HomeResourcesCase StudiesSingapore Bank PCI DSS
PCI DSSBankingBanking · Singapore

Global Bank Singapore Achieves PCI DSS Across 3 Processing Centres

A global bank's Singapore regional hub needed PCI DSS compliance across three distinct card processing environments. CardIntel reduced scoping complexity by 35%, and the assessment completed with zero non-compliances.

PCI DSS v4.0.1 · MAS Compliant
Zero
Non-Compliances at Assessment
3
Environments
35%
Scope Reduction
14wk
Timeline
MAS
Compliant
Industry
Banking & Financial Services
Service
PCI DSS Compliance Assessment
Timeline
14 weeks across 3 processing centres
Technology
CardIntel Platform
The Challenge

Three Card Processing Environments, One Compliance Deadline

A global bank operating its Asia-Pacific regional hub from Singapore was preparing for PCI DSS v4.0.1 compliance across three distinct card processing environments: a retail card issuing platform, a merchant acquiring system, and a corporate card management centre. Each environment had been built at different times, used different technology stacks, and had been managed by different teams — resulting in three separate cardholder data environments with no unified compliance view.

The bank's global compliance team had set a 16-week deadline for the Singapore hub to achieve PCI DSS compliance, aligning with the global bank's annual assessment cycle. The Singapore CISO faced a coordination challenge: each of the three environments needed separate scoping, gap analysis, and evidence collection, but the final compliance report needed to cover all three under a unified assessment.

MAS Technology Risk Management (TRM) guidelines added a regulatory layer. As a licensed financial institution in Singapore, the bank needed to demonstrate that its PCI DSS compliance programme aligned with MAS TRM expectations — particularly around vulnerability management, access control, and incident response. Any gaps between PCI DSS requirements and MAS TRM expectations needed to be addressed within the same engagement timeline.

The bank's previous compliance approach had relied on manual scoping across the three environments — a process that had taken 6 weeks in the prior year and produced inconsistent results between environments. The Singapore CISO needed a faster, more reliable scoping methodology that could handle the complexity of three distinct CDEs while producing evidence acceptable to both the QSA and MAS examiners.

  • Three distinct card processing environments under one compliance umbrella
  • 16-week global deadline aligned with annual assessment cycle
  • MAS TRM alignment required alongside PCI DSS compliance
  • Previous manual scoping took 6 weeks with inconsistent results
  • Different technology stacks and teams across environments
EIC's Approach

CardIntel Multi-Environment Discovery + Unified Assessment

EIC deployed CardIntel across all three environments simultaneously, producing a unified cardholder data flow map that reduced scoping time from 6 weeks to 10 days and identified 35% of previously assumed in-scope systems as out of scope.

Phase 01 · Weeks 1–2

CardIntel Discovery

CardIntel deployed across all 3 environments simultaneously. Unified data flow map produced. 35% scope reduction identified — tokenised systems and truncated PAN handlers confirmed out of scope.

Phase 02 · Weeks 2–4

Gap Analysis & Remediation

Gaps identified per environment. Retail issuing: 4 gaps. Merchant acquiring: 6 gaps. Corporate cards: 3 gaps. Prioritised remediation roadmap with environment-specific owners assigned.

Phase 03 · Weeks 4–12

Assessment & Evidence

All 12 PCI DSS requirement families assessed across 3 environments. Evidence collected via CardIntel with environment tagging. MAS TRM cross-reference documentation produced in parallel.

Phase 04 · Weeks 12–14

Compliance Report

Unified compliance report covering all 3 environments. Zero non-compliances. AOC issued. MAS TRM evidence package produced for regulatory examination readiness.

Scoping Detail

35% Scope Reduction Across Three Environments

CardIntel's automated discovery across the three environments completed in 10 days — compared to the 6-week manual scoping exercise from the prior year. The platform mapped cardholder data flows end-to-end within each environment and identified cross-environment data paths that the bank's teams had not previously documented.

The 35% scope reduction was distributed unevenly across environments. The merchant acquiring system contributed the largest reduction: 18 of its 52 originally scoped systems were processing only tokenised transaction references and never handled cardholder data. The retail issuing platform had 7 systems handling only truncated PANs for reporting purposes. The corporate card centre had 4 systems confirmed as out of scope.

The most valuable discovery was a set of cross-environment integration points that had been missed in previous manual scoping. Three API services shared data between the retail issuing and merchant acquiring environments — creating a scope connection that needed to be addressed in the compliance assessment. CardIntel identified these data flows automatically, preventing what would have been a significant finding during the formal assessment.

The MAS TRM alignment work ran in parallel with the PCI DSS assessment. EIC produced a cross-reference document mapping each PCI DSS requirement to its MAS TRM equivalent, identifying 8 areas where MAS TRM expectations exceeded PCI DSS minimum requirements. These additional controls — primarily in vulnerability management frequency and incident response notification timelines — were implemented during the remediation phase.

Results

Measurable Outcomes

Zero
Non-compliances at PCI DSS assessment across all 3 environments
35%
Scope reduction via CardIntel discovery (vs prior manual scoping)
14
Weeks from engagement to compliance report (vs 16-week deadline)
3
Card processing environments assessed under unified compliance
"
CardIntel found cross-environment data flows that three years of manual scoping had missed. The unified view across our three processing centres changed how we think about PCI DSS compliance — and we finished two weeks ahead of the global deadline.
Regional CISO, Global Bank, Singapore
Services & Technology in This Engagement

Multi-Environment PCI DSS Compliance?

Schedule a 30-minute scoping call and we'll assess your cardholder data environments and recommend a unified compliance pathway.