Directive 03/CT-NHNN on security in electronic payment, card-based payment
ATTRIBUTE
Issuing body: | State Bank of Vietnam | Effective date: | Known |
Official number: | 03/CT-NHNN | Signer: | Le Minh Hung |
Type: | Directive | Expiry date: | Updating |
Issuing date: | 10/01/2017 | Effect status: | Known |
Fields: | Finance - Banking |
THE STATE BANK OF VIETNAM
Directive No. 03/CT-NHNN dated January 10, 2017 of the State Bank of Vietnam on the strengthening of security in electronic payment and card-based payment
In order to strengthen security in electronic payment and card-based payment and minimize the risks in payment activities, to implement the instruction of the Prime Minister on security in electronic payment and card-based payment, and to ensure the benefit of customers, providers of payment services and providers of intermediary payment services, the Governor of the State Bank of Vietnam requires the entities of the State Bank of Vietnam and the providers to perform the following responsibilities:
I. RESPONSIBILITIES OF ENTITIES AT THE HEADQUARTERS OF THE STATE BANK OF VIETNAM
The headquarters of the State Bank of Vietnam shall perform the following responsibilities ex officio:
1. Implement effectively the Scheme on non-cash payment development in Vietnam in 2016-2020 enclosed with the Decision No. 2545/QĐ-TTg dated December 30, 2016 of the Prime Minister. Keep consulting with the Governor of the State Bank of Vietnam about promulgation or revision of the legislative documents in connection with electronic and card-based payment, and legislative documents on security and penalties for violations against the law on electronic payment and card-based payment. Promote the management and control over the latest types, means, and systems of electronic payment in Vietnam.
2. Proactively monitor and update the domestic and international cyber security movements to alert and guide entities in the banking industry to promptly prevent and solve risks and information technology security holes. Design cooperation programmes, exchange information and coordinate with the Ministry of Public Security and the Ministry of Information and Communications in preventing high technology criminals and taking measures for ensuring network security in electronic payment and card-based payment.
3. Consult with the Governor of the State Bank of Vietnam about drawing the road map of applying international standards in security, such as ISO 27001 to information technology systems, the PCI/DSS standard to the card-based payment system, and the latest multi-factor authentication technologies to replace the outdated and unsafe security technology. Proactively conduct research and consult with the Governor of the State Bank of Vietnam about carrying out the instructions as specified in the document on providing guidance on measures for cyber restoration for the financial market infrastructures promulgated by the Committee on Payments and Market Infrastructure Finance (CPMI) of the Bank for International Settlements (BIS).
4. Intensify the inspection and supervision of security in electronic payment and card-based payment to assess, detect, and give early alerts of the risks, and impose penalties for violations against the law on electronic payment and card-based payment.
5. Make an overall communication plan of the banking industry on electronic payment and card-based payment, especially the security in electronic payment and card-based payment, in order for the public to clearly understand and securely use the payment services; and at the same time guide the providers of payment services and providers of intermediary payment services to implement the approved plan and ensure the synchronous communication between the State Bank of Vietnam and the providers.
II. RESPONSIBILITIES OF PROVINCIAL BRANCHES OF THE STATE BANK OF VIETNAM
1. Proactively supervise, monitor, and guide the providers of payment services and providers of intermediary payment services to adopt the documents and regulations of the State Bank of Vietnam on the payment activities in general, and electronic payment and card-based payment in particular; assist the Governor of the State Bank of Vietnam in State management of payment activities, electronic payment and card-based payment in their provinces.
2. Carry out inspection and impose penalties for the providers’ violations against the regulations of the State Bank of Vietnam on processes, procedures, and regulations on security in payment in general and in electronic and card-based payment in particular; supervise and inspect the providers’ implementation of the conclusion and requests after the inspection.
3. Proactively propagate the regulations of law and the policies of the Government and the State Bank of Vietnam on the payment activities in general and in electronic and card-based payment in particular, in order for the public to clearly understand and securely use the payment services.
4. Proactively collect the information on the criminals’ artifices to alert, and at the same time provide guidance on measures for ensuring asset safety of the providers and customers, dig up the information via mass media and provide timely measures for the cases relating to security in electronic payment and card-based payment in the locality. Promptly inform the State Bank of Vietnam of any cases relating to service quality as well as the incidents compromising the security in electronic payment and card-based payment.
5. Guide the local providers to coordinate with the local police authorities in preventing electronic payment-related crimes.
III. RESPONSIBILITIES OF PROVIDERS OF PAYMENT SERVICES AND PROVIDERS OF INTERMEDIARY PAYMENT SERVICES
1. Strictly adopt the guiding documents of the State Bank of Vietnam and the law on payment activities. Regularly inspect, amend and complete procedures and internal regulations on information technology security to minimize the risks, and at the same time detect violations early to ensure compliance with the regulations of the State Bank and the law on security in payment activities. Carry out research and introduce measures to be fully implemented by their affiliated units in the process of payment operation. The process of payment operation shall present its roles, functions and responsibilities in each step during the process of performing the payment transaction.
2. Periodically review and assess the risks of technical infrastructure and information technology serving the payment and implement appropriate measures to minimize risks and ensure asset safety of customers and providers; construct and enact security breach scenarios. Inspect all ATMs and POSs (especially the providers offering merchant services for accepting payments, to prevent fraud), strengthen the system for ensuring safety for transactions via ATMs and POSs, and the measures for customer authentication at ATMs to prevent the use of counterfeit bank cards.
3. Proactively apply international principles and standards to the payment system and information technology security, such as applying the ISO 27001 standard to the information technology system, the PCI/DSS to the card-based payment system, and the latest multi-factor authentication technologies to the bank transactions in order to replace the old and unsafe security technologies. Apply and carry out an assessment of the compliance with principles for the financial market infrastructures promulgated by the Committee on Payments and Market Infrastructure Finance (CPMI) of the Bank for International Settlements (BIS).
4. Provide training in recognizing, receiving, and solving risks for banking staff; provide training programs on criminals’ assault artifices and preventive measures for payment security for the providers offering merchant services for accepting payments.
5. Regularly and promptly provide alerts and instructions for customers so that they are aware of the types of risks and fraud in payment activities and how to utilize payment services securely; advise customers that, in case of any problems, they should calmly coordinate with the providers and competent agencies in solving the problems according to regulations of law.
6. Proactively monitor and promptly solve the arising issues relating to their payment services (head office and branches). When risks and fraud occur, the providers must report to the State Bank of Vietnam and provincial branches of the State Bank of Vietnam (the locality from which the issue arises), and at the same time coordinate with their customers and relevant entities in order to handle those issues according to the regulations and then inform the customer; protect relevant entities’ rights according to regulations of law.
IV. IMPLEMENTATION
1. This Directive takes effect on the signing date.
2. The relevant entities at the headquarters of the State Bank of Vietnam, provincial branches of the State Bank of Vietnam, providers of payment services and providers of intermediary payment services shall implement the duties as specified in this Directive and shall submit the biannual and annual reports on the implementation of the Decree to the State Bank of Vietnam (Department of Payment) within 10 days from the end of the reporting period. The entities which make biannual and annual reports on payment activities shall submit reports on the implementation of the Decree in a particular Section of those reports.
3. Chief of Office, Director General of Payment, Heads of relevant entities of the State Bank of Vietnam, Directors of provincial branches of the State Bank of Vietnam, Chairman of the Management Board, Chairman of the Members Council, General Director (Director) of the providers of payment services and Chairman of the Management Board, General Directors (Directors) of the providers of intermediary payment services are responsible for implementing this Directive./.
The Governor
Le Minh Hung