THE STATE BANK OF VIETNAM | THE SOCIALIST REPUBLIC OF VIETNAM |
No. 20/2020/TT-NHNN | Hanoi, December 31, 2020 |
CIRCULAR
AMENDMENTS TO CIRCULAR NO. 47/2014/TT-NHNN DATED DECEMBER 31, 2014 OF THE GOVERNOR OF THE STATE BANK OF VIETNAM DEFINING TECHNICAL REQUIREMENTS CONCERNING SECURITY AND CONFIDENTIALITY OF EQUIPMENT SERVING BANK CARD PAYMENT
Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on Credit Institutions dated June 16, 2010; Law on Amendments to the Law on Credit Institutions dated November 20, 2017;
Pursuant to the Law on E-Transactions dated November 29, 2005;
Pursuant to the Government’s Decree No. 35/2007/ND-CP dated March 08, 2007 on e-transactions in banking operations;
Pursuant to the Government’s Decree No. 101/2012/ND-CP dated November 22, 2012 on non-cash payments; Government’s Decree No. 80/2016/ND-CP dated July 01, 2016 on amendments to Government's Decree No. 101/2012/ND-CP dated November 22, 2012 on non-cash payments;
Pursuant to the Government’s Decree No. 16/2017/ND-CP dated February 17, 2017 defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the request of the Director of the Information Technology Department;
The Governor of the State Bank of Vietnam hereby promulgates a Circular on amendments to Circular No. 47/2014/TT-NHNN dated December 31, 2014 of the Governor of the State Bank of Vietnam defining technical requirements concerning security and confidentiality of equipment serving bank card payment (hereinafter referred to as the “Circular No. 47/2014/TT-NHNN”).
Article 1. Amendments to Circular No. 47/2014/TT-NHNN
1. Clause 9 of Article 2 is amended as follows:
“9. “strong encryption” means an encryption method based on the algorithm tested and widely accepted in the world with a minimum key length of 112 (one hundred and twelve) bits and appropriate key management techniques. The minimum algorithms include AES (256 bits); RSA (2048 bits); ECC (224 bits); ElGamal (2048 bits).”.
2. Point d Clause 1 of Article 3 is amended as follows:
“d) Internal Internet Protocol address (IP address) and routing information shall not be provided for other organizations without the approval by a competent person. Measures shall be in place to hide internal IP address and information about the routing table when connecting with the third parties;”.
3. Point c Clause 3 of Article 3 is amended as follows:
“c) Access from the cardholder data environment to public Internet shall be subject to the approval by a competent person and kept under strict control.”.
4. Clause 5 is added to Article 4 as follows:
“5. All remote access connections shall be encrypted by strong encryption.”.
5. Clause 8 is added to Article 5 as follows:
“8. Regular reviews shall be carried out to make sure that hardware and software receive technical support from the manufacturer.”.
6. Clause 1 of Article 6 is amended as follows:
“1. The access to all components of an information system serving card payment must be authenticated by at least one of the following methods: secret keys; authentication card or equipment; biometrics.”.
7. Point c Clause 4 of Article 6 is amended as follows:
“e) Unused or expired accounts or accounts that have been inactive for a period of up to 90 days since the last login shall be revoked or deactivated;”.
8. Clause 3 of Article 10 is amended as follows:
“3. There must be phone numbers of card acquirers on all POS.”.
9. Point c Clause 1 of Article 14 is amended as follows:
“c) The card number must be appropriately concealed when shown (only the first 6 and the last 4 digits are shown) and only be fully shown to the card holder and the competent authority or certain employees with the approval by a competent person;”.
10. Clause 1 of Article 15 is amended as follows:
“1. Methods of strong encryption and appropriate security protocols shall be used to protect card authentication data during transmission of information through the network connected to external networks (Internet, wireless network, mobile communications network and other networks).”.
11. Point b Clause 1 of Article 17 is amended as follows:
“b) Cameras shall be used or other measures shall be taken to monitor the entry into or exit from the server room, releasing and printing area, holder data processing and storage area. The monitoring data must be retained, securely protected and accessible for at least 03 months.”.
12. Point i is added to Clause 1 of Article 18 as follows:
“i) Policies and processes shall be promulgated to monitor all access to network resources and cardholder data and disseminated to all individuals and departments related to card operations.”.
Article 2.
The phrase “Cục Công nghệ tin học” (“Informatics Technology Department”) in Articles 20, 22 and 23 of the Circular No. 47/2014/TT-NHNN is replaced with the phrase “Cục Công nghệ thông tin” (“Information Technology Department”).
Article 3. Responsibility for implementation
The Office’s Chief, the Director of the Information Technology Department, the heads of the State Bank’s affiliates, the Directors of the State Bank branches of provinces and central-affiliated cities, and organizations involved in card operations are responsible for the implementation of this Circular.
Article 4. Implementation clause
This Circular comes into force from February 15, 2021./.
| PP. THE GOVERNOR |
---------------
Summary
Issuing body | State Bank of Vietnam |
Number | 20/2020/TT-NHNN |
Document type | Circular |
Signed by | Nguyễn Kim Anh |
Date of issue | 2020-12-31 |
Effective date | 2021-02-15 |
Field | Finance - Banking |
Status | In force |