Secured integration to the future

SWIFT payment system. What requirements do I need to fulfill?

01.05.2023
To ensure reliable cyber security of payments, the SWIFT system imposes requirements that every participating bank must meet. Let's pay a little attention to this topic and discuss these requirements!
SWIFT is the Society for Worldwide Interbank Financial Telecommunication.
SWIFT is an international interbank system for transferring financial messages, including payment instructions, founded in 1973 in Brussels. It is not a payment system in the strict sense: it does not perform settlement or clearing between participants. The SWIFT system is a monopoly.
The co-founders are 248 banks from 19 countries. SWIFT is headquartered in La Hulpe, Belgium. SWIFT is a cooperative society established under Belgian law and is owned by its members.
Every year, more than 10 billion payment orders are processed through the SWIFT system, and this volume grows yearly. Naturally, the entire SWIFT system must be reliably protected from hacker attacks and other cyber threats.

For a long time, the management of the SWIFT payment system paid little attention to protection against cyber threats. The situation changed radically in 2016, when unknown hackers stole USD 81 million from the Central Bank of Bangladesh through a vulnerability in SWIFT software.

After the event, SWIFT announced that interbank payments and software security would be the company's top priority for the next few years.

SWIFT released a set of requirements for all banks and service providers in April 2017. These requirements are called the SWIFT Customer Security Controls Framework (CSCF).

Documents describing the procedure by which banks confirm their compliance with these requirements were also issued in 2017. A software system was developed and deployed that allows all SWIFT users to upload their audit reports.

The SWIFT CSCF requirements are specific to SWIFT and were developed on the basis of experience with international standards such as PCI DSS and ISO 27001.

A table comparing the PCI DSS, NIST, ISO 27001, and SWIFT requirements can be found in the appendix to the SWIFT CSCF document.

In total, SWIFT (in CSCF v2023) has published 32 requirements (24 mandatory and 8 recommended), grouped into three objectives and eight principles.

Objective One: IT infrastructure security.
This objective includes 4 principles:
1) Restrict access to the Internet.
2) Separate critical systems from the bank's general IT infrastructure.
3) Limit opportunities for hacker attacks and eliminate vulnerabilities.
4) Restrict physical access to IT systems.

Objective Two: Control everyone who has access to the system.
This objective includes the following 2 principles:
1) Prevent compromise of credentials.
2) Manage credentials and differentiate access levels.

Objective Three: Detect attacks and respond to incidents.
This objective also includes 2 principles:
1) Detect anomalous activity in IT systems and transaction records.
2) Plan incident response and share information about incidents with the SWIFT user community.
The most significant of all the SWIFT CSCF requirements can be grouped into the following items:
● Implement firewalls to separate SWIFT components from other banking systems;
● Limit the privileges of system administrators and ordinary users as much as possible;
● Ensure that all actions are carried out only within the limits of defined official authority;
● Strictly record all significant changes to the IT infrastructure;
● Encrypt critical data when it is transmitted over the network;
● Configure all IT systems securely, in accordance with the recommendations of their manufacturers;
● Implement strict password requirements and use multi-factor authentication for access to critical systems;
● Monitor the integrity of databases and applications;
● Protect against viruses and ransomware;
● Develop incident response procedures, and detect incidents and abnormal activity in IT systems;
● Protect networks and systems, including physically;
● Perform regular vulnerability scans and penetration tests;
● Train staff and increase their readiness to deal with cyber attacks.
Each bank is unique in its structure and organization, so meeting any of these requirements can take time.
IT Specialist has for many years been successfully building information security systems in banks in accordance with the requirements of international standards and financial regulators.

We will help your bank meet all the requirements of the SWIFT system quickly and reliably. We invite a representative of your bank for a free consultation.