Indochine Counsel

Intermediary payment services (IPS) are regulated and licensed by the State Bank of Vietnam. In providing these services there are additional responsibilities for the protection of safety and confidentiality of data and information. These provisions are outlined in Circular 35/2016/TT-NHNN dated 29 December 2016 (Circular 35).

Intermediary payment services

Intermediary payment services (IPS) are regulated and licensed by the State Bank of Vietnam. IPS include very specific activities, namely:

  1. e-payment infrastructure supply services, including:
    1. Switching service;
    2. Electronic clearing service;
    3. Online payment portal service.
  2. Services supporting payment services, including:
    1. Authorized collection or payment service;
    2. Online money transfer service;
    3. E-wallet service.

All of these services require a license from the SBV and there are currently more than forty licenses granted in Vietnam. But in providing these services there are additional responsibilities for the protection of safety and confidentiality of data and information. These provisions are outlined in Circular 35/2016/TT-NHNN dated 29 December 2016 (Circular 35).

Circular 35 applies to all IPS conducted on the internet. For purposes of developing servers and host databases for information, Circular 35 divides the areas of relevant information into several zones that include an internet connection zone, demilitarized zone (DMZ), user zone, management zone, server zone. Depending on the role of the function in question it may be placed in various zones. For example, computers in service of providing information on the Internet are to be placed in the DMZ and those involved with hosting and data processing in the server zone. All outside connections must go through the DMZ before connecting with any internal zones.

Servers must be able to reach 80% of their stated efficiency and must be kept separate from servers belonging to other zones. Backup servers must be made available to ensure continuous service. Databases must be updated hourly and backed up to a Disaster Recovery Center. Software used in conducting IPS must be checked by the provider, the code provided by the original programmer must be tested, and procedures must be set out for dealing with errors if and when they occur. Further requirements apply to any update or change to the program, to ensure that the update does not unduly affect the operation of the IPS. All data transmitted on the internet must use end-to-end encryption, and all transactions on the IPS must be authenticated using two-factor authentication.

When IPS uses mobile applications there are additional requirements. In addition to confirming the link used for accessing the app, the app must be protected so as to prevent reverse engineering and all logins to the app must be monitored and confirmed. If a user enters the incorrect password five times or more then the app must temporarily block the user from accessing the app.

Internet access to IPS must be through a login and password, and passwords must meet certain minimum requirements. The password must be at least 6 characters long, include both letters and numerals, and contain either a mix of uppercase and lowercase letters or special symbols. Passwords must be changed at least every 12 months.

When conducting two-factor authentication the OTP message must include an indication of the OTP’s purpose and expire within five minutes of its receipt. Additional requirements apply if providing an OTP matrix card or OTP generator on a mobile device. When the IPS allows for digital signatures, they must comply with relevant laws on digital signatures and authentication of the same.
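The three paragraphs above describe concrete control points (mobile-app lockout after five failed passwords, the password policy and 12-month rotation, and OTP messages that state their purpose and expire within five minutes). The following is an added example, not code from the article and not an official implementation of Circular 35, that models those checks as small testable functions. It assumes one reading of the password rule (letters and numerals required, plus either mixed case or a special symbol), treats "12 months" as 365 days, and picks a 15-minute lockout period, which the Circular does not specify.

```python
# Added example: models the control points described in the text as checks.
# Not the article's code and not an official Circular 35 implementation.
import string
from datetime import datetime, timedelta

PASSWORD_MIN_LENGTH = 6                  # "at least 6 characters"
PASSWORD_MAX_AGE = timedelta(days=365)   # "changed at least every 12 months" (365 days assumed)
MAX_FAILED_LOGINS = 5                    # block after "five times or more"
LOCKOUT_PERIOD = timedelta(minutes=15)   # length of the temporary block: assumption, not from the Circular
OTP_LIFETIME = timedelta(minutes=5)      # "expire within five minutes"


def password_meets_policy(password: str) -> bool:
    """One reading of the rule: >= 6 chars, at least one letter and one digit,
    and either both upper- and lowercase letters or at least one special symbol."""
    if len(password) < PASSWORD_MIN_LENGTH:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_letter and has_digit and ((has_upper and has_lower) or has_special)


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the maximum age and must be rotated."""
    return now - last_changed > PASSWORD_MAX_AGE


class LoginThrottle:
    """Counts consecutive failed logins per user and blocks the user temporarily.
    State is kept in memory here; a real deployment would keep it server-side
    in shared storage so that attempts spread over several app servers still count."""

    def __init__(self):
        self._failures = {}       # user -> consecutive failed attempts
        self._blocked_until = {}  # user -> datetime when the block lifts

    def is_blocked(self, user: str, now: datetime) -> bool:
        until = self._blocked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Block has expired: clear the state so the user gets a fresh allowance.
            del self._blocked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register one failed attempt; returns True if the user is now blocked."""
        if self.is_blocked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_FAILED_LOGINS:
            self._blocked_until[user] = now + LOCKOUT_PERIOD
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(user, None)


def otp_message(purpose: str, code: str) -> str:
    """The OTP text must state what the code is for, so a user can notice
    when a code arrives for an action they did not initiate."""
    minutes = int(OTP_LIFETIME.total_seconds() // 60)
    return f"OTP for {purpose}: {code}. Valid for {minutes} minutes."


def otp_valid(issued_at: datetime, now: datetime) -> bool:
    """Accept the OTP only inside its lifetime; a timestamp in the future is rejected too."""
    return timedelta(0) <= now - issued_at <= OTP_LIFETIME
```

The checks take the current time as a parameter rather than calling the clock internally, which keeps them deterministic and easy to test; `otp_valid` rejects negative ages so that a clock-skewed or forged issue time cannot extend the window.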

Circular 35 contains requirements related to personnel staffing in an IPS service provider. They must have staff specifically tasked with the supervision of the system’s operation who can deal with technical incidents and network attacks. They must receive annual training to ensure they are capable of handling the safety and confidentiality of the system. There must also be staff who are tasked to deal directly with customers and who are to contact customers promptly upon detecting unusual transactions. And the staff in charge of authenticating accounts and administering them must be separate from the staff involved with issuing accounts.

The IPS provider must ensure the system against vulnerabilities and weaknesses by taking the following actions:

  1. Adopt measures for preventing, combating, and detecting changes to the website and Internet Banking application.
  2. Establish mechanisms to discover, prevent and combat intrusion or attacks against the Internet Banking system.
  3. Cooperate with regulatory agencies and information technology partners to promptly discover incidents and cases of system failure or insecurity, so that preventative measures can be implemented without delay.
  4. Review and inspect patch updates for the system software, database management system and application at least quarterly.
  5. Assess the security and confidentiality of the Internet Banking system at least annually, and carry out attack drills to assess the system's level of security.

The internet banking system must be monitored by approved personnel and all access points to the management and supervision of the system must be kept in a separate control room that is only accessible upon approval of authorized personnel. Any remote access to this equipment must be through two-factor authentication. Specific criteria must be established for logging details that signal an unusual transaction. A mechanism must be in place for monitoring and reporting violations or incidents of confidentiality in the system.

In order to prevent interruption of services, the IPS provider must set in place procedures for dealing with threats to the continuous operation of the services. This must include proactive identification of threats and for those classified as medium or high-level risks provide for specific actions to prevent them from occurring. Personnel, equipment, and financial resources must be allocated to ensure the continuous operation of the system and regular drills must be practiced in order to prepare for any possible interruption.

Information Provision

The IPS service provider must provide customers with the following information upon registering an account:

  1. Method of providing services: on the Internet, via mobile equipment or via telecommunications; and the method of accessing Internet Banking services for each type of equipment (Internet, mobile equipment or telecommunications equipment);
  2. Transaction limits and transaction authentication measures;
  3. Necessary conditions for equipment to use services: OTP generator, mobile phone number, email, digital certificate, mobile equipment to be installed with the software;
  4. Risks in connection with using Internet Banking services;
  5. A contract that contains:
    1. Rights and obligations of the client when using Internet Banking services;
    2. Responsibility of the service provider for the confidentiality of the client’s personal information; method of collecting and using the client’s information; commitment not to sell or disclose the client’s information;
    3. Commitment to ensuring the continuous operation of the Internet Banking system;
    4. Other contents in terms of Internet Banking services (if any).

Sensitive information of customers must be encrypted, and safeguards must be put in place to ensure that the information collected is not abused. Access to customers' data must be limited to relevant personnel. Procedures must also be put in place for controlling access to the physical servers where databases containing sensitive customer information are stored.

This is not a comprehensive list but covers most of the requirements that IPS providers must satisfy when dealing with cybersecurity and confidentiality issues on their internet and mobile payment service platforms. It is important to ensure that at the very least these standards are met so as to protect the provider from legal action and to maintain the privacy and safety of customer information, particularly as IPS providers deal in sensitive information related to financial accounts.
