Chỉ thị 03/CT-NHNN

DIRECTIVE

ON THE STRENGTHENING OF SECURITY IN ELECTRONIC PAYMENT AND CARD-BASED PAYMENT

In order to strengthen security in electronic payment and card-based payment and minimize the risks in payment activities, to implement the instruction of the Prime Minister on security in electronic payment and card-based payment as well as ensuring the benefit of customers and providers of payment services and providers of intermediary payment services; the Governor of the State bank of Vietnam requires the entities of the State bank of Vietnam, and the providers to perform the following responsibilities:

I. RESPONSIBILITIES OF ENTITIES AT THE HEADQUATERS OF THE STATE BANK OF VIETNAM

The headquaters of the State bank of Vietnam shall perform the following responsibilities ex officio:

1. Implement effectively the Scheme on non-cash payment developemnt in Vietnam in 2016-2020 enclosed with the Decision No. 2545/QĐ-TTg dated December 30, 2016 of the Prime Minister. Keep consulting with the Governor of the State bank of Vietnam about promulgation or revision of the legislative documents in connection with electronic and card-based payment; legislative documents on security and penalties for violations against law on electronic payment and card-based payment. Promote the management and control over the latest types, means, and systems of electronic payment in Vietnam.

2. Proactively monitor and update the domestic and international cyber security movements to alert and guide entities in the banking industry to promptly prevent and solve risks, and information technology security holes. Design cooperation programmes, exchange information and corordinate with the Ministry of Public Security, Ministry of Information and Communications in preventing high technology criminals and taking measures for ensuring network security in electronic payment and card-based payment.

3. Consult with the Governor of the State bank of Vietnam about drawing the road map of applying international standards in security such as ISO 27001 to information technology systems, PCI/DSS standard to the card-based payment system, the latest multi-factor authentication technologies to replace the out-dated and unsafe security technology. Proactively conduct research, consult with the Governor of the State bank of Vietnam about carrying out the instructions as specified in the document on providing guidance on measures for cyber restoration for the financial market infrastructures promulgated by the Committee on Payments and Market Infrastructure Finance (CPMI) of the Bank for International Settlements (BIS).

4. Intensify the inspection and supervision on security in electronic payment and card-based payment to assess, detect, early alert the risks, impose penalties for violations against law  on electronic payment and card-based payment

5. Make overall communication plan of the Banking industry on electronic payment and card-based payment, especially the security in electronic payment and card-based payment in order for the public to clearly understand and securely use the payment services; and at the same time guide the providers of payment services and providers of intermediary payment services to implement the aprroved plan, ensure the synchronous communication between the State bank of Vietnam and the providers.

II. RESPONSIBILITIES OF PROVINCIAL BRANCHES OF THE STATE BANK OF VIETNAM

1. Proactively supervise, monitor, and guide the providers of payment services and providers of intermediary payment services to adopt the documents and regulations of the State bank of Vietnam on the payment activities in general, and electronic payment and card-based payment in particular; assist the Governor of the State bank of Vietnam in State management of payment activities, electronic payment and card-based payment in their provinces.

2. Carry out inspection and impose penalties for the providers’ violations against the regulations of the State bank of Vietnam on processes, procedures, and regulations on security in payment in general and in electronic and card-based payment in particular; supervise and inspect the providers’ implementation of the conclusion and requests after the inspection.

3. Proactively propagate the regulations of law, policies of the Government and the State bank of Vietnam on the payment activities in general and in electronic and card-based payment in particular in order for the public to clearly understand and securely use the payment services.

4. Proactively collect the information on the criminals’artifices to alert, at the same time provide guidance for measures for ensuring asset safety of the providers and customers, dig up the information via mass media and provide timely measures for the cases relating to security in electronic payment and card-based payment in the locality. Promptly inform the State bank of Vietnam of any cases relating to service quality as well as the incidents compromising the security in electronic payment and card-based payment.

5. Guide the local providers to coordinate with the local pollice authorities in preventing electronic payment-related crimes.

III. RESPONSIBILITIES OF PROVIDERS OF PAYMENT SERVICES AND PROVIDERS OF INTERMEDIARY PAYMENT SERVICES

1. Strictly adopt the guiding documents of the State bank of Vietnam and law on payment activities. Regularly inspect, amend and complete procedures, internal regulations on information technology security to minimize the risks; and at the same time early detect the violations to ensure to comply with the regulations of the State bank and law on security in payment activities. Carry out research and introduce measures to be fully implemented by their affiliated units in the process of payment operation. The process of payment operation shall present its roles, functions and responsibilities in each step during the process of performing the payment transaction.

2. Periodically review and assess the risks of technical infrastructure and information technolofy serving the payment and implement appropriate measures to minimize risks, ensure asset safety of customers and providers; construct and enact security breach scenarios. Inspect all ATMs, POSs (especially the providers offerring merchant services for accepting payments to prevent fraud), strengthen the system for ensuring safety for transactions via ATMs, POSs, and measures for customer authentication at ATMs to prevent the use of counterfeit bank cards.

3. Proactively apply international principles and standards to the payment system and information technology security, such as applying the ISO 27001 standard to information technology system, the PCI/DSS to the card-based payment system; the latest latest multi-factor authentication technologies to the bank transactions in order to replace the old and unsafe security technologies. Apply and carry out an assessment of the compliance with principles for the financial market infrastructures promulgated by the Committee on Payments and Market Infrastructure Finance (CPMI) of the Bank for International Settlements (BIS).

4. Provide training in recognizing, receiving, and solving risks for banking staff; provide training programmes for criminals’assault artifices and preventive measures for payment security for the providers offerring merchant services for accepting payments.

5. Regularly and promptly provide alerts and instructions for customers in order for them to acknowledge types of risks and fraud in payment activities and how to utilize payment services securely; provide advice for customers in case of any problems, he/she should calmly coordinate with the providers and competent agencies in solving the problems according to regulations of law.

6. Proactively monitor and promptly solve the arising issues relating to its payment services. (Head office and branches). When risks and fraud occurs, the providers must report to the State bank of Vietnam and provincial branches of the State Bank of Vietnam (the locality from which the issue arises), and at the same time coordinate with their customers and relevant entities in order to handle those issues according to the regulations and then inform the customer; protect relevant entities’ right according to regulations of law.

IV. IMPLEMENTATION

1. This Directive comes into force from the day on which it is signed.

2. The relevant entities at the headquarters of the State bank of Vietnam; provincial branches of the State Bank of Vietnam; providers of payment services and providers of intermediary payment services shall implement the duties as specified in this Directive shall submit the biannual and annual reports on the implementation of the Decree to the State bank of Vietnam (Department of Payment) within 10 days from the end of the reporting period. The entities which make biannual and annual reports on payment activities shall submit reports on the implementation of the Decree in a particular Section of those reports.

3. Chief of Office, Director General of Payment, Heads of relevant entities of the State bank of Vietnam, Directors of provincial branches of the State Bank of Vietnam, Chairman of the Management Board, Chairman of the Members' Council, General Director (Director) of the providers of payment services and Chairman of the Management Board, General Directors (Directors) of the  providers of intermediary payment services are responsible for implementing this Directive./.