The Bangko Sentral ng Pilipinas recently issued a circular requiring all BSP supervised institutions to implement 3DES and EMV in particular, along with reporting framework for improving IT security in general.
Simoun Ung, Chairman, AmCham Security Disaster Resource Group Committee; Vice Chairman, Bastion Payment Systems Corporation
Approved by BSP on 1 AUG 2013.
A board-approved migration plan must be submitted to BSP no later than 1 FEB 2014, six months from the circular date.
Compliance is required no later than 1 JAN 2015.
Enhanced information-technology risk management (ITRM) framework;
Updates I.T. related portions of current Manual of Regulations for Banks (MORB);
Aims to strengthen the retail electronic payment infrastructure of the nation;
Aims to enhance protection against ATM and credit card fraud.
The new regulation covers: all banks; non-bank financial institutions; electronic money issuers; other non-bank entities subject to BSP supervision or regulation.
Requires overall alignment of IT governance and models with overall business strategy and risk management/mitigation;
Requires maintenance of a risk identification and assessment process to continually look at threats and address them;
Establishment of an overall IT risk mitigation strategy, customized to the threats likely to face the institution, covering: information security; project management, acquisition and change management; I.T. operations; I.T. outsourcing and vendor management; electronic products and services.
3DES: Triple Data Encryption Algorithm, the DES block cipher applied three times to each data block.
Requires implementation of end-to-end Triple DES for all ATMs by 1 JAN 2015.
New ATMs installed should be Triple DES compliant.
EMV: the Europay, MasterCard and Visa originated standard for integrated circuit cards.
EMV chip cards must be implemented by 1 JAN 2017.
Implementation plans must be submitted by 1 FEB 2014, six months from the date of the circular.
Cloud security and its effect on our services and security;
Payment Card Industry Data Security Standards (PCI DSS)
Card Not Present transactions;
EMV security and organized criminal groups;
ATM security and organized criminal groups;
Other threats.