Accordingly, the credit institutions, the foreign bank branches, and the intermediary payment service providers are required to apply verification measures to the online transactions via internet banking and mobile banking on the basis of the categorization of the transactions as stipulated in this Decision.
The credit institutions, the foreign bank branches, and the intermediary payment service providers are required to apply the following measures to minimize the risks in online payments:
For individual customers, before making the first transaction via Mobile Banking, or making a transaction on a different device from the one on which the last mobile banking transaction was made, the customer must be authenticated as follows:
By the customer's biometric identification features, which: (i) match the biometric data stored in the chip of the customer's citizen identification card issued by the competent public security agency; or (ii) match the authentication of the customer's electronic identification account created by the electronic identification and authentication system;
Or by the customer's biometric identification features, which match the biometric data stored in the collected and verified customer biometric database, combined with the OTP authentication method sent via SMS/Voice or Soft OTP/Token OTP.
In addition, a notification must be sent to the customer, via an SMS message or other channels registered by the customer (email, phone, ...), about the first account login via the Internet Banking/Mobile Banking app, or a login via the Internet Banking/Mobile Banking app on a different device from the one used for the last login.
In addition, the credit institutions, the foreign bank branches, and the intermediary payment service providers are required to store the information about the device(s) used for the customer's online transactions, and the transaction authentication logs, for at least 3 months.
The Decision clearly stipulates that the card payment service providers are required to implement the solutions to mitigate the risks, specifically as follows:
Notifying the customer of the transaction via an SMS message or email.
Setting daily transaction limits.
Setting up the feature to enable/disable online payments.
Setting limits for daily online card payments.
Setting up the feature to enable/disable overseas payments (except online transactions).
Implementing the 3D Secure authentication solution (or equivalent) for online payments using international cards.
This Decision takes effect from July 1, 2024 and shall replace Decision No. 630/QD-NHNN dated March 31, 2017 of the SBV Governor promulgating the Plan for the application of the solutions to ensure safe and sound online payments and bank card payments. For the specially controlled credit institutions, this Decision will be effective from January 1, 2025.
Source: SBV