What is a Remote Identity Verification Provider (PVID)?
A PVID is a service provider that offers an application-based or hybrid service designed to verify the identity of a natural person remotely, eliminating the need for physical travel.
The PVID Framework
The ANSSI PVID v1.1 requirements framework sets out a strict set of organizational, legal, and technical rules. The fundamental objective is to achieve a level of certainty and reliability equivalent to an identity verification performed in a physical face-to-face setting. To achieve this, the framework mandates a double-validation process combining cutting-edge technologies (character recognition, biometrics, and liveness detection) with a final control operated by human experts specially trained in document fraud.
The PVID qualification, widely used to issue eIDAS qualified certificates or within the qualification of Electronic Identification Means (MIE), relies on:
- The assessment of the service's conformity against the framework's organizational and technical requirements.
- Extensive effectiveness testing focused on both the biometric components and identity documents.
The Two Assurance Levels
The ANSSI framework qualifies services according to two distinct security profiles based on their resistance to attackers:
- Substantial Profile (Profil Substantiel): The solution must demonstrate its robustness against attackers with a moderate attack potential. The tolerance criteria for false positives (FAR) or biometric acquisition failures follow standardized thresholds.
- High Profile (Profil Élevé): Tailored for the most critical use cases, this profile evaluates the service's resistance to attackers with a high attack potential (such as state-sponsored threats or advanced fraud laboratories). Presentation Attack Detection (PAD) and Injection Attack Detection (IAD) requirements, along with verification redundancies, are drastically reinforced.
What are the Key Stakes of PVID Qualification?
Obtaining the PVID qualification (which leads to the award of the prestigious ANSSI Security Visa) provides major strategic and regulatory advantages:
- Legal Compliance Guarantee (AML-CFT / LCB-FT Exemption): Using a PVID-qualified service strictly complies with the requirements of the French Monetary and Financial Code (Art. R. 561-5-2). It offers legal equivalence to a physical face-to-face interaction, exempting regulated entities (such as banks, insurance companies, and DASPs/PSAN) from complementary customer due diligence measures (such as requiring an initial bank transfer from an account already established within the EU).
- Absolute Guarantee Against Identity Fraud: The certified service demonstrates a proven capability to withstand and block state-of-the-art complex attacks, including deepfake spoofs, document falsification, and video injection attacks.
- European Trust Recognition: The ANSSI framework is aligned with the European eIDAS Regulation. Achieving this qualification allows seamless legal integration into the issuance processes of qualified electronic certificates (signatures, seals) or the approval of Electronic Identification Means (MIE).
- Market Distinction and Value: Displaying a state-backed trust label reassures contracting authorities and cements the competitive advantage of qualified providers.
- Future Interoperability: Early positioning ahead of emerging European standards for remote identity verification (e.g., ETSI TS 119 461).
Who is the PVID Qualification For?
PVID qualification is broadly aimed at all digital trust stakeholders designing, integrating, or operating remote identity verification solutions:
- Technology Providers: Companies developing software solutions for document acquisition, biometric analysis, and liveness detection (PAD/IAD). The ANSSI Security Visa validates their technical robustness in the market.
- Managed Service Providers: Platform operators managing the logical architecture or the hubs of human operators tasked with the final verification against document fraud.
- In-House Corporate Accounts: Banking institutions, insurance companies, or Digital Asset Service Providers (DASPs/PSAN) developing their own internal KYC workflows to legally benefit from the exemption of complementary customer due diligence measures (AML-CFT).
By obtaining this ANSSI qualification following an evaluation by LSTI, these structures validate immediate regulatory compliance and prepare for interoperability with future European standards (eIDAS, ETSI TS 119 461, EUDI Wallet).
How Does the PVID Assessment Work?
The qualification scheme for Remote Identity Verification Providers (PVID) was launched on April 1, 2021, following the publication by ANSSI of the requirements framework developed jointly with the French Directorate General of the Treasury.
This qualification is issued based on three types of evaluation work:
- Evaluation of the service's compliance.
- Technical and physical tests of service effectiveness regarding the biometric component.
- Effectiveness tests regarding the identity document component (conducted by the state administration).
This assessment verifies the provider's compliance with:
- Contractual, legislative, and regulatory aspects, alongside impartiality.
