STATE BANK OF VIETNAM | SOCIALIST REPUBLIC OF VIETNAM
No. 2345/QD-NHNN | Hanoi, December 18, 2023
APPLICATION OF SAFETY AND SECURITY MEASURES TO ONLINE PAYMENT AND CARD PAYMENT
THE GOVERNOR OF STATE BANK OF VIETNAM
Pursuant to the Law on the State Bank of Vietnam dated June 16th 2010;
Pursuant to the Government’s Decree No. 102/2022/ND-CP dated December 12th 2022 on functions, tasks, powers and organizational structure of State Bank of Vietnam;
Pursuant to Circular No. 35/2016/TT-NHNN dated December 29th 2016 of the Governor of State Bank of Vietnam on safety and security of provision of banking services on the Internet;
Pursuant to Circular No. 35/2018/TT-NHNN dated December 24th 2018 of the Governor of State Bank of Vietnam on amendments to some Articles of Circular No. 35/2016/TT-NHNN dated December 29th 2016 of the Governor of State Bank of Vietnam on safety and security of provision of banking services on the Internet;
At the request of the Director of Information Technology Department.
...
...
...
Article 1. Credit institutions, foreign bank branches (FBBs), organizations providing payment services shall, in accordance with the categorization in Appendix 01 hereof, apply authentication methods to online payment (internet banking, mobile banking) as follows:
No. | Transaction [1] | Minimum authentication methods [2]
    |                 | Individual customers | Organization customers
1. Category A transactions
- Username, password or PIN (if a customer has been authenticated during log-in, authentication is not required during transaction)
...
...
...
2. Category B transactions
- OTP sent by SMS or Voice or Email; or
- OTP Matrix Card; or
- Basic OTP generated by soft/hard token; or
- Two-factor authentication method; or
- The customer's handheld device [3]; or
- Advanced OTP generated by soft/hard token; or
- FIDO Authentication; or
...
...
...
- OTP sent by SMS or Voice or Email; or
- OTP Matrix Card; or
- Basic OTP token without authentication of token user; or
- Handheld device biometrics of the customer's legal representative or accountant [3].
3. Category C transactions
- The customer's biometric identifier that: (i) matches the biometric data in the customer's ID card issued by the police authority [4]; or (ii) is authenticated by the customer's electronic identification account created by the electronic identification and authentication system [5]; or
- The customer's biometric identifier that matches the customer's biometric data in the biometric database [6]. Combining it with SMS/Voice OTP or OTP generated by soft/hard token is recommended.
- Basic OTP soft/hard token with authentication of software/token user; or
...
...
...
4. Category D transactions
The customer's biometric identifier that: (i) matches the biometric data in the customer's ID card issued by the police authority [4]; or (ii) is authenticated by the customer's electronic identification account created by the electronic identification and authentication system; or (iii) matches the biometric data stored in the verified biometric database [6], combined with one of the following authentication methods:
- Advanced OTP generated by soft/hard token; or
- FIDO authentication; or
- Safe electronic signature.
- Advanced OTP generated by soft/hard token; or
- FIDO authentication; or
- Safe electronic signature.
...
...
...
- Authentication methods of Category A, B, C transactions can be applied to Category D transactions.
- Authentication methods of Category A, B transactions can be applied to Category C transactions.
- Authentication methods of Category A transactions can be applied to Category B transactions.
- Units that apply authentication methods other than the methods specified above shall send written reports to State Bank of Vietnam (via Information Technology Department) at least 03 months before application.
Article 2. Credit institutions, FBBs and organizations providing payment services shall implement the following solutions to minimize online payment risks:
1. Before an individual customer makes the first transaction using the mobile banking app or before making a transaction using a device that is different from the latest device on which the mobile banking app was used, the customer must be authenticated:
- Using the customer's biometric identifier that: (i) matches the biometric data in the customer's ID card issued by the police authority [4]; or (ii) is authenticated by the customer's electronic identification account created by the electronic identification and authentication system; or
- Using the customer's biometric identifier that matches the customer's biometric data in the biometric database [6], combined with SMS/Voice OTP or OTP generated by soft/hard token.
2. Send a notification of the first login into the Internet Banking/Mobile Banking app, or of a login into the Internet Banking/Mobile Banking app on a device that is different from the latest device, via SMS or another channel registered by the customer (email, phone number, etc.).
...
...
...
a) Mandatory device information includes:
- For mobile devices: a unique identifier of the device, e.g. IMEI, serial number, WLAN MAC, Android ID, etc.
- For computers: MAC address or other device identifiers via the application programming interface (API) of the operating system.
b) The authentication log shall contain the following information: authentication methods, authentication times, codes of authenticated transactions, customers' codes.
Article 3. Providers of card payment services shall implement the following risk minimization solutions:
1. Send notifications of transactions via SMS or emails.
2. Set daily transaction limits.
3. Allow users to enable/disable online transactions.
4. Set daily online card payment limits.
...
...
...
6. Apply 3D Secure protocol (or an equivalent protection method) to online payment by international cards.
2. Payment Department shall cooperate with Information Technology Department in monitoring, supervising, and inspecting the implementation of this Decision.
3. Communications Department shall cooperate with relevant units in publicizing the contents of this Decision to the people and enterprises, effectively supporting the application of authentication methods and standards to online payment and card payment.
1. This Decision comes into force from July 1st 2024 and replaces Decision No. 630/QD-NHNN dated March 31st 2017 of the Governor of State Bank of Vietnam promulgating the Plan for Application of Safety and Security Solutions to online payment and card payment.
2. From January 1st 2025, regulations of Article 1 and Article 2 of this Decision shall apply to credit institutions placed under special control.
Article 6. Chief of Office, Director of Information Technology Department and heads of units of State Bank of Vietnam, Presidents of the Boards of Directors, Presidents of the Member Assemblies, General Directors/Directors of credit institutions, FBBs, providers of payment services are responsible for the implementation of this Decision./.
...
...
...
PP THE GOVERNOR
DEPUTY GOVERNOR
Pham Tien Dung
CATEGORIZATION OF TRANSACTIONS
(Promulgated together with Decision No. 2345/QD-NHNN dated December 18th 2023 of the Governor of State Bank of Vietnam)
No. | Description | Category A | Category B
...
...
...
Category D
I. Individual customers
1. Group I.1:
...
...
...
- Intrabank transfer to the same account holder
All transactions
2. Group I.2:
- Transactions including payments of lawful goods and services processed by payment service providers at payment acceptors selected, appraised, supervised and managed by payment service providers
Any transaction that satisfies the following condition:
...
...
...
Any transaction that satisfies the following conditions:
(i) G + T > 5 million VND
(ii) G + T ≤ 100 million VND
Any transaction that satisfies the following conditions:
(i) G + T > 100 million VND
(ii) G + T ≤ 1.5 billion VND
Any transaction that satisfies the following condition:
G + T > 1.5 billion VND
3
...
...
...
- Intrabank transfer to other account holders
- Domestic interbank transfer
- Money transfer between e-wallets
- E-wallet cash-in [7]
- E-wallet cash-out
Any transaction that satisfies the following conditions:
(i) G ≤ 10 million VND
(ii) G + Tksth ≤ 20 million VND.
...
...
...
1. Any transaction that satisfies the following conditions:
(i) G ≤ 10 million VND
(ii) G + Tksth > 20 million VND
(iii) G + T ≤ 1.5 billion VND.
2. Any transaction that satisfies the following conditions:
(i) G > 10 million VND
(ii) G ≤ 500 million VND
(iii) G + T ≤ 1.5 billion VND.
Any transaction that satisfies one of the following conditions:
...
...
...
(i) G ≤ 10 million VND
(ii) G + Tksth > 20 million VND
(iii) G + T ≤ 1.5 billion VND
2. Any transaction that satisfies the following conditions:
(i) G > 10 million VND
(ii) G ≤ 500 million VND
(iii) G + T ≤ 1.5 billion VND
3. Any transaction that satisfies the following condition:
G > 500 million VND
...
...
...
Group I.4:
Outbound interbank transfer *
Any transaction that satisfies the following conditions:
(i) G ≤ 200 million VND
(ii) G + T ≤ 1 billion VND
Any transaction that satisfies one of the following conditions:
1. Any transaction that satisfies the following conditions:
...
...
...
(ii) G + T > 1 billion VND
2. Any transaction that satisfies the following condition:
G > 200 million VND
II. Organization customers
...
...
...
Group II.1:
Information lookup
All transactions
2. Group II.2:
Intrabank transfer to the same account holder
...
...
...
All transactions
3. Group II.3:
- Intrabank transfer to other account holders
- Domestic interbank transfer
- Transactions including payments of lawful goods and services processed by payment service providers at payment acceptors selected, appraised, supervised and managed by payment service providers
- Money transfer between e-wallets
...
...
...
- E-wallet cash-out
Any transaction that satisfies the following conditions:
(i) G ≤ 1 billion VND
(ii) G + T ≤ 10 billion VND
Any transaction that satisfies one of the following conditions:
1. Any transaction that satisfies the following conditions:
(i) G ≤ 1 billion VND
...
...
...
2. Any transaction that satisfies the following condition:
G > 1 billion VND
4. Group II.4:
Outbound interbank transfer *
Any transaction that satisfies the following conditions:
(i) G ≤ 500 million VND
...
...
...
Any transaction that satisfies one of the following conditions:
1. Any transaction that satisfies the following conditions:
(i) G ≤ 500 million VND
(ii) G + T > 5 billion VND
2. Any transaction that satisfies the following condition:
G > 500 million VND
Notes:
G: Value of the transaction.
Tksth: Total value of Category A and Category B transactions of each category of transactions performed on a bank account (including e-wallet cash-in) or an e-wallet (excluding e-wallet cash-in). Tksth of a bank account/e-wallet shall be zero (0) at the beginning of the day or after the bank account/e-wallet has a transaction in the day which is authenticated by an authentication method for Category C or Category D transactions.
...
...
...
*: Converted limit according to exchange rate at the time of transaction.
ONLINE PAYMENT AUTHENTICATION METHODS
(Promulgated together with Decision No. 2345/QD-NHNN dated December 18th 2023 of the Governor of State Bank of Vietnam)
No. | Method | Description
1. SMS/Voice/Email OTP
...
...
...
The customer will then enter the OTP on the online payment interface to complete the payment process.
2. OTP Matrix Card
The matrix card is a two-dimensional table of rows and columns, each cell holding an OTP.
When an online payment is made, the Internet Banking/Mobile Banking will send a notification of the row and column numbers on the matrix card. The customer will then enter the OTP at that position to complete the payment process.
3. Basic OTP generated by soft token
The OTP-generating software (soft token) is usually installed on a handheld device that has been registered with the payment service provider. Basic OTPs will be periodically generated and synchronized with the online payment system of the payment service provider.
When an online payment is made, the Internet Banking/Mobile Banking will require the customer to enter the OTP generated by the soft token.
...
...
...
4. Advanced OTP generated by soft token
The soft token is usually installed on a handheld device that has been registered with the payment service provider. Advanced OTPs are generated in combination with the transaction code (transaction signing).
When an online payment is made, the Internet Banking/Mobile Banking will generate a transaction code and notify the customer.
The customer or the software will then enter the transaction code into the soft token, which will generate an OTP.
The customer or the software will then enter the OTP on the online payment interface. Next, the customer will give a confirmation to complete the payment process.
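The difference between a periodically generated basic OTP (methods 3 and 5) and an advanced OTP bound to the transaction code (methods 4 and 6) is easiest to see in code. The following is an added illustration, not text or code from the Decision or from any bank's token: the shared seed, the transaction-code derivation and the account identifiers are constructed, and the OTP construction follows RFC 4226 HMAC truncation with the transaction code mixed in, a simplified form of challenge-response rather than any vendor's algorithm.

```python
import hashlib
import hmac
import struct

# Constructed shared seed: provisioned to the customer's soft/hard token and
# held by the bank's online payment system. Not a real key.
SECRET = b"constructed-seed-for-appendix-02-example"
STEP = 30  # seconds per time step of the periodically generated basic OTP


def hotp(key: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 with RFC 4226 dynamic truncation to a fixed-length decimal code."""
    mac = hmac.new(key, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def basic_otp(key: bytes, now: int) -> str:
    """Methods 3/5: the code depends only on the current time step."""
    return hotp(key, struct.pack(">Q", now // STEP))


def transaction_code(amount_vnd: int, beneficiary: str) -> str:
    """Constructed stand-in for the transaction code the bank shows the customer."""
    return hashlib.sha256(f"{amount_vnd}|{beneficiary}".encode()).hexdigest()[:8].upper()


def advanced_otp(key: bytes, tx_code: str, now: int) -> str:
    """Methods 4/6: the transaction code is mixed into the OTP (transaction signing)."""
    return hotp(key, struct.pack(">Q", now // STEP) + tx_code.encode())


def verify_payment(kind: str, key: bytes, otp: str, amount_vnd: int,
                   beneficiary: str, now: int) -> bool:
    """Bank-side check: for the advanced OTP the code is recomputed from the order
    as the bank actually received it, so an altered order cannot match."""
    if kind == "basic":
        expected = basic_otp(key, now)
    else:
        expected = advanced_otp(key, transaction_code(amount_vnd, beneficiary), now)
    return hmac.compare_digest(expected, otp)


def demo(now: int = 1_700_000_000) -> dict:
    # Customer approves 2,000,000 VND to beneficiary "ACC-001" (constructed order).
    shown_code = transaction_code(2_000_000, "ACC-001")
    basic = basic_otp(SECRET, now)
    advanced = advanced_otp(SECRET, shown_code, now)
    return {
        # A basic OTP carries no order data, so it still verifies for an order
        # whose beneficiary was changed between the customer and the bank.
        "basic_accepts_altered_order": verify_payment("basic", SECRET, basic, 2_000_000, "ACC-999", now),
        "advanced_accepts_original_order": verify_payment("advanced", SECRET, advanced, 2_000_000, "ACC-001", now),
        "advanced_accepts_altered_order": verify_payment("advanced", SECRET, advanced, 2_000_000, "ACC-999", now),
    }
```

Only the advanced OTP lets the bank detect that the order it received differs from the one the customer confirmed, which is why the Decision reserves the basic OTP for lower-value categories.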
5. Basic OTP generated by hard token
An OTP token is a device that generates OTPs. Basic OTPs will be periodically generated and synchronized with the online payment system of the payment service provider.
...
...
...
6. Advanced OTP generated by hard token
Advanced OTPs are generated by the hard token in combination with the transaction code (transaction signing).
When an online payment is made, the Internet Banking/Mobile Banking will generate a transaction code and notify the customer.
The customer will then enter the transaction code into the hard token, which will generate an OTP.
The customer will then enter the OTP on the online payment interface to complete the payment process.
7. Two-factor authentication
When an online payment is made, the Internet Banking/Mobile Banking will send an authentication request to the customer's mobile device by a call, USSD or dedicated software.
...
...
...
8. Biometrics
When an online payment is made, the Internet Banking/Mobile Banking will require the customer to present his/her forgery-proof biometric identifier, such as face, finger veins, hand veins, fingerprint, iris, voice.
9. FIDO
Authentication standards established by FIDO Alliance (more at Fidoalliance.org)
When an online payment is made, the Internet Banking/Mobile Banking will require the customer to authenticate using a U2F/UAF device (connected via a USB port, Bluetooth or NFC), an authentication software on the smartphone, or a FIDO2-compatible browser. After authentication using an access code or biometric identifier, the U2F/UAF device or software will automatically communicate with the browser and the server to authenticate the address of the internet banking website and the transaction.
10. Safe digital signature
...
...
...
Safe digital signatures include secured digital signature or recognized foreign digital signature as prescribed by law.
[1] See categorization in Appendix 01.
[2] Details about authentication methods are specified in Appendix 02.
[3] If the customer has signed into the Internet Banking/Mobile Banking using biometrics on a smart handheld device (i.e. a smartphone or tablet), this biometric authentication shall not be used during transactions in the same sign-in session.
[4] The customer's ID card must be authenticated to make sure it is issued by the police authority.
[5] Electronic identification accounts and the electronic identification and authentication system are prescribed in the Government's Decree No. 59/2022/ND-CP dated September 5th 2022.
[6] Verify: (i) the consistency between the customer's biometric identifier and the biometric data in his/her ID card issued by the police authority; or (ii) the consistency between the customer's biometric data and his/her electronic identification account created by the electronic identification and authentication system.
...
...
...
Summary
Issuing body | State Bank of Vietnam |
Number | 2345/QD-NHNN |
Document type | Decision |
Signatory | Phạm Tiến Dũng |
Date of issue | 2023-12-18 |
Effective date | 2024-07-01 |
Field | Monetary - Banking |