Brussels, November 27th – Shirley Delvaux, Product Owner and PSCF Project Manager, together with Arthur Dang, IT Security Officer, share how our company navigated the journey to Swift’s Provider Security Compliance Framework (PSCF) certification — from early assumptions to a full-scale, cross-departmental effort. Read on to see how the journey unfolded.
When Khyber Scholtz, IT Risk Manager at our company, first mentioned Swift's Provider Security Compliance Framework (PSCF) during an offsite meeting in Istanbul in April 2024, the team thought it would be a straightforward process. After all, we were already ISO 27001 certified with robust security policies in place. However, as we dove deeper into the requirements with our internal auditors, we quickly realized this would be a more substantial undertaking than initially anticipated.
The PSCF certification became mission-critical for a simple reason: compliance wasn't optional. As a Swift service provider, failing to achieve certification on time would trigger notifications to our customers about our non-certified status—a reputation disaster—and could even block us from onboarding new customers on Business Connect. With the audit scheduled for February 2025, we had roughly seven months to close the gaps and prove our compliance.
The Challenge: More Than Just Checkboxes
"First, we thought it was not going to be a big deal," admits Shirley Delvaux, Product Owner and PSCF Project Manager. "But when we reviewed the requirements with our internal auditors, we realized we had gaps and it was mandatory to do some work."
The assessment revealed that approximately 15-20% of requirements needed attention. It wasn't the quantity that posed the challenge, but rather the modifications and improvements needed to existing policies and procedures. Some controls required full implementation, while others needed refinement.
The biggest challenge? Workload management. The IT team was already stretched thin with customer priorities and ongoing projects. Balancing this high-priority certification project with business-as-usual operations required careful orchestration. Fortunately, the seven-month timeline provided enough breathing room to work on PSCF in parallel with other commitments.
Strategic Approach: Quick Wins First
The team's strategy was straightforward: prioritize quick wins to give auditors something to close immediately, providing a clear picture of remaining work and timeline. Critical blocking observations—gaps that could halt the certification process—took top priority.
"We prioritized the blocking gaps first because they were the first ones to be closed in order to avoid a notification being sent to customers," Ms Delvaux explains. This approach allowed the team to systematically tackle complex issues while demonstrating steady progress.
The project involved nearly every department—primarily IT and Customer Success, with contributions from Risk Management, Sales, and HR. Notably, the team accomplished this without external consultants, relying instead on their internal expertise and guidance from the third-party auditor, Deloitte. The IT team even developed their own tools rather than purchasing external solutions. The only external resource needed was a third-party service for employment reference checks, a mandatory PSCF requirement.
Transparency with auditors proved crucial. From the first meeting, the team established a clear seven-month timeline with regular check-ins every two months. This created a feedback loop where the team could submit evidence and receive guidance on their progress.
Technical Implementation: Building a Fortress
For Arthur Dang, IT Security Officer, the technical work centred on three critical areas: encryption, integrity checks, and access controls.
Encryption and Network Security
The most technically challenging control was encrypting all data flows within the infrastructure. "We had to deploy our own certificate authority," Mr. Dang explains. "It was a deployment that could have caused a lot of disruption within the infrastructure, so we took a long time to deploy everything carefully."
Network segmentation was already in place thanks to AWS VPC architecture, with each environment operating in its own network. However, the team added redundancy by duplicating the Swift connectivity pack—the stack that connects to Swift's network—ensuring backup availability if the primary connection fails.
The Four-Eyes Framework
A cornerstone of the certification was establishing access management across all systems. The team implemented a comprehensive four-eyes approval process for critical operations, requiring individual nominative accounts for every team member, complete audit logging of all access events, and mandatory dual approval for sensitive actions.
"Everyone has their own account, we have comprehensive logging for all accesses, and critical operations require approval before execution," Mr. Dang explains. "This four-eyes check ensures that no single person can perform sensitive actions unilaterally." This multi-layered approach applied uniformly across the infrastructure, customer applications, and Swift connectivity.
The team has a custom administration application that provides complete visibility into access logging and control, enabling them to see who accessed what and when.
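As an added illustration, not the company's own administration application (whose internals the article does not describe), here is a small Python model of the access-control pattern laid out above: every actor must use a nominative account, every access event is appended to an audit trail that answers "who did what and when", and a four-eyes gate blocks execution until a second, distinct person has approved. It also applies the scoping mentioned later under "Balancing Security and Operations": only operations in the critical catalogue need the second approver. The operation names, account names and the list of refused shared account names are constructed assumptions for the example.

```python
"""Four-eyes approval gate with nominative accounts and an audit trail.

Added example; operation and account names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Callable

# Constructed catalogue: only these operations need a second pair of eyes.
CRITICAL_OPERATIONS = {
    "rotate-swift-connectivity-cert",
    "change-firewall-rule",
    "grant-admin-role",
}

# Constructed list of generic accounts that are refused: actions must be
# attributable to a named individual.
SHARED_ACCOUNT_NAMES = {"root", "admin", "ops", "service", "shared"}


@dataclass
class AuditEvent:
    timestamp: str
    actor: str
    action: str        # requested / approved / executed / denied
    operation: str
    request_id: str
    detail: str = ""


@dataclass
class Request:
    request_id: str
    requester: str
    operation: str
    approvers: set[str] = field(default_factory=set)
    executed: bool = False


class FourEyesGate:
    """Pending requests plus an append-only audit log of every access event."""

    def __init__(self, critical_operations=CRITICAL_OPERATIONS, required_approvers: int = 1):
        self.critical_operations = set(critical_operations)
        self.required_approvers = required_approvers  # requester + 1 other = four eyes
        self.requests: dict[str, Request] = {}
        self.audit_log: list[AuditEvent] = []
        self._counter = 0

    def _log(self, actor: str, action: str, operation: str, request_id: str, detail: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, str(actor), action, operation, request_id, detail))

    def _check_nominative(self, actor: str) -> None:
        # Shared or empty accounts break attribution, so they are refused and logged.
        if not actor or actor.strip().lower() in SHARED_ACCOUNT_NAMES:
            self._log(actor, "denied", "-", "-", "non-nominative account")
            raise PermissionError(f"{actor!r} is not a nominative account")

    def request(self, requester: str, operation: str) -> str:
        self._check_nominative(requester)
        self._counter += 1
        request_id = f"REQ-{self._counter:04d}"
        self.requests[request_id] = Request(request_id, requester, operation)
        self._log(requester, "requested", operation, request_id)
        return request_id

    def approve(self, approver: str, request_id: str) -> None:
        self._check_nominative(approver)
        req = self.requests[request_id]
        if approver == req.requester:  # the second pair of eyes must be a different person
            self._log(approver, "denied", req.operation, request_id, "self-approval")
            raise PermissionError("requester cannot approve their own request")
        if approver in req.approvers:
            self._log(approver, "denied", req.operation, request_id, "duplicate approval")
            raise PermissionError("approver already approved this request")
        req.approvers.add(approver)
        self._log(approver, "approved", req.operation, request_id)

    def execute(self, actor: str, request_id: str, action: Callable[[], Any]) -> Any:
        self._check_nominative(actor)
        req = self.requests[request_id]
        if req.executed:
            raise PermissionError("request already executed")
        needs_gate = req.operation in self.critical_operations
        if needs_gate and len(req.approvers) < self.required_approvers:
            self._log(actor, "denied", req.operation, request_id,
                      f"{len(req.approvers)}/{self.required_approvers} approvals")
            raise PermissionError("critical operation lacks four-eyes approval")
        req.executed = True
        self._log(actor, "executed", req.operation, request_id, f"approvers={sorted(req.approvers)}")
        return action()

    def who_did_what(self, request_id: str) -> list[tuple[str, str]]:
        """The access trail for one request: (actor, action) in order."""
        return [(e.actor, e.action) for e in self.audit_log if e.request_id == request_id]


def demo() -> dict:
    """Walk through the non-critical path, the blocked path and the approved path."""
    gate = FourEyesGate()
    rid = gate.request("alice", "restart-test-container")      # not critical: no approval needed
    plain = gate.execute("alice", rid, lambda: "restarted")
    rid2 = gate.request("alice", "change-firewall-rule")        # critical: gated
    outcomes = {}
    for label, call in [
        ("blocked_without_approval", lambda: gate.execute("alice", rid2, lambda: "changed")),
        ("self_approval_refused", lambda: gate.approve("alice", rid2)),
        ("shared_account_refused", lambda: gate.approve("admin", rid2)),
    ]:
        try:
            call()
            outcomes[label] = False
        except PermissionError:
            outcomes[label] = True
    gate.approve("bob", rid2)                                   # a distinct second person
    outcomes["result"] = gate.execute("alice", rid2, lambda: "changed")
    outcomes["plain"] = plain
    outcomes["trail"] = gate.who_did_what(rid2)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trail for the gated request records the request, both refused attempts, Bob's approval and the final execution, which is the "who accessed what and when" view the article attributes to the admin application; the refused shared account is logged too, but without a request id, since it never got as far as a request.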
Hardening and Monitoring
Additional security measures included enhanced malware protection across all servers, automated patch management for minor updates, and software integrity checks to detect unauthorized alterations. While monitoring tools were already extensive, the new admin application filled the critical gap in access logging.
Patch and vulnerability management received a process overhaul. Monthly vulnerability scanner reports and regular access reviews became standard practice, ensuring continuous alignment with security requirements.
Balancing Security and Operations
One key consideration throughout the project was avoiding operational paralysis. The team implemented security controls strategically—meeting certification requirements without unnecessarily hindering day-to-day work.
"The balance for security was everything that was required to have the certification," Mr. Dang explains. "For example, with four-eyes checks, we just put it on critical operations and not all actions, so we can still access our environment without too much hindrance."
Remarkably, customers experienced zero disruptions during implementation. While internal processes adapted and architectural changes occurred—including password management modifications for environments—the customer experience remained seamless.
The Result: Certified and Future-Ready
In February 2025, the team achieved Swift PSCF certification. As pioneers, they became one of the first companies compliant with this newly established standard.
Looking back, Ms Delvaux identifies documentation as the foundation of success. "Everything starts with clear internal processes," she reflects. "The main work we had to do, besides architecture review and technical stuff, was a clear review of all our processes to ensure every procedure was clearly documented and that we were following them when working on a daily basis."
The auditors proved flexible when procedures deviated from standard requirements—provided everything was properly documented. This reinforced a crucial lesson: thorough documentation isn't bureaucracy; it's the backbone of demonstrable compliance.
Lessons for Others
If they could do it again, the team would adjust two things: build more buffer into the planning to reduce end-of-timeline stress, and front-load efforts earlier in the process rather than concentrating the workforce at the deadline.
"Maybe if we put more efforts at the start, we would have less stress after that," Mr. Dang suggests.
For ongoing compliance, the team maintains a regimen of recurrent security actions, monthly vulnerability reviews, and regular access audits. The Head of IT, Head of Customer Success, and IT Risk Manager stay in constant contact with Swift to monitor any updates to the standard, though as early adopters, they don't expect major changes in the coming year.
Annual audits are now part of the routine, though the team expects them to be lighter than the initial certification process. Regardless, they're ready for any level of scrutiny.
Conclusion
Achieving Swift PSCF certification required seven months of focused effort, cross-departmental collaboration, and significant technical implementation. But beyond the certificate itself, the process strengthened the company's security posture, clarified operational procedures, and demonstrated the team's ability to tackle complex compliance challenges without sacrificing customer experience.
For organizations embarking on their own PSCF journey, the message is clear: start early, prioritize transparently, document thoroughly, and remember that the auditors are partners in the process, not adversaries. With the right approach, certification is not just achievable—it's an opportunity to build a more secure, well-documented, and operationally excellent organization.