BSI publishes code of practice for digital identification and strong customer authentication

This new PAS is for organizations with regulatory requirements under the Second Payment Services Directive (PSD2) and related regulations. It covers how organizations can implement robust customer authentication processes.

In particular, it focusses on management principles and takes a regulatory view of identification and strong customer authentication, specifically in relation to PSD2.

Who is this PAS for?

Financial organizations (e.g. banking, online payment providers)
Organizations needing to comply with PSD2

Why should you use this PAS?

Robust digital identity and user authentication processes are essential for minimizing the risks of online transactions. This PAS provides recommendations to take into account when implementing strong customer authentication in line with the Second Payment Services Directive (PSD2). It also provides recommendations and guidance on process design elements that help an organization implement a system meeting the legal requirements.

PAS 499 covers the management of identification and strong customer authentication systems in regulated industries, including:

Identity validation
Identity verification
Enrolment
Authentication
Delegated authority and authorization
Security and usability
Risk models for authentication

It also applies to management processes for creating, accessing or managing accounts digitally; users making a payment via a mobile device or other computer; users making a contactless payment using an electronic device; a retailer receiving such payments; third-party roles; delegated authority; and a bank or payment service provider administering such transactions.

It includes supporting guidance in informative annexes, including use cases that address common scenarios for identification and strong customer authentication, and a summary description of additional good practice that can be used in developing a compliant secure system.

NOTE 1: The PAS does not cover: contactless payments made using plastic cards; transactions in the context of the internet of things; digital currencies; specifics of payment devices or payment terminals.

NOTE 2: There is a difference in the way that the term “identification” is used in this PAS (establishing an association between a known identity and a person) and that employed in biometric standards (process of searching a biometric enrolment database to find and return the biometric reference identifier(s) attributable to a single person). When used in PAS 499, the latter meaning is referred to as “biometric identification”.