S CST TST Pol
This document provides specific conditions for performance or vulnerability testing of SWIFT services and products
and non-SWIFT services and products. This document covers stress tests, throughput tests, intrusion tests or
penetration tests, and any other types of performance testing or vulnerability testing.
23 June 2017
Customer Testing Policy
Table of Contents
Preface
Introduction
1 Vulnerability Testing
1.1 SWIFT software and hardware for which customer testing is permitted
1.2 SWIFT services and products for which customer testing is not permitted
1.3 Customer testing of non-SWIFT services and products
1.4 SWIFT services and products for which customer testing requires SWIFT’s express prior consent
2 Performance Testing
2.1 Stress tests
2.2 FIN stress tests
2.3 Stress tests in CUGs managed by service administrators
3 General Principles for Customer Testing
Legal Notices
Preface
Purpose of this document
This document sets out specific conditions for performance or vulnerability testing of SWIFT
services and products and non-SWIFT services and products. This document covers stress
tests, throughput tests, intrusion tests or penetration tests, and any other types of
performance testing or vulnerability testing.
Customers must not conduct any performance or vulnerability tests on or through SWIFT
services and products unless expressly permitted in this Customer Testing Policy.
This Customer Testing Policy is an integral part of the contractual arrangement between
SWIFT and its customers.
Intended audience
SWIFT intends this document for its customers.
In particular, the following persons should read this document:
• technical experts who operate the SWIFT service
• security experts
• business decision makers who deal with security, risk management, and exposure
management
Related documentation
• SWIFT General Terms and Conditions and other terms and conditions governing the
provision and use of tested SWIFT services and products.
SWIFT-defined terms
This document contains terms that have a specific meaning in the context of SWIFT
documentation (for example, customer, user, or SWIFT services and products).
The definitions of SWIFT-defined terms appear either in this document or in the SWIFT
Glossary. In this document SWIFT differentiates these terms as shown in this example:
SWIFT provides secure, standardised messaging services and interface software to
its customers.
Introduction
Performance and vulnerability testing by SWIFT and customers
SWIFT conducts regular tests to probe the availability, integrity, and confidentiality of SWIFT
services and products. SWIFT typically reports on such tests through SWIFT’s third-party
assurance framework such as SWIFT’s ISAE 3402 type 2 report.
SWIFT understands that, beyond SWIFT’s tests, customers may also wish to conduct
certain performance or vulnerability tests on or through SWIFT services and products.
Because such tests might adversely affect SWIFT’s operations or be indistinguishable from
real threats, customers must not conduct any such test unless expressly permitted in the
SWIFT Customer Testing Policy.
This policy applies to stress tests, throughput tests, intrusion tests or penetration tests, and
any other types of performance testing or vulnerability testing.
1 Vulnerability Testing
1.1 SWIFT software and hardware for which customer testing is permitted
Subject to the conditions set out in this policy or elsewhere in the SWIFT Contractual
Documentation, customers are permitted to perform vulnerability testing on the SWIFT
software and hardware below.
SWIFT software
• Alliance Access, including custom modules built on Alliance Developers Kit (ADK) and
Alliance Access Integration platform (IPLA)
• Alliance Entry
• SWIFT Integration Layer
• Alliance Messaging Hub
• Alliance Gateway
• Alliance Web Platform
• Lite2 AutoClient
• SWIFTNet Link
SWIFT hardware
• Hardware Security module (HSM) box
• HSM Token
• HSM Card and Card reader
• 3SKey token
Without prejudice to other conditions governing the use of that SWIFT software or hardware
under other SWIFT Contractual Documentation, vulnerability testing on that SWIFT software
and hardware is permitted on the following supplemental conditions only:
• Any vulnerability testing must occur locally without any physical and logical connection
to the SWIFT network.
• Customer must test up-to-date and currently supported versions of software and
hardware only.
• SWIFT web sites, such as swift.com, and Internet/web based services or applications,
such as SWIFTRef or Sanctions Testing
• The SWIFT Certificate Centre, also known as the "3Skey Portal"
• SWIFT managed network infrastructure
The same restriction applies to all SWIFT systems and infrastructures supporting these
SWIFT services and products.
2 Performance Testing
2.1 Stress tests
Stress tests on SWIFT messaging services must be carefully planned.
Except for limited FIN stress tests (see section 2.2), customers must always seek SWIFT’s
express approval to perform any stress tests on SWIFT messaging services and solutions,
such as InterAct, FileAct, Browse, WebAccess, FIN and related copy services (such as
FINCopy and FINInform), Sanctions Screening, MIRS and SWIFT gpi.
More information about the process to request such approval is available in the Knowledge
Base tip 2008531.
Important: If a customer plans to perform throughput tests using FINCopy, then all MT 096,
MT 097, and MT 012 must be included in the total number of messages.
Legal Notices
Copyright
SWIFT © 2017. All rights reserved.
Restricted Distribution
Do not distribute this publication outside your organisation unless your subscription or order expressly grants you
that right, in which case ensure you comply with any other applicable conditions.
Disclaimer
SWIFT supplies this publication for information purposes only. The information in this publication may change from
time to time. You must always refer to the latest available version.
Translations
The English version of SWIFT documentation is the only official and binding version.
Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: the SWIFT logo,
SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo, MyStandards, and SWIFT Institute.
Other product, service, or company names in this publication are trade names, trademarks, or registered trademarks
of their respective owners.