Category: PCI-DSS

PCI-DSS: Challenges faced in Malaysia

What began as separate compliance programs run by the major card brands is now under a unified umbrella called PCI-DSS (Payment Card Industry Data Security Standard). PCI-DSS serves to protect cardholder data and also the interests of the card brands. VISA, AMEX, MasterCard, JCB, and Discover (Diners Club) established the Payment Card Industry Security Standards Council (PCI SSC). The goal of PCI SSC is to guide any institution, especially financial institutions, towards better security surrounding their credit and debit card businesses.

Is there a need for yet another compliance program? The short answer is a resounding yes. According to Statistic Brain [1], as of 18 June 2013, businesses in the United States alone had suffered more than 11 thousand cases of card fraud, with an average loss of $4,930 per case. In total, this has caused a financial loss of around $21 million.

In Malaysia itself, we are now faced with an alarming rise in card fraud cases. According to Bank Negara Malaysia (BNM) [2], while the number of fraud cases has decreased overall, the fraud volume still remains high. If customers, merchants and banks do not put in a concerted effort to fight these fraud cases, many more will fall victim to increasingly sophisticated attacks. This is also supported by The United States Security Council (OSAC) [3], which states: “credit card fraud has decreased but still continues to become a problem”. In short, the frequency might be lower, but the amount that each case brings is still a problem for the authorities.

In terms of PCI DSS certification, the majority of large financial institutions in Malaysia, especially banks and larger service providers, are still undergoing the process. Some have taken more than 3 years to be certified. PCI DSS is already a difficult standard to comply with, with more than 300 controls to deal with. Financial institutions are pressured by the card brands to ensure that PCI DSS becomes their utmost priority, both internally and for any service provider or merchant dealing in the card business.

In some cases, one of the reasons for certification delay is the lack of documentation on each system in the PCI scope, which in turn leads to a lack of proper maintenance on those systems. This covers everything from software to hardware and network devices. It affects certification in the remediation phase, where the administrator really needs to identify each data flow involving card data and clean up to ensure that unnecessary rules, ports and services are disabled. The amount of legacy rules and unmanaged inventory is significantly large, especially for banks that own distributed branches. The undertaking is intimidatingly difficult.

Furthermore, the implementation of the Malaysian Electronic Payment System (MEPS), which allows the sharing of ATM networks, gives customers the ability to withdraw their money from another bank's ATM using a debit card. Debit cards are under the PCI purview, and a debit card often doubles as an ATM card that can be used to make purchases by swiping it and deducting the account balance. This has led institutions to store the user's Primary Account Number (PAN), to some extent in clear text, for settlement purposes, which violates the requirements of PCI DSS. The transmission of card data must also be addressed, as card data might travel through non-secured channels such as normal email, or open channels that allow the data to be intercepted in transit. Therefore controls have to be put in place to ensure that all networks in and out are secured.

Another point of concern is the PCI DSS exercise budget. Every organization, big or small, private or public listed, has a certain amount of budget allocated. While IT budgets have grown significantly, it bears reminding that PCI is NOT an IT initiative. It is a business initiative and might take a large portion of the said budget. The budget would be used for engaging third party experts or for actual products to mitigate the concerns. Due to budgeting, companies often overlook certain areas by cutting costs, such as avoiding expert consultancy. They opt to do the certification or the remediation process by themselves in order to save some portion of the budget. This has a short term yield but sacrifices the long term goals. Taking on PCI is akin to journeying through an uncharted maze. Having a guide is therefore critical, especially for first timers in a relatively large company.

