Continuous PCI security compliance Program
One year (2017-2018)
Project Brief: Performing PCI DSS activities and providing support to other teams regarding PCI DSS requirements, such as:
o Assisting with PCI compliance assessments, determining control gaps, and developing recommendations for meeting compliance requirements.
o Implementation support, such as configuration and documentation of all related systems in PCI scope.
o Maintaining PCI DSS scope.
o Collecting all required evidence for the audit, along with audit facilitation.
o Conducting regular internal Vulnerability assessments for PCI Scope.
o Conducting firewall rule set review for PCI scope.
o Conducting regular card discovery scan for PCI Scope.
o Conducting physical security review for PCI scope.
o Developing data flow diagrams.
o Supporting the NCB team by explaining and verifying the system configuration required to comply with PCI DSS controls (e.g., Active Directory, Microsoft Windows Server system software, Linux/UNIX servers, applications, databases, and networking equipment such as firewalls, switches, and routers).
o Identifying and recommending improvements in existing processes.
o Maintaining technical proficiency and sharing knowledge throughout the Bank.
o Handling PCI DSS training initiatives.
• The team performs the following activities:
o External vulnerability scan
o Internal/External application penetration security testing
o Quarterly wireless scanning and reporting across the different NCB locations
o Annual Internal/External Network Penetration Security Testing
o Quarterly Cardholder data discovery
o Firewall review (managed) – semi-annually
o Review of overall Information Security Policies and Procedures
o Branch Visit assessment
o PCI ATM security assessment
o Review of the PCI network diagram, OS patch management, user access, card printing machines, logs, and evidence collection
o Network Segmentation review for CDE
o Review IS Awareness program
o Risk Assessments
o Assist with Pre-audit activity
o Assist with PCI DSS official audit with QSA
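The quarterly cardholder data discovery listed above is, at its core, a scan of files, logs and databases for primary account numbers (PANs) that have leaked outside the defined cardholder data environment. The following is an added illustration written for this page, not NCB's discovery tool or any product the Bank used: it finds candidate 13-19 digit sequences, filters out the many numeric strings that are not card numbers by validating the Luhn check digit, and reports only a masked value so the discovery report itself never becomes a new store of cardholder data. The log lines are constructed sample input; the well-known test PANs in them are not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a longer numeric run is not split into pieces).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    source: str   # file or log name the match came from
    line_no: int  # 1-based line number within that source
    masked: str   # PAN with all but the last four digits masked
    length: int   # number of digits in the PAN


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every second digit from the right is doubled; doubled values above 9
    have 9 subtracted. The number is valid if the total is a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so reports do not store full PANs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Scan text line by line and return Luhn-valid PAN findings, masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            # Length filter is a safety net; the regex already bounds it.
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits), len(digits)))
    return findings


# Constructed sample log. Line 1 holds a 13-digit order id that fails Luhn,
# line 3 holds a mistyped card number that fails Luhn, and line 4 mixes a
# phone number (too short) with a valid test PAN.
SAMPLE_LOG = """\
2018-03-01 10:02:11 order=1234567890123 status=OK
2018-03-01 10:02:12 card=4111 1111 1111 1111 exp=12/20
2018-03-01 10:02:13 card=4111-1111-1111-1112 exp=12/20
2018-03-01 10:02:14 phone=+966 12 345 6789 card=5500000000000004
"""


if __name__ == "__main__":
    for finding in scan_text("sample.log", SAMPLE_LOG):
        print(f"{finding.source}:{finding.line_no} PAN({finding.length}) {finding.masked}")
```

Only the two Luhn-valid card numbers on lines 2 and 4 are reported; the order id and the mistyped number are discarded, which is what keeps a real discovery scan's false-positive rate manageable across gigabytes of logs. A production scanner would additionally walk directories, database dumps and mailboxes, and would feed each finding into the scope-maintenance process so the owning system is either brought into the CDE or cleaned up.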
- Business Requirement Addressed:
All PCI requirements complied with, and central bank compliance approval obtained.
- Business Value Achieved:
Recertified against version 3.2. This achievement reflects NCB's ongoing commitment to protecting critical payment card data for our customers.
The consequences of non-compliance can do irreversible damage to the bank's brand reputation. Non-compliance with the PCI DSS security standard can result in penalties from both the central bank of KSA and the credit card companies.
Achieving PCI DSS compliance is an expensive, time-consuming process, but it encourages better security practices and thereby avoids the massive costs associated with major breaches. To achieve quality and meet the timeline, we follow the steps below:
- Assign program ownership and get management support for the assigned mission.
- Provide a single point of contact from IT during the assignment to support the activity and facilitate the work and logistics.
- Prepare the plan and strategy to guide the team through the implementation of the defined program.
- Execute the PCI compliance program, which covers several technical security assessments and evidence collection to fulfill the PCI requirements.
- Maintain open communication between IT and the security team.
- Hold weekly and monthly meetings with IT to remediate the high risks.
- Report all security risks to top management.
- Invite all key business and operations stakeholders after obtaining the certificate of compliance to discuss successes/failures and recommendations to improve future activity.
Being certified against the latest PCI version to comply with the central bank, and being the first bank in the region to adopt PCI DSS, reflects NCB's ongoing commitment to protecting critical payment card data for our customers.