A PAS is a sponsored fast-track standard that is developed through a consensus-building process facilitated by BSI Standards Limited. A PAS should not be regarded as a BS, EN or ISO standard.
PAS Sponsor: MIDAS Alliance
BSI Project Manager: Laura Cordell, firstname.lastname@example.org
Cybercrime and fraud are the fastest growing areas of criminal activity, and vulnerabilities in identity and authentication practices account for much of this unwelcome growth. Adoption of enhanced identity and authentication techniques is essential to secure the ever-increasing number of online transactions and services that a successful digital economy needs. Regulatory changes recognise these requirements, but standards towards meeting them are vital to ensure a coherent environment for businesses, public services and consumers.
PAS 499 aims to provide a framework for understanding the practical applications of stronger authentication requirements, and the increased levels of assurance and data protection demanded. It also offers an opportunity for engagement towards the formation of a code of practice enabling clarity for providers, and users, of online transactions and services.
PAS 499, Digital identification and authentication – Code of practice
This PAS gives recommendations for enhanced identification and authentication for digital actions and transactions in the context of regulatory requirements for ‘strong authentication’ and defined ‘levels of assurance’.
It covers: privacy enhancing technologies (PET), personally identifiable information (PII), enrolment at different levels of assurance, strong authentication, anonymity and KYC, device identification, mutual authentication, and biometrics.
This PAS covers customers creating and accessing their digital accounts; customers making a payment via a mobile device or other computer; customers making a contactless payment using an electronic device; a retailer receiving such payments; third-party access; delegated authority; and a bank or payment service provider administering such transactions.
This PAS also includes the following supporting guidance as informative annexes to the PAS: a summary of legal requirements in the context of identity, validation, verification, enrolment, and authentication, and practical challenges in satisfying these requirements; a summary description of additional good practice that can be used in developing a compliant secure system.
This PAS is for use by any organization requiring the adoption of strong authentication techniques for the protection of their customers.
The PAS does not cover: contactless payments made using plastic cards; transactions in the context of the internet of things; digital currencies; specifics of payment devices or payment terminals.