From July 1, 2024, will customers be authenticated with the biometric identifier before making the first transaction using the mobile banking app in Vietnam?

From July 1, 2024, will customers be authenticated with the biometric identifier before making the first transaction using the mobile banking app in Vietnam? - T.A (Hanoi)

From July 1, 2024, will customers be authenticated with the biometric identifier before making the first transaction using the mobile banking app in Vietnam?

On December 18, 2023, the Governor of the State Bank of Vietnam issued Decision 2345/QD-NHNN on the application of safety and security measures to online payment and card payment.

Credit institutions, foreign bank branches (FBBs), organizations providing payment services shall, in accordance with the categorization in Decision 2345/QD-NHNN, apply authentication methods to online payment (internet banking, mobile banking) as follows:

Specifically, credit institutions, FBBs, organizations providing payment services shall implement solutions for minimizing online payment risks as follows:

Before an individual customer makes the first transaction using the mobile banking app or before making a transaction using a device that is different from the latest device on which the mobile banking app was used, the customer must be authenticated:

- Using the customer's biometric identifier that: (i) matches the biometric data in the customer's ID card issued by the police authority; or (ii) is authenticated by the customer's electronic identification account created by the electronic identification and authentication system; or

- Using the customer's biometric identifier that matches the customer's biometric data in the biometric database, combined with SMS/Voice OTP or OTP generated by soft/hard token.

Send notifications of the first login into the Internet Banking/Mobile Banking app, or of a login into the Internet Banking/Mobile Banking app on a device that is different from the latest device, via SMS or another channel registered by the customer (email, phone number, etc.).

Store information about the devices that are used by customers to make online transactions and transaction authentication logs for at least 3 months.

- Mandatory device information includes:

+ For mobile devices: unique identifier of the device, e.g. IMEI, Serial, WLAN MAC, Android ID, etc.

+ For computers: MAC address or other device identifiers via the application programming interface (API) of the operating system.

- The authentication log shall contain the following information: authentication methods, authentication times, codes of authenticated transactions, customers' codes.


What are the risk minimization solutions for providers of card payment services in Vietnam?

Pursuant to Article 3 of Decision 2345/QD-NHNN, providers of card payment services shall implement the following risk minimization solutions:

- Send notifications of transactions via SMS or emails.

- Set daily transaction limits.

- Allow users to enable/disable online transactions.

- Set daily online card payment limits.

- Allow users to enable/disable overseas payment (except for online transactions).

- Apply 3D Secure protocol (or an equivalent protection method) to online payment by international cards.

What are the online payment authentication methods in Vietnam?

Based on Appendix 02 issued with Decision 2345/QD-NHNN, online payment authentication methods include the following:

| No. | Method | Description |
|---|---|---|
| 1 | SMS/Voice/Email OTP | When an online payment is made, the Internet Banking/Mobile Banking will send an OTP via SMS (SMS OTP), call (Voice OTP) or email (Email OTP), as registered by the customer. The customer will then enter the OTP on the online payment interface to complete the payment process. |
| 2 | OTP Matrix Card | The matrix card has a two-dimensional table of rows and columns, which provides an arrangement of OTPs. When an online payment is made, the Internet Banking/Mobile Banking will send a notification of the row and column numbers on the matrix card. The customer will then enter the corresponding OTP to complete the payment process. |
| 3 | Basic OTP generated by soft token | The OTP-generating software (soft token) is usually installed on a handheld device that has been registered with the payment service provider. Basic OTPs will be periodically generated and synchronized with the online payment system of the payment service provider. When an online payment is made, the Internet Banking/Mobile Banking will require the customer to enter the OTP generated by the soft token. The customer or the software will enter the OTP on the online payment interface, then the customer will give a confirmation to complete the payment process. |
| 4 | Advanced OTP generated by soft token | The soft token is usually installed on a handheld device that has been registered with the payment service provider. Advanced OTPs will be generated in combination with the transaction code (transaction signing). When an online payment is made, the Internet Banking/Mobile Banking will generate a transaction code and notify the customer. Then the customer or the software will enter the transaction code into the soft token, which will generate an OTP. The customer or the software will then enter the OTP on the online payment interface. Next, the customer will give a confirmation to complete the payment process. |
| 5 | Basic OTP generated by hard token | An OTP token is a device that generates OTPs. Basic OTPs will be periodically generated and synchronized with the online payment system of the payment service provider. When an online payment is made, the Internet Banking/Mobile Banking will require the customer to enter the OTP generated by the hard token to complete the payment process. |
| 6 | Advanced OTP generated by hard token | Advanced OTPs will be generated by the hard token in combination with the transaction code (transaction signing). When an online payment is made, the Internet Banking/Mobile Banking will generate a transaction code and notify the customer. Then the customer will enter the transaction code into the hard token, which will generate an OTP. The customer will then enter the OTP on the online payment interface to complete the payment process. |
| 7 | Two-factor authentication | When an online payment is made, the Internet Banking/Mobile Banking will send an authentication request to the customer's mobile device by a call, USSD or dedicated software. The customer will respond directly through this channel to confirm or deny the transaction. |
| 8 | Biometrics | When an online payment is made, the Internet Banking/Mobile Banking will require the customer to present his/her forgery-proof biometric identifier, such as face, finger veins, hand veins, fingerprint, iris, voice. |
| 9 | FIDO | Authentication standards established by FIDO Alliance (more at Fidoalliance.org). When an online payment is made, the Internet Banking/Mobile Banking will require the customer to authenticate using a U2F/UAF device (connected via a USB port, Bluetooth or NFC), authentication software on the smartphone, or a FIDO2-compatible browser. After authentication using an access code or biometric identifier, the U2F/UAF device or software will automatically communicate with the browser and the server to authenticate the address of the internet banking website and the transaction. |
| 10 | Safe digital signature | When an online payment is made, the Internet Banking/Mobile Banking will require the customer to use the safe digital signature registered with the payment service provider. Safe digital signatures include a secured digital signature or a recognized foreign digital signature as prescribed by law. |
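The difference between the basic OTP (methods 3 and 5) and the advanced, transaction-signing OTP (methods 4 and 6) can be shown in code. The following is an added example, not part of the Decision or of any bank's implementation: the Decision prescribes no algorithm, so the RFC 4226/6238-style HMAC construction, the 30-second window, the key and the transaction codes here are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per OTP window (assumed; the Decision sets no value)

def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: HMAC bytes -> fixed-length decimal OTP."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def basic_otp(key: bytes, now: int) -> str:
    """Methods 3 and 5: the OTP depends only on the shared key and the time."""
    window = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(key, window, hashlib.sha1).digest())

def advanced_otp(key: bytes, now: int, txn_code: str) -> str:
    """Methods 4 and 6: the transaction code is part of the MAC input."""
    msg = struct.pack(">Q", now // STEP) + b"|" + txn_code.encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())

def verify_basic(key: bytes, now: int, otp: str) -> bool:
    """Server check for a basic OTP; it cannot tell which payment was meant."""
    return hmac.compare_digest(basic_otp(key, now), otp)

def verify_advanced(key: bytes, now: int, txn_code: str, otp: str,
                    drift: int = 1) -> bool:
    """Server check: accept only an OTP computed over this transaction code,
    allowing +/- `drift` windows of clock skew between token and server."""
    return any(
        hmac.compare_digest(advanced_otp(key, now + d * STEP, txn_code), otp)
        for d in range(-drift, drift + 1)
    )

if __name__ == "__main__":
    key = b"12345678901234567890"  # constructed key (the RFC 4226 sample secret)
    now = 59                       # constructed timestamp
    otp = advanced_otp(key, now, "TXN-1001")  # hypothetical transaction code
    print("basic OTP:", basic_otp(key, now))
    print("same transaction:", verify_advanced(key, now, "TXN-1001", otp))
    print("other transaction:", verify_advanced(key, now, "TXN-9999", otp))
```

A basic OTP verifies for whatever payment is submitted during its time window, while the advanced OTP verifies only for the transaction code it was computed over.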

Decision 2345/QD-NHNN takes effect from July 1, 2024, replacing Decision 630/QD-NHNN of 2017.

For specially controlled credit institutions, the application period of the provisions in Article 1 and Article 2 of Decision 2345/QD-NHNN is from January 1, 2025.

LawNet
