08 Jun 2026 in IDV basics

Key Certifications and Standards for ID Verification Vendors

Jan Stepnov

Identity Verification Expert

In Brief: ID verification (IDV) standards are most useful when they show whether the vendor can manage the whole identity flow, not only one check inside it. Strong liveness testing, document verification, NFC support, age assurance, and security controls need to work together in production.

Choosing an ID verification vendor goes hand in hand with checking which industry credentials the vendor holds. And there are many to go through: names such as ISO, ICAO, NIST, and ETSI may only be the tip of the iceberg.

This guide is meant to make that review easier: we have grouped the most relevant identity verification certifications by their practical role, explained what each one covers, and outlined what a vendor usually has to demonstrate.

Disclaimer: This list is selective and may not cover every certificate, regional rule, or customer-specific requirement. If you are looking for the latest details on Regula’s certificates specifically, please contact us directly.


ISO/IEC 27001:2022 — Information security management

ISO/IEC 27001 is the primary security certificate for a company that handles document images, selfies, biometric templates, NFC chip data, device metadata, and verification logs. 

Certification means the vendor runs an audited information security management system with:

  • defined scope, 

  • risk assessment, 

  • risk treatment, 

  • policies,

  • access control,

  • supplier control,

  • incident handling,

  • internal audits, 

  • management review,

  • recurring surveillance audits.

A vendor seeking ISO/IEC 27001 certification has to define its ISMS boundary, identify assets and information-security risks, select controls in a Statement of Applicability, run internal audits, fix nonconformities, and pass an external certification audit. 

Regula holds ISO/IEC 27001:2022 certification for executive management, engineering, and sales of Regula software products. Additionally, Regula holds ISO/IEC 27001:2022 for optoelectronic equipment and related software design, development, manufacturing, sales, and maintenance.

Keep in mind that ISO/IEC 27001 is only useful when the scope matches the product, hosting model, and legal entity under review. Ask for the certificate, expiry date, scope statement, and a Statement of Applicability summary.

ISO 9001:2015 and ISO 14001:2015 — Quality and environmental management

ISO 9001 belongs to the ISO 9000 quality-management family and is relevant when an IDV vendor also produces hardware, forensic devices, passport readers, or document-inspection systems. It gives buyers proof that product quality, corrective action, supplier control, customer feedback, internal audits, and management review are governed by a certified system rather than ad hoc processes.

ISO 14001 covers environmental management. It does not validate ID verification accuracy, but it can be useful in enterprise and public-sector procurement, where buyers may review hardware production, maintenance, waste, legal duties, environmental objectives, and supplier policies.

A vendor seeking ISO 9001 certification has to:

  • document its quality management system,

  • define roles and process controls,

  • manage nonconformities,

  • show corrective actions,

  • pass internal and external audits.

ISO 14001 adds environmental aspects, compliance obligations, objectives, monitoring, audit evidence, and management review.

Regula holds ISO 9001:2015 certification for development, production, and sales of optoelectronic equipment and systems. Regula also holds ISO 14001:2015 certification for development, production, maintenance, and sales of optoelectronic equipment and software.

ISO 9001 and ISO 14001 do not prove document or biometric accuracy, but they add useful assurance when hardware quality, production discipline, and public procurement requirements are part of the purchase.

ISO/IEC 14443-3 and ISO/IEC 14443-4 — NFC chip communication

ISO/IEC 14443-3 covers initialization and anticollision for contactless proximity objects, while ISO/IEC 14443-4 defines the block transmission protocol and activation/deactivation sequence. In identity verification, these standards are relevant because ePassports, eIDs, residence permits, and some other identity documents use contactless chip communication.

A vendor claiming support for these standards should provide the following evidence:

  • supported document types, 

  • mobile and reader platforms, 

  • failed-read behavior, 

  • APDU handling, 

  • chip-speed behavior.

💡 For example, during NFC verification, electronic IDs may use different speeds, including 106 kbps, 212 kbps, 424 kbps, 848 kbps, and higher bit rates up to 6.78 Mbps.

Regula supports ISO/IEC 14443-3 and ISO/IEC 14443-4 for NFC verification. Regula’s NFC verification technology is also listed as compliant with ICAO 9303 and BSI TR-03105 parts 5.1 and 5.2.

While ISO/IEC 14443 support confirms chip communication coverage, it does not by itself prove full document authentication capability. It should be paired with ICAO, BSI, and certificate-chain validation evidence.

ISO/IEC 18013-5 — Mobile driver’s licenses

ISO/IEC 18013-5 defines interface specifications for mobile driver’s licenses (mDLs), including communication between an mDL and reader, as well as the interface between the reader and issuing authority infrastructure. It covers machine reading of mDL data, origin authentication, integrity verification, and holder binding.

A vendor claiming mDL support should be able to describe:

  • how the product reads and verifies mDL data, 

  • which transfer methods are supported, 

  • how issuer signatures are checked, 

  • how the holder is bound to the credential, 

  • what fallback paths exist. 

Regula Document Reader SDK supports mDL verification based on ISO/IEC 18013-5 with QR, NFC, and Bluetooth options.

mDL verification should prove issuer authenticity, data integrity, and holder binding. Basic QR or NFC reading is not enough for a regulated identity flow.

ISO/IEC 30107-3 (iBeta) — Presentation attack detection

ISO/IEC 30107-3 is the biometric presentation attack detection (PAD) testing and reporting standard behind most liveness procurement. It covers attacks at the biometric capture device during presentation, which means it is highly relevant to face liveness and PAD, but it should not be read as full proof against every injection, replay, emulator, session-tampering, or back-end attack.

For testing, a vendor needs to specify a product version, platform, device or capture channel, biometric modality, attack set, test plan, and metrics. The most useful PAD figures are APCER, BPCER, and non-response rates: APCER is the share of attack presentations accepted as genuine, while BPCER is the share of genuine presentations rejected as attacks.

iBeta is one of the best-known independent PAD labs. Level 1, Level 2, and Level 3 are iBeta PAD testing tiers rather than separate ISO standards; they indicate the attack difficulty and pass criteria used during testing. A successful result is typically documented through an iBeta confirmation letter showing that a specific product version passed PAD testing in accordance with ISO/IEC 30107-3.

  • Level 1 covers lower-effort presentation attacks using lower-cost artifacts and short preparation time. It allows 0% penetration or match rate, with BPCER or FNMR of no more than 15%. 

  • Level 2 introduces more advanced artifacts, greater tester effort, and a higher material-cost allowance; it allows 1% penetration or match rate, with the same 15% BPCER or FNMR cap. 

  • In late 2025, iBeta announced Level 3, which is the most demanding tier. It uses extensive equipment, hyper-realistic facial masks, specialized environments, and accessories; it allows 5% penetration or match rate, with BPCER or FNMR capped at 10%.
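How these figures behave on a trial log, as an added example that is not iBeta's or Regula's code. ISO/IEC 30107-3 reports APCER per attack instrument species, so the sketch computes it per attack type and shows how a pooled figure can hide a weak one. The tier limits are the ones quoted above; applying them to the worst attack type, the function names, and the sample data are assumptions.

```python
# Added example: APCER per attack type and BPCER from PAD trial records.
from collections import defaultdict

# Tier limits as quoted in the article: (max attack acceptance, max BPCER).
TIER_LIMITS = {1: (0.00, 0.15), 2: (0.01, 0.15), 3: (0.05, 0.10)}

def pad_metrics(trials):
    """trials: iterable of (species, classified_as_live).
    species is None for a bona fide (genuine) presentation, otherwise a
    label for the attack instrument type, e.g. "print" or "mask"."""
    attacks = defaultdict(lambda: [0, 0])  # species -> [accepted, total]
    bona_total = bona_rejected = 0
    for species, live in trials:
        if species is None:
            bona_total += 1
            bona_rejected += not live
        else:
            attacks[species][0] += live
            attacks[species][1] += 1
    if not attacks or bona_total == 0:
        raise ValueError("need both attack and bona fide presentations")
    apcer = {s: acc / tot for s, (acc, tot) in attacks.items()}
    pooled = sum(a for a, _ in attacks.values()) / sum(t for _, t in attacks.values())
    return {"apcer_by_species": apcer, "apcer_worst": max(apcer.values()),
            "apcer_pooled": pooled, "bpcer": bona_rejected / bona_total}

def meets_tier(metrics, tier):
    """Assumption: the limits apply to the worst attack type, not the pool."""
    max_apcer, max_bpcer = TIER_LIMITS[tier]
    return metrics["apcer_worst"] <= max_apcer and metrics["bpcer"] <= max_bpcer

# Constructed trial log: 300 print attacks, 100 mask attacks, 200 genuine users.
SAMPLE = ([("print", False)] * 300 + [("mask", False)] * 97 + [("mask", True)] * 3
          + [(None, True)] * 180 + [(None, False)] * 20)
```

On the constructed log the pooled APCER is 0.75%, under the Level 2 limit, while the mask-only APCER is 3%, which is why a vendor report should break results out by attack type.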

Regula’s products have passed iBeta PAD Level 1 and Level 2 testing in accordance with ISO/IEC 30107-3. Regula’s public iBeta Level 2 result: 750 presentation attacks were not accepted as live, producing APCER 0% for that test scenario.

Figure: Mask collection at Regula's lab

Our extensive collection of presentation attack tools allows us to perform rigorous testing and steady improvement of our liveness detection system.

Treat iBeta PAD Level 1/2/3 as evidence for a specific tested product version, as opposed to a blanket liveness guarantee. Before relying on it, ask whether the same SDK/API version, platform, device channel, and liveness mode are used in your deployment — and request separate evidence for injection, replay, emulator, and API abuse defenses.

ICAO Doc 9303 — Machine-readable and electronic travel documents

ICAO Doc 9303 is the main standard set for machine-readable travel documents. ICAO lists parts covering MRTD security, passports, ID cards, visas, biometric storage in eMRTDs, logical data structure, security mechanisms, PKI, and visible digital seals.

A document-verification vendor should be able to map its checks to:

  • MRZ formats and check digits, 

  • VIZ-to-MRZ consistency, 

  • document-type rules, 

  • NFC reading and verification, 

  • LDS data groups, 

  • Passive Authentication, 

  • Active Authentication,

  • Chip Authentication, 

  • Terminal Authentication (where relevant), 

  • Visible Digital Seals. 

Regula Document Reader SDK validates MRZ data according to ICAO 9303 and ISO 18013, while Regula NFC verification is listed as compliant with ICAO 9303.

ICAO Doc 9303 separates standards-based document checks from simple data capture. Ask for a compliance matrix covering optical checks, MRZ, NFC, LDS, PKI, and digital seals.
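The "MRZ formats and check digits" item above, as an added example that is not Regula's code: a validator for line 2 of a TD3 (passport) MRZ using the ICAO 9303 check-digit rule (weights 7, 3, 1, sum modulo 10). The function names are hypothetical, the sample line is the widely published specimen for the fictional state UTO, and the tampered variant is constructed.

```python
# Added example: ICAO 9303 check digits for a TD3 (passport) MRZ line 2.
import string

WEIGHTS = (7, 3, 1)
# 0-9 keep their value, A-Z map to 10-35, the filler '<' counts as zero.
VALUES = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}
VALUES["<"] = 0

# (name, data slice, index of its check digit), 0-based within the line.
TD3_FIELDS = (
    ("document_number", slice(0, 9), 9),
    ("date_of_birth", slice(13, 19), 19),
    ("date_of_expiry", slice(21, 27), 27),
    ("optional_data", slice(28, 42), 42),
)

def check_digit(data: str) -> int:
    """Weighted sum (7, 3, 1 repeating) modulo 10."""
    return sum(VALUES[c] * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10

def validate_td3_line2(line: str) -> dict:
    """Return {field: bool}; raise ValueError on malformed input."""
    if len(line) != 44:
        raise ValueError(f"TD3 line must be 44 characters, got {len(line)}")
    bad = set(line) - VALUES.keys()
    if bad:
        raise ValueError(f"characters outside the MRZ alphabet: {sorted(bad)}")
    results = {}
    for name, span, pos in TD3_FIELDS:
        stated = line[pos]
        # An unused optional field may carry '<' instead of a digit.
        if name == "optional_data" and stated == "<":
            results[name] = set(line[span]) == {"<"}
            continue
        results[name] = stated.isdigit() and int(stated) == check_digit(line[span])
    # The composite digit covers every field together with its check digit.
    composite = line[0:10] + line[13:20] + line[21:43]
    results["composite"] = line[43].isdigit() and int(line[43]) == check_digit(composite)
    return results

SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed tamper: birth year changed, check digits left as they were.
TAMPERED = SPECIMEN[:13] + "750812" + SPECIMEN[19:]
```

A passing check digit only shows the MRZ is internally consistent; it says nothing about whether the document is genuine, which is why the list above pairs it with VIZ-to-MRZ consistency and chip authentication.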

BSI Technical Guidelines

BSI technical guidelines are especially relevant in German and high-assurance European identity projects. BSI TR-03105 covers ePassport conformity testing and aims to support international interoperability of electronic travel documents.

BSI TR-03135 was developed with German law-enforcement bodies and deals with modern machine-assisted document inspection. In practice, BSI claims should always specify the technical guideline, version, product function, and evidence type, because “BSI compliant” can refer to very different topics.

Regula NFC verification supports BSI TR-03105 parts 5.1 and 5.2. Regula Document Reader SDK materials also refer to XML result processing in line with BSI TR-03135 v2.5.

Ask whether the vendor’s claim relates to ePassport conformity testing, result formats, identity proofing, or another BSI area.

ETSI and eIDAS

ETSI TS 119 461 defines policy and security requirements for trust-service components that provide identity proofing of trust-service subjects. It covers initiation, evidence collection, evidence validation, applicant binding, proofing results, evidence retention, and Baseline or Extended Levels of Identity Proofing.

The standard contains practical proofing details. For remote proofing with a physical identity document, it references video capture quality examples such as 25 fps and 1280×720 or 720×1280 resolution, requires PAD for live-person capture, calls for checks against artificially generated or manipulated face images, and covers biometric injection attack prevention and detection.

eIDAS 2.0 is the EU legal framework for electronic identification and trust services, now tied to the European Digital Identity Framework and the move toward digital identity wallets.

A vendor review should connect ETSI and eIDAS claims to a named use case: QES onboarding, qualified certificate issuance, Trust Service Provider onboarding, wallet-related proofing, or another trust-service scenario.

Regula is a Full Member Service Provider of ETSI and publicly positions its workflows as aligned with eIDAS and ETSI requirements.

ETSI and eIDAS claims should be tied to a named workflow and standard version. Ask for the ETSI document, proofing level, use-case mapping, and role split between vendor, customer, and Trust Service Provider.

NIST FATE Age Estimation & Verification

NIST FATE Age Estimation & Verification is an independent evaluation for algorithms that estimate age from face photos. It is not a certificate, but it is one of the strongest public benchmarks for age-estimation accuracy, age-restricted decisions, demographic variation, timing, and failure-to-process behavior.

Participation requires a wrapped C++ API, a validation package run, encrypted submission, and NIST-run testing. NIST reports metrics such as mean absolute error, accuracy within three and five years, false positive rate, false negative rate, mean assessment time, and failure-to-process rate.

For example, Regula reported top performance in overall age estimation and top-three placement for Challenge 25 and Child Online Safety scenarios (lower values are better).

Figure: NIST age estimation report, Challenge 25

NIST FATE results are valuable when age estimation affects onboarding, age-gated access, or child-safety controls.

Why fragmented stacks can fall short

Naturally, identity verification certifications do not all center around the same thing, and a vendor can look strong in one area and still leave gaps in another. A system may have liveness testing but weak document checks; or strong NFC reading but poor certificate-source handling.

And the more fragmented the IDV stack is, the harder it gets to ensure that there are no such gaps. That’s why a holistic solution like Regula IDV Platform can make identity lifecycle management much more coherent, with high-quality document checks, biometrics, liveness, NFC verification, screening, storage, analytics, and workflow controls built to work together.

More specifically, Regula IDV Platform provides:

  • Identity lifecycle management: Manage verification, reverification, user status, and review history in one place, instead of treating IDV as a one-time document check.

  • Workflow management: Configure IDV flows for different products, risk levels, regions, and user groups, combining document checks, biometrics, NFC verification, screening, age assurance, and manual review where needed.

  • Case management: Give compliance, fraud, and operations teams a shared workspace for identity, compliance, and fraud cases, with clearer decision history and audit records.

  • Document and chip verification: Use Regula’s document expertise, 16,000+ identity document templates, ICAO 9303 support, NFC verification, ISO/IEC 14443-3/-4 support, ISO/IEC 18013-5 support for mDLs, and selected BSI technical guideline support within the same IDV environment.

  • Biometric and age checks: Combine face matching, liveness, and age assurance in the identity flow, with public proof points such as iBeta PAD Level 1 and Level 2 testing under ISO/IEC 30107-3 and NIST FATE age-estimation results.

  • KYC and screening controls: Add KYC checks, AML/PEP screening, databases, watchlists, and age confirmation to the same workflow, so verification and risk review are not managed as separate processes.

  • Deployment and operating control: Choose hosted cloud or 100% on-premises deployment depending on privacy, security, data residency, and IT requirements, backed by Regula’s ISO/IEC 27001:2022, ISO 9001:2015, and ISO 14001:2015 management-system certificates.

Curious about how Regula IDV Platform can improve your ID verification? Let's talk.
