Despite Corona — the support of SRC is certain!
The corona virus has reached our everyday life. The pandemic is directing our focus on what is now the most important thing: the protection of the health, safety and well-being of our employees, our partners, customers and families.
The vast majority of our employees use the opportunity to work from home; some are available at the locations to sign, receive mail and much more.
In the relatively short period of time it has already become apparent that the staff of SRC is highly committed to ensuring the continuity of operational processes.
Especially in these difficult times, we pay special attention to the concerns of our customers. We are still in a position to support our customers, some of whom operate urgently needed critical infrastructures, comprehensively and with a maximum of flexibility. We will continue to meet our great responsibility and obligation towards our customers in these times.
Even if many of us are not at the SRC locations: We are still available for you via the usual communication channels.
We continue to do what we are good at.
As an alternative to on-site appointments we have, for example, developed procedures for remote support. We can:
- conduct consultations and interviews in the form of telephone conferences,
- check system settings using web conferences,
- carry out on-site inspections using video transmissions.
Please contact your contact person at SRC in order to coordinate the concrete procedure.
We at SRC are convinced that we will learn from the experiences of this situation for our future. We will emerge strengthened from this crisis.
Please look after the health of those around you and of your families.
IT compliance through the introduction of an ISMS
Increasing compliance requirements
“The dependency of core and value-added processes on the IT infrastructure and the IT systems operated there is constantly increasing at credit institutions. This means that the associated compliance requirements are also increasing almost to the same extent”. In an article that has just been published on the specialist platform “Security Insider”, SRC expert Dagmar Schoppe explains the different regulatory and legal requirements that determine the daily business of credit institutions and how IT compliance is improved by the introduction of an ISMS.
Value creation processes are threatened
The protection of these value-added processes through compliance with regulatory and legal requirements, e.g. from BAIT, MaRisk or the IT Security Act, is a very topical issue. After all, the danger of hacker attacks is a real and current threat. This is one of the reasons why IT security is one of the central audit focuses of the BaFin. The TIBER-EU programme, which is intended to strengthen the resilience of the financial world against cyber attacks, also aims in this direction.
Holistic information security management system creates security
For a holistic approach to protecting corporate assets, the various organisational and technical aspects must be combined into one overall concept. This leads to the introduction of an information security management system, e.g. on the basis of ISO 27001.
The experts of the SRC division Banking Compliance will gladly advise you on regulatory and legal requirements and their implementation, e.g. by introducing an information security management system (ISMS) or by carrying out TIBER tests. SRC is a member of the Cyber-Alliance.
New BSI guidance on evidence according to § 8a paragraph 3 BSIG
The IT Security Act (IT-Sig) in conjunction with the KRITIS regulation has been in force for over five years. Its main objective is the regulation of KRITIS operators under the BSI Act. The Federal Office for Information Security (BSI) accompanies the act and the regulation with its so-called Orientation Guide to Evidence.
IT-Sig 2.0 — Is it coming or not?
Unfortunately, it has become very quiet around the topic “IT Security Act 2.0” lately, so no amendment of the KRITIS regulation is to be expected in the short term. However, the current state of IT-Sig 2.0 can be gathered from the existing ministerial draft. For example, the inclusion of waste management in the existing sectors is being considered. In addition, an expansion of the target group beyond KRITIS operators to include companies in the special public interest (e.g. due to their economic importance) is also under consideration. For these companies, the preparation of security concepts, the obligation to report incidents, the registration and maintenance of a point of contact and the trustworthiness of employees in the relevant area are important. Particularly striking is the planned tightening of the framework for fines from the previous maximum of EUR 100,000 to a maximum of EUR 20,000,000 (or 4% of the company’s total worldwide annual turnover in the previous business year).
New guidance on evidence
While IT-Sig 2.0 is still a long way off, in the second half of August the BSI published its new “Guidance on evidence pursuant to Section 8a (3) BSIG”. The version number 1.1 already suggests it: the changes include many concretisations and clarifications of the facts and requirements. In addition, there are further significant changes. For example, the new Form P combines the information previously contained in forms PD (test performance), PE (test results) and PS (testing body). In addition to the written submission, a digital, machine-readable copy is now also required. The list of security deficiencies and the implementation plan are now combined in one document, while existing test results (at most 12 months old) must be explicitly checked for whether they are still current and still valid. A clear innovation is the substantiated assessment of the maturity levels of the management systems for information security (ISMS) and business continuity (BCMS). The strong focus on the aspect of traceability is also very noticeable and becomes visible at various points.
