Month: February 2015

IPAY88 is now PCI-DSS Level 1 Certified


Congratulations to IPAY88 for getting certified under PCI-DSS Level 1!

The PCI journey had been an interesting one. We did the gap assessment back in late 2013 and had to chase the compliance for 2014. The major roadblock was that first time PCI-DSS companies often underestimate the amount of work and type of audit required. A lot of companies make the mistake of treating PCI as how they treat ISO27001 (ISMS). These are vastly different animals.

For ISO27001, in general,  a lot of risks can be justified by management. The idea is to sense that there is a ‘management system’ in place. Not so much of a standard. If the management system claims that counting lima beans for customers in their data centre is an acceptable risk, then it is an acceptable risk. Of course, that’s an extreme example – the ISMS auditor still have a say in that obviously.

However, for PCI-DSS, its 300+ controls, in which if you decide that you want to store credit card data, then all of which will apply to you. There is no “Wait, my management accepts the risk of non encryption and storing PAN in a text file.”.

Precisely, the data here is not the company’s. It belongs to the card brands. From PCI perspective, its a standard that benefits only the card brands – VISA, Mastercard, Amex, Discover and JCB. This is the reason why we don’t have Business Continuity in PCI. PCI does not care whether your business can continue or not, it just cares that the credit card data is safe.

To IPAY88’s credit, they adjusted very quickly. They called us in midway into their remediation and we did a sweep of their infrastructure again and started to put their remediation program in place. Policies and procedures is one thing – but you have a whole lot of other things to do as well – penetration test, VA, firewall reviews, training, risk assessments, log reviews, HR review etc. We chased those down within 2 months and managed to hit the onsite audit in October, and successfully navigated the compliance by December.

A special thanks to IPAY88 management and PCI team for such a collaborative and great experience together! For more information of our PCI-DSS program, please email us at

MSC status for Rakuten Malaysia


Congratulations, Rakuten Malaysia for attaining your MSC Status!

One of our services is to provide consultancy and program management for MSC application and attainment. It helps that we have gone through the MSC status approval ourselves, but in general, any company intending for MSC needs to be aware that there is some work involved.

In general, you need to understand that you can do this on your own. There is no requirement whereby an independent third party is needed. That being said, in order to smoothen out the process, usually, someone who has gone through the process should be able to assist in a lot of areas. We are pretty flexible in how we work with our clients. For some, our involvement is very heavy, from writing business cases to financial projections etc. For others, we basically advise and manage the communications between MDEC and the company – which is less hectic, but more work for the client. Mostly, our clients come to us because they want MSC due to the tax breaks, and they have better things to do than to go back and forth with MDEC to iron out the business plan and stuff. For us, this IS our ‘better thing to do’, so you get a complete focus and a guarantee success fee attached to our quote.

Once you have decided to go for MSC, we will sit with you to decide on which is the best sector to go in for. Infotech, Creative Multimedia, Global Outsourcing, with each breaking up into subsets of their own. It’s easier said than done actually, because (strangely) sometimes the MSC activities might not be your core focus activities. For instance if you are a reseller, then trading cannot be part of your activities. If you are training, you cannot put that into your activities. However, if you have a branch out R&D or software development, you could technically park those as MSC.

After the decision, we fill in a pre-application form, then follow up with the business analyst. Not all BAs are created equal. We know because we have dealt with a whole train of them. Some are better than others – and we generally jostle to get the better ones for our client.

From there the bulk of the work is in defining the business and financial plan. There is more work than meets the eye here, because there will be a lot of back and forth with the BA before he/she is comfortable to present it. You generally will face some issues – we have faced more than our share – and having a good BA and a good rapport with MDEC is key to get things done here, both of which we will attain.

Once the BA is more or less ready – in general you are fine. However, like in this case, there were still a lot of clarifications to be done. I had to meet with the strategists and head of programs for MDEC in order to push our approval through, in terms of explaining to them our viewpoint. Where MDEC needs to improve is in how they view different business models and revenue models, especially in dynamic environments like cloud applications and such.

Overall, we give up to 75% of our fees as success based (means, no payment until certification). In some special cases, it’s even 100%, means there is no outlay (except for the RM2000 application fee direct to MDEC), until you get your cert.

If you need more information, feel free to contact us at

Agrobank Launches Agro Visa Debit-i Card


Today, we attended Agrobank’s launch of their Visa Debit-i Card at Wisma Tani, Putrajaya. It was an early event, at around 9 am, but even so, the hall was packed with media, vendors (like ourselves) as well as Agrobank’s personnel. It was a big event.

The fact of the matter was that we’ve been with Agrobank on this journey for more than a year. I recall when we first met and I sat opposite a panel of evaluators and them asking me why our compliance program was the best. I answered frankly, because we are completely devoted to our services to our clients. We might not always make all the right moves all the time, and there might be some hiccups along the way of a very long compliance journey for a bank – but what we can guarantee is a fanatical customer support and customer experience. That’s all we have. We are not a big company with a big name to hide behind.

To me – the satisfaction of being invited to one of their biggest event of the year is a testament to their satisfaction of us.

After the event, our Agrobank account manager heading the card services thanked us personally despite her being pulled by other urgent matters, and media activities.

Sometimes, simple thank yous are good signposts and indications that we are doing something right in our business. Here’s looking to a great 2015.

Preferred Qualified Security Assessor (QSA) for Maybank PCI-DSS Program

maybank pci

Great news!

Control Case International, with Malaysia representative PKF,  have recently been awarded as one of the preferred QSAs by Maybank Merchant Business to assist their merchants in attaining PCI compliance. PCI DSS is a contractual obligation whereby Maybank merchants agree to abide by PCI DSS through the terms of their merchant agreement with Maybank. This extends to any entities storing, processing or transmitting credit card data. As a Maybank merchant, you can enjoy significant savings on compliance by participating in this PCI compliance program.

Merchant are categorised under different merchant levels based on your annual volume of credit or debit card transactions. The following table describes the categorisation:


Depending on your merchant level, our compliance program is here to assist you in achieving PCI compliance through what we believe is the most cost-effective and resource-efficient service in the market. Our updated 2017 compliance program rates are as follows:


We can further clarify and explain these offerings either through our email, phone call or through our websites defined below:

Mr Stevie Heong: +6019 278 8629

About ControlCase International and PKF Malaysia
ControlCase International (“ControlCase”) is a United States based company with headquarters in McLean, Virginia and PCI centre of excellence in Mumbai, India. ControlCase focuses on compliance services and solutions related to regulations such as PCI, ISO27001, Sarbanes Oxley, GLBA and J-Sox globally. PCI compliance services are the core focus for ControlCase and the company has PCI experience on all sides of the card business, acquiring as well as issuing. ControlCase’s Malaysia representative, PKF is a top 10 international business advisory firm and we work closely with ControlCase to ensure efficient and local support is provided to all our clients.

© 2020 PKF AvantEdge

Theme by Anders NorenUp ↑