- Information protection.
- Quality and security requirements of its identity verification processes.
- Competence of its personnel for qualified activities.
- Reliability of the electronic identification means used for acquiring verification data.
The qualification is issued for 2 years by ANSSI, with no surveillance audit required, though it may be subject to ad-hoc ANSSI checks. A full audit is necessary every two years to renew and maintain this qualification.
LSTI and CLR Labs, in association, offer three types of work: conformity assessment (LSTI) and computer and physical evaluation of the effectiveness of the biometric component.
The evaluation process follows a strict regulatory triptych:
- Conformity Requirements Evaluation (by LSTI): An in-depth audit of governance, logical infrastructure security, and business processes. Assessors analyze service documentation, human operator training, risk management, and legal/contractual compliance.
- Biometric Effectiveness Evaluation (in partnership): LSTI collaborates with accredited technical evaluation laboratories (such as CLR Labs). These labs perform extensive automated and physical tests to challenge Presentation Attack Detection (PAD) and Injection Attack Detection (IAD) mechanisms.
- Identity Document Evaluation: Specific effectiveness tests targeting the detection of fraudulent identity documents are conducted in accordance with the framework established by the state administration.
Your Questions about PVID Qualification
-
Can a 100% automated identity verification solution (AI) obtain PVID qualification?
Under ANSSI’s PVID framework, an identity verification solution cannot be 100% automated by artificial intelligence. The framework strictly mandates a hybrid approach. Even if AI (biometrics, automated document analysis, character recognition) handles sorting and initial checks with high precision, the intervention of a human identity verification operator remains indispensable to validate the final file, handle complex fraud alerts, and make the acceptance decision. AI assists human operators to boost productivity but does not legally replace them in this qualification process. -
Why is the PVID mandatory for certain companies?
ANSSI imposes this framework to secure the sectors most vulnerable to identity fraud:
- Banks and Fintechs: Mandatory (Decree 2020-118) to validate the remote opening of a bank or financial account under the AML-CFT (Anti-Money Laundering and Countering the Financing of Terrorism) framework.
- Electronic Signatures: Required by the European eIDAS regulation to remotely issue "Qualified" level electronic signature certificates.
- Digital Identities: Indispensable for creating secure digital identity accounts certified by the State (at Substantial and High levels).
-
What is the difference between a PVID-qualified solution and another identity verification solution?
A qualified PVID offers a security level equivalent to a physical face-to-face identity check at a service counter. Its major advantages are:
- Mandatory Video Feed: Unlike traditional KYC (Know Your Customer) solutions, it is impossible to upload a simple photo (which is frequently falsified). A live video stream is mandatory.
- Systematic Human Verification: Where traditional verification relies 100% on automated AI, PVID enforces a double validation by human operators who are experts in fraud detection.
- Legal Validity in Court: PVID generates an encrypted evidence file that is legally binding and unassailable in a court of law in the event of a dispute or identity theft.
- 100% Sovereign Data: Servers and operators must strictly be located within the European Union.
-
Does PVID qualification exempt entities from complementary customer due diligence measures for AML-CFT (LCB-FT)?
Yes, using a PVID-certified verification solution (whether Substantial or High profile) provides a major regulatory benefit. It exempts regulated entities from complementary customer due diligence measures under Anti-Money Laundering and Countering the Financing of Terrorism (AML-CFT) rules. In accordance with the French Monetary and Financial Code (Art. R. 561-5-2), a PVID-certified workflow is legally recognized as equivalent to a physical face-to-face interaction. This allows banks, insurance firms, and digital asset service providers (DASPs/PSAN) to onboard new clients without having to require, for instance, an initial bank transfer coming from an existing bank account within the European Union. -
How does the PVID v1.1 framework evaluate resistance to deepfakes and video injection attacks?
Given the rise of deepfakes and video injection attacks, the requirements under the PVID v1.1 framework are extremely stringent. During technical evaluations conducted by a specialized biometrics laboratory, auditors test system resilience via Presentation Attack Detection (PAD) using 3D masks, high-definition screens, or falsified documents. Furthermore, the framework demands strict proof of resistance against Injection Attack Detection (IAD), where auditors attempt to bypass the smartphone camera or web browser to directly inject a video stream generated by artificial intelligence. Audited providers must imperatively demonstrate the absolute integrity and impermeability of their video acquisition stream. -
Can a PVID provider outsource the human component (verification operators)?
