As South Africa’s e-commerce sector surges past R130 billion (over $7.7 billion) in 2025 — capturing nearly 10% of all retail sales — many businesses are treating payment compliance as the final tick-box for security. However, this mindset poses significant risks, according to Martin Petrov, Chief Technology Officer for Payments Compliance at Integrity360.
Petrov cautioned that while payment compliance standards, such as PCI DSS, provide an essential baseline, they are far from a complete defence against evolving cyber threats. “Compliance raises the floor and eliminates obvious vulnerabilities, but it cannot cover every emerging threat,” he said. “True security requires organisations to ask a harder question: ‘Would this actually stop an attacker today?’”
South African online retail has grown rapidly, with 37.4% of retail enterprises now accepting online payments on average, a figure that climbs to nearly 70% in the accommodation sector, according to Statistics South Africa. Yet this expansion has coincided with persistent fraud. Card Not Present (CNP) transactions, in which the card is never physically presented to the merchant and the checkout page is the only point of contact, account for 85.6% of gross fraud losses on South African-issued credit cards, as reported by the South African Banking Risk Information Centre (SABRIC).
Petrov highlighted several dangerous blind spots. One common myth is that outsourcing payments to a reputable third-party provider fully absolves the merchant of responsibility. In reality, residual risks remain, particularly in the merchant's own environment. Even merchants eligible for the simplest self-assessment route, SAQ A (where card data is handled entirely by a PCI DSS-validated provider via a redirect or embedded iframe), retain important obligations, especially because a script injected into the merchant's own checkout page can capture card data before it ever reaches the provider's secure payment gateway.
He pointed to supply chain vulnerabilities as another urgent concern. Modern checkout pages often incorporate multiple third-party scripts, analytics tools, chat widgets, and marketing tags — each potentially creating new attack vectors. Many businesses lack full visibility into what is running on their payment pages or whether supplier compliance remains current.
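The "what is actually running on our payment page" question above, and the earlier point that an SAQ A merchant's own checkout page can leak card data before the gateway sees it, both come down to a script inventory: PCI DSS v4.0 Requirement 6.4.3 expects every script loaded on a payment page to be authorised, inventoried with a justification, and integrity-protected. The check below is an added example, not code from the article or from Integrity360. It assumes a hypothetical merchant origin (shop.example.co.za), a hypothetical gateway and analytics host, a constructed approved-script list, and a constructed checkout page in which a chat-widget loader has appeared that nobody approved.

```javascript
// Added example (not from the article): a minimal payment-page script
// inventory check in the spirit of PCI DSS v4.0 Requirement 6.4.3.
// Rule 1: every <script src> must appear in the approved inventory.
// Rule 2: every cross-origin script must carry a Subresource Integrity hash,
//         so a silently modified third-party file fails to load.
// All hosts, paths and hashes below are constructed for illustration.

const MERCHANT_ORIGIN = "https://shop.example.co.za"; // hypothetical

// Constructed inventory: what the merchant has reviewed and authorised on the
// checkout page, with a business justification for each entry.
const APPROVED_SCRIPTS = [
  { src: "https://shop.example.co.za/static/checkout.js", purpose: "checkout form logic" },
  { src: "https://pay.example-gateway.com/v1/hosted-fields.js", purpose: "gateway hosted fields" },
  { src: "https://cdn.example-analytics.com/tag.js", purpose: "marketing analytics" },
];

// Pull <script src=...> tags (and any integrity attribute) out of raw HTML.
// A regex is adequate for the tag shapes used here; a production scanner
// would fetch the live page and walk the DOM instead.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline scripts are outside this check's scope
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    scripts.push({ src: src[1], integrity: integrity ? integrity[1] : null });
  }
  return scripts;
}

function isCrossOrigin(absoluteSrc) {
  return new URL(absoluteSrc).origin !== MERCHANT_ORIGIN;
}

// Returns a list of findings; an empty list means the page matches the inventory.
function auditCheckoutPage(html, approved = APPROVED_SCRIPTS) {
  const allowed = new Set(approved.map((s) => s.src));
  const findings = [];
  for (const s of extractScripts(html)) {
    const abs = new URL(s.src, MERCHANT_ORIGIN).href; // resolve relative paths
    if (!allowed.has(abs)) {
      findings.push({ src: abs, issue: "not in approved script inventory" });
      continue;
    }
    if (isCrossOrigin(abs) && !s.integrity) {
      findings.push({ src: abs, issue: "third-party script without integrity attribute" });
    }
  }
  return findings;
}

// Constructed checkout page: an unapproved chat-widget loader has been added
// (the kind of change a compromised tag or rogue marketing deploy produces),
// and the approved analytics tag is loaded without an SRI hash.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://pay.example-gateway.com/v1/hosted-fields.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script src="https://cdn.example-chat-widget.net/loader.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>...</body></html>`;

for (const f of auditCheckoutPage(SAMPLE_CHECKOUT_HTML)) {
  console.log(`${f.issue}: ${f.src}`);
}
```

Run against the constructed page, the audit reports two findings: the analytics tag lacks an integrity attribute, and the chat-widget loader is not in the inventory at all. Running the same check on a schedule against the live checkout page, and alerting on any new finding, is a cheap first step toward the tamper detection that payment-page requirements now expect; it does not replace reviewing what an approved script actually does once it executes.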
“People and processes ultimately determine whether security holds or fails,” Petrov emphasised. He noted that even advanced technologies, such as point-to-point encryption in physical retail, can be undermined by weak operational controls — for instance, through social engineering tactics like fake maintenance visits or unauthorised terminal swaps.
Beyond fraud losses, a serious breach can trigger regulatory consequences. Under the Protection of Personal Information Act (PoPIA), organisations must promptly notify the Information Regulator and affected individuals of any security compromise. Since 1 April 2025, such notifications are required through the Regulator’s eServices portal.
Petrov stressed that resilient organisations treat compliance as the foundation of a broader security strategy, not the ceiling. This includes continuous supplier oversight, human awareness training, robust operational discipline, and a proactive approach to emerging risks.
“The gap between being compliant and being truly protected has never been more critical,” he concluded. “In today’s fast-evolving payments landscape, success belongs to those who move beyond paperwork and build genuine resilience against real-world threats.”