Application areas of digital identities:
Digitally representing — and protecting — physical identities
With the current development of the European Regulation on Electronic Identification and Trust Services (eIDAS), a recognised and secure digital identity can come about throughout Europe. Digital identities have been commonplace for a long time — from email accounts to social media to digital official transactions: The use of digital services requires proof of identity. The necessary identification and authentication is linked to different levels of protection, depending on the service used. Companies that want to offer services for which digital identities are necessary — for employees, partners and customers — must know the requirements.
A digital identity is the digital representation of a physical identity. The latter can be a person, but also an institution, a machine or a server. In the health sector, practices, hospitals or pharmacies, for example, can receive a digital identity. In this context, it represents a collection of attributes in electronic form that characterise a natural or legal person — this can be name, address and date of birth, but also user name or email address. A digital ID must be unique, otherwise it cannot be assigned; the process of initial identification is transferred to the digital — for initial identification it requires registration; recognition is achieved through authentication. From a social perspective, there are three forms of identities: real, self-constructed and anonymous, with the latter playing a sometimes controversial role on social media, for example.
Possible uses of digital identities
Digital identities are necessary as a basis or digital representation for digital services and processes. They are used wherever digital services are offered and are personalised, which requires the collection, storage and processing of data. Digital services have various forms — from social media user accounts, to online accounts in e‑commerce, to online banking or digital official procedures via eGovernment offerings. As with the identity card, the scope of application of a digital identity can go beyond mere identification and, for example, an age check can be possible.
Increasing digitalisation is opening up further possible uses of a digital identity: The European eIDAS (Regulation on Electronic Identification and Trust Services) creates uniform framework conditions for the use of electronic means of identification and trust services across borders here. In 2020, the revision of the eIDAS Directive was launched, and it is currently not yet complete. The goal is to offer a secure EU identity wallet throughout Europe. The eID is thus the virtual equivalent of an identity card. It is supposed to enable identification and authentication, verification of validity by third parties as well as secure storage and representation of identities. In addition, it should make it possible to generate qualified electronic signatures. This digital counterpart to the signature allows legally valid contracts to be concluded on a digital level.
The eIDAS also stipulates that EU member states must make the digital identity available to citizens; the envisaged acceptance obligation may also contribute to the elimination of other digital identities. Shopping abroad or picking up a rental car could thus be simplified, as the digital identity makes processes more efficient. This is because digital services are associated with a reduction in costs compared to analogue processes; the user benefits greatly from simpler and more convenient handling, for example, when administrative procedures can be completed from home.
Unlike digital identities via Google or Facebook, the authorities can ensure that data protection is complied with in accordance with the Data Protection Regulation (DSGVO). In the health sector, digital identities on the smartphone are to replace the electronic health card in the future — but this cannot yet be realised.
Security and protection of the user
One possible attack scenario that particularly affects digital identities is theft in the form of impersonation or identity theft. The potential for damage ranges from hate comments on social media to access to and misuse of personal data, such as banking transactions or confidential health data. While the analogue identity card limits misuse by thieves because of the photo on it, the case is different online. The digital identity must therefore be specially protected. Protective measures can be, for example, secure passwords or a two-factor authentication, as it already takes place in online banking, for example, with a password on the one hand and additional TAN generation on an external device on the other. The hardware token in smart cards represents the highest level of security as a certified version.
Standardised trust levels
The level of security depends on the purpose of the digital identity and is regulated in the Implementing Regulation (EU) 2015/1502. For example, in online banking or in the health sector, there are particularly sensitive, personal data that require a high level of protection. The regulation defines three standardised trust levels: low, substantial and high. A low level of protection corresponds to a one-factor authentication, as is common in social networks or forums. Substantial protection is provided by the aforementioned two-factor authentication. However, a high level of protection, for example when health data is involved, must be even more strongly secured, for example with a passport including a photo and biometric features. For example, identification can take place via video-identification or post-identification procedures.
However, the higher the security level, the more complicated its technical implementation. High-priced smartphones, for example, come with certified security components — while lower-priced devices are equipped with inferior biometric sensors that can be easily manipulated or bypassed. They therefore do not have protected memory areas. Smart cards in health cards, on the other hand, can use and store cryptographic key material with their chip processors. In this way, the infrastructures behind them ensure authenticity.
