Proof of Age Standards Scheme – Call for a Proposal, questions and answers

May 10, 2022

We have issued, in collaboration with the Proof of Age Standards Scheme, a call for a proposal to find a solution that will enable interoperability across digital proofs of age provided by multiple approved issuers.  For universal acceptance, a single validation mechanism is going to be required that can be used in any pub, club, supermarket or corner store, regardless of which provider issued the proof of age.

The detailed call for a proposal is hosted on the PASS website here: https://www.pass-scheme.org.uk/

It is also accessible below.

Call-for-a-Proposal-23-May-2022

The deadline is 1800 BST  June 24th 2022.

Below are the answers to questions raised by bidders.  The deadline for submitting questions has now passed.

Executive Summary. Suggests that revenue is only available to the provider for 3 years, e.g. if we charge DPoA £1 per issued they can do it for three years and earn £3. OR is the mention of 3 years purely in relation to the original contract will only be granted for 3 years?

Card Issuers are charged the annual licence fee for the number of cards issued in that year (currently 1st September to 31st August).  The selected provider will collect fees on that basis for three years retrospectively.  Thereafter the contract could be extended.  So, 3 years refers to the length of the contract for the selected supplier; fees could still be levied on a per issued (and not cancelled) card per annum basis in perpetuity.

1.9 – Non PASS accredited issuers are not eligible to be part of this ecosystem at all, ever, OR that this CfP is not designed to cover non PASS accredited issuers? (i.e. non PASS accredited could be part of the scheme)

Any issuer wishing to use the PASS logo will be required to operate as part of PASS.  Other issuers outside the PASS scheme would not be excluded from using the infrastructure, subject to making an equal contribution to its cost.  Those issuers would need to persuade relying parties to accept their digital proof of age without the PASS logo.

I was surprised to see no mention of online in 2.5 – how will Sainsburys expect this to act with their off and online distribution methods?

The scope of PASS is limited to physical environments.  Relying Parties (who will be consulted as part of the selection process) may be attracted to a fully integrated solution that anticipates convergence in the age verification market but this is not a requirement of the call for a proposal.

The CfP refers to section 10, however there is nothing beyond section 6

This section was deleted – apologies the reference was left in error.

What are the timelines for selection and delivery?

We aim to consult stakeholders before August, negotiate commercials over the summer and seek board approval in September.  Implementation will then be dependent on the nature of the solution – it would be helpful to indicate in your response how much time this is likely to require.

Who will be responsible for administering the solution, i.e. adding/removing issuers?

The PASS Scheme will be ultimately responsible for administering the solution for Issuers of PASS Digital Proofs of Age, but may choose to delegate the operational management. PASS or its delegate will confirm to the selected supplier which issuers are appropriately qualified to access the solution.

Is there a requirement to disable individual DPoA holders?

Yes, but note this was an “additional requirement” which will be considered favourably – see 4.3.6 “The solutions MUST allow PASS to authorize and de-authorize providers, allowing and withdrawing access to the validation system, and de-activating any individual DPoA supplied by an Issuer which is no longer authorized.” – this is intended to mean that both an entire Issuer can be de-authorized and an individual card can be de-authorized (either by the Issuer or by the provider of the interoperability solution or both).  In other words, individual cards need to be uniquely identified by at least their issuer.

Does the following need to be logged and stored?

  • Every verification that is performed against a DPoA, and if yes
    • Does that include offline transactions where an internet connection is not available, so it stores the verification and then uploads it once connectivity restored

This is not a requirement – the Call for a Proposal does say that if volume data is collected, it should only be visible to the Issuer – whether it is collected is likely to be determined by the commercial model proposed by the provider.

  • If the merchant suspects/finds fraudulent use of the DPoA does the merchant have/need the ability to send a notification to cancel the DPoA due to misuse, how will this be policed (for example, with physical cards does the merchant have the ability/requirement/expectation to confiscate the card from the user)

This is not a requirement. That does not mean to say it should not form part of a solution.

  • It's not clear whether this is a backend solution only or whether there is a front end customer facing ‘app’ required as well

The intention is for PASS DPoA Issuers to manage the relationships with users (consumers).  We would not require the provider of interoperability to make a DPoA available directly (and see 6.2).

Relying Parties may require an App if that is part of the solution put forward.

  • 4.4.2 states that the solution MUST be built on agreed international standards – Has PASSCO defined the international standards required and can these be shared? Or, does PASSCO want bidders to propose a set of relevant international standards for running national critical infrastructure?

Please note that 4.4.2 is listed under “Additional Requirements” which are explained as: “In addition, additional requirements for the solution this CfP seeks to find which will be considered favourably are:”  (the subsequent use of “MUST” in the requirements which follow in this section is therefore a little misleading for which we apologise)

We are aware of a number of international standards, not all of which are compatible with one another, so have not prescribed any specific standard or standards.  So, yes,  it is the case that bidders are encouraged to propose relevant standards around which their solution would be based.

“Respondents are asked to provide an estimate of the cost to be recovered through a levy, collected from providers by the PASS Scheme, based on the number of DPoAs issued each year, chargeable for 3 years from commencement, by negotiation thereafter.” Is this levy collected by AVPA directly or shall the proposal include a technical mechanism to collect the levy?

There is no requirement to include any financial payments mechanism. Issuers will be invoiced separately.

There is a requirement, under the heading of “Additional Requirements” which will be considered favourably that (4.4.1) The solution MUST monitor the number of DPoA issued by any provider, as this is the basis of charging for participation in the PASS Scheme.

“This standard addressed the physical look of the DPoA and essential security measures.” Shall the proposal include security testing conducted by the technical provider’s third-party security firm partner or will AVPA want to hold the third-party security firm testing and contract independent of the technical provider?

