ISO 30107-3 PAD Explained and iBeta Level 1 vs Level 2 Difference: A Fintech Compliance Guide
In the rapidly evolving landscape of digital identity and financial services, ensuring robust security against fraud is paramount. For compliance engineers in fintech, understanding the nuances of biometric liveness detection standards is no longer optional—it’s a critical requirement. This article will provide a comprehensive overview of ISO 30107-3 PAD explained and iBeta Level 1 vs Level 2 difference, shedding light on the technical specifications and their implications for secure digital onboarding and authentication.
Presentation Attack Detection (PAD) is a crucial component of any biometric system designed to verify a user’s identity. It specifically addresses attempts to spoof a biometric system by presenting a fake biometric sample, such as a photo, video, or mask, to the sensor. The international standard ISO/IEC 30107-3 provides a framework for evaluating the performance of PAD mechanisms.
Understanding ISO/IEC 30107-3 Presentation Attack Detection
ISO/IEC 30107-3 is the international standard that specifies methods for testing and reporting presentation attack detection (PAD) in biometric systems. It defines how to evaluate a system’s ability to detect when a fake biometric sample, known as a Presentation Attack Instrument (PAI), is presented to the biometric capture device. This standard is vital for establishing a common ground for assessing and comparing the effectiveness of different liveness detection solutions.
The standard focuses on attacks that occur at the biometric capture device, meaning it evaluates the system’s resilience against physical or digital artifacts presented to the camera or sensor. It does not, however, cover injection attacks or deepfakes that bypass the camera entirely, which require different detection mechanisms. In 2026, it is increasingly important to distinguish between these attack vectors, as liveness detection, while necessary, is no longer sufficient on its own to counter all forms of sophisticated digital identity fraud.
Key metrics used in PAD evaluations, as mandated by ISO/IEC 30107-3, include:
- Attack Presentation Classification Error Rate (APCER): The proportion of presentation attacks incorrectly classified as bona fide presentations. A lower APCER indicates better attack detection.
- Bona Fide Presentation Classification Error Rate (BPCER): The proportion of bona fide presentations incorrectly classified as presentation attacks. A lower BPCER indicates better usability for legitimate users.
These metrics are crucial for evaluating the balance between security and user experience. A system that is too sensitive might reject legitimate users (high BPCER), while one that is not sensitive enough might be vulnerable to spoofing (high APCER).
iBeta Level 1 vs Level 2 Difference: What Developers Need to Know
iBeta Quality Assurance, an independent testing laboratory accredited by NIST NVLAP, operationalizes the ISO/IEC 30107-3 standard through its progressive conformance levels. While iBeta provides conformance letters, it’s important to note that this indicates the solution’s testing is compliant with the ISO 30107-3 requirements, not a certification of the vendor product itself. Understanding the iBeta Level 2 PAD certification meaning and its distinctions from Level 1 is critical for fintech companies aiming for robust security.
iBeta Level 1 PAD Conformance
iBeta Level 1 PAD conformance focuses on resistance to common, readily available 2D presentation attack instruments (PAIs) under cooperative conditions. These typically involve easily reproducible attacks with low-cost materials. According to iBeta’s methodology, Level 1 artifacts generally cost no more than $30 to create or procure.
Common attack types evaluated at Level 1 include:
- Printed photographs
- Video replays on screens (smartphones, laptops)
- Simple paper masks or cutout masks
For a system to achieve Level 1 conformance, it must demonstrate a 0% APCER, meaning it correctly detects all attempted spoofs, and a BPCER of no more than 15% for genuine presentations. This level simulates consumer-grade threats and ensures a basic level of anti-spoofing capability.
iBeta Level 2 PAD Conformance
iBeta Level 2 PAD conformance addresses more sophisticated or varied PAIs and less predictable capture conditions. This level involves more realistic and complex spoofing attempts, often utilizing higher-quality materials and advanced techniques. Level 2 artifacts have a higher cost limit, typically up to $300, reflecting the increased complexity.
Attack types at iBeta Level 2 often include:
- Silicone masks
- Latex masks
- 3D-printed masks
- Resin masks
- Sophisticated video attacks or 3D animations
To achieve Level 2 conformance, a system must maintain an APCER of no more than 1% and a BPCER of no more than 15%. This demonstrates a higher degree of resilience against more advanced fraud attempts, making it a commonly pursued benchmark for fintech, KYC providers, and banking onboarding applications, as noted by Axonlab.ai in their overview of iBeta certification requirements. You can find more details on the testing requirements and attack types on the Axonlab.ai iBeta Certification Overview.
iBeta Level 3 PAD Conformance
While less common, iBeta also offers Level 3 PAD conformance, which targets high-sophistication attacks using custom, hyper-realistic artifacts and curated test environments. This level involves significant research into presentation attacks and extensive equipment, with no fixed PAI cost limit. The BPCER limit for Level 3 is even stricter, at no more than 10%, reflecting the demand for exceptional accuracy in highly secure environments. More information on iBeta’s testing methodology can be found on their official site: iBeta ISO 30107-3 Presentation Attack Detection Test Methodology.
Liveness Standards for KYC Compliance in Fintech
For neobanks and other fintech entities, adhering to liveness standards for KYC compliance is non-negotiable. Regulations like PSD2 and eIDAS in Europe, FinCEN in the US, and RBI V-CIP in India all emphasize the need for robust identity verification processes that include anti-spoofing measures. While these regulations don’t typically mandate specific iBeta levels, they require systems to effectively prevent fraud and ensure the person presenting themselves is indeed live and real.