Even without IT-Sig 2.0, the new BSI orientation guide requires attention. SRC experts will be pleased to discuss the innovations and their effects with you and support you in the implementation of the extended requirements.
Amendment of BAIT 2021: the new requirements for financial institutions
The amendment of BAIT for 2021 means new requirements for credit institutions. In this context, BaFin faces the challenge of implementing in Germany the EBA Guidelines on security measures for operational and security risks under PSD2 and the EBA Guidelines on ICT and security risk management. This is to be completed by 31 December 2020 with an amendment to the BAIT (Banking Supervisory Requirements for IT). First drafts have already been discussed and commented on within the institutions and associations.
BAIT 2021 focuses on IT security
With a separate new chapter, operational IT security is moving further into focus. The requirements formulated there can only be fulfilled with a Security Information and Event Management (SIEM) system. This also includes the establishment and operation of a Security Operations Centre (SOC). Regular operational checks are required.
The new requirements of BAIT 2021 lead to the establishment of a professional cyber security infrastructure. This means extensive and independent internal information security structures.
The management assumes overall responsibility
It is noticeable that the draft no longer merely refers to the responsibility of management: management is explicitly required to acknowledge overall responsibility for information security. This includes being regularly informed about information security matters and deciding how security risks are to be dealt with appropriately.
Requirements for IT emergency management are consolidated
We expect further changes in the area of IT emergency management. The requirements from BAIT will be consolidated with those from section AT 7.3 of MaRisk, creating uniform national requirements. In addition, we expect the requirements regarding emergency planning and prevention, BCM, disaster recovery and backup strategies to be tightened and specified. In our view, outsourcing to service providers will also be covered by the revised version.
Financial institutions face major challenges
According to the assessment of the SRC experts for Banking Compliance, the expected changes will pose great challenges for the affected institutions, especially with regard to the required know-how and the limited resources on the labour market.
SRC expert Ehlers: Standards of the Payment Card Industry (PCI)
“PCI compliance requires know-how and resources.” SRC expert Jana Ehlers explains the different PCI security standards in an article which has just been published on the professional platform “All About Security”.
In view of the increasing number of card payments in pandemic times, the protection of payment card data is a very current topic.
All PCI standards aim at protecting the payment card data of international payment systems. The best-known standard alone, PCI DSS, has around 250 individual requirements. If these are taken into account when networks and structures are first set up, complex and expensive retrofits are often unnecessary. But the permanent maintenance of PCI DSS conformity also poses challenges for companies.
SRC has been assessing and advising on PCI standards since they emerged in 2006. This experience helps to correctly understand and take into account the intentions behind the PCI standards. SRC accompanies customers through the whole process. In this way, not only can PCI conformity be achieved in a comprehensible manner, but also considerably more security for the customers’ payment card data, which deserves protection.
Frenchsys, Elitt and SRC found the EPay Standards Consortium
Together with the French partners Frenchsys and Elitt, SRC has founded the EPayStandards Consortium, a cooperation to expand consulting and support for international customers in European payment transactions.
As a subsidiary of Cartes Bancaires, Frenchsys significantly supports the technical and functional specifications as well as the integration in the French acquirer market.
Elitt focuses its activities on the development of test case catalogs and test tools for terminals. Elitt also stands for innovative payment solutions.
SRC supports the development and maintenance of the German girocard system. This includes the creation of functional and security specifications for all system components involved. The design of innovative solutions for mobile payment is also part of SRC’s range of services.
All three companies know the world of payment transactions well, as key contributors to European standardisation initiatives such as nexo, CPACE and the Berlin Group.
The EPayStandards consortium gives the international market for payment transactions access to bundled technical and strategic consulting services. The cornerstone of the cooperation is laid with workshops for customers with cross-border operations such as terminal manufacturers and processing service providers.
In recent years, the European standards for payment transaction terminals have developed further. This offers opportunities especially for internationally active acceptors to harmonize their terminal infrastructures across borders. SRC and Frenchsys contribute detailed knowledge of these new standards and the two largest European payment transaction markets and systems. Elitt completes the cooperation with its expertise in the technical preparation of implementations and certifications. Thus, the international market for payment transactions benefits from the combination of the strengths of the consortium partners.
