Total Incidents This Week: 7 (▼ 2 vs last week)
Critical / High: 3 (0, unchanged)
Relevant to Us: 2 (AI triage + human review)
Mexico Local Incidents: 4 / 7 (other 3 are LATAM regional)
Critical · CVSS 9.4 · May 9
Mexican Sofipo Hit by Ransomware; About 2.3M Customer Records Potentially Exposed
Attackers used an unpatched VPN appliance vulnerability (Fortinet CVE-2024-21762 variant) for initial access and deployed LockBit 4.0 to encrypt core databases. The affected institution has reported to CNBV and suspended online services for 48 hours.
Source: Reuters MX / El Financiero · ⚠ Relevant to us: verify VPN appliance patch status
Tags: Ransomware · Sofipo · LockBit · CVE-2024-21762
High · May 8
LATAM Payment Gateway API Keys Exposed, Affecting Multiple Mexican Cash-Loan Platforms
A third-party payment aggregator accidentally exposed configuration files containing production API keys in a GitHub repository. Payout channels for at least three Mexican cash-loan platforms were affected, with unauthorized transactions already reported.
Source: BleepingComputer · ⚠ Relevant to us: confirm third-party payment key status
Tags: API Key Exposure · Cash Loan · Third Party · GitHub
High · May 7
Banxico SPEI Briefly Disrupted, Suspected DDoS Attack
Mexico's SPEI interbank electronic payment system had intermittent outages from 14:00 to 16:30 local time. Banxico described it as a "technical failure," while multiple security-community sources pointed to a DDoS attack. About 1.8M transactions were backlogged.
Source: Expansión / CERT-MX
Tags: DDoS · SPEI · Infrastructure
Medium · May 7
Colombian Bank Phished; Internal Employee Credentials Stolen
Attackers spoofed a CNBV email domain (cnbv-gob[.]mx) and sent macro-enabled Excel files to the bank's Mexico branch. Two operations employees clicked and exposed VPN credentials. The pattern may target multiple LATAM financial institutions.
Source: The Record
Tags: Phishing · Social Engineering · LATAM Regional
Medium · May 6
Mexican Digital Bank KYC Face Recognition Bypassed with Deepfake
Fraud groups used AI-generated liveness videos to open about 40 synthetic accounts for money laundering. The bank has reported to UIF and upgraded liveness checks to 3D structured-light verification.
Source: El Economista
Tags: Deepfake · KYC · AML
Low · May 5
Brazilian Payment Processor PCI Compliance Certification Suspended
The processor's AOC was suspended by PCI SSC after a QSA annual review found unencrypted PAN storage (PCI Req 3.4 violation), affecting settlement paths for some cross-border Mexican merchants.
Source: PCI SSC Announcement
Tags: PCI · Credit Card · Brazil
Info · May 4
CERT-MX Released 2026 Q1 Mexico Financial Sector Threat Report
The report says cyberattacks against Mexico's financial sector rose 34% year over year in Q1, with ransomware and business email compromise (BEC) as the main categories. It recommends stronger MFA deployment and employee security-awareness training.
Source: CERT-MX Website
Tags: Quarterly Report · CERT-MX · Trend
Weekly Situation Snapshot
By Incident Type: Ransomware 2 · Data Breach 2 · DDoS 1 · Phishing 1 · AI Forgery 1
Our Action Items
✅ VPN appliance patch status checked
🔄 Reviewing third-party payment API keys
📋 Scheduling spoofed-domain detection rules
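The "spoofed-domain detection rules" action item above, and the cnbv-gob[.]mx lookalike in the phishing incident, can be expressed as a small triage rule. The following Python is an added example written for this page; it is not code from the dashboard, from CNBV, or from any vendor. It assumes an allowlist of trusted regulator domains (cnbv.gob.mx and banxico.org.mx) and a handful of constructed mail samples; in production the allowlist and the message source would come from the mail gateway or SIEM.

```python
"""Lookalike / spoofed sender-domain triage over constructed mail samples (added example)."""
import re
from email.utils import parseaddr

# Assumed allowlist of legitimate regulator sender domains (example data).
TRUSTED_DOMAINS = {"cnbv.gob.mx", "banxico.org.mx"}
# Brand tokens that should only ever appear inside a trusted domain.
PROTECTED_TOKENS = {"cnbv", "banxico"}
# Office attachment types that can carry VBA macros (the incident used macro-enabled Excel).
MACRO_EXTENSIONS = (".xlsm", ".xlam", ".docm", ".xls", ".doc")

# Digit / letter look-alikes collapsed on BOTH sides of the comparison.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s"})


def refang(domain: str) -> str:
    """Turn defanged notation such as cnbv-gob[.]mx back into a plain hostname."""
    return domain.lower().strip().replace("[.]", ".").replace("(.)", ".")


def skeleton(domain: str) -> str:
    """Drop separators and fold look-alike characters so cnbv-gob.mx == cnbv.gob.mx."""
    return re.sub(r"[.\-_]", "", refang(domain)).translate(_HOMOGLYPHS)


def is_trusted(domain: str) -> bool:
    """Exact trusted domain or a subdomain of one (sub.cnbv.gob.mx), never a suffix trick."""
    d = refang(domain)
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike', 'brand-abuse' or 'unrelated' for a sender domain."""
    if is_trusted(domain):
        return "trusted"
    sk = skeleton(domain)
    if any(sk == skeleton(t) for t in TRUSTED_DOMAINS):
        return "lookalike"          # separator / homoglyph variant of a trusted domain
    labels = re.split(r"[.\-_]", refang(domain))
    if any(tok in labels for tok in PROTECTED_TOKENS):
        return "brand-abuse"        # regulator name used as a label in an untrusted domain
    return "unrelated"


def triage(message: dict) -> dict:
    """Score one message: sender-domain class plus macro-capable attachments from untrusted senders."""
    _, addr = parseaddr(message["from"])
    domain = addr.rpartition("@")[2]
    verdict = classify_domain(domain)
    macro = [a for a in message.get("attachments", [])
             if a.lower().endswith(MACRO_EXTENSIONS)]
    alert = verdict in ("lookalike", "brand-abuse") or (verdict != "trusted" and bool(macro))
    return {"domain": refang(domain), "verdict": verdict,
            "macro_attachments": macro, "alert": alert}


# Constructed samples for the example; none of these are real messages.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Comisión Nacional Bancaria <alertas@cnbv-gob.mx>",
     "attachments": ["Oficio_2026.xlsm"]},
    {"id": "m2", "from": "CNBV <noreply@cnbv.gob.mx>", "attachments": ["circular.pdf"]},
    {"id": "m3", "from": "avisos@cnbv-notificaciones.com", "attachments": []},
    {"id": "m4", "from": "Proveedor <cuentas@example.com>", "attachments": ["factura.xlsm"]},
    {"id": "m5", "from": "RH <rh@example.org>", "attachments": []},
]


def run_samples(messages=SAMPLE_MESSAGES) -> dict:
    """Triage every sample and key the results by message id."""
    return {m["id"]: triage(m) for m in messages}


if __name__ == "__main__":
    for mid, result in run_samples().items():
        print(mid, result)
```

The skeleton comparison catches the separator swap used in the incident (hyphen for dot) and common digit substitutions; the label check catches domains that merely contain the regulator's name. Both sides of the comparison are folded, so the rule is symmetric and a trusted subdomain is never flagged. Macro-capable attachments are only escalated when the sender is outside the allowlist.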
Published This Month: 6 (CNBV 3 · Banxico 1 · UIF 1 · INAI 1)
Action Required: 3 (average remediation window: 45 days)
Aligned: 2 (no additional action required)
Under Review: 1 (awaiting Legal interpretation)
Columns: Publication Date · Source · Title / Summary · Affected Business Lines · Effective Date · Action · Status

2026.05.08 · CNBV · Circular Única Sofipo Amendment: Minimum Capital Adequacy Adjustment
Article 75 amended: unsecured consumer-loan risk weight raised from 100% to 115%
Business lines: Sofipo, Cash Loan · Effective: 2026.07.01 · Action: Recalculate NICAP · Status: Remediating

2026.05.06 · CNBV · Final Version of Amended Cybersecurity Provisions
Adds mandatory 72-hour cyber incident reporting obligation
Business lines: Sofipo, Credit Card, Cash Loan · Effective: 2026.09.01 · Action: Build incident reporting process · Status: Under Review

2026.05.03 · BANXICO · Circular 4/2026: New Cross-Border Payment Reporting Requirements
Cross-border remittances must include sender full address and CURP
Business lines: Cash Loan · Effective: 2026.08.15 · Action: Check payout interface fields · Status: Scheduled

2026.04.28 · UIF · AML Guidance Update: Enhanced Due Diligence (EDD) for High-Risk Customers
PEP customers must be reviewed every 6 months instead of every 12 months
Business lines: Sofipo, Cash Loan, Credit Card · Effective: Immediately · Action: Adjust EDD cycle · Status: Urgent

2026.04.25 · INAI · New Standard Contractual Clauses (SCCs) for Cross-Border Personal Data Transfers Released
Data processing agreements with cloud providers such as AWS / GCP must be updated
Business lines: Sofipo, Credit Card, Cash Loan · Effective: 2026.10.01 · Action: Update DPA appendix · Status: Aligned

2026.04.20 · CNBV · R-28 Reporting Format Amendment Notice
Adds loan portfolio risk concentration detail fields
Business lines: Sofipo · Effective: 2026 Q3 filing · Action: Adjust reporting template · Status: Aligned
Showing 20 of 20 source documents
Circular Única de Sofipos · CNBV · Fully Mapped
Sofipo single circular · covers capital adequacy, governance, regulatory reporting, credit classification, and broad regulatory requirements
142 Controls · 28 Reports · Business line: Sofipo

Ley de Ahorro y Crédito Popular (LACP) · Federal Law · Fully Mapped
Savings and Popular Credit Law · the parent law for Sofipo licensing, defining incorporation conditions, minimum capital, and governance requirements
116 Articles · 38 Controls · Business line: Sofipo

PCI DSS v4.0 · International Standard · Partially Mapped
Payment Card Industry Data Security Standard · 12 requirements · security baseline for credit-card processing and storage environments
12 Requirements · 340+ Subitems · Business line: Credit Card

LFPDPPP + Reglamento · INAI · Fully Mapped
Federal personal data protection law and implementing regulations · data subject rights, consent mechanisms, cross-border transfers, breach notification
69 Articles · 45 Controls · Business line: All

LFPIORPI + Reglas de Carácter General · UIF · Fully Mapped
AML parent law and general rules · customer due diligence (CDD/EDD), suspicious transaction reports (ROS), large-transaction reporting
65 Articles · 52 Controls · Business line: All

ISO 27001:2022 · ISO · Partially Mapped
Information security management system · Annex A 93 controls · ISMS buildout, risk assessment, continual improvement
93 Controls · 4 Domains · Business line: All

Ley Fintech · Federal Law · In Entry
Fintech Law · regulates electronic payments, crowdfunding, virtual assets, and regulatory sandbox
145 Articles · Pending Mapping · Business line: All

LGOAAC + Disposiciones CAT · CONDUSEF · Fully Mapped
Financial Services User Protection Law + CAT (annual total cost) calculation and disclosure rules
56 Articles · 28 Controls · Business line: Cash Loan

Circular 3/2012 + Circular 4/2026 · BANXICO · In Entry
Banxico payment-system circulars · POS terminals, SPEI access, cross-border remittance information reporting
48 Articles · Pending Mapping · Business line: Credit Card
Regulatory Source Documents
Original clause-text PDFs (folder 条款原文PDF_20260509) · 20 source files · individual view and download enabled
Columns: Requirement Name · Regulator · Business Line · Document Type · Status

Ley de Ahorro y Crédito Popular (LACP)
Source file: RM-001-LACP.pdf
Sofipo licensing, governance, capital, and reporting baseline.
Regulator: Federal Law · Business lines: Sofipo · Type: Law · Status: Available

Circular Única de Sofipos
Source file: RM-002-CUSOFIPO.pdf
Core Sofipo operating requirements and regulatory reporting.
Regulator: CNBV · Business lines: Sofipo · Type: Circular · Status: Available

LACP Art. 124 AML General Provisions for Sofipos
Source file: RM-004-UIF-LACP-ART124-DCG(DCG_SOFIPOS_compilado_2021).pdf
AML obligations, customer due diligence, and reporting controls.
Regulator: UIF · Business lines: Sofipo, Cash Loan · Type: General Provisions · Status: Available

LPDUSF · User Protection for Financial Services
Source file: RM-005-LPDUSF.pdf
Customer protection, claims, disclosure, and service obligations.
Regulator: CONDUSEF · Business lines: Cash Loan, Credit Card · Type: Law · Status: Available

LTOSF · Transparency and Ordering of Financial Services
Source file: RM-006-LTOSF.pdf
Financial service transparency, fees, contracts, and disclosure controls.
Regulator: CONDUSEF · Business lines: Cash Loan, Credit Card · Type: Law · Status: Available

Transparency Provisions for Sofipos · 2015
Source file: RM-007-CONDUSEF-TRANSPARENCIA-SOFIPO-2015-Original.pdf
Sofipo-facing transparency and customer disclosure requirements.
Regulator: CONDUSEF · Business lines: Sofipo · Type: General Provisions · Status: Available

CONDUSEF Registry Provisions · 2022
Source file: RM-008-010-DISPOSICION-REGISTROS-CONDUSEF-2022.pdf
Registration and disclosure-related operational requirements.
Regulator: CONDUSEF · Business lines: Sofipo, Cash Loan, Credit Card · Type: General Provisions · Status: Available

LSP · Payment Systems Law
Source file: RM-011-LSP.pdf
Payment-system participation and operating obligations.
Regulator: BANXICO · Business lines: Credit Card · Type: Law · Status: Available

Banxico Circular 3/2012
Source file: RM-016-BanxicoCircular3-2012.pdf
Payment systems, SPEI, cards, and financial operations requirements.
Regulator: BANXICO · Business lines: Credit Card, Cash Loan · Type: Circular · Status: Available

LFPDPPP · Federal Personal Data Protection Law
Source file: RM-017-LFPDPPP.pdf
Consent, privacy notice, ARCO rights, transfer, and breach obligations.
Regulator: INAI · Business lines: All · Type: Law · Status: Available

Reglamento de la LFPDPPP
Source file: RM-018-reglamento de la LFPDPPP.pdf
Implementation rules for personal data protection controls.
Regulator: INAI · Business lines: All · Type: Regulation · Status: Needs extraction check

Diario Oficial de la Federación Source Notice
Source file: RM-019-DOF - Diario Oficial de la Federacion.pdf
Official gazette source document for regulatory traceability.
Regulator: DOF · Business lines: All · Type: Official Gazette · Status: Available

LRSIC · Credit Information Companies Law
Source file: RM-020-LRSIC.pdf
Credit bureau, credit information, and reporting obligations.
Regulator: CNBV · Business lines: Cash Loan, Credit Card · Type: Law · Status: Available

LGTOC · General Law of Credit Instruments and Operations
Source file: RM-021-LGTOC.pdf
Credit instruments, obligations, and commercial financing operations.
Regulator: Federal Law · Business lines: Cash Loan, Credit Card · Type: Law · Status: Available

NOM-151-SCFI-2016 · Data Message Preservation
Source file: RM-022-NOM-151-SCFI-2016-...
Digital document preservation and data-message integrity requirements.
Regulator: NOM · Business lines: All · Type: Official Standard · Status: Available

Código de Comercio (CCom)
Source file: RM-023-CCom.pdf
Commercial code provisions relevant to contracts and digital records.
Regulator: Federal Law · Business lines: All · Type: Code · Status: Available

PCI DSS v4.0.1
Source file: RM-032-PCI-DSS-v4_0_1.pdf
Payment card data security baseline and 12-requirement control set.
Regulator: PCI SSC · Business lines: Credit Card · Type: Standard · Status: Available

PCI PIN Security Requirements and Testing v3.1
Source file: RM-033-PCI_PIN_Security_Requirements_Testing_v3_1.pdf
PIN security control requirements and testing procedures.
Regulator: PCI SSC · Business lines: Credit Card · Type: Standard · Status: Available

PCI 3DS Core Security Standard v1
Source file: RM-034-PCI-3DS-Core-Security-Standard-v1.pdf
3-D Secure environment security requirements.
Regulator: PCI SSC · Business lines: Credit Card · Type: Standard · Status: Available

Banxico Circular 14/2017
Source file: B1-Circular 14_2017.pdf
Banxico circular source added by SME team.
Regulator: BANXICO · Business lines: Credit Card, Cash Loan · Type: Circular · Status: Available
Future AI Knowledge Base (Phase 2 Reserved)
Current phase focuses on source-document access: users can filter by regulator, business line, or keyword, then view or download the exact regulatory PDF.

Phase 2 can connect these source documents to an AI knowledge base after the retrieval pipeline is ready. That future layer should support cited Q&A, PRD compliance checks, and clause-to-control mapping, but no ingestion workflow is exposed in Phase 1.
PCI DSS v4.0 · 12-Requirement Coverage Matrix
Coverage 83% · 10/12 covered
1. Install and Maintain Network Security Controls
2. Apply Secure Configurations to All System Components
3. Protect Stored Account Data
4. Protect Data in Transit with Strong Cryptography
5. Protect Against Malware
6. Develop and Maintain Secure Systems
7. Restrict Access by Business Need
8. Identify Users and Authenticate Access
9. Restrict Physical Access to Cardholder Data
10. Log and Monitor All Access
11. Regularly Test Security Systems
12. Maintain an Information Security Policy
Legend: Complete Coverage · Partial Coverage · Missing / Expired
Document Inventory
Columns: Document Name · Covered Requirements · Issue Date · Expiry Date · Status

AOC · Attestation of Compliance (AOC) 2025 · QSA: TrustWave · PCI DSS v4.0 · Level 2
Covers: Req 1–12 · Issued: 2025.12.15 · Expiry: 2026.12.14 · Status: Valid

SAQ · SAQ D · 2026 Q1 Self-Assessment · Completed internally · 340 self-check items · 298 passed
Covers: Req 1–12 · Issued: 2026.03.30 · Expiry: 2026.06.29 · Status: Valid

ASV · ASV Quarterly Scan Report · 2026 Q1 · Scanner: Qualys · 12 external IPs · 0 high-risk
Covers: Req 11.3 · Issued: 2026.03.15 · Expiry: 2026.06.14 · Status: Expires Within 30 Days

ASV · ASV Quarterly Scan Report · 2025 Q4 · Scanner: Qualys · 12 external IPs · 1 medium-risk (remediated)
Covers: Req 11.3 · Issued: 2025.12.18 · Expiry: 2026.03.17 · Status: Expired

PEN · Annual Penetration Test Report 2025 · Tester: Securitize MX · black-box + gray-box · 3 high / 7 medium / 12 low
Covers: Req 11.4 · Issued: 2025.11.20 · Expiry: 2026.11.19 · Status: Valid

SEG · Network Segmentation Test Report · 2026 H1 · CDE scope: 14 systems · segmentation validation passed
Covers: Req 11.4.5 · Issued: 2026.02.10 · Expiry: 2026.08.09 · Status: Valid

QSA · QSA Auditor Qualification Certificate · TrustWave · Auditor: J. Rodriguez · PCIP #28341
Issued: 2025.06.01 · Expiry: 2026.05.31 · Status: Expires Within 21 Days

TRN · PCI Security Awareness Training Records · 2026 Q1 · 142 participants · 96% pass rate · includes developer-team track
Covers: Req 12.6 · Issued: 2026.03.28 · Status: Archived
Total Documents: 12
Valid: 9
Expires Within 30 Days: 2 (ASV Q1 · QSA Qualification)
Expired: 1 (ASV Q4, needs update)
Detail Panel
Incident Summary / Regulation Summary
This is a generic detail-panel preview. In actual development:

Security Incidents: show full description, IOC list, MITRE ATT&CK mapping, recommended actions, linked controls

Regulatory Updates: show original regulation summary (Spanish + English comparison), impact analysis, action items, owners

Compliance Library Regulations: show chapter tree (left navigation + right-side clauses), each linked to controls + evidence + owner

PCI Certificates: show file preview, metadata, linked PCI requirements, version history, audit trail
Metadata
Entry Time: 2026-05-10 14:28
Source: Reuters MX / El Financiero
Severity: Critical
Affected Business Lines: Sofipo
Owner: Rubén García (CISO)
Linked Controls: CTL-008, CTL-045, CTL-089
Actions: Compliance Copilot (AI · Phase 2 · AI Reserved)