GHL Systems Berhad Annual Report 2014 - page 41

40
GHL Systems Berhad
(293040-D)
5. Risk Management (Cont’d)
b. Risk Department
In readiness for the Transaction Payment Acquisition (“TPA”) business, the Group has established a Risk
Department that is tasked with monitoring the risks associated with the merchant acquiring business.
The Risk Department acts as the control point for monitoring merchant performance risk. It does
this by evaluating, monitoring, classifying and mitigating potential risks arising from merchants that
have been contracted for card payments. In performing this task, the Risk Department is responsible
for ensuring that the internally set policies and procedures with regard to merchant acquiring are
adhered to. As part of the monitoring process, the Risk Department is responsible for reviewing and verifying
cardholders’ transactions and merchant settlements that are deemed suspicious or high risk based on
predetermined risk rules, to ensure adherence to the Group’s internal credit risk policy.
c. Managing risks relating to integration process of GHL and e-pay
During 2014, the Group completed the acquisition of e-pay Asia Limited (“e-pay”), a leading player in
the provision of electronic top-up services mainly for mobile prepaid users. In view of the size and
nature of e-pay’s business, the Company engaged an external business consultant to facilitate the
integration between GHL and e-pay. The key deliverable arising from this was a strategic roadmap
blueprint that identified strategic business opportunities and the alignment of organisational structure
and staff benefits, with a defined path and timeline for the integration journey. In addition, internal audit
reviews and specific business process improvement exercises were carried out on key areas of e-pay’s
business.
6. Information Technology Controls and Security
a. Disaster Recovery Backup Plan
A disaster recovery (“DR”) backup plan has been established for the processing aspects of the business
in Malaysia in order to ensure continuity of business operations in the event that an IT-disabling disaster
strikes. The DR arrangement, which is outsourced to an external service provider, is tested from time to time and enhanced
whenever required. The technology division continues to enhance the DR capability, which covers all
key aspects of the business, including our overseas subsidiaries.
b. Payment Card Industry Data Security Standard (“PCI DSS”)
PCI DSS is an actionable framework established by the Payment Card Industry Security Standards Council
(“PCI SSC”) to ensure the safe handling of cardholder information at every step. PCI DSS covers systems,
policies and procedures around the following:
• Building and maintaining a secure network
• Data privacy and information security policy
• Maintaining a vulnerability management program
• Implementation of strong access control
The Company first obtained the Certificate of PCI DSS 2.0 Compliance in 2012 by meeting all the
requirements on the above-mentioned controls set out by PCI SSC for the payment software industry. In 2014,
the Company was reassessed by a PCI SSC Qualified Security Assessor as part of the annual certification
exercise and continues to be PCI DSS 2.0 compliant. The Company acknowledges that maintaining
high security standards is indispensable to its business and will continue to implement the best practices
embedded within the security standard.
STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL