Skip to main content
Insights
Foundations4 July 2026 · 9 min read

Website security for South African businesses: the 2026 guide

By Matt Owen, Auto Alpha Security

Indigo topographic contour lines rising from a dark grid toward a lit horizon.

“Website security” gets used to mean an SSL padlock, a firewall, a WordPress plugin, and a proper security programme, often in the same sentence. For a South African business, it’s worth being precise, because one legal clause — POPIA §19 — sits underneath almost every real question in this space, and vague language is how businesses end up either under-protected or overpaying for the wrong thing. This guide is the map: what website security actually covers, what the law requires, what the market actually costs, and where to go deeper on each piece.

What website security actually means for an SA business

Website security is the set of measures that stop your live web application from being read, altered, or taken over by someone who isn’t supposed to have access — and, just as importantly, your ability to show that those measures exist and work. That second half is the part most guides skip. A firewall you installed and never checked again isn’t evidence of anything; it’s a claim. Real website security produces something you can hand to a bank, an insurer, or a regulator and say “here’s what we tested, here’s what we found, here’s the proof.”

In practice it splits into a few distinct activities that get conflated constantly: hardening (patching, configuration, access control), testing (finding out whether the hardening actually held), and compliance (the paper trail that proves both of the above to someone outside your business). This guide focuses on testing and compliance, because that’s where the real confusion — and the real legal exposure — lives for most SA businesses.

The threat reality, honestly stated

We’re not going to open with a scare-statistic pulled from a vendor report we can’t verify — that’s the opposite of the “we only report what we can prove” standard this site runs on. What we can say plainly: South African businesses run the same web stacks, the same payment integrations, and the same third-party plugins as everyone else, and the automated scanning tools attackers use don’t check your country code before probing your login form. A small e-commerce store and a national retailer are both reachable from anywhere, at any time, by tooling that costs the attacker nothing to run.

What’s different locally is the response infrastructure once something goes wrong. South Africa has a data-protection law with real notification duties (POPIA §22), an Information Regulator that can act on it, and a banking and insurance sector that increasingly asks for security evidence before extending facilities or underwriting cover. The threat itself is global and unglamorous — most breaches are still opportunistic exploitation of known, unpatched weaknesses, not a targeted nation-state operation. The stakes of getting caught out, though, are specifically South African: a regulator, a bank, and a client all asking the same “prove it” question in the same week.

There’s also a specifically South African cost dimension worth naming plainly, because it changes how businesses should think about the trade-off. Downtime, remediation, and reputational fallout from a web-app compromise are priced in rand, against rand-denominated revenue — and for a business already managing local load-shedding contingencies, connectivity costs, and thin margins, an avoidable breach is a materially harder hit to absorb than the same incident would be for a business with deeper reserves. That’s the actual argument for testing before something happens, rather than after: not fear of a headline, but the arithmetic of what an incident costs to clean up versus what a scan costs to run.

What POPIA §19 actually requires

If your business holds personal information — customer names, ID numbers, payment details, employee records, anything that identifies a living person — the Protection of Personal Information Act applies, and section 19 is the clause that governs security. It doesn’t name a technology or a checklist. It requires every “responsible party” to take “appropriate, reasonable technical and organisational measures” to protect that information, and — the part most businesses miss — to verify regularly that those measures still work as the underlying systems change.

POPIA §19 — the cycle

  1. Identifythe reasonably foreseeable risks to the personal data you hold
  2. Safeguardput appropriate, reasonable measures in place against them
  3. Verifyregularly check the safeguards are actually working
  4. Updateadjust as your app changes and new risks emerge
Section 19 is an ongoing cycle, not a one-time project. The loop is the point.

That last requirement is why a security assessment from eighteen months ago isn’t compliance today. Your web app has almost certainly changed since then — a new integration, a new payment flow, a new feature bolted on in a sprint — and §19 asks whether your safeguards kept pace, not whether you once had a report. We’ve written the full breakdown of what “appropriate and reasonable” means in practice, including where the breach-notification duty under section 22 kicks in, in our guide to cybersecurity compliance and why it matters. And because POPIA §19 isn’t the only standard businesses get asked about, we’ve mapped where it sits next to PCI DSS and ISO 27001 — and where each one stops — in which compliance standards actually matter for web application security.

