A bank in Egypt improves its security posture and achieves PCI compliance when it implements an IBM Internet Security Systems solution.

Published on 26-Jun-2009

"The IBM Internet Security Systems solution fortified our security posture, reduced our exposure to risk and enabled us to avoid penalties by helping us to comply with the PCI Data Security Standard requirements before the deadline." - Hisham Mohy

Customer:
The United Bank

Industry:
Banking

Deployment country:
Egypt

Solution:
Managing Business Infrastructure, Security

Overview

Business need:
The United Bank in Egypt needed to become Payment Card Industry (PCI) compliant and had to meet the December 2008 deadline for VISA PCI compliance in order to avoid penalties enforced by VISA.

Solution:
IBM Internet Security Systems (ISS) is part of IBM Global Technology Services - Integrated Technology Services and was able to help The United Bank perform a PCI gap assessment and successfully submit the needed requirements to VISA in order to meet the compliance deadline.

Benefits:
- Provided The United Bank with the necessary PCI compliance reports, which served as a guideline for the bank to implement the security solutions demanded by PCI VISA
- Enabled the bank to achieve the required security posture for its credit and debit card services
- Helped garner further confidence and trust from customers for its banking services

Case Study

The United Bank
Cairo, Egypt
http://213.212.212.245/wps/portal/enub

Industry
Banking

Products and services
IBM Internet Security Systems

“The IBM Internet Security Systems solution fortified our security posture, reduced our exposure to risk and enabled us to avoid penalties by helping us to comply with the PCI Data Security Standard requirements before the deadline.”
— Hisham Mohy, The United Bank

The United Bank provides large local groups, multinationals and financial institutions with expertise on capital markets and investment banking. It also provides traditional corporate banking services, small and midsize business services and personal banking, and it offers a special line of Islamic products and services for personal and business customers.

Challenge
The United Bank in Egypt needed to become Payment Card Industry (PCI) compliant and had to meet the December 2008 deadline for VISA PCI compliance in order to avoid penalties enforced by VISA. The United Bank was classified by VISA as a Level 3 Issuer.

Solution
The new PCI data security standards outline best practices for credit card data that is stored, processed, or transmitted. All major credit card issuers, including Visa, MasterCard, American Express, Diners Club, and Discover, jointly developed these PCI standards. Most merchants are required to comply with this standard. There are 12 key requirements, listed under 6 categories, that retailers must implement to be compliant.

IBM Internet Security Systems (ISS), part of IBM Global Technology Services - Integrated Technology Services, helped The United Bank perform a PCI gap assessment and successfully submit the needed requirements to VISA in order to meet the compliance deadline. The IBM ISS PCI consultant worked with The United Bank to provide the reports reflecting its assessment of The United Bank's compliance with the twelve PCI required domains of security. The IBM ISS Qualified Security Assessor (QSA) was able to submit an IROC (report on compliance) and remediation plan to VISA before the target deadline.

VISA Payment Card Industry (PCI) Compliance:

Build and maintain a secure network:
1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults

Protect cardholder data:
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a vulnerability management program:
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement strong access control measures:
7. Restrict access to data on a need-to-know basis
8. Assign a unique ID to each person with access to the computer system
9. Restrict physical access to cardholder data

Regularly monitor and test networks:
10. Track and monitor access to network resources and cardholder data
11. Test security systems and processes on a regular basis

Maintain an information security policy:
12. Maintain a policy that addresses information security

These security requirements apply to all "system components," defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances and other security appliances.

The IBM ISS solution enabled The United Bank to successfully complete its PCI gap analysis and meet the Level 1 compliance deadline.

Benefits
- Provided The United Bank with the necessary PCI compliance reports, which served as a guideline for the bank to implement the security solutions demanded by PCI VISA
- Enabled the bank to achieve the required security posture for its credit and debit card services
- Helped garner further confidence and trust from customers for its banking services

Products and services used

IBM products and services that were used in this case study.

Service:
GTS ITS Internet Security Systems: ISS Security Governance

Legal Information

Copyright IBM Corporation 2009 IBM Global Services Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America May 2009 All Rights Reserved IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Other company, product, or service names may be trademarks or service marks of others. The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided “as is” without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this documentation or any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software. This document illustrates how one organization uses IBM products. Many factors have contributed to the results and benefits described; IBM does not guarantee comparable results elsewhere. 
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.