Enhanced Bank Security Requirements of BSP Circular 808

Posted on 10-Nov-2014


DESCRIPTION

The Bangko Sentral ng Pilipinas (BSP) recently issued a circular requiring all BSP-supervised institutions to implement Triple DES (3DES) and EMV in particular, along with a risk management and reporting framework for improving IT security in general.

TRANSCRIPT

Simoun Ung
Chairman, AmCham Security Disaster Resource Group Committee
Vice Chairman, Bastion Payment Systems Corporation

Approved by BSP 1 AUG 2013;

Board-approved migration plan must be submitted to BSP no later than 1 FEB 2014, six months from the circular date;

Compliance required no later than 1 JAN 2015.

Enhanced information-technology risk management (ITRM) framework;

Updates the I.T.-related portions of the current Manual of Regulations for Banks (MORB);

Aims to strengthen the retail electronic payment infrastructure of the nation;

Aims to enhance protection against ATM and credit card fraud.

The new regulation covers: All banks; Non-bank financial institutions; Electronic money issuers; Other non-bank entities subject to BSP supervision or regulation.

Requires overall alignment of IT governance and models with overall business strategy and risk management/mitigation;

Requires maintenance of a risk identification and assessment process to continually look at threats and address them;

Establishment of an overall IT risk mitigation strategy, customized to the threats likely to face the institution: Information security; Project management, acquisition and change management; I.T. operations; I.T. outsourcing and vendor management; Electronic products and services.

3DES: Triple DES, the DES block cipher applied three times to each 64-bit data block (encrypt-decrypt-encrypt) under two or three independent 56-bit keys; single DES, with one 56-bit key, can be brute-forced and is no longer an acceptable protection for PINs in transit.

Requires implementation of end-to-end Triple DES for all ATMs by 1 JAN 2015;

New ATMs installed should be Triple DES compliant.
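The Go program below is an added example, not part of the original presentation or of the circular. It spells out the encrypt-decrypt-encrypt construction of Triple DES with three single-DES operations and checks it against the standard library's 3DES, shows that keying all three stages with the same key collapses 3DES back to single DES (the backward-compatibility trap a migration audit should look for), and builds the ISO 9564 format 0 PIN block that an ATM's encrypting PIN pad protects with 3DES on its way to the host. Treating "end-to-end Triple DES for ATMs" as PIN-block encryption is an assumption made here (the slide does not detail it), and the key, PAN and PIN values are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// encryptEDE applies single DES three times to one 8-byte block in the
// standard encrypt-decrypt-encrypt order E_K3(D_K2(E_K1(block))), built from
// three separate DES ciphers so the "applied three times" construction is visible.
func encryptEDE(k1, k2, k3, block []byte) ([]byte, error) {
	if len(block) != des.BlockSize {
		return nil, errors.New("block must be exactly 8 bytes")
	}
	c1, e1 := des.NewCipher(k1) // each key is 8 bytes: 56 key bits plus parity
	c2, e2 := des.NewCipher(k2)
	c3, e3 := des.NewCipher(k3)
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("each DES key must be exactly 8 bytes")
	}
	a, b, out := make([]byte, 8), make([]byte, 8), make([]byte, 8)
	c1.Encrypt(a, block)
	c2.Decrypt(b, a)
	c3.Encrypt(out, b)
	return out, nil
}

// tripleDESBlock is the per-block operation the encrypting PIN pad (encrypt)
// and the host HSM (decrypt) perform on the 8-byte PIN block: 3DES under the
// PIN key. A 16-byte two-key key K1||K2 is expanded to K1||K2||K1 for crypto/des.
func tripleDESBlock(key, block []byte, decrypt bool) ([]byte, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	c, err := des.NewTripleDESCipher(key) // rejects anything but 24 bytes
	if err != nil || len(block) != des.BlockSize {
		return nil, errors.New("need a 16- or 24-byte key and an 8-byte block")
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, block)
	} else {
		c.Encrypt(out, block)
	}
	return out, nil
}

// degeneratesToSingleDES shows the backward-compatibility trap: with
// K1 = K2 = K3 the middle decryption undoes the first encryption, so a
// "Triple DES" ATM keyed that way is exactly single DES under that one key.
func degeneratesToSingleDES(k8, block []byte) (bool, error) {
	triple, err := encryptEDE(k8, k8, k8, block)
	if err != nil {
		return false, err
	}
	single, _ := des.NewCipher(k8) // key already validated by encryptEDE
	out := make([]byte, 8)
	single.Encrypt(out, block)
	return bytes.Equal(triple, out), nil
}

// isoFormat0PinBlock builds the clear ISO 9564 format 0 PIN block: the PIN
// field (nibble 0, PIN length, PIN digits, F padding) XORed with the PAN
// field (0000 followed by the 12 rightmost PAN digits, check digit excluded).
func isoFormat0PinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	p, _ := hex.DecodeString(pf + strings.Repeat("F", 16-len(pf)))
	noCheck := pan[:len(pan)-1]
	q, _ := hex.DecodeString("0000" + noCheck[len(noCheck)-12:])
	out := make([]byte, 8)
	for i := range out {
		out[i] = p[i] ^ q[i] // XOR with the PAN ties the block to this card
	}
	return out, nil
}

func main() {
	// Constructed test values, not taken from the circular.
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // two-key 3DES
	pb, _ := isoFormat0PinBlock("1234", "4111111111111111")
	enc, _ := tripleDESBlock(key, pb, false)
	ref, _ := encryptEDE(key[:8], key[8:], key[:8], pb)
	dec, _ := tripleDESBlock(key, enc, true)
	same, _ := degeneratesToSingleDES(key[:8], pb)
	fmt.Printf("clear PIN block %X\n3DES PIN block  %X\n", pb, enc)
	fmt.Println("library equals explicit EDE:", bytes.Equal(enc, ref), "round trip:", bytes.Equal(dec, pb))
	fmt.Println("K1=K2=K3 is just single DES:", same)
}
```

The format 0 block for PIN 1234 and that PAN is 041225EEEEEEEEEE in the clear; only the 3DES ciphertext of it should ever leave the PIN pad. The degeneratesToSingleDES check is the one to run against a migrated ATM's key components: a double-length key whose two halves are equal, or a "3DES" mode that was enabled with the old single-DES key replicated, gives the 3DES wire format with none of the added strength.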

EMV: the standard for integrated-circuit (chip) payment cards originated by Europay, MasterCard and Visa; a chip card authenticates each transaction with a card-generated cryptogram, so data skimmed from a magnetic stripe cannot be replayed as a chip transaction.

EMV chip cards must be implemented by 1 JAN 2017;

Implementation plans must be submitted by 1 FEB 2014, six months from the date of the circular.

Cloud security and its effect on our services and security;

Payment Card Industry Data Security Standard (PCI DSS);

Card Not Present transactions;

EMV security and organized criminal groups;

ATM security and organized criminal groups;

Other threats.