The future potential of digital identities
Digitisation is on the rise, all its services require a digital identity and these are already widespread: On average, every citizen has 90 digital identities. The digital and analogue worlds can merge, for example when access controls in companies are digitalised and require proof of a digital identity, or when the health card is read in as an ID in doctors’ surgeries. Here, media disruptions are perceived as an obstacle, for example when paper documents are to be submitted as scans to health insurance companies. Digital identities and the assignment they allow make the digitisation of such processes possible in the first place. In the area of eHealth, doctors can digitally sign and send invoices and prescriptions, for example.
Companies, in turn, can use digital identities widely for customers and employees, end customers or partners. This means, for example, that holiday applications can be made via a portal. Not to be neglected are also conceivable application possibilities for customer loyalty: After all, digital services that customers use can be used to gain information about their behaviour, which can be used to better tailor and optimise one’s own offer. However, companies must be aware of the different levels of security. User-friendliness is important, but so is digital protection against identity and data theft. If this is not guaranteed, serious consequences can be the result. A consulting firm like SRC GmbH can help here to shed light on solutions — both paid and open source — to check certifications and to ensure conformity and thus legal certainty.
Conclusion
Nothing works on the internet without digital identities — digital services require initial identification of the user and authentication for further use, for example, via passwords with additional TAN generation within the framework of multifactor procedures. The security requirements depend on the type of service and the data used, which is ensured via three levels. Companies that want to use digital services must therefore know the requirements in order to use the application potential for customers, partners or suppliers.
___________________________________________________
Author: Nico Martens, Consultant SRC Security Research & Consulting GmbH
Further information: https://src-gmbh.de/
Press contact:
Patrick Schulze
WORDFINDER GmbH & CO. KG
Lornsenstrasse 128–130
22869 Schenefeld
Phone +49 (0) 40 840 55 92–18
ps@wordfinderpr.com
www.wordfinderpr.com
SRC and DAkkS accreditation according to ISO/IEC EN 17025: An important step towards EUCC31. January 2024 - 12:23
SRC joins the German IT Security Association (TeleTrusT)4. January 2024 - 11:22
Our December blog post on PCI DSS v4.0: Targeted Risk Analysis4. December 2023 - 8:36
Certificate Course “Information Security Officer for Credit Institutions” — November 16 to 19, 2021
The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, availability, authenticity and confidentiality of data in their IT systems and processes. But secure and efficient IT is also absolutely essential for the economic success of a credit institution.
The new “Banking Supervisory Requirements for IT” (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority calls for the newly established function of “information security officer” in its directive. This officer controls the information security process and reports directly to the management.
In cooperation with the publishing house Bank-Verlag, SRC has successfully completed multiple certificate courses to become an “Information Security Officer (ISB) for credit institutions” since 2016. After the great response and the continuing demand, we are pleased that the Bank-Verlag has made another date for this four-day certificate course possible.
From 16th to 19th November 2021, you will again have the opportunity to train as an “Information Security Officer (ISB) for Credit Institutions”
on the premises of Bank-Verlag GmbH in Cologne.In a team with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Germany), the SRC experts Dagmar Schoppe, Florian Schumann and Dr. Deniz Ulucay will give a lecture and provide you with comprehensive information on the norms and standards according to ISO and IT-Grundschutz, as well as on all legal/regulatory requirements relevant for you as an ISB. In addition, the topics of IT risks and emergency precautions as well as business continuity management will be addressed.
After passing the final examination, you will receive the certificate “Information Security Officer for Credit Institutions”.
Optionally, you have the opportunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar on 15 November 2021
in Cologneprior to the event. This seminar deals with the basics, terms, encryption and IT security techniques in information technology.Information Security Management Systeme (ISMS) – myths, misconceptions and misconceptions
There are several myths, misconceptions and misconceptions surrounding Information Security Management Systems (ISMS) that can lead to incorrect assumptions or inadequate implementations.
In our latest blog article, we would like to briefly introduce some of them:
Myth #1: ISMS is only for large enterprises
It’s a common misconception that an ISMS is only for large enterprises. In fact, organizations of all sizes can benefit from an ISMS as it helps to become aware of threats, mitigate risks and meet compliance requirements. Regardless of the size of the organization, an effective ISMS helps address information security in all aspects of business operations, which ultimately helps strengthen overall business success and promote trust.
