THE STATE BANK OF VIETNAM
No. 2345/QD-NHNN

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

Hanoi, December 18, 2023
DECISION
On implementation of methods to ensure safe and secure online payments and bank card payments
_____________
THE GOVERNOR OF THE STATE BANK OF VIETNAM
Pursuant to the Law No.46/2010/QH12 on the State Bank of Vietnam dated June 16, 2010;
Pursuant to the Government’s Decree No. 102/2022/ND-CP dated December 12, 2022, defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
Pursuant to Circular No. 35/2016/TT-NHNN dated December 29, 2016, of the Governor of the State Bank, prescribing safety and confidentiality in provision of banking services on the Internet;
Pursuant to Circular No. 35/2018/TT-NHNN dated December 24, 2018, of the Governor of the State Bank, amending and supplementing a number of articles of Circular No. 35/2016/TT-NHNN dated December 29, 2016, of the Governor of the State Bank, prescribing safety and confidentiality in provision of banking services on the Internet;
At the proposal of the Director of the Information Technology Department.
DECIDES:
Article 1. Credit institutions, foreign bank branches and intermediary payment service providers shall, based on the transaction classification provided in Appendix 01 hereto, apply authentication methods in online payments (Internet Banking, Mobile Banking) as follows.

Minimum authentication measure (2) by transaction type (1):

1. Type-A transactions
- Individual customers: username and password or PIN (if the customer was authenticated at the login step, no further authentication is required at the transaction step).
- Institutional customers: username and password or PIN (if the customer was authenticated at the login step, no further authentication is required at the transaction step).

2. Type-B transactions
- Individual customers, any one of: OTP sent via SMS, Voice or Email; OTP matrix card; basic Soft OTP/Token OTP; a two-factor authentication method; the customer's biometric identification features bound to the smart portable device (3); advanced Soft OTP/Token OTP; FIDO standards; a safe e-signature.
- Institutional customers, any one of: OTP sent via SMS, Voice or Email; OTP matrix card; basic Token OTP without a user-authentication function on the Token; the biometric identification features of the customer's legal representative or of the person in charge of accounting (if any), bound to the smart portable device (3).

3. Type-C transactions
- Individual customers, either: the customer's biometric identification features matched against (i) the biometric data stored in the chip of the customer's citizen identity card issued by the competent public security agency (4), or (ii) the customer's electronic identification account created by the electronic identification and authentication system (5); or the customer's biometric identification features matched against the collected and verified customer biometric database (6), which is encouraged to be combined with OTP sent via SMS/Voice or Soft OTP/Token OTP.
- Institutional customers, either: basic Token OTP with a user-authentication function on the Token; or a two-factor authentication method.

4. Type-D transactions
- Individual customers: the customer's biometric identification features matched against (i) the biometric data stored in the chip of the customer's citizen identity card issued by the competent public security agency (4), (ii) the customer's electronic identification account created by the electronic identification and authentication system (5), or (iii) the collected and verified customer biometric database (6), combined with any one of: advanced Soft OTP/Token OTP; FIDO standards; a safe e-signature.
- Institutional customers, any one of: advanced Soft OTP/Token OTP; FIDO standards; a safe e-signature.
Note:
- Type-D transaction authentication methods may be used to authenticate transactions of types A, B and C.
- Type-C transaction authentication methods may be used to authenticate transactions of types A and B.
- Type-B transaction authentication methods may be used to authenticate transactions of type A.
- In case of applying authentication methods other than those listed above, a written report shall be sent to the State Bank (via the Information Technology Department) at least 3 months before they are applied.
Article 2. Credit institutions, foreign bank branches and intermediary payment service providers shall apply the following methods to minimize the risks in online payments:
1. For individual customers, before the first transaction via Mobile Banking, or before a transaction on a device other than the one on which the last Mobile Banking transaction was made, the customer must be authenticated by one of the following:
- The customer's biometric identification features matched against (i) the biometric data stored in the chip of the customer's citizen identity card issued by the competent public security agency (4), or (ii) the customer's electronic identification account created by the electronic identification and authentication system (5); or
- The customer's biometric identification features matched against the collected and verified customer biometric database (6), combined with OTP sent via SMS/Voice or Soft OTP/Token OTP.
2. Sending the customer a notification, via SMS or another channel the customer has registered (email, phone, etc.), of the first login to the Internet Banking/Mobile Banking application and of any login to that application from a device other than the one used for the previous login.
3. Storing the information about the devices used for the customer's online transactions, and the transaction authentication logs for at least 3 months.
a) Information about the devices must at least include the following:
- For mobile devices: Unique identification information of the device(s) (such as IMEI number, Serial number, WLAN MAC, Android ID, etc.).
- For computers: MAC address or other device identification information obtained through the operating system's API (Application Programming Interface).
b) Transaction authentication logs must at least include the authentication measure, authentication time, authenticated transaction code, and customer code.
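The following is an added example, not part of the Decision or of any bank's implementation, showing how a Mobile Banking back end for individual customers could encode the rules of Article 1 (minimum measure per transaction type, the Note that a stronger type's methods cover weaker types, and footnote 3 on a device biometric already spent at login) together with Article 2.1 (step-up on first use or on a device change) and the minimum log fields of Article 2.3(b). The method names, the `known_devices` registry keyed by customer code, and the `authorize` function are assumptions of the example; the Decision specifies the requirements, not this structure.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum, auto


class Method(Enum):
    """Authentication methods for individual customers named in Article 1 (names are assumed)."""
    PASSWORD = auto()           # username + password or PIN
    OTP_SMS = auto()            # OTP via SMS, Voice or Email
    OTP_MATRIX = auto()         # OTP matrix card
    SOFT_OTP_BASIC = auto()     # basic Soft OTP / Token OTP
    TWO_FACTOR = auto()         # two-factor authentication method
    DEVICE_BIOMETRIC = auto()   # biometric feature bound to the smart portable device
    SOFT_OTP_ADVANCED = auto()  # advanced Soft OTP / Token OTP
    FIDO = auto()               # FIDO standards
    E_SIGNATURE = auto()        # safe e-signature
    BIO_ID_CHIP = auto()        # biometric matched to the citizen identity card chip (footnote 4)
    BIO_EID = auto()            # biometric matched via the electronic identification account (footnote 5)
    BIO_BANK_DB = auto()        # biometric matched to the bank's verified database (footnote 6)


TYPE_B_METHODS = {Method.OTP_SMS, Method.OTP_MATRIX, Method.SOFT_OTP_BASIC, Method.TWO_FACTOR,
                  Method.DEVICE_BIOMETRIC, Method.SOFT_OTP_ADVANCED, Method.FIDO, Method.E_SIGNATURE}
STRONG_BIOMETRIC = {Method.BIO_ID_CHIP, Method.BIO_EID}
ANY_BIOMETRIC = STRONG_BIOMETRIC | {Method.BIO_BANK_DB}
ADVANCED_METHODS = {Method.SOFT_OTP_ADVANCED, Method.FIDO, Method.E_SIGNATURE}
OTP_METHODS = {Method.OTP_SMS, Method.SOFT_OTP_BASIC, Method.SOFT_OTP_ADVANCED}


def _meets_tier(tier: str, used: set[Method]) -> bool:
    """Does `used` satisfy the minimum measure for exactly this transaction type?"""
    if tier == "A":
        return Method.PASSWORD in used
    if tier == "B":
        return bool(used & TYPE_B_METHODS)
    if tier == "C":
        # Pairing BIO_BANK_DB with an OTP is encouraged by Article 1, not required.
        return bool(used & ANY_BIOMETRIC)
    if tier == "D":
        return bool(used & ANY_BIOMETRIC) and bool(used & ADVANCED_METHODS)
    raise ValueError(f"unknown transaction type {tier!r}")


def satisfies(tier: str, used: set[Method], *, device_biometric_used_at_login: bool = False) -> bool:
    """Article 1 check. The Note lets any stronger type's methods cover a weaker type, so a
    Type-C biometric alone is enough for a Type-B transaction. Footnote 3: a device biometric
    consumed at the login step does not count again at the transaction step."""
    if device_biometric_used_at_login:
        used = used - {Method.DEVICE_BIOMETRIC}
    tiers = "ABCD"
    return any(_meets_tier(t, used) for t in tiers[tiers.index(tier):])


def new_device_step_up_ok(used: set[Method]) -> bool:
    """Article 2.1: first Mobile Banking transaction, or a device other than the one used last time,
    needs a chip/eID biometric, or the bank-database biometric combined with an OTP."""
    return bool(used & STRONG_BIOMETRIC) or (Method.BIO_BANK_DB in used and bool(used & OTP_METHODS))


@dataclass(frozen=True)
class AuthLogEntry:
    """Minimum fields of Article 2.3(b): measure, time, transaction code, customer code."""
    customer_code: str
    transaction_code: str
    methods: tuple[str, ...]
    authenticated_at: str  # ISO 8601, UTC


def authorize(tier: str, used: set[Method], customer_code: str, transaction_code: str,
              device_id: str, known_devices: dict[str, str], *,
              device_biometric_used_at_login: bool = False, now: datetime | None = None):
    """Decide one Mobile Banking transaction for an individual customer.
    `known_devices` maps customer code to the device identifier (IMEI, serial, etc., per
    Article 2.3(a)) used for the customer's last transaction; this registry layout is an assumption.
    Returns (allowed, reason, AuthLogEntry or None) and records the device on success."""
    if known_devices.get(customer_code) != device_id and not new_device_step_up_ok(used):
        return False, "new device: Article 2.1 step-up authentication missing", None
    if not satisfies(tier, used, device_biometric_used_at_login=device_biometric_used_at_login):
        return False, f"Type-{tier} transaction: Article 1 minimum measure not met", None
    known_devices[customer_code] = device_id
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    entry = AuthLogEntry(customer_code, transaction_code, tuple(sorted(m.name for m in used)), stamp)
    return True, "ok", entry


if __name__ == "__main__":
    # Constructed walk-through: a new device, then a trusted one, then a device change.
    registry: dict[str, str] = {}
    print(authorize("B", {Method.OTP_SMS}, "C001", "T1", "imei-1", registry))        # denied (new device)
    print(authorize("B", {Method.BIO_ID_CHIP}, "C001", "T1", "imei-1", registry))    # allowed, device stored
    print(authorize("B", {Method.OTP_SMS}, "C001", "T2", "imei-1", registry))        # allowed
    print(authorize("B", {Method.OTP_SMS}, "C001", "T3", "imei-2", registry))        # denied (device changed)
```

The device-change rule runs before the tier check on purpose: a Type-B transaction from an unknown device must meet Article 2.1 even though SMS OTP would satisfy Article 1 on a known device, which is the gap a SIM-swap or stolen-credential attacker exploits.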
Article 3. Card payment service providers shall apply the solutions to mitigate the risks as follows:
1. Notifying the customer of the transaction via an SMS message or email.
2. Setting daily transaction limits.
3. Setting up the function to enable/disable online payments.
4. Setting limits for daily online card payments.
5. Setting up the feature to enable/disable overseas payments (except online transactions).
6. Applying 3-D Secure authentication (or an equivalent solution) to online payments made with international cards.
Article 4.
1. The Information Technology Department shall act as the focal point to monitor, supervise and inspect the implementation of this Decision, summarize and report the implementation to the Governor of the State Bank.
2. The Payment Department shall coordinate with the Information Technology Department in monitoring, supervising and inspecting the implementation of this Decision.
3. The Communications Department shall coordinate with relevant units in carrying out communications to citizens and enterprises for the effective application of authentication standards and methods in online payments and bank card payments.
Article 5. Effect:
1. This Decision takes effect from July 01, 2024, and replaces Decision No. 630/QD-NHNN dated May 31, 2017, of the Governor of the State Bank, on the promulgation of the Plan for applying methods to ensure safe and secure online payments and bank card payments.
2. For credit institutions under special control, the provisions of Articles 1 and 2 of this Decision shall apply from January 01, 2025.
Article 6. The Chief of Office, the Director of the Information Technology Department, heads of units affiliated to the State Bank of Vietnam, Chairpersons of the Boards of Directors, Chairpersons of the Members' Councils and General Directors (Directors) of credit institutions, foreign bank branches and intermediary payment service providers shall implement this Decision./.
FOR THE GOVERNOR
THE DEPUTY GOVERNOR
Pham Tien Dung
____________________
(1) Classification of transactions is specified in Appendix 01.
(2) Details of the authentication methods are specified in Appendix 02.
(3) Where the customer has logged into the Internet Banking/Mobile Banking application using his/her biometric identification features bound to the smart portable device (such as a smartphone or tablet), this authentication method shall not be applied again to transactions carried out during that login session.
(4) The unit must apply a method that reliably verifies that the customer's citizen identity card was issued by the public security agency.
(5) The electronic identification account and the electronic identification and authentication system comply with the Government's Decree No. 59/2022/ND-CP dated September 05, 2022, on electronic identification and authentication.
(6) Verified to ensure that: (i) the customer's biometric identification data matches that stored in the chip of the customer's citizen identity card issued by the competent public security agency; or (ii) the customer's biometric identification data matches when authenticated against the customer's electronic identification account created by the electronic identification and authentication system.
* The Appendices are not translated here.