ASC/X9 - ANSI X9.84
Biometric Information Management and Security for the Financial Services Industry
|Publication Date:||31 March 2010|
This Standard describes the security framework for using biometrics for authentication of individuals in financial services. It introduces the types of biometric technologies and addresses issues concerning their application. This Standard also describes the architectures for implementation, specifies the minimum security requirements for effective management, and provides control objectives and recommendations suitable for use by a professional practitioner. Within the scope of this Standard the following topics are addressed:
- Security for the collection, distribution, and processing, of biometric data, encompassing data integrity, authenticity, and non-repudiation.
- Management of biometric data across its life cycle comprised of the enrollment, transmission and storage, verification, identification, and termination processes.
- Usage of biometric technology, including one-to-one and one-to-many matching, for the identification and authentication of banking customers and employees.
- Application of biometric technology for internal and external, as well as logical and physical access control.
- Encapsulation1 and cryptographic protection of biometric information for security, interoperability, and data confidentiality..
- Secure transmission and storage of biometric information during its life cycle.
- Security of the physical hardware used throughout the biometric data life cycle.
- Cryptographic techniques for data integrity, authenticity, and data confidentiality of biometric information.
- Validation of credentials presented at enrollment to support authentication as required by risk management;
- Surveillance to protect the financial institution and its customers;
Items considered out of scope and not addressed in this Standard include the following:
- The individual's privacy and ownership of biometric information.
- Specific techniques for data collection, signal processing, and matching of biometric data, and the biometric matching decision-making process;
- Usage of biometric technology for non-authentication convenience applications such as speech recognition, user interaction, and anonymous access control.
Although this Standard does not address specific requirements and limitations of business application employing biometric technology, other standards may address these topics.
1 Analogous to the ANSI PIN Block, refer to ANSI X9.8 and ISO 9564 PIN Management and Security standards.