Are you ready to certify your NextGenPSD2 implementation?
The revised Payment Services Directive (PSD2) requires banks to allow authorized third parties access to customer data. These third party payment service providers (TPP) are to be granted access via a programming interface (XS2A) with the customer’s consent. With this data, TPPs will be able to offer innovative payment initiation and account information services. The NextGenPSD2 certification promotes the implementation of a uniform standard.
Most banks and API providers in Europe implement the XS2A interface using the NextGenPSD2 framework of the Berlin Group. This is an open and Europe-wide harmonized solution for implementing the PSD2 requirements for the XS2A interface.
A correct implementation of the XS2A interface exempts the institution from having to implement a fallback interface. The NextGenPSD2 Implementation Support Program (NISP) offers participants a testing framework consisting of a test concept, a test case catalogue, compliance best practices and test tool requirements. The implementing institution evaluates its own work, and on that basis the implementation is considered complete. It remains to be seen whether this self-assessment will be considered sufficient by the supervisory authority (national competent authority, NCA).
Why should you undergo the NextGenPSD2 certification?
The self-assessment of the NextGenPSD2 implementation already offers a high level of quality. However, different interpretations of the specification can lead to interoperability problems. There is currently no documented agreement between banks and third-party providers on the exact implementation of the XS2A interface. This increases the probability that the responsible supervisory authority of the banks will refuse the exemption from the implementation of a fallback interface solution.
SRC has extensive and detailed expertise from its involvement in the specification and implementation of the XS2A interface as part of NISP. On this basis, we have developed the NextGenPSD2 certification for you.
How does the NextGenPSD2 certification process work?
The inputs for the NextGenPSD2 certification are the test case catalogue, the implementation profile and the test specification of the implementing institution. SRC uses these to carry out a complete functional, security and performance audit of the NextGenPSD2 implementation.
Audit Validation
During validation, the implementation is reviewed with respect to the requirements of the documentation.
Functional part
In the functional part, the test specifications are executed and the results are verified.
Non-functional part
In the non-functional part, the availability of the implementation (stress test) is determined and evaluated at relevant points.
Security test
In the security test, methods of penetration testing are used. It is evaluated if the implementation of the XS2A interface offers sufficient protection against fraud attempts on customer data and transactions.
The certification is documented in a final report. If all requirements are at least sufficiently fulfilled, the institution receives an SRC certificate. With this certificate, the conformity of the implemented XS2A interface can be demonstrated to third parties and to the supervisory authority. Building on the first certification, regression audits can be carried out in the future.
SRC consulting services for development optimisation or for creating the test specification can be used to prepare for the NextGenPSD2 certification.
Why SRC?
As a co-editor of the NextGenPSD2 Framework and the NISP Testing Framework, SRC has a deep understanding of the NextGenPSD2 standards and all tasks associated with testing. In addition, SRC has many years of experience in developing test environments with many licensed auditors for multiple functional and security evaluations according to formal certification schemes. As a result, SRC is able to carry out a high-quality audit with manageable effort.
Are you interested in NextGenPSD2 certification? Then please contact us at info@src-gmbh.de.
Unternehmenstag 2019 — SRC participates again!
Unternehmenstag 2019 — The Career Fair for Students and Career Starters
The end of their studies is in sight and the degree is within reach. Now at the latest, students and graduates need to make contact with their future employers, and SRC is looking forward to that contact. The Unternehmenstag 2019 takes place on 13 and 14 November over two days at the Bonn-Rhein-Sieg University of Applied Sciences on its campus in Sankt Augustin.
The job fair will be rounded off with a wide range of offers relating to careers and career planning. These include lectures, application photos, job boards and much more.
Career in IT — SRC provides an insight into exciting areas of responsibility
SRC will also be happy to give students and graduates the opportunity to gain an insight into and exchange views on the diverse topics of IT security at the Unternehmenstag 2019. The SRC experts will explain everyday working life and the challenges in the assessment of security-relevant IT technologies. Current topics include, for example, mobile payment methods, artificial intelligence and critical infrastructures. We expect our new colleagues to have a strong instinct for potential sources of error in complex technologies, the competence to find solutions and the assertiveness to present the results of their work to clients.
Current job offers on our career portal
Whether as a working student in our customer management or as a scan worker in the pentest team — taking on diverse and exciting tasks while studying is no problem with us. Graduates will also find what they are looking for — we are looking for pentesters, consultants and analysts for different areas of our company.
Students and graduates are welcome to inform themselves in advance on our career portal about vacancies at our company. We will be happy to answer any questions you may have at the Unternehmenstag! You also have the option of submitting your application documents directly to us on site.
