Circular 47/2014/TT-NHNN

Circular No. 47/2014/TT-NHNN dated December 31, 2014, defining the technical requirements for confidentiality and safety of equipment serving bank card payment


THE STATE BANK OF VIETNAM
--------

SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
----------------

No: 47/2014/TT-NHNN

Hanoi, December 31, 2014

CIRCULAR

DEFINING THE TECHNICAL REQUIREMENTS FOR CONFIDENTIALITY AND SAFETY OF EQUIPMENT SERVING BANK CARD PAYMENT

Pursuant to the Law on the State Bank of Vietnam No. 46/2010/QH12 dated June 16, 2010;

Pursuant to the Law on Credit Institutions No. 47/2010/QH12 dated June 16, 2010;

Pursuant to the Law on Electronic Transactions No. 51/2005/QH11 dated November 29, 2005;

Pursuant to the Government's Decree No. 35/2007/ND-CP dated March 8, 2007 on electronic transactions in banking operations;

Pursuant to the Government's Decree No. 101/2012/ND-CP dated November 22, 2012 on non-cash payments;

Pursuant to Decree No. 156/2013/ND-CP dated November 11, 2013 defining the functions, tasks, entitlements and organizational structure of the State Bank of Vietnam;

At the request of the Director of the Information Technology Administration;

The Governor of the State Bank of Vietnam promulgates the Circular defining the technical requirements for confidentiality and safety of equipment serving bank card payment.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation and regulated entities

1. This Circular defines the technical requirements for confidentiality and safety of equipment serving bank card payment.

2. This Circular applies to organizations that conduct card operations (hereinafter referred to as card organizations), including:

a) Organizations issuing cards (hereinafter referred to as issuers);

b) Organizations making card payments (hereinafter referred to as payment organizations);

c) Organizations providing intermediary payment services (hereinafter referred to as providers) that have equipment for bank card payment.

Article 2. Interpretation of terms

In this Circular, the terms below are construed as follows:

1. Equipment serving card payment includes the equipment and software used for receiving and processing card transactions.

2. An outside ATM (Automated Teller Machine) is an ATM located in a public place or a place without direct supervisors.

3. A POS (Point of Sale) is a card-reading device used for card transactions at card accepting units (hereinafter referred to as accepting units).

4. An mPOS (Mobile Point of Sale) is a POS consisting of software and specialized equipment integrated with a mobile communication device.

5. A bank card (hereinafter referred to as card) is either a magnetic card or a chip card:

a) Magnetic cards are cards on which the information of the cardholder and the card is encoded and stored in the magnetic stripe on the back of the card;

b) Chip cards are cards fitted with a computer chip or integrated circuit for identifying the cardholder and storing and processing the cardholder's transaction information, or for other microprocessing.

6. A card number is a sequence of digits used to identify the issuer and the cardholder.

7. Card data consists of cardholder data and card authentication data:

a) Cardholder data includes the following main items: the card number; the cardholder's name (for identified cards); the card's effective date; the 3 (three)- or 4 (four)-digit service code on the surface of the card that determines the scope in which the card may be used (if any);

b) Card authentication data includes the following: all data on the magnetic stripe of a magnetic card or on the computer chip or integrated circuit of a chip card; the card verification number or card authentication code printed on the card; the cardholder's personal identification number (PIN) or PIN block.

8. The cardholder data environment is the environment comprising the equipment and processes for the transmission and storage of card data.

9. Strong encryption is an encryption method based on a tested, internationally accepted algorithm with a minimum key length of 112 (one hundred and twelve) bits and appropriate key management techniques. The minimum algorithms and key lengths are: AES (128 bits); TDES (112 bits); RSA (2048 bits); ECC (160 bits); ElGamal (2048 bits).

10. Log data is data created by the card payment system or by people to record the transaction process and the operation of the system, in electronic or documentary form, to serve monitoring, investigation and complaint handling.

11. Competent persons in this Circular are the legal representatives of organizations or the persons authorized by those legal representatives.

12. Organizations supporting card operations (hereinafter referred to as card-supporting organizations) are organizations and individuals with expertise that card organizations hire or cooperate with to provide technical services or goods for card payment systems.

Chapter II

GENERAL TECHNICAL REQUIREMENTS

Article 3. Configuration management and establishment of network security devices

1. Requirements for configuration management and establishment of network security devices

a) The establishment of and changes to the configuration of network security devices must be tested and approved by competent persons before implementation;

b) The network connection diagram must be designed to meet the following requirements:

- The cardholder data environment must be separated from other network areas, including the wireless network;

- Server functions must be separated, so that the application server, database server and domain name server are on different servers (which may be virtual servers on one physical server);

- There is a firewall at each point of connection between network areas;

- The network diagram must describe the entire path taken by cardholder data.

c) The responsibilities and powers of departments and individuals in the management and configuration of network security devices shall be assigned in writing;

d) Internal Internet Protocol (IP) addresses and routing information shall not be disclosed to other organizations without the approval of competent persons;

dd) The ports, services and protocols used on the network system, including unsafe ports, protocols and services, shall be documented in writing. Security measures for the use of unsafe ports, services and protocols shall be fully deployed;

e) The policies established on network security devices shall be re-evaluated at least 02 times a year to remove unused, expired or wrongly established policies and to ensure that the policies established on the devices match the policies approved by competent persons.

2. Configuration of network security devices

a) Access to the cardholder data environment shall be restricted; only genuinely necessary and controllable access shall be permitted;

b) Access to network devices and network security devices shall be restricted in accordance with the responsibilities of individuals and departments specified at Point c, Clause 1 of this Article;

c) Configuration files must be kept synchronized with the active configuration of the device and stored safely under confidentiality regulations to prevent unauthorized access;

d) Stateful inspection of data packets must be enabled, or data on the firewall or router must be filtered automatically, to detect invalid packets.

3. Control of direct access from the Internet to the cardholder data environment

a) An intermediary service zone between the Internet and the internal network must be set up (specifying the servers, services, IP addresses, ports and accessible protocols). Inbound and outbound connections between the Internet and the cardholder data environment must pass through this intermediary zone;

b) Anti-spoofing measures must be implemented to detect and block forged source IP addresses;

c) Access from the cardholder data environment out to the Internet is not allowed without the approval of competent persons.

4. Requirements for firewall software on all devices and personal computers that connect to card data

a) The security policy of the firewall software only allows the activities needed for the operational process;

b) The firewall software must be kept active;

c) Users must be prevented from changing the firewall software configuration on the device.

Article 4. Change, removal or disabling parameters, default functionalities of equipment systems serving card payment

1. The default parameters and default functionality of the system (accounts, secret keys, operating system parameters, unused software and applications, parameters on unused POS terminals, default community strings of the Simple Network Management Protocol (SNMP)) shall be changed or disabled.

2. Default parameters (the encryption key of wireless networks, secret keys, default SNMP community strings) in any wireless network environment connected to card data shall be changed.

3. Default functionalities (services, protocols, background programs) shall only be turned on or set up when there is a need to use them.

4. Unnecessary functions, services, files and drivers shall be removed. Additional safety measures (SSH, S-FTP, SSL, IPSec VPN technologies) shall be applied when unsafe services or protocols (File Sharing, NetBIOS, Telnet, FTP) are used to transfer data on the network.

Article 5. Confidentiality and safety in developing and maintaining the equipment serving card payment

1. Security vulnerabilities shall be identified using scanning tools and information from reputable external network security organizations, to determine the impact of new vulnerabilities on the card payment system, rated by degree of impact: high; moderate; low.

2. All equipment for card payment shall be kept updated with the security patches released by the manufacturer. Patches for high-impact vulnerabilities must be installed in the shortest possible time and within 01 month after the manufacturer releases them.

3. Development of card application software must comply with the law and with software development standards widely applied in information technology. The software development life cycle must integrate information security requirements and at least meet the following:

a) The development and test environments must be separated from the operational environment;

b) Card data from the operational environment must not be used in the test environment;

c) All test data and test accounts shall be removed before the software is put into use;

d) The source code of application software shall be evaluated and reviewed to detect and fix potential security vulnerabilities before it is put into use. The evaluators must be different from the persons who developed the source code.

4. Change control procedures for installing security patches and changing application software shall be applied:

a) An assessment of the impact on the entire system shall be prepared and approved by competent persons before implementation;

b) The security and confidentiality of the system must not be affected;

c) Backups shall be made and a backup plan prepared before changes are made.

5. Application source code shall be developed so as to test for and remove security vulnerabilities in applications, including:

a) SQL injection, OS command injection and injection into other data stores;

b) Buffer overflow;

c) Unsafe cryptographic storage;

d) Insecure communications;

dd) Information leakage through error messages (error handling);

e) Injection of JavaScript, JScript, DHTML code or HTML tags;

g) Incorrect access control;

h) Cross-Site Request Forgery;

i) Session ID errors;

k) Vulnerabilities rated high under Clause 1 of this Article.
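Items a) and dd) above name two of the defects a code review must catch. The following is an added example, not text or code from the Circular: it places the injection flaw of item a) beside its hardened form and shows the error-handling discipline of item dd) (a generic message to the user, details only in the log). The `merchants` table, its two rows and the function names are constructed for this illustration.

```python
"""Added example (not part of the Circular): the injection flaw of item a)
beside its hardened form, plus the error-handling rule of item dd).
Uses an in-memory SQLite database with constructed sample data."""
import logging
import sqlite3
import uuid

log = logging.getLogger("card-app")


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two fictitious card accepting units."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE merchants (merchant_id TEXT PRIMARY KEY, name TEXT)")
    con.executemany(
        "INSERT INTO merchants VALUES (?, ?)",
        [("M001", "Shop A"), ("M002", "Shop B")],
    )
    return con


def find_merchant_unsafe(con: sqlite3.Connection, merchant_id: str) -> list:
    """Vulnerable form (item a): user input is spliced into the statement
    text, so quote characters in the input change the meaning of the query."""
    sql = "SELECT name FROM merchants WHERE merchant_id = '" + merchant_id + "'"
    return sorted(row[0] for row in con.execute(sql))


def find_merchant_safe(con: sqlite3.Connection, merchant_id: str) -> list:
    """Hardened form: a bound parameter is always data, never SQL syntax."""
    sql = "SELECT name FROM merchants WHERE merchant_id = ?"
    return sorted(row[0] for row in con.execute(sql, (merchant_id,)))


def lookup_for_user(con: sqlite3.Connection, merchant_id: str) -> dict:
    """Item dd): the caller gets a generic message and a correlation id;
    the driver's error text goes only to the log."""
    try:
        return {"ok": True, "result": find_merchant_safe(con, merchant_id)}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("merchant lookup failed ref=%s error=%r", ref, exc)
        return {"ok": False, "message": f"Request could not be processed (ref {ref})"}


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "M001' OR '1'='1"
    print("unsafe:", find_merchant_unsafe(db, crafted))  # every row comes back
    print("safe:  ", find_merchant_safe(db, crafted))    # no merchant has that id
    print(lookup_for_user(db, "M002"))
```

The reviewer required by Clause 3 d) looks for exactly the pattern in `find_merchant_unsafe`: statement text built by concatenation. The parameterized form is the fix regardless of database engine, and the `lookup_for_user` wrapper keeps driver-specific error text out of anything shown to the cardholder or merchant.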

6. Applications providing services on external networks (Internet, wireless networks, mobile communication networks and other networks) must be subject to measures against threats and security vulnerabilities, including:

a) Security and confidentiality shall be evaluated by automatic or manual assessment tools at least 01 time per quarter and after each change;

b) Technical solutions to automatically detect and prevent attacks, such as a Web Application Firewall, shall be applied.

7. Card payment system software must filter and reject payment for transactions that the law does not permit.

Article 6. Requirements for allocation and control of accounts to access card payment systems

1. Access to card payment applications must be authenticated by at least one of the following methods: secret key, authentication card or device, and biometrics.

2. Remote access to the network system must be authenticated by at least two of the methods specified in Clause 1 of this Article.

3. All secret keys in transmission and storage shall be encrypted with strong encryption methods.

4. Measures to control operating accounts and administration accounts shall be applied:

a) Separate access accounts shall be allocated; the management and operation of card payment equipment shall be assigned to each corresponding individual;

b) Adding, deleting and modifying user identities and access rights to the managed objects shall be controlled;

c) Access rights shall be revoked as soon as the user's term of use expires, the user is transferred to another job, or the user no longer works in operation or management;

d) The identity of the user shall be verified and confirmed when an indirect request is received by email or telephone before the account's secret key is changed or recovered;

dd) A newly allocated account must be given an initial secret key that differs from account to account; the account may only be activated when the user changes the initial secret key;

e) The withdrawal, removal or disabling of unused or expired accounts, or accounts not activated within a period of time, shall be stipulated and carried out;

g) Remote access accounts allocated to card-supporting organizations must be limited in time, approved by competent persons, and monitored in operation;

h) Accounts shall not be shared for accessing the system;

i) The secret key of an account must be changed at least 01 time per quarter; the secret key must be at least 07 (seven) characters long, including both alphabetic and numeric characters (except for PINs); the secret key must not repeat any of the four most recently used;

k) The secret key may be entered incorrectly at most three (03) times. There must be measures to lock the account automatically when the secret key is entered wrongly more than the specified number of times. The locked account may be recovered after at least 30 minutes or on request;

l) If a session with the card payment system is idle for more than 15 minutes, the system shall require re-authentication;

m) Policies and procedures for access and account authentication shall be disseminated and trained, so that the organizations and individuals involved understand their entitlements and responsibilities when they are allocated an access account.
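Items i), k) and l) of Clause 4 are concrete enough to encode directly. The following is an added example, not part of the Circular: a small policy module that enforces the 07-character, letters-and-digits and no-repeat-in-four rules, the three-attempt lockout of at least 30 minutes, and the 15-minute idle limit. The `Account` record, the function names, the salted PBKDF2 history and the reading of "once a quarter" as 90 days are this example's own assumptions.

```python
"""Added example (not part of the Circular): enforcing the secret-key,
lockout and idle-session rules of Article 6, Clause 4, items i), k) and l).
Names, the 90-day reading of "once a quarter" and the in-memory account
record are assumptions of this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_SECRET_LENGTH = 7        # item i): at least 07 characters
SECRET_HISTORY_DEPTH = 4     # item i): no repeat of the four most recent secrets
SECRET_MAX_AGE_DAYS = 90     # item i): changed at least once a quarter (assumed 90 days)
MAX_FAILED_ATTEMPTS = 3      # item k): at most three wrong entries
LOCKOUT_MINUTES = 30         # item k): locked for at least 30 minutes
SESSION_IDLE_MINUTES = 15    # item l): re-authenticate after 15 idle minutes
PBKDF2_ROUNDS = 50_000


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the history never holds clear-text secrets."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def secret_matches(secret: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    name: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # oldest first
    changed_at: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def validate_new_secret(account: Account, candidate: str) -> List[str]:
    """Returns the item i) rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_SECRET_LENGTH:
        problems.append("shorter than 07 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits")
    for salt, digest in account.history[-SECRET_HISTORY_DEPTH:]:
        if secret_matches(candidate, salt, digest):
            problems.append("repeats one of the four most recent secrets")
            break
    return problems


def set_secret(account: Account, candidate: str, now: datetime) -> List[str]:
    """Stores the new secret if it passes validation; returns the problems otherwise."""
    problems = validate_new_secret(account, candidate)
    if not problems:
        account.history.append(hash_secret(candidate))
        account.changed_at = now
    return problems


def is_locked(account: Account, now: datetime) -> bool:
    return account.locked_until is not None and now < account.locked_until


def attempt_login(account: Account, candidate: str, now: datetime) -> str:
    """Returns "ok", "denied" or "locked", applying the item k) lockout."""
    if is_locked(account, now):
        return "locked"
    if account.history and secret_matches(candidate, *account.history[-1]):
        account.failed_attempts = 0
        account.locked_until = None
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        # The third wrong entry exhausts the allowance of item k); further
        # attempts are refused until the lock expires (or an operator resets it).
        account.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
        account.failed_attempts = 0
        return "locked"
    return "denied"


def secret_change_due(account: Account, now: datetime) -> bool:
    """Item i): quarterly change, read here as a 90-day maximum age."""
    return account.changed_at is None or now - account.changed_at > timedelta(days=SECRET_MAX_AGE_DAYS)


def session_requires_reauth(last_activity: datetime, now: datetime) -> bool:
    """Item l): a session idle for more than 15 minutes must authenticate again."""
    return now - last_activity > timedelta(minutes=SESSION_IDLE_MINUTES)
```

The history is kept as salted hashes rather than clear text so that enforcing "not one of the last four" does not itself create a store of old secrets (Clause 3 requires secret keys to be protected in storage). The lockout counter resets when the lock is applied, so the next window of three attempts starts only after the 30 minutes have passed or an operator restores the account.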

5. Policies and procedures for access account authentication shall be issued, including:

a) Guidelines on selecting and protecting authentication information and secret keys;

b) Guidelines on not reusing previously used secret keys;

c) Guidelines on changing secret keys periodically or when leakage is suspected.

6. Access to the card payment database shall be managed:

a) Only the database administrator may access the database directly;

b) Other users must access the database through application programs whose rights to view, enter, delete or change information are controlled;

c) The database account of an application program shall not be used by individuals or other processes;

d) The secret key of the application's database account must be encrypted both in the application and in the database;

dd) All operations on the database must be logged and the log retained for at least 01 year.

Chapter III

TECHNICAL REQUIREMENTS FOR ATM

Article 7. Technical requirements for installation and physical safety of ATM

1. Requirements for installation of ATM

a) Card organizations providing ATM services (hereinafter referred to as organizations providing ATM services) must meet the requirements for ATM installation prescribed by the State Bank of Vietnam on the equipping, management, operation and operational safety of ATMs.

b) For outside ATMs

In addition to the requirements in Clause 1 of this Article, the organization providing ATM services shall take safety measures for outside ATMs against the following risks of loss of physical safety:

- Measures shall be taken to prevent the ATM from being dragged away for unauthorized removal;

- Components and parts of the ATM that need not be exposed shall be concealed.

2. Requirements for the alarm system

a) Organizations providing ATM services shall fit outside ATMs with sensors that warn of heat from a blowtorch and detect strong or external forces on the machine body;

b) Organizations providing ATM services shall fit ATMs with alarm equipment against:

- Unauthorized opening of the machine doors;

- Illegal removal of the machine from its location;

- Unauthorized demolition of the machine. In addition to sounding an alarm on the spot, the alarm device must send a warning to the monitoring center.

3. Requirements for the safe

a) Organizations providing ATM services shall equip the ATM with a safe made of material that resists strong forces and corrosion and dissipates heat or absorbs it slowly, to minimize damage to the shell and loss of money from external force, chemicals and heat;

b) The ATM safe must be fitted with at least two locks whose keys are held by two different people.

4. The keypad for entering the PIN must meet the requirements specified in Article 13 of this Circular.

5. The ATM must have the manufacturer's certificate of origin and certificate of quality.

Article 8. Technical requirements for software, transmission, connection to ATM

1. Organizations providing ATM services must meet the following requirements for ATM software:

a) The ATM operating system must be licensed, supported by the vendor and updated promptly with patches;

b) The installed or configured operating system must separate the different rights: the right to use external storage devices; the right to change the configuration; and the right to run applications and services;

c) The transaction software on the ATM must be set up to alert the user, by image or sound, to safety measures before the PIN is entered and to remind the user to take the card and money after the transaction;

d) Device driver software and transaction software must be set up with features that prevent disclosure of card information and loss of money due to errors, fraud or technical defects, including:

- If the cash dispenser driver software or the software recording electronic transactions does not work, the ATM shall automatically stop its withdrawal function and send an error message to the center;

- The transaction software on the ATM must be set up to force users to re-enter their PIN for each subsequent withdrawal, and to display notices reminding the user of safety measures before entering the PIN and of taking the card after the transaction.

2. Transmission requirements for ATMs

Organizations providing ATM services shall set up ATM transmission so that it blocks access from the Internet except for connections to the center to perform transactions. Operating system patches, anti-virus software and other updates on the ATM shall be applied on the spot or through a centralized internal system.

3. Requirements for interconnection of card payment systems

Contracts and agreements on interconnection of card payment systems through ATMs must define the data to be encrypted and the responsibilities of the parties for the confidentiality of the keys used for encryption. Encryption keys shall be changed at least 01 time per year.

Article 9. Requirements for supervision and security of ATM system

1. Organizations providing ATM services must deploy software for centralized management and real-time, complete tracking of the status of ATMs.

2. Organizations providing ATM services shall have technical and administrative measures to manage the ATM system closely and to detect promptly unauthorized access and the unauthorized installation of equipment that copies card information or records the user's operations:

a) Having a transaction monitoring system on the card payment system that monitors continuously to detect suspicious or fraudulent card payment transactions based on time, geographical location, transaction frequency, transaction amount, PIN entered wrongly more times than permitted, and other unusual signs, for timely handling and alerting of the cardholder;

b) The images recorded by the camera must be clear enough to resolve investigation and complaint requests.

3. Log data on the ATM must be available for access for at least 03 months and stored for at least 01 year.

4. Organizations providing ATM services must satisfy the other requirements for operational safety of ATMs under the provisions of the State Bank of Vietnam on the equipping, management, operation and operational safety of ATMs.

Chapter IV

TECHNICAL REQUIREMENTS FOR POS

Article 10. Technical requirements for POS

1. Payment organizations, providers and card accepting units must have a clear agreement on the responsibilities of the card accepting units, including:

a) The POS shall be managed and installed in a safe place. There are measures to prevent unauthorized use or theft of the POS and the installation of equipment that illegally reads data on the POS;

b) Power and transmission lines shall be installed in accordance with the manufacturer's technical requirements;

c) The POS must bear the name and logo of the payment organization.

2. The POS must have the manufacturer's certificate of origin and certificate of quality.

3. The contact telephone number of the payment organization and of the organization providing support services (if any) must appear on every POS.

4. The keypad for entering the PIN must meet the requirements specified in Article 13 of this Circular.

5. Payment organizations and issuers must have a system for monitoring and warning of unusual transactions (by quantity, value, time and place of transaction).

Article 11. Requirements for mPOS

1. Payment organizations, providers and card accepting units must have a clear agreement on technical standards and on the responsibilities for inspecting and supervising the operation of mPOS, meeting at least the following requirements:

a) Requirements for the mobile communication device on which the mPOS software is installed:

- The device must not be jailbroken or rooted, and connections not needed for payment must be turned off;

- Security features against loss and theft (location tracking via GPS, encryption of the storage drive) shall be additionally installed. At the same time, the card accepting unit must keep records of the serial number and software version of the device.

b) Requirements for the mPOS software:

- The mPOS software shall be installed under the guidance of the unit providing the solution or of the payment organization;

- The mPOS software shall not be allowed to make payments when the mPOS device cannot connect to the card payment center, and it shall not store card transactions;

- The mPOS screen must display the ready-to-serve status so that the user knows it;

- The bill shall be sent to customers by email or SMS or printed out (on request), with the card number concealed (displaying at most the first 06 (six) digits and the last 04 (four) digits).

2. Payment organizations must publish the list of card accepting units registered to accept payment by mPOS on their website or other media (if any).

Chapter V

CARD DATA SECURITY

Article 12. Policy on confidentiality and safety of card information

1. Card organizations must make and update the list of card payment equipment and describe its functions in relation to the card payment system.

2. Card organizations must establish, publish, maintain and disseminate the safety and confidentiality policy throughout the unit, review the policy at least 01 time per year, and update it when the card payment equipment has faults.

3. Card organizations must carry out a risk assessment at least 01 time per year and as soon as the system changes in network diagram or security configuration, adds server systems, or supplements or modifies operations.

4. Card organizations must issue and enforce regulations on the use of high-risk technologies (remote access, wireless networks, mobile devices, email and Internet). The regulations shall include the following requirements:

a) High-risk technologies must be approved by competent persons before use;

b) High-risk technologies must be authenticated by account and secret key or other authentication methods before use;

c) Lists of all equipment, technologies and users granted the right to use them shall be kept and monitored;

d) There shall be an easy and convenient method (labeling, barcode recording or equipment inventory) to identify the owner, contact information and purpose of use of the instruments;

dd) The scope of application of high-risk technologies shall be determined;

e) The network locations where high-risk technologies are used shall be determined;

g) For remote access, the session must be disconnected automatically after a specified period of inactivity;

h) Remote access for card-supporting organizations may only be activated when genuinely necessary and on request, and shall be disabled immediately after the session ends;

i) Technical measures prohibiting the copying, moving and storing of cardholder data on hard drives, removable media and peripherals must be taken when remote access to cardholder data is granted. In special cases where cardholder data must be copied, moved or stored via remote access, the responsibility for protecting the cardholder data must be clearly defined in accordance with this Circular.

5. Card organizations must clearly define the responsibility for protecting the safety and confidentiality of card data for the organizations and individuals within their units and the parties involved.

6. The task of managing card information security shall be assigned as follows:

a) Information and warnings about information security risks shall be monitored and analyzed, and the information transferred to the department in charge for coordination and resolution;

b) Measures for timely emergency response to control all situations shall be prepared;

c) User accounts on the system shall be managed;

d) All access to data shall be monitored and controlled;

dd) The assignment shall be made in writing.

7. Card organizations must train new employees on card security and confidentiality awareness at recruitment and train all employees periodically at least 01 time per year; they must check and ensure that their employees know the card safety and confidentiality policies.

8. Card organizations shall establish and maintain processes and policies for managing card-supporting organizations that share card data or influence the safety and confidentiality of card data. The processes and policies shall meet the following minimum requirements:

a) The list of card-supporting organizations shall be kept up to date;

b) Card organizations shall vet card-supporting organizations before signing contracts. The selection process must clearly state the card organization's requirements of the card-supporting organization, and the records of how those requirements are met must cover the safety and confidentiality of card information;

c) Contracts with card-supporting organizations must specify the card-supporting organization's responsibility to comply with the relevant provisions of this Circular. There must be a written commitment to terms and responsibilities under which the card-supporting organization ensures the safety and confidentiality of the card information it provides, stores, processes or exchanges in its services. The commitment must specify the scope of the supplies and services provided by the card-supporting organization;

d) Card organizations must manage and update information on how card-supporting organizations meet the requirements of this Circular.

9. Card organizations must develop an emergency response process to ensure that emergencies are handled as soon as they occur. The emergency response process shall meet the following minimum requirements:

a) It shall set out the roles, responsibilities, communications and contacts of individuals and organizations in case the system is compromised;

b) It shall include specific emergency response scenarios;

c) It shall include scenarios for recovery and for ensuring continuous operation;

d) It shall include scenarios for backing up data;

dd) It shall include testing of the process at least 01 time per year;

e) It shall include the assignment of specific personnel to be ready for emergency response 24/7;

g) It shall include the running of training programs so that staff can respond to emergencies affecting card safety and confidentiality;

h) It shall include the handling of warnings from the security monitoring systems (intrusion detection and prevention systems, firewall devices, and systems monitoring the integrity of data files);

i) It shall include the modification and improvement of the emergency response process based on experience and on developments in information technology.

Article 13. Requirements for keypad for PIN

1. The keypad used to enter the PIN must itself erase stored sensitive information, including encryption keys, PINs and secret keys, so that this information cannot be recovered in case of physical intrusion.

2. The sound of pressing one key shall be indistinguishable from the sound of pressing another. It shall also be impossible to identify any PIN character entered by monitoring electromagnetic emissions or power consumption.

3. The PIN must be encrypted as soon as it is entered (when the user presses Enter). The cache shall be cleared automatically when the transaction ends or the timeout expires.

4. The safety features of the keypad shall not be altered by environmental or operating conditions.

Article 14. Protection of card data storage area

1. Storage, recovery and destruction of card information and data

a) Policies, procedures and processes for the storage and destruction of cardholder data shall be implemented; the amount of data and the storage time shall be limited to what operations and the law on storage require; cardholder data whose storage period has expired shall be identified and securely deleted every quarter; the provisions on cardholder data storage, including those on the retention periods of records and documents in the banking sector, shall be complied with;

b) For card authentication data, the secrecy of card printing and issuance shall be kept; individuals or organizations handling card authentication data must commit not to disclose the information and not to store card authentication data, including information encrypted in transactions, log files, history files, tracking files, data diagrams and database contents;

c) The card number must be concealed when displayed and may only be displayed in full at the request of competent agencies or the legitimate cardholder; the card number must not be readable in storage;

d) The card number must be made unreadable in storage by one of the following methods:

- Using a one-way hash function based on strong encryption algorithms;

- Splitting or truncating the data so that the full data cannot be read when stored in files, databases or log data;

- Using a one-time code system in which the code-receiving device must be kept secret;

- Applying strong encryption with key management processes and procedures;

- Using disk encryption that encrypts files through a mechanism separate from and independent of the access control and authentication mechanism of the underlying operating system.

2. Regulations on data encryption in the card data storage area

a) Keys used to encrypt must be stored and safety measures to avoid the risk of release of information shall be made:

- The number of people entitled to access to the encryption key shall be limited;

- Private keys shall be stored to encrypt, decrypt cardholder data in all times by one of the following methods:

Storing in specialized equipment or PIN security device in transactions;

Storing keys into at least two separate parts.

Encrypting by algorithm which is as strong as or stronger than the algorithm used to encrypt the data. Encryption keys must be stored separately from keys used to encrypt data;

b) Process for all the work related to key management and encryption procedures shall be issued to encrypt cardholder data, including:

- Process of creating the encryption key;

- Distribution of encryption keys;

- Storage of the encryption key;

- Periodical change of the key of which useful life expires;

- Replacement or revocation keys which are in doubt about disclosure or change.

c) Management of encryption keys must meet the following minimum requirements: :

- If an encryption key is used under clear text form, this encryption key must be ensured to be divided into many parts managed by at least two people, each of whom keep a part of the encryption key;

- Replacement of the encryption key without permission shall be prevented;

- Responsibilities of the holder of the encryption key shall be specified
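The following is an added example, not part of the Circular, showing how three of the Article 14 controls can be implemented with the Python standard library: masking the card number for display (14.1.c), keying the one-way hash so the stored value is unreadable (14.1.d), and holding a clear-text key only as components under dual control (14.2.c). The first-6/last-4 masking convention, the function names and all card numbers and keys are assumptions.

```python
# Added example, not part of the Circular: three Article 14 controls using only
# the Python standard library. All card numbers and keys are constructed values.
import hashlib
import hmac
import secrets


def mask_pan(pan: str) -> str:
    """Article 14.1.c: conceal the card number for display.

    Keeps the first 6 and last 4 digits (an assumed convention; the
    Circular only requires concealment) and replaces the rest.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_lookup_token(pan: str, hash_key: bytes) -> str:
    """Article 14.1.d: one-way hash so the card number is unreadable in storage.

    An unkeyed hash is cheap to brute-force because the number space is
    small (the issuer prefix is public and the last digit is a check digit),
    so the hash is keyed (HMAC-SHA-256) with a secret that is itself managed
    under Article 14.2 and never stored beside the tokens.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(hash_key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def xor_all(blobs: list[bytes]) -> bytes:
    """XOR equal-length byte strings together."""
    acc = bytes(len(blobs[0]))
    for blob in blobs:
        if len(blob) != len(acc):
            raise ValueError("key components must have equal length")
        acc = bytes(a ^ b for a, b in zip(acc, blob))
    return acc


def split_key(key: bytes, parts: int = 2) -> list[bytes]:
    """Article 14.2.c: hold a clear-text key only as components under dual control.

    Returns `parts` random components whose XOR equals the key; any set of
    fewer than all components reveals nothing about the key, so each
    custodian (at least two people) keeps exactly one component.
    """
    if parts < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = xor_all(components + [key])
    return components + [last]


def reconstruct_key(components: list[bytes]) -> bytes:
    """Recombine the components only inside the key-loading ceremony."""
    return xor_all(components)
```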

Article 15. Encryption of card data transmitted over external networks

1. Appropriate encryption methods and security protocols (at minimum SSL/TLS, SSH or IPsec) shall be used to protect card authentication data during transmission over networks connected to external networks (the Internet, wireless networks, mobile communications networks and other networks).

2. When the card number is sent to the user in electronic messages, it must be encrypted with strong cryptography.

Article 16. Restriction of access rights to card data

1. Access to and processing of card data shall be properly segregated and kept to the minimum needed to fulfil each individual's responsibilities.

2. Policies restricting remote access and access from external network zones into the system shall be developed. Operations shall be monitored and access times shall be recorded.

3. Access rights to the card payment system must be approved in writing by competent persons.

4. Measures and access control systems shall be established for all card payment equipment; access shall be restricted in accordance with assigned responsibilities and tasks; invalid access must be rejected.

Article 17. Restriction of physical access to card data

1. Entry to and exit from the areas housing the card payment system, the card data center and the physical card data environment shall be controlled:

a) Controls on wired and wireless network connection points in public areas shall be established to restrict access. Physical access to mobile devices, communications equipment, network equipment, telephones and telecommunication lines shall be controlled;

b) Cameras or other measures shall be used to monitor physical access to the server room area, the card issuing and printing area, and the cardholder data processing and storage area. Monitoring data must be retained for at least 03 months.

2. Procedures for identifying external employees and individuals (card support organizations, visitors) coming to work on site shall be developed, including:

a) The procedure for identifying new external employees and individuals;

b) The procedure for changing access requests and revoking the access rights of employees who resign and of external individuals whose access rights expire.

3. Physical access by employees to server rooms, the card issuing and printing area, and the cardholder data storage and processing area shall be controlled under the following requirements:

a) Access shall be granted based on the job requirements of each individual;

b) Access rights shall be revoked as soon as the job is finished, and all means of access (keys, access cards) must be revoked or disabled.

4. Procedures for identifying and authorizing external individuals entering and leaving the cardholder data storage and processing area shall be applied:

a) External individuals must obtain permission before entering the cardholder data storage and processing area and must be supervised at all times while there;

b) External individuals must be identified by a valid badge or other method and must be visually distinguishable;

c) External individuals shall be required to surrender the badge or other means of identification before leaving the unit or upon its expiry;

d) Entry and exit records of external individuals must be kept in written or electronic form for at least 01 year.

5. Media containing backups of card payment system data must be stored in a safe place. The storage location must be inspected for safety conditions at least 01 time/year.

6. The security of physical assets, information and important documents relating to card operations, and of information-carrying media, must be ensured. Transport of information-carrying media must be controlled to ensure card data security. Information-carrying media must be approved by competent persons before being transferred, moved or distributed.

7. The storage of and access to information-carrying media must be strictly controlled. An inventory of assets and information-carrying media must be carried out at least 01 time/year.

8. Card data readers must be monitored and protected to meet the following requirements:

a) Lists of equipment, manufacturer information, equipment models, equipment locations and equipment identifiers (serial number, product number) shall be regularly updated;

b) The surface of the equipment shall be periodically examined to detect tampering or added components by checking its identifying characteristics or serial number;

c) Managers and users of equipment must be trained to recognize the risk of tampering with or replacement of equipment in order to steal card information. The training content shall include:

- Verifying the identity of card support personnel before they are permitted to repair, maintain or troubleshoot the equipment;

- Checking and verifying equipment before allowing its installation, replacement or return;

- Identifying risks and suspicious behavior around the equipment;

- Reporting risks, tampering or unauthorized replacement of the equipment to competent persons.

9. Records and documents containing card data shall be destroyed by shredding, burning or pulping so that the card data cannot be read or reconstructed. Electronic information-carrying media containing cardholder information shall be wiped with dedicated data deletion programs or destroyed by physical destruction or degaussing so that the cardholder data cannot be read or recovered.

Article 18. Monitoring, protection and inspection of card payment equipment

1. All access to resources and cardholder data shall be tracked and monitored:

a) All access to card payment equipment shall be recorded so that all user actions can be traced;

b) Access to all card payment equipment shall be automatically recorded so that the following events can be reconstructed:

- All user access to cardholder data;

- All actions of users with privileged accounts;

- Access to all diary (log) data;

- Attempts at unauthorized access to the system;

- User management (including creation of new accounts, elevation of privileges, and changes to or deletion of administrator accounts);

- Initiation, termination or suspension of data recording;

- Creation or deletion of data, resources, functions or services on card payment equipment.

c) Diary data for each event (prescribed in point b, paragraph 1 of this Article) shall include at least the following information:

- User identification;

- Type of event;

- Date and time;

- Success or failure status;

- Origin of the event;

- Name or identification of the data, resource, function or service affected by the event.

d) There must be a time synchronization system for the server systems and ATM systems used for card payment;

dd) Diary data shall be protected:

- Rights to view diary data shall be restricted to the minimum required by the job;

- Diary data files shall be protected from unauthorized modification;

- Diary data shall be backed up to centralized servers or information-carrying media;

e) Card organizations must use integrity monitoring tools or change detection software for diary data files;

g) Card organizations must review and evaluate diary data and security events across all card payment equipment to identify unusual or suspicious activity, using analysis, processing and alerting tools based on diary data, as follows:

- Card organizations must review at least the following diary data daily:

All security and confidentiality events;

Diary data of the systems that store, process, transmit and receive card information;

Diary data of the system's security equipment (firewalls, intrusion detection and intrusion prevention systems, authentication servers).

- Card organizations must review all diary data in accordance with the unit's security and confidentiality regulations and risk management regulations. Diary data shall be reviewed at least 01 time/year;

- During the review of diary data, card organizations must monitor and handle any exceptions and anomalous events detected.

h) Diary data must be stored online for at least 03 months, ready for access, and backed up for at least 01 year.
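The following is an added example, not part of the Circular, of a diary (log) record that carries the six fields required by Article 18.1.c, hash-chained so that an integrity monitor (18.1.e) detects later modification, deletion or truncation of the records (18.1.dd). The field names, the chain construction and the sample events are assumptions; a real deployment would also ship the head hash to a separate, write-protected location.

```python
# Added example, not part of the Circular: a diary (log) record carrying the
# fields required by Article 18.1.c, hash-chained so that an integrity monitor
# (18.1.e) detects later modification or deletion (18.1.dd). Field names, the
# chain construction and the sample events are constructed assumptions.
import hashlib
import json

REQUIRED_FIELDS = ("user", "event_type", "timestamp", "status", "origin", "target")
GENESIS = "0" * 64  # anchor hash for the first record


def make_entry(user, event_type, timestamp, status, origin, target) -> dict:
    """One diary record; timestamps are ISO-8601 UTC from synchronized clocks (18.1.d)."""
    if status not in ("success", "failure"):
        raise ValueError("status must be 'success' or 'failure'")
    return {"user": user, "event_type": event_type, "timestamp": timestamp,
            "status": status, "origin": origin, "target": target}


def chain_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous record's hash and a canonical JSON encoding."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(log: list, entry: dict) -> str:
    """Append an entry with its chain hash; returns the new head hash."""
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    if missing:
        raise ValueError(f"diary record missing required fields: {missing}")
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "hash": chain_hash(prev, entry)})
    return log[-1]["hash"]  # the monitor keeps this value off-box


def verify(log: list, expected_head: str) -> tuple[bool, int]:
    """Recompute the chain; return (ok, index of the first bad record or -1).

    A modified entry breaks its own hash; a deleted or reordered entry
    breaks the hash of the record after it; a truncated tail is caught by
    comparing the final hash with the head stored by the monitor.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if chain_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return (True, -1) if prev == expected_head else (False, len(log))


def demo_log() -> tuple[list, str]:
    """Constructed sample events of kinds listed in Article 18.1.b."""
    log = []
    head = append(log, make_entry("admin01", "privileged_action", "2015-04-01T08:00:00Z",
                                  "success", "10.0.0.5", "atm-switch"))
    head = append(log, make_entry("ops02", "cardholder_data_access", "2015-04-01T08:05:00Z",
                                  "success", "10.0.0.9", "pan-vault"))
    head = append(log, make_entry("unknown", "unauthorized_access_attempt", "2015-04-01T08:06:00Z",
                                  "failure", "203.0.113.7", "pos-gateway"))
    return log, head
```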

2. Card payment system security shall be inspected:

a) Card organizations must control wireless network access points, maintain a list of the wireless access points (if any) permitted to connect to the unit's network that clearly explains their purpose and is approved by competent persons, and quarterly review the wireless access points connected to the unit's internal network;

b) Card organizations must scan for and assess security vulnerabilities of information technology systems from inside and outside the network at least 01 time/quarter and immediately after any significant change to the system (including adding devices, changing the network model, changing firewall access policies, or upgrading or updating operating systems and applications). Remediation of high-severity vulnerabilities shall be as determined under paragraph 1 of Article 5 of this Circular;

c) Card organizations must conduct penetration tests according to the following requirements:

- Test all systems that store or process cardholder data;

- Test from inside and outside the system at least 01 time/year and immediately after significant changes to the system or after vulnerabilities are detected by scanning;

- Test according to the guidelines of reputable organizations in penetration testing and information security;

- Test the exploitability of the vulnerabilities listed in paragraph 5 of Article 5 of this Circular;

- Test at both the network and the application level;

- Assess and review threats and vulnerabilities that occurred in the past 12 months;

- Retain penetration test results and remediation results under confidentiality regulations;

- Exploitable vulnerabilities detected during penetration testing must be remediated and re-tested to confirm the remediation.

d) Card organizations must use intrusion detection and prevention systems to detect and prevent unauthorized access to the network, monitor all access to the cardholder data environment and alert administrators to access risks. Intrusion prevention devices must be updated with new signatures from suppliers;

e) Card organizations must check the integrity of important data (system files, configuration files, content files) at least monthly.

Article 19. Requirements for ensuring continuous operation

1. Card organizations shall establish processes for troubleshooting and risk management for card payment systems, and periodically review and update them at least 01 time/year.

2. The information technology system for card payment must have redundancy in the form of an on-site backup system and a disaster recovery system. The disaster recovery system must take over from the main system within 04 hours of the main system's failure.

3. Card payment operations must be switched from the main system to the backup system at least 02 times/year to ensure the consistency and availability of the backup systems.

Chapter VI

IMPLEMENTATION

Article 20. Reports

Card organizations shall submit reports to the State Bank of Vietnam (Information Technology Administration) as follows:

1. Annual reports on the implementation of the provisions of this Circular:

a) Deadline for reports is before November 15 each year;

b) Report submission forms and report templates shall be as guided by the State Bank of Vietnam (Information Technology Administration).

2. Extraordinary reports on security incidents affecting card payment systems:

a) Deadline for reports is within 10 days from the date the incident is detected;

b) Contents of the report include the date and place of the incident; its cause; an assessment of the risk and impact on card payment systems and operations at the place of the incident and at other related locations;

c) Measures taken, or proposed by the organization, to contain and remedy the incident and to prevent risks.

Article 21. Effect

This Circular takes effect from April 01, 2015.

Article 22. Transitional provisions

Card organizations whose card payment equipment was installed prior to the effective date of this Circular must review it, prepare remediation plans specifying the requirements not met, the measures and the implementation period needed to fully meet the requirements of this Circular, and submit them to the State Bank (Information Technology Administration) before July 01, 2015.

The State Bank of Vietnam (Information Technology Administration) shall review the remediation plans, request card organizations to modify and complete them, including the implementation period (if it does not meet requirements or is not feasible) and the measures in the plan, and monitor the implementation of the plans by card organizations.

Card organizations shall be responsible for implementing their remediation plans and for modifying, completing and implementing them in accordance with the opinions of the State Bank of Vietnam (if any).

Article 23. Responsibilities for implementation

1. The Information Technology Administration shall be responsible for monitoring and inspecting the implementation of this Circular and submitting inspection results to relevant units for handling.

2. The Bank Supervision and Inspection Agency shall be responsible for inspecting and monitoring the organizations and individuals involved in the implementation of this Circular and for taking action against violations in accordance with law.

3. Branches of the State Bank in central-affiliated cities and provinces shall be responsible for inspecting, monitoring and handling violations within their competence relating to ATM and POS operations in their administrative divisions under the provisions of this Circular, and for submitting inspection results to the State Bank of Vietnam (through the Information Technology Administration).

4. Heads of the related units under the State Bank of Vietnam; Directors of branches of the State Bank in central-affiliated cities and provinces; Chairpersons of the Boards of Directors and General Directors (Directors) of card organizations shall be responsible for the implementation of this Circular.

PP. GOVERNOR
DEPUTY GOVERNOR

Nguyen Toan Thang


------------------------------------------------------------------------------------------------------
This translation is made by LawSoft and is for reference purposes only. Its copyright is owned by LawSoft and protected under Clause 2, Article 14 of the Law on Intellectual Property.
