What is PVID?
As part of the fight against identity fraud, the French National Agency for Information Systems Security (ANSSI) has set up the PVID (Remote Identity Verification Providers) standard, which provides a framework for remote identity verification systems. Indeed, the fight against identity theft is more than ever at the heart of the concerns of the State, which wishes to help companies to offer more secure identification systems to their users. The implementation of this standard is therefore a real boon for companies wishing to operate in a more secure manner, at various levels.
Why set up this standard?
The PVID standard responds to a demand that has been growing in recent years and that became all the more pressing with the arrival of Covid and remote operations: the ability to verify the identity of a remote contact more securely. Whether the task is sending a registered letter online, transmitting a secure document, having a customer sign a contract remotely or something else, identity verification is required. It first of all avoids recipient errors but also, and above all, helps to fight fraud.
Online scams are becoming more and more numerous. They concern private individuals, in particular with phishing methods which are now well known to the general public, but also companies which may be faced with the theft of money or documents for example. Identity theft and fraud can have serious consequences and repercussions at different levels, which is why companies must offer an online identification system that is sufficiently effective to protect themselves and their users. This raises the question of what the characteristics of an effective identification system are, and this is precisely what the PVID standard proposed by the French National Agency for Information Systems Security addresses.
What is in this text?
The PVID standard is a reference text proposed by the French National Agency for Information Systems Security (ANSSI) in order to provide a framework for remote identity verification services. Its primary objective is to allow the identification of providers of remote identity verification services with a substantial or high level of guarantee.
Two versions available to the public
Although the PVID standard is now sufficiently mature to be applied and to offer companies certification by the National Agency for Information Systems Security after they have submitted their file for evaluation, the text is in fact quite recent. The health crisis, and above all the lockdown, accelerated things, since many companies adapted their services to be able to remain active even at a distance. Electronic signatures and the sending of documents thus became tools that are used much more frequently and that therefore had to be regulated as quickly as possible. A first version of the PVID standard, with a call for comments, was published in November 2020. A first definitive version of the PVID standard has been available since 1 March 2021.
A precise process to be followed
This reference framework lists various information intended to enable the certification and compliance of remote identification services. The official document made available by the French National Agency for Information Systems Security details:
- General description of the remote identity verification service
- Evaluation of remote identity verification providers
- Requirements to be met by the provider (risk assessment and treatment, remote identity verification policies and practices, remote verification service activities, information protection, provider organisation and governance, quality and service level).
Companies and other service providers offering an identity verification system can therefore refer to the PVID reference framework to find out about all the recommendations made by the National Agency for Information Systems Security.
Two levels of coverage depending on need
The PVID standard allows for the implementation of two different levels of guarantee of the eIDAS regulation: the substantial level and the high level.
The substantial level of guarantee makes it possible to substantially reduce the risk of identity theft or alteration. The service in question must then guarantee reliability equivalent to that of a physical face-to-face meeting carried out in the context of access to a public or private service with presentation of proof of identity. In other words, the service must be able to withstand attacks with a moderate attack potential.
The high level of guarantee prevents any risk of identity theft or alteration. The service in question must then guarantee reliability equivalent to that of a physical face-to-face meeting carried out within the framework of the issuance of an identity document. In other words, it must resist attacks with a high attack potential.
How to implement the PVID standard?
The implementation of the PVID standard depends above all on the willingness of the company to follow the recommendations of the National Agency for Information Systems Security and to offer a quality and secure service to both its employees and its customers. While the PVID standard describes the various stages involved in achieving a sufficient level of security, the National Agency for Information Systems Security also proposes the certification of service providers.
The company can in fact send an evaluation request to the National Agency for Information Systems Security, which will then carry out various checks to ensure that the company is compliant. It can then issue a form of certification that allows the company to ensure that it has a secure system, but also to let its customers know that the tools it uses enable it to fight identity fraud more effectively.
Why comply with the PVID standard?
PVID compliance and certification will not only help a company to combat identity fraud, and thus limit the risk of theft, for example, but also to gain the confidence of its customers. A company can therefore choose to implement PVID-compliant tools, but it can also call on a service provider who has the necessary skills to provide a PVID-compliant identity verification system. This allows companies with limited financial and/or technical resources to benefit from a secure identity verification system.
At Archipels, we intend to provide professionals with identification and identity fraud prevention tools that are effective and of course compliant with the PVID standard. Our partners can thus benefit from our expertise and guarantee their clients the use of remote services that meet the standards set by the French National Agency for Information Systems Security.