BPI ExpressLink is committed to provide you, our valued client, with the safest and strictest security measures to protect your account information and banking transactions. ExpressLink’s security infrastructure combines various hardware and software devices, policies and procedures to make our customers confident that issues on privacy, authentication, integrity and non-repudiation are addressed.
 However, maintaining security in online transactions is a mutual responsibility. We at BPI ExpressLink would like to enjoin you in protecting your online transactions. Below is a brief list of what you can do to secure your personal information and transactions:
  Be skeptical of unsolicited e-mails asking for personal data or account information. DO NOT REPLY to these e-mails! REPORT      THESE INCIDENTS IMMEDIATELY to Express Phone’s Corporate Help Desk (89-100) or via e-mail at      bpiexpresslink@bpi.com.ph. You may also notify your respective Relationship Managers.
  DO NOT PROVIDE any personal or account information and access codes via e-mail or other means (unless you have      initiated the transaction with a valid bank channel). As a matter of policy, BPI WILL NEVER ask for your personal information      and access codes via email.
  Always begin your online session by manually typing the web address of BPI into your browser. You may also save it in      your list of favorite internet sites. The legitimate URL of BPI ExpressLink is www.bpiexpresslink.com.
  To know more about ExpressLink’s security features, please see the BPI ExpressLink Security section below.
  
 With BPI ExpressLink, security is of the highest priority.
 ExpressLink provides you the best security available. With Expresslink multiple-layer security, we provide Non-repudiation of transactions, Data Confidentiality and Integrity, Authenticity, Secure Access,
and User Authorization.
 ExpressLink is the only online financial management system in the Philippines that utilizes the PKI (Public Key Infrastructure) technology. PKI is an asymmetric key system which consists of a private key that generates the digital signature and a public key that verifies the digital signature.
 Whatever your online transactions may be, make sure they remain confidential and well-protected. Do it the ExpressLink way.
 
 Non-repudiation of transactions
 Digital signatures are created when a transaction is created or approved. Thus, the maker of the transaction, as well as the approvers, cannot deny the fact that they created or approved the transaction.
 Bank of the Philippine Islands issues PrivateWire Minikeys containing your digital certificate to further protect your financial transaction over the internet. The minikey will be your electronic pen used to sign your electronic transactions in ExpressLink. It addresses non-repudiation of electronically signed documents, as stated in Republic Act 8792.

            Check your minikey.
            Download BPI certificate.
            Update Your VeriSign Certificate.
  
 Data Confidentiality and Integrity
 Data integrity can be verified with the use of message digest and hashing. This ensures that data is uncorrupted, not tampered and has not been forged as it is passed on through the internet from the ExpressLink servers to the Client and vice-versa.
 Further, strong 128 bit encryption with session key dynamically generated at each connection request, provides for session confidentiality.
 Authentication
 ExpressLink implements two-factor authentication through the use of log-on IDs and passwords and the minikey.
 Each ExpressLink user is assigned a unique user ID and password. Our servers check if the user ID entered is valid and if the password entered corresponds to the given user ID.
 For a user to create or approve a financial transaction, the user must have a valid minikey. The user is advised to exercise reasonable care to avoid unauthorized use of his minikey. Upon receipt of the device, the user must change the initial password immediately. It is further recommended that the user change the minikey password regularly.
 The minikey user must notify appropriate persons, including the concerned information certifier, without undue delay if he knows that the electronic signature has been compromised or that the circumstances known to him give rise to a substantial risk that his electronic signature may have been compromised (abridged from Rule 15, Dept. of Trade and Industry, Implementing Rules and Regulations on Electronic Signatures).
 User Authorization
 User’s access to company accounts and ExpressLink facilities is pre-enrolled in accordance with the documentation submitted by the company.
 Secure Access
 Access to ExpressLink is allowed only upon entry of a valid user ID and the corresponding password. Multiple logons using the same user ID is not allowed. A user is automatically logged-off after a prescribed time of inactivity.