In conclusion, there is still a long way to go for Malaysian companies to abide 100% by the requirements of PCI-DSS. For that, they need to fully understand the requirements and ensure proper scoping is done (as there are cases where one can OVERDO the compliance). For a free scoping or advisory on how we can help you in your PCI-DSS journey, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

Article by: Wafiy Karim

PKF Avant Edge Sdn Bhd

PKF Avant Edge in the ASEAN Financial Institution Conference Hanoi

I was invited to attend the 2013 ASEAN Financial Institution Conference in Hanoi as one of the speakers. My presentation (done in a video scribing mode) was on “Navigating the PCI-DSS Journey”. It was a topic close to heart of course, with many of our clients either undergoing PCI-DSS or starting the PCI DSS journey.

Overall, it was a great experience. I went with my Project Management Director, CB Chan, and met up with our PKF colleagues in Vietnam, who also joined us in the conference. We managed to not just meet with other technology partners and conference speakers, but also representatives from other banks in Vietnam.

As always, networking is vital for the survival of our business. The experience itself was an added bonus as Hanoi was a bustling city packed with motorbikes and people.

Possibly not the most photogenic people (we are technologists and accountants after all, not models) but we’re still proud of our little space for consultation and advisory.

Aside from those listed, where PKF is proudly the only consultation and advisory firm, Cybersecurity and MDEC were also represented from the Malaysian contingent.

Other mugshots we had:


Don’t Break the Bank for PCI-DSS

Over the past couple of months, the team has been busy working on PCI-DSS related projects. Since 2010, we’ve been in touch with Control Case International, an international QSA based in Virginia, USA, that has its center of excellence in Mumbai, India to serve the ME and Asia regions.

Back in 2010, nobody really cared too much about PCI-DSS. We’d heard it bandied around by our clients, and after researching it, decided as a company to move forward with it as one of our core services. The first thing we did was to clarify our agreement with Control Case. While remaining independent of their audit, reports and opinion, we also wanted to know how they work so that we could assist our customers better in our project management services. Things like the format for submitting evidence, scheduling, expectation setting and budgeting were just as critical as the actual audit performed by the QSA. We then trained and shadowed Control Case on assignments, eventually building up the technical skill base for consultancy and advisory work.

PCI-DSS isn’t rocket science. Neither is it a stroll in the park. But with proper planning, understanding and project management, you will be able to navigate PCI-DSS without breaking the bank.

Invariably, one of the first things our potential clients ask us is: How much will it cost?

While there is no simple answer, most will skirt the subject and say that it depends. And they are right. It really depends. However, the ballpark figure, from our perspective, should still make economic sense. The first thing really is to figure out what is in scope and try to get only the necessary items in scope: the cardholder data environment (CDE). The simplest suggestion is to move any function not related to card processing out of scope, either by plunking it into another network segment or moving it out altogether. Once done, you should be able to elicit some sort of price estimate from your QSA or consulting provider.

The rule we try to impose is to keep the gap assessment and certification below RM50K. This is a tall order, but quite possible, especially if the scope has been narrowed down to firewall->DMZ->App Server/Database server concept, without too complicated a CDE. But you shouldn’t be looking over 100K for gap and certification. Of course this applies to generally payment service providers, not banks. For banks, you’re probably looking out at forking RM100 – RM200K for gap and certification. Recurring fees are also applicable, so remember to ask as well…each year, there is a review, how much would that be? There should also be supplementary services like pentest, ASV scans etc. It generally should be the same or slightly less than first year compliance.

The reason why I write this post is that I’ve seen fees bandied around for service providers in excess of RM120 – RM160K and for banks RM400 – RM500K. Now, I know things are varied, but some of these are just ridiculously high, after knowing the scope. And this is not including the remediation and implementation portion! The implementation portion is variable of course, depending on how much involvement we’re looking at. For instance, we just completed a policies and procedures project for between 30 – 35K over roughly one month, starting from scratch for a medium service provider. Your mileage may vary in implementation, but again, if you have in house expertise, then do it; else, look for consultants…and make sure the consultants include training and workshops to pass down their capability to you!

