How nCrypt delivered an integrated mobile, API and infrastructure pentest covering both Bank Negara Malaysia's RMiT and PCI DSS v4.0 scope under a non-negotiable licence-renewal deadline. Client identifying details have been anonymised under the engagement non-disclosure agreement.
The client is a Bank Negara Malaysia–licensed e-money issuer operating a consumer wallet, a peer-to-peer transfer rail and a merchant-acquiring product across Peninsular Malaysia and East Malaysia. Daily transaction volume sits in the seven figures, with a long tail of small-ticket QR payments and a smaller volume of high-value cross-border remittances.
Engineering is organised across roughly thirty backend microservices written in Go and Java, fronted by REST and gRPC gateways, with native iOS and Android client applications maintained by an in-house squad of around fifteen mobile engineers. The wallet stores a primary account number on file for card-funded top-ups, placing the gateway, vault and reconciliation services squarely inside PCI DSS scope.
The engagement was triggered by an upcoming annual licence renewal from Bank Negara, with the additional pressure of a pending PCI DSS v4.0 attestation due to the acquiring bank within the same calendar quarter. A single integrated assessment was required to satisfy both regulators without consuming two separate field windows.
The client had been issued a conditional licence-renewal notice with a thirty-day window to submit independent testing evidence covering both RMiT 10.49 to 10.66 and the relevant PCI DSS v4.0 testing requirements. A previous internal assessment had been rejected by the regulator's technology supervision team on grounds of insufficient depth and missing evidence of mobile-specific controls.
The board had a clear instruction: any further finding on resubmission would trigger a material business impact, including potential restrictions on new merchant onboarding and on cross-border remittance volume. The engagement therefore had two non-negotiables — full RMiT and PCI DSS coverage with mobile depth, and a remediation plan that the in-house team could realistically deliver inside the same window.
A second constraint came from the operations team. The wallet processes a peak transaction rate during evening peer-to-peer transfer hours that could not be disrupted. Any production-touching activity had to be read-only, narrowly time-boxed and pre-cleared by the on-call lead.
Finally, the assessment had to produce two distinct evidence packages — one for Bank Negara's technology supervision team mapped explicitly to RMiT control objectives, and one for the acquiring bank's qualified security assessor mapped to PCI DSS v4.0 testing requirement 11.4. Re-using a single field exercise to produce both was a commercial requirement, not a stretch goal.
nCrypt staffed a five-consultant team led by a CREST-certified Registered Tester with prior experience as the technology lead for a Malaysian licensed payment institution. The engagement was structured as four parallel workstreams running over a fixed three-week field window, with a final week reserved for retesting and evidence finalisation.
The mobile workstream covered both iOS and Android binaries against OWASP MASVS, including static reverse engineering of the production builds, dynamic instrumentation on rooted devices and a focused review of the in-app SDK responsible for payment authorisation. The API workstream covered all internet-facing endpoints against OWASP ASVS Level 2, with particular attention to authorisation logic, rate limiting and idempotency on transfer and refund flows.
The infrastructure workstream covered the AWS production accounts using a combination of authenticated configuration review, IAM privilege-graph analysis and segmentation testing from the cardholder data environment outwards. The compliance workstream ran in parallel, mapping every finding into both RMiT control objectives and PCI DSS v4.0 testing requirements as it landed, so that the evidence pack was being assembled live rather than after field work closed.
Daily fifteen-minute standups with the client's engineering leadership ensured that critical and high findings were triaged into the development backlog within twenty-four hours of identification. This compressed the traditional report-then-remediate cycle into a continuous flow that turned out to be the single biggest factor in hitting the thirty-day window.
A combination of weak server-side authorisation checks and predictable transaction identifiers allowed an authenticated user to read and partially mutate other customers' wallet transactions through a single payment-history endpoint.
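An added illustration of the authorisation pattern behind this finding, written for this page and not taken from the client's codebase: the unscoped lookup that trusts a client-supplied sequential ID sits beside the hardened form that binds the query to the authenticated account, with an opaque identifier generator in place of the predictable counter. The record shape, account names and sample rows are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction is a constructed wallet record; the field set is assumed, not the client's schema.
type Transaction struct {
	ID, OwnerID string
	Amount      int64 // minor units
}
var ErrNotFound = errors.New("transaction not found")
// store stands in for the payment-history table, with constructed sample rows.
var store = map[string]*Transaction{
	"txn-1001": {ID: "txn-1001", OwnerID: "acct-A", Amount: 2500},
	"txn-1002": {ID: "txn-1002", OwnerID: "acct-B", Amount: 900000},
}

// LookupUnscoped mirrors the finding: the handler trusts the client-supplied sequential ID
// and never checks ownership, so any authenticated caller can reach another customer's record.
func LookupUnscoped(txnID string) (*Transaction, error) {
	if t, ok := store[txnID]; ok {
		return t, nil
	}
	return nil, ErrNotFound
}

// LookupScoped is the hardened form: the lookup is bound to the caller's authenticated account,
// and a cross-account hit returns the same error as a missing ID so existence is not confirmed.
func LookupScoped(callerAcct, txnID string) (*Transaction, error) {
	if t, ok := store[txnID]; ok && t.OwnerID == callerAcct {
		return t, nil
	}
	return nil, ErrNotFound
}

// NewTxnID replaces the predictable counter with 128 random bits, closing the enumeration half.
func NewTxnID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return "txn-" + hex.EncodeToString(b), nil
}

func main() {
	fmt.Println(LookupScoped("acct-A", "txn-1002")) // acct-A probing acct-B's record
}
```

In a real service the scoping belongs in the database query itself (a WHERE clause on the owner column) rather than a post-fetch comparison, so that the unscoped row is never loaded.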
Both iOS and Android builds shipped without root/jailbreak detection or certificate pinning. A modified APK could be repackaged and signed, then used to capture cleartext OAuth refresh tokens on any rooted device on the same network.
Refresh tokens were valid for 30 days with no device binding. Combined with the pinning gap above, a stolen token granted persistent access until a manual revoke.
Two of nine production microservices forwarded logs to local disk only. Required RMiT control objectives around centralised audit logging and tamper-evident retention were not met.
Lack of per-account upload throttling allowed automated submission of forged identity documents at a rate sufficient to abuse the manual-review queue.
Every critical and high finding was remediated and retested inside the thirty-day window. The two regulator-facing evidence packages were submitted on day twenty-eight, with both Bank Negara's technology supervision team and the acquiring bank's qualified security assessor accepting the submission without follow-up clarification requests — a material improvement on the previous internal-testing cycle that had triggered the conditional renewal notice in the first place.
Beyond the regulator outcome, the engagement produced lasting capability uplift. The mobile team adopted certificate pinning and binary-tampering detection as default controls in their CI pipeline; the platform team rewrote the centralised logging forwarder as a sidecar to close the RMiT 10.49 gap permanently; and the security engineering team adopted the IAM privilege-graph tooling that nCrypt used during field work as part of their quarterly review cycle.
Twelve months on, the client has retained nCrypt for a continuous-assurance retainer covering quarterly mobile retests, monthly external attack-surface monitoring and an annual red-team exercise mapped to the same RMiT and PCI DSS scope.
Share your scope. We'll respond within 24 hours.
Get an integrated RMiT and PCI DSS pentest scope, scoped against your real production estate, with a fixed timeline and a fixed price.