Full text of Announcement 268/TB-NHNN: conclusion by Nguyen Kim Anh on cyber security in electronic and card-based payment
VIETNAM STATE BANK
SOCIALIST REPUBLIC OF VIETNAM
Hanoi, September 12, 2016
CONCLUSION BY VICE GOVERNOR NGUYEN KIM ANH IN THE ONLINE MEETING ON “CYBER SECURITY IN ELECTRONIC PAYMENT AND CARD-BASED PAYMENT”
On September 08, 2016, Vietnam State Bank held the online meeting on “cyber security in electronic payment and card-based payment” at 63 teleconference sites across the nation. Representatives of the Economic Department (Government's Office), General Department of Security, Department of Hi-tech Crime Prevention, Department of Cyber Security, Department of Finance, Currency and Investment Security (Ministry of Public Security), Department of Information Security, Vietnam Computer Emergency Response Center (Ministry of Information and Communications), Heads of divisions and departments of the State Bank, Vietnam Credit Information Center, Vietnam Bank for Social Policies, Co-op Bank, Vietnam National Financial Switching Joint-stock Company (NAPAS), Vietnam Information Security Association, Vietnam Banks Association, Vietnam Banking Card Association, commercial banks with headquarters in Hanoi, Office of Finance, Currency and Investment Security (Hanoi Police Department) attended the meeting through the central teleconference site in Hanoi. Heads, managers and information technology officials from provincial branches of the State Bank, representatives of the leaderships of commercial banks with major offices in the localities and Directors of first-level branches of such commercial banks, etc. attended the meeting through provincial teleconference sites. Vice Governor Nguyen Kim Anh presided at the meeting.
After the agencies under the State Bank, Ministries and authorities delivered reports and speeches, and the cyber security specialists from the State Bank, Ministry of Public Security and Ministry of Information and Communications and concerned organizations discussed matters and responded to inquiries, Vice Governor Nguyen Kim Anh issued the following conclusion and instructions:
The management and control of risks over payment activities, in general, and electronic payment, in particular, have been closely directed by the State Bank in line with the strict compliance and cooperation by commercial banks, international card organizations, switching companies, payment intermediary organizations and relevant entities.
However, payment activities in general, and electronic payment in particular, remain prone to risk and fraud incidents, even where banks and payment intermediary organizations adopt the most advanced security solutions. Criminals constantly diversify their attack methods and ruses to break through security solutions and exploit the information of customers who are negligent in safeguarding their data when using electronic and card-based payment services.
In order to minimize risks, uphold security and confidentiality in payment activities in general, and in electronic and card-based payment in particular, and to assure the interests of customers and banks in Vietnam, relevant agencies are to carry out the following tasks in earnest:
1. Department of Payment shall be chiefly responsible for:
(i) Scrutinizing legislative documents and advising the Governor of the State Bank to examine, promulgate or amend such documents on credit institutions’ and payment intermediary organizations’ provision of payment services, with the aim of preventing and minimizing risks throughout payment procedures. Forming inspectorates and supervising (along with other departments) payment activities and the security of electronic and card-based payments in order to provide timely warnings and rectify risks and breaches of the State Bank’s regulations;
(ii) Cooperating with the Bank Inspection and Supervision Agency, Department of Legal Affairs and Department of Information Technology to advise the leadership of the State Bank, by October 15, 2016, on requiring payment service providers and payment intermediaries to specify, in their service provision contracts, responsibilities for receiving customers' information, processing time, and restitution for payment mishaps and errors;
(iii) Researching and promulgating, at the earliest time, the standard(s) for domestic chip cards, then directing credit institutions’ replacement of magnetic stripe cards with integrated circuit cards according to the schedule that the State Bank has approved, in order to diminish the risks and losses that entities engaged in card-based transactions may suffer.
