Evaluate

Are biometric security systems regulated by compliance standards?

Biometric security systems come with many advantages, but do they also come with many regulations? Expert Mike Chapple discusses biometric authentication compliance.

Mike Chapple

University of Notre Dame
Published: 13 May 2016

My organization is exploring biometric verification but it has some reservations about potential compliance or...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

regulation issues around the technology. Have any major compliance standards such as HIPAA or PCI DSS directly addressed biometric security systems?

Security experts have long considered biometric security systems, such as the use of fingerprint and eye scans, a strong way to implement multifactor authentication. Combined with a password or other knowledge-based authentication approach, biometrics offer strong security that provide solid proof of a user's claimed identity.

While biometric authentication is a strong approach and is widely used by a variety of organizations, it is not required by any major compliance scheme. This is mainly because of the difficulty of implementing remote biometric authentication in some systems. For example, biometric security systems are not easily integrated into the Web-based authentication schemes that dominate many enterprise technology platforms. Organizations often instead choose to use device-based approaches that use smartphones or authentication tokens to achieve multifactor authentication.

HIPAA does not explicitly require the use of two-factor authentication, although many healthcare organizations choose to use it anyway. The HIPAA requirements merely state that covered entities must "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed," which could include biometric verification methods.

PCI DSS gets a little more specific in section 8.3, where it states that organizations must "incorporate two-factor authentication for remote network access originating from outside the network." PCI DSS does not go so far as to require biometric security systems, however, and leaves the door open to the more popular device-based approach to two-factor authentication.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Find out how small companies can ease the PCI DSS compliance burden

Learn how to react when biometric data is compromised

Discover the benefits of behavioral biometrics

Dig Deeper on Security audit, compliance and standards

All
News
Get Started
Evaluate
Manage
Problem Solve

Mike Chapple asks:

What has your experience been with biometric verification in the enterprise?

Join the Discussion

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Next Steps

Dig Deeper on Security audit, compliance and standards

Related Q&A from Mike Chapple

Have a question for an expert?

Join the conversation

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.