Page 25 - FIGI: Digital Financial Services security audit guideline
and when data is communicated to backend DFS systems? (See C17 for a discussion of strong encryption algorithms.) Are policies in place to assure the redaction of sensitive customer confidential information?

4.6.12 Are test data and test user accounts deleted from the production environment?

4.6.13 Are the DFS data and forms used for customer registration securely stored and transmitted to prevent any data leakage, using RBAC, data encryption, etc.?

4.6.14 Is the TLS certificate lifetime up to date? I.e., the certificate age should be less than 825 days.

4.6.15 Is there a mechanism in place to ensure that data-at-rest is encrypted and stored securely?

4.6.16 Is there a monitoring mechanism in place to track data sharing through APIs? Are there controls in place to prevent data leakage?

4.6.17 Is there a limitation on sensitive customer information shared with third parties during transaction processing? (e.g., only the information needed for processing the transaction is shared with the third party)

4.6.18 Is there proper segregation of data implemented for test and production environments? Are there processes, such as data anonymization, that limit the use of customer data for test purposes?
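Audit item 4.6.14 asks the auditor to confirm that the TLS certificate's validity period is within 825 days and that it has not expired. The following script is an added example, not part of the guideline, showing how an auditor could script that check with the Python standard library: it reads the notBefore/notAfter fields in the format returned by ssl.SSLSocket.getpeercert(), computes the lifetime, and reports whether the certificate is expired or exceeds the limit. The host names and certificate dates below are constructed for the offline run; fetch_peer_cert() is a network call left for use against a real endpoint.

```python
"""Check a TLS certificate's validity period against the 825-day limit
from audit item 4.6.14 (added example, not part of the guideline)."""
import socket
import ssl
from typing import Optional

MAX_LIFETIME_DAYS = 825  # limit stated in audit item 4.6.14
SECONDS_PER_DAY = 86400


def cert_lifetime_days(cert: dict) -> int:
    """Whole days between notBefore and notAfter of a certificate dict
    in the format returned by ssl.SSLSocket.getpeercert()."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) // SECONDS_PER_DAY


def check_cert(cert: dict, now: Optional[str] = None) -> dict:
    """Findings for 4.6.14. `now` is a time string in the same
    'Mon DD HH:MM:SS YYYY GMT' format; defaults to the current time."""
    import time
    now_seconds = ssl.cert_time_to_seconds(now) if now else int(time.time())
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    lifetime = cert_lifetime_days(cert)
    return {
        "subject": cert.get("subject"),
        "lifetime_days": lifetime,
        "lifetime_within_limit": lifetime <= MAX_LIFETIME_DAYS,
        "expired": now_seconds > not_after,
        "days_until_expiry": (not_after - now_seconds) // SECONDS_PER_DAY,
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the validated leaf certificate presented by host:port.
    Network call; not used in the offline run below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real certs).
SAMPLE_OK = {
    "subject": ((("commonName", "api.dfs.example"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2025 GMT",
}
SAMPLE_TOO_LONG = {
    "subject": ((("commonName", "legacy.dfs.example"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    # Offline run against the constructed samples; swap in
    # fetch_peer_cert("your.dfs.host") to audit a live endpoint.
    for sample in (SAMPLE_OK, SAMPLE_TOO_LONG):
        print(check_cert(sample, now="Jun  1 00:00:00 2024 GMT"))
```

Against a live system, the same check should be run on every externally reachable DFS endpoint (customer-facing API, USSD/SMS gateway, third-party integration endpoints), since a single overlooked host with a stale or over-long certificate is enough to fail the item.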