BSI TR-03174: The course is now being set for secure financial apps

Mobile financial applications have long been part of everyday life. Whether banking, payments, custody accounts or proof of identity – apps have long since changed many traditional processes. However, with the growing number of sensitive transactions on mobile devices, the demand for their security is also increasing. Until now, there was no uniform standard for this. This is now changing with the Technical Guideline TR-03174 from the German Federal Office for Information Security (BSI).

A new security framework for the financial sector

TR-03174 defines for the first time which security requirements should apply to applications in the financial sector, with a particular focus on mobile apps and their backend systems. The aim is to create a transparent and reproducible testing framework that helps developers and operators to demonstrate state-of-the-art security.

Among other things, the guideline deals with:

  • secure communication and cryptography,
  • protection against manipulation and reverse engineering,
  • storage of sensitive data on end devices,
  • integrity of app and server components,
  • data protection, logging and vulnerability management.

In short, it creates a common language for security and thus a basis that should create trust. Not only with users, but also with banks, payment service providers and supervisory authorities.

Still voluntary – but not without consequences for much longer

At the moment, the implementation of TR-03174 is still voluntary. But experience shows that it rarely stays that way. As soon as a BSI guideline is published, it quickly becomes the de facto standard – simply because the big players follow it. Anyone who only then takes a look and slowly begins to align their app with it will have a hard time: subsequent adjustments to architecture, security mechanisms or logging structures are complex and expensive. That’s why we provide support right from the start.

It is better to start now. If you document security mechanisms early on, establish reproducible tests and create traceable processes, you will be prepared from the outset, save time and money later on and gain the trust of your partners long before it becomes mandatory.

Lessons learned from TR-03161

The healthcare sector has shown just how dynamic such developments can be. TR-03161 has created a framework that ensures security and interoperability in the telematics infrastructure. What was initially a recommendation is now a prerequisite. And this is also foreseeable with TR-03174.

SRC has been supporting this process for years as a testing body in the TR-03161 environment: those who take standards seriously at an early stage have an easier time later on – organizationally, technically and economically. TR-03174 follows the same logic, only this time for the financial sector.

Security becomes a prerequisite for entry

The more digital infrastructures are regulated, the clearer it becomes that security is no longer a bonus, but a basic requirement. In the long term, no provider will be able to avoid proving that their app complies with TR-03174 – whether as part of an audit, an approval or a market launch.

For banks, FinTechs and service providers, this means that security must be considered from the very beginning, right from the initial idea. If you do this now, you can gradually incorporate the requirements into agile development processes – instead of frantically following suit at a later date or completely redesigning the system. The guideline therefore not only brings new obligations, but also opportunities: it creates clarity, comparability and trust.

SRC accompanies the development

As a testing body for technical guidelines such as TR-03161 and a long-standing partner in BSI approval processes, SRC has been following the development of TR-03174 from the very beginning. The recognition process as a testing body is ongoing – not yet completed, but in the final phase. At the same time, our experts are already analysing the technical and organizational requirements that manufacturers and operators will have to meet.

Our aim is clear: to provide companies with guidance at an early stage so that they are prepared when TR-03174 becomes mandatory. Because at the end of the day, those who plan for security early on will have a decisive head start later on.

Because when security becomes a prerequisite, preparation determines market access – and trust.

Press contact:
Patrick Schulze
WORDFINDER GmbH & CO. KG Lornsenstraße 128–130 22869 Schenefeld