POL00396887 - Weekly Highlight report - PCI Compliance - HNG-X & BP Sales

POL00396887

Weekly Highlight Report

Essential Information

Programme: PCI Compliance - HNG-X & BP Sales
Programme number:
Sponsor: David Smith
Reporting period: 25/07/08 - 01/08/08
Owner: David X Gray
Programme Manager: Connie G. Penn
Key Team members:
Change Objective: Card Scheme Compliance for Card Acceptance

Tracking Summary

Measurable for HNGX | Rating | Comments (Reason for RAG rating)

Time
  This section is red because we are unable to meet the deadline for PCI compliance - December 2008.

Cost
  • Costs generally are managed by the HNGX programme.
  • In addition there is a cost to eliminating Track 2 from the daily submission file to appease Visa. Business case passed for £25,000. This work will not impact HNG-X timeframes.
  • Costs for eliminating Track 2 from the audit log to make it PCI compliant will be higher; we are currently trying to find a solution. Then we will measure cost.
  • Cost of File Integrity Monitoring has finally been agreed at £175,000.00, £37,000.00 over original estimate.

Quality
  Project documentation produced so far meets the requirements of the auditor.

Measurable for BP Sales | Comments

Time
  • The BT Buynet (PSP) integration for the RMG Portal now reporting directly into the IT Roadmap.
  • Progress - The PM has finally been appointed. Meeting scheduled 27/08.

Cost
  • Cost for the compliance for the RMG portal resides with RMG.
  • There is no cost to POL for compliance where the POL Third Party has its own direct relationship with an acquirer.

Quality
  Doug Warwick attempting to set up meeting with BOI compliance. Keith Woollard supporting the initiative. Reported red as so far they have not received a satisfactory response/engagement with BOI. However there was a major breach on an Irish e-commerce site reported in Irish papers 08/08/08. This may prompt more focus on the subject.

Progress Summary

What went well this week:

1. POL asked by the BRC to write up how they secure their PEDs at Point of Sale.
The POL process to be published as a “Best Practice”

2. Meeting with Matt Hibbard (Andrew Carter's replacement) in Chesterfield went
extremely well. He is keen to forge ahead with the Streamline relationship.

3. Meeting with Alan Green training in Rugby. He is in the last stages of
completing the training package for security and keen to start the training
package for Operations.

What did not go so well this week:

• Deborah Howarth did not turn up for the meeting in Chesterfield to conclude the
review of their mapping of PCI into the ISO standards, due to personal reasons.

• Despite having failed to deliver on a number of documents at the end of July, Fujitsu
proposed next meetings for the beginning of September, completely passing over
August. Pulled back dates to 22nd August.

• PCI project team meeting. There is just so much to do and everybody has so
little time. Do not feel we are making progress.

• No progress with the QSA, so the contract negotiations are still stalled.

Key Activities planned for next week:

• Meeting in London with M. Burley to review PCI project. He is concerned with
lack of progress on project.

• Conference call with legal and security re making the historical audit logs PCI
compliant while maintaining their integrity for prosecution purposes.

• Updating the Audit documentation. This is now the main focus of the project and
the detail over the 12 requirements will take a great deal of time and effort.

• Updating the status of Fujitsu's deliverables. Many documents and information
for the audit were due for delivery 230/07/08 and have not been delivered, so
they need to move into red and start to be chased for new delivery dates.
Update the delivery milestones.

Issues and Risks

• There is now an issue with Fujitsu's failure to deliver promised documents and
information. Need to work on a strategy to pull this back. Some action already
planned:

1. Direct communication with Fujitsu and meeting set for 22/08/08. Earliest
available date due to holidays in Fujitsu.

2. Despite Fujitsu's failure to make a PCI update meeting in July, the "Fujitsu
meeting record" document has been updated to reflect the current status of the
project on 10/08/08.

3. Separate meeting scheduled with J. Sweeting also for 22/08/08. This
meeting is between Dave King, J. Sweeting and John Halfacre. I have
given D. King a complete list of items OS, so Dave King has a complete
written record of the status of each item and our expectations from Fujitsu on
each individual item, particularly in relation to J. Sweeting's deliverables, and
have requested a detailed update in writing on actions and dates agreed at
the meeting.

4. Torstein Godeseth has also been given a list of the deliverables that have
been delayed and he is also aware from the PCI team meeting and the
records of the PCI team meeting of the items that have been delayed. He will
raise the subject directly with J. Sweeting's manager.

Deliverables (R/A/G status symbols reproduced as scanned)