Conformance with PASS standards will be tested, audited and certified by the PASS auditor, the Age Check Certification Scheme. It may be that the technical provider is independently sub-contracted to support the audit process by ACCS.

“The PASS Board has invited the Age Verification Providers Association (AVPA), to facilitate the production of a consensus across all interested stakeholders about a suitable single validation mechanism that would be available, as a PASS Scheme preferred interoperability solution, to all Acceptors so they are able to accept DPoA from all Issuers.” Will the responsibility for finding community consensus across all stakeholders on digital credential schemas and machine readable governance requirements sit with AVPA or the technical provider?

The AVPA and PASS will consult stakeholders including issuers and relying parties when reviewing the proposals received to seek a consensus on the technical solution adopted. Once the approach is agreed, the provider will manage the detailed requirements to deliver the operational scheme.

Shall the proposal address verification mechanisms for each of the following scenarios outlined below?
2.5.1 Face-to-face tills where staff confirm a customer’s age in person
2.5.2 Face-to-face access to goods or services situations where tills or dedicated scanners are not used e.g. pubs, restaurants, gaming, entrance challenges etc.
2.5.3 Self-service tills where currently staff confirm a customer’s age in person, but innovative solutions are now available to replace this with technical mechanisms e.g. facial recognition of customers who have pre-enrolled and already proven their age, or whose age is reliably estimated using facial estimation.
2.5.4 In-aisle purchases where customers scan products as they select them, and are able to pay online without using a till.
2.5.5 Lockers where customers pick-up goods which have been purchased in advance online and are delivered to a central point to await collection. This may be in a range of places e.g. a store, a transport hub or in stand-alone premises
2.5.6 Delivery – grocery delivery with a range of operational models

It is not a requirement to address each of these scenarios. The primary focus of this process is interoperability for DPoA when presented face-to-face by the user to a member of staff (2.5.1 and 2.5.2 above). Relying Parties, who will be consulted on the selection of the solution, have indicated a preference in the longer term to have a single solution across multiple channels, so may be attracted to proposals which offer the possibility of extension to the other scenarios above.

Shall the proposal include an interoperability test harness for auditors to determine issuers' claims of interoperability as referenced here in 4.14?
An Accredited Provider or any DPoA Interoperability Service shall not use the PASS Trade Mark to indicate that their DPoA is compatible with these PASS Technical Requirements unless:…(e) Their approach to interoperability has been audited by the PASSCO auditors to ensure that it is compatible with these PASS Technical Requirements.

This is not a requirement.

Conformance with PASS standards will be tested, audited and certified by the PASS auditor, the Age Check Certification Scheme. It may be that the technical provider is independently sub-contracted to support the audit process by ACCS.

Should this proposal include offline verification capability? “Relying parties MUST not require extensive or expensive new hardware e.g., no more than a smartphone or existing, widely-deployed point-of-sale technology.”

There is a requirement, under the heading of “Additional Requirements” which will be considered favourably that (4.4.6) It may be assumed that Acceptors have access to the internet/phone connectivity. Solutions SHOULD enable offline operations which will be favourably considered, recognising the level of assurance under such a contingency may be reduced.

Regarding infrastructure uptime requirements, it says it must not disrupt the commercial operations for Acceptors for more than 5 minutes. Is this down time of 5 minutes at any one time? Scheduled maintenance? Typically scheduled maintenance is excluded from downtime calculations. Clarification would be helpful.

The objective of this requirement is that age-restricted sales should not come to a halt for more than 5 minutes as a result of the system being down. Sales are made 24/7 so there is no opportunity for the system to be incapable of delivering age verification when undergoing scheduled maintenance (or at most for no more than 5 minutes but this would still create operational issues in stores with customers potentially delaying a purchase until they can prove their age). But it could continue to operate locally without a live interaction with any central system, if a central system is a component of the solution, or through the offline capability described in 4.4.6.

How are the funds collected today? Is the billing a part of the existing issuing technology or does AVPA bill outside of the issuing system? What I’m trying to figure out is if we are going to need to build a technical payment broker or something like that into the system?
“The PASS scheme is a standards body not an operational entity, and its governance function is currently funded through a small commission per card issued).
5.1.1 Issuers pay an annual Membership fee per card issued to PASS, as well as levy to purchase physical PASS Holograms.”

There is no requirement to include any financial payments mechanism. Issuers will be invoiced separately.

There is a requirement, under the heading of “Additional Requirements” which will be considered favourably that (4.4.1) The solution MUST monitor the number of DPoA issued by any provider, as this is the basis of charging for participation in the PASS Scheme.

Section 1.3: Does the solution need to display a digital representation of a physical card?

We would expect Issuers to provide users with Apps which display the digital proof of age in accordance with the requirements of the PASS5 standard. Whether the DPoA needs to be displayed by the interoperability solution is dependent on the approach that solution takes. It may validate the display on the user’s smartphone and not need to replicate it; or it may reproduce the DPoA on the relying party’s technology e.g. POS, tablet, smartphone, till etc. but keep in mind the requirement (4.3.3) Relying parties MUST not require extensive or expensive new hardware e.g., no more than a smartphone or existing, widely-deployed point-of-sale technology.

Section 1.11: “The interoperability solution will be self-funding, with Issuers continuing to make a royalty payment to PASS including an annual contribution to cover the cost of interoperability” Is this a fee per card issued that goes to PASS and a separate annual contribution?

Yes, we expect PASS to continue to charge an annual fee per card issued to fund its governance role, and then a further element of the fee to cover the cost of managing and operating the interoperability solution.

The exact commercial mechanics are expected to be influenced by the technological approach selected so these have not been pre-determined.

Bidders are reminded that the selection of the successful approach will include consultation with present and potential issuers, relying parties, the PASS auditor and its Board and members.
