Banking online BBVA Business: what security measures includes?

These are the guidelines that you allow protect your operations.

The service

1. Manager of users:

BBVA Business is an application multiuser. It has multiple user profiles that the company can allocate to its staff according to its operational structure.

A profile specific, Manager of Users, defines and manages the users of the company in BBVA Business. Can exist one or several Managers of Users and have different levels of delegation (without be able to or with be able to solidary or joint). Every user is allocated a profile that is defined with the most possible detail.

To authorize transactions, the options are:

  • Without be able to: not able to authorize transactions.
  • Proxy: may be joint and several or joint.

This structure allows a group of users as restrictive as the company wishes, in order to guarantee at all times that:

  • Accesses just to the services and accounts that establishes the Manager of Users.
  • Can carry out just those enquiries and operations that you authorizes the Manager of Users.
  • They may or may not have powers to authorize transactions.
  • There is a monetary limit according to transaction and account, as defined by the administrator.
  • Only if is Manager of Users be able to consult, as well as your profile, the relationship of defined users in your company, your profiles, the access to services and the powers that have assigned.

2. Activity control:

The users can carry out a tracking of the operatoria of the company in BBVA Business through:

  • The “Statistics” unit (signatures and files: Statistics): view transactions in a given period.
  • “Audit orders” (Signatures and files: Signature and follow-up of files): monitoring of the operations of each user of the entity.
  • “Audit users” (Administration: Audit): reflects what actions has carried out each of the Managers of Users within the circuit of users.

3. Credentials of user:

As mechanism of authentication reinforced, BBVA Business adds the double factor of security in the access. Every 90 days, be necessary that, as well as your code of company, user and password, introduce the code generated for your device of security or token (if not have one, receive the double factor via email). In the case of access BBVA Business from the app: the token is comprehensive and the double factor been worth automatically, without need of introduce no code additional to the already usual.

  • Although the passwords not expire, you recommend modify them every month.
  • The password must be 8 alphanumeric characters, to make it harder to crack.
  • Passwords are stored through irreversible encryption in specialist user and identity management systems, so that they cannot be obtained or determined.

The password must be changed upon the first access: for prevent the suplantación of the user, in your first connection to BBVA Business, you requires that modify your access password.

Blockade of users:

  • The error in the introduction of the user or the password necessary to BBVA's activation Business in a repeated way, causes the blockade of your account, that not be able to be activated until BBVA not generates a new key of activation.
  • In the case of the access password, after several unsuccessful attempts the user is blocked.
  • The error in the introduction of the generated safety code for your device of security five times consecutive, causes the blockade of the token in BBVA Business.
  • The Manager of Users has autonomy for block the access or give of cancellation to the users of your company, so, before any cancellation of an employee, the access can be immediately revoked.

4. Identification and authentication:

Traceability of transactions: accesses and completed transactions are recorded in automated transaction records that collect the completed transaction, the date and time thereof and the user that executed it, to determine the validity of the recorded transactions.

Information on the last connection:

  • If the user enters for the first time, BBVA Business it point out.
  • On successive log-ins, BBVA Net Cash will show the user the date and time of their last connection.

Cookies active only while you are logged in: the cookies that place in the operating system of the user, necessary to the navigation of sure way by any website, are active just during the connection to BBVA Business and are erased when the user disconnects from the application.

Automatic timeout: as additional action of security in BBVA Business, to the 5 minutes of inactivity or to the 60 of session, proceeds to finish the session of the user and disconnect it of the system.


1. Confidentiality and integrity

Of all user credentials:

  • All user passwords are encrypted and stored on specialist user and identity management systems, making it impossible to obtain or guess them.
  • BBVA's operative procedures not require that nobody in the bank has the operational passwords of your customers, so nobody the knows nor you the request personally.

Of the communications:

  • BBVA transaction and remote banking services communications are encrypted using SSL protocol to secure the confidentiality and integrity of online communications.
  • In addition, sensitive communications in BBVA's internal networks are appropriately protected according to the operative environment and protocol used.

Of the information:

  • The information stored in systems and internal databases is protected by various security systems, and access is permitted only to authorized employees.
  • BBVA has an automated management system of information access privileges that guarantees controlled access that is restricted to authorized personnel.
  • In BBVA, the protection of the details is one of our main priorities. For this reason, guarantee that the personal information is agreement with the current legislation with regard to data protection. Moreover, have security measures that guarantee the privacy of any information exchange between the customer and the bank.