A provider applying for PVID qualification is fully entitled to outsource the human component (operator verification centers), but this is subject to very strict conditions for which they remain solely responsible. During the evaluation audit, the provider must prove that they impose drastic physical security requirements (access control, ban on mobile phones on the operating floor) and logical security rules (Information Systems Security Policy - ISSP, continuous training on identity document fraud) on their subcontractor. Moreover, due to GDPR obligations concerning the handling of sensitive biometric data, these outsourced centers must justify maximal confidentiality guarantees and are predominantly located within the European Union. -
What types of identity documents is a PVID service authorized to accept?
ANSSI’s PVID v1.1 framework limits acceptable source documents to guarantee reliability equivalent to face-to-face verification. Only secure identity documents or those equipped with an electronic component (passports, national identity cards, residence permits) issued by France, another EU Member State, or a third country exempt from short-stay visas are accepted. This is provided that the issuing country makes available the verification keys necessary to authenticate the chip or document. The assessed service must prove its capability to reject any non-compliant or altered document. -
What do the IAD and PAD biometric tests required by the PVID framework mean?
To obtain PVID qualification, the provider must submit its solution to highly rigorous biometric tests evaluating two specific defense types: PAD and IAD. PAD (Presentation Attack Detection) refers to the system's ability to detect physical "presentation" attacks in front of the camera, such as using 3D masks, printed photos, or displaying a high-definition screen. IAD (Injection Attack Detection) corresponds to the detection of software "injection" attacks. In this case, the fraudster attempts to physically bypass the smartphone camera to directly inject a manipulated or AI-generated video stream (such as a deepfake) into the system. The ANSSI framework requires proven technical resistance against both attack vectors. -
What is LSTI's role regarding biometric testing laboratories within the PVID context?
In the PVID qualification process, LSTI's role (as a Conformity Assessment Body) is to lead and perform the comprehensive organizational, operational, and regulatory audit of the identity verification service. However, the evaluation of pure biometric robustness is not performed directly during this audit. The provider must first have the effectiveness of its detection algorithms (against PAD and IAD attacks) tested by an independent and accredited technical evaluation laboratory. Once the attack tests are executed by this laboratory, the results and effectiveness reports are transmitted directly to LSTI. Our auditors then integrate these scientific results into the global audit to validate the device's technical compliance and issue the final evaluation report destined for ANSSI. -
What is the validity period of the PVID Security Visa and how is it maintained?
PVID qualification, which grants the prestigious ANSSI Security Visa, is issued for an initial duration of 2 years. In parallel, the certified provider is strictly obligated to maintain an active threat intelligence and monitoring process regarding new fraud methods and must immediately report any major vulnerability or substantial modification to its architecture to ANSSI, under penalty of having its trusted qualification status revoked. -
How does the remote identity verification process by a PVID work?
The verification process by a PVID is a secure process, defined by the ANSSI requirements baseline, which takes place in 4 stages:
- Acquisition: The user records a live video of themselves and their identity document.
- Verification: Algorithms and qualified human operators analyse the authenticity of the document and ensure the user's "liveness" (guaranteeing there are no masks or spoofed videos).
- Evidence: An encrypted digital file is created to legally seal all verification stages.
- Verdict: The system returns an immediate "Success" or "Failure" result. The original videos are never transmitted to the client site in order to protect privacy.
Why Choose LSTI?

Recognized expertise
With over twenty years of experience, LSTI supports more than 300 organisations in France and Europe as a benchmark certification body and evaluation centre, operating in the fields of cybersecurity, digital trust, and information security.

Specialized Auditors
Our auditing teams consist of seasoned professionals with deep expertise in ANSSI cybersecurity frameworks, information security management practices, and European digital trust frameworks. Their approach ensures rigorous, balanced evaluations adapted to each organisation's operational context.

Independent Third Party and Dedicated Support
Accredited by ANSSI, LSTI guarantees impartiality, transparency, and consistency throughout the entire cycle: preparation, audits, surveillance, and renewals. A dedicated point of contact ensures continuity and clarity throughout the certification journey.
Find out more
Discover ou other
news



