Trustmark Definitions (1151-1175 of 3247)

Trustmark Definition Name Version
Credential Service Providers restrict all applicants and approved users to non-minors, adults over the age of 18.
1.0
Credential Service Providers must conduct a risk management process that covers the privacy and security risks related to the retention of PII data recorded during the identity proofing process.
1.0
Credential Service Providers must provide an explicit notice to applicants regarding the purpose for collecting and maintaining attributes.
1.0
Credential Service Providers that process attributes for purposes other than the primary functions of an identity service (identity proofing, authentication, attribute assertions, fraud mitigation, or legal processes) shall implement additional measures appropriate for the additional risk these attributes present.
1.0
Credential Service Providers must limit the collection of PII to the minimum necessary to uniquely identify a given subject. This may include attributes that correlate identities to authoritative sources and that provide RPs with authorization attributes.
1.0
Credential Service Providers should make their identity resolution algorithms public or at least available to relevant communities of interest.
1.0
Credential Service Providers must collect a biometric sample (e.g., fingerprint, facial image) at the time of identity proofing for the purposes of non-repudiation and re-proofing.
1.0
Credential Service Providers that accept applications from minors must adhere to Children's Online Privacy Protection Act (COPPA) and other laws as applicable.
1.0
Credential Service Providers must plan ahead for proper protection or disposal of sensitive data in the event that they cease performing identity proofing and enrollment.
1.0
Credential Service Providers must collect evidence of the applicant's identity prior to credential issuance. This evidence must meet guidance specified for high assurance.
1.0
Credential Service Providers must collect evidence of the applicant's identity prior to credential issuance. This evidence must meet guidance specified for moderate assurance.
1.0
Credential Service Providers must validate evidence presented by an applicant as part of the credential issuance process. The validation methods must meet guidance specified within NIST 800-63-3.
1.0
Credential Service Providers engaging in high assurance identity proofing must verify the identity evidence presented during credential issuance in-person.
1.0
Credential Service Providers engaging in moderate assurance identity proofing must verify the identity evidence presented during credential issuance and should support both remote and in-person verification.
1.0
Credential Service Providers engaging in in-person identity proofing must collect biometric data, ensuring it is legitimate and for the applicant.
1.0
Credential Service Providers shall not perform identity proofing to determine suitability or entitlement to gain access to services or benefits.
1.0
Credential Service Providers operating exclusively with Identity Assurance Level 1 (IAL1) identities shall not validate and verify attributes.
1.0
Credential Service Providers that accept applications from minors should use the applicant's parent or legal guardian as a trusted referee.
1.0
Credential Service Providers must undergo a thorough privacy analysis and impact assessment and publish the results.
1.0
Credential Service Providers must protect the PII collected during the enrollment process to ensure confidentiality, integrity, and attribution of the information.
1.0
Credential Service Providers must have easy-to-find and easy-to-use mechanisms in place to assist applicants when problems arise during identity proofing. These mechanisms should be evaluated for their efficacy.
1.0
Credential Service Providers should define within their lifecycle policy a schedule for re-proofing refereed subscribers.
1.0
Credential Service Providers that accept applications from minors under the age of 13 must adhere to Children's Online Privacy Protection Act (COPPA) and other laws as applicable.
1.0
Credential Service Providers engaging in remote identity proofing must ensure biometric data is collected in a supervised manner to ensure it is legitimate and for the applicant.
1.0
Credential Service Providers must identity proof trusted referees at the same identity assurance level as applicants, and must determine a minimum evidence set required to bind the referee and applicant.
1.0