In the wake of new advances in science and technology that pose challenges to security and confidentiality, the State Bank of Vietnam (SBV) is drafting amendments to Circular 47/2014/TT-NHNN with new technical regulations on security and confidentiality for the card payment system.
Under the changes, banks and payment intermediaries will need to withdraw, remove or deactivate unused, expired or inactive accounts after 90 days, or accounts that are not activated within the required period.
Card numbers must also be kept confidential by displaying only the first six and the last four digits.
Access to the full information will be allowed only to employees who have the authority to perform certain procedures, to the authorities, and to the cardholders themselves.
Banks, card payment organisations and payment intermediaries will no longer be allowed to provide intranet addresses and routing information to other organisations without authorisation, and should take measures to protect such information when connecting with third parties.
In addition, workstations must not have access to card data which is not concealed or encrypted.
For payment equipment, all remote administration access connections should be encrypted using strong encryption to minimise cybersecurity risks.
To ensure security, banks and payment intermediaries will need to review software technology at least once a year. If it is no longer supported or does not meet security requirements, it must be repaired or replaced.
Access to all card payment systems must be verified using at least one of these methods: secret password, device, authentication card, biometrics.
The SBV said the provisions under Circular 47 were technical requirements for equipment security serving the card payment system and would not affect bank customers' accounts.
Source: Vietnam News Agency