Document from CIS Legislation database © 2003-2024 SojuzPravoInform LLC

LETTER OF CENTRAL BANK OF THE RUSSIAN FEDERATION

of August 5, 2013 No. 146-T

On recommendations for raising the level of security when providing retail payment services using the Internet

The Bank of Russia issues the recommendations for raising the level of security when providing retail payment services using the Internet (hereinafter, the Recommendations).

Territorial offices of the Bank of Russia are to bring this letter to the attention of credit institutions.

This letter is subject to official publication in the Bulletin of the Bank of Russia.

Vice-chairman of the Bank of Russia

T. N. Chugunova


Appendix

to the letter of the Bank of Russia of August 5, 2013 No. 146-T

Recommendations for raising the level of security when providing retail payment services using the Internet

These Recommendations are intended for use by credit institutions acting as money transfer operators (hereinafter, money transfer operators) and by the bank payment agents they engage, for the purpose of raising the level of security when providing retail payment services using the Internet.

1. Money transfer operators are recommended, within their risk management systems, to analyse the risks of information security violations connected with providing retail payment services using the Internet (hereinafter, the Internet), taking into account, among others, the following factors:

threats of information security violations when providing retail payment services using the Internet;

results of the assessment of vulnerabilities identified in the software, hardware and technologies used to provide services to clients using the Internet;

the set of organisational information protection measures, software, hardware and technologies, as well as the information-protection-related functionality of electronic means of payment (characteristics and capabilities of electronic means of payment that can prevent or hinder unauthorised transactions), applied by the money transfer operator when providing retail payment services using the Internet (hereinafter, information protection measures);

information protection measures whose application the money transfer operator has made mandatory and communicated to the client (for example, the authentication means provided to the client by the money transfer operator);

transfer of functions of the money transfer operator to outsourcing <1>;

--------------------------------

<1> For the purposes of these Recommendations, outsourcing means the transfer to third parties, on a contractual basis, of the performance of individual functions of the money transfer operator, for example the system administration or call centre function.

data from surveys and other research aimed at obtaining information on clients' awareness of information protection measures when using services via the Internet.

2. Money transfer operators are recommended to review the results of the risk analysis:

on a regular basis and in full (at least once every two years);

when factors affecting the risk analysis change or arise, for example when the process of providing retail payment services using the Internet is modified;

by decision of the head of the money transfer operator and of the persons responsible for information protection when carrying out money transfers;

when significant changes are made to the set of organisational information protection measures, or to the composition or configuration of the technical information protection means, software and hardware used to provide retail payment services using the Internet.

3. Money transfer operators are recommended to take the results of the risk analysis into account when determining how often to check that information protection measures are being applied.

Money transfer operators are recommended, where necessary based on the results of the risk analysis, to change the information protection measures they use. If changing the set of applied information protection measures cannot provide the necessary level of security when providing retail payment services, or such changes cannot be made for technical or economic reasons, it is recommended to implement compensating information protection measures (for example, to use technologies with a different set of inherent risks, and so on) and to perform a risk analysis to confirm that the necessary level of security is provided.

4. Money transfer operators are recommended to carry out work aimed at raising the financial literacy of clients, including informing clients about measures that raise the level of security when receiving retail payment services using the Internet, including the use of software, technical or organisational measures (for example, antivirus software, personal identifiers, and so on).

This work may be carried out on a regular basis (at least once every two years) and/or when the factors specified in item 2 of these Recommendations arise, including at the stage of concluding the contract between the client and the money transfer operator.

5. When providing a client with technical information protection means for receiving retail payment services using the Internet, money transfer operators are recommended to apply measures that guarantee the integrity and authenticity of those means during their delivery to the client.

6. When providing retail payment services to clients using the Internet, money transfer operators are recommended to use, among other things:

multi-factor authentication <1>;

--------------------------------

<1> For the purposes of these Recommendations, multi-factor authentication means authentication that uses two or more authentication factors. Authentication factors include: possession of an object or device (for example, a personal identifier), knowledge of certain information (for example, a password), and possession of certain permanent inherent properties (for example, fingerprints).

dynamic client authentication (that is, authentication in which, at one of its stages, a password (confirmation code) with a limited validity period and a limited number of uses is used);

confirmation of transactions by means of one-time passwords (confirmation codes); the passwords (confirmation codes) must be delivered to the client together with information about the transaction being made (for example, the transaction amount, the recipient, and so on) and must be delivered over an alternative communication channel, for example via SMS.
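The transaction-bound confirmation code described in item 6, as an added illustration that is not part of the letter or of any operator's system: the code has a limited validity period and a limited number of verification attempts, is delivered together with the amount and recipient, and is accepted only for the exact transaction it was issued for. The class, its parameters and the message text are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingConfirmation:
    code: str           # the one-time confirmation code
    amount: str         # transaction details the code is bound to
    recipient: str
    expires_at: float   # limited validity period (item 6)
    attempts_left: int  # limited number of uses (item 6)


class ConfirmationCodes:
    """Issues and checks transaction-bound one-time codes (assumed design, not an operator's code)."""

    def __init__(self, ttl_seconds=120, max_attempts=3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock      # injectable clock so expiry can be tested deterministically
        self.pending = {}       # transaction id -> PendingConfirmation

    def issue(self, txn_id, amount, recipient):
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
        self.pending[txn_id] = PendingConfirmation(
            code, amount, recipient, self.clock() + self.ttl, self.max_attempts)
        # Text for the alternative channel (e.g. SMS): the code is shown next to the amount and
        # recipient so the client can notice a tampered transaction before confirming it.
        return f"Code {code} confirms transfer of {amount} to {recipient}. Do not share this code."

    def verify(self, txn_id, amount, recipient, presented_code):
        entry = self.pending.get(txn_id)
        if entry is None:
            return False                    # unknown, already used or already invalidated
        if self.clock() > entry.expires_at:
            del self.pending[txn_id]        # validity period elapsed: drop the code entirely
            return False
        entry.attempts_left -= 1
        # The code is valid only for the exact transaction it was issued for; compare in constant time.
        ok = (entry.amount == amount and entry.recipient == recipient
              and hmac.compare_digest(entry.code, presented_code))
        if ok or entry.attempts_left <= 0:
            del self.pending[txn_id]        # one-time on success; invalidated after too many failures
        return ok
```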

7. Money transfer operators are recommended to inform the client of all unsuccessful attempts to access retail payment services using the Internet and to give the client the ability to suspend or otherwise restrict access to those services.

Disclaimer: this text was translated by an AI translator and is not a valid juridical document. No warranty. No claim.