Payment 2030 — The study on the future of payment in Germany
With the support of Z_Punkt — The Foresight Company, SRC has prepared the study Payment 2030. This study deals with the future of payment in Germany. It is the continuation of the study on Payment 2025 initiated in 2015. Besides updating the scenarios considered in 2015, the study primarily examines options for action for account-holding institutions that arise with regard to the payment process of the future. The basis for this is a comprehensive analysis of the trends and developments already emerging today.
The study Payment 2030 addresses many questions: In what way have the relevant framework conditions changed compared to the previous study? How can account-holding institutions react to new market participants? What do innovative solutions in payment transactions look like? What new revenue sources and value-added services are conceivable? And what opportunities and necessities for cooperation with partners within and outside the banking industry will arise in order to be prepared for “Payments 2030”?
Numerous experts from the banking industry, retail and technology providers were involved in the preparation of the study. In this way, the horizon of the study was broadened and a broad spectrum of potential developments was covered.
SRC provides you with the study Payment 2030 free of charge. Please understand the study as an invitation for dialogue. Therefore, we are looking forward to your comments, questions and suggestions. Please write to us at bezahlen2030@src-gmbh.de.
The study is available for download free of charge in German and English. Print copies are only available in German. They can be requested free of charge by stating the shipping address.
Transfer and Perspective Workshops
This workshop is a joint offer by SRC Security Research & Consulting and Z_punkt The Foresight Company.
SRC recognized by PCI SSC as SPoC and CPoC Security Lab
Today, the worldwide operating PCI Security Standards Council has recognized SRC as the fourth laboratory for the performance of security tests for SPoC and CPoC solutions.
With SPoC solutions (Secure PIN Entry on Commercial-off-the-Shelf devices) a merchant can accept payments with commercially available mobile devices.
While the SPoC program describes solutions with PIN entry, the CPoC program is aimed exclusively at contactless solutions that do not require PIN entry.
A SPoC solution consists of four core components
With CPoC, the PCI SSC has developed requirements for solutions for processing contactless payments without PIN entry (“Tap and Go”) on commercially available mobile devices (commercial off-the-shelf, COTS), such as smartphones or other mobile COTS devices with an NFC interface.
With the SPoC and CPoC programs, the PCI SSC meets the increasing demand for new and secure acceptance solutions and ensures security in the acceptance of payments via mobile phones and tablets. The corresponding tests are now also carried out by SRC.
The recognition of SRC as a lab for the programmes SPoC and CPoC is an important signal to the market. Customers from this innovative environment can now also make use of SRC’s expertise for the development of secure payment solutions.
PCI DSS best practices guidance for large organizations published
SRC Security Research & Consulting GmbH contributed to the most recent PCI (Payment Card Industry) Security Standards Council Special Interest Group (SIG). The resulting guidance on PCI DSS for Large Organizations is now published.
Complex organizations, corporations and companies often face specific challenges when implementing PCI DSS (Payment Card Industry Data Security Standard) requirements: the heterogeneity of their infrastructures and processes, the constant change of corporate structures, and dealing with diverse requirements, responsibilities and management tasks.
The new guidance on PCI DSS for Large Organizations helps large and/or complex organizations coordinate and manage their PCI DSS activities across multiple environments.
SRC is a partner of OMNISECURE 2020
As experts for IT security, we at SRC know that adequate levels of protection are essential in the digitalisation of industry and society. Experts from the industry will present the security concepts required for this at the annual OMNISECURE. As a partner of OMNISECURE, SRC traditionally enriches the discourse on these topics with the knowledge we have gathered in many projects. OMNISECURE will take place in Berlin from 20 to 22 January 2020.
Electronic identification and the security required for it are one of the overarching topics at SRC and at the same time the core topic of the event. For SRC, the OMNISECURE provides an important platform for the cross-industry exchange of knowledge and experience with experts, specialists and executives from business, politics, public administration and science.
As a partner of OMNISECURE, SRC makes its contribution to provide participants with a comprehensive overview of new applications, hazards and solutions, technology trends, progress or delays in well-known, trend-setting projects. Ideas and relevant legislative projects are discussed in the same way as failures, from which one can always learn. The OMNISECURE offers a wealth of food for thought and encounters with renowned experts. It is not unusual for the foundation stones for future projects and decisions to be laid here.
We at SRC are looking forward to two rich days and to the varied and rich discussions with experts and customers.