FAQs | Changes to the DVS

1. Commonwealth electoral roll changes

The Commonwealth Electoral Roll will become available via the Document Verification Service (DVS) from June 2022. The existing Electoral Roll hosted by Equifax will still be available until early 2023 so preparations for migrations will begin in July 2022 in consultation with the restricted list of customers that have access to this data source. If you are affected please contact your Equifax Account Manager.

How will the electoral roll moving to the DVS benefit me?

Faster updates and real time data! The Commonwealth electoral roll moving to the DVS will mean updates to the Commonwealth electoral roll information will be available in real time, as opposed to being updated each quarter. Equifax will no longer receive quarterly updates directly from the AEC, which capture changes made to the Commonwealth electoral roll in the previous 3 months. Instead, Commonwealth electoral roll information will be matched against the AEC data source via DVS in real time. 

How will I be affected?

Equifax recommends you review your profile configuration to understand the potential impacts to your business. Areas for consideration can include:

• What is your verification rule?
• What data sources do you currently use?
• How do the data sources you use contribute to your verification rule?

The Commonwealth electoral roll move to the DVS will result in exact matching on name, DOB and some components of address. This may lead to a decrease in dataset match rates.

IDMatrix currently utilises ‘fuzzy’ matching for the Commonwealth electoral roll. Unlike exact matching, which requires information provided to exactly match the data source, fuzzy matching balances the need to allow for natural variations in data within verification sources, with the need to verify an individual’s identity to a high degree of confidence.

When will the technical specifications and test data be available?

The DVS match specifications for the Commonwealth electoral roll are now available in the DVS portal and if you do not have access to the portal you can contact Equifax.

Will the Historical Electoral Roll also move to the DVS?

No.

How do customers complete the 'Reason for Access Request' section on the declaration form?

This section should include a brief description of what the organisation does, what AML/CTF or FTR obligations the customer has, and how the Electoral Roll will help meet these obligations.  Including the AFSL number will assist DVS in processing the form quicker.

2. Driver Licence Card Number

What is changing?

The card number on a driver licence (DL) is now a mandatory verification field for NSW, ACT, SA, TAS, NT, WA and QLD issued licences. From 19 December 2022 the card number for all Victorian driver licences will become a mandatory field for verification purposes.

Card number is a unique identifier which is updated each time a driver's licence is issued. Including card number in the matching criteria ensures that the document being presented is the most recently issued document and this will minimise the risk of identity theft using a stolen or lost DL. This is particularly relevant for those affected by the Optus breach.

I have read everything below and I still have questions. How else can I get more information?

Please register for a Q&A session here.

When do I need to be ready?

The table below provides a summary of the current status in each state and what it means for you, and we will continue to provide updates as they become available.

How will I know which Victorian driver licences will have a verifiable card number?

VicRoads has started issuing redesigned driver licences which have better visibility of the card number. Over 900,000 new driver licences have been issued for individuals impacted in the Optus data breach, and the cards are in the process of being delivered. Individuals that are yet to receive those cards have been temporarily issued an address label sticker with the new card number on it. VicRoads plans on replacing all the old cards in circulation in 2023 so this means that for verification, DVS will only be able to verify the card number on the new driver licences. If a card number is provided for an individual that still has an old driver licence then DVS will ignore the card number.

There are two changes in relation to this:

• For the new card design please refer to the DVS Driver Licences specification document in the Equifax Developer Centre.
• A sample of the change of address label is shown below. The address label is a temporary measure for individuals whose new driver licences have been issued but not yet delivered by VicRoads. 

Samples of Driver licence:

Is there any workaround if our customers are unable to read the card number on the old driver licence?

The previous Victorian driver licence has a Card Number that is not always readable, and in such instances DVS has recommended that you provide a dummy number which is 8 alphanumeric characters, for example, “A0000000”. This allows the request to pass the mandatory check, and DVS will not include the card number during verification for the old cards only.

When will the technical specifications and test data be available?

The technical specifications and test data are already available in the Equifax Developer Centre. You can request access here if you need to. Once you login you can also download the DVS Match Specifications document for reference to each state's card number length, format and data type.

Where is the card number located? Is it the same for all jurisdictions?

The location of the card number field differs between jurisdictions, and for NT driver licences, it can differ depending on the issuing date. For driver licence image samples, refer to Attachment B in the DVS match specifications - driver licences document in the Equifax Developer Centre.

Are there any Driver Licence cards without a card number based on print or issue date?

All active and not expired cards for all states have a card number printed on them and that card number can be verified via the DVS.

Is the card number different to a licence number?

Yes. Licence Number is an existing field and is already mandatory. Card Number was never used for verification and will now be used, based on each State’s timeline. With this change customers will need to provide both the Licence Number and Card Number along with the other mandatory driver licence details. The licence number identifies the individual while the card number is used to verify that it is the latest card.

How does the card number change apply to lost and stolen driver licences?

The enforcement of the driver licence card number as a mandatory field will ensure that driver licences with a card status of lost or stolen will not verify via the DVS and only the most recently issued card will verify.

If we do not send the card number for mandatory states, would that verification request be rejected by IDMatrix or do you still send it to DVS?

