ISO/IEC 17839-3:2026
Information technology — Biometric System-on-Card — Part 3: Logical information interchange mechanism
This document specifies: logical data structures for a Biometric System-on-Card (BSoC); enrolment procedures; and usage of commands and data structures defined in other International Standards for BSoC. This document does not define requirements for: commands and data structures that apply to devices external to a BSoC; commands and data structures that apply to logical interfaces inside a BSoC.
Technologies de l'information — Système biométrique sur carte — Partie 3: Mécanisme d'échange de l'information logique
General Information
- Status: Published
- Publication Date: 04-May-2026
- Technical Committee: ISO/IEC JTC 1/SC 17 - Cards and security devices for personal identification
- Current Stage: 6060 - International Standard published
- Start Date: 05-May-2026
- Due Date: 02-Aug-2026
- Completion Date: 05-May-2026
Relations
- Effective Date: 05-Aug-2023
Overview
ISO/IEC 17839-3:2026 is an international standard developed by ISO and IEC that specifies the logical information interchange mechanisms for Biometric System-on-Card (BSoC) devices. BSoCs are advanced card-sized devices that integrate biometric capture, processing, storage, and verification functions within the card itself, enabling secure, portable biometric verification. This part of the standard focuses on defining logical data structures, enrolment procedures, and the use of commands and data structures based on existing International Standards, ensuring interoperability and robust information exchange in biometric smart card applications.
Key Topics
Logical Data Structures:
The standard outlines how BSoC capabilities, configuration data, and biometric references are logically structured. This supports efficient data exchange and clear identification of biometric templates stored on the card.
Enrolment Procedures:
Specifies both internal (on-card) and external (off-card) enrolment processes. Internal enrolment leverages the card’s own sensor, while external enrolment imports reference data captured externally, complying with established security policies.
Verification Initiation:
Describes mechanisms for both IFD-initiated (Interface Device) and self-initiated on-card biometric verification, supporting versatile deployment models including standalone and connected card usage.
Feedback and Messaging Mechanisms:
Details how BSoCs communicate progress, errors, and user guidance via feedback messaging, ensuring responsive interaction and a reliable user experience. This includes mechanisms for handling timeouts and state transitions during biometric operations.
Service Discovery:
Enables applications and devices to identify the biometric and security features supported by a BSoC, supporting feature management and device compatibility.
Applications
ISO/IEC 17839-3:2026 is applicable to a wide range of information technology and identity management environments, especially those requiring secure, on-card biometric verification. Some practical applications include:
eID and National ID Cards:
Enables secure personal authentication for government-issued identification cards while protecting biometric data privacy by keeping processing on-card.
Banking and Payment Cards:
Supports the development of biometric payment cards that perform on-card finger or face verification, reducing fraud and improving transaction security.
Access Control Systems:
Enhances facility and logical access cards with on-board biometric verification, offering strong two-factor authentication for secure and high-assurance environments.
Health and Social Security Cards:
Ensures only authorized cardholders can access sensitive health or benefits information on portable cards, improving both privacy and security compliance.
Mobile and Contactless Applications:
Supports deployment of contact and contactless biometric cards that interface smoothly with readers or operate autonomously for various digital authentication scenarios.
Related Standards
ISO/IEC 17839-3:2026 references multiple international standards to ensure interoperability and consistency:
- ISO/IEC 17839-1: Biometric System-on-Card - Core requirements
- ISO/IEC 17839-2: Biometric System-on-Card - Physical characteristics
- ISO/IEC 24787-1: On-card biometric comparison - General principles
- ISO/IEC 2382-37: Information Technology Vocabulary - Biometrics
- ISO/IEC 7816-4, 7816-11: Identification cards - Integrated circuit cards: General data structures, security, and biometric methods
- ISO/IEC 18328-3: ICC-managed devices - Organization, security, and commands for interchange
Practical Value
Implementing ISO/IEC 17839-3:2026 improves the security and privacy of biometric authentication solutions by establishing interoperable mechanisms for logical data exchange. It helps manufacturers, service providers, and system integrators deploy secure and user-friendly biometric card solutions that meet global standards. This not only enables compliance with regulatory requirements but also fosters trust among users and stakeholders in various sectors, including finance, government, healthcare, and enterprise security.
Frequently Asked Questions
ISO/IEC 17839-3:2026 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology — Biometric System-on-Card — Part 3: Logical information interchange mechanism". This standard covers: This document specifies: logical data structures for a Biometric System-on-Card (BSoC); enrolment procedures; and usage of commands and data structures defined in other International Standards for BSoC. This document does not define requirements for: commands and data structures that apply to devices external to a BSoC; commands and data structures that apply to logical interfaces inside a BSoC.
