HomeResourcesCase StudiesMalaysia Bank SWIFT CSP + PCI DSS
SWIFT CSP + PCI DSSBankingBanking · Malaysia

Malaysian Bank Achieves SWIFT CSP and PCI DSS in Single Engagement

A BNM-regulated bank needed both SWIFT CSP attestation and PCI DSS compliance before year-end. EIC delivered both in a unified 16-week engagement — eliminating duplicate effort across overlapping controls.

SWIFT CSP + PCI DSS · BNM RMiT
2
Frameworks in Single Engagement
16wk
Timeline
30%
Effort Saved
Zero
Findings
BNM
RMiT Ready
Industry
Banking & Financial Services
Service
SWIFT CSP Assessment + PCI DSS Compliance
Timeline
16 weeks — dual framework engagement
Technology
CardIntel + SWIFT KYC-SA
The Challenge

Two Compliance Deadlines, One Budget, One IT Team

A BNM-regulated Malaysian bank faced two compliance deadlines converging within the same quarter: the annual SWIFT CSP KYC-SA attestation deadline and PCI DSS compliance renewal. The bank's compliance team had previously engaged separate firms for each assessment — a SWIFT CSP assessor and a PCI DSS QSA — resulting in duplicated effort, overlapping evidence requests, and assessment fatigue for the IT team that supported both engagements.

The bank's CISO estimated that the prior year's separate engagements had consumed approximately 1,200 person-hours of IT team time — nearly 30 full working weeks spread across two parallel assessments. Network security evidence, access control documentation, vulnerability management records, and incident response procedures were collected and presented twice, in different formats, to different assessment teams.

BNM's Risk Management in Technology (RMiT) policy added a third compliance dimension. Many of the controls assessed under both SWIFT CSP and PCI DSS also satisfied RMiT requirements. The bank needed a unified approach that could produce evidence packages for all three compliance obligations simultaneously, rather than treating each as an independent exercise.

The budget constraint was real. Two separate assessments had cost the bank approximately MYR 380,000 in the prior year. The CISO needed to demonstrate cost efficiency to the board while maintaining compliance quality across both frameworks — and ideally improving the bank's overall compliance posture rather than simply meeting minimum requirements.

  • SWIFT CSP and PCI DSS deadlines converging in the same quarter
  • 1,200 person-hours consumed by duplicate evidence collection in prior year
  • BNM RMiT alignment required across both frameworks
  • MYR 380,000 spent on two separate assessments in prior year
  • Single IT team supporting both assessments experiencing assessment fatigue
EIC's Approach

Unified Dual-Framework Assessment with Control Overlap Mapping

EIC designed a unified engagement that assessed both SWIFT CSP and PCI DSS requirements through a single evidence collection process, leveraging control overlaps between the two frameworks to eliminate duplicate effort.

Phase 01 · Weeks 1–3

Dual Scoping

SWIFT A2 architecture confirmed. CardIntel mapped PCI DSS CDE. Control overlap matrix produced: 14 SWIFT CSP controls directly satisfy PCI DSS requirements. Single evidence collection plan designed.

Phase 02 · Weeks 3–6

Gap Analysis & Remediation

Combined gap analysis across both frameworks. 5 SWIFT gaps and 7 PCI DSS gaps identified — 3 gaps overlapping. Remediation addressed once, evidenced for both frameworks.

Phase 03 · Weeks 6–14

Unified Assessment

Both assessments conducted by EIC's dual-qualified team. Evidence collected once, tagged for both frameworks. SWIFT CSP 25 mandatory controls + PCI DSS 12 requirement families assessed.

Phase 04 · Weeks 14–16

Dual Attestation

SWIFT CSP assessment report issued. KYC-SA submission completed. PCI DSS compliance report and AOC issued. BNM RMiT evidence package produced from unified evidence base.

Overlap Mapping

14 Overlapping Controls — Assessed Once, Evidenced for Both

The control overlap mapping in phase 1 was the key to the engagement's efficiency. EIC's dual-qualified assessment team (SWIFT CSP assessors who are also PCI QSAs) identified 14 SWIFT CSP mandatory controls that directly map to PCI DSS requirements. Network security controls, access management, vulnerability management, and incident response procedures were the primary overlap areas.

For example, SWIFT CSP Control 1.1 (SWIFT Environment Protection) requires network segmentation and access control measures that directly correspond to PCI DSS Requirement 1 (Network Security Controls). Under the prior year's separate assessment approach, the bank had collected network architecture documentation, firewall rule sets, and segmentation evidence twice — once for each assessor. Under EIC's unified approach, this evidence was collected once and tagged for both frameworks.

The 3 overlapping gaps — identified during the combined gap analysis — were particularly efficient to address. A single remediation action (such as implementing consistent MFA across both SWIFT operator and PCI DSS administrator accounts) satisfied requirements in both frameworks simultaneously. This eliminated the situation from the prior year where the bank had implemented slightly different MFA solutions for SWIFT and PCI DSS because two different assessors had provided different recommendations.

The BNM RMiT evidence package was produced as a by-product of the unified assessment. Rather than preparing a separate regulatory evidence package, EIC mapped the combined SWIFT CSP and PCI DSS evidence base to BNM RMiT requirements — identifying which evidence items satisfied which RMiT sections. The bank's next BNM examination preparation required minimal additional effort because the evidence was already organised and mapped.

Results

Measurable Outcomes

2
Compliance frameworks achieved in a single 16-week engagement
30%
Reduction in IT team effort vs prior year's separate assessments
Zero
Findings across both SWIFT CSP and PCI DSS assessments
16
Weeks for dual-framework engagement (vs 24 weeks separate in prior year)
"
Last year we ran two separate assessments with two firms and our IT team was exhausted. This year, one firm, one evidence collection process, both frameworks completed — and our team got 30% of their time back. The overlap mapping alone justified the change.
CISO, Licensed Commercial Bank, Malaysia
Services & Technology in This Engagement

Managing Multiple Compliance Frameworks?

Schedule a 30-minute scoping call and we'll assess your framework overlap and recommend a unified assessment approach.