Decision 2345/QD-NHNN 2023 methods to ensure secure online payments and bank card payments

ATTRIBUTE

Decision No. 2345/QD-NHNN dated December 18, 2023 of the State Bank of Vietnam on implementation of methods to ensure safe and secure online payments and bank card payments

Issuing body: State Bank of Vietnam

Official number: 2345/QD-NHNN

Signer: Pham Tien Dung

Type: Decision

Expiry date: Updating

Issuing date: 18/12/2023

Fields: Finance - Banking

SUMMARY

Methods to ensure secure online payments and bank card payments from July 1, 2024

On December 18, 2023, the State Bank of Vietnam issued Decision No. 2345/QD-NHNN on implementation of methods to ensure safe and secure online payments and bank card payments.

1. Individual customers must be authenticated before making the first transaction via Mobile Banking, or making a transaction on a different device from the one on which the last mobile banking transaction was made as follows:

- Using the customer's biometric identification features: (i) match the biometric data stored in the chip of the customer's citizen identity card issued by the competent public security agency; (ii) or match the authentication of the customer's electronic identification account created by the electronic identification and authentication system; or

- Using the customer's biometric identification features, which match the biometric data stored in the collected and verified customer biometric database, combined with the OTP authentication method sent via SMS/Voice or Soft OTP/Token OTP.

2. Storing the information about the devices used for the customer's online transactions, and the transaction authentication logs for at least 3 months. Information about the devices must at least include the following:

- For mobile devices: Unique identification information of the device(s) (such as IMEI number, Serial number, WLAN MAC, Android ID, etc.).

- For computers: MAC address or other device identification information through the API (Application Programming Interface) of the operating system.

3. Card payment service providers shall apply the solutions to mitigate the risks as follows:

- Notifying the customer of the transaction via an SMS message or email.

- Setting daily transaction limits.

- Setting up the function to enable/disable online payments.

- Setting limits for daily online card payments.

- Setting up the feature to enable/disable overseas payments (except online transactions).

- Taking the 3D Secure authentication solution (or equivalent) for online payments using international cards.

This Decision takes effect from July 01, 2024.
LuatVietnam.vn is the SOLE distributor of English translations of Official Gazette published by the Vietnam News Agency

THE STATE BANK OF VIETNAM

_____________

No. 2345/QD-NHNN

THE SOCIALIST REPUBLIC OF VIETNAM

Independence - Freedom - Happiness

________________________

Hanoi, December 18, 2023

DECISION

On implementation of methods to ensure safe and secure online payments and bank card payments

_____________

THE GOVERNOR OF THE STATE BANK OF VIETNAM

 

Pursuant to the Law No.46/2010/QH12 on the State Bank of Vietnam dated June 16, 2010;

Pursuant to the Government’s Decree No. 102/2022/ND-CP dated December 12, 2022, defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

Pursuant to Circular No. 35/2016/TT-NHNN dated December 29, 2016, of the Governor of the State Bank, prescribing safety and confidentiality in provision of banking services on the Internet;

Pursuant to Circular No. 35/2018/TT-NHNN dated December 24, 2018, of the Governor of the State Bank, amending and supplementing a number of articles of Circular No. 35/2016/TT-NHNN dated December 29, 2016, of the Governor of the State Bank, prescribing safety and confidentiality in provision of banking services on the Internet;

At the proposal of the Director of the Information Technology Department.

 

DECIDES:

 

Article 1. Credit institutions, foreign bank branches and intermediary payment service providers shall, based on the transaction classification provided in Appendix 01 thereof, take authentication methods in online payments (Internet Banking, Mobile Banking) as follows:

Transaction [1] and least secure authentication measure, by customer type:

1. Type-A transactions

Individual customers:

- Username, password or PIN (if authenticated at the login step, authentication is not required at the transaction step).

Institutional customers:

- Username, password or PIN (if authenticated at the login step, authentication is not required at the transaction step).

2. Type-B transactions

Individual customers:

- OTP sent via SMS or Voice or Email; or

- OTP matrix card; or

- Basic Soft OTP/Token OTP; or

- Two-factor authentication method; or

- Using the customer's biometric identification features attached to the smart portable devices [3]; or

- Advanced Soft OTP/Token OTP; or

- Using FIDO standards; or

- Using safe e-signatures.

Institutional customers:

- OTP sent via SMS or Voice or Email; or

- OTP matrix card; or

- Basic Token OTP, without the function of authenticating users using Token; or

- Using the biometric identification features of the customer’s legal representative or person in charge of accounting (if any), attached to the smart portable devices [3].

3. Type-C transactions

Individual customers:

- Using the customer's biometric identification features, which: (i) match the biometric data stored in the chip of the customer's citizen identity card issued by the competent public security agency [4]; (ii) or match the authentication of the customer's electronic identification account created by the electronic identification and authentication system [5]; or

- Using the customer's biometric identification features, matching the biometric data stored in the collected and verified customer biometric database [6], which is encouraged to be combined with the OTP authentication method sent via SMS/Voice or Soft OTP/Token OTP.

