MIDDLE EAST FORUM, DUBAI, UNITED ARAB EMIRATES, 6 – 7 APRIL 2016
Case Study: Successful Implementation of PCI DSS in a Large Bank
Presenter: Fareed Hosain, CIO, Habib Bank Ltd
HBL Profile
Pakistan’s largest bank
• Incorporated in 1941
• Deposits > PKR 2 Trillion
• 1600+ branches
• 1900+ ATMs
• 5+ million debit & credit card holders
• Over 500k card-based transactions daily
Major systems
• Core banking
• Debit cards
• Credit cards
• ATM switches
• Branchless banking
• Card production
• Call centre
PCI DSS at HBL
• Scope
  • Project initiated in 2013; work started in earnest from Jan 2015
  • Remediated over 52 applications, 270+ servers, 26 network devices
  • 4 data centers ready for ISO 27001 certification
  • Updated 1000+ controls (along with SIEM, FIM, DLP, 2FA, VA, PT, etc.)
  • 25 core business processes changed to comply with the standard
  • Upgraded card production facility to be compliant
• Challenges
  • Delivering business solutions in parallel to this effort
  • Improving systems performance and extending banking hours
  • Rolling out more products, ATMs, etc.
  • Decommissioning legacy applications
Timeline 2015
[Timeline figure: five phases in sequence, with 2015 milestone dates marked on the slide (Feb 18, Mar 15, May 28, Nov 5, Dec 20)]
• Scope Revalidation: performed the scope validation & updated the scope
• De-Scope: removed assets from scope; mapped all in-scope assets to security controls
• Revalidate the Gaps: performed revalidation of gaps by HBL PCI team & QSA
• Remediation & Control Implementation
• Final QSA Audit: evidence finalization & final QSA audit
Success Factors
• People
  • Training of staff
  • Hiring of specialized resources for remediation work
• Focus
  • Deferred all non-critical work
  • Froze system changes
  • Aligned staff goals and KPIs with the remediation effort
  • Stakeholder engagement
• Project management discipline
  • Resources, execution, solving problems
Takeaways for Other Institutions
• It can be done
  • No matter the size and complexity of one’s systems
• Analysis & planning
  • You have to know what you are going to do – and not do
• Focus
  • Need commitment and focus to achieve results
  • Project management discipline
• Systemic improvements in Pakistan
  • Increased awareness in the banking sector
  • Vendor systems are PA-DSS compliant
Thank you
HBL: The only bank in Pakistan that is PCI DSS Certified