PCI-DSS: Challenges faced in Malaysia

What began as separate compliance programs by major card brands, are now under a unified umbrella called PCI-DSS (Payment Card Industry Data Security Standard). PCI-DSS serves to protect the cardholder data and also the interest of the card brands. VISA, AMEX, MasterCard, JCB, and Discover (Diners Club) established the Payment Card Data Security Standards Council (PCI SSC). The goal of PCI SSC is now to guide any institution, especially the financial institutions to have better security surrounding their credit & debit card businesses.

Is there a need for yet another compliance program? The short answer is a resounding yes. According to StatiscsBrain[1], as of 18^th of June 2013, in the United States itself, businesses have suffered more than 11 thousand cases of card fraud with an average loss of $4,930 for each case of card fraud. In total, it has cause a financial loss of around $ 21 million on average.

In Malaysia itself, we are now faced with an alarming rise of card fraud cases. According to Bank Negara Malaysia (BNM), [2] while the cases of fraud have decreased overall, the fraud volume still remains high. If the customer, merchant and the banks do not put in a concerted effort to fight these fraud cases, many more will fall victim to increasingly sophisticated attacks. This is also supported by The United States Security Council (OSAC)[3] stating: “credit card fraud has decreased but still continues to become a problem”. In short, the frequency might be less but the amount that each case brings is still a problem to the authorities.

In terms of the PCI DSS certification, a majority of large financial institutions in Malaysia, especially banks and larger service providers are still undergoing the process. Some have taken more than 3 years to be certified. PCI DSS is already a difficult compliance to begin with, with more than 300 plus controls to deal with. Financial institutions are pressured by card brands to ensure that PCI DSS become their utmost priority, both internally as well as for any service provider or merchants dealing in card business.

In some cases, one of the reason for certification delay is the lack of documentation done on each system in the PCI scope, causing a lack of proper maintenance on the system. This covers from software to hardware and network devices. This will affect the certification in the remediation phase where the administrator really needs to identify each data flow concerning card data and needs to clean up to ensure that unnecessary rules, ports and services are disabled. The amount of legacy rules, unmanaged inventory are significantly large, especially for banks that own distributed branches. The undertaking is intimidatingly difficult.

Furthermore, the implementation of Malaysian Electronic Payment System (MEPS) which allows the sharing of ATM networks, gives the ability for customers to withdraw their money via a different ATM bank using a debit card. Debit cards are under the PCI purview, and is often doubled as an ATM card that can be used to make purchases just by deducting the account balance by swiping it. These have enabled the storing of user Primary Account Number (PAN) in the institutions and to some extent in clear text for settlement purposes which violates the requirements in PCI DSS. The transmission of the card data must also be addressed, as the card data might travel through non-secured channels such as normal emails, or open channels that can cause the data to be intercepted in transmission. Therefore controls have to be taken to ensure that all networks in and out are secured

Another point of concern is the PCI DSS exercise budget. Every organization big or small, private or public listed have a certain amount of budget allocated. While IT budgets have grown significantly, it has to be reminded that PCI is NOT an IT initiative. It is a business initiative and might take a large portion of the said budget. The budget would be used for the engagement of third party experts or actual products to mitigate the concerns. Due to budgeting, companies often overlook certain areas by cutting down the budget such as avoiding expert consultancy. They opt to do the certification or the remediation process by themselves in order to save some portion of the budget. This has short term yield but sacrifices the long term goals. Taking on PCI is akin to journeying through an uncharted maze. Having a guide is therefore critical especially for first timers in a relatively large company.

In conclusion, there is still a long way to go for Malaysian companies to abide 100% to the requirements of PCI-DSS. For that, they need to fully understand the requirements and ensure proper scoping is done (as there are cases where one can OVERDO the compliance). For a free scoping or advisory on how we can help you in your PCI-DSS journey, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

Article by: Wafiy Karim

PKF Avant Edge Sdn Bhd

[1] http://www.statisticbrain.com/identity-theft-fraud-statistics/

[2] http://www.bnm.gov.my/index.php?ch=8&pg=14&ac=1065

[3] https://www.osac.gov/pages/ContentReportDetails.aspx?cid=13812