Home
BlogContact Us
Solutions  /  Security & Compliance  /  BDDK Compliant Penetration Testing
Compliance · Banking

BDDK-compliant
independent penetration testing

We carry out the mandatory annual penetration test under the Regulation on Banks' Information Systems and Electronic Banking Services in a format ready for BDDK audit.

At least once a yearIndependent teamRegulation Article 18TSE 13638 certified
Legal Basis
BDDK · Banking information systems
RegulationBSEBYBanks' Information Systems & E-Banking
Official Gazette15.03.2020No. 31069
ObligationArticle 18At least one pentest per year
Non-bankCommuniqué 30737Leasing · Factoring · Financing
01 — Overview

What is BDDK Penetration Testing?

The Regulation on Banks' Information Systems and Electronic Banking Services (Official Gazette 15 March 2020, No. 31069), issued by the Banking Regulation and Supervision Agency (BDDK), requires banks to have their information systems penetration-tested by independent teams at least once a year. Senior management is responsible for ensuring these tests are performed periodically.

The same approach applies, under the relevant communiqué, to financial leasing, factoring, financing and savings financing companies supervised by BDDK. The goal is to detect vulnerabilities in internet/mobile banking, core banking, card and payment systems and outsourcing touchpoints before they can be exploited.

02 — In Scope

Who Is Required to Comply?

BDDK regulations cover most financial institutions under its supervision:
Deposit, participation, development and investment banks
Financial leasing companies
Factoring companies
Financing and savings financing companies
Asset management companies and other BDDK-licensed institutions
Outsourcing providers delivering information systems services to these institutions
Payment and electronic money institutions are supervised by the Central Bank (TCMB) under Law No. 6493 and follow a separate information systems regime; fintech solutions integrated with a bank are assessed within the bank's outsourcing scope. Refer to the relevant authority's regulations for current obligations.
03 — Technical Scope

BDDK Penetration Testing Scope

A holistic test scope from customer channels to core infrastructure, from the card environment to outsourcing.

Internet and Mobile Banking

OWASP-based security testing of customer-facing electronic banking channels, mobile applications and open banking APIs.

Core Banking and Internal Network

Internal penetration testing of core banking systems, internal network and server infrastructure under authenticated and unauthenticated scenarios.

Card and Payment Systems (PCI-DSS)

Testing of card storage and processing environments to satisfy BDDK and PCI-DSS expectations together.

PCI-DSS compliant

Authentication and Authorization

Audit of multi-factor authentication, session management and privilege escalation controls, including insider threat scenarios.

Outsourcing and Third Parties

Assessment of cloud, outsourcing providers and integration points within BDDK's outsourcing expectations.

Logging, Traceability and Reporting

Review of critical transaction logs, log integrity and reporting of findings in a format suitable for BDDK audit.

04 — Methodology

Testing Process

Our independent penetration testing process under the regulation spans from scoping to BDDK-ready reporting.
1

Scope and Regulatory Analysis

The information systems inventory is mapped; Article 18 obligations and the external/internal, application and infrastructure scope are clarified.

2

External and Internal Penetration Testing

Penetration testing is performed on internet-facing assets and the internal network under unauthenticated and authenticated scenarios.

3

Application and Card Environment Testing

The security of internet/mobile banking, open banking APIs and card/payment environments is tested.

4

Validation and Re-testing

A closure validation (re-test) is performed after the identified vulnerabilities have been remediated.

5

BDDK-Format Reporting

Findings are mapped to BDDK requirements; the report is delivered in a form that can be submitted to the audit.

05 — Deliverables

Audit-ready deliverables

Every test results in documents that both the technical team can act on and that can be submitted to BDDK audit.

Detailed technical penetration test report mapped to the regulation
Executive summary and risk rating matrix
Prioritized remediation recommendations and re-test results
Compliance documentation suitable for BDDK audit and PCI-DSS assessment
06 — FAQ

Your questions

Is BDDK penetration testing legally mandatory?
Yes. Under Article 18 of the Regulation on Banks' Information Systems and Electronic Banking Services (Official Gazette 15 March 2020, No. 31069), banks must have their information systems penetration-tested by independent teams at least once a year, and senior management is responsible for this.
How often should penetration testing be performed?
The regulation requires penetration testing at least once a year. Additional testing is recommended after significant system or infrastructure changes.
Who can perform the test?
The test must be performed by independent teams that have no role in the design, development, implementation or operation of the systems being tested. As industry best practice, the test is expected to be conducted by firms certified to the TSE 13638 standard.
Which institutions are in scope?
Deposit, participation, development and investment banks, as well as financial leasing, factoring, financing and savings financing companies, are within scope.
Are payment and fintech institutions also subject to BDDK?
Payment and electronic money institutions have moved to Central Bank (TCMB) supervision under Law No. 6493; their information systems obligations follow TCMB regulations. However, fintech solutions integrated with a bank may be assessed within the bank's outsourcing scope.
What does the test cover?
External and internal network penetration testing; internet/mobile banking and open banking APIs; card and payment environments; and authentication and authorization controls are typically in scope.
Can Netlore perform BDDK penetration testing?
Yes. Netlore performs independent penetration testing aligned with the regulation's expectations and is a penetration testing firm certified by TSE; it reports findings in a format suitable for BDDK audit.
Contact

Contact Us for BDDK Compliant Penetration Testing

Meet your obligations under the regulation and protect customer and financial data.

Request a Quote

Cookie Usage

We use cookies to improve your experience on our website. By continuing, you accept the use of cookies.

Cookie Policy