PCI DSS can be your PoPIA security blueprint

1 August 2020 Security Services & Risk Management

The Protection of Personal Information Act, 2013 (PoPIA), South Africa’s data privacy law, has come into effect and with 12 months to become compliant, those companies that aren’t acquiescent will definitely start feeling the pressure.

PoPIA is an important step in protecting data privacy as it stipulates that personal information must be protected and can only be collected or handled where there’s lawful justification for doing so. Put in laymen’s terms, PoPIA governs when and how organisations collect, use, store, delete and otherwise handle personal information.


Simeon Tassev.

For organisation, it poses quite a daunting task, and while there is still almost a year to become compliant, it will be no easy feat. The major challenge is that PoPIA requires the analysis of all personal information, therefore, where it came from and what organisations intend to do with it. It is a massive of amount of data that needs to be secured and analysed.

The good news is there is already a very mature standard in place that will provide organisations with tried and tested guidance on achieving PoPIA compliance and securing data. The Payment Card Industry Data Security Standard (PCI DSS), created by the Payment Card Industry Security Standards Council (PCI SSC) consists of 12 high-level requirements across six goals.

PCI DSS applies to all businesses that accept credit and debit cards and provides a myriad of standards and supporting materials such as specification frameworks, tools, measurements, and other resources. Ultimately, it presents the necessary framework for developing a complete sensitive data security process that encompasses prevention, detection, and appropriate reaction to security incidents.

Some of the requirements of PCI DSS can also be used to meet PoPIA compliance, such as goal number three: maintain a vulnerability management programme. Vulnerability management is the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.

PCI DSS offers extremely specific parameters and controls; in the case of PoPIA, the definition of ‘cardholder data’ will fall under personal information and security will be extended to include all this sensitive information.

The PCI DSS self-assessment questionnaires (SAQs) also offer important guidance as they provide organisations with relevant self-assessment on whether their customers’ data is safe and secure. The relevant SAQ can take you one step closer towards preventing data breaches and minimising liability.

The reality is a lot of the measures of PCI DSS pertain to protecting IT networks and systems such as firewalls, antivirus, security testing of system and security policies – these disciplines can be leveraged to move all personal information into a secure environment.

Lastly, the local industry already has a number of PCI DSS experts that have assisted South African companies to meet the requirements set by the standard. These organisations are proficient and will become invaluable partners in helping organisations navigate the move towards PoPIA compliance.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Meeting compliance obligations
Issue 7 2020 , Security Services & Risk Management
Helping businesses in SA understand and meet their compliance obligations to local regulations.

Read more...
The time for resilience is now
Issue 7 2020, Galix Group , Healthcare (Industry)
With healthcare receiving more funding and grants due to COVID-19, it’s become a (perceived) easy target for cyber criminals.

Read more...
Industrialisation or imperialism?
Issue 7 2020 , Security Services & Risk Management
4IR has to be a matter of national agenda; national economic and political sovereignty and national security - necessitating commensurate prioritisation.

Read more...
Password vulnerabilities in South Africa
Issue 7 2020, Kaspersky , Security Services & Risk Management
Research from Kaspersky has shown that people are putting their online safety at risk by making bad password decisions and simple password mistakes that may have far-reaching consequences.

Read more...
The greatest crime-fighting weapon is predictably
Issue 7 2020 , Security Services & Risk Management
Predictability fuelled by artificial intelligence (AI) and big data has the ability to reduce violent crimes by 25% by 2023 according to Aura.

Read more...
Monopoly: AI edition
Issue 6 2020 , Security Services & Risk Management
Due to the inherent nature of artificial intelligence (AI), AI-powered industries naturally tend towards monopolisation.

Read more...
eVisa solutions for Botswana
Issue 6 2020 , Security Services & Risk Management
Travelers to Botswana will soon be able to complete visa applications online and ease their entry into the country.

Read more...
Three steps to kick-start POPIA compliance
Issue 6 2020 , Security Services & Risk Management
Complying with data privacy, security laws and regulations can be a daunting task for any organisation.

Read more...
Digital evidence handling in the cloud
Issue 5 2020 , Security Services & Risk Management
Investigate Xpress is a free, cloud-based digital evidence management solution designed to make police forces more efficient and productive.

Read more...
The evolution of security in residential estates
Residential Estate Security Handbook 2020 , Editor's Choice, Integrated Solutions, Security Services & Risk Management
Two large estates discuss their security processes and the ever-expanding scope of responsibilities they need to fulfil.

Read more...