National Payment System Act, 1998 (Act No. 78 of 1998)

Notices

Directive in respect of Cybersecurity and Cyber-Resilience within the National Payment System

1. Definitions

1.1 In this directive,

 

1.1.1 critical service in the NPS;

 

1.1.2 compromise means a violation of the security of an information technology (IT) system;

 

1.1.3 cyber-attack means malicious attempt(s) to exploit vulnerabilities through the cyber medium to damage, disrupt or gain unauthorised access to assets;

 

1.1.4 cyber-event means any observable occurrence in an information system. Cyber-events sometimes provide an indication that a cyber-incident is actually occurring;

 

1.1.5 cyber-incident means a cyber-event that adversely affects the cybersecurity of an information system and/or the information that the system processes, stores or transmits, or which violates the security policies, security procedures and/or acceptable use policies of the payment institution, whether resulting from malicious activity or not;

 

1.1.6 cyber-resilience means the ability of a payment institution or an operator to continue carrying out its mission by anticipating and adapting to cyber-threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber-incidents;

 

1.1.7 cyber-risk means the combination of the probability of cyber-incidents occurring and their impact;

 

1.1.8 cybersecurity means the preservation of confidentiality, integrity and availability of information and/or information systems through the cyber-medium. In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved;

 

1.1.9 cyber-threat means a circumstance with the potential to exploit one or more vulnerabilities that adversely affects cybersecurity;

 

1.1.10 information asset means any piece of data, device or other component of the environment that supports information-related activities;

 

1.1.11 information system means a set of applications, services, information technology assets or other information-handling components, which includes the operating environment and networks;

 

1.1.12 information technology system means a set of hardware, software, network or other information technology components which is part of an IT infrastructure;

 

1.1.13 multi-factor authentication means the use of two or more authentication factors to verify the identity of a user or system;

 

1.1.14 payment institution means persons designated, authorised, registered or regulated under the National Payment System Act 78 of 1998 (NPS Act), including but not limited to clearing system participants, settlement system participants, third-party payment providers and system operators;

 

1.1.15 payment system Financial Market Infrastructure means a multilateral system among payment system participants, including the operator of the system, used for the purposes of clearing, settling or recording payments, and includes a systemically important payment, clearing or settlement system and a prominent payment, clearing or settlement system;

 

1.1.16 operator means an operator of a payment system, including payment clearing house system operators, operators of settlement systems and the operator(s) of payment system financial market infrastructures (FMIs);

 

1.1.17 senior management means the chief executive officer or the person who is in charge of a payment institution;

 

1.1.18 sensitive information means information where loss, misuse, or unauthorised access to or modification of could adversely affect the public interest, a payment institution or the privacy to which individuals are entitled;

 

1.1.19 vulnerability assessment means a systematic examination of an IT system, including its controls and processes, to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures and confirm the adequacy of such measures after implementation.