Remote identity verification serves the same purpose as physical, face-to-face identity verification. As such, a remote identity verification service makes it possible to check that the identity document presented by the user is authentic and that the user is its legitimate holder.
The main threat during identity verification, whether face-to-face or remote, is identity theft. A remote identity verification service is therefore exposed to the same risks as face-to-face identity verification but also, by its very nature, to specific risks: digital manipulation of images (deepfakes), injection of fraudulent data, repeated and massive attempts at identity theft, use of masks, etc.
In response to these risks, ANSSI has produced a set of rules and recommendations gathered in the remote identity verification service provider (PVID – prestataire de vérification d’identité à distance) rule set. The requirements expressed by this rule set concern the service provider and the security of the information system used to provide the remote identity verification service. The rule set aims to create a robust offering of remote identity verification services that meets the need for trust of users, clients of such services, and regulators. This rule set certifies the implementation of the relevant fraud reduction measures by the certified services based on two assurance levels: substantial and high.
The development of this reference rule set is part of the work carried out in collaboration with the Directorate General of the Treasury (DGT) for the certification of remote business contact services under decree no. 2020-118. Beyond this specific sectoral need, this rule set constitutes the basis of the unified evaluation scheme for remote identity verification services, whatever the assurance level (substantial and high) and whatever the regulatory framework. Trust services and electronic identification means using remote identity verification will therefore have to comply with it.
The purpose of this rule set is therefore to allow:
Fully aware of the sector’s expectations in this area and of the impact of this new evaluation activity, based on the requirements of the PVID rule set, ANSSI published various documents on 1 April to enable service providers wishing to submit their services for evaluation to formalise their requests to ANSSI.
In order to be considered for certification, the service provider must submit a certification request form.
The certification request form and the associated certification process, specifying the technical procedure for the evaluation of a PVID in relation to ANSSI’s rule set, are available in the dedicated section.
Finally, the list of evaluation centres that have applied to assess remote identity verification service providers (PVID) is available here.
For any questions relating to the PVID requirements rule set published by ANSSI, the point of contact is the one indicated in the document concerned.
Preliminary questions for a compliance or qualification certification request should be addressed to ANSSI’s Industrial Policy and Assistance office.
Compliance or qualification certification requests should be addressed to ANSSI’s Qualification and Approval office.