Full text of Decision 630/QD-NHNN 2017 on application of security measures to online payment and card payment
STATE BANK OF VIETNAM | SOCIALIST REPUBLIC OF VIETNAM |
No. 630/QD-NHNN | Hanoi, March 31, 2017 |
DECISION
PROMULGATION OF THE PLAN FOR APPLICATION OF SECURITY MEASURES TO ONLINE PAYMENT AND CARD PAYMENT
THE GOVERNOR OF THE STATE BANK
Pursuant to the Law on the State bank of Vietnam No. 46/2010/QH12 dated June 16, 2010;
Pursuant to the Government's Decree No. 16/2017/ND-CP dated February 17, 2017 on functions, tasks, entitlements and organizational structure of the State bank of Vietnam;
Pursuant to Circular No. 35/2016/TT-NHNN dated December 29, 2016 of the State bank on safety and security of online banking services;
At the request of the Director of Information Technology Department,
DECIDES:
Article 1. The plan for application of security measures to online payment and card payment is promulgated together with this Decision.
Article 2. This Decision comes into force from the day on which it is signed.
Article 3. Chief of Office, Director of Information Technology Department, heads of affiliates of the State bank, directors of provincial branches of the State bank; Chairpersons of the Executive Boards, Chairpersons of the Boards of members, General Directors (Directors) of credit institutions, foreign branch banks (FBBs), providers of payment services are responsible for implementation of this Decision./.
| PP GOVERNOR |
PLAN
FOR APPLICATION OF SECURITY MEASURES TO ONLINE PAYMENT AND CARD PAYMENT
A. TARGETS
- Enhance state management by the State bank of information technology (IT) security, online payment and card payment services.
- Improve the quality of IT security and enhance the security of online banking and card payment services provided by credit institutions, FBBs and payment service providers.
B. OBJECTIVES AND ROADMAP
I. Objectives of credit institutions, FBBs and providers of payment services
1. Apply new authentication technologies to Internet banking and mobile banking
From January 01, 2019, according to the categories of transactions in Appendix 01 hereof, payment service providers and online payment service providers shall apply the minimum authentication as follows:
No. | Transaction (1) | Minimum authentication (2) |
1 | Category A transactions | Username, password or PIN |
2 | Category B transactions | SMS OTP; or OTP matrix card; or basic OTP tokens which are not able to verify users |
3 | Category C transactions | OTP software or basic OTP tokens which can verify users; or two-factor authentication; or biometric authentication |
4 | Category D transactions | OTP software or advanced OTP tokens which are capable of transaction signing; or U2F/UAF authentication; or certificate-based authentication |
Notes:
- The authentication methods for Category D transactions can be used for Category A, B and C transactions.
- The authentication methods for Category C transactions can be used for Category A and B transactions.
- The authentication methods for Category B transactions can be used for Category A transactions.
- Use of authentication methods shall be reported to the State bank (through Information Technology Department) before being put into use.
2. Measures for minimization of risks to payment
Providers of card payment services shall implement the following risk minimization measures by the deadlines below:
No. | Measure | Deadline |
1 | Sending notices by SMS or email | 01/01/2018 |
2 | Establishing daily limits | 01/01/2019 |
3 | Offering the option to allow/disallow online payment | 01/01/2019 |
4 | Establishing daily limits on card payment | 01/01/2019 |
5 | Offering the option to allow/disallow overseas payment (except online payment) | 01/01/2019 |
6 | Applying 3-D Secure or equivalent authentication for online payment by international cards | 01/01/2019 |
3. Difficulties that arise during implementation should be reported to the State bank (through Information Technology Department) for assistance.
II. Objectives of affiliates of the State bank
1. Communications Department shall cooperate with relevant units in providing information for the public and enterprises; effectively assist application of authentication standards and authentication solutions to online payment and card payment.
2. Payment Department shall cooperate with Information Technology Department in monitoring, supervising and inspecting the implementation of this Plan.
3. Information Technology Department shall monitor and supervise the implementation of this Plan, and shall submit annual reports and irregular reports (when necessary) to the Governor of the State bank.
| PP GOVERNOR |
APPENDIX 01
CATEGORIZATION OF TRANSACTIONS
No. | Category of transaction | A | B | C | D |
I | Individuals | | | | |
1 | Information access; intrabank transfer to the same account holder | All transactions | | | |
2 | Bill payments with a fixed customer ID (electricity, water, telephone, traffic bills) | Limited transactions: daily limit ≤ 5 million VND | Limited transactions: daily limit > 5 million VND but ≤ 100 million VND, and as registered by clients | | |
3 | Intrabank transfer to other account holders | | Limited transactions: daily limit ≤ 100 million VND | Limited transactions: < 500 million VND per transaction and < 1.5 billion VND per day | Limited transactions: ≥ 500 million VND per transaction; daily limit registered by clients |
4 | Domestic interbank transfer | | Limited transactions: daily limit ≤ 100 million VND | Limited transactions: < 500 million VND per transaction and < 1.5 billion VND per day | Limited transactions: ≥ 500 million VND per transaction; daily limit registered by clients |
5 | Overseas interbank transfer | | | Limited transactions: < 200 million VND per transaction and < 1 billion VND per day | Limited transactions: ≥ 200 million VND per transaction; daily limit registered by clients |
II | Businesses | | | | |
1 | Information access | All transactions | | | |
2 | Interbank transfer to the same account holder | | All transactions | | |
3 | Interbank transfer to other account holders | | | Limited transactions: < 1 billion VND per transaction and < 10 billion VND per day | Limited transactions: ≥ 1 billion VND per transaction; daily limit registered by clients |
4 | Domestic interbank transfer | | | Limited transactions: < 1 billion VND per transaction and < 10 billion VND per day | Limited transactions: ≥ 1 billion VND per transaction; daily limit registered by clients |
5 | Overseas interbank transfer | | | Limited transactions: < 500 million VND per transaction and < 5 billion VND per day | Limited transactions: ≥ 500 million VND per transaction; daily limit registered by clients |
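The Appendix 01 thresholds and the minimum-authentication table of section B.I.1, encoded as a transaction categorizer. This is an added illustration, not code from the Decision or the State bank; the customer and transaction-type labels are assumed names, the client-registered daily limit is not modelled, and treating everything above the Category C ceilings as Category D is an interpretation of the table.

```python
# Constructed example (not from the Decision): categorizer for the Appendix 01
# thresholds and the section B.I.1 minimum-authentication table. Amounts in VND.
M = 1_000_000       # one million VND
B = 1_000 * M       # one billion VND

# Minimum authentication per category (section B.I.1); per the Notes, a
# higher category's methods may also be used for any lower category.
MIN_AUTH = {
    "A": ["username, password or PIN"],
    "B": ["SMS OTP", "OTP matrix card", "basic OTP token without user verification"],
    "C": ["OTP software or basic OTP token with user verification",
          "two-factor authentication", "biometric authentication"],
    "D": ["OTP software or advanced OTP token with transaction signing",
          "U2F/UAF authentication", "certificate-based authentication"],
}

# Category C ceilings (per transaction, per day) from Appendix 01; at or above
# the per-transaction ceiling the same row places the transaction in Category D.
C_CEILINGS = {
    ("individual", "intrabank_other"):    (500 * M, 1_500 * M),
    ("individual", "domestic_interbank"): (500 * M, 1_500 * M),
    ("individual", "overseas"):           (200 * M, 1 * B),
    ("business", "interbank_other"):      (1 * B, 10 * B),
    ("business", "domestic_interbank"):   (1 * B, 10 * B),
    ("business", "overseas"):             (500 * M, 5 * B),
}

def categorize(customer, txn_type, amount, day_total):
    """Return 'A'..'D' or None; day_total is the day's cumulative amount incl. this one."""
    if txn_type in ("info_access", "intrabank_same_holder"):
        return "A"                          # rows I.1 / II.1: all transactions
    if customer == "business" and txn_type == "interbank_same_holder":
        return "B"                          # row II.2: all transactions
    if customer == "individual" and txn_type == "bill_payment":
        if day_total <= 5 * M:
            return "A"                      # row I.2, column A
        # Row I.2, column B; the client-registered limit is not modelled here.
        return "B" if day_total <= 100 * M else None
    if (customer, txn_type) not in C_CEILINGS:
        raise ValueError(f"no Appendix 01 row for {(customer, txn_type)}")
    per_txn_cap, per_day_cap = C_CEILINGS[(customer, txn_type)]
    # Column B exists only for individuals' domestic transfers (rows I.3, I.4).
    if customer == "individual" and txn_type != "overseas" and day_total <= 100 * M:
        return "B"
    if amount < per_txn_cap and day_total < per_day_cap:
        return "C"
    return "D"  # assumption: anything above the Category C ceilings is Category D

def minimum_auth(customer, txn_type, amount, day_total):
    cat = categorize(customer, txn_type, amount, day_total)
    return cat, MIN_AUTH.get(cat, [])
```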
APPENDIX 02
ONLINE TRANSACTION AUTHENTICATION METHODS
No. | Method | Description |
1 | SMS OTP | When an online payment is made, the online banking system will send an SMS that contains OTP to the phone number registered by the client. The client has to enter the OTP on the online payment interface to complete the transaction. |
2 | OTP matrix card | The matrix card is a two-dimensional table (rows and columns) with an OTP at each row/column position. When an online payment is made, the online banking system will inform the client of the row and column numbers on the matrix card. The client has to enter the corresponding OTP to complete the transaction. |
3 | Basic OTP software | The basic OTP software program will be installed on a cell phone or tablet registered with the bank and will periodically generate random OTPs, which are synchronized with the online banking system. When an online payment is made, the online banking system will request the client to enter the OTP generated by the OTP software to complete the transaction. |
4 | Advanced OTP software | The advanced OTP software program will be installed on a cell phone or tablet registered with the bank and will generate the OTP together with a transaction code (transaction signing). When an online payment is made, the online banking system will generate a transaction code. The client has to enter the code into the OTP program to generate the OTP. Then the client has to enter the OTP on the online payment interface to complete the transaction. |
5 | Basic OTP token | OTP token is an OTP-generating device. A basic OTP token will periodically generate random OTPs, which are synchronized with the online banking system. When an online payment is made, the online banking system will request the client to enter the OTP generated by the token to complete the transaction. |
6 | Advanced OTP token | An advanced OTP token is an OTP-generating device. It will generate the OTP together with a transaction code (transaction signing). When an online payment is made, the online banking system will generate a transaction code. The client has to enter the code into the OTP token to generate the OTP. Then the client has to enter the OTP on the online payment interface to complete the transaction. |
7 | Two-factor authentication | When an online payment is made, the online banking system will send an authentication request to the client's mobile device through the telephone network, using a USSD code, or through a dedicated software program. The client has to respond using the same factor to confirm or cancel the transaction. |
8 | Biometric authentication | When an online payment is made, the online banking system will analyze the client’s hard-to-fake biometric traits (face, finger vein, palm, retina, voice) before accepting the transaction. |
9 | Universal 2nd Factor/Universal Authentication Framework (U2F/UAF) | When an online payment is made, the online banking system will request the client to use a U2F/UAF device which is connected through the USB port or wirelessly (Bluetooth, NFC). After authenticating the user with a password or biometric traits, the U2F/UAF device will communicate with the browser and server to authenticate the website address and the transaction. |
10 | Digital signature | When an online payment is made, the online banking system will request the client to present the digital certificate (stored on a USB flash drive or SIM card). The client has to enter the access code of the USB device or SIM card and select the digital certificate to complete the transaction. |
(1) See categorization in Appendix 01.
(2) See authentication methods in Appendix 02.
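The difference between the basic OTP (Appendix 02, items 3 and 5) and the transaction-signing OTP (items 4 and 6), shown as an added example that is not part of the Decision: the seed, the time step and the way the server derives the transaction code from the payment details are all constructed assumptions, and the HMAC-based OTP follows the RFC 4226 truncation rather than any scheme the Decision prescribes.

```python
# Added illustration (not from the Decision): why the transaction-signing OTP of
# Appendix 02 items 4 and 6 resists tampering that a basic time-based OTP
# (items 3 and 5) does not. Demo secret and transaction-code scheme are constructed.
import hashlib
import hmac
import struct

DEMO_SECRET = b"constructed-demo-seed-not-real"   # shared token/app seed (constructed)

def hotp_value(secret: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 with RFC 4226 dynamic truncation to a fixed-width decimal OTP."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def basic_otp(secret: bytes, time_step: int) -> str:
    """Basic OTP: depends on the seed and the time step only, not on the payment."""
    return hotp_value(secret, struct.pack(">Q", time_step))

def transaction_code(beneficiary: str, amount_vnd: int) -> str:
    """Server-generated code the client types into the advanced OTP app/token.
    Assumption: 8 decimal digits derived from SHA-256 of the payment details."""
    digest = hashlib.sha256(f"{beneficiary}|{amount_vnd}".encode()).digest()
    return str(int.from_bytes(digest[:4], "big") % 10 ** 8).zfill(8)

def signing_otp(secret: bytes, time_step: int, txn_code: str) -> str:
    """Advanced OTP (transaction signing): the OTP also covers the transaction code."""
    return hotp_value(secret, struct.pack(">Q", time_step) + txn_code.encode())

def server_accepts(secret, time_step, beneficiary, amount_vnd, otp, signing):
    """Bank-side check computed from the payment the server actually received."""
    if signing:
        expected = signing_otp(secret, time_step, transaction_code(beneficiary, amount_vnd))
    else:
        expected = basic_otp(secret, time_step)
    return hmac.compare_digest(expected, otp)

def tampering_detected(signing: bool, time_step: int = 1_000_000) -> bool:
    """Client authorises 10 million VND to ACC-A; the submitted payment is altered
    to 500 million VND to ACC-B. Returns True if the bank rejects the altered one."""
    authorised = ("ACC-A", 10_000_000)
    altered = ("ACC-B", 500_000_000)
    if signing:
        otp = signing_otp(DEMO_SECRET, time_step, transaction_code(*authorised))
    else:
        otp = basic_otp(DEMO_SECRET, time_step)
    return not server_accepts(DEMO_SECRET, time_step, *altered, otp, signing)
```

With a basic OTP the altered payment still verifies, which is why Category D transactions require a method that binds the code to the transaction.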
------------------------------------------------------------------------------------------------------
This translation is made by LawSoft and for reference purposes only. Its copyright is owned by LawSoft and protected under Clause 2, Article 14 of the Law on Intellectual Property. Your comments are always welcomed.