulator in terms of the Protection of Personal Information Act (POPI), I sincerely hope that individuals, companies, organisations and government alike, who knowingly or unknowingly bear the responsibility of safeguarding citizens' and consumers' personal information, will justifiably be encouraged, and forcibly compelled, by the workings of POPI and the functions of its Regulator to pay due attention to their paramount duty: safeguarding what can in essence be regarded as the core DNA of any modern-day human, his or her personal information.