Simoun Ung, Chairman, AmCham Security Disaster Resource Group Committee; Vice Chairman, Bastion Payment Systems Corporation
Approved by BSP 1 AUG 2013;
Board-approved migration plan must be submitted to BSP no later than 1 FEB 2014, six months from the circular date;
Compliance required no later than 1 JAN 2015.
Enhanced information-technology risk management (ITRM) framework;
Updates the IT-related portions of the current Manual of Regulations for Banks (MORB);
Aims to strengthen the retail electronic payment infrastructure of the nation;
Aims to enhance protection against ATM and credit card fraud.
The new regulation covers: All banks; Non-bank financial institutions; Electronic money issuers; Other non-bank entities subject to BSP supervision or regulation.
Requires alignment of IT governance and operating models with the overall business strategy and risk management/mitigation;
Requires maintenance of a risk identification and assessment process that continually reviews threats and addresses them;
Requires establishment of an overall IT risk mitigation strategy, customized to the threats the institution is likely to face, covering: Information security; Project management, acquisition and change management; IT operations; IT outsourcing and vendor management; Electronic products and services.
3DES: Triple Data Encryption Algorithm, in which the DES cipher is applied three times to each data block.
Requires implementation of end-to-end Triple DES for all ATMs by 1 JAN 2015;
New ATMs installed should be Triple DES compliant.
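As an added illustration of the 3DES item above (not part of the original presentation), this Go program builds the TDEA encrypt-decrypt-encrypt chain from single DES with the standard crypto/des package, checks it against the library's own TripleDES cipher, and shows the caveat behind "applied three times": with all three keys equal the chain collapses to single DES, so the key hierarchy, not the cipher name, decides the strength. The keys and the sample block are constructed values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// mustDES builds a single-DES block cipher from an 8-byte key.
func mustDES(key []byte) cipher.Block {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

// TDEAEncrypt applies DES three times to one 8-byte block in encrypt-decrypt-encrypt (EDE) order.
func TDEAEncrypt(k1, k2, k3, in []byte) []byte {
	out := make([]byte, des.BlockSize)
	mustDES(k1).Encrypt(out, in)
	mustDES(k2).Decrypt(out, out)
	mustDES(k3).Encrypt(out, out)
	return out
}

// MatchesLibrary checks the hand-built EDE chain against crypto/des TripleDES keyed with K1||K2||K3.
func MatchesLibrary(k1, k2, k3, in []byte) bool {
	c, err := des.NewTripleDESCipher(bytes.Join([][]byte{k1, k2, k3}, nil))
	if err != nil {
		panic(err)
	}
	lib := make([]byte, des.BlockSize)
	c.Encrypt(lib, in)
	return bytes.Equal(TDEAEncrypt(k1, k2, k3, in), lib)
}

// CollapsesToSingleDES: with K1 = K2 = K3 the middle decrypt undoes the first encrypt, leaving plain single DES.
func CollapsesToSingleDES(k, in []byte) bool {
	single := make([]byte, des.BlockSize)
	mustDES(k).Encrypt(single, in)
	return bytes.Equal(TDEAEncrypt(k, k, k, in), single)
}

func main() {
	k1, k2, k3 := []byte("ATMKEY01"), []byte("ATMKEY02"), []byte("ATMKEY03") // constructed, not real keys
	blk := []byte("PINBLOCK")                                                 // constructed sample block
	fmt.Println(MatchesLibrary(k1, k2, k3, blk), CollapsesToSingleDES(k1, blk)) // prints: true true
}
```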
EMV: standard for integrated circuit (chip) cards originated by Europay, MasterCard and Visa.
EMV chip cards must be implemented by 1 JAN 2017;
Implementation plans must be submitted by 1 FEB 2014, six months from the date of the circular.
Cloud security and its effect on our services and security;
Payment Card Industry Data Security Standard (PCI DSS);
Card Not Present transactions;
EMV security and organized criminal groups;
ATM security and organized criminal groups;
Other threats.