Myth #2: ISMS is just a technical matter
There is often a misconception that an ISMS is all about technical measures. However, the primary focus is on information and processes. Through these, both the technical and other organizational aspects, such as policies, procedures, training and awareness programs, then come into consideration. In other words, an effective ISMS requires a holistic approach that involves people, processes and technology to ensure and improve the security of information in the organization.
Myth #3: An ISMS is a one-time task
An ISMS is not merely a one-time task. While it is sometimes assumed that an ISMS can be implemented once and then operated on the side, it is actually a continuous process that requires constant monitoring, review and improvement to keep pace with changing threats and business needs. This process fosters an enduring culture of information security in the organization that is focused on proactive risk mitigation and constant adaptation to new security challenges.
Myth #4: Conformance guarantees security
Conformance to standards such as ISO 27001 does not automatically mean that an organization is fully protected. An ISMS should be viewed as a continuous improvement process that goes beyond mere compliance. It’s about creating awareness of information security throughout the organization, improving the ability to respond to changing threats, and ultimately establishing a sustainable security culture.
Myth #5: ISMS is for marketing purposes only
While sales and marketing departments certainly won’t disagree, an effective ISMS primarily helps organizations mitigate risk, meet compliance requirements, and build trust with customers and partners. Overall, such a system promotes a security-conscious culture and improves business practices.
Would you have known?
By clearing up these myths, misconceptions and misconceptions, organizations can gain a better understanding of how to effectively implement and use an ISMS to protect their information and drive business success.
We at SRC Security Research & Consulting GmbH can actively support you in the process from consulting to certification, feel free to contact us.
Contact us:
Christoph Sesterhenn
E‑Mail
Application areas of Digital Identities: Digitally representing — and protecting — physical identities
Application areas of digital identities:
Digitally representing — and protecting — physical identities
With the current development of the European Regulation on Electronic Identification and Trust Services (eIDAS), a recognised and secure digital identity can come about throughout Europe. Digital identities have been commonplace for a long time — from email accounts to social media to digital official transactions: The use of digital services requires proof of identity. The necessary identification and authentication is linked to different levels of protection, depending on the service used. Companies that want to offer services for which digital identities are necessary — for employees, partners and customers — must know the requirements.
A digital identity is the digital representation of a physical identity. The latter can be a person, but also an institution, a machine or a server. In the health sector, practices, hospitals or pharmacies, for example, can receive a digital identity. In this context, it represents a collection of attributes in electronic form that characterise a natural or legal person — this can be name, address and date of birth, but also user name or email address. A digital ID must be unique, otherwise it cannot be assigned; the process of initial identification is transferred to the digital — for initial identification it requires registration; recognition is achieved through authentication. From a social perspective, there are three forms of identities: real, self-constructed and anonymous, with the latter playing a sometimes controversial role on social media, for example.
Possible uses of digital identities
Digital identities are necessary as a basis or digital representation for digital services and processes. They are used wherever digital services are offered and are personalised, which requires the collection, storage and processing of data. Digital services have various forms — from social media user accounts, to online accounts in e‑commerce, to online banking or digital official procedures via eGovernment offerings. As with the identity card, the scope of application of a digital identity can go beyond mere identification and, for example, an age check can be possible.
Increasing digitalisation is opening up further possible uses of a digital identity: The European eIDAS (Regulation on Electronic Identification and Trust Services) creates uniform framework conditions for the use of electronic means of identification and trust services across borders here. In 2020, the revision of the eIDAS Directive was launched, and it is currently not yet complete. The goal is to offer a secure EU identity wallet throughout Europe. The eID is thus the virtual equivalent of an identity card. It is supposed to enable identification and authentication, verification of validity by third parties as well as secure storage and representation of identities. In addition, it should make it possible to generate qualified electronic signatures. This digital counterpart to the signature allows legally valid contracts to be concluded on a digital level.
The eIDAS also stipulates that EU member states must make the digital identity available to citizens; the envisaged acceptance obligation may also contribute to the elimination of other digital identities. Shopping abroad or picking up a rental car could thus be simplified, as the digital identity makes processes more efficient. This is because digital services are associated with a reduction in costs compared to analogue processes; the user benefits greatly from simpler and more convenient handling, for example, when administrative procedures can be completed from home.
