Security recommendations

BBVA takes all measures to ensure secure online banking transactions by means of a Secure Password system.

The PIN of your BBVA card and the access password for BBVA.es are private keys that you must keep safe. They are stored in our internal systems using non-reversible encryption, so that nobody at BBVA can know them.

BBVA will never ask you by e-mail or text message for your BBVA.es credentials or for any other personal or banking details. If you receive a message of this type, please do not provide any information through these channels.

Web browsers offer the option of saving the usernames and passwords of websites that require them. BBVA recommends that you never save your access passwords for our remote banking service on a computer or tablet. These devices can be the target of cyber attacks and your passwords may be exposed.


BBVA recommendations

  • Use complex passwords that are difficult to guess, containing upper-case letters, lower-case letters and interspersed numbers.
  • Passwords are secret: do not share them with anyone and change them periodically.
  • Don't write down your password on post-its or in notebooks; memorize it or use specialist password managers.
  • On shared computers or computers connected to public Wi-Fi networks, do not enter your access credentials or provide personal details such as your postal address, telephone number, etc.
  • Whenever possible, activate two-step authentication on the services that allow it. In addition to your access password, they will ask you for another form of identification (e.g. a code sent to your cell phone). This system adds an extra layer of security to the account.
  • If you receive a text message to confirm a transaction that you have not made, please contact BBVA on 91 224 94 26 to report that a transaction is being made without your consent.

What are phishing and smishing?

Phishing is an attack via email, in which the fraudster sends you an email posing as a business, company or individual in order to obtain your passwords.

Smishing is similar, but via text message or WhatsApp: simply replying is enough for them to gain access to your details.

How can you avoid it?

BBVA will never ask for your banking details through any channel other than our website or our App, so avoid sending them by text message or email.

  • Check that the subject line or body of the message has no misspellings, and always verify that the sender's e-mail address contains bbva.com or bbva.es.
  • Remember that a secure website always starts with https://; be suspicious if the URL is badly written or contains strange characters, such as www.bb-va.informaci%n.com.
  • Set up your alerts in BBVA's App or on bbva.es so that you are notified of any unusual movement in your accounts or cards.
  • And remember that if, after checking all of this, you still have doubts, the best thing to do before clicking on any link or downloading attached files is to call us on 91 224 94 26 to resolve them.
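The sender and link checks listed above, as an added worked example in Python (not BBVA's code): the sender check compares the domain after the @ with bbva.com / bbva.es or a subdomain of them, rather than looking for that string anywhere in the address, and the link check flags URLs that are not https or whose hostname contains characters that do not belong in one. The sample messages inside are constructed.

```python
"""Added example (not BBVA's code): the page's checks on a message's sender
address and links. Sample inputs below are constructed, not real mail."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Domains the page says a genuine BBVA sender address belongs to.
LEGITIMATE_DOMAINS = ("bbva.com", "bbva.es")

# One hostname label: letters, digits and hyphens only, so '%', spaces or
# accented characters inside a hostname fail this test.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_bbva_domain(domain: str) -> bool:
    """True only if the domain *is* bbva.com / bbva.es or a subdomain of one.
    The comparison is anchored at the end of the name: a plain substring test
    would also accept names that merely contain 'bbva.com' somewhere."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def sender_is_legitimate(address: str) -> bool:
    """Apply the page's sender rule to the part after the single '@'."""
    if address.count("@") != 1:
        return False
    return is_bbva_domain(address.split("@")[1])


def url_warnings(url: str) -> List[str]:
    """Return the page's warning signs found in a link (empty list = none)."""
    url = url.strip()
    # The page's own example has no scheme; parse it as scheme-less so the
    # hostname is still inspected (it is then reported as 'not https').
    parsed = urlparse(url if "://" in url else "//" + url)
    warnings = []
    if parsed.scheme != "https":
        warnings.append("not https")
    host = (parsed.hostname or "").rstrip(".")
    if not host:
        return warnings + ["no hostname"]
    if any(not _LABEL.match(label) for label in host.split(".")):
        warnings.append("strange characters in hostname")
    if not is_bbva_domain(host):
        warnings.append("hostname is not a BBVA domain")
    return warnings


def check_message(sender: str, links: List[str]) -> Dict[str, object]:
    """Combine both checks for one message; 'suspicious' is True if any fails."""
    link_findings = {u: url_warnings(u) for u in links}
    sender_ok = sender_is_legitimate(sender)
    return {
        "sender_ok": sender_ok,
        "links": link_findings,
        "suspicious": (not sender_ok) or any(link_findings.values()),
    }


if __name__ == "__main__":
    # Constructed samples: one genuine-looking alert and one lookalike.
    for sender, links in [
        ("alertas@bbva.es", ["https://www.bbva.es/"]),
        ("alertas@bbva.es.example", ["www.bb-va.informaci%n.com"]),
    ]:
        print(sender, check_message(sender, links))
```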

BBVA takes all measures to ensure secure banking transactions with your BBVA Cards.

You can activate the Online Banking services, BBVA.es, Telephone Banking and Contact BBVA, at any time just with the 16 digits of your BBVA Card and the PIN you use at ATMs (this PIN is personal and should be kept secret).

BBVA recommendations

  • Avoid using personal data including significant numbers or dates that can be easily found out, such as your birth date or your registration number, and do not share them with anyone.
  • Report your lost or stolen card immediately. Call us on 91 224 94 26. It is extremely important that you make this call as quickly as possible.
  • When making a purchase online, make sure that the website address begins with https (and not http), that a closed padlock is shown in the navigation bar, and that the company's details, its shipping and refund policy and its cookie policy are displayed in a visible place.
  • Be wary of online stores with offers that seem too good to be true (-70%, -80%). Also, look out for spelling mistakes or low quality images.

As well as the security measures put in place by BBVA, you should also take your own precautions when browsing the internet. This way you will stay safe online and avoid being the victim of a cyber attack.

Some of the most common computer viruses and threats to cybersecurity are:

  • Phishing. Phishing is a cybercrime in which a target is contacted by email by someone posing as a legitimate institution to trick individuals into providing sensitive data such as personal or banking information. The recipient of the email is asked to click on a link in the email and, once in the false page, enter the requested information.
  • Ransomware. Ransomware typically spreads through phishing emails with links that install infected programs or download infected files. This virus prevents users from accessing their system or personal files and demands ransom payment in order to regain access.
  • Trojan Horse. Once inside your computer, a Trojan horse downloads malware to your computer and can enable cyber-criminals to spy on you and steal your sensitive data.

BBVA recommendations

  • Operating systems and applications must always be updated.
  • You must install and maintain a firewall and an antivirus.
  • Be wary of urgent emails informing you that your account has been suspended and you must reactivate it, or an error has occurred on starting the session or emails requesting you to confirm or update information on your account, and other such requests. These mails are frauds. Always remember that BBVA never sends emails or SMSs asking for your confidential personal or financial information.
  • Don’t download files on your computer with .exe, .bat, .rar, .zip or .ini extensions if you don’t trust the sender.
  • Don’t connect any external device to your devices from an unknown sender, such as flash drives or hard drives.
  • Only download applications from official stores, such as Play Store and App Store. You should also check the permissions you give to each of these.
  • In shared computers or computers connected to public Wi-Fi networks, do not use pages that require you to enter your username and password and do not provide personal details.

Measures from BBVA

The service

1. User administration:

BBVA Net Cash is a multi-user application. It has multiple user profiles that the company can allocate to its staff according to its operational structure.

A specific profile, the administrator, defines and manages the company's users in BBVA Net Cash. There can be one or several administrators, and they can have different levels of delegation (no powers, or joint and several or joint powers). Every user is allocated a profile that is defined in as much detail as possible.

To authorize transactions, the options are:

  • No powers: not able to authorize transactions.
  • Authorized rep.: may be joint and several or joint.
  • Auditor: can block even signed-off orders until authorization is obtained.

This structure allows a group of users as restrictive as the company wishes, in order to guarantee at all times that:

  • They each access only the services and accounts determined by the administrator.
  • Only the consultations and transactions authorized by the administrator can be made.
  • They may or may not have powers to authorize transactions.
  • There is a monetary limit according to transaction and account, as defined by the administrator.
  • Only the administrator may see, in addition to their own profile, the list of users in their organization, their profiles, access to services and their allocated powers.

2. Monitoring of activities:

Users can monitor the entity's transactions in BBVA Net Cash through:

  • The “Statistics” unit (signatures and files: Statistics): view transactions in a given period.
  • “Audit orders” (Signatures and files: Signature and follow-up of files): monitoring of the operations of each user of the entity.
  • “Audit users” (Administration: Audit): shows the actions of each administrator within a group of users.

3. User credentials:

BBVA Net Cash features a dual security factor, which basically consists of adding a token to validate users in the group and sign transactions. The system will ask you to enter a six-digit (single use) security code generated by the device. This device can be physical or it can be installed on your mobile phone (by downloading the BBVA Net Cash app).

  • Although the passwords do not expire, we recommend that you change them every month.
  • The password must be 8 alphanumeric characters, to make it harder to crack.
  • Passwords are stored through irreversible encryption in specialist user and identity management systems, so that they cannot be obtained or determined.

The password must be changed upon the first access: to prevent identity theft, when you first connect to BBVA Net Cash, you will have to change your password.

Block user:

  • Failure to correctly enter the username or activation code five times in a row will block the user on BBVA Net Cash and will require BBVA to generate a new activation code.
  • If the password is entered incorrectly three times, the user will be blocked.
  • If the security code generated by the security device is incorrectly entered five times in a row, the user will be blocked from BBVA Net Cash.
  • The user administrator has autonomy to block users from their entity, so if an employee leaves, their access is immediately revoked.
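The blocking rules above, modelled as an added example (not BBVA's implementation): one failure counter per credential with the thresholds the page states, reset by a correct entry, plus the administrator block and the rule that a block caused by the activation code needs a new code from BBVA before the user is reinstated. Counting the three wrong passwords as consecutive attempts is an assumption.

```python
"""Added example (not BBVA's implementation): the BBVA Net Cash blocking rules
described above, as one failure counter per credential type."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Consecutive wrong attempts that block the user, as stated on the page.
# Assumption: the three wrong passwords are counted as a consecutive run too.
LIMITS: Dict[str, int] = {"activation_code": 5, "password": 3, "otp": 5}


@dataclass
class NetCashUser:
    name: str
    failures: Dict[str, int] = field(default_factory=lambda: {k: 0 for k in LIMITS})
    blocked_reason: Optional[str] = None  # None while the user is active

    @property
    def blocked(self) -> bool:
        return self.blocked_reason is not None

    def attempt(self, credential: str, correct: bool) -> str:
        """Record one entry of a credential. Returns 'ok', 'retry' or 'blocked'."""
        if credential not in LIMITS:
            raise ValueError(f"unknown credential type: {credential}")
        if self.blocked:
            return "blocked"                # nothing is accepted once blocked
        if correct:
            self.failures[credential] = 0   # a correct entry ends the run of failures
            return "ok"
        self.failures[credential] += 1
        if self.failures[credential] >= LIMITS[credential]:
            self.blocked_reason = credential
            return "blocked"
        return "retry"

    def admin_block(self, administrator: str) -> None:
        """The user administrator can block a user directly (e.g. when an employee leaves)."""
        self.blocked_reason = f"administrator:{administrator}"

    def unblock(self, new_activation_code_issued: bool = False) -> bool:
        """Reinstate the user. A block caused by the activation code cannot be
        lifted until BBVA has generated a new activation code (page rule)."""
        if self.blocked_reason == "activation_code" and not new_activation_code_issued:
            return False
        self.blocked_reason = None
        self.failures = {k: 0 for k in LIMITS}
        return True
```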

4. Identification and authentication:

Traceability of transactions: accesses and completed transactions are recorded in automated transaction records that collect the completed transaction, the date and time thereof and the user that executed it, to determine the validity of the recorded transactions.

Information on the last connection:

  • BBVA Net Cash will inform users when they log in for the first time.
  • On successive log-ins, BBVA Net Cash will show the user the date and time of their last connection.

Cookies active only while you are logged in: cookies stored in the user's operating system, which are necessary to safely browse any website, are active only while the user is connected to BBVA Net Cash and are deleted when the user logs off.

Automatic timeout: as an additional security measure, after 10 minutes of inactivity in BBVA Net Cash, the user's session is ended and the user is disconnected from the system.

5. Compliance with national and international regulations:

In all its services, BBVA complies with the rules and regulations of the countries in which it operates. BBVA's commitment to those regulations is contained in the Code of Conduct, which is mandatory for all employees.

Technology

1. Confidentiality and integrity

Of all user credentials:

  • All user passwords are encrypted and stored on specialist user and identity management systems, making it impossible to obtain or guess them.
  • BBVA's operational procedures do not require anyone at the bank to have customers' passwords, meaning that no one knows them or will ask for them.

Of communications:

  • BBVA transaction and remote banking services communications are encrypted using SSL protocol to secure the confidentiality and integrity of online communications.
  • The certificates used by BBVA to provide this service are generated by Verisign Inc.
  • In addition, sensitive communications in BBVA's internal networks are appropriately protected according to the operative environment and protocol used.

Of information:

  • The information stored in systems and internal databases is protected by various security systems, and access is permitted only to authorized employees.
  • BBVA has an automated management system of information access privileges that guarantees controlled access that is restricted to authorized personnel.

2. Physical security of Data Processing Centers

BBVA's Data Processing Centers are equipped with extensive physical security measures to protect the data processing systems, including, among others, the following:

  • Data Processing Center (CPD) rated Tier IV Gold for operational sustainability.
  • Individual monitoring of entry to the site and different technical rooms, with hazard detection systems.
  • 24/7 physical surveillance guards and closed-circuit television on the perimeter and inside the facilities.
  • Specific detection and protection systems for intruders, fire, flood, power cuts and other disasters.

By having two fully operational Data Processing Centers, BBVA guarantees information safeguarding and recovery should it ever be necessary.

3. Security architecture:

In order to ensure maximum security in the design of its systems, BBVA has established specific security architecture especially for systems offering online services to its customers.

Specifically, and to minimize online exposure, only the presentation layer (which performs user authentication, authorization of access to web applications and secure session monitoring) is exposed, through a reverse proxy.

4. Specific protection systems:

Continually updated firewalls and antivirus and anti-intruder systems:

  • BBVA separates its networks and systems using multiple levels of firewalls.
  • In addition, BBVA's internal systems are permanently protected by anti-malware and intruder detection systems.
  • Both types of systems are managed 24/7 and are permanently updated, to offer permanent protection from new threats.
  • All monitoring, alert and security response systems to potential fraud are monitored and overseen by a team of specialists working 24/7/365 in the Data Processing Center.

Activity log of all components: BBVA has logs in all remote banking systems and applications for all critical components, which provide support to phishing detection services and forensic analysis of suspicious or reported fraudulent activities or transactions.

Regular service review, applying the latest attack techniques: systems supporting remote banking services are regularly reviewed using vulnerability analysis tools.

Internal and external audit: BBVA systems and processes are subject to regular security audits by the independent audit department and by specific external auditors and financial or compliance audit firms.

Measures for the user

Protection of your user credentials

  • Use complex passwords that are difficult to guess, containing upper and lower case letters and interspersed numbers.
  • Do not share your password with anyone. Passwords are secret and only their owner should know them.
  • Don't write down your passwords on post-its or in notebooks; memorize them or use specialist password managers. You can find free programs of this kind at www.osi.es.
  • Deactivate the option to save the password on your web browser. It is safer to enter it every time you log in.
  • Change your passwords regularly. If you suspect that someone has been able to ascertain your password, you must change it as soon as possible.
  • Do not use the same password for different services (email, Evernote, other banks, etc.).
  • Your physical security device is personal and non-transferable.
  • If you receive a message asking for your password, do not provide any information and immediately contact BBVA Net Cash's customer service: 91 224 98 02 / 902 33 53 73.

Protecting your computer

  • Keep your operating system and the version of your web browser up to date with the corresponding patches, to protect it from possible gaps or errors.
  • Configure your computer and all your programs with the highest levels of security.
  • Install a firewall or firewalls and keep them activated and up to date.
  • Install anti-malware programs and keep them activated and up to date. Check the documents you receive with your antivirus before opening them.
  • Regularly back up your files.
  • Avoid downloads from unknown websites, as they may contain viruses or spyware.
  • Do not connect any external device of doubtful origin to your device, such as memory sticks, hard disks and cell phones.
  • Regularly clean cookies and temporary files from your computer.
  • Download programs and applications only from official sites.
  • Set an unlock pattern on your cell phones and tablets, so they cannot be accessed by a third party.

Secure internet access and browsing practices

  • When using shared computers or connecting to public Wi-Fi networks, do not visit websites that require you to use your username and password. Likewise, do not enter personal details such as address, telephone number, etc.
  • Avoid connecting to pages with private content from public computers.
  • If you have to enter your credentials, check that the server address (URL) starts with https, which means that you are accessing a secure server.
  • A closed padlock (rather than an open one for a non-secure server) on the right or on the left of the address (URL) is another sign that the server is secure.
  • Check the security certificates of the page by clicking on the padlock icon that appears when entering a secure site, or the certificate from the navigation bar, and check that it has not expired and that the domain certificate is in force. The detailed information shows the issuer (Verisign), the validity period and for whom it has issued the certificate (BBVA).
  • Do not choose the “autocomplete passwords” option on your web browser. If it is activated, the passwords that you enter on the website are stored in the computer and, when you enter your username, the password field is automatically filled in. Checking this option on a shared computer could mean that someone else uses your passwords.
  • Check the date and time of the last login.
  • To securely end your BBVA Net Cash session, click “Sign out” at the top right.

Viruses and common attacks

Computer viruses are programs whose sole purpose is to install themselves on a user's computer without their permission or knowledge. There are several types of virus, but they usually all have this in common: they propagate and spread in the same computer and through the network.

It is easy to unknowingly contribute to the spread of viruses by forwarding emails with infected attachments. All users must work together to prevent them from spreading over the Internet.

There are several types of virus, including:

Phishing:

The sending of an email that impersonates a very well-known organization and asks the user for information (address, bank details, passwords, etc.). For the user to give the information, they are often asked to click a link in the email and, once they are on the fake website, enter the requested information.

It basically works as follows:

  1. A bulk message (spam) is sent out informing BBVA Net Cash users that they need to confirm their login details.
  2. The message includes a link to a page from which to confirm their information. Sometimes, the link starts a download of malware.
  3. The user clicks on the link, which leads to a page that is "similar" to the true BBVA Net Cash and, thinking it's safe, the user enters their details.
  4. As the page is false and controlled by the fraudsters, they are the ones who actually receive the user's information, and thus have access to the user's account.

Although BBVA will never ask you for your BBVA Net Cash login password and signature by email, here are some tips to recognize this type of attack:

- Sometimes, the logo is distorted or stretched. They usually also include spelling mistakes or odd expressions.

- They address you as "dear customer” or “dear user” rather than your actual name.

- They warn you that your online banking account/service will close unless you reconfirm your login details immediately.

- The tone of the email is threatening.

- The text refers to “security commitments” or “security threats” and requires immediate action.

- The URL is not https:// and the security padlock does not appear in the browser box. False links include this kind of icon within the window to deceive you.

Ransomware:

It is a lucrative kind of cybercrime. Attacks are usually disguised as “package delivery services” or some other credible pretext, and are spread by email with links that install infected programs or download infected files. This virus blocks access to your computer's files and demands a ransom which, once paid, is supposed to provide a password to unlock them.

Below is a series of tips to protect yourself from ransomware:

  • Do not follow links or download files attached to emails that you think are suspicious.
  • Use only legal software and keep it permanently updated.
  • Install an antivirus and keep it up to date.
  • Back up files regularly. If your system becomes affected by a virus, you will be able to recover the information without having to pay a ransom.

Trojans:

They enter a personal computer and conceal themselves in a program. They transform the computer's behavior so that everything that it does can be seen on the criminal's computer. To prevent a Trojan horse on your computer, follow the same instructions as above for ransomware:

  • Do not follow links or download files attached to emails that you think are suspicious.
  • Use only legal software and keep it permanently updated.
  • Install an antivirus and keep it up to date.

Hoaxes:

These are emails containing false gossip for the sole purpose of circulating and propagating low quality information online.

In general, they are not too harmful and are easy to delete.

To prevent these attacks, follow the recommendations given above and report to us any suspicious situation or communication you receive: 91 224 98 02 / 902 33 53 73.

As soon as you inform us, BBVA Net Cash's customer service will launch its anti-fraud protocol: a group of specialists will be allocated to your case.

If the suspicion is confirmed, we recommend:

  • Formatting your hard disk.
  • Installing up-to-date anti-malware.
  • Keeping the software on your computer up to date.

In all confirmed cases, the login password of the affected user will be changed.

What is PSD2?

The second European Payment Services Directive was published in November 2015 by the European Commission in order to benefit consumers. How? By improving the security of electronic payments, promoting innovation and competition between countries and providers, and helping to develop a more integrated and efficient payment market throughout Europe.

In addition, PSD2 lays out certain technical security measures (RTS) to improve customer identification, which will start going into effect on September 14th of this year.

What is SCA?

Among the most relevant concepts introduced by PSD2 is strong customer authentication, known as SCA (Strong Customer Authentication), which is nothing more and nothing less than the mandatory procedure for verifying the authenticity of customers through the use of 2 factors belonging to the following categories:

  • Something that only the customer knows, for example a password.
  • Something that only the customer has, for example their cell phone.
  • Something that only the customer is, for example their fingerprint.

This strong authentication procedure is mandatory whenever the customer:

  • Accesses their accounts online (both on the website and in the app).
  • Initiates electronic payment transactions (a transfer, a payment in an online shop, etc.).
  • And/or carries out any action through remote channels that may involve a risk of fraud.

It is important to stress that there are cases in which SCA need not be applied, for example card-present payments or low-value purchases. Even so, cardholders should be aware that this additional security step will have to be carried out more often than they were used to until now.

What does this regulation involve?

All parties involved in an e-commerce process in Europe (banks, payment service providers such as Visa or Mastercard, shops, etc.) must implement additional measures to ensure that they comply with the regulatory requirements of PSD2.

Customers may experience changes in the way they access their accounts from remote channels (app or website) or in the way they make electronic payments, such as bank transfers, online purchases or physical payments with a contactless card in Europe.

And what does this mean for me as a BBVA customer?

At BBVA we have been working for some time on adapting our high security standards to the new requirements of this directive, always with a view to maintaining an optimal user experience for our customers.

For that reason, whenever the regulation allows it and our security measures, which are 'invisible' to customers, give us the confidence that the transaction is not fraudulent, we avoid requiring double authentication, making the transaction more convenient. In the cases required by law, you will be asked for double authentication.

Here are some simple examples to help you understand how these changes, which aim to protect the security of your money, affect you.

1. A customer paying in an online store with a card:

  • Accesses the shop's payment page as usual.
  • Is asked to enter their card details.
  • On completing the transaction, is asked for additional security information (what are called "credentials", which can be, for example, a single-use password). This information may be requested on the same page or through the app on their cell phone.
  • Once the credentials provided have been validated, sees the usual screen confirming that the transaction has completed successfully.

2. A customer paying in a physical shop with a contactless card:

  • Makes the payment with their card as usual.
  • May be asked to enter their PIN more often than usual: when they make more than 5 contactless payments of less than 20€ or when the sum of the contactless payments exceeds 100€.

3. A customer who wants to access their accounts via the website or app:

  • When the customer logs in to their online banking app or website for the first time from September, a second authentication factor will be requested.
  • Every 90 days, or when they access information older than 90 days, they will encounter this strong authentication requirement, as the regulation demands.
  • Once authenticated, they access their accounts as usual.


Do I have to do anything?

Yes, it is important that your mobile phone number is up to date, since we use as an authentication factor a single-use access code (One Time Password, OTP) that you receive on your cell phone to validate access to your accounts or to carry out certain electronic transactions.

If you have not validated your mobile phone number, that is, if we cannot be certain that you are receiving the single-use access code that authenticates that it is you on the other side, you will not be able to access your accounts via the website or app, or make online payments.

Validating your mobile phone number is a simple procedure that you can do at:

  • Any BBVA branch, with your cell phone and your ID.
  • Any BBVA ATM, with your card and your cell phone.

How does PSD2 affect online shops?

Although it is the card issuers who must carry out this strong authentication process, e-commerce businesses must likewise ensure that their online payment platform (VIRTUAL POS) is capable of processing transactions securely, since if payments are processed in a purchase environment that is NOT SECURE, they could be refused by the banks that issued the cards.

It is important to mention that strong authentication processes are very beneficial for online shops because, as well as offering greater security and confidence to their buyers, they reduce the risk of the customer disputing the transaction as possible fraud.

Does my business have to do anything to adapt to PSD2?

Whether or not a business has to make changes to its VIRTUAL POS depends on the connection it currently uses to process online transactions. Although a plan is being drawn up, to be validated with the national authority, to determine when the SCA requirements established in the payment services regulation must be met, we recommend that any necessary adaptations be made as soon as possible.

  • If your business connects to the payment gateway by redirection, you do not need to do anything, since BBVA will modify the settings of your VIRTUAL POS to adapt it to the technical standards when they come into force.
  • If your business connects to the payment gateway through Host-to-Host connections (such as webservice, Price, Rest), you must make a series of changes to the settings of your VIRTUAL POS to adapt it to the new regulation. There are two options for this adaptation:

One of the new features for adapting to this new stage is the creation of a new version of the secure purchase standard: EMV 3DS (also called 3DS 2.0), which will gradually replace the current version (3DS 1.0) and which, among its advantages, offers the possibility of adding more information fields and provides a better authentication experience for consumers.

  • If you use the services of a Payment Service Provider other than BBVA, you must contact your provider so that they inform you of the necessary adaptations.


Are there exemptions or exclusions to the law?

In addition, the new law establishes some exemptions to SCA, and some exclusions, which are very useful for making customer authentication processes more flexible. Some of these cases are:

Exemptions to SCA:

Although the business can propose the following exemptions, it is the company that issues the card which can ultimately require double authentication of the transaction.

  • Online transactions for amounts under 30€.
  • Contactless transactions under 50€.
  • Transactions carried out at unattended terminals in car parks or for transport.
  • When the payee has been included by the payer in a trusted payee list.
  • Transactions identified by the payment platform as low risk. These are transactions considered to have a non-fraudulent profile, because they match the customer's usual behaviour (spending patterns, made from the same device, etc.).
  • Frequent or recurring transactions in which the amount and payee match. In this case double authentication must be applied the first time.

Exclusions:

The following are outside this regulation and therefore outside the SCA requirement:

  • Card transactions at shops located outside the European Economic Area (EEA), although the card issuer may require the second authentication factor if it sees fit.
  • Transactions initiated by telephone, post or email.
  • Payments with anonymous cards (for example, gift cards).
  • Transactions initiated automatically by the business, such as subscriptions or payments made when the customer is not present (the customer must previously have given their consent for these payments).
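The exemptions and exclusions above, as an added decision function (example code, not BBVA's or any card issuer's logic): exclusions are checked first, then any exemption the business could propose, with an issuer_insists flag for the cases where the page says the card issuer can still require double authentication. The Payment fields and the 'rejected' outcome for a merchant-initiated payment without prior consent are assumptions.

```python
"""Added example (not BBVA's or any issuer's logic): deciding whether a payment
needs Strong Customer Authentication from the exemptions and exclusions listed
above. Field names and the 'rejected' outcome are assumptions."""
from dataclasses import dataclass
from typing import Optional

LOW_VALUE_ONLINE_CENTS = 30_00       # online transactions under 30 EUR
LOW_VALUE_CONTACTLESS_CENTS = 50_00  # contactless transactions under 50 EUR


@dataclass
class Payment:
    amount_cents: int
    channel: str                 # "online", "contactless", "unattended_terminal",
                                 # "phone", "mail", "email" or "merchant_initiated"
    merchant_in_eea: bool = True
    anonymous_card: bool = False
    payee_trusted: bool = False  # payee is on the payer's trusted payee list
    low_risk: bool = False       # the payment platform's risk analysis says low risk
    recurring_authenticated: bool = False  # same amount+payee series, first one already under SCA
    consent_given: bool = False  # prior consent for merchant-initiated payments


def proposed_exemption(p: Payment) -> Optional[str]:
    """Exemption the business may propose, in the order the page lists them."""
    if p.channel == "online" and p.amount_cents < LOW_VALUE_ONLINE_CENTS:
        return "low value online"
    if p.channel == "contactless" and p.amount_cents < LOW_VALUE_CONTACTLESS_CENTS:
        return "low value contactless"
    if p.channel == "unattended_terminal":
        return "unattended parking or transport terminal"
    if p.payee_trusted:
        return "trusted payee"
    if p.low_risk:
        return "transaction risk analysis"
    if p.recurring_authenticated:
        return "recurring payment (first already authenticated)"
    return None


def sca_decision(p: Payment, issuer_insists: bool = False) -> str:
    """issuer_insists models the card issuer's right to require the second factor anyway."""
    # Exclusions: outside the scope of the SCA requirement altogether.
    if not p.merchant_in_eea:
        return "sca_required" if issuer_insists else "excluded: merchant outside EEA"
    if p.channel in ("phone", "mail", "email"):
        return "excluded: mail or telephone order"
    if p.anonymous_card:
        return "excluded: anonymous card"
    if p.channel == "merchant_initiated":
        if not p.consent_given:
            return "rejected: no prior consent"   # assumption: not allowed without consent
        return "excluded: merchant-initiated with prior consent"
    # Exemptions: proposed by the business, but the issuer has the final say.
    exemption = proposed_exemption(p)
    if exemption and not issuer_insists:
        return "exempt: " + exemption
    return "sca_required"
```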

If you have any questions about PSD2, or if you are interested in using any of the SCA exemptions or exclusions provided for in the law, contact:

  • Merchant Line: soportevirtual@bbva.com
  • Telephone: 912 983 609