SRC invited to inova 2019
SRC introduces the company at the career forum at TU Ilmenau
The inova will take place in October 2019 at the TU Ilmenau in Thuringia. Over the last 20 years, inovailmenau has become one of the most important career forums in Germany. Only selected companies are invited to engage in direct dialogue with students and establish contacts. As one of these selected companies, SRC GmbH will be on site in central Germany and will offer interested students an insight into the diverse topics of an IT security company and the corresponding career opportunities.
Career in IT? Not only for the “classical” computer scientists
Students are frequently unsure what to do with their specific degree in the future. Certain occupations in certain sectors, such as IT, struggle with the prejudice of only hosting and hiring the “classical” computer scientists. However, this is not the case in our industry.
SRC uses inova 2019 to give students at the TU Ilmenau, whose courses of study are strongly characterised by engineering science, an insight into and an exchange on the diverse subject areas of IT security. The SRC experts explain the challenges of technology assessment using examples such as mobile payment methods, artificial intelligence and similar topics. This requires a strong instinct for potential sources of error in complex environments, the competence to find solutions and the will to implement them. Especially students with engineering, economic, mathematical and scientific backgrounds bring these valuable qualities with them.
The inovailmenau 2019
This year’s inovailmenau will take place at the TU Ilmenau from 22 to 23 October 2019, from 10 am to 4 pm. With over 5200 visitors, the inovailmenau is the most important student career forum in central Germany. The number of interested companies is constantly growing, giving the inova team the opportunity to exclusively handpick companies. We at SRC GmbH are therefore particularly pleased to be able to personally get in touch with the students of the TU Ilmenau in October and to inspire them with our company and career opportunities. You are welcome to browse through our topics and our career portal in advance — we will be happy to answer any questions in a personal dialogue on site or in advance via our numerous contact options.
SRC at ICPS 2019 in dialogue with physics students
SRC attends the ICPS 2019 Jobfair
Physics students will meet for the 34th time at ICPS 2019 in Cologne. The “Jobfair” taking place on Tuesday, August 13, 2019, will provide the setting.
SRC uses the ICPS 2019 to provide physicists with insights into and an exchange on the diverse topics of IT security. The SRC experts explain the challenges of technology assessment using examples such as mobile payment methods, artificial intelligence and similar topics. This requires a strong instinct for potential sources of error in complex environments, the competence to find solutions and the will to implement them. Especially students with a physical background bring these valuable qualities with them. Dr. Max Hettrich already reported in the interview “From quantum physicist to security analyst at SRC” on how a career can develop from these qualities.
By students for students — The ICPS 2019
The ICPS finds a new home every year. More than 500 physics students and doctoral candidates from more than 50 nations not only have the opportunity to exchange their knowledge; they also get to know the culture and mentality of the host country. The ICPS is organised by the respective student associations of the host country. This year, the organising team, consisting of members of the young German Physical Society, the Institute for Theoretical Physics of the University of Cologne and the Bonn-Cologne Graduate School of Physics and Astronomy, has prepared a programme lasting eight days.
Matthias Dahlmanns is the project coordinator of ICPS 2019 and a working student at SRC. “Coordinating the organisation of the ICPS 2019 is a great experience. The participation of SRC makes me personally very happy”, says Matthias Dahlmanns. Dr. Benjamin Botermann, Senior Consultant Test & Quality Assurance, is also looking forward to the exchange with the many interested physics students: “I am very excited about the ICPS Jobfair. As a physicist, I find myself absolutely at home working at SRC. I am looking forward to the exchange with the prospective physicists. In a personal conversation, I would like to talk about the various fields of activity at SRC and answer the numerous and detailed questions”.
How secure is IT in our hospitals?
Digitisation poses IT security challenges for hospitals
Cloud computing, networked communication, virtual teamwork — digitisation offers hospitals and other healthcare facilities enormous potential for optimisation, with lasting positive effects on the profitability of medical facilities and on patient care. Were it not for IT security. How well protected are healthcare networks? Can sensitive data be lost during transmission or in the course of collaboration, or, even worse, be intercepted? Can IT security in hospitals keep pace with the tempo of digitalisation?
Protection of sensitive patient information is required
If one thinks about the most sensitive data of a society, patient information certainly belongs to it, and the need for protection is correspondingly high. In the meantime, the legislator has also recognised this and created a clear legal situation. Now at the latest, IT security in the healthcare sector is becoming a field of liability risks and claims for damages, which is why IT security is a top priority in hospitals. Several hospitals have already painfully discovered that absolute security can hardly be achieved. In particular, the attack with the ransomware “WannaCry” in 2017 had an enormous impact on hospital IT worldwide: examinations had to be postponed, operations had to be cancelled and the financial damage was immense.
