Why South Africa's R130bn e-commerce boom is attracting fresh cyber attackers
By Industry Contributor 31 March 2026 | Categories: news
Of the 37% of retailers accepting online orders in SA, too many think ‘compliance’ equals cybersecurity
By Martin Petrov, Chief Technology Officer, Payments Compliance at Integrity360
For e-commerce enterprises in a booming industry already worth more than R130 billion, it is tempting to view payments compliance as the finish line, a signal that a business is secure. In practice, compliance is only the starting point, and many businesses do not realise that.
Payment compliance provides a baseline security level, not a digital fortress. Standards are designed to raise the floor and eliminate obvious vulnerabilities, but they cannot cover every emerging threat or nuance. That is where organisations risk becoming complacent.
For South African businesses, that distinction matters more than ever. Online retail continues to grow, having reached a market value in excess of R130 billion in 2025 and capturing 10% of all retail sales. On average, 37.4% of all South African retail enterprises now accept online payments. For some, like those in accommodation, that figure rises to almost 70%, according to Statistics South Africa.
At the same time, fraud is an ever-present reality. SABRIC’s most recent report says card-related fraud continued to be dominated by Card Not Present (CNP) transactions, which made up 85.6% of gross fraud losses on South African-issued credit cards. True security demands a harder question than “Are we compliant?”. It demands: “Would this stop an attacker today?”
That answer demands understanding not just what a control requirement states, but why it exists. Compliance must be interpreted in context: against the weakest vendor, the most exposed system, and the riskiest business process. Too many breaches have exploited gaps that audits never covered because compliance became the ceiling, not the floor.
The costly supplier slip-up
One of the most persistent myths in payments is that using a reputable third-party provider means a merchant is automatically covered. In reality, outsourcing payment processing can significantly reduce compliance scope, risk and cost, but it does not eliminate them. There is still residual risk, and in many cases residual compliance responsibility too. Many businesses assume the provider has taken care of everything, when in fact the merchant environment can still affect the security of cardholder data.
This is especially relevant for merchants relying on SAQ A, which is often seen as the simpler route to PCI DSS compliance. SAQ A can significantly reduce the burden, but it does not mean the merchant has no responsibilities left. In many cases, the issue is not that the payment gateway itself has failed. The weakness sits in the journey leading to it. To use a simple analogy, the gateway may be the fortress, but the card data can still be intercepted on the way to the fortress if the merchant website has already been compromised. That is why merchants cannot afford to relax simply because a payment provider is validated and trusted.
One of the most urgent blind spots is the supply chain. Checkout pages often rely on multiple third-party tools, from analytics and marketing tags to chat widgets and embedded scripts. Each one can create another attack vector. Many merchants cannot clearly say what is running on their own payment page, whether supplier compliance attestations are current, or whether controls put in place a few years ago still reflect the reality of their environment today.
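The payment-page inventory this paragraph calls for, as an added example that is not from the article or from Integrity360: a small Python audit that lists every script element on a checkout page, flags any loaded from an origin outside an assumed allowlist, and flags third-party scripts with no integrity attribute. The first-party origin, the allowlist, the sample HTML and the integrity value are all constructed for the example.

```python
# Added example (not the article's or Integrity360's code): inventory the scripts on a
# checkout page and report ones a merchant has not authorised or cannot pin.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed values: the merchant's own origin and the origins it has authorised.
FIRST_PARTY = "https://shop.example"
ALLOWED_ORIGINS = {FIRST_PARTY, "https://pay.example-gateway.test"}

# Constructed checkout page: first-party script, pinned gateway SDK, an unpinned
# analytics tag from an unlisted origin, and an inline script.
SAMPLE_CHECKOUT = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://pay.example-gateway.test/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://tags.analytics.test/tag.js"></script>
<script>window.dataLayer = [];</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Records the src and integrity attributes of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def audit_payment_page(html, allowed=ALLOWED_ORIGINS):
    """Return (inventory, findings): every script seen, and the ones needing review."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            findings.append("inline script present: cannot be pinned, review its source")
            continue
        u = urlparse(s["src"])
        # A relative src is served by the merchant itself, so treat it as first party.
        origin = f"{u.scheme}://{u.netloc}" if u.netloc else FIRST_PARTY
        if origin not in allowed:
            findings.append(f"unauthorised origin: {s['src']}")
        if origin != FIRST_PARTY and not s["integrity"]:
            findings.append(f"third-party script without integrity attribute: {s['src']}")
    return parser.scripts, findings
```

Run the audit on a regular schedule against the live checkout page and diff the inventory against the last approved one; a new entry is exactly the change an attestation from two years ago will not tell you about.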
What good is a lock if no one checks the door?
One of the easiest traps for modern security teams is assuming that tools alone provide protection. But no matter how advanced the platform or how rigid the policy, it is people and processes that hold it all together or let it fall apart. This is especially true in payments compliance, where new platforms and integrations emerge faster than policies can adapt.
The same principle applies in physical retail. Point-to-point encryption is powerful technology, but it does not make operational controls optional. Criminals do not need to break the encryption if they can simply exploit the process around it. A convincing maintenance visit, an unchecked terminal swap, or a staff member trying to be helpful can undo the protection the technology was designed to provide. That is why terminal inventories, inspection routines, ID checks, work-order verification and staff training remain so crucial.
For South African businesses, the stakes extend beyond fraud losses. A serious payment-related breach can also trigger regulatory scrutiny and reputational damage. Under POPIA, responsible parties must promptly notify both the Information Regulator and affected individuals of a security compromise, and since 1 April 2025 those notifications must be submitted through the Regulator’s eServices portal.
Compliance is not the end of the story
The gap between being compliant and being protected has never mattered more. Payments compliance standards offer a necessary starting point, but they cannot keep pace with every new integration, supplier dependency, or emerging threat. Resilient organisations recognise this. They treat compliance as one layer in a broader strategy, one that includes human awareness, supplier oversight and operational discipline. The difference shows up not in the paperwork, but in the response to real threats. Because at the end of the day, it is not about being compliant. It is about being resilient.