Skip to main content




SWIFT Customer Security Controls Framework (CSCF) establishes a set of mandatory and advisory security controls for the operating environment of SWIFT users. SWIFT provides the global messaging system that financial organizations use to transmit information and instructions securely. Users can compare the security controls they have implemented with those listed in the CSCF to identify and remediate any compliance gaps. The version used in this section is v2024.


1_2. Operating system privilege account control
033. Restrict administrative access
095. Define users with privileges
1_3. Virtualization or cloud platform protection
062. Define standard configurations
222. Deny access to the host machine
1_4. Restriction of Internet access
249. Locate access points
2_1. Internal data flow security
153. Out of band transactions
174. Transactions without a distinguishable pattern
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
2_2. Security updates
262. Verify third-party components
353. Schedule firmware updates
2_3. System hardening
266. Disable insecure functionalities
2_5A. External transmission data protection
153. Out of band transactions
2_6. Operator session confidentiality and integrity
023. Terminate inactive user sessions
181. Transmit data using secure protocols
336. Disable insecure TLS versions
2_10. Application hardening
266. Disable insecure functionalities
3_1. Physical security
205. Configure PIN
232. Require equipment identity
266. Disable insecure functionalities
273. Define a fixed security suite
4_1. Password policy
127. Store hashed passwords
130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords
333. Store salt values separately
4_2. Multi-factor authentication
362. Assign MFA mechanisms to a single account
5_1. Logical access control
035. Manage privilege modifications
096. Set user's required privileges
186. Use the principle of least privilege
5_2. Token management
031. Discard user session data
305. Prioritize token usage
335. Define out of band token lifespan
357. Use stateless session tokens
362. Assign MFA mechanisms to a single account
5_4. Password repository protection
184. Obfuscate application data
185. Encrypt sensitive information
380. Define a password management tool
6_1. Malware protection
155. Application free of malicious code
6_2. Software integrity
178. Use digital signatures
262. Verify third-party components
330. Verify Subresource Integrity
6_3. Database integrity
172. Encrypt connection strings
330. Verify Subresource Integrity
6_4. Logging and monitoring
075. Record exceptional events in logs
079. Record exact occurrence time of events
376. Register severity level
free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.