NAIROBI, Kenya, Dec 13 – Entities offering e-commerce services online will soon be required to have their virtual systems audited annually, if a proposal by the Ministry of Information and Communication is approved by the Central Bank of Kenya (CBK).
If the proposal goes through, corporates or individuals that store, transmit or process credit cardholders’ data will be required to comply with the Payment Card Industry Data Security Standard (PCI DSS), which is the global benchmark for security.
“PCI DSS would force, practically, everyone offering services through the virtual networks to make sure that every year they have done an audit of that system. We would hope that CBK would move forward with this proposal in order for us to improve security,” Ministry of Information and Communications Permanent Secretary Bitange Ndemo said.
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
The standard provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.
The Information Permanent Secretary was speaking during a banking security conference on Tuesday that drew players in the ATMs, cards and mobile banking markets from the East African region.
The ministry has already embarked on a Cyber Security Master Plan with the United States Trade and Development Agency (USTDA) that will be ready for implementation by April next year.
The National Cyber Security Master Plan will provide a framework for the government to defend and secure its digital infrastructure, as well as recommend minimum cyber security standards for Kenya’s private networks.
The master plan, Ndemo noted, will establish the Public Key Infrastructure (PKI), which will require $4 million to implement and will create virtual identities for all parties carrying out transactions online.
“We will begin implementation of the PKI in the coming year to make sure that we have safeguarded the interests of our customers in this country,” he said.
However, Ndemo said that once the PKI framework is in place, the lack of a structured physical address system in the country will present challenges in providing traceability, especially for individuals who have been involved in fraudulent crimes.
“Physical address is a big issue. We have requested postal corporation to begin to use GPS locations. We’ll begin from estates that are identifiable. But when it comes to places like Kibera it becomes a headache,” he said.
High dependence on technology has been identified as one of the major risks facing commercial banks in East Africa, according to a PricewaterhouseCoopers (PwC) Kenya survey conducted on 33 banks in Kenya, Rwanda, Uganda, Tanzania and Zambia earlier this year.
Banks in the region often have to keep up with technology upgrades to keep customers satisfied. However, a lack of adequate training on how to secure the activities that occur at ATMs, using cards and mobile banking methods, is a major challenge.
A report released by Deloitte earlier this year indicated that bank fraud more than tripled in 2010, to approximately Sh3 billion, compared to 2009, with the methods of fraud ranging across different platforms.
Credit card usage grew marginally to 117,835 from 111,383 as at June 2010, with the value of transactions increasing by 26.40 per cent to Sh555.2 billion.