STATE BANK OF VIETNAM | SOCIALIST REPUBLIC OF VIETNAM |
No. 630/QD-NHNN | Hanoi, March 31, 2017 |
PROMULGATION OF THE PLAN FOR APPLICATION OF SECURITY MEASURES TO ONLINE PAYMENT AND CARD PAYMENT
THE GOVERNOR OF THE STATE BANK
Pursuant to the Law on the State bank of Vietnam No. 46/2010/QH12 dated June 16, 2010;
Pursuant to the Government's Decree No. 16/2017/ND-CP dated February 17, 2017 on functions, tasks, entitlements and organizational structure of the State bank of Vietnam;
Pursuant to Circular No. 35/2016/TT-NHNN dated December 29, 2016 of the State bank on safety and security of online banking services;
At the request of the Director of Information Technology Department,
DECIDES:
...
Article 2. This Decision comes into force from the day on which it is signed.
Article 3. Chief of Office, Director of Information Technology Department, heads of affiliates of the State bank, directors of provincial branches of the State bank; Chairpersons of the Executive Boards, Chairpersons of the Boards of members, General Directors (Directors) of credit institutions, foreign branch banks (FBBs), providers of payment services are responsible for implementation of this Decision./.
PP GOVERNOR
DEPUTY GOVERNOR
Nguyen Kim Anh
FOR APPLICATION OF SECURITY MEASURES TO ONLINE PAYMENT AND CARD PAYMENT
...
- Improve the quality of IT security, enhance security of online banking and card payment services provided by credit institutions, FBBs and payment service providers
I. Objectives of credit institutions, FBBs and providers of payment services
1. Apply new authentication technologies to Internet banking and mobile banking
From January 01, 2019, according to the categories of transactions in Appendix 01 hereof, payment service providers and online payment service providers shall apply the minimum authentication as follows:
No.
Transaction 1
Minimum authentication 2
1
...
- Username, password or PIN
2
Category B transactions
- SMS OTP.
- or OTP matrix card.
- or basic OTP tokens which are not able to verify users.
3
Category C transactions
- OTP software or basic OTP tokens which can verify users.
...
- or biometric authentication.
4
Category D transactions
- OTP software or advanced OTP tokens which are capable of transaction signing.
- or U2F/UAF authentication.
- or certificate-based authentication.
Notes:
- The authentication methods for Category D transactions can be used for Category A, B and C transactions.
- The authentication methods for Category C transactions can be used for Category A and B transactions.
...
- Use of authentication methods shall be reported to the State bank (through Information Technology Department) before being put into use.
2. Measures for minimization of risks to payment
Providers of card payment services shall implement risk minimization measures by the following deadlines:
No.
Measure
Deadline
1
Sending notices by SMS or email
01/01/2018
...
Establishing daily limits.
01/01/2019
3
Offering the option to allow/disallow online payment.
01/01/2019
4
Establishing daily limits on card payment.
01/01/2019
5
...
01/01/2019
6
Applying 3-D Secure or equivalent authentication for online payment by international cards.
01/01/2019
3. Difficulties that arise during implementation should be reported to the State bank (through Information Technology Department) for assistance.
II. Objectives of affiliates of the State bank
1. Communications Department shall cooperate with relevant units in providing information for the public and enterprises; effectively assist application of authentication standards and authentication solutions to online payment and card payment.
2. Payment Department shall cooperate with Information Technology Department in monitoring, supervising and inspecting the implementation of this Plan.
3. Information Technology Department shall monitor and supervise the implementation of this Plan. Submit annual reports and irregular reports (when necessary) to the Governor of the State bank.
...
PP GOVERNOR
DEPUTY GOVERNOR
Nguyen Kim Anh
CATEGORIZATION OF TRANSACTIONS
No.
Category of transaction
A
B
...
D
I
Individuals
1
- Information access
...
All transactions
2
Bill payments with fixed customer’s ID (electricity, water, telephone, traffic bills)
Limited transactions:
+ Daily limit: ≤ 5 million VND
Limited transactions:
...