2. Physical security of Data Processing Centers

The Centers of Data processing of BBVA are equipped of wide physical security measures for the protection of the systems of data processing, emphasizing, among others, the following ones:

  • CPD Tier IV Gold on operational sustainability.
  • Individual monitoring of entry to the site and different technical rooms, with hazard detection systems.
  • Human assets of physical vigilance and videovigilance of the perimeter and the hinterland of the facilities in regime of 24x7.
  • Specific detection and protection systems for intruders, fire, flood, power cuts and other disasters.

By having two fully operational Data Processing Centers, BBVA guarantees information safeguarding and recovery should it ever be necessary.

3. Monitoring

BBVA has systems of monitoring operated for a group of specialists in regime of 24x7 for the detection of possible frauds. If detect some operation suspicious we will get in touch with you for confirm it. 

Measures for the user

Protection of the credentials 

  • Uses passwords complex and difficult of find out that contain upper cases, minuscules and numbers interspersed.
  • The passwords are secret; not the share with nobody and change them in a periodical way.
  • Not jottings your passwords in pósits or notebooks; memorize them or uses managers of passwords specialized.
  • In computers shared or connected to nets wifi public, not introduce your credentials of access in no service online nor facilitate personal details, as postal address, telephone, etc.
  • Avoids introduce personal your details in a website to the one which have accessed through a mail. If the know, is preferable that access she keying in the address in the web browser.
  • Not use the option of “autocomplete passwords” of your web browser. If is installed, the passwords that introduce in a website are stored in the computer and, when introduce again your user, the field of password fills in automatically. This option in an use computer shared can cause that someone uses your personal passwords.
  • Remembers that BBVA never you request your information banking for email or text message, so not owe give information banking for no system of communication, including the emails personalized with BBVA logo copied, the mailslots and the text message where the issuer looks be BBVA, phone calls in which the interlocutor looks be employee of BBVA, etc.).
  • In the event of receive a message requesting your personal passwords, not facilitate no detail and put on immediately in touch with BBVA's customer service Business: 91 224 98 02 

Protection of the devices

  • Reinforces the security of your devices, whether your personal computer or your cell phone, and keep updated the operating system, the web browser and the applications. This combination can avoid you many problems economic.
  • Installs and keep updated a program antimalware. Likewise, you recommend verify the documents received from the exterior with an antivirus software, that also owes be always updated and in operation.
  • Carries out periodically backups (backup) of your files; this practice you allow recover them if could not have access to they for a mistake in the device or for cause purposive (for example, for an attack of ransomware).
  • Not connect no external device of origin doubtful or stranger, as a pendrive or a hard disk, in your devices.
  • Download programs and applications only of official spaces.
  • Sets up a pattern of unblock or active the access with password in your devices (cell phones, tablets, laptops, etc.) for avoid that a third party can access they.

Navigation sure on the internet

  • Revises good the URL of the websites to which access and make sure that begin always for https.
  • Another indication of that the server is insurance is the presence of a closed padlock (instead of open as in any server not insurance) in the bar navigational.
  • Can check the security certificates of the page in which you are clicking in the icon of the padlock for verify that the expiry date and the authority of the certificate are in force. In the information of detail appears the issuer (Verisign), the period of validity and for who has issued the certificate (BBVA).
  • Revises your accounts periodically for have controlled the movements that carry out in them and the total accumulated. If see some operation that not admit, put on immediately in touch with customer service (or with your manager) for solve it.

Cyber attacks

A type specific to vectored attack to the companies is the so-called «Fraud to the CEO». Is a scam carried out via email in which a cybercriminal supplants to a manager of a company for request to an employee of the department financial that carries out a transfer confidential and urgent. 

As security measures additional to the previous ones you advise:

  • Contact, via telephonic or another channel, with the sender for confirm that really has been he who has requested the operation, but not it do replying to the mail received.
  • Not publish e-mail addresses corporate on the internet nor share them with people that not are of your confidence. 
  • Not share information relating to the flow chart of your company with third parties.

If want expand information on this and other types of computer attacks and how can protect you of they, address to our branch of Computer attacks .