BDDK-compliant
independent penetration testing
We carry out the mandatory annual penetration test under the Regulation on Banks' Information Systems and Electronic Banking Services in a format ready for BDDK audit.
What is BDDK Penetration Testing?
The Regulation on Banks' Information Systems and Electronic Banking Services (Official Gazette 15 March 2020, No. 31069), issued by the Banking Regulation and Supervision Agency (BDDK), requires banks to have their information systems penetration-tested by independent teams at least once a year. Senior management is responsible for ensuring these tests are performed periodically.
The same approach applies, under the relevant communiqué, to financial leasing, factoring, financing and savings financing companies supervised by BDDK. The goal is to detect vulnerabilities in internet/mobile banking, core banking, card and payment systems and outsourcing touchpoints before they can be exploited.
- Regulation on Banks' Information Systems and Electronic Banking Services — Official Gazette 15 March 2020, No. 31069; Article 18 requires penetration testing at least once a year
- The penetration test must be performed by independent teams that have no role in the design, development, implementation or operation of the systems being tested
- Communiqué on Information Systems of Financial Leasing, Factoring, Financing and Savings Financing Companies (Official Gazette 6 April 2019, No. 30737) imposes a similar obligation on non-bank financial institutions
Who Is Required to Comply?
BDDK Penetration Testing Scope
Internet and Mobile Banking
OWASP-based security testing of customer-facing electronic banking channels, mobile applications and open banking APIs.
Core Banking and Internal Network
Internal penetration testing of core banking systems, internal network and server infrastructure under authenticated and unauthenticated scenarios.
Card and Payment Systems (PCI-DSS)
Testing of card storage and processing environments to satisfy BDDK and PCI-DSS expectations together.
PCI-DSS compliantAuthentication and Authorization
Audit of multi-factor authentication, session management and privilege escalation controls, including insider threat scenarios.
Outsourcing and Third Parties
Assessment of cloud, outsourcing providers and integration points within BDDK's outsourcing expectations.
Logging, Traceability and Reporting
Review of critical transaction logs, log integrity and reporting of findings in a format suitable for BDDK audit.
Testing Process
Scope and Regulatory Analysis
The information systems inventory is mapped; Article 18 obligations and the external/internal, application and infrastructure scope are clarified.
External and Internal Penetration Testing
Penetration testing is performed on internet-facing assets and the internal network under unauthenticated and authenticated scenarios.
Application and Card Environment Testing
The security of internet/mobile banking, open banking APIs and card/payment environments is tested.
Validation and Re-testing
A closure validation (re-test) is performed after the identified vulnerabilities have been remediated.
BDDK-Format Reporting
Findings are mapped to BDDK requirements; the report is delivered in a form that can be submitted to the audit.
Audit-ready deliverables
Every test results in documents that both the technical team can act on and that can be submitted to BDDK audit.
Your questions
Is BDDK penetration testing legally mandatory?
How often should penetration testing be performed?
Who can perform the test?
Which institutions are in scope?
Are payment and fintech institutions also subject to BDDK?
What does the test cover?
Can Netlore perform BDDK penetration testing?
Other Compliance Penetration Tests
Contact Us for BDDK Compliant Penetration Testing
Meet your obligations under the regulation and protect customer and financial data.