Malaysian Bank Achieves SWIFT CSP and PCI DSS in Single Engagement
A BNM-regulated bank needed both SWIFT CSP attestation and PCI DSS compliance before year-end. EIC delivered both in a unified 16-week engagement — eliminating duplicate effort across overlapping controls.
Two Compliance Deadlines, One Budget, One IT Team
A BNM-regulated Malaysian bank faced two compliance deadlines converging within the same quarter: the annual SWIFT CSP KYC-SA attestation deadline and PCI DSS compliance renewal. The bank's compliance team had previously engaged separate firms for each assessment — a SWIFT CSP assessor and a PCI DSS QSA — resulting in duplicated effort, overlapping evidence requests, and assessment fatigue for the IT team that supported both engagements.
The bank's CISO estimated that the prior year's separate engagements had consumed approximately 1,200 person-hours of IT team time — nearly 30 full working weeks spread across two parallel assessments. Network security evidence, access control documentation, vulnerability management records, and incident response procedures were collected and presented twice, in different formats, to different assessment teams.
BNM's Risk Management in Technology (RMiT) policy added a third compliance dimension. Many of the controls assessed under both SWIFT CSP and PCI DSS also satisfied RMiT requirements. The bank needed a unified approach that could produce evidence packages for all three compliance obligations simultaneously, rather than treating each as an independent exercise.
The budget constraint was real. Two separate assessments had cost the bank approximately MYR 380,000 in the prior year. The CISO needed to demonstrate cost efficiency to the board while maintaining compliance quality across both frameworks — and ideally improving the bank's overall compliance posture rather than simply meeting minimum requirements.
- SWIFT CSP and PCI DSS deadlines converging in the same quarter
- 1,200 person-hours consumed by duplicate evidence collection in prior year
- BNM RMiT alignment required across both frameworks
- MYR 380,000 spent on two separate assessments in prior year
- Single IT team supporting both assessments experiencing assessment fatigue
Unified Dual-Framework Assessment with Control Overlap Mapping
EIC designed a unified engagement that assessed both SWIFT CSP and PCI DSS requirements through a single evidence collection process, leveraging control overlaps between the two frameworks to eliminate duplicate effort.
Dual Scoping
SWIFT A2 architecture confirmed. CardIntel mapped PCI DSS CDE. Control overlap matrix produced: 14 SWIFT CSP controls directly satisfy PCI DSS requirements. Single evidence collection plan designed.
Gap Analysis & Remediation
Combined gap analysis across both frameworks. 5 SWIFT gaps and 7 PCI DSS gaps identified — 3 gaps overlapping. Remediation addressed once, evidenced for both frameworks.
Unified Assessment
Both assessments conducted by EIC's dual-qualified team. Evidence collected once, tagged for both frameworks. SWIFT CSP 25 mandatory controls + PCI DSS 12 requirement families assessed.
Dual Attestation
SWIFT CSP assessment report issued. KYC-SA submission completed. PCI DSS compliance report and AOC issued. BNM RMiT evidence package produced from unified evidence base.
14 Overlapping Controls — Assessed Once, Evidenced for Both
The control overlap mapping in phase 1 was the key to the engagement's efficiency. EIC's dual-qualified assessment team (SWIFT CSP assessors who are also PCI QSAs) identified 14 SWIFT CSP mandatory controls that directly map to PCI DSS requirements. Network security controls, access management, vulnerability management, and incident response procedures were the primary overlap areas.
For example, SWIFT CSP Control 1.1 (SWIFT Environment Protection) requires network segmentation and access control measures that directly correspond to PCI DSS Requirement 1 (Network Security Controls). Under the prior year's separate assessment approach, the bank had collected network architecture documentation, firewall rule sets, and segmentation evidence twice — once for each assessor. Under EIC's unified approach, this evidence was collected once and tagged for both frameworks.
The 3 overlapping gaps — identified during the combined gap analysis — were particularly efficient to address. A single remediation action (such as implementing consistent MFA across both SWIFT operator and PCI DSS administrator accounts) satisfied requirements in both frameworks simultaneously. This eliminated the situation from the prior year where the bank had implemented slightly different MFA solutions for SWIFT and PCI DSS because two different assessors had provided different recommendations.
The BNM RMiT evidence package was produced as a by-product of the unified assessment. Rather than preparing a separate regulatory evidence package, EIC mapped the combined SWIFT CSP and PCI DSS evidence base to BNM RMiT requirements — identifying which evidence items satisfied which RMiT sections. The bank's next BNM examination preparation required minimal additional effort because the evidence was already organised and mapped.
Measurable Outcomes
Last year we ran two separate assessments with two firms and our IT team was exhausted. This year, one firm, one evidence collection process, both frameworks completed — and our team got 30% of their time back. The overlap mapping alone justified the change.