API Security at HSBC

Today, API security is a key priority for protecting important data, especially within Financial Services. Here at HSBC, when it comes to data security, our market-leading API Developer platform goes further than just industry best practice.

Let's take a look at our API Security in detail.


API Authentication and Authorisation

All our APIs confirm the identity of every requestor; this is Authentication.

All our APIs are called and activated only by trusted systems; this is Authorisation.

Both of the above are handled during the initial exchange between the Client Application and HSBC's API Gateway.


Transport Layer Security

Transport Layer Security (TLS) is the encryption protocol that keeps internet browsing secure. It protects your privacy and the integrity of your data while in transit. All messages exchanged between you and HSBC use HTTPS, an extension of HTTP that is secured using TLS.

[Diagram: Transport Layer Security]


Message Level Encryption

Message Level Encryption (MLE) ensures the privacy of message data, whether in transit or at rest, and involves a PGP handshake and encryption key exchange.

HSBC uses Message Level Encryption for our Corporate and Institutional APIs to ensure the highest level of security is applied to the data exchanged by our APIs.

We know that MLE carries an overhead, as both parties need to encrypt and decrypt both request and response messages. However, this practice has the important advantage of non-repudiation, giving assurance to both sender and receiver that the message has not been modified.

[Diagram: Message Level Encryption]


Digital Identity

In addition to Message Level Encryption, a Digital Signature is used to ensure that your API requests are not tampered with and originate from the expected source. Currently, we use the Client Private Key to produce the digital signature once the message has been created. In the near future, however, we are moving to JWT notation as the form of Digital Signature, where the JWT token replaces the Client ID and Secret in the message header. The Message Flow in both cases is illustrated below.

Using Client Private Key

[Diagram: Digital Identity, using Client Private Key]

Using JWT with Client Private Key

[Diagram: Using JWT with Client Private Key]
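The JWT flow described above, as an added example that is not HSBC's code: the client signs its identity claims with its private key (RS256), so no Client ID and Secret travel in the header, and the gateway side verifies the signature against the public key registered for that client before trusting any claim. The client ID, audience and five-minute lifetime are assumptions, and the key is generated in-memory for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // unpadded URL-safe base64 used by JWS (RFC 7515)

// MintClientJWT (client side): the client's identity claims are signed with its
// private key, so no shared secret has to travel in the request header.
func MintClientJWT(priv *rsa.PrivateKey, clientID, aud string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "aud": aud,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()}) // short-lived (assumed 5 min)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	h := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyClientJWT (gateway side): signature first, against the public key registered for
// this client, then audience and expiry; the algorithm is pinned to RS256 and "alg" is never read.
func VerifyClientJWT(pub *rsa.PublicKey, tok, aud string, now time.Time) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", errors.New("malformed token")
	}
	sig, err := b64.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1])) // header and payload exactly as received
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("signature rejected: tampered message or wrong key")
	}
	var c struct{ Iss, Aud string; Exp int64 }
	payload, _ := b64.DecodeString(p[1]) // integrity is already guaranteed by the signature
	if json.Unmarshal(payload, &c) != nil || c.Aud != aud || now.Unix() >= c.Exp {
		return "", errors.New("claims rejected: wrong audience or expired")
	}
	return c.Iss, nil // the authenticated client ID
}
```

Because the signature covers the header and payload bytes exactly as received, any change to the claims, or a token signed by a different client's key, fails before the claims are even parsed.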


Summary

HSBC considers API security its highest priority and constantly monitors advancements in technology to improve our protection where possible.

The diagram below illustrates how Authentication, Authorisation, TLS and Message Level Encryption combine to provide you with world class API Security.

[Diagram: Communication diagram]

