PAS 499 Code of practice for digital identification and authentication

PAS 499:2019

Code of practice for digital identification and strong customer authentication

Status: Current
Published: July 2019



What is this PAS about?

This new PAS is for organizations with regulatory requirements under the Second Payment Services Directive (PSD2) and related regulations. It covers how organizations can implement robust customer authentication processes. In particular, it focusses on management principles and takes a regulatory view of identification and strong customer authentication, specifically in relation to PSD2.

Who is this PAS for?

  • Financial organizations (e.g. banking, online payment providers)
  • Organizations needing to comply with PSD2

Why should you use this PAS?

Robust digital identity and user authentication processes are essential for minimizing the risks of online transactions. This PAS provides recommendations to take into account when implementing strong customer authentication in line with the Second Payment Services Directive (PSD2). It also provides recommendations and guidance on process design elements that help optimize the implementation of a system to meet legal requirements.

PAS 499 covers the management of identification and strong customer authentication systems in regulated industries, including:

  • Identity validation
  • Identity verification
  • Enrolment
  • Authentication
  • Delegated authority and authorization
  • Security and usability
  • Risk models for authentication

It also applies to management processes for creating, accessing or managing accounts digitally; users making a payment via a mobile device or other computer; users making a contactless payment using an electronic device; a retailer receiving such payments; third-party roles; delegated authority; and a bank or payment service provider administering such transactions. 

It includes supporting guidance in informative annexes, including use cases to address common scenarios and strong customer authentication, and a summary description of additional good practice that can be used in developing a compliant secure system.

NOTE 1: The PAS does not cover: contactless payments made using plastic cards; transactions in the context of the internet of things; digital currencies; specifics of payment devices or payment terminals.

NOTE 2: There is a difference in the way that the term “identification” is used in this PAS (establishing an association between a known identity and a person) and that employed in biometric standards (process of searching a biometric enrolment database to find and return the biometric reference identifier(s) attributable to a single person). When used in PAS 499, the latter meaning is referred to as “biometric identification”.

Standard Number: PAS 499:2019
Title: Code of practice for digital identification and strong customer authentication
Publication Date: 31 July 2019
Normative References (required to achieve compliance to this standard): PD ISO/IEC TR 29196:2018, BS 18477:2010
Informative References (provided for information): BS ISO/IEC 2382-37:2017, BS 18477:2010, PD ISO/IEC TR 29196:2018, ISO/IEC Guide 76, BS ISO/IEC 24760-1, BS ISO/IEC 30107-1, BS ISO/IEC 30107-3, BS PD ISO/IEC TS 29003, BS ISO/IEC 29115, BS ISO/IEC 24745, ISO/IEC 27000, BS ISO/IEC 19795-6
Descriptors: Security, Identification methods, Authentication, Organizations, Customers
ISBN: 978 0 580 94481 9
File Size: 11.06 MB