The electronic patient file, telemedicine and cross-sector information logistics make it extremely demanding to manage data securely. But IT security is no longer just a technical issue. It also concerns the awareness of employees, tightened data protection and the growing requirements of the legislator. Examples are the Medical Device Regulation (MDR) and the audits according to § 8a of the BSI Act (BSIG).
SRC expert Dr. Deniz Ulucay talks to the KU Gesundheitsmanagement Magazine
In an interview with Birgit Sander, editor of KU Gesundheitsmanagement Magazine, Dr. Deniz Ulucay, SRC expert for IT security in healthcare, gives detailed insights into potential threat scenarios and adequate defence strategies. The title of the article asks: “How secure is IT in our hospitals?” It can be downloaded here (German).
IT-Security Congress 2019 — Arne Schönbohm welcomes SRC
The IT-Security Congress 2019 again offered SRC the platform for dialogues with manufacturers, partners and representatives of public authorities. The motto of the event was “IT security as a prerequisite for successful digitization”. The topics are as varied as the visitors: artificial intelligence and its fields of application, Common Criteria certifications of micro-kernel operating systems and professional perspectives for scientists and computer scientists at SRC. Almost all SRC services were in demand at the stand, whether penetration tests, consulting and certification of information security management systems or support for product manufacturers in evaluations according to Common Criteria.
Sandro Amendola’s lecture at the IT-Security Congress 2019, entitled “Legal Security Requirements for Payment Procedures for Customer Authentication Using Mobile Devices”, was widely discussed. The high pace of innovation on the one hand and the parallel development of regulatory requirements on the other hand provide continuous material for discussions and forecasts of future trends.
The host of the IT-Security Congress 2019, the Federal Office for Information Security (BSI) (see photo), also stopped by our stand. Thilo Pannen is responsible for Business Development at SRC. “We at SRC are delighted that we have been able to support the BSI for many years with a range of experts,” said Thilo Pannen in his welcoming address. The extensive discussion with BSI President Arne Schönbohm touched all aspects of the extensive cooperation with the BSI. Be it the preparation of studies, the support in the various BSI projects or the work of SRC as a BSI-recognized testing laboratory. In its function as a testing laboratory, SRC does not only assess according to Common Criteria. The requirements for the technical domains “Smartcards and similar Devices” and “Hardware Devices with Security Boxes” are also fulfilled by SRC.
Such extensive and complex cooperation in such a dynamic environment requires constant adaptation of the processes. “If we at BSI can contribute to further good cooperation, please let me know,” said the BSI President at the end of his visit to the SRC stand.
SRC contributes to the German IT Security Congress 2019
IT security as a prerequisite for successful digitalisation
This is the motto of this year’s German IT Security Congress, which is held every two years by the Federal Office for Information Security (BSI). The congress will take place from 21 to 23 May 2019 at the Stadthalle Bonn — Bad Godesberg. The aim of this year’s congress is to examine the topic of IT security from different perspectives, to present and further develop possible solutions.
SRC is at the German IT Security Congress
As a BSI-approved evaluation body for evaluations according to Common Criteria (CC) and various other technical guidelines, SRC will again be present with a booth at the German IT Security Congress 2019. We thus once again offer the experts of our customers and partners, as well as those of the BSI, a well-established point of contact at the congress. This concept has proven itself over many years: the stable personal network between the participants offers the optimal platform for exchanging complex technical and regulatory aspects.
SRC expert Sandro Amendola talks about compliance, mobile payment procedures and customer authentication
The triumphal march of mobile payment procedures seems unstoppable. The legislator has also intensively considered the security of these procedures and the necessary customer authentication. Sandro Amendola will talk about “Legal security requirements for payment procedures for customer authentication using mobile devices” on Thursday, 23 May 2019 at 11:00 a.m. in the main hall.
BarCamp “Information Security Management in Credit Institutions” — 19 September 2019
In cooperation with SRC Security Research & Consulting GmbH, Bank-Verlag GmbH hosts a BarCamp on the subject of “Information Security Management in Credit Institutions”. The event will take place on 19 September 2019 at the premises of Bank-Verlag in Cologne.
The Federal Financial Supervisory Authority (BaFin) has also defined the new function of the Information Security Officer in the “Banking Supervisory Requirements for IT” (BAIT). He or she steers the information security process and reports directly to management. What this theory looks like in practice will be examined in more detail on 19 September at the BarCamp “Information Security Management in Credit Institutions”.
The BarCamp Principle
A BarCamp is an open conference with practical workshops. The workshops serve the exchange and discussion among the participants. At the beginning, the participants themselves develop the contents and the agenda, which they then develop further. There are no predefined speakers or procedures to be found in a BarCamp. Instead, this principle relies on the (moderated) exchange of experience.