Unlike digital identities via Google or Facebook, the authorities can ensure that data protection is complied with in accordance with the Data Protection Regulation (DSGVO). In the health sector, digital identities on the smartphone are to replace the electronic health card in the future — but this cannot yet be realised.
Security and protection of the user
One possible attack scenario that particularly affects digital identities is theft in the form of impersonation or identity theft. The potential for damage ranges from hate comments on social media to access to and misuse of personal data, such as banking transactions or confidential health data. While the analogue identity card limits misuse by thieves because of the photo on it, the case is different online. The digital identity must therefore be specially protected. Protective measures can be, for example, secure passwords or a two-factor authentication, as it already takes place in online banking, for example, with a password on the one hand and additional TAN generation on an external device on the other. The hardware token in smart cards represents the highest level of security as a certified version.
Standardised trust levels
The level of security depends on the purpose of the digital identity and is regulated in the Implementing Regulation (EU) 2015/1502. For example, in online banking or in the health sector, there are particularly sensitive, personal data that require a high level of protection. The regulation defines three standardised trust levels: low, substantial and high. A low level of protection corresponds to a one-factor authentication, as is common in social networks or forums. Substantial protection is provided by the aforementioned two-factor authentication. However, a high level of protection, for example when health data is involved, must be even more strongly secured, for example with a passport including a photo and biometric features. For example, identification can take place via video-identification or post-identification procedures.
However, the higher the security level, the more complicated its technical implementation. High-priced smartphones, for example, come with certified security components — while lower-priced devices are equipped with inferior biometric sensors that can be easily manipulated or bypassed. They therefore do not have protected memory areas. Smart cards in health cards, on the other hand, can use and store cryptographic key material with their chip processors. In this way, the infrastructures behind them ensure authenticity.
The future potential of digital identities
Digitisation is on the rise, all its services require a digital identity and these are already widespread: On average, every citizen has 90 digital identities. The digital and analogue worlds can merge, for example when access controls in companies are digitalised and require proof of a digital identity, or when the health card is read in as an ID in doctors’ surgeries. Here, media disruptions are perceived as an obstacle, for example when paper documents are to be submitted as scans to health insurance companies. Digital identities and the assignment they allow make the digitisation of such processes possible in the first place. In the area of eHealth, doctors can digitally sign and send invoices and prescriptions, for example.
Companies, in turn, can use digital identities widely for customers and employees, end customers or partners. This means, for example, that holiday applications can be made via a portal. Not to be neglected are also conceivable application possibilities for customer loyalty: After all, digital services that customers use can be used to gain information about their behaviour, which can be used to better tailor and optimise one’s own offer. However, companies must be aware of the different levels of security. User-friendliness is important, but so is digital protection against identity and data theft. If this is not guaranteed, serious consequences can be the result. A consulting firm like SRC GmbH can help here to shed light on solutions — both paid and open source — to check certifications and to ensure conformity and thus legal certainty.
Conclusion
Nothing works on the internet without digital identities — digital services require initial identification of the user and authentication for further use, for example, via passwords with additional TAN generation within the framework of multifactor procedures. The security requirements depend on the type of service and the data used, which is ensured via three levels. Companies that want to use digital services must therefore know the requirements in order to use the application potential for customers, partners or suppliers.
___________________________________________________
Author: Nico Martens, Consultant SRC Security Research & Consulting GmbH
Further information: https://src-gmbh.de/
Press contact:
Patrick Schulze
WORDFINDER GmbH & CO. KG
Lornsenstrasse 128–130
22869 Schenefeld
Phone +49 (0) 40 840 55 92–18
ps@wordfinderpr.com
www.wordfinderpr.com
SRC goes GEAR (Global Executive Assessor Roundtable)!
PCI SSC and SRC
The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that develops and promotes the use of information security standards for secure payments. It is responsible for 15 globally recognized and widely used standards for securing electronic payment processes — from payment card production and issuance to payment at the point of interest or in web & app, to the processing of payments in the background.
SRC has been assessing the use of those information security standards since PCI SSC was founded by means of corresponding assessments and product evaluations. The PCI SSC attaches great importance to the exchange between different stakeholders and uses various committees and activities for this purpose. SRC has so far participated in Special Interest Groups and Task Forces as well as in Community Meetings and Request for Comment phases.
