Category: IT Compliance

PCI-DSS Landscape in Malaysia


2014 was the year PCI DSS really took off for many companies and organisations in Malaysia. More and more banks have pushed their merchants to become compliant and certified with PCI DSS. While a few merchants require Level 1 certification or Level 2 validation, the bulk of them fall under Level 3 and Level 4. That means a lot of ASV scans and a lot of Self-Assessment Questionnaire (SAQ) advisory. I was asked this question: why have these banks, who are traditionally so dormant and make corporate decisions slower than a crippled sloth, half blind and halfway to the grave, suddenly become so actively engaged in PCI DSS? Perhaps it is the pressure they get from the card brands, especially VISA and MasterCard.

After what happened to the infamous Target retailer in the 2013 to 2014 breach and other high profile hacks, card brands are now in caution mode and have become more stringent with entities connecting to them. This, together with the new PCI DSS v3.1, means that controls are more stringent and auditees are more frustrated. Like everything in PCI, it is a top-down domino effect: VISA insists on banks being certified; banks claim they cannot be certified yet but are in the process, and in turn insist that their third party processors and merchants be compliant. I call this the 'passing the buck' philosophy. It is an open secret that no bank in Malaysia is certified. They will claim they are compliant, the same way my 25 year old refrigerator is compliant with green and environmentally friendly regulations. It's not.

Because banks push this compliance downstream, this 'passing the buck' effect has caused many entities to start actively looking in every direction to be certified or compliant, because they don't want to lose their connection with the bank. Is it fair? As one of our merchant clients bluntly put it, while drawing a long drag on his Marlboro Lights and looking wistfully into space: "It's like being blamed by tobacco companies for polluting the planet with our smoking."

Should banks be certified? Of course.

However, for them to get certified within a specified period of time is difficult, due to their ever changing business nature and the overly large scope of systems, people and processes that fall under PCI requirements. They will therefore need more time to remediate all the gaps, and guess what: one of those gaps will invariably be getting their third parties (like my client with his Marlboro Lights) certified.

In the end, service providers, merchants and payment gateways are forced to become more aware that PCI is needed to ensure the continuity of their business, especially if it involves VISA and MasterCard. So why aren't they getting certified?

The answer lies in the implementation cost. Small to medium merchants and emerging payment gateways with limited funds and limited clients may reckon that the cost of absorbing a breach is lower than the cost of certification. Consider the requirements for an IDS/IPS (Intrusion Detection/Prevention System), a central logging server, and daily log review with review reports. All of these require additional effort or cost in terms of time, human resources or investment in new devices.

With problems, there will always be solutions. We are keenly aware that not all clients can afford expensive solutions such as separate devices for IDS, FIM (File Integrity Monitoring), syslog and so on, or building a Security Operations Center from the ground up. We have crafted different solutions to serve our customers' needs, from providing an all-in-one system for compliance to having them outsource their compliance headache to us altogether. Yes, we love to transfer headaches from clients to ourselves. We call our solution PCI Panadol. Just kidding, but it's a great name.

Our solution starts with this question: how do we get you compliant with the least effort, least time and least money possible, and then keep you compliant with the same 3 LEASTS (effort, time, money)?

Overall, awareness of PCI DSS has grown a lot in Malaysia. PKF Avant Edge runs monthly PCI Awareness training (HRDF claimable) and we have served large clients through such training. As for implementation, it is just as important to know what is UNNECESSARY for PCI as what is necessary. It starts with the scope. Start right, and you might just cross to the other side of certification and celebrate with a party. Start wrong, and you are looking at a very, very, very long journey with very little happiness in it.

For PCI scoping or advisory on how we can help you in your PCI-DSS journey, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Wafiy Karim, PCI Consultant.

PCI v3.1 is out and so is SSL!


On 15th April, PCI became 3.1 versions old.

The 'dot 1' added to the version 3 that was released barely a year ago seeks to address the myriad issues stemming from the old and dignified SSL protocol.

Ah, SSL. How I will miss thee. SSL itself underwent its own transformation, from a little protocol used by a little firm called Netscape to one of the most used transmission protocols in the history of the entire universe. OK, that's overstating it a little, but this is like the godfather of transmission protocols. It's like Don Vito's father's father. I will probably write another ode to this wonderful protocol in another article, but suffice to say, SSL is no longer allowed in PCI. If Heartbleed (strictly a bug in OpenSSL's implementation rather than in the protocol) hurt its reputation, POODLE, a flaw in SSL 3.0 itself, killed it.

A lot of systems support both SSL 3.0 and TLS 1.0 in their default configuration. Newer software may support SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2; in these cases the software simply needs to be reconfigured to stop offering the old versions. Extremely old software, dating back to the days when the T-Rex was still alive, may only support SSL 2.0 and SSL 3.0; that has to be replaced rather than reconfigured. This is an extremely rare sighting, on par with a sighting of the Yeti himself.

On a more serious note, anyone still on SSL, even version 3.0, should migrate now to more secure protocols such as TLS 1.2. Like WEP before it, SSL and early TLS (TLS 1.0) are no longer acceptable under PCI DSS. The changes are in requirements 2.2.3, 2.3 and 4.1. Current PCI reviews will no longer accept these protocols; environments that are already certified get a grace period until 30 June 2016 to move off them. Just use TLS 1.2 and above (I know, you will argue that TLS 1.1 is still secure, and it is, and it can still be used, so if you are on 1.1, stick with it; otherwise you might as well upgrade to 1.2).
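Two things a practitioner wants out of the paragraph above: a server configuration that actually refuses SSL 3.0 and TLS 1.0, and a way to confirm, the way an ASV scanner would, which protocol versions a live endpoint still accepts. The following is an added example written for this article, not code from the original post or from PKF; it uses only Python's standard `ssl` and `socket` modules. It treats SSL 3.0 and TLS 1.0 as the versions PCI DSS v3.1 no longer accepts and, following the author's position above, leaves TLS 1.1 as acceptable. The host and port you pass on the command line are assumptions; the `scan()` results dictionary used in the usage note is constructed, not captured from a real server.

```python
"""Added example (not from the original post): a TLS 1.2+ server policy and a
per-version probe that reports whether a server still accepts SSL/early TLS."""
import socket
import ssl
import sys

# Oldest to newest. ssl.TLSVersion has no SSLv2 member, so SSLv2 cannot be
# probed from Python; modern OpenSSL builds refuse to speak it anyway.
VERSION_ORDER = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# "SSL and early TLS" as removed by PCI DSS v3.1; TLS 1.1 is left acceptable
# here, as the article argues.
LEGACY = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1}

STATUS = {True: "accepted", False: "refused", None: "untestable"}


def harden_server_context(certfile=None, keyfile=None):
    """Server-side context pinned to TLS 1.2 and newer. A client that can
    only offer SSL 3.0 or TLS 1.0 gets a handshake failure, not a downgrade."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile is not None:  # hypothetical paths supplied by the operator
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def permitted_versions(ctx):
    """Names of the versions a context is configured to negotiate, derived
    from its minimum_version/maximum_version bounds. This reports the
    configured policy, not what the linked OpenSSL can actually speak."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    names = []
    for v in VERSION_ORDER:
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and v < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and v > hi:
            continue
        names.append(v.name)
    return names


def context_meets_pci(ctx):
    """True when the context cannot negotiate SSL 3.0 or TLS 1.0."""
    return not (set(permitted_versions(ctx)) & {v.name for v in LEGACY})


def probe_version(host, port, version, timeout=5.0):
    """Offer exactly one protocol version to host:port.
    True  -> the server completed a handshake at that version
    False -> the server refused it (or the connection failed)
    None  -> the local OpenSSL cannot speak that version, so nothing was tested
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol support is under test,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def scan(host, port=443):
    """Probe every version in VERSION_ORDER against host:port."""
    return {v.name: probe_version(host, port, v) for v in VERSION_ORDER}


def legacy_accepted(results):
    """From a scan() result, the versions PCI DSS v3.1 no longer accepts that
    the server still completed a handshake for."""
    return sorted(name for name, ok in results.items()
                  if ok and ssl.TLSVersion[name] in LEGACY)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = scan(target, port)
    for name, ok in results.items():
        print(f"{name:8} {STATUS[ok]}")
    bad = legacy_accepted(results)
    print("PCI DSS v3.1:", "FAIL, still offering " + ", ".join(bad) if bad
          else "no SSL/early TLS accepted")
```

Run it as `python tls_probe.py payments.example.com 443` (the filename and host are placeholders). A constructed result such as `{"SSLv3": True, "TLSv1": False, "TLSv1_1": True, "TLSv1_2": True, "TLSv1_3": None}` yields `["SSLv3"]` from `legacy_accepted()`, which is exactly the finding an ASV report would raise under requirement 4.1. Note that `probe_version()` returns `None` rather than `False` when your own OpenSSL has SSL 3.0 compiled out; a clean scan from such a machine proves nothing about the server, so run the probe from a host whose library can still offer the legacy versions, or rely on the ASV's scanner for those.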

OK, goodbye SSL and thanks for all the fish!

Don’t Break the Bank for PCI-DSS

Over the past couple of months, the team has been busy working on PCI-DSS related projects. Since 2010, we have been in touch with Control Case International, an international QSA based in Virginia, USA, with its centre of excellence in Mumbai, India, serving the Middle East and Asia regions.

Back in 2010, nobody really cared too much about PCI-DSS. We heard it bandied around by our clients and, after researching it, decided as a company to make it one of our core services. The first thing we did was to clarify our agreement with Control Case. While remaining independent of their audit, reports and opinion, we also wanted to know how they work so that we could assist our customers better through our project management services. Things like the format for submitting evidence, scheduling, expectation setting and budgeting were just as critical as the actual audit performed by the QSA. We then trained with and shadowed Control Case on assignments, eventually building up the technical skill base for consultancy and advisory work.

PCI-DSS isn’t rocket science. Neither is it a stroll in the park. But with proper planning, understanding and project management, you will be able to navigate PCI-DSS without breaking the bank.

Invariably, one of the first things our potential clients ask us is: How much will it cost?

There is no simple answer, and most will skirt the subject and say that it depends. They are right; it really does depend. However, from our perspective the ballpark figure should still make economic sense. The first thing is to figure out what is in scope and to bring only the necessary items into it: the cardholder data environment (CDE). The simplest suggestion is to move any function not related to card processing out of scope, either by putting it into another network segment or by moving it out altogether. Once that is done, you should be able to elicit some sort of price estimate from your QSA or consulting provider.

The rule we try to impose is to keep the gap assessment and certification below RM50K. This is a tall order, but quite possible, especially if the scope has been narrowed down to a firewall -> DMZ -> application server/database server design without too complicated a CDE. Either way, you shouldn't be looking at more than RM100K for gap and certification. Of course this applies generally to payment service providers, not banks. For banks, you are probably looking at forking out RM100K to RM200K for gap and certification. Recurring fees also apply, so remember to ask: each year there is a review, how much will that be? There will also be supplementary services like pentests, ASV scans and so on. The recurring cost should generally be the same as or slightly less than first year compliance.

The reason I write this post is that I have seen fees bandied around in excess of RM120K to RM160K for service providers and RM400K to RM500K for banks. Now, I know things vary, but some of these are just ridiculously high once the scope is known. And this is not including the remediation and implementation portion! The implementation portion is variable, of course, depending on how much involvement is needed. For instance, we just completed a policies and procedures project for between RM30K and RM35K over roughly one month, starting from scratch for a medium sized service provider. Your mileage may vary in implementation, but again, if you have in-house expertise, do it yourself; otherwise look for consultants, and make sure the consultants include training and workshops to pass their capability down to you!

The short of the matter is: shop around and get quotes. Get references as well, and make sure they have local partners to help out and assist during the remediation period; you will need it. Oh, and if you engage external providers, keep in mind the withholding tax involved. That is why we have evolved PKF to be the PCI-DSS advisory of choice, from gap to certification, for Malaysian payment service providers looking for cost effective and quality PCI-DSS services. While we work with Control Case on a lot of our projects, there are many times we have worked with other QSAs, and Control Case has worked with other advisories, which keeps us truly independent.

Drop us an email at avantedge@pkfmalaysia.com and we can work out a PCI-DSS package for you that won’t break your bank!

PKF IT Opportunities

One of the main reasons we moved the IT advisory function out of internal audit was the fact that IT encompassed so much more than just doing an audit.

I believed in the exponential growth of IT based on a simple belief: IT is integral to efficient and effective businesses. Businesses that do not leverage IT will go nowhere. So it only makes sense that IT will get more complex and more critical with each passing year.

Back in 2010, PKF Malaysia realised this pattern. By staying stagnant and doing what the other firms were doing, internal auditors doing IT audits, we were simply going to die off. The first thing we realised was that, while internal auditors were OK at doing IT audits, these were two different animals. We didn't want to do checklist audits. We didn't want someone doing IT audit who didn't even know what the heck an AAA server was, or how to do a simple VLAN config on a Cisco router. We didn't want someone going up to the Audit Committee and putting someone else's career at stake with ridiculous recommendations and reports based on 'previous experience' and 'industry best practices', when they don't know heads or tails about what Active Directory is used for, or the basics of DNS poisoning or IP spoofing. We needed serious technical people who have been on both the customer and the consulting end, and we needed to separate from the Internal Audit group, simply because we wanted audits to be done differently.

We moved quickly into ISO 27001 (ISMS) and PCI-DSS, we went through ISO 27005 for risk assessment, we did COBIT 4.1 training and enablement, and got everyone at least CISA certified. Most of us, like me, hold multiple certifications, for instance in IT forensics, ethical hacking, IT management, project management and so forth.

We moved quickly to obtain MSC status in 2011 so as to be a serious player, and we started strategic collaborations for different purposes. We joined workgroups with government and private agencies, opening channels to MOSTI, MIMOS, Bank Negara and so on, to conduct knowledge sharing sessions. For free. I am a great believer that contributing back to the industry should be part of our professional duty, not an engagement service.

So here we are, at the precipice of change. PKF itself has undergone tremendous changes over 2012 and 2013. This week we held our PKF Asia Pacific Conference, where the different countries got together to explore different areas and opportunities. We are excited, as we see the work we have done over the past three years to build our knowledge and reputation possibly coming to fruition. I am also a big believer that PKF requires a regional IT function. There should be a centre of excellence, not just for IT audit but for technical services like penetration testing and forensics, troubleshooting and service management, and project management as well.

This is where we are. We still have a long way to go, but with the extension of our services into the other firms in PKF, we’re set to stay for a long while.

Here is the link to the presentation we did to the other PKF Firms last week.

PKF Avant Edge – Partner Presentation


© 2025 PKF AvantEdge
