
BankID security and data protection

Information security and protection

Electronic remote identification of an individual through the NBU BankID System works by transmitting that individual's personal data from the subscribed identifier (the bank servicing the user's account) to the subscribed service provider that provides the service to the user. The process is safe for users.

Only the user (personal data owner) can initiate transmission of these data from the subscribed identifier to the subscribed service provider. Therefore, nobody except you can initiate the process! Information is transmitted encrypted in line with the requirements of the Ukrainian law.

  • The Internet channel of data transmission is protected;
  • User data are protected by an encryption certificate and transmitted through the NBU BankID System with a qualified electronic signature or a qualified electronic seal of the transmitting bank affixed;
  • The data are encrypted only for transmission to the one subscribed service provider requested by the user alone, so only this subscribed service provider can decrypt the encrypted response containing data from the subscribed identifier;
  • The BankID does not store personal data of users.
Infographic: Information security and protection in the NBU BankID System. Step-by-step flow of user data between the customer, service provider, BankID system, and identifying bank with encryption and e-signature.

The infographic outlines the secure exchange of identification data through the NBU BankID System:

  1. Customer submits a request for an online service to the subscribed provider.
  2. Service provider sends a data request through BankID to the customer’s identifying bank.
  3. BankID system forwards the request to the bank.
  4. Identifying bank authenticates the customer using multifactor methods, signs and encrypts data with a qualified electronic signature (QES).
  5. Bank sends an encrypted response through BankID.
  6. Service provider receives and decrypts the response using appropriate certificates.
  7. Service is provided to the customer using the verified identification data (e.g., full name, date of birth, address).

Security layers include:

  • Open certificate of the service provider
  • Open encryption certificate of the bank
  • Encryption/decryption with QES from the Accredited Key Certification Center

 

Furthermore, the Internet channel for transmitting data is protected, and all personal data are encrypted before transmission in line with Ukrainian data transmission security requirements (personal data protection). The encrypted data must be accompanied by a qualified electronic signature of an assigned employee of the bank or a qualified electronic seal of the bank transmitting information through BankID. The data are encrypted only for transmission to the one subscribed service provider requested by the user alone, so only this subscribed service provider can decrypt the encrypted response containing data from the subscribed identifier.
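The property described in steps 4 to 6 and restated above (encrypted data accompanied by the bank's signature, readable by one provider only) can be shown in a short Go program. It is an added example, not NBU BankID code: RSA-OAEP and RSA-PSS stand in for algorithms the page does not name, and the `Envelope` type, the function names and the sample record are constructed for illustration.

```go
// Added illustration, not NBU BankID code. RSA-OAEP and RSA-PSS are stand-ins:
// the page does not name the algorithms behind the QES or the encryption.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a constructed format for the bank's response relayed by BankID.
type Envelope struct{ Body, Sig []byte }

// Seal encrypts a short record to one provider's public key, then signs the
// ciphertext with the bank's key (direct OAEP limits data to about 190 bytes).
func Seal(data []byte, bank *rsa.PrivateKey, provider *rsa.PublicKey) (*Envelope, error) {
	body, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, provider, data, nil)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, bank, crypto.SHA256, sum[:], nil)
	return &Envelope{body, sig}, err
}

// Open checks the bank's signature before decrypting with the provider's private key.
func Open(e *Envelope, bank *rsa.PublicKey, provider *rsa.PrivateKey) ([]byte, error) {
	sum := sha256.Sum256(e.Body)
	if err := rsa.VerifyPSS(bank, crypto.SHA256, sum[:], e.Sig, nil); err != nil {
		return nil, fmt.Errorf("bank signature invalid: %w", err)
	}
	data, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, provider, e.Body, nil)
	if err != nil {
		return nil, fmt.Errorf("not encrypted for this provider: %w", err)
	}
	return data, nil
}

func main() {
	bank, _ := rsa.GenerateKey(rand.Reader, 2048)
	shop, _ := rsa.GenerateKey(rand.Reader, 2048)  // provider the user chose
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // any other provider
	e, _ := Seal([]byte(`{"name":"Constructed Sample"}`), bank, &shop.PublicKey)
	_, errOther := Open(e, &bank.PublicKey, other)
	data, err := Open(e, &bank.PublicKey, shop)
	fmt.Printf("chosen provider: %s %v\nother provider: %v\n", data, err, errOther)
}
```

The relaying hub holds no private key in this model, so it can forward the envelope but cannot read it, which matches the statement that BankID does not store personal data.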