Accreditation of financial-services firm Eftpos as Australia’s first accredited non-government digital identity provider will provide a standardised, secure way to verify the identities of individuals and businesses online, officials said in announcing the company’s certification under the Trusted Digital Identity Framework (TDIF).
That certification reflects the success of Eftpos in demonstrating that its connectID service is “trustworthy, safe and secure and has met strict usability and accessibility requirements,” Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said in announcing the certification.
“A safe, thriving digital economy is not possible without identity – a safe, secure and convenient way for Australians to prove their identity online.”
TDIF imposes a range of strict controls on identity providers, who must demonstrate requirements around accessibility and usability, privacy protection, security and fraud control, risk management, technical integrity, and more.
The certification process took “months of rigorous assurance evaluations and privacy and security testing,” Eftpos CEO Stephen Benton said, calling the certification “a significant and tangible milestone in the rollout of Australia’s digital identity ecosystem”.
To maintain the certification, TDIF-accredited organisations must demonstrate their continuing compliance by undergoing annual assessments that include independent privacy impact assessments, independent security assessments, and ICT penetration testing.
They must also develop, maintain and refine organisational policies and practices aligned with Australian government requirements including the Protective Security Policy Framework (PSPF), Information Security Manual (ISM), Australian Privacy Principles (APPs), and a range of cybersecurity controls built around the Australian Cyber Security Centre’s Essential Eight security mitigations.
Robert linked the certification to the expansion of the Australian Government Digital Identity system, while noting that Eftpos “is not currently seeking to operate as part of” that system.
Proving your identity online
Eftpos is the first private company to meet the strict TDIF requirements, joining Services Australia as the only entities certified as identity exchanges under the framework.
As an identity ‘broker’, connectID allows online government, e-commerce, and other service providers to confirm the identity of customers by linking to identity providers – organisations that securely hold identity data – in real time.
This layered structure reflects the intentions of the Consumer Data Right (CDR) by allowing consumers to control who can access their data by interfacing directly with identity providers – and granting or withholding consent for data to be shared.
That means online companies can use the framework to better identify themselves and their customers online, potentially addressing issues such as verification of new financial-services customers, recruitment, limiting access to gaming, and more.
The system would also support age-verification systems such as the one the eSafety Commissioner is currently investigating to manage access to online pornography.
The connectID framework is already being tested with organisations including Australia Post, Yoti, and several state governments for uses such as police checks, age verification for online liquor sales, and validating licenses for heavy equipment operators on mining sites.
“The creation of an Australian digital identity system... is a foundation stone in a modern digital economy,” said Eftpos Digital Identity managing director Andrew Black, who said the new system “reduces friction, delays and cost while automating and boosting safety and compliance for individuals, businesses and government services.”
Eftpos, which processes over $300 million worth of transactions daily through its nationwide debit-card network, has been leaning on its point-of-sale expertise to extend itself into online transactions.
It began developing connectID last year, and this year negotiated a three-way merger with BPAY Group Holding and NPP Australia that will reshape Australia’s digital-payments infrastructure.
The ACCC this month approved that merger, subject to a number of conditions, with ACCC chair Rod Sims concluding that the merger “is likely to result in public benefit, by placing [payment providers] in a better position to deliver payment service initiatives more quickly and successfully, for the benefit of consumers and businesses.”