

Are biometric security systems regulated by compliance standards?

Biometric security systems come with many advantages, but do they also come with many regulations? Expert Mike Chapple discusses biometric authentication compliance.

My organization is exploring biometric verification but it has some reservations about potential compliance or regulation issues around the technology. Have any major compliance standards such as HIPAA or PCI DSS directly addressed biometric security systems?

Security experts have long considered biometric security systems, such as fingerprint and eye scans, a strong way to implement multifactor authentication. Combined with a password or another knowledge-based authentication factor, biometrics offer strong security that provides solid proof of a user's claimed identity.

While biometric authentication is a strong approach and is widely used by a variety of organizations, it is not required by any major compliance scheme. This is mainly because of the difficulty of implementing remote biometric authentication in some systems. For example, biometric security systems are not easily integrated into the Web-based authentication schemes that dominate many enterprise technology platforms. Organizations often instead choose to use device-based approaches that use smartphones or authentication tokens to achieve multifactor authentication.

HIPAA does not explicitly require the use of two-factor authentication, although many healthcare organizations choose to use it anyway. The HIPAA requirements merely state that covered entities must "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed," which could include biometric verification methods.

PCI DSS gets a little more specific in section 8.3, where it states that organizations must "incorporate two-factor authentication for remote network access originating from outside the network." PCI DSS does not go so far as to require biometric security systems, however, and leaves the door open to the more popular device-based approach to two-factor authentication.



This was last published in May 2016
