Digital Retail Africa 2023 hosted by IT News Africa - Carrie Peter speaks on Balancing User Experience and Security Compliance at Scale at the Digital Retail Africa 2023 conference. #retailtech #ecommerce #customerexperience #onlineshopping #securitycompliance
2. The cost of getting it wrong
Cyber incidents, data breaches and business interruption
• The average cyber incident costs an organisation $400,000
• ENS Africa Hit with Costs (R5.5 mil) for Online Security Hack
• Recent GDPR data breach fines and pay-outs:
• T-Mobile $350 Million pay-out - Personal data breach
• Equifax $700 Million pay-out - Personal data breach
• Interserve €5 Million fine - Insufficient technical and organisational measures to ensure information security
• Clearview AI - €20 Million fine per country - Insufficient fulfilment of data subjects' rights
• Meta Platforms - €405 Million fine - Non-compliance with general data processing principles
• https://www.enforcementtracker.com/
• Some companies have taken years to recover from data breaches
• Recovering from the reputational damage of a public incident
4. Your Opportunities
Getting it right from the start to prevent opportunities for fraud, abuse and data security violations
5. Digitizing from the first interaction
eSignatures allow processes that are usually paper based to be digitized from the start
6. Customers don’t have to feel the complexity of your need for identity certainty
Figure: Digital Identity in 5 steps, shown as the prompts the customer sees during onboarding:
• “Welcome, to sign this securely we need to verify you!”
• “Here’s your agreement, please keep this safe!”
• “We need to make sure it’s really you!”
• “The information in this agreement is private!”
• “Do we have your consent?”
Customers are more likely to grant consent for intrusive biometric verification as part of the onboarding process
7. Maximizing the value of a single interaction
eSignatures allow single touch interactions to enable multiple digital processes
8. Prevent fraud before it starts
Learn from our insurance customers’ experience
• Certainty of identity & non-repudiable contracting
• Propensity for fraud, credit checks, SIM swap & bank account verification
• Automation, auditability, AI driven processing & voice lie detection
• Manual validation, fraud investigation & evidence for prosecution
9. Integrations and platforms
Embedded and connected with subject matter experts
Microsoft Ecosystem
• Word
• Excel
• Outlook
• SharePoint
• OneDrive
• Adobe
Process Management
• Sybrin Onboarding
• AppWorks
• Oracle
• Salesforce
• SAP
• XDS
• Striata
Document Management
• Sybrin Nitro
• OpenText
• OnBase
• DocFusion
11. Credit Relevant Legislation Cases
Credit compliance spans several pieces of RSA legislation
The National Credit Act describes which particulars need to be included on every credit agreement.
Section 2.
(3) If a provision of this Act requires a document to be signed or initialled by a party
(a) an advanced electronic signature, as defined in the Electronic Communications Act, 2002 (Act No. 25 of 2002); or
(b) an electronic signature as defined in the Electronic Communications Act, 2002 (Act No. 25 of 2002), provided that-
(i) the electronic signature is applied by each party in the physical presence of the other party or an agent of the party; and
(ii) the credit provider must take reasonable measures to prevent the use of the consumer’s electronic signature for any purpose other than the signing or initialling of the particular document that the consumer intended to sign or initial.
Advanced Electronic Signatures are defined in the Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002) as:
• An electronic signature which results from a process which has been accredited by the Accreditation Authority.
Sections 37 and 38 of the Act stipulate the criteria for accreditation:
(Section 38.1) - The electronic signature:
• is uniquely linked to the signer;
• is capable of identifying the signer;
• is created under a means that can be maintained under the sole control of the signer;
• will be linked to the data or data message to which it relates in such a manner that any subsequent change of data or data message is detectable;
*Advanced Electronic Signature is the South African equivalent to QES
12. Consent & Agreement
The intersection of privacy and proof of intent
• Always keep a record of any consent, agreement or notification
• Don’t use consent where you should use a contract
• Don’t notify where you should get consent; always notify of data processing activities
• Provide a closed loop process where agreements cannot be altered
• Track signatory’s interactions with the agreement to prove intent
13. Contracting parties & Identity
Compliance and trust require that all parties are identified
• Ensure that both or all parties to a contract are identifiable, during and after the signing ceremony, for the contract to be valid
• Ensure that you know your customer or intended signatory
• Ensure that the agreement is only available to the intended signatory
• Layer controls to ensure that only the signatory can access and apply their signature
14. Restrict alteration after signing
Technical controls must be in place to ensure integrity
• Ensure that documents are stored in an immutable format, like PDF
• Digitally sign completed documents to prevent tampering
• Highlight any attempts at alteration or tampering after signing
• Provide technical proof of a document original with signing evidence:
  • Signatory identifying information
  • Annotations made during signing
  • Signing workflow or approvals
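The controls on slides 11 and 14 (a signature uniquely linked to the signer and to the document so that any later change is detectable, plus a signing-evidence record carrying signatory and workflow information), as an added example in Go using the standard library. This is not code from the talk or the speaker's platform; the record fields, the Ed25519 key and the sample agreement text are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SigningEvidence binds a completed document to who signed it, when and at which step; field names are this example's assumptions.
type SigningEvidence struct {
	SignatoryID string `json:"signatory_id"`
	DocSHA256   string `json:"doc_sha256"`
	Step        string `json:"workflow_step"`
	SignedAt    string `json:"signed_at"`
}

// SignDocument hashes the final document into the record and signs the record with the signatory's key.
func SignDocument(priv ed25519.PrivateKey, doc []byte, ev SigningEvidence) ([]byte, []byte, error) {
	sum := sha256.Sum256(doc)
	ev.DocSHA256 = hex.EncodeToString(sum[:])
	rec, err := json.Marshal(ev)
	if err != nil {
		return nil, nil, err
	}
	return rec, ed25519.Sign(priv, rec), nil
}

// VerifyDocument checks the record's signature, then re-hashes the presented document.
func VerifyDocument(pub ed25519.PublicKey, doc, rec, sig []byte) bool {
	if !ed25519.Verify(pub, rec, sig) {
		return false // record altered or not signed by this key
	}
	var ev SigningEvidence
	if err := json.Unmarshal(rec, &ev); err != nil {
		return false
	}
	sum := sha256.Sum256(doc)
	return ev.DocSHA256 == hex.EncodeToString(sum[:]) // any change to doc after signing fails here
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key under the signer's sole control
	doc := []byte("Credit agreement: 12 monthly instalments") // constructed sample
	rec, sig, _ := SignDocument(priv, doc, SigningEvidence{SignatoryID: "consumer-001", Step: "consumer-sign", SignedAt: "2023-07-01T09:00:00Z"})
	fmt.Println(VerifyDocument(pub, doc, rec, sig)) // true
	fmt.Println(VerifyDocument(pub, []byte("Credit agreement: 24 monthly instalments"), rec, sig)) // false
}
```

The verifier only needs the public key and the record, so the same check can be re-run by any party long after the signing ceremony.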
15. Provide proof of compliance
Proof of compliance is required from the sending party
• Understand consent and agreement requirements within existing processes and solutions
• Create secure consent, agreement and approval processes that do not allow for unintended intervention or alteration
• Provide technical proof of the signing process, workflow and signatory interactions
• Make technical audit trails easily understood through a Chain of Custody Certificate
16. Securely store records for legislated periods
Medical information is deeply sensitive and must be secured
• Understand what data must be kept for what period of time
• Ensure that communications around this data are sensitive and do not reveal anything that can be used to identify the patient, or prejudice them in any way
• Do not store data beyond its useful life or required period
• Destroy data that is no longer required
• Secure networks, systems and storage appropriately to prevent cyber incidents
17. Presenting a New Standard | Cloud Signature Consortium (CSC) Membership
► How can digital trust services lead the way for digital transformation in your region? And how can CSC play a role?
We hold a valued membership at the Cloud Signature Consortium, where we have seats on the Technical, Advocacy and Marketing Committees.
Membership has afforded us the opportunity to participate in the development of a new standard to check conformance with the CSC Conformance Checker, API v2.0.
Officially being released to the public XXXXX [Confirm Date]
Details can be found here:
https://cloudsignatureconsortium.org/join-us/associate-membership/
18. WebTrust Assurance
The WebTrust Audit program is based on the following Trust Services Principles and Criteria:
• Security: The system is protected against unauthorized access (both physical and logical).
• Availability: The system is available for operation and use as committed or agreed.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Online Privacy: Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
• Confidentiality: Information designated as confidential is protected as committed or agreed.
https://cabforum.org/wp-content/uploads/WTBR2_2.pdf
19. WebTrust Assurance
Standards and security control framework
3rd Party Annual Audit
• KPMG independent audit against global framework
• Auditors are granted the right to conduct the audit
• Evaluate controls for effectiveness, and then evaluate actual adherence to controls
Controls evaluated
• Physical & Logical security
• Availability & Business continuity
• Incident management
• System development & practices
• Risk management practices
• Asset classification & management
• Access management & Personnel security
Standards
• ISO - International Organization for Standardization
• ETSI - European Telecommunications Standards Institute
• ANSI - American National Standards Institute
• CAB Forum – Certificate Authority/Browser Forum
27. Return on digitisation
A few of the things we’ve seen our customers achieve
• Improved process & regulatory compliance
  • Entire company secretarial functions digitised
  • Governance, Risk & Compliance function digitised
• Time savings through efficiencies
  • Requirement for printing eliminated
  • Signed documents returned within hours or days
  • Operational processes reduced from weeks to hours
• Reduced costs
  • Paper & printing – R3mil a month in a single division of Absa
  • Cost savings passed to customers
  • Administration staff redeployed into skilled roles
• Rapid implementation
  • 2 – 3 weeks integrated deployment at many large customers
  • Instant adoption on internal use
  • Phased embedding into own infrastructure & environment
29. High level embedded architecture
Figure: embedded architecture, with the components shown as labelled blocks:
• Your People & Customers
• Document Generation; Document Workflow & Approvals; eSignature and Consent; Agree Module; Smart Document Completion
• Secure Integration Gateway
• Your Internal Systems: EHR Systems, Record Management Systems, Service Bus, Workflow Systems, Employee Management Systems
• eSignature Platform: Trust (Onboarding, Digital Identity, Advanced Managed PKI); Engage (Email, WhatsApp, USSD, In App, Web, Pad/Tablets); Manage (Analytics, Process Analysis, Audit, Servicing); 3rd Party APIs; Additional Modules
• Your Infrastructure
31. Bonus Quiz
How many biometrics can you list?
Write it on your business card and drop it at the stand or scan the code:
Free 3 year Impression licence at end of survey