ISO/IEC 17839-3:2026 is classified under the following ICS (International Classification for Standards) categories: 35.240.15 - Identification cards. Chip cards. Biometrics. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 17839-3:2026 has the following relationships with other standards: it has inter-standard links to ISO/IEC 17839-3:2016. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
International Standard
ISO/IEC 17839-3
Second edition
2026-05
Information technology — Biometric System-on-Card — Part 3: Logical information interchange mechanism
Technologies de l'information — Système biométrique sur carte — Partie 3: Mécanisme d'échange de l'information logique
Reference number
© ISO/IEC 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Conformance
6 Logical data structures
6.1 BSoC capability
6.2 Identifying the biometric reference in a BSoC
6.3 Configuration data
6.4 Enrolment procedures
6.4.1 Internal enrolment
6.4.2 External enrolment
6.4.3 Autonomous enrolment
6.5 Initiation of biometric verification
6.5.1 IFD initiated verification
6.5.2 Self-initiated verification
7 Discovery of services
8 Operational sequence
9 Feedback to user from IFD
9.1 General
9.2 Feedback messaging mechanism
9.2.1 General
9.2.2 Feedback message data object
9.3 IFD's behaviour based on output from BSoC
9.3.1 General
9.3.2 Continue
9.3.3 Ignore
9.3.4 Abort
9.4 Time management in BSoC
Annex A (informative) Sample command for verification on BSoC
Annex B (informative) Commands for different biometric-related implementations
Annex C (informative) Examples of self-initiated BSoC activation
Annex D (informative) Examples of command feedback message retrieving
Annex E (informative) State transitions for BSoC time management
Annex F (informative) Examples of autonomous enrolment
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 17, Cards and security devices for personal identification.
This second edition cancels and replaces the first edition (ISO/IEC 17839-3:2016), which has been technically
revised.
The main changes are as follows:
— aligned with ISO/IEC 24787-1:2024;
— improved terms and definitions;
— restructured feedback messaging;
— corrected feedback message format and examples;
— updated all figures;
— updated Annex A and Annex C;
— introduced autonomous enrolment in Annex F.
A list of all parts in the ISO/IEC 17839 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
A Biometric System-on-Card (BSoC) is a portable card-sized device including the following entities:
biometric capture, image/signal processing, storage, comparison, decision and action. The use of a BSoC
with such specifications is subject to an information flow and security mechanisms, which are detailed in
this document.
ISO/IEC 17839-1 describes two types of BSoC. Type ID-1 is a fully flexible card conformant with ISO/IEC 7810.
Type ID-T deviates from some of the requirements of size and flexibility, while keeping the rest of the
requirements intact, including the use of a contactless ICC interface. The logical interface and security
mechanisms are independent of whether the BSoC is of type ID-1 or type ID-T, so the specifications stated in
this document are applicable to both types of BSoC.
The ISO/IEC 17839 series is organized into three separate documents:
— ISO/IEC 17839-1, Biometric System-on-Card — Core requirements
— ISO/IEC 17839-2, Biometric System-on-Card — Physical characteristics
— ISO/IEC 17839-3, Biometric System-on-Card — Logical information interchange mechanism (this document)
International Standard ISO/IEC 17839-3:2026(en)
Information technology — Biometric System-on-Card —
Part 3:
Logical information interchange mechanism
1 Scope
This document specifies:
— logical data structures for a Biometric System-on-Card (BSoC);
— enrolment procedures; and
— usage of commands and data structures defined in other International Standards for BSoC.
