Vietnamese Bank Achieves PCI DSS Compliance in 12 Weeks
A SBV-regulated commercial bank achieved first-time PCI DSS compliance ahead of a card network deadline — CardIntel accelerated scoping by 40% and the assessment completed with zero critical gaps remaining.
Card Network Deadline, First-Time PCI DSS, No Prior Assessment
A SBV-regulated Vietnamese commercial bank had received a compliance directive from its card network acquiring partner requiring PCI DSS compliance within 16 weeks. The bank had never undergone a PCI DSS assessment and had no existing compliance documentation against the PCI DSS framework.
The bank's card processing operations had grown significantly over the preceding three years. What had started as a domestic debit card programme had expanded to include Visa and Mastercard credit card issuing, an e-commerce payment gateway for Vietnamese merchants, and a growing ATM acquiring network. Each expansion had added systems to the cardholder data environment without a corresponding update to the bank's security compliance posture.
The card network deadline was not negotiable. Failure to demonstrate PCI DSS compliance by the deadline would result in escalating non-compliance fees and, ultimately, suspension of the bank's card issuing licence — a commercial outcome that would affect the bank's retail banking strategy and an estimated 180,000 cardholders.
The bank's IT security team was experienced in SBV regulatory requirements and core banking security, but had no PCI DSS-specific expertise. The gap between the bank's general security posture and PCI DSS-specific requirements needed to be identified quickly and remediated within the available timeline.
- 16-week card network deadline — first-time PCI DSS assessment
- No existing PCI DSS compliance documentation or prior assessment
- Card processing expanded across issuing, acquiring, and e-commerce gateway
- 180,000 cardholders dependent on maintained card issuing licence
- IT security team experienced in SBV requirements but not PCI DSS-specific
CardIntel-Accelerated Scoping + Parallel Remediation
EIC deployed CardIntel for rapid CDE discovery followed by a parallel-track assessment and remediation approach designed to compress the typical 20+ week first-time PCI DSS timeline into 12 weeks.
CardIntel Discovery
CardIntel mapped all cardholder data flows across issuing, acquiring, and e-commerce gateway systems. CDE boundaries defined. Scope 40% smaller than the bank's initial manual estimate.
Gap Analysis
9 compliance gaps identified across Requirements 2 (hardening), 3 (stored data), 6 (patching), 8 (access), 10 (logging), and 11 (testing). Prioritised remediation roadmap produced.
Assessment + Remediation
All 12 PCI DSS requirement families assessed. Remediation ran in parallel — critical gaps addressed first. ASV scanning programme established. Penetration test completed.
Compliance & AOC
All 9 gaps confirmed remediated. Final evidence review. Compliance report issued with AOC. Delivered 4 weeks ahead of card network deadline.
Nine Gaps Closed While Assessment Continued
The parallel-track approach was essential to meeting the 12-week timeline. Rather than completing all remediation before starting the formal assessment, EIC assessed requirements in priority order — beginning with areas where the bank was already compliant while remediation work continued on the identified gaps. This approach required careful coordination between the assessment team and the bank's IT teams, but it compressed the timeline by approximately 4 weeks compared to a sequential approach.
The most significant remediation was stored cardholder data protection (Requirement 3). The bank's e-commerce gateway database contained full PANs that were encrypted in transit but stored with an encryption approach that did not meet PCI DSS key management requirements. EIC's advisory team worked with the bank's database administrators to implement compliant encryption with proper key rotation — a change that required careful migration planning to avoid disrupting live transaction processing.
System hardening (Requirement 2) required configuration changes across 23 servers in the CDE. The bank's servers were running with default configurations that had not been hardened to CIS benchmarks or equivalent standards. EIC provided hardening templates specific to the bank's operating systems and applications, and the bank's system administrators implemented the changes during scheduled maintenance windows over a 3-week period.
The logging and monitoring improvements (Requirement 10) established the bank's first centralised log management capability for the CDE. Previously, logs were retained on individual servers with no centralised collection or alerting. The bank deployed a SIEM solution during the engagement, with EIC configuring the initial rule set and alert thresholds specific to PCI DSS monitoring requirements.
Measurable Outcomes
We had 16 weeks and a card processing operation that had never been assessed. EIC's parallel approach — assessing what was ready while fixing what wasn't — is the only reason we finished in 12 weeks instead of the 20+ we were told to expect.