Global Executive Assessor Roundtable
The PCI SSC has been giving experienced assessor companies the opportunity to advise its senior management since 2018 through the Global Executive Assessor Roundtable (GEAR). We are excited that our company has been selected this year to be part of the interfaces between leadership of the PCI SSC itself and leadership of the assessment companies by this responsible membership. This will enable us to contribute our years of experience in a direct way. The nomination is valid for the next two years and gives us the opportunity to play an influential role in the further development of specifications for assessment procedures, new training programs and qualification requirements for future assessors. Other GEAR responsibilities include finding ways to promote assessors’ engagement in emerging and new markets, and optimizing assessors’ skills to add value for payments companies
We are proud to be included in this circle and see it as a recognition of our past performance and relevance in the payments security market. At the same time, we are aware of our responsibility to act as a representative for a large community of assessment companies and take this as an additional incentive for the future.
Link to GEAR: https://www.pcisecuritystandards.org/about_us/global_executive_assessor_roundtable/
8 digit BINs and PCI DSS
On April 1, 2022, the payment brands Visa and Mastercard will expand the BIN (Bank Identification Number) of their cards worldwide from 6 to 8 digits. In future, the first 8 digits of a 16-digit credit card number (Primary Account Number, PAN) will be used to identify the card issuer. The BIN is used in many occasions where the use of the full PAN is not necessary — e.g. for routing of transactions, or for reporting.
BINs and PCI DSS
Wherever a full PAN is used, the systems, environments, processes and people must meet the requirements of the data security standard PCI DSS (Payment Card Industry Data Security Standard). As useful as the protection of the PAN by the PCI DSS is – it is not necessary for the BIN. The PCI DSS therefore describes the conditions under which parts of the PAN do not require the same protection as the full PAN. If not the full PAN is stored, processed or transmitted, but only parts of it, the PCI DSS refers to “truncation”. If the full PAN is stored in the background, but not all digits are displayed in an application, the PCI DSS refers to the display as “masking”. In everyday life, the term “crossing out” is also used for the two different measures; from PCI DSS point of view, however, they have to be differentiated.
The following rules previously applied to truncation and masking:
Changed rules for truncation and masking
However, due to the switch to 8‑digit BINs and the need for many companies to process them, the payment brands have now changed their specifications. The current summary in the PCI SSC FAQ entry now defines that “first 8, any other 4” is permitted for truncation for 16-digit PANs. The (test) card number 4012888888881881 is then allowed to be stored and processed in the form 40128888xxxx1881, for example — it is sufficient if any four digits are crossed out after the BIN. Only for shorter PANs, the existing rules “first 6, any other 4” (Discover) or “first 6, last 4” (American Express) remain in place. A corresponding adjustment of the PCI DSS requirement for masking is expected with the change to PCI DSS v4.0.
From a security point of view, removing so few digits is not an improvement — but from a business perspective, the change is probably necessary. It is to be hoped that, overall, this will be offset by other security measures.
In any case, the requirements of the PCI DSS will not prevent the use of 8‑digit BIN in the future.
Caution when combining different formats
Regardless of the length of the BIN, merchants and service providers who work with truncated card data should take care not to weaken the protection by mixing different formats.
This also applies if different formats are used for masking and truncation.
PCI DSS v4.0 is coming — an overview
The PCI DSS (Payment Card Industry Data Security Standard) is well known as a comprehensive data security standard for payment card data of the international payment brands. The Payment Card Industry Security Standards Council (PCI SSC) keeps revising the standard throughout the years to address evolving risks and threats to payment data, to keep pace with the ever changing IT and payment landscape, and to reinforce security.
The PCI SSC has been working on the new, fundamentally revised version 4.0 of the standard for a long time now. After three RFC phases throughout the years, the new version will now be officially published on the PCI SSC website in March 2022.
Several changes have already been announced and are listed hereafter.
New validation options
PCI SSC plans to add more flexibility to the standard. Traditionally, the intended way of fulfilling a PCI DSS requirement is to follow it word by word. Now, the PCI SSC plans to add a choice: For nearly each requirement, an entity can either choose the traditional way of fulfilling it word by word, or they can use a customized validation.