Deliverable | Responsible | POL Owner | Dependencies/notes | Planned Date | Forecast/Actual Date | R/A/G
Incident Response Plan - POL Draft | Alan Simpson | AS | | 30/05/08 | 22/05/08 | /
Incident Response Plan - FS Draft | Pete Sewell | AS | Peter Sewell in FS, working on it. Progress update 28/07 | 30/05/08 | 30/07/08 | @
Network diagrams Draft | J. Sweeting | DMK | | 30/03/08 | 26/04/08 | /
Permeation Maps / Clear View Cardholder Environment, incl. all touch points and FIM locations Draft | J. Sweeting | DMK | | 30/06/08 | 26/04/08 | /
POL [CISP] Policies Draft | S. Lowther | CGP | On schedule. Reviewed on 21/07 within POL Information Security and PCI. Further review scheduled 17/08 | 30/07/08 | 30/08/08 | ®
FS [RMGA] Policies Draft | H. Prichard | CGP | | 01/05/08 | 30/06/08 | ®
Review RMG Policies | | | Awaiting next steps from PWC review | 30/07/08 | 30/08/08 | @
FS Security Architecture Document Draft | J. Sweeting | CGP | V1.4 of Security Architecture received and initial review done. Detail being incorporated into PCI audit document. Second review done & submitted. Response promised end of Aug | 30/06/08 | 30/08/08 | ®
Key Management Documentation Draft | Pete Sewell | CGP | J. Sweeting says not being done, as he has not received a formal request to do it. This is not PCI specific. It is part of the architecture and operational process of Horizon and HNGX. HP has asked P. Sewell of FS to get involved. HP will revert with new delivery date. | 01/05/08 | 30/08/08 | ®
FS to start internal audit for ISO 27001 prep for BSI Audit | H. Pritchard | CGP | Started internal audits 01/04/08. Due to conclude 30/08/08. BSI audit has been delayed, as internal audit delayed due to illness. But reviews now underway again. Networks, HR and Access being reviewed currently. | 07/07/08 | 15/10/08 | ®
BSI start Audit in FS | H. Pritchard | CGP | | 30/10/08 | 30/10/08 | @
BSI to issue ISO 27001 Certificate | H. Pritchard | CGP | | 27/10/08 | 27/10/08 | @
Operating Procedure around PCI Sign-Off | CG Penn | CGP | | 29/08/08 | 29/08/08 | @
Sign off the full Cryptographic key management process | T Godeseth | TG | | 30/10/08 | 30/10/08 | @
POL Change Control Documents | A. Banacheck | SL | | 30/09/08 | 30/09/08 | ®
FS Change Control Documents | H. Prichard | CGP | Output from FS ISO 27001 certification | 30/09/08 | 01/10/08 | @®
Removal of Track 2 from RBS Submission File | T Godeseth | CGP | Scheduled for Aug 08 | 30/08/08 | 30/08/08 | @
Removal of Track 2 from Audit Log | C.G. Penn | CGP | Can't occur until Belfast in live operation & pilot HNG-X | 30/04/09 | 30/04/08 | @
CCN 1202 Development Starts | HNGX | TG | External dependency for PCI | 04/08/08 | 04/08/08 | @
CCN 1202 Completion | HNGX | TG | External dependency for PCI | 06/03/09 | 06/03/09 | @
Data Centre testing commence | HNGX | TG | External dependency for PCI | 19/01/09 | 19/01/09 | @
Data Centre testing complete | HNGX | TG | External dependency for PCI | 06/03/09 | 06/03/09 | @
HNGX Pilot (model Office) | HNGX | TG | External dependency for PCI | 30/03/09 | 30/03/09 | @
HNGX Pilot (live Offices) | HNGX | TG | External dependency for PCI | 30/03/09 | 30/03/09 | ®
Network Diagrams Sign-off | D King | DMK | Completion cannot happen until Belfast completes testing | 30/01/09 | 30/01/09 | @
Permeation Map Signed Off | J Sweeting | DMK | Completion cannot happen until Belfast completes testing | 30/01/09 | 30/01/09 | @
Key Management Signed Off | CG Penn | CGP | | 30/01/09 | 30/01/09 | @
Bladeframe: IRM sign-off the controls Fujitsu propose to put in place separating live and test [Data Segregation on Bladeframe] | QSA | CGP | | 30/11/08 | 30/11/08 | @
PCI Security Incident Planning Sign-Off | S Lowther | | | 09/10/08 | 09/10/08 | @
Security Architecture Sign-Off | J Sweeting | | | 30/11/07 | 01/07/08 | @
Agree audit plan with FS and QSA | CG Penn | | | 27/06/08 | 27/06/08 |
Agree Audit date with Streamline | CG Penn | | | 30/10/08 | 30/10/08 | @®
Give formal notice of audit to Fujitsu | CG Penn | | Data Centre testing commence | 30/10/08 | 30/10/08 | @
Agree remediation on Portal and plan for implementation | T Simms | | PM not yet appointed. | 14/03/08 | 14/07/08 | ®
Get sign-off of all SAQ for RMG Portal | Central Audit | | New PSP and New UI on Portal | 29/10/08 | 29/10/08 | @
Agree remediation on EDG11 and get plan for implementation | CG Penn | | | 74/08/08 | 14/08/08 | @®
Get sign-off of future approach and procedures for dealing with 3rd parties | Central Audit | | | 29/10/08 | 29/10/08 | @®
Agree remediation for relevant 3rd parties and plan for implementation | Central Audit | | | 29/10/08 | 29/10/08 | @
Central Audit sign off PCI Compliance for Portal | Central Audit | CGP | | 29/10/08 | 29/10/08 | ®
Start Audit for HNGX | | | HNGX Pilot (live Offices) | 13/04/09 | 13/04/09 | @
RoC from Auditor for POL infrastructure | | | HNGX Pilot (live Offices) and completion of PCI Audit | 01/11/09 | 01/11/09 | @