HBL PCI DSS Remediation Case Study
MIDDLE EAST FORUM
DUBAI, UNITED ARAB EMIRATES, 6 – 7 APRIL 2016
Case Study: Successful Implementation Of PCI DSS In A Large Bank
Presenter: Fareed Hosain, CIO, Habib Bank Ltd
HBL Profile
Pakistan’s largest bank
• Incorporated in 1941
• Deposits > PKR 2 Trillion
• 1600+ branches
• 1900+ ATMs
• 5+ million Debit & Credit Card holders
• Over 500k card based transactions daily
Major systems
• Core banking
• Debit Cards
• Credit cards
• ATM Switches
• Branchless Banking
• Card Production
• Call Centre
PCI DSS at HBL
• Scope
  • Project initiated in 2013, work started in earnest from Jan 2015
  • Remediated over 52 Applications, 270+ servers, 26 network devices
  • 4 data centers ready for ISO 27001 certification
  • Updated over 1000+ controls (along with SIEM, FIM, DLP, 2FA, VA, PT etc.)
  • 25 core business processes changed to comply with the standard
  • Upgraded card production facility to be compliant
• Challenges
  • Delivering business solutions in parallel to this effort
  • Improving systems performance and extending banking hours
  • Rolling out more products, ATMs, etc.
  • Decommissioning legacy applications
Timeline 2015
Dates on the timeline: Feb 18, Mar 15, May 28, Nov 5, Dec 20
• Scope Revalidation: Performed the scope validation & updated the scope
• De-Scope: Removed assets
• Revalidate the Gaps: Performed revalidation of gaps by HBL PCI team & QSA
• Remediation & Control Implementation: From all in scope assets to security controls
• Final QSA Audit: Evidence finalization & Final QSA audit
Success Factors
• People
  • Training of staff
  • Hiring of specialized resources for remediation work
• Focus
  • Deferred all non-critical work
  • Froze system changes
  • Aligned staff goals and KPIs with remediation effort
  • Stakeholder engagement
• Project management discipline
  • Resources, execution, solve problems
Takeaways for other Institutions
• It can be done
  • No matter the size and complexity of one’s systems
• Analysis & Planning
  • You have to know what you are going to do – and not do
• Focus
  • Need commitment and focus to achieve results
  • Project management discipline
• Systemic improvements in Pakistan
  • Increased awareness in the banking sector
  • Vendor systems are PA-DSS compliant
Thank you
HBL: The only bank in Pakistan that is PCI DSS Certified