Connect your Application to our Production Environment
Before you connect your App into our production environment we have to ensure you meet our security baseline requirements. These requirements ensure we meet our obligations as a regulated financial institution and help give other regulated financial institutions comfort that you can do the same.
We’ll commit to keeping these standards up to date to ensure everyone stays compliant.
You’ll be required to attest to meeting these requirements annually.
Encryption key management
Ensure effective key management is implemented to protect client data.
Verify that your app meets these requirements for OAuth token management.
Encryption in transit
Ensure that sensitive client data in your app is protected during the transport process.
(MANDATORY) App server is configured to support only TLS version 1.1 or higher.
Web application endpoints that receive sensitive customer information and/or authentication tokens in URL parameters must not return content via an HTTP Response Body and you must implement a 302 Found redirect for these requests.
This is to prevent sensitive customer information from being accidentally leaked to 3rd parties in the subsequent HTTP Referrer request headers.
Ensure that users who access your app are authenticated.
Ensure that strong customer authentication is enabled (minimum two step authentication or single sign on).
Indirect access to data
Ensure that unauthorised third-parties are unable to access customer data.
Third party access to customer data must be clearly stated within applicable policies and/or terms and conditions, and have a justifiable business need.
App server configuration
Ensure that your app server is secure.
Ensure your server’s configuration follows industry accepted hardening practice for example:
Ensure that your app is secure against the common vulnerabilities.
Follow an industry accepted standard for secure code development such as OWASP Top 10 to protect against vulnerabilities such as:
Encryption at rest
Ensure that sensitive client data in your app is protected while at rest.
Encryption at rest using NIST Cryptographic Mechanisms is mandatory for data repositories that hold or manage sensitive commercial or personal information. Examples may include; full-disk, container, application or database level encryption techniques.
Ensure appropriate audit logging functionality is implemented and maintained.
Audit logging should include both application level (access logs) and event based actions.
Audit logs must be retained for as long as appropriate to enable future investigation. In most cases logs should be kept for a minimum of one year. Logs must be immutable and secure.
Ensure client data is not hosted in high risk areas.
Consideration needs to be given to country, legal, contractual, access, sovereignty and counter-party risks.
Security monitoring practices and breach reporting
Ensure you have security monitoring practices in place to detect and manage threats.
You need to be able to demonstrate that you scan your environment for threats and that you take appropriate action where you detect anomalies. Monitoring can be at the: network / infrastructure, application or transaction (data) layer.