BarCamp “Information Security Management in Credit Institutions”
The BarCamp “Information Security Management in Credit Institutions” gives Information Security Officers as well as all those responsible for information and IT security management at credit institutions the opportunity to exchange information on topics such as BAIT audits, service provider management or risk management. In addition, contacts can be established and expertise expanded. The coffee breaks can be used for individual discussions. At the end of the event, a “get-together” provides an in-depth exchange among the participants.
The SRC Speakers
Four experts from different areas of SRC will share their knowledge and expertise with the participants.
Sandro Amendola, deputy head of the evaluation body at SRC, is responsible for the topic “IT compliance in the banking industry”. In addition, he develops security concepts and security requirements for payment transaction procedures on behalf of the German banking industry, among others.
Jochen Schumacher is responsible for communications at SRC. He concentrates on product management, the technical and editorial support of the website as well as the planning, implementation and moderation of events.
Florian Schumann is Head of IT at SRC. In addition, he is an information security consultant and qualified auditor according to § 8 (a) BSIG for critical infrastructures.
Dr. Deniz Ulucay works at SRC as a consultant for information security. His focus is on the development of ISMSs, in particular for operators of critical infrastructures. He is also responsible for the development and implementation of security concepts.
Registration & Schedule
Further information about the registration and the course of the BarCamp on the topic “Information security management in Credit Institutions” can be found in this flyer (GER) and on the website of Bank-Verlag. Here you can register directly online for the event and bring in the topics that are important and interesting for you and thus help to determine the course and outcome of the BarCamp “Information Security Management in Credit Institutions”.
For further questions Mrs. van Kessel is at your disposal (Tel. 0221/5490–161, andrea.vankessel(at)bank-verlag.de).
Certificate Course “Information Security Officer for Credit Institutions” — November 19 to 22, 2019
BAIT-Compliance: Use of an Information Security Officer (ISB)
The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, availability, authenticity and confidentiality of data in their IT systems and processes. However, secure and efficient IT is also essential for the economic success of a bank. The new “Banking Supervision Requirements for IT” (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority (BaFin) calls in this guideline for the newly created function “Information Security Officer for Credit Institutions” (ISB). The ISB steers the information security process and reports directly to management.
6th Certificate Course “Information Security Officer (ISB) for Credit Institutions”
In cooperation with Bank-Verlag, SRC has already successfully completed five certificate courses on “Information Security Officer (ISB) for Credit Institutions”. After the great response and the continuing demand, we are pleased that Bank-Verlag has made another date possible for this four-day certificate course.
From 19 to 22 November 2019, you will once again have the opportunity to receive further training as an “Information Security Officer (ISB) for Credit Institutions” on the premises of Bank-Verlag GmbH in Cologne.
Training by skilled experts
In cooperation with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Germany) the SRC experts Sandro Amendola, Florian Schumann and Dr. Deniz Ulucay will give lectures. In this course, the experts inform you comprehensively about the norms and standards according to ISO and IT-Grundschutz, as well as about all legal/regulatory requirements relevant to you as an ISB. In addition, the topics IT Risks and Emergency Prevention as well as Business Continuity Management are dealt with.
After passing the final examination, you will receive the certificate “Information Security Officer for Credit Institutions”.
Optionally, you have the opportunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar in Cologne on 18 November 2019 prior to the event. This course deals with the basics, terms, encryption and IT security techniques in information technology.
Aspects of Common Criteria Certifications — Guest lecture at the Vienna University of Technology
Aspects of Common Criteria Certifications — this is the topic of the lecture that the experts of the SRC evaluation body for Common Criteria will address at the Vienna University of Technology. The lecture will take place on 10 May 2019 as part of the lecture IT Security in Large IT Infrastructures at the Institute of Information Systems Engineering.
Common Criteria in science
With the help of Common Criteria for Information Technology Security Evaluation (CC), IT products can be evaluated regarding their security according to general criteria. As an internationally recognised standard, Common Criteria is of interest to the scientific world. Initially, an evaluation is carried out by an evaluation body accredited by the German Federal Office for Information Security (BSI). SRC is accredited as such a CC evaluation body. The BSI then carries out the certification.
Guest lecture for students
The SRC experts will discuss the aspects of Common Criteria certifications at first hand. The lecture informs the students about the basic approach for product certifications according to Common Criteria. Infrastructures in the European Union that rely on Common Criteria certification will be highlighted. The formal side, including the responsible certification and recognition bodies, will also be considered. The comparison of Common Criteria with other concepts concludes the lecture: certifications according to technical guidelines of the BSI, ISO 27001 or the criteria of the Payment Card Industry (PCI) will be considered.