Institutional customers:

- Basic Token OTP, with the function of authenticating users using Token; or

- Two-factor authentication method.

4. Type-D transactions

Individual customers:

Using the customer's biometric identification features, which (i) match the biometric data stored in the chip of the customer's citizen identity card issued by the competent public security agency [4]; (ii) or match the authentication of the customer's electronic identification account created by the electronic identification and authentication system [5]; or match the biometric data stored in the collected and verified customer biometric database [6], combined with any of the following authentication methods:

- Advanced Soft OTP/Token OTP; or

- Using FIDO standards; or

- Using safe e-signatures.

Institutional customers:

- Advanced Soft OTP/Token OTP; or

- Using FIDO standards; or

- Using safe e-signatures.

 

Note:

- Type-D transaction authentication methods may be used to authenticate transactions of types A, B and C.

- Type-C transaction authentication methods may be used to authenticate transactions of types A and B.

- Type-B transaction authentication methods may be used to authenticate transactions of type A.

- In case of applying authentication methods other than those aforesaid, a written report shall be sent to the State Bank (via the Information Technology Department) at least 3 months before application.

Article 2. Credit institutions, foreign bank branches and intermediary payment service providers shall apply the following methods to minimize the risks in online payments:

1. For individual customers, before making the first transaction via Mobile Banking, or making a transaction on a different device from the one on which the last mobile banking transaction was made, the customer must be authenticated as follows:

- Using the customer's biometric identification features: (i) match the biometric data stored in the chip of the customer's citizen identity card issued by the competent public security agency [4]; (ii) or match the authentication of the customer's electronic identification account created by the electronic identification and authentication system; or

- Using the customer's biometric identification features, which match the biometric data stored in the collected and verified customer biometric database [6], combined with the OTP authentication method sent via SMS/Voice or Soft OTP/Token OTP.

2. Sending a notification about the first-time account login via the Internet Banking/Mobile Banking application, or a login via the Internet Banking/Mobile Banking application on a different device from the one used for the last login via an SMS message, or other channels registered by the customer (by email, phone, etc.).

3. Storing the information about the devices used for the customer's online transactions, and the transaction authentication logs for at least 3 months.

a) Information about the devices must at least include the following:

- For mobile devices: Unique identification information of the device(s) (such as IMEI number, Serial number, WLAN MAC, Android ID, etc.).

- For computers: MAC address or other device identification information through the API (Application Programming Interface) of the operating system.

b) Transaction authentication logs must at least include the authentication measure, authentication time, authenticated transaction code, and customer code.

Article 3. Card payment service providers shall apply the solutions to mitigate the risks as follows:

1. Notifying the customer of the transaction via an SMS message or email.

2. Setting daily transaction limits.

3. Setting up the function to enable/disable online payments.

4. Setting limits for daily online card payments.

5. Setting up the feature to enable/disable overseas payments (except online transactions).

6. Taking the 3D Secure authentication solution (or equivalent) for online payments using international cards.

Article 4.

1. The Information Technology Department shall act as the focal point to monitor, supervise and inspect the implementation of this Decision, summarize and report the implementation to the Governor of the State Bank.

2. The Payment Department shall coordinate with the Information Technology Department in monitoring, supervising and inspecting the implementation of this Decision.

3. The Communications Department shall coordinate with relevant units in carrying out communications to citizens and enterprises for the effective application of authentication standards and methods in online payments and bank card payments.

Article 5. Effect:

1. This Decision takes effect from July 01, 2024, and replaces Decision No. 630/QD-NHNN dated May 31, 2017, of the Governor of the State Bank, on the promulgation of the Plan for applying methods to ensure safe and secure online payments and bank card payments.

2. For credit institutions under special control, the provisions of Articles 1 and 2 of this Decision shall apply from January 01, 2025.

Article 6. Chief of Office, Director of the Information Technology Department, heads of units affiliated to the State Bank of Vietnam, Chairpersons of the Board of Directors, Chairpersons of the Members' Council and General Directors (Directors) of credit institutions, foreign bank branches and intermediary payment service providers shall implement this Decision./.

 

 

FOR THE GOVERNOR

THE DEPUTY GOVERNOR

 

 

Pham Tien Dung

____________________

[1] Classification of transactions is specified in Appendix 01.

[2] Details about authentication methods are specified in Appendix 02.

[3] In case where the customer has logged into the Internet Banking/Mobile Banking application, using his/her biometric identification features attached to the smart portable devices (such as smartphone, tablet PC), this authentication method shall not be applied when carrying out transactions during that login session.

[4] Unit must apply the method to accurately authenticate that the customer's citizen identity card is issued by the public security agency.

[5] The electronic identification account, electronic identification and authentication system comply with the Government’s Decree No. 59/2022/ND-CP dated September 05, 2022, on electronic identification and authentication.

[6] Verification to ensure that: (i) The customer's biometric identification data is matched with that stored in the chip of the customer's citizen identity card issued by the competent public security agency; (ii) or the customer's biometric identification data is matched when using the authentication of the customer's electronic identification account created by the electronic identification and authentication system.

* All Appendices are not translated herein.