For each requirement in the standard, the objective that is intended to be reached with it will be given. If an entity thinks that they want to use another way of meeting this intention than following the requirement word by word, they can document how they do this. This includes a risk assessment to verify the appropriateness of the customized way. This documentation, including the risk assessment, is then provided to the assessor, and the assessor identifies suitable testing procedures to verify the implementation of the customized controls.
Requirement changes
To make sure PCI DSS compliance is kept up throughout the year, additional requirements are announced by the PCI SSC, e.g. the necessity for
In addition, existing requirements will be adapted to threat and security evolvement. Changes to requirements on the following topics are forecasted:
Also the use of 8‑digit BINs will need to be addressed (see our blog entry).
Of course, the exact details of changes can only be given after the final publication.
Transition process
The PCI SSC has announced a transition period of two years, plus additional transition time for completely new requirements.
So after publication in March 2022, take your time to read the new PCI DSS version, identify the changes, and understand the impact on your environment. Use this year to plan migration to PCI DSS v4.0 and decide when is the right moment for your entity to switch from version 3.2.1 to 4.0.
Your PCI DSS consultant or assessor can help you understanding the intention of changes, your need for migration, and the validation requirements. Please do not hesitate to contact them. If you do not have direct contact to a PCI DSS expert, please contact SRC’s PCI DSS responsible.
To get a first overview of the changes to the standard, you can also join our free PCI DSS v4.0 webinar on 20th of April: Register here.
SRC specialist Oberender | 5G Security High Assurance
As part of the CAST forum hot topic: 5G Security, SRC specialist Oberender will give a presentation on 5G Security High Assurance. The CAST workshop is hosted by BSI unit SZ32 and will take place online on November 11, 2021.
5G technology will define digital life in Germany in the future and thus its security features directly protect the integrity of society and its citizens. The test procedure currently being developed by BSI is to consist of three parts: a test based on the 3GPP defined SECAM Evaluation Methodology TS 33.916, which is being refined at BSI as a Technical Guideline. Possible further tests will use the Accelerated Security Certification (ESC) and the Common Criteria (CC) certification scheme. The security assessor’s perspective here is quite unique. SRC has extensive experience in all testing methods and will provide insight into the advantages and disadvantages of the testing methods with regard to the testing of 5G and 6G communication platforms in this presentation. Dr. Jens Oberender presents the different test methods SECAM, BSZ and CC for the approval of 5G security and discusses their objectives and focus.
Mobile networks in Germany are currently entering their next evolutionary stage with 5G technology. This process is accompanied by security requirements and related certification activities. Germany needs secure and sovereign infrastructures for communications. Security features such as reliability and availability are essential factors for Germany’s economic development. The CAST workshop hot topic: 5G-Security provides an overview and outlook on the current status of 5G-Security and its future development.
SRC recognized as test center for accelerated safety certification (BSZ)
On 01 October the “Accelerated Security Certification (BSZ)”, the new certification procedure of the German Federal Office for Information Security (BSI) has started. Already on September 28, SRC was recognized by the BSI as a testing body for this new procedure. Sandro Amendola is head of the department Standardization, Certification and Security of Telecommunication Networks at the BSI. On behalf of the BSI he handed over the certificate of recognition to Peter Jung, who is responsible for the BSZ at SRC.
Accelerated Security Certification is the BSI’s new lightweight procedure for certifying the security of IT products. In contrast to a CC certification, a certification according to BSZ has several advantages: a considerably lower documentation effort, a significantly shortened implementation and thus a lower cost.
The certification scheme follows a risk-based approach. In this process, the security performance of the IT product is tested by a recognized testing body such as SRC within a fixed timeframe using conformance and penetration tests to determine its security performance and its resistance to attacks.
The user also benefits. He receives comprehensible documentation of the security performance and the promise that any vulnerabilities that occur are guaranteed to be remedied within the certificate’s validity period.
“After SRC has already carried out the first successful evaluation according to BSZ, we are very pleased about the recognition as a test center for this innovative certification scheme that has now taken place” says Peter Jung as representative of the test center and topic responsible for the Accelerated Security Certification BSZ at SRC.
SRC was one of the first test centers to be recognized for BSZ. SRC performed the evaluation of the LANCOM-1900EF, the first certified BSZ product ever.
