BSI launches code of practice for digital identification and customer authentication

8th October 2019

The new code of practice helps organizations to secure their systems and reduce fraudulent misrepresentation, in line with regulatory requirements including the Second Payments Services Directive (PSD2)

BSI, the business improvement company, has published a publicly available specification, PAS 499:2019 Code of practice for digital identification and strong customer authentication.

Cybercrime and fraud are the fastest growing areas of criminal activity, and vulnerabilities in organizations’ identity and authentication practices account for much of that unwelcome growth. Adoption of robust processes is essential to minimizing the risks that online transactions and services pose to organizations and to their users, employees and partners. PSD2 and related regulation have mandated identification assurance and strong customer authentication.

The new PAS is for organizations with regulatory requirements under the PSD2 and related regulations. It focuses on management principles and takes a regulatory view of identification and strong customer authentication, including:

  • Identity validation
  • Identity verification
  • Enrolment
  • Authentication
  • Delegated authority and authorization
  • Security and usability
  • Risk models for authentication

It also applies to management processes for creating, accessing or managing accounts digitally; users making a payment via a mobile device or other computer; users making a contactless payment using an electronic device; a retailer receiving such payments; third-party roles; delegated authority; and a bank or payment service provider administering such transactions.

It does not cover contactless payments made using plastic cards; transactions in the context of the internet of things; digital currencies; or the specifics of payment devices or payment terminals.

Tim McGarr, Digital Sector Lead at BSI said: “At a time when cybercrime and fraud are on the rise, it is critical that organizations have robust digital identity and user authentication processes in place to minimize the risks of their online transactions. PAS 499:2019 provides the recommendations needed to optimize and implement a system that supports legal and regulatory requirements.”

PAS 499:2019 was developed by a steering committee* and underwent a peer and public review as is normal practice in such a consensus document.

Further details about PAS 499:2019 can be found here.