Security Mechanisms in CitiDirect®

CitiDirect has the following 6-level security system:

User Identification and Verification

Access to CitiDirect is granted to Users who log into the system with their SafeWord card (token).

Each SafeWord card is assigned to a particular User. The card generates dynamic, one-time passwords, which significantly reduce the risk of unauthorized access to CitiDirect, for example as a result of password theft or cracking. In addition, the SafeWord card is protected with a 4-digit PIN code, known only to its holder. Card holders may change their PIN codes at any time.

  How can I change the PIN code for my SafeWord card?

User Entitlement Levels

User entitlements are controlled via their access profiles, which determine a specific level of access to functionalities in CitiDirect. Access profiles assigned to Users define: access to particular accounts and transaction types, operations allowed under transactions with a predefined limit, authorization schemes and limits, etc.

Multi-level Transaction Authorization

Even the best designed internal processes can prove insufficient, for example when a single person has full control over transactions in the system. That is why we recommend authorization schemes that require the transactions to be accepted by at least one additional User.

The Bank offers as many as 9 authorization levels. Requiring a higher authorization level for payments in CitiDirect can significantly improve the security level.

We recommend that our Clients define at least 1 transaction authorization level.

The Bank also offers other risk-mitigating functionalities, such as blocking manual submission of payment orders by Users, requiring authorization of created payment templates, or defining payment limits. To configure such additional security mechanisms, please contact your Relationship Manager.

Encrypted Session and Digital Security Certificate

All information, from Client identification through the end of session in CitiDirect, is secured with the TLS (Transport Layer Security) protocol, which ensures confidentiality of transmitted data with the use of advanced encryption methods.

TLS also protects data integrity. One of its elements is the Message Authentication Code (MAC), which is used to check that no unauthorized data modification occurred during transmission.

Our electronic banking system is secured with a Symantec Class 3 EV SSL CA – G3 digital certificate. This is the digital signature of a site which confirms that the User is in a service owned by Citi Handlowy. The certificate ensures that all confidential transactions executed via CitiDirect are encrypted.

Before you log in to the service, check if the certificate is valid and verify its issuer.

  How can I check that the certificate is valid?

Automatic Session Expiration

Every session will be automatically ended after 20 minutes of inactivity to prevent a third party from accessing the accounts if the User forgets to log out.

Blocking Users

In order to ensure the security of your funds, the SafeWord card and the User will be automatically blocked after 7 unsuccessful attempts to log in and/or after 12 months since:
  • the last login date – concerns Users who have logged into the system or
  • the date of creating the user in the system – concerns Users who have never logged into the system.

In order to maintain access to the CitiDirect system on a given SafeWord card, we advise logging into the system at least once every 3 months. A blocked SafeWord card should be replaced with a new one if a User intends to use the CitiDirect system in the future. This intention should be expressed in a separate application.
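The blocking rules above can be checked against a Client's own user list before a card is blocked. The following is an added example, not code from Citi or from CitiDirect: the record layout, status names and the `add_months`, `assess_user` and `audit` helpers are hypothetical. It assumes that "12 months" means calendar months and that the block applies from the anniversary date onward.

```python
from calendar import monthrange
from datetime import date

MAX_FAILED_LOGINS = 7      # page: blocked after 7 unsuccessful login attempts
BLOCK_AFTER_MONTHS = 12    # page: blocked 12 months after the reference date
ADVISED_LOGIN_MONTHS = 3   # page: log in at least once every 3 months


def add_months(d, months):
    """Calendar-month addition; clamps the day (29 Feb + 12 months -> 28 Feb)."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    month = month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def assess_user(user, today):
    """Return (status, inactivity_block_date) for one hypothetical user record."""
    # Reference date: last login, or creation date for Users who never logged in.
    reference = user["last_login"] or user["created"]
    block_date = add_months(reference, BLOCK_AFTER_MONTHS)
    if user["failed_logins"] >= MAX_FAILED_LOGINS:
        return "BLOCKED_FAILED_LOGINS", block_date
    if today >= block_date:  # assumption: blocked from the anniversary onward
        return "BLOCKED_INACTIVE", block_date
    if today >= add_months(reference, ADVISED_LOGIN_MONTHS):
        return "LOGIN_OVERDUE", block_date  # past the advised 3-month interval
    return "OK", block_date


def audit(users, today):
    """Map each user id to its status as of `today`."""
    return {u["id"]: assess_user(u, today)[0] for u in users}


# Constructed sample records, not real CitiDirect data.
USERS = [
    {"id": "u1", "created": date(2022, 1, 10), "last_login": date(2024, 5, 20), "failed_logins": 0},
    {"id": "u2", "created": date(2022, 1, 10), "last_login": date(2024, 1, 15), "failed_logins": 2},
    {"id": "u3", "created": date(2023, 5, 31), "last_login": None, "failed_logins": 0},
    {"id": "u4", "created": date(2023, 3, 1), "last_login": date(2024, 5, 30), "failed_logins": 7},
]

if __name__ == "__main__":
    for user_id, status in audit(USERS, date(2024, 6, 1)).items():
        print(user_id, status)
```

Users reported as `LOGIN_OVERDUE` are not blocked yet; they have passed the advised 3-month login interval and are moving toward the 12-month block.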

If a SafeWord card is lost or damaged, the User should immediately contact CitiService (call (22) 690 19 81 or 801 24 84 24) to block access to CitiDirect.