The electronic share: A forward-looking step toward digital capital investments
Until now, securities could only be purchased as physical certificates. Since the beginning of June 2021, the Act on the Introduction of Electronic Securities (eWpG) has offered a paperless, digital alternative for investors and issuers.
The law on the introduction of electronic securities (eWpG)
The Act on the Introduction of Electronic Securities (eWpG), which recently came into force, is designed in particular to open up German law to electronic securities. Investors and issuers can now freely choose between the classic paper certificate or the digitized form. The Act also provides for a central electronic securities register for the registration of digitized securities. The crypto custody business, which is currently coming strongly to the fore, was by no means left out of consideration in the eWpG. This explicitly provides for the legal introduction of crypto securities, for example on a blockchain or general DLT basis. For this purpose, a separate crypto securities register is created, the keeping of which is now regulated as a further financial service under the supervision of BaFin within the meaning of the German Banking Act (KWG). To create legal certainty, the eWpG is to be concretized by an “Ordinance on Requirements for Electronic Securities Registries (eWpRV)”. A draft bill for the eWpRV from the Federal Ministry of Finance and the Federal Ministry of Justice and Consumer Protection is already available.
New opportunities through the interaction of innovative technologies
Cryptocurrencies and, in particular, cryptocurrency custody transactions continue to be among the red-hot digitalization topics. The Act Implementing the Amending Directive to the Fourth EU Money Laundering Directive added cryptocustody business to the KWG as a new financial service at the beginning of 2020. This created new market opportunities in the area of cryptocurrency services for banks and financial service providers. The issuance of electronic securities can also be carried out by using blockchain or DLT technology (crypto securities) through the new eWpG. This is associated with new (financial) services for which relevant fintechs are already ready. However, DLT applications offer IT service providers in the banking environment in particular new opportunities to develop forward-looking business areas. Furthermore, in the summer of 2021, the go-ahead was finally given for the digital euro, the introduction of which is to serve as a supplement to established payment methods. The trend toward further digitization of the financial industry is now being continued with the introduction of electronic securities.
In addition, the EU Commission recently launched a digital finance package, the contents of which include a separate regulatory proposal for crypto assets or even a pilot project for DLT-based securities.
Tapping market opportunities and overcoming challenges together
Investors are not the only ones who should already be taking a close look at this new topic. In particular, banks and financial service providers now have a renewed opportunity to occupy this promising market segment. However, these new opportunities also lead to new challenges. The SRC experts follow the exciting developments in the field of electronic securities, cryptocurrencies and the digital euro for you and support you in the realization of your services. We will be happy to inform you about the opportunities to get involved in this innovative sector and to master the new challenges together.
SRC expert Botermann | DLT for IT service providers in the banking environment
Crypto assets based on blockchains move many states, companies and the world of banks and their IT service providers.
Distributed ledger technology (DLT for short) is the term used to describe the technology of “distributed cash ledgers”. The key difference: transactions are legitimized in a decentralized manner and stored with the participants. As a disruptive technology, DLT makes numerous intermediation and clearing points redundant. Banks are threatened with the loss of their position as anchors for trustworthy transactions.
But this is precisely where the prospects for future business models lie, since it is precisely the banks that traditionally have expertise in the safekeeping of confidential information. The decisive technical trust anchor of every transaction via DLT is the customer’s private key. The trusted management of this private key may prove to be a perspective for the evolution of banks’ business models.
To summarize: DLT applications offer IT service providers in the banking environment good opportunities to adapt their own business models and also position themselves for the future. Services in the crypto custody business can be seen as a suitable entry point, which can be expanded and supplemented in the future.
How can business models in the banking environment be adapted to these developments? What opportunities does the crypto custody business offer? What technical and regulatory requirements must be met?
In the articles DLT for IT service providers in the banking environment (german), crypto custody business: starting point for business field expansion (german) and crypto custody business as a business area expansion for banks (german) published in gi GELDINSTITUTE and on cash.online, SRC expert Dr. Benjamin Botermann gives an insight and overview of challenges, opportunities and stopler stones of the crypto custody business with distributed ledger technology (DLT).
The SRC experts will follow the exciting developments in the field of cryptocurrency and digital euros for you and support you in the realization of your cryptocustody business. We will be happy to inform you about the possibilities to get involved in this innovative sector.