Skip to main content




SWIFT Customer Security Controls Framework (CSCF) establishes a set of mandatory and advisory security controls for the operating environment of SWIFT users. SWIFT provides the global messaging system that financial organisations use to transmit information and instructions securely. Users can compare the security controls they have implemented with those listed in the CSCF to identify and remediate any compliance gaps. The version used in this section is CSCF v2021.


1_2. Operating system privilege account controls033. Restrict administrative access
095. Define users with privileges
1_3. Virtualisation platform protection062. Define standard configurations
222. Deny access to the host machine
1_4. Restriction of internet access249. Locate access points
2_1. Internal data flow security153. Out of band transactions
174. Transactions without a distinguishable pattern
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
2_2. Security updates262. Verify third-party components
353. Schedule firmware updates
2_3. System hardening266. Disable insecure functionalities
2_5. External transmission data protection153. Out of band transactions
2_6. Operator session confidentiality and integrity023. Terminate inactive user sessions
181. Transmit data using secure protocols
336. Disable insecure TLS versions
2_10. Application hardening266. Disable insecure functionalities
3_1. Physical security205. Configure PIN
232. Require equipment identity
266. Disable insecure functionalities
273. Define a fixed security suite
4_1. Password policy127. Store hashed passwords
130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords
333. Store salt values separately
4_2. Multi-factor authentication362. Assign MFA mechanisms to a single account
5_1. Logical access control035. Manage privilege modifications
096. Set user's required privileges
186. Use the principle of least privilege
5_2. Token management031. Discard user session data
305. Prioritize token usage
335. Define out of band token lifespan
357. Use stateless session tokens
362. Assign MFA mechanisms to a single account
5_4. Physical and logical password storage184. Obfuscate application data
185. Encrypt sensitive information
380. Define a password management tool
6_1. Malware protection155. Application free of malicious code
6_2. Software integrity178. Use digital signatures
262. Verify third-party components
330. Verify Subresource Integrity
6_3. Database integrity172. Encrypt connection strings
330. Verify Subresource Integrity
6_4. Logging and monitoring075. Record exceptional events in logs
079. Record exact occurrence time of events
376. Register severity level