What is PAS499?

PAS499 sets out recommendations for organizations to meet security, regulatory, and usability requirements in the provision of digital services. It aims to assist organizations in understanding changes to existing security practices necessary to prevent fraud techniques that have evolved, or could be developed, to circumvent controls.

It aims to help organizations secure their systems to prevent fraudulent misrepresentation of a natural or legal person.

History of PAS 499

The PAS was initiated in 2016 with the BSI. It grew out of a number of public meetings involving hundreds of stakeholders, followed by smaller committees run under the rules of the BSI, in which senior stakeholder representatives from across the government, payment, technology and consumer sectors participated in drafting the content of PAS499.

Aims

PAS499 sets out recommendations for organizations to meet security, regulatory, and usability requirements in the provision of digital services. 

It aims to assist organizations in understanding changes to existing security practices necessary to prevent fraud techniques that have evolved, or could be developed, to circumvent controls and to help organizations secure their systems to prevent fraudulent misrepresentation of a natural or legal person.

Why the need for a PAS

Cybercrime and fraud are the fastest growing areas of criminal activity, and vulnerabilities in identity and authentication practices account for much of this unwelcome growth. 

Adoption of robust digital identity and user authentication processes is essential to minimizing the risks, to organizations and their users, employees and partners, associated with the online transactions and services that a successful digital economy needs.

Regulatory changes recognize these requirements, but the development of standards to meet them is vital to ensure a coherent environment for businesses, public services and users.

Digital identification and authentication systems allow organizations to manage a wide range of digital services securely (e.g. for electronic payments or access to online services), but the evolving complexities of the regulatory environment make standards crucial in helping organizations understand what is expected of them in offering such secure systems.

PAS499 builds on existing standards, directives and regulations to provide additional recommendations and guidance. It takes into account new regulatory security requirements, cybercrime trends, and developments in the move towards combined financial and government identity and authentication requirements; this may, for example, include (but is not limited to) commercial applications for GOV.UK Verify.

PAS Overview

The PAS covers the following subjects in detail, providing a clearly explained management and technology process for meeting its recommendations:
Identity validation
Identity verification
Enrolment
Authentication
Delegated authority and authorization
Security and usability
Authentication risk model

Technology requirements

The PAS advises organizations on how best to use technology processes to enable strong customer authentication at on-boarding and when re-authenticating the claimed credentials.

Two notable recommendations within the PAS are:
Biometric capture alongside the capture of documentary evidence should be conducted as part of a continuous enrolment process via audio/video live stream, in order to prevent an attack on the two factors through separating their capture.
For additional security, when choosing modalities for the multiple factors, the organization should adopt at least one factor capable of dynamic authentication.
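The two recommendations above can be expressed as an enrolment policy check: both evidence captures must come from one continuous live-stream session, and the chosen factor set must include a dynamic one. The following is an added example, not code from BSI or PAS499; the capture-event format, the labels treated as dynamic factors, and the 5-second gap threshold are assumptions for this illustration.

```python
"""Enrolment policy check for PAS499's continuous-capture and dynamic-factor
recommendations. Added example; field names, factor labels and the gap
threshold are assumptions, not values taken from the PAS."""
from dataclasses import dataclass

# Assumed labels for modalities capable of dynamic authentication.
DYNAMIC_FACTORS = {"otp", "challenge_response", "liveness_challenge"}


@dataclass(frozen=True)
class Capture:
    kind: str        # "biometric" or "document"
    session_id: str  # id of the audio/video live-stream session
    start: float     # seconds since stream start
    end: float


def continuous_enrolment(captures, max_gap=5.0):
    """True if a biometric and a document capture share one stream session
    and no pause between consecutive captures exceeds max_gap seconds."""
    kinds = {c.kind for c in captures}
    if not {"biometric", "document"} <= kinds:
        return False
    if len({c.session_id for c in captures}) != 1:
        return False  # captured in separate sessions: the factors were split
    ordered = sorted(captures, key=lambda c: c.start)
    return all(nxt.start - cur.end <= max_gap
               for cur, nxt in zip(ordered, ordered[1:]))


def has_dynamic_factor(factors):
    """At least one chosen modality must be capable of dynamic authentication."""
    return any(f in DYNAMIC_FACTORS for f in factors)


def enrolment_acceptable(captures, factors):
    return continuous_enrolment(captures) and has_dynamic_factor(factors)


# Constructed samples: same session with a 2-second handover; document and
# biometric in different sessions; same session but a long pause between them.
GOOD = [Capture("document", "s-1", 0.0, 12.0), Capture("biometric", "s-1", 14.0, 20.0)]
SPLIT = [Capture("document", "s-1", 0.0, 12.0), Capture("biometric", "s-2", 14.0, 20.0)]
GAPPED = [Capture("document", "s-1", 0.0, 12.0), Capture("biometric", "s-1", 60.0, 66.0)]

if __name__ == "__main__":
    print(enrolment_acceptable(GOOD, ["biometric", "otp"]))   # True
    print(enrolment_acceptable(SPLIT, ["biometric", "otp"]))  # False
```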