The protection systems adopted by BBVA

1. Access the Customer Area

BBVA Personal offers you various channels to access your data, such as the bbva.it website, the App, or the BBVA Line.

BBVA takes the following steps to verify your identity:

• Website: you will need to identify yourself with your username and your complete password.
• App: allows different access methods, such as using a username and password, or by using biometric identification techniques (such as fingerprint or facial and iris recognition).
• BBVA Line: you will need to provide part of your password, but never fully, and this information will only be requested from you.

2. Last Access

BBVA informs you of the date and time of your last access to your Customer Area. Go to bbva.it, Customer Area, and you will be able to view it.

In the App, you can consult it through the menu, in the "Security and privacy" section.

To ensure that only you can access it, we recommend that you:

• Do not share your password with anyone
• Contact BBVA if you do not recognize the data of the last access to your Customer Area.

3. Chiusura della sessione

For the safety and protection of your data, if BBVA finds that you are not browsing and that you have left the session open, it will close it so that no one else can access your information, warning you in advance with a message. 

4. User credentials

BBVA stores your passwords in an encrypted format by generating a code that is saved in specialized user and identity management systems, so that no one can obtain your password or decrypt it. 

When you enter your password on the login page, it is encrypted and the result compared with the saved code, allowing you to verify that the password was entered correctly.

As for your credentials, follow these recommendations:

• Although passwords do not expire, change them if you think they may have been compromised.
• Use passwords that are difficult to decipher by combining numbers, uppercase, and lowercase letters. 

5. PSD2: what does it entail?

Every 90 days maximum, BBVA will ask you for 2-factor authentication (numeric code that arrives via SMS on your smartphone) or in case you request information on products or movements dating back more than 90 days.

6. Authentication, two-factor authentication, and transaction signing

BBVA is based on three safety factors: one element of knowledge, one of possession, and one of inherency to ensure that it is indeed you carrying out all the operations. To do this, we will always use at least two of these three factors:

• Knowledge (Something that only the user knows): per esempio le tue password usate per l’autenticazione.
• Possession (Something that only the user owns): for example, your smartphone, on which you will receive an SMS with a random code that can be used only once. It is used to sign transactions.
• Inherency (Something the user is): per esempio la tua impronta digitale, il tuo viso o l'iride. Using them will allow you to access digital channels.

7. Account blocked

Only if strictly necessary and to protect the security of your data, the account you use to access digital channels may be blocked in the following cases:

• If you repeatedly enter wrong passwords that do not match your account.
• If we detect abnormal behavior on your behalf, as a preventative measure. 

1. Privacy and integrity

• User passwords: All BBVA customer passwords are saved and encrypted through an irreversible algorithm and, according to BBVA procedures, no operator will ask you for your complete passwords.

• Communications: Communications from services and digital banking are encrypted using the SSL protocol for privacy and integrity.

Furthermore, confidential communications that take place on BBVA's internal networks are protected with specific protocols.

• Data: The data stored in BBVA's systems and databases are protected by various security systems that allow access only to authorized employees.

At BBVA, data protection has top priority. For this reason, the processing of personal data takes place in accordance with the current legislation on data protection. In addition, security measures are taken to ensure the privacy of any information exchange between the customer and the bank.

2. Data privacy

In the Security and Privacy section of the App, you can control how BBVA uses your data, manage it, download it, and review the protection policy.

In the same section, you can check for what purposes the App needs access to the resources of your mobile phone (camera, microphone, contacts, etc.).

3. Safety tips

In the Security and Privacy section (App and web), you can find news, tips, and advice on security that may be useful to you. 

4. Security of data processing centers

BBVA's data processing centers are equipped with the highest security measures for the protection of data processing systems, which include, inter alia, the following:

• Operational sustainability in the Tier IV Gold data center.
• Individual access control to the premises and to the various technical rooms, equipped with systems for detecting dangerous elements.
• A team of people in charge of surveillance and video surveillance cameras around the perimeter and interior of the structures 24 hours a day, 7 days a week.
• Specific detection and protection systems for access control, fires, floods, power outages, and other catastrophic events.

In addition, with two fully operational data centers, BBVA guarantees data recovery should the need arise.

5. Monitoring

BBVA has monitoring systems with a team of specialists who work 24 hours a day, 7 days a week, to identify possible fraud against customers. 

Credential protection 

• Use passwords that are difficult to decipher by combining alternating numbers, uppercase, and lowercase letters.
• Passwords are secret; do not share them with anyone and change them regularly.
• Do not write your passwords on cards or notebooks; memorize them or use a password manager.
• On shared computers or if connected to public Wi-Fi networks, do not enter your login credentials in any online service, and do not provide personal data such as postal address, telephone number, etc.
• Avoid entering your personal information on a website that you have accessed via email. If you know it, we recommend that you log in by typing the address directly into your browser.
• Do not use the "autocomplete/remember password" option in your browser. When enabled, passwords you enter on a website are stored on your computer, which means that, when you re-enter your username, the password field is automatically filled in. This option on a shared computer may allow someone to use your personal passwords.
• Remember that BBVA will never ask you for your bank details or passwords via email, SMS, or instant messaging platforms such as WhatsApp, so do not provide this information through these channels. If you receive a request, please contact BBVA to verify it.

Device protection

Before starting to surf, increase the security of all your devices (PC, mobile phone, tablet…) and keep your operating system, browser, and applications updated. 

• Always use up-to-date versions of the browser downloaded directly from the original website to make sure there are no security holes. You can also set up automatic updating whenever a new version is available.
• Make sure you are using a trusted DNS server (the one provided by your Internet service provider, or one that is recognized internationally, such as 8.8.8.8 or 1.1.1.1). 
• Make sure the set-up screen for your Wi-Fi router is protected by a strong password. This will help to prevent hackers from manipulating the DNS server list on this device.
• Install an antimalware program and keep it updated. Both traditional antivirus and antimalware browser extensions protect you while browsing and alert you in case of anomalies.
• Similarly, we advise you to verify documents received from external sources with an antivirus program, always up-to-date and operational.
• Make regular backup copies of your files so you can recover them in the event of a device malfunction or a ransomware attack.
• Non collegare dispositivi esterni di origine dubbia o sconosciuta, come una chiavetta o un hard disk, ai tuoi dispositivi.
• Download programs and applications from official sites only.
• Set the screen lock or enable a password or biometric login on all your devices to prevent third parties from accessing them.

Safely surfing the Internet

• Evita di navigare su siti web importanti o su cui utilizzi dati personali (enti bancari, organismi pubblici, servizi medici, ecc.) da computer pubblici o di altre persone, perché potrebbero essere infettati da malware.
• When accessing a website, make sure the URL is the official one. If in doubt, use a search engine to confirm that the address is valid.
• Check your browser and antimalware software warnings: they notify you of any circumstances that may go unnoticed. Pay particular attention to warnings that a website is not secure (does not start with https://) or that the URL does not match that of the website's SSL digital certificate.
• Be wary of sites that ask you to provide data or to authenticate yourself in an unusual way.
• In the Cybersecurity section of bbva.it, you can find out more about current cyber attacks, as well as discover some security tips to protect yourself from them.