Information Security award entry

Project Title:
Continuous PCI Security Compliance Program

Project Duration:
One year (2017-2018)

Project Brief: Performing PCI DSS activities and providing support to other teams
regarding PCI DSS requirements, such as:
o Assist with PCI compliance assessments, determine control gaps, and
develop recommendations for meeting compliance requirements.
o Implementation support like configuration and documentation of all related
systems in PCI scope.
o Maintaining PCI DSS scope.
o Collect all required evidence for the audit, along with audit facilitation.
o Conducting regular internal vulnerability assessments for PCI scope.
o Conducting firewall rule set review for PCI scope.
o Conducting regular card discovery scan for PCI Scope.
o Conducting physical security review for PCI scope.
o Developing data flow diagrams.
o Support NCB team by explaining and verifying systems configuration required
to comply with PCI DSS controls (e.g., Active Directory, Microsoft Windows
Server System software, Linux/UNIX servers, applications, databases, and
networking equipment such as firewalls, switches, and routers, etc.).
o Identifying and recommending improvements in existing processes and
o Maintaining technical proficiency, sharing knowledge throughout the Bank
o Handling PCI DSS training initiatives
• The team performs the following activities:
o External vulnerability scan
o Internal/External application penetration security testing
o Quarterly wireless scanning and reporting at different NCB locations
o Annual Internal/External Network Penetration Security Testing
o Quarterly Cardholder data discovery
o Firewall review – Managed – Semi-annually
o Review of overall Information Security Policies and Procedures
o Branch Visit assessment
o PCI ATM security assessment
o Review of PCI network diagram, OS patch management, user access, card
printing machine, logs and evidence collection
o Network Segmentation review for CDE
o Review IS Awareness program
o Risk Assessments
o Assist with Pre-audit activity
o Assist with PCI DSS official audit with QSA

-Business Requirement Addressed:
Compliance with all PCI requirements and central bank compliance approval

-Business Value Achieved:
Being recertified against version 3.2. This achievement reflects NCB’s
ongoing commitment to protecting critical payment card data for our customers.


The consequences of being non-compliant can do irreversible damage to the reputation of the bank's brand. Non-compliance with the PCI DSS security standard can result in penalties from both the central bank of KSA and the credit card companies.

Achieving PCI DSS compliance may be an expensive, time-consuming process, but it encourages better security practices and thereby helps avoid the massive costs associated with major breaches. To achieve quality and meet the timeline, we follow the steps below:

  • Assign program ownership and obtain management support for the assigned mission
  • Provide a single point of contact from IT during the assignment to support the activity and facilitate the work and logistics.

Prepare the plan and strategy to guide the team through the implementation of the defined program

Execute the PCI compliance program, which covers several technical security assessments and evidence collection to fulfill the PCI requirements

  • Open communication between IT and security team
  • Weekly and monthly meetings with IT to remediate the high risks
  • Report all security risks to top management

Invite all key business and operations stakeholders after receiving the certificate of compliance to discuss successes, failures, and recommendations to improve future activity.

Being certified against the latest PCI version to comply with the central bank, and being the first bank in the region to adopt PCI DSS, reflects NCB’s ongoing commitment to protecting critical payment card data for our customers.