2. Department of Information technology shall be chiefly responsible for:
(i) Researching, formulating and presenting to the Governor of the State Bank, for promulgation, the road map for applying international security standards such as ISO 27001 to information technology systems and PCI DSS to card-based payment systems;
(ii) Conducting research to advise the leadership of the State Bank to give instructions, at the earliest time, on the deployment of multi-factor authentication technologies in banking transactions in lieu of former ones that cyber criminals have exploited;
(iii) Regularly monitoring and staying informed of domestic and global developments in cyber security in order to warn and instruct every agency in the sector to promptly prevent and handle cyber security risks and loopholes. At present, it shall closely coordinate with the Department of Payment in organizing inspectorates and supervising (with other departments) payment activities and the security of credit institutions’ electronic and card-based payments;
(iv) Working with the Police Department for hi-tech crime prevention (C50) and Department of Cyber Security under the Ministry of Public Security, with the Department of Information Security and Computer Emergency Response Center under the Ministry of Information and Communications to expedite the program for information exchange and cooperation in combating hi-tech crimes with the participation of the State Bank’s units and the divisions under the Ministry of Public Security and Ministry of Information and Communications.
3. Bank Inspection and Supervision Agencies and supervisory inspectorates of provincial branches of the State Bank are assigned to: Strengthen their examination, supervision and direction of banks operating in their localities so that they strictly adhere to the regulations on the security of electronic payment systems and card reading devices in the provision of services; instruct the banks to cooperate closely with the police in exchanging information and promptly tackling fraud in electronic and card-based payments.
4. Communication Committee is assigned to: Plan the banking sector's general public communication about cashless payments and present the plan to the Governor of the State Bank for approval and for instructing credit institutions to implement the approved plan.
5. Provincial branches of the State Bank are assigned to: Formulate and accomplish the program of examination and supervision of cashless payment services by local credit institutions and payment intermediaries, by October 30, 2016, in order to assure the continuity, safety and fitness of services for the people's demands for payment; comprehend difficulties and shortcomings of local cashless payment activities then instruct and cooperate with credit institutions to solve such obstacles. Report the result of examination and supervision to the State Bank (Department of Payment) by November 15, 2016.
6. Vietnam National Payment Services Joint-stock Company (NAPAS) shall: Set up risk control mechanisms to detect suspicious transactions and affairs and support the banks to handle such; closely cooperate with participating banks in supervising card-based transactions and promptly alert participating banks about doubtful transactions for swift and complete actions against incidents to assure customers’ interests.
7. Credit institutions shall:
(i) Carry out general examinations and reviews of all professional procedures, technological facilities, human resources and the adoption of regulations in effect, as well as relevant supporting services such as online support centers, complaint settlement, etc. under payment and card-based payment systems, so as to abide by the State Bank’s regulations. Credit institutions must propose the road map to deploy, rectify and complete in 2016 the items that have not adhered to their regulations. Examination reports shall be sent to the State Bank (Department of Payment) by October 30, 2016;
(ii) Recheck and supplement ATM security equipment such as surveillance cameras, problem warning systems, anti-theft systems, etc.; examine ATMs and points of sale to identify and block devices illegally installed to skim card owners’ information;
(iii) Evaluate and classify, by type, the risks in payment activities and adopt suitable solutions to minimize risks and secure the assets that belong to the customers and the banks. Research and apply advanced security technologies such as biometric authentication, PKI and 3-D Secure, first for customers with high-value transactions and gradually for every customer;
(iv) Research and utilize information technology solutions to proactively detect and warn of threats and security risks to customers. Set up and carry out drills in response to information security incidents;
(v) Strengthen communication so that enterprises and people are fully informed of threats and risks and equipped with the knowledge and skills necessary for using banking services safely;
(vi) Train and improve employees’ skills in processing and handling risks; set up response procedures for public relations disasters in general, and for those in electronic and card-based payment activities in particular, in a scientific and professional manner. Cooperate with functional agencies, the State Bank and customers in coping with the ensuing risks and frauds quickly and precisely, with the aim of assuring customers’ interests as per the laws.
8. Vietnam Banks Association shall:
(i) Cooperate with participating banks to propagate information and heighten the awareness of economic entities, when using electronic payment services and methods, of risks and of criminal deceit and fraud;
(ii) Cooperate further with participating banks in monitoring and informing each other of new types of crimes; coordinate and exchange information on ATMs and points of sale, in which card skimmers are planted, and on suspicious individuals, etc.
By the order of the Governor, the office of the State Bank makes this announcement to concerned entities./.
BY ORDER OF THE GOVERNOR
This translation is made by LawSoft and for reference purposes only. Its copyright is owned by LawSoft and protected under Clause 2, Article 14 of the Law on Intellectual Property.