3
Intrabank transfer to other account holders
Limited transactions:
+ Daily limit: ≤ 100 million VND
Limited transactions:
+ < 500 million VND per transaction
...
Limited transactions:
+ ≥ 500 million VND per transaction
+ Daily limit registered by clients
4
Domestic interbank transfer
Limited transactions:
+ Daily limit: ≤ 100 million VND
Limited transactions:
...
+ < 1.5 billion VND per day
Limited transactions:
+ ≥ 500 million VND per transaction
+ Daily limit registered by clients
5
Overseas interbank transfer
Limited transactions:
...
+ < 1 billion VND per day
Limited transactions:
+ ≥ 200 million VND per transaction
II
Businesses
...
Information access
All transactions
2
Interbank transfer to the same account holder
All transactions
...
3
Interbank transfer to other account holders
Limited transactions:
+ < 1 billion VND per transaction
+ < 10 billion VND per day
Limited transactions:
...
+ Daily limit registered by clients
4
Domestic interbank transfer
Limited transactions:
+ < 1 billion VND per transaction
+ < 10 billion VND per day
Limited transactions:
...
+ Daily limit registered by clients
5
Overseas interbank transfer
Limited transactions:
+ < 500 million VND per transaction
+ < 5 billion VND per day
Limited transactions:
...
+ Daily limit registered by clients
ONLINE TRANSACTION AUTHENTICATION METHODS
No.
Method
Description
1
SMS OTP
...
The client has to enter the OTP on the online payment interface to complete the transaction.
2
OTP matrix card
The matrix card is a two-dimensional table of rows and columns; each row-and-column position holds an OTP.
When an online payment is made, the online banking system will inform the client of the row number and column number on the matrix card. The client has to enter the corresponding OTP to complete the transaction.
3
Basic OTP software
The basic OTP software program will be installed on a cell phone or tablet registered with the bank and will periodically generate random OTPs, which are synchronized with the online banking system.
4
...
The advanced OTP software program will be installed on a cell phone or tablet registered with the bank and will generate the OTP together with a transaction code (transaction signing).
When an online payment is made, the online banking system will generate a transaction code.
The client has to enter the code into the OTP program to generate the OTP.
Then the client has to enter the OTP on the online payment interface to complete the transaction.
5
Basic OTP token
OTP token is an OTP-generating device. A basic OTP token will periodically generate random OTPs, which are synchronized with the online banking system.
When an online payment is made, the online banking system will request the client to enter the OTP generated by the token to complete the transaction.
6
...
Advanced OTP token is an OTP-generating device. It will generate the OTP together with a transaction code (transaction signing).
When an online payment is made, the online banking system will generate a transaction code.
The client has to enter the code into the OTP token to generate the OTP.
7
Two-factor authentication
When an online payment is made, the online banking system will send an authentication request to the client’s mobile device through the telephone network, using a USSD code, or through a dedicated software program.
The client has to respond utilizing the same factor to confirm or cancel the transaction.
8
Biometric authentication
...
9
Universal 2nd Factor/ Universal Authentication Framework (U2F/UAF)
When an online payment is made, the online banking system will request the client to use a U2F/UAF device which is connected through the USB port or wirelessly (Bluetooth, NFC). After authenticating the user with a password or biometric traits, the U2F/UAF device will communicate with the browser and server to authenticate the website address and the transaction.
10
Digital signature
When an online payment is made, the online banking system will request the client to enter the digital certificate (stored on a USB flash drive or SIM card).
The client has to enter the access code of the USB device or SIM card and select the digital certificate to complete the transaction.
...
2 See authentication methods in Appendix 02
Decision No. 630/QD-NHNN dated March 31, 2017 promulgation of the plan for application of security measures to online payment and card payment
Summary
Issuing body | State Bank of Vietnam |
Number | 630/QD-NHNN |
Document type | Decision |
Signer | Nguyễn Kim Anh |
Date issued | 2017-03-31 |
Effective date | 2017-03-31 |
Field | Currency - Banking |
Status | In force |