ISO/TC 292/WG 4 - Authenticity, integrity and trust for products and documents

This document gives guidance on how to secure physical documents for specifying entities of physical documents. It establishes a procedure for security design, which includes: — risk assessment; — determination of document classes; — introduction of security features; — security evaluation; — document risk mitigation. This document is applicable to secure physical documents that are used for important actions such as validating value transactions, providing access, demonstrating compliance and securing products. This document does not apply to banknotes, machine-readable travel documents, driving licences, postage stamps, tax stamps, health cards or national identity cards covered by existing standards and regulations.

This document establishes a framework for a trustworthy environment for information processing and communication that protects integrity along the supply chain of physical and related electronic documents, products, software and services life cycle to mitigate product fraud and counterfeit goods, by using object identification techniques. This document gives guidelines to establish a framework for ensuring trust, interoperability and interoperation via secure and reliable electronically signed encoded data set (ESEDS) schemes for multi-actor applications which are even applicable in multi-sector environment. This document does not interfere with existing traceability and identification and authentication systems but is able to support interoperations between them by introducing an ESEDS scheme.

This document specifies a process to qualify the suitability, reliability and effectiveness of artefact metrics as well as artefact metric recognition principles for identification and verification. The artefact metric recognition described in this document can be used to identify or verify artefacts using one or more measurements of their characteristics, each of which is unique to an individual artefact and is supposedly impossible to reproduce. This document is applicable to artefact metrics throughout the life cycle processes of products. Measurement of the resilience of the system where the distinguishing characteristic is degraded is out of the scope of this document. This document is applicable to performance testing of artefact metric systems and algorithms through analysis of the comparison scores and decisions output by the system, without requiring detailed knowledge of the system’s algorithms or of the underlying distribution of characteristics in the objects of interest. This document excludes performance testing where deliberate attacks undermine the artefact metric system.

This document gives guidelines for assessing product security-related threats, risks and countermeasures by developing a suitable protection plan, supporting its implementation and monitoring its effectiveness after implementation. This includes consideration of impacts and modifications to, for example, product life cycle, supply chain, manufacturing, data management, brand perception and costs so as to adapt the protection plan accordingly. This document is applicable to all types and sizes of organizations that want to ensure authenticity and integrity in order to support the trustworthiness of products, including documents, data and services related to products. This document supports organizations setting up a process to assess risks and to select and combine individual measures for developing a product protection plan.

This document gives guidelines for the content, security, issuance and examination of physical tax stamps and marks used to indicate that the required excise duty or other applicable taxes identified with an item have been paid and to signify that the item is legitimately on the intended market. Specifically, this document gives guidance on: — defining the functions of a tax stamp; — identifying and consulting with stakeholders; — planning the procurement process and selection of suppliers; — the design and construction of tax stamps; — the overt and covert security features that provide protection of the tax stamp; — the finishing and application processes for the tax stamp; — security of the tax stamp supply chain; — serialization and unique identifier (UID) codes for tax stamps; — examination of tax stamps; — monitoring and assessing tax stamp performance. This document is applicable only to tax stamps that are physical in nature and apparent to the human senses of sight (with the aid of a revealing tool if necessary) or touch, applied to a consumer good or its packaging and which allow material authentication. When the term "authentication" is used in this document, it refers only to the authentication of the tax stamp, not to the product on which the tax stamp is affixed. This document does not apply to systems or procedures that an issuing authority has in place to control and monitor its excise revenue collection, except by reference to them where they have an impact on the design or specification of tax stamps.

This document gives guidelines for establishing interoperability among independently functioning product identification and related authentication systems, as described in ISO 16678. The permanent transfer of data from one system to another is out of the scope of this document. It also gives guidance on how to specify an environment open to existing or new methods of identification and authentication of objects, and which is accessible for legacy systems that may need to remain active. It is applicable to any industry, stakeholder or user group requiring object identification and authentication systems. It can be used on a global scale, or in limited environments. This document supports those involved in planning and establishing interoperation.

This document establishes general principles for an organization to identify the risks related to various types of product fraud and product fraudsters. It provides guidance on how organizations can establish strategic, business countermeasures to prevent or reduce any harm, tangible or intangible loss and cost from such fraudulent attacks in a cost-effective manner. This document is applicable to all organizations regardless of type, size or nature, whether private or public sector. The guidance can be adapted to the needs, objectives, resources and constraints of the organization. This document is intended to promote common understanding in the field of product-related fraud risk and its countermeasures.