This document does not define requirements for:
— commands and data structures that apply to devices external to a BSoC;
— commands and data structures that apply to logical interfaces inside a BSoC.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 2382-37, Information technology — Vocabulary — Part 37: Biometrics
ISO/IEC 7816-4, Identification cards — Integrated circuit cards — Part 4: Organization, security and commands
for interchange
ISO/IEC 7816-11, Identification cards — Integrated circuit cards — Part 11: Personal verification through
biometric methods
ISO/IEC 18328-3, Identification cards — ICC-managed devices — Part 3: Organization, security and commands
for interchange
ISO/IEC 24787-1, Information technology — On-card biometric comparison — Part 1: General principles and
specifications
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 2382-37 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
Biometric System-on-Card
card-sized device including biometric capture, data processing, comparison, decision and action, used to
compose a complete biometric verification system
[SOURCE: ISO/IEC 17839-1:2025, 3.1]
3.2
feedback messaging mechanism
mechanism of informing devices outside of a Biometric System-on-Card (3.1) of detailed error, warning
or progress message complementing the status bytes by using card-originated byte strings defined in
ISO/IEC 7816-4
3.3
on-card biometric comparison
comparison and decision making on the integrated circuit card (ICC) where the biometric reference is
retained on-card in order to enhance security and privacy
[SOURCE: ISO/IEC 24787-1:2024, 3.12]
3.4
decision
process that compares a similarity score to a predefined threshold to decide whether the biometric claim is
from the genuine cardholder or an imposter
[SOURCE: ISO/IEC 24787-1:2024, 3.9]
3.5
action
operation taken according to the results of the biometric decision (3.4)
[SOURCE: ISO/IEC 24787-1:2024, 3.1, modified — Example and Note 1 to entry removed.]
3.6
biometric comparison
algorithmic process to assess the similarity of characteristic features extracted from a current biometric
sample with biometric reference data stored in the card, typically resulting in a score
Note 1 to entry: This definition replaces the definition of comparison in ISO/IEC 2382-37.
3.8
biometric verification
process of confirming a biometric claim through biometric comparison
[SOURCE: ISO/IEC 24787-1:2024, 3.8, modified — Note 1 to entry removed, specified "biometric"
comparison.]
3.9
storage-on-card
system architecture where biometric reference data is stored in an ICC and compared outside of the ICC
used as a portable data carrier
[SOURCE: ISO/IEC 17839-1:2025, 3.2]
4 Abbreviated terms
ACBio Authentication Context for Biometrics (see ISO/IEC 24761)
APDU application protocol data unit
AT control reference template for authentication
ATR answer-to-reset
BER basic encoding rules
BSoC Biometric System-on-Card
CRT control reference template
DF dedicated file
DO BER-TLV data object
DVCP device control parameter
FCI file control information
ICC integrated circuit card
IFD interface device
PBO PERFORM BIOMETRIC OPERATION
PCD proximity coupling device
SW1-SW2 status bytes
SW1 first status byte
SW2 second status byte
TLV tag, length, value
5 Conformance
A BSoC claiming conformance with this document shall conform to all mandatory requirements specified
herein as applicable.
6 Logical data structures
6.1 BSoC capability
BSoC capability should be expressed with a biometric information template DO‘7F60’ specified in
ISO/IEC 24787-1.
6.2 Identifying the biometric reference in a BSoC
An application in a BSoC can know which biometric reference is used in the following ways:
— implicitly;
— commands for a biometric comparison, for example, reference data qualifier in P2 of VERIFY or PBO
command;
— AT (control reference template valid for authentication) in a security environment (see ISO/IEC 7816-4);
— AT in FCI for DF (dedicated file) (see ISO/IEC 7816-4).
6.3 Configuration data
A BSoC may use configuration data for BSoC comparison and decision. Each application may provide its
own configuration data for a biometric reference, as defined in ISO/IEC 24787-1. See ISO/IEC 7816-4 and
ISO/IEC 7816-11 for generic handling of CRTs and biometric information template.
Regardless of individual configuration data, a BSoC shall implement a retry counter as defined in
ISO/IEC 24787-1.
6.4 Enrolment procedures
6.4.1 Internal enrolment
Internal enrolment uses an on-card sensor for capturing biometric data (image or signal). Internal enrolment
processes the captured biometric data and extracts its features. Internal enrolment shall be executed by
using the PBO CAPTURE AND STORE BIOMETRIC REFERENCE or PBO CAPTURE AND UPDATE BIOMETRIC REFERENCE
command (see ISO/IEC 7816-11).
The enrolment may use a single or multiple presentation of the biometric characteristic by the cardholder.
The policy for single or multiple presentation is defined internally by the algorithm and application in the
BSoC and not by command parameters.
The enrolment in a BSoC shall implement a feedback mechanism as specified in Clause 9, which includes
status bytes (SW1-SW2) for the cases specified in Table 1.
Table 1 — Status bytes related to the enrolment of a BSoC
Case | SW1-SW2 | Meaning
Normal processing | ‘90 00’ | Enrolment successful
Warning processing | ‘62 XX’ | State of non-volatile memory is unchanged. XX = ‘02’ to ‘80’: length of the provided feedback data object containing reason for warning (see Clause 9)
Warning processing | ‘63 XX’ | State of non-volatile memory may have changed
State of non-volatile memory is
...



