Driving Value Added Services & Content|Billing & Engagement In Motion|Minutes, Messages & Traffic That Pays|Engage & Commercialize Connected Consumers|Making Interactive Media Pay|Billing & Alternative Payments That Convert|Mobile Strategies For Merchants & Content Owners|Monetising Premium Content & Services
Digital Select 2022 Ad
Evina Header Banner Ad
DMWF 2022 Main Banner Ad

BSI launches code of practice for digital identification and customer authentication as part of PSD2 SCA


BSI, the business improvement company, has published a publicly available specification, PAS 499:2019 Code of practice for digital identification and strong customer authentication.

The new code of practice helps organizations to secure their systems and reduce fraudulent misrepresentation, in line with regulatory requirements including the Second Payments Services Directive (PSD2).

Cybercrime and fraud are the fastest growing areas of criminal activity and vulnerabilities in organizations’ identity and authentication practices account for much of the unwelcome-growth. Adoption of robust processes are essential to minimizing the risks to organizations and their users, employees and partners who are associated with online transactions and services. PSD2 and related regulation has mandated identification assurance and strong customer authentication.

The new PAS is for organizations with regulatory requirements under the PSD2 and related regulations. It focuses on management principles and takes a regulatory view of identification and strong customer authentication, including:

  • Identity validation
  • Identity verification
  • Enrolment
  • Authentication
  • Delegated authority and authorization
  • Security and usability
  • Risk models for authentication.

It also applies to management processes for creating, accessing or managing accounts digitally; users making a payment via a mobile device or other computer; users making a contactless payment using an electronic device; a retailer receiving such payments; third-party roles; delegated authority; and a bank or payment service provider administering such transactions.

It does not cover contactless payments made using plastic cards; transactions in the context of the internet of things; digital currencies; specifics of payment devices or payment terminals.

Tim McGarr, Digital Sector Lead at BSI said: “At a time when cybercrime and fraud are on the rise, it is critical that organizations have robust digital identity and user authentication processes in place to minimize the risks of their online transactions. PAS 499:2019 provides the recommendations needed to optimize and implement a system that supports legal and regulatory requirements.”

PAS 499:2019 was developed by a steering committee and underwent a peer and public review as is normal practice in such a consensus document.


Leave A Reply