ANSI - X9.84
Biometric Information Management and Security for the Financial Services Industry
|Publication Date:||1 January 2018|
This standard describes the security framework for using biometrics for authentication of individuals in financial services. It introduces the types of biometric technologies and addresses issues concerning their application. This standard also describes the architectures for implementation, specifies the minimum security requirements for effective management, and provides control objectives and recommendations suitable for use by a professional practitioner. Within the scope of this standard the following topics are addressed:
- Security for the collection, distribution, and processing, of biometric data, encompassing data integrity, data confidentiality, origin authenticity, and non-repudiation.
- Management of biometric data across its life cycle comprised of the enrollment, transmission and storage, verification, identification, and termination processes.
- Usage of biometric technology, including one-to-one and one-to-many matching, for the identification and authentication of banking customers and employees.
- Application of biometric technology for internal and external, as well as logical and physical access control.
- Encapsulation and cryptographic protection of biometric information for security, interoperability, and data confidentiality.
- Encryption, signcryption, tokenization methods, and biometric policy for privacy
- Secure transmission and storage of biometric information during its life cycle.
- Security of the physical hardware used throughout the biometric data life cycle.
- Cryptographic techniques for data integrity, origin authenticity, and data confidentiality of biometric information.
- Validation of credentials presented at enrollment to support authentication as required by risk management;
- Surveillance to protect the financial institution and its customers;
- Items considered out of scope and not addressed in this standard include the following:
- Privacy laws and legal interpretations regarding the collection, processing, or storage of biometric information preceding or during enrollment or authentication.
- Specific techniques for data collection, signal processing, and matching of biometric data, and the biometric matching decision-making process;
- Usage of biometric technology for non-authentication convenience applications such as speech recognition, user interaction, and anonymous access control.
Although this standard does not address specific requirements and limitations of business applications employing biometric technology, other standards may address these topics.
A biometric authentication system may claim compliance to this standard if the implementation satisfies the management and security requirements identified in §8 Management and Security Requirements. A biometric authentication system that utilizes the methods recommended in §9 Techniques and has implemented appropriate policies, practices and operational procedures should comply with this