The only thing that came out of the preposterous press conference held by social development minister Bathabile Dlamini on March 5, was that the government would definitely be paying grants come April 1.
But correspondence included in Cash Paymaster Services’ responding affidavit, filed with the Constitutional Court on Tuesday, indicated that this is certainly not the “done deal” referred to by the minister.
Understanding card software
The Sassa cards have two chips, or applications, on them. The EMV chip (which stands for Europay, Mastercard and Visa – the three companies that created the standard) allows the card to be used on the open loop – the National Payment System using the Grindrod bank account linked to the card. This means when you present the card at an “on-line” ATM or point-of-sale the EMV chip allows you to transact securely and in real-time.
The expiry date printed on the outside of the card, on the magnetic strip on the back of the card, and embedded in the EMV chip, are all the same – 31 December 2017.
The second application is the proprietary Net1 UEPS chip. This is the portion developed by Net-1 that supports biometric (fingerprint) verification and “offline” payments and withdrawals. In effect, Net-1 developed a “smart card” that acts like a bank account. The chip holds a wallet, or ledger if you will, that keeps track of transactions even when “offline” at Net-1 supported POS and ATMs. The card together, with the eco-system Net-1 provides in these isolated parts of the country where connection to the NPS is difficult or impossible, is the real value proposition Net-1 offers Sassa.
UNDERSTANDING NET-1’S UEPS TECHNOLOGY
Our native U.E.P.S. technology is designed to provide the secure delivery of these products and services in the most under-developed or rural environments, even in those that have little or no communications infrastructure.
Unlike a traditional credit or debit card where the operation of the account occurs on a centralized computer, each of our smart cards effectively operates as an individual bank account for all types of transactions.
All transactions that take place through our system occur between two smart cards at the POS as all of the relevant information necessary to perform and record transactions reside on the smart cards.
The transfer of money or other information can take place without any communication with a centralized computer since all validation, creation of audit records, encryption, decryption and authorization take place on, or are generated between, the smart cards themselves.
Importantly, the cards are protected through the use of biometric fingerprint identification, which is designed to ensure the security of funds and card holder information.
Source: Net-1 website
Along with the card’s EMV expiry, the UEPS software also has a termination date embedded in it which is set to expire on March 31, 2017. It is this expiry date that poses the biggest challenge to ensuring the cards work on April 1, 2016. There appears to be only two ways to solve this problem – replace the close to 10 million cards in issue before the expiry date, or update the software.
In CPS’s letter to Sassa, dated May 24, 2016, Net1 CEO Serge Belamant tells Sassa about this problem: “..the UEPS portion of the card software also terminates after five years. This portion was, and remains, critical to provide both biometric verification as well as offline payments (rural areas).”
Further along in the letter, it says: “Without updating these cryptographic keys, the cards would simply not be accepted by any acquiring bank or funds created for payment at mobile pay points.”
Belamant, in the same letter, rather chillingly writes: “I am extremely concerned that if this issue is not resolved within the next few weeks, we will run out of time and it may simply become impossible to extend the life of many cards which will result in major disruptions throughout the country.”
In his follow-up letter to Dlamini dated December 9, 2016, Belamant again refers to the technical issues of extending payments past the end of March. He also refers to a software update the company has developed for the update of the UEPS cryptographic key sets that would require specialised terminals at all Sassa branches, the hiring of new staff, and training in order to begin updating the cards.
But Belamant’s best guess scenario is that only 50% of the cards would be updated by April 1. “As a countermeasure, we have developed software that will allow for the update of the cryptographic key sets as required by MasterCard and UEPS. This step requires the roll out of specialised terminals in all Sassa branches and the employment of a minimum of 400 staff members. 400 Sassa branches need to be upgraded with the necessary hardware, terminal software and provided with staff training. We understand that this plan will not resolve the problem in its entirety by April 1, 2017, as not all beneficiaries’ cards can possibly be updated by this date. The problem, however, will be alleviated to some extent as we believe that 50% of all cards could be updated by April 1, 2017.”
But, to extend the life of the cards that cannot be updated through CPS/Sassa channels, Belamant refers to a number of “supplementary options” that could be used for “a limited period” that would weaken security including introducing risks like “financial risk, systemic risk, reduced card acceptance at merchant stores and possible fraud”.
These supplementary options are also only possible if a number of conditions are met. At the conclusion of the letter, Belamant gives Sassa a deadline of 19 December, 2016, to “ensure these plans can be implemented timeously to avoid disruption to the payment of grants….”. As we know, that deadline came and went, and the parties only formally met on March 1.
Moneyweb therefore approached various affected parties including Grindrod, the Payments Association of South Africa, MasterCard and Net-1 for an update on what progress was being made to ensure the cards remain functional post March 31 and if there is still a risk they won’t be, what plans are in place to mitigate the fall-out.
Mastercard’s response: “Should CPS be contracted by Sassa from April 1, the Sassa debit cards will continue to be fully operable at all Mastercard acceptance locations (ATMs and at Point of Sale) until they expire on 31 December, 2017. We can also confirm that it is possible to extend the lifespan of the Mastercard debit cards used for social grant disbursements from January 1, 2018, onwards, providing that Grindrod Bank secure the necessary approvals. The safety and security of these cards will remain consistent, as they will continue to be chip and PIN online transactions.”
But there seemed to be confusion around how the Net-1 and EMV chips worked together on both the National Payment System (“open loop”) and the closed system (CPS). Specifically, some parties were under the impression the Net-1 application was not necessary for the cards to connect with and work on the National Payment System, which directly contradicts what Belamant was saying to Sassa. Grindrod didn’t say much, but confirmed to us they had inquired with CPS and had been told the software updates had been completed that would allow the cards to continue to work.
CPS did not respond to multiple requests to discuss the matter and provide information on how and to what degree the software updates have been completed. Shouldn’t someone be verifying this and testing the assertions that CPS will, in fact, be able to effect transfers so that beneficiaries will be able to access and transact with them?
This remains to be seen.