Are biometric security systems regulated by compliance standards?

My organization is exploring biometric verification but it has some reservations about potential compliance or...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

regulation issues around the technology. Have any major compliance standards such as HIPAA or PCI DSS directly addressed biometric security systems?

Security experts have long considered biometric security systems, such as the use of fingerprint and eye scans, a strong way to implement multifactor authentication. Combined with a password or other knowledge-based authentication approach, biometrics offer strong security that provide solid proof of a user's claimed identity.

While biometric authentication is a strong approach and is widely used by a variety of organizations, it is not required by any major compliance scheme. This is mainly because of the difficulty of implementing remote biometric authentication in some systems. For example, biometric security systems are not easily integrated into the Web-based authentication schemes that dominate many enterprise technology platforms. Organizations often instead choose to use device-based approaches that use smartphones or authentication tokens to achieve multifactor authentication.

HIPAA does not explicitly require the use of two-factor authentication, although many healthcare organizations choose to use it anyway. The HIPAA requirements merely state that covered entities must "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed," which could include biometric verification methods.

PCI DSS gets a little more specific in section 8.3, where it states that organizations must "incorporate two-factor authentication for remote network access originating from outside the network." PCI DSS does not go so far as to require biometric security systems, however, and leaves the door open to the more popular device-based approach to two-factor authentication.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Find out how small companies can ease the PCI DSS compliance burden

Learn how to react when biometric data is compromised

Discover the benefits of behavioral biometrics

Related Resources

Top Monitoring Tools to Help Meet Regulatory Compliance Standards –SearchSecurity.com
How to tackle IT audit and compliance –ComputerWeekly.com
The Need for Cloud Computing Security Standards –SearchSecurity.com
End the Struggle with InfoSec Policies and Standards through Risk & ... –Edgile

Dig Deeper on Security audit, compliance and standards

All
News
Get Started
Evaluate
Manage
Problem Solve

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Next Steps

Related Resources

Dig Deeper on Security audit, compliance and standards

Related Q&A from Mike Chapple

Have a question for an expert?

Join the conversation

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.