If you are a member of the SWIFT network, as of today, you have less than 90 days to declare your compliance status against the 16 mandatory controls of its Customer Security Program (CSP). Aside from reporting whether your company is, is not, or will be compliant, it’s important that you don’t just treat this as a ‘tick-box’ exercise, and rather that you embrace the spirit of the programme.
Raising the bar on payment security across the industry is critical. With sensational stories in the media surrounding highly customised payment frauds everywhere you look, it’s clear that you need to implement a solid security strategy which proactively protects your organisation against the ever-increasing threat of fraud. This does not just mean a strategy which helps you prevent the next attack – it is about having one which protects you well into the future.
In response to cyber-related payment frauds, earlier this year, SWIFT issued a set of core security standards and an assurance framework, including mandatory controls for all SWIFT members. Your job here is to review them, understand them, and implement changes as needed within your payment processing environments to become fully compliant.
As a SWIFT member, you and your company are responsible for reviewing your infrastructure and self-attesting by the end of 2017.
It’s important to note that your compliance status will be made visible to counterparties to whom you have granted access, so they are able to see your status against each control. Additionally, as these and other security requirements continue to evolve, it is important that you progress quickly, so you can cater for further changes and an ever-evolving threat landscape.
Here are some basic steps to ensure you’re on track:
- Set up the project and your team: Job one and a really urgent item, make sure all people involved in the process have SWIFT.com credentials and can actually login – the last thing you want is to discover on New Year’s Eve that you’ve done all the hard work and cannot submit your attestation because Donald didn’t register! Involve your security team early on, and agree who will take ownership of which elements of the CSP.
- Do an assessment and understand what your level of compliance is: Sit down with your team to clearly understand your status. Ultimately, you will need to ensure compliance with the 16 mandatory controls. Some organisations view the 11 advisory controls as optional, but it is highly recommended that each of them is assessed on its necessity for your organisation. Many of them are common-sense measures that should be part of a comprehensive security plan anyway, so you may find it just makes sense to comply with all 27 controls. It is also worth considering that, as the threat landscape evolves, controls that are currently advisory may end up becoming mandatory anyway.
- Take the necessary steps to get compliant: Keep in mind that the CSP programme is a positive step towards defining a strong baseline of security standards for the SWIFT community. Build on it as a foundation for a broader security playbook designed to stop fraudulent payments before they happen, so that suspicious transactions are flagged and stopped before they are processed. To effectively protect against both internal and external threats in today’s world, it is essential to proactively monitor user behaviour as well as the transactions themselves.
It would be a mistake to view having to comply with the CSP as a distraction from the real focus of your business. Instead, embrace it and use the next 90 days as an opportunity to strengthen your organisation’s overall security procedures – this is a perfect chance to evaluate whether or not your security is up to the challenge of protecting your payments against modern threats. Fraudsters are using every tool and trick available to them. Are you doing the same?