Online Transaction Authentication Measures for Credit Institutions and Foreign Bank Branches from July 01, 2024: What Are They?
What are the online transaction authentication measures for credit institutions and foreign bank branches from July 1, 2024?
According to Appendix 02 issued together with Decision 2345/QD-NHNN in 2023, the online transaction authentication measures include the following:
| No. | Measure | Details about the measure |
| --- | --- | --- |
| 1 | OTP sent via SMS, Voice, or Email | When performing online payment transactions, the Internet Banking / Mobile Banking system sends an OTP code via SMS (SMS OTP), via voice call (Voice OTP) or via the registered email (Email OTP). The customer enters the OTP code on the online payment interface to complete the transaction. |
| 2 | OTP matrix card | The OTP matrix card is a two-dimensional table (rows and columns), with each row and column position corresponding to an OTP code. When performing online payment transactions, the Internet Banking / Mobile Banking system notifies the customer of a row and column number on the matrix card, and the customer enters the corresponding OTP code to complete the transaction. |
| 3 | Basic type Soft OTP | The OTP generation software (Soft OTP) is usually installed on a handheld smart device registered with the payment service provider or intermediary payment provider. For the basic type, the OTP code is generated randomly based on time, synchronized with the online payment system of the payment service provider or intermediary payment provider. When performing online payment transactions, the Internet Banking / Mobile Banking system requires the customer to enter the OTP code generated by the Soft OTP. The customer, or the software automatically, enters the OTP code on the online payment interface and the customer confirms to complete the transaction. |
| 4 | Advanced type Soft OTP | The advanced type Soft OTP is usually installed on a handheld smart device registered with the payment service provider or intermediary payment provider. For the advanced type, the OTP code is generated in combination with each transaction code (transaction signing). When performing online payment transactions, the Internet Banking / Mobile Banking system generates a transaction code and notifies the customer. The customer, or the software automatically, enters the transaction code into the Soft OTP to generate the OTP code. Then the customer, or the software automatically, enters the OTP code on the online payment interface and the customer confirms to complete the transaction. |
| 5 | Basic type Token OTP | Token OTP is a device that generates an OTP code. For the basic type, the OTP code is generated randomly based on time, synchronized with the online payment system of the payment service provider or intermediary payment provider. When performing online payment transactions, the Internet Banking / Mobile Banking system requires the customer to enter the OTP code generated by the Token OTP to complete the transaction. |
| 6 | Advanced type Token OTP | The advanced type Token OTP is a device that generates an OTP code. The OTP code is generated in combination with each transaction code (transaction signing). When performing online payment transactions, the Internet Banking / Mobile Banking system generates a transaction code and notifies the customer. The customer enters the transaction code into the Token OTP to generate the OTP code. The customer then enters the OTP code on the online payment interface to complete the transaction. |
| 7 | Two-channel authentication | When performing online payment transactions, the Internet Banking / Mobile Banking system sends authentication request information to the customer's mobile device via a voice channel, a USSD code or specialized software. The customer responds directly through the connected channel to confirm or decline the transaction. |
| 8 | Biometrics | When performing online payment transactions, the Internet Banking / Mobile Banking system requires the customer to present biometric identification that is difficult to counterfeit (such as face, finger or hand vein, fingerprint, iris, voice) to authenticate the transaction. |
| 9 | FIDO | Authentication standard issued by the FIDO Alliance (refer to Fidoalliance.org). When performing online payment transactions, the Internet Banking / Mobile Banking system requires the customer to use U2F/UAF devices (communicating via USB port or wirelessly over Bluetooth or NFC) or authentication software integrated with smartphones or browsers that meets the FIDO2 standard. After the customer authenticates with a passcode or biometric identification, the U2F/UAF device or authentication software communicates automatically with the browser and the authentication server to authenticate the Internet Banking website address and the transaction. |
| 10 | Secure electronic signature | When performing online payment transactions, the Internet Banking / Mobile Banking system requires the customer to use the secure electronic signature registered with the payment service provider or intermediary payment provider. Secure electronic signatures include specialized secure electronic signatures, digital signatures, or foreign electronic signatures recognized according to legal regulations. |
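As an added illustration (not part of Decision 2345/QD-NHNN and not any bank's code), the Python below contrasts the basic type Soft/Token OTP of rows 3 and 5 with the advanced type of rows 4 and 6: both derive the code from a shared secret and the current time window, but the advanced type also mixes in the transaction code notified by the bank, so a code captured for one transaction does not verify for another. The HMAC-SHA1 construction, 30-second window and 6 digits are assumptions borrowed from RFC 4226/6238; the Decision does not prescribe an algorithm.

```python
import hashlib
import hmac
import struct

# Assumed parameters: the Decision fixes no algorithm, so the RFC 6238 style
# HMAC-SHA1, 30-second window and 6 digits are used purely for illustration.
STEP_SECONDS = 30
DIGITS = 6


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at the offset given by the low
    nibble of the last byte, sign bit cleared, reduced to DIGITS digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def basic_otp(secret: bytes, timestamp: int) -> str:
    """Basic type (rows 3 and 5): the code depends only on the secret and the
    time window, so it is valid for any transaction submitted in that window."""
    window = timestamp // STEP_SECONDS
    return _truncate(hmac.new(secret, struct.pack(">Q", window), hashlib.sha1).digest())


def signing_otp(secret: bytes, timestamp: int, transaction_code: str) -> str:
    """Advanced type (rows 4 and 6): the transaction code notified by the bank
    is appended to the time window, binding the code to that one transaction."""
    window = timestamp // STEP_SECONDS
    msg = struct.pack(">Q", window) + transaction_code.encode("ascii")
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())


def verify_signing_otp(secret: bytes, now: int, transaction_code: str,
                       submitted: str, drift_windows: int = 1) -> bool:
    """Server side: recompute for the transaction being approved, tolerate a
    little clock drift, and compare in constant time."""
    for d in range(-drift_windows, drift_windows + 1):
        t = now + d * STEP_SECONDS
        if hmac.compare_digest(signing_otp(secret, t, transaction_code), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed shared secret (the RFC 6238 test key) and a fixed timestamp.
    secret = b"12345678901234567890"
    print("basic OTP at t=59:", basic_otp(secret, 59))  # 287082
    code = signing_otp(secret, 59, "TXN-0001")
    print("accepted for TXN-0001:", verify_signing_otp(secret, 59, "TXN-0001", code))
    print("replayed on TXN-0002:", verify_signing_otp(secret, 59, "TXN-0002", code))
```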
What do customers need to authenticate when accessing Internet Banking services?
According to Article 9 of Circular 35/2016/TT-NHNN as amended and supplemented by Clauses 7 and 8, Article 1 of Circular 35/2018/TT-NHNN, authentication in Internet Banking transactions is regulated as follows:
Customer authentication for accessing Internet Banking services
1. Customers accessing and using Internet Banking services must be authenticated at least by a username and a secret key that meets the following requirements:
a) The username must be at least six characters long and must not consist entirely of identical characters or of characters that are sequential in the alphabet or in numerical order;
b) The secret key must be at least six characters long, including letters and numbers, containing uppercase and lowercase letters or special characters. The secret key's validity period is a maximum of 12 months.
c) For accessing the Internet Banking system via a browser, the unit must have measures against automatic login.
2. The Internet Banking application software must have a function that requires customers to change the secret key immediately upon the first login; lock the access account if the secret key is entered incorrectly consecutively beyond the limit set by the unit. The unit will unlock the account only upon customer request and must authenticate the customer before unlocking the account to prevent fraud and impersonation.
Thus, based on the above provisions, customers accessing Internet Banking services must authenticate:
- Username: must be at least six characters long; must not consist entirely of identical characters or of characters that are sequential in the alphabet or in numerical order;
- Secret key: must be at least six characters long, including letters and numbers, containing uppercase and lowercase letters or special characters. The secret key's validity period is a maximum of 12 months.
For accessing the Internet Banking system via a browser, the unit must have measures against automatic login.
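The username, secret key, first-login and lockout rules of Article 9 above, as an added Python example (not code from the Circular or from any bank): the five-attempt limit is an assumption, since the Circular leaves that limit to the unit, and the sample secret key is constructed.

```python
import hmac
import re

MIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 5  # assumed value; the Circular leaves the limit to the unit

def username_problems(username: str) -> list:
    problems = ["shorter than six characters"] if len(username) < MIN_LENGTH else []
    if username and len(set(username)) == 1:
        problems.append("all characters identical")
    steps = {ord(b) - ord(a) for a, b in zip(username, username[1:])}
    if len(username) > 1 and steps in ({1}, {-1}):  # abcdef, 123456 (654321 too)
        problems.append("characters are sequential")
    return problems

def secret_key_problems(key: str) -> list:
    problems = ["shorter than six characters"] if len(key) < MIN_LENGTH else []
    if not (re.search(r"[A-Za-z]", key) and re.search(r"[0-9]", key)):
        problems.append("needs both letters and numbers")
    mixed_case = re.search(r"[a-z]", key) and re.search(r"[A-Z]", key)
    if not (mixed_case or re.search(r"[^A-Za-z0-9]", key)):
        problems.append("needs upper and lower case letters, or a special character")
    return problems

class AccessAccount:
    # Forced key change on first login; lock after MAX_FAILED_ATTEMPTS consecutive
    # wrong keys; unlock only once the customer has been re-authenticated.
    def __init__(self, secret_key: str):
        self._key, self.failed, self.locked, self.first_login = secret_key, 0, False, True

    def login(self, secret_key: str) -> str:
        if self.locked:
            return "locked"
        if not hmac.compare_digest(self._key.encode(), secret_key.encode()):
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_ATTEMPTS
            return "locked" if self.locked else "rejected"
        self.failed, first = 0, self.first_login
        self.first_login = False
        return "change-secret-key" if first else "ok"

    def unlock(self, customer_authenticated: bool) -> bool:
        if customer_authenticated:
            self.locked, self.failed = False, 0
        return not self.locked

def lockout_outcome(wrong_attempts: int) -> str:
    account = AccessAccount("Abc123")  # constructed sample secret key
    for _ in range(wrong_attempts):
        account.login("not-the-key")
    return account.login("Abc123")  # what a correct login returns afterwards
```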
What are the general principles of ensuring safety and security of information technology systems for providing Internet Banking services?
According to Article 3 of Circular 35/2016/TT-NHNN as amended by Clause 1, Article 1 of Circular 35/2018/TT-NHNN, the general principles of ensuring the safety and security of information technology systems for providing Internet Banking services are as follows:
- The Internet Banking system is an important information system according to the State Bank's regulations on information system safety in banking activities.
- Ensure the confidentiality and integrity of customer information; ensure the availability of the Internet Banking system to provide continuous service.
- Customer transaction information is assessed for risk level based on customer group, transaction type and transaction limit, and on that basis appropriate authentication measures are provided for customers to choose from. The authentication measures must meet the following:
+ Apply at least multi-factor authentication when changing customer identification information;
+ Apply authentication measures for each customer group, transaction type, transaction limit according to the decision of the Governor of the State Bank from time to time;
+ For multi-step transactions, apply at least authentication at the final approval step.
- Conduct periodic annual security evaluations and assessments of the Internet Banking system.
- Regularly identify risks and the threats that cause them, promptly determine the causes of risks, and promptly take measures to prevent, control and handle risks in providing banking services on the Internet.
- Information technology infrastructure equipment for providing Internet Banking services must have clear copyright, origin, and provenance.
For equipment that is nearing end-of-life and will no longer be supported by the manufacturer, the unit must have an upgrade or replacement plan in line with the manufacturer's notice, so that the infrastructure equipment can run the latest software version.
Decision 2345/QD-NHNN in 2023 is effective from July 1, 2024.
LawNet