The short of the matter is, shop around and get quotes. Get references as well, and make sure they have local partners to help out and assist during the remediation period…you will need it. Oh, also, if you get external providers to help, keep in mind the withholding tax involved. That’s why we’ve evolved PKF to be the PCI-DSS advisory of choice from gap to certification for Malaysian payment service providers looking for cost effective and quality PCI-DSS services. While we do work with Control Case in a lot of our projects, there are many times we have worked with other QSAs or Control Case has worked with other advisory firms, making us truly independent.

Drop us an email at avantedge@pkfmalaysia.com and we can work out a PCI-DSS package for you that won’t break your bank!

PCI-DSS, ISO27001, COBIT and a Partridge in a Pear Tree

We just secured another PCI-DSS deal today, and once the customary celebration has died down, we will set aside time to start planning for the project. For this project, PKF works with our QSA (Qualified Security Assessor) vendor, Control Case, to ensure that our clients get the best consultation and services possible, and to almost guarantee a certification in PCI-DSS. I say almost guarantee, because there is no such thing as 100% in this world. For instance, what if a meteor crashes into earth just as the PCI-DSS audit is about to start? Sure, we’ll all go the way of the dinosaurs, but was our client certified? No!

Anyway, jokes aside, we’re gearing up for the new year, with PCI-DSS, some ISO27001 and our normal COBIT assurances in the pipeline. The reason why we focus so much on these 3 standards and frameworks (COBIT is NOT a standard!) is because they are inter-related. ISACA and other groups have mapped all three to each other in a sort of matrix fashion, so that sitting down with a PCI-DSS guy and talking about the 12 requirements, you can inherently map COBIT controls onto those 12 requirements, and hey, presto, onto the 11 domains of ISO27001. PCI-DSS can be mapped against ISO27001 as well, especially to the holy Annex A controls of the ISO standard. The fact is, anyone that has ISO 27001 experience will find it interlaced with PCI-DSS and COBIT as well. They are all siblings of the same mother, IT governance and audit.

Of the 3, both PCI-DSS and COBIT have taken major steps forward. PCI-DSS 2.0 came out 2 years back and added in virtualisation and a lot more clarifications on testing procedures. The big step forward was that risk assessment documentation must now be verified against an accepted risk management methodology. Before this, there wasn’t such a need. In doing so, PCI-DSS is moving closer to its bigger brother, ISO27001, which is risk-based.

COBIT has always been risk based. Anyone that comes at you with a COBIT checklist should be questioned. We’re not saying a checklist is wrong, but there must be a context for that checklist. We see a lot of “checklist based on industry benchmarks.” That’s one way. But each business is different. Not every IT division needs an IT strategic roadmap with a 5 year plan on IT investments. I know one of my clients whose IT guy is basically the guy from Low Yat, and that client doesn’t. That client needs more controls on information leakage and policies governing that Low Yat guy. Fix what’s priority. Fix what is highest risk. And in order to do that, you need to know, interact with and interview the client.

COBIT 5 takes this literally. For too many years, practitioners have been throwing COBIT controls around like fireworks on Chinese New Year Eve. Comply with this, else we will give you a big fat zero! We’ve been using COBIT 4.1 for a long time now, and it still remains an ‘auditor’s framework’. With COBIT 5, we move up the ranks to IT governance. It’s a different way to audit. Here we look at the causal relationships between IT and business. The controls tie to the governance of IT within the context of the organisation, hence putting practitioners with risk experience at the forefront. Unlike the haphazard way of trying to tie RISK IT, VAL IT and COBIT together, COBIT 5 hopes to bring in a more uniform approach to IT auditing, one that will hopefully transpose the audit from the realm of the IT techies to the board.

With COBIT 5, the checklist wielding junior internal auditor whose knowledge of IT consists of Facebook and FarmVille will, hopefully, go the way of the dinosaur, and be replaced by practitioners who have real world experience, management insights and the technical-business acumen to bridge technology into corporate relevance.


© 2025 PKF AvantEdge
