Third-Party Certifications, Part 2: 6 Key Criteria for Evaluation


In the first blog of this series, I described the role of certifications and conformance with standards as the foundation for establishing trust and credibility in ID verification (IDV) solutions. We highlighted six critical elements that underpin how to evaluate the gold standard across a vendor’s performance index. 

In this second entry, we will take a more extensive look into the tangible stamps of authority that point to each of these elements—by which I mean certifying bodies and the specific certifications they grant—and demonstrate how they contribute to building a robust and reliable IDV solution.

1) Privacy

Privacy is of paramount concern in the digital age, and IDV solutions must adhere to strict standards to protect personally identifiable information (PII). Two key certifications, provided by the Swiss-based International Organization for Standardization, ensure that vendors handle PII with the utmost care and compliance:

ISO 27018 provides guidelines for implementing measures to protect PII in the cloud, emphasizing transparency, data security, and privacy. This certification enhances trust in cloud services by ensuring compliance with international privacy laws and helps mitigate risks associated with data breaches and privacy violations.

ISO 27701 is an extension to ISO 27001 (further discussed below) for privacy management. It offers a comprehensive approach to privacy risk management and supports compliance with GDPR and other global privacy laws.

2) Security

Security is another crucial element of any IDV solution, and several certifications attest to a vendor’s commitment to maintaining a secure environment. Two of the three I highlight below are overseen by the ISO. The third, pertaining to systems and organization controls (SOC), is administered by the American Institute of Certified Public Accountants (AICPA):

ISO 27001 is the international standard for managing information security. It provides a systematic approach to managing sensitive company information and demonstrates a commitment to information security to stakeholders.

ISO 27017 focuses on reducing the risk of security problems in the cloud environment. It enhances the security of cloud services, making them more reliable for users, and supports organizations in managing and mitigating cloud-related security risks.

SOC 2 is a standard for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy. It builds customer trust by demonstrating strong data management practices and is essential for SaaS providers and other tech companies handling sensitive data.

3) Accuracy

IDV solutions must be highly accurate, and the ISO 19795 standard ensures the reliability of biometric systems. It provides guidelines for testing and reporting the accuracy of biometric systems, focusing on the repeatability and reproducibility of results. 

ISO 19795 consists of several parts, each addressing different aspects of biometric performance testing. ISO 19795-1, for instance, provides a framework for evaluating the performance of biometric systems in terms of error rates, such as false acceptance rate (FAR) and false rejection rate (FRR). It also establishes requirements for test design, data collection, and reporting of results.

Other parts of the standard, like ISO 19795-2, focus on testing methodologies for specific biometric modalities, like facial recognition. These standards ensure that biometric systems are evaluated consistently and thoroughly, providing reliable and comparable results across different vendors and implementations.

4) Presentation attack detection

Presentation attack detection (PAD) is an essential component of secure biometric systems. ISO 30107 defines methods to assess and mitigate biometric system vulnerabilities, focusing on the robustness of biometric systems against fraudulent attacks. 

Vendors are affirmed at PAD Level 1 and PAD Level 2, which differ based on the sophistication of the presentation attack, the number of attacks, and the duration of test times. This certification enhances the security and reliability of biometric systems and is essential for maintaining trust in biometric identity verification processes.

5) Inclusivity

Inclusivity is an essential consideration for IDV solutions, ensuring that they are accessible to all users, regardless of demographic factors. Two key standards support this goal:

Level B Bias Evaluation involves testing by an independent laboratory, such as a laboratory accredited by the National Voluntary Laboratory Accreditation Program (NVLAP), to determine if the efficacy of liveness detection mechanisms for bona fide users are performing within expectations with similar performance across the measured demographic groups of age, gender, and ethnicity. This ensures that all users can effectively use biometric systems and promotes the ethical and fair use of biometric technologies.

WCAG AA 2.2 (Web Content Accessibility Guidelines) provides international guidelines for making web content and applications more accessible to people with disabilities. It ensures that digital content and services are accessible to a wider audience, supports compliance with legal accessibility requirements, and promotes inclusivity.

6) Business continuity

Business continuity is vital for ensuring that IDV solutions remain operational and reliable, even in the face of disruptions. ISO 22301 provides a framework for developing and implementing business continuity plans, focusing on resilience and response to disruptions. 

This certification ensures continuous operation and quick recovery in the event of disruptions and demonstrates a commitment to maintaining service levels under adverse conditions.

Building consumer confidence

Certifications and standards play a key role in establishing trust and credibility in ID verification solutions. When they can demonstrate that they adhere to these rigorous standards, IDV vendors show their commitment to privacy, security, accuracy, presentation attack detection, inclusivity, and business continuity. 

When evaluating IDV solutions, organizations should look for vendors that have achieved these certifications, as they provide tangible, universally recognized evidence of a vendor’s ability to deliver a robust, reliable, and trustworthy solution. Partnering with certified IDV providers allow businesses to confidently conduct business knowing their solution is reliable.

About the post:
Images are generative AI-created. Prompt: Two young black children, a boy and a girl, lying on their backs in a grassy meadow, gazing up at the night sky with wide-eyed wonder, 6 brilliant comets with long, colorful tails streaking across the dark expanse. Tool: Midjourney.

About the author:
Terry Brenner is the Head of Legal, Risk, and Compliance for IDVerse Americas. He oversees the company’s foray into this market, heeding to the sensitivities around data protection, inclusivity, biometrics, and privacy. With over two decades of legal experience, Brenner has served in a variety of roles across a diverse range of sectors.

x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
Shield Security