ARSA Technology’s ARSA Face Recognition & Liveness API is designed to help organizations meet these stringent compliance obligations. As a cloud-based SaaS solution, it offers enterprise-grade face recognition and liveness detection capabilities that are crucial for secure digital onboarding and authentication. The API features both passive and active liveness detection, with active liveness incorporating head movement challenges to effectively prevent presentation attacks using photos and video replays.
Our API provides a complete identity layer, enabling 1:1 face verification for logins and step-up authentication, and 1:N face recognition against a secure, per-account isolated face database for identification and access control. This isolation ensures data privacy and tenant separation, which is vital for compliance. Developers can integrate the API quickly, with the first API call possible in under 5 minutes, significantly reducing time-to-market for new features like face login.
For more insights into preventing digital identity fraud, you might find our blog post on How to Prevent Deepfake Fraud with Face Liveness Detection in Fintech particularly useful.
APCER BPCER Liveness Metrics Explained
As discussed, APCER and BPCER are fundamental to evaluating liveness detection systems.
- APCER (Attack Presentation Classification Error Rate) quantifies the system’s ability to reject presentation attacks. A low APCER is critical for security, ensuring that fraudsters are consistently denied access.
- BPCER (Bona Fide Presentation Classification Error Rate) measures the system’s accuracy in accepting legitimate users. A low BPCER is essential for a positive user experience, preventing genuine customers from being falsely rejected.
Achieving an optimal balance between these two metrics is the goal of any effective PAD system. The ARSA Face Recognition & Liveness API is engineered to deliver high accuracy, supporting your efforts to minimize both types of errors. Our API also provides detailed confidence scores and structured results for each API call, enabling compliance engineers to monitor and fine-tune their systems effectively.
Beyond presentation attacks, it’s crucial to acknowledge the growing threat of injection attacks and sophisticated deepfakes, which can bypass the camera entirely. While ISO/IEC 30107-3 and iBeta PAD testing focus on presentation attacks, a comprehensive security strategy for 2026 and beyond must also consider these advanced threats. ARSA Technology is continuously researching and developing solutions to combat the evolving landscape of digital fraud.
Building a Secure Future with ARSA Face Recognition & Liveness API
For compliance engineers tasked with building secure and compliant digital identity solutions, choosing the right technology partner is paramount. The ARSA Face Recognition & Liveness API offers a powerful, scalable, and privacy-focused solution for integrating advanced biometric capabilities into your applications. With features like active and passive liveness detection, age and gender estimation, expression detection, and robust face database management, it provides the tools necessary to combat presentation attacks effectively.
Our flexible pricing plans, from a free trial (100 calls/month, 100 face IDs) to enterprise-grade Mega plans (500,000 calls/month, 500,000 face IDs) at $1,290/month, ensure that you only pay for what you use, without the burden of managing complex infrastructure. All features are included across every plan, providing full functionality regardless of scale. You can explore our Face API pricing plans and Face Recognition API documentation for more details.
The ability to launch face login in days, not months, and meet critical KYC and AML obligations under frameworks like PSD2, eIDAS, FinCEN, and RBI V-CIP, translates directly into significant business outcomes and ROI. By leveraging ARSA’s proven technology, neobanks can enhance security, streamline user onboarding, and build trust with their customers.
To experience the power of ARSA’s liveness detection and face recognition capabilities, we invite you to create a free Face API account. With a 30-day free trial and no credit card required, you can immediately begin integrating and testing our API to see how it can fortify your digital identity processes. For custom requirements or to discuss how ARSA can support your unique compliance needs, please contact ARSA solutions team.
—
FAQ
What is ISO IEC 30107-3 presentation attack detection?
ISO/IEC 30107-3 is an international standard that defines the framework and methodology for testing and reporting how effectively a biometric system can detect presentation attacks (spoofing attempts) using fake biometric samples like photos, videos, or masks. It helps evaluate the system’s resilience against such fraud at the sensor level.
What does iBeta Level 2 PAD certification meaning imply for fintech?
iBeta Level 2 PAD conformance indicates that a biometric liveness detection system has demonstrated resilience against more sophisticated 3D presentation attacks, such as those involving silicone or 3D-printed masks. For fintech, this means the system is better equipped to prevent advanced spoofing attempts during digital onboarding and authentication, helping to meet stringent KYC and AML compliance requirements.
How are APCER BPCER liveness metrics explained in practice?
APCER (Attack Presentation Classification Error Rate) measures how often a presentation attack is mistakenly accepted as a genuine user, while BPCER (Bona Fide Presentation Classification Error Rate) measures how often a legitimate user is mistakenly rejected as a fraudster. In practice, a robust liveness detection system aims for low values in both metrics to ensure strong security without hindering user experience.
Why are liveness standards for KYC compliance crucial in 2026?
Liveness standards for KYC compliance are crucial in 2026 because digital identity fraud is becoming increasingly sophisticated. While presentation-attack detection (PAD) addresses common spoofing, the rise of injection attacks and deepfakes that bypass the camera necessitates a multi-layered security approach. Adhering to recognized liveness standards ensures a foundational defense against prevalent fraud methods, complementing broader anti-fraud strategies.
Stop Guessing, Start Optimizing.
Discover how ARSA Technology drives profit through intelligent systems.


