TR-03161 - discovered, explain

BSI TR-03174

The IT security of your financial application tested in accordance with BSI TR-03174

BSI TR-03174 is aimed at manufacturers, developers, and operators of digital applications in the financial sector. It specifies binding, verifiable security requirements with the aim of ensuring a uniform and high level of security for financial apps, web applications, and backend systems.

Frau gibt Kontodaten im Smartphone ein. | TÜVIT

What is the BSI TR-03174?

The BSI Technical Guideline TR-03161 aims to protect the confidentiality, integrity and availability of medical data collected by digital health applications.

It was developed by the German Federal Office for Information Security (BSI) and serves as a guideline for developers of healthcare applications when creating secure solutions. It defines the minimum requirements for the IT security of mobile applications, web applications and/or background systems used in the healthcare sector.

Special features of BSI TR-03174

Applies to financial apps, web applications, and backend systems with sensitive data
Guidelines for developers on secure implementation according to “security by design”
Contains requirements, test aspects, and typical threat scenarios
Certification according to TR-03174 strengthens trust and facilitates recognition

We will support you – no matter what

Get started at last!

We advise you

TÜV NORD IT Secure Communication I Berlin

To the consulting services Contact us

Goal achieved?

We check that

TÜV Informationstechnik I Essen

To the test offers Contact us

Frequently Asked Questions (FAQ)

What you need to know about BSI TR-03174

BSI TR-03174 is aimed at manufacturers and developers of financial apps, web applications, and the associated backend systems. It also addresses banks, insurance companies, fintechs, and payment service providers that operate or offer such applications. IT service providers that supply components or interfaces in the financial sector are also part of the target group. In addition, the guideline can be used by anyone who develops or operates applications with sensitive data.

Certification according to BSI TR-03174 does not have a formal validity period of five years. A certificate issued under this certification program is only valid for the version of a product that was tested as part of the conformity assessment.

If changes or modifications are made to a certified product, new versions/configurations are created for which the issued certificate is no longer valid. If conformity with the requirements of BSI TR-03174 is also to be confirmed for the change or further development of a certified product, an application for recertification or maintenance can be submitted to the BSI.

The certificate thus documents the compliant security status at the time of testing and serves as proof for customers, partners, and supervisory authorities.

Depending on the object of the evaluation, the customer may require various additional services/information for the evaluation, including, for example

(Technical) descriptions / documentation
If applicable, entry URLs and IP addresses of the systems to be tested
If role concepts/authorisation components are also to be tested, at least 2 test accounts (with different authorisations) are required.
For mobile app evaluations: release version of the app as a compiled and installable (APK / IPA) file; debug version of the app, with deactivated security measures (such as certificate pinning, jailbreak/root detection) as a compiled and installable (APK / IPA) file

BSI TR-03174 consists of several parts that define specific requirements for applications in the financial sector:

Part 1 – Mobile applications: This part deals with security requirements for native and hybrid apps that run on mobile devices such as smartphones or tablets.

Part 2 – Web applications: This part describes requirements for web applications that are accessible via browsers and provide financial services.

Part 3 – Backend systems: This part focuses on the security requirements for server infrastructures, databases, and interfaces that provide backend services for financial applications.

Each part is tailored to the specific requirements and threat situations of the respective platform. The complete documents are available on the website of the Federal Office for Information Security (BSI).