Scanning vs. penetration testing: choosing the right-sized test

Once the legal question is settled, the practical one follows immediately: how do you actually test a live web application, and which kind of test does your situation call for? A vulnerability scan is automated-first, fast, and inexpensive; a penetration test is a human-led exercise that goes deeper into business logic and costs — and takes — meaningfully more. Neither is universally “better”; they answer different questions. For most SA small and medium businesses evidencing POPIA §19, a confirmed scan is the right-sized answer. For card-data handlers under PCI DSS, or businesses with real business-logic exposure, a manual pen test is the one that actually satisfies the requirement. We break down exactly how to tell which is which in vulnerability scan or penetration test: which does your business actually need.

What it costs

Most of this market won’t show you a number — enterprise DAST platforms and pen-test consultancies default to “request a quote.” The honest range, published rather than hidden: a confirmed scan sits at R8,000–R20,000 once-off; a manual penetration test starts around R35,000 and runs well past R150,000 for anything comprehensive; a DIY SaaS scanner or open-source tool is cheap or free in licence cost but expensive in the time and skill it takes to run properly and separate real findings from noise. What actually moves the price within each band — app size, scope, one-off versus ongoing — and where our own Deep Scan sits in that spectrum is laid out in full in what a web-application security test actually costs in South Africa.

Fitting security testing into a compliance programme

A single test is a snapshot. A compliance programme is what turns that snapshot into something durable — a trigger for when testing happens (at release, after significant change, on a schedule), an owner, and a record that sits in your POPIA §19 register rather than a PDF nobody opens again. We cover exactly where scanning belongs in that cycle in how to fit web application security scanning into an existing compliance programme.

Security testing is also only one condition of POPIA §19 — it proves your technical measures held at a point in time. The organisational side, and the continuous monitoring of POPIA, B-BBEE, SARS, and FSCA obligations in between scans, is a different discipline that runs on a different cadence. That’s the gap Komply is built to close: where a Deep Scan gives you confirmed, re-runnable proof of your technical security at a moment in time, Komply keeps the broader compliance file current every day in between.

Sector notes: e-commerce and financial data

Two categories of SA business carry a materially higher bar. E-commerce stores handle customer payment flows, sessions, and input at scale — the exact surface most automated attacks target first — and the practical hardening steps (input handling, session management, access control, patching cadence, and where PCI DSS actually starts) are covered in our best-practices guide for data security in e-commerce. Any business handling card or banking data separately needs to understand that there is no standalone “Financial Data Protection Act” in South Africa — financial data is personal information under POPIA like any other, subject to the same §19 duty, with PCI DSS layered on top for the card-data slice specifically. That distinction, and where each law or standard actually reaches, is unpacked in financial data protection in South Africa: what the law actually requires.

What to do first

If you’ve read this far because you’re not sure where your business actually stands, here’s the honest order of operations, in the sequence we’d actually recommend rather than the sequence that sells the most product.

First, work out whether your obligation is POPIA §19 alone or POPIA plus a named standard like PCI DSS or a SOC 2 attestation — that single fact decides whether you need a scan or a pen test, and the scan-versus-pen-test guide linked above walks through exactly how to tell. Getting this step wrong is the single most common way businesses overpay: buying a five-figure pen test to answer a question a R10,000 scan already answers, or worse, buying a scan when a named standard genuinely required a human tester. Second, get a confirmed test of your live application rather than assuming last year’s review still holds — POPIA §19’s “verify regularly” language exists precisely because systems change faster than compliance paperwork does, and the app you tested in 2025 is not the app running today. Third, decide whether what you actually need is a point-in-time proof (a scan or a pen test) or an ongoing compliance file (continuous monitoring) — most businesses that take this seriously eventually need both, but they rarely need to buy both on day one, and we’d rather tell you which one is urgent for you specifically than sell you the bundle.

And if the honest answer is that your web application needs rebuilding, not just testing — a login flow with no rate limiting, an admin panel with no access control, an integration nobody’s touched since it shipped — that’s a build problem before it’s a scanning problem, and it’s worth fixing at the source rather than re-testing the same weakness every quarter. Auto Alpha Advisory is the team behind Deep Scan and builds the fix as well as confirming the flaw.

Whichever of these applies to you, we’d rather tell you honestly which one it is before you spend anything than sell you the wrong product. Send us your domain and we’ll tell you where you actually stand.