IDMatrix will reject the document request and return the following error message in the Service Result Detail section; 'Request missing mandatory value: driversLicence.cardNumber'. Such document requests will therefore not be sent to the DVS. More details of the error can be found in the API Connectivity Guide which can be found in the Equifax Developer Centre.

Will the card number be included in Digital Driver Licences?

NSW digital driver licences already include the card number. SA is in the process of adding the card number to the SA digital licence and we have not received any timelines yet. QLD is in th process of rolling out a digital licence and it will include the card number.

Is there a user interface best practice we can use to implement the change?

Equifax recommends a user interface with enough flexibility to cater for jurisdictional differences. 

One approach is to have a drop down menu for individuals to select the issuing state, and based on the selection, to provide a customised set of data fields. For example, if Victoria is selected, then the card number field may either not be shown or will be optional (for future use). 

If NSW is selected, then the card number field may be made mandatory before a customer can proceed further with the application.

Due to the jurisdictional nuances, providing a visual cue for customers will also help ensure that the correct information is provided. Common errors include:

• Not capturing the name as it appears on the document
• Providing the card number in the licence number field.

What response should we expect if the card number provided does not match the DVS record?

You will get the same Fail response you currently get if any of the driver licence fields do not match.

If an individual requests a replacement or renewal, is there any time lapse before the new card number is verifiable?

In the majority of cases, the updates are done near real time as soon as the new card is issued. The DVS manager is working with all the jurisdictions to determine the business rules to cater for any edge cases, and that information might be included by the DVS in the Expanded Response Fields.

3. Credential Protection Register (CPR)

Home Affairs High have enabled risk documents to be added to the Credential Protection Register in order to block the document from being used for identity verification via the DVS.

What document types have been added to the CPR?

Please refer to your internal business and operational policies. Some of the common options that other businesses are considering include seeking alternate documents from the individual or to undertake additional identity proofing measures.

Currently what documents does the CPR hold? What is the roll out plan?

The Credential Protection Register (CPR) currently contains Australian and New Zealand Passports but is available for all document issuers to add their documents to. We will advise users if and when any other documents are added to the CPR.

Does it contain all Optus data breached customers ID details as well as other breaches? 

DVS has obtained breached data due to the Optus cyberattack and is working with the document issuers and the organisations that have been subject to other breaches and will add any compromised documents to the register at their direction.

Can you confirm the total volume of documents in CPR? 

DVS is unable to disclose the number of documents that have been added to the CPR. This information may be released by the relevant document issuers at their own discretion.

Does this protect overseas documents that were leaked?

No, the CPR only protects documents that are verifiable via the DVS. In the case of the New Zealand Passports, this is to prevent verification of the Australian Visas for these individuals
 

4. MAPS (Malicious Activity Prevention Solution)

The Expanded Response change also introduces MAPS (Malicious Activity Prevention Solution) which will monitor repeated verification attempts from the same User Originating Agency Code (OAC) against a particular identification document. Once the number of attempts reaches a set threshold for that document, the OAC will be unable to process any further attempts of that particular document. If further attempts to process this document are made after this point, the user will receive an ‘N’ or ‘not matched’ response, and will be advised that they have been locked out via the Expanded Responses functionality. This lockout will be temporary for a period of 20 minutes. It will not prevent users from being able to verify other identity documents, including documents of the same type; they will only be locked out for that individual document.

When will customers start receiving MAPS information in the additional response field?

Q3 2022.

How are the attempts counted?

Each transaction submitted to the DVS Hub is securely logged using a hash value consisting of the document number and the OAC of the user. The number of attempts is counted using these logs within a rolling 30 minute window, and once the number of attempts has reached the set threshold for that document type, the user will be locked out from reattempting that specific identity document.

What are thresholds for each document?

The thresholds that apply before a user is locked out for each document type are listed below:

How long will a document be locked out for?

The lockout will be a rolling 20 minute period and will commence from the last recorded verification attempt. This means that if a user has triggered a lockout, any further attempts during the window may start another 20 minute lockout period.

Once locked out will I be locked out from verifying other documents?

No, users will be able to continue verifying other documents. Only the specific identity document that triggered the lockout will be prevented from further verification attempts. For example, if an individual triggers a lockout attempting to verify their driver Licence, they will still be able to verify other identity documents (e.g. Passport or Medicare card) similarly, lockouts will not be applied to any other individuals attempting to verify their driver licences through the same OAC.

What response will I see if I get locked out?

The DVS will return an ‘N’ or “not matched” response when the threshold has been reached and the user has been locked out. DVS will also return the failure reason “Document Temporarily locked”.

I’ve been locked out, what should I do?

A user can reattempt to verify the document after the 20 minute lockout period, however, any attempt made within this period may restart the lockout window from their last attempt. If you have any questions or concerns please contact the DVS Manager, dvs.manager@homeaffairs.gov.au.

5. DVS expanded response field

How will the additional response field information benefit me?

You will receive more information in the response field for each data set source.  Today, additional information is only available for unsuccessful DVS verification resulting from a data validation error, which happens when the data provided does not meet the specified field requirements.

The expanded response field will help teams identify and address the root cause of failures faster as it will include failed verification reasons from the document issuer, where the data provided did not match the information available. The additional information will be returned as part of the Document Verification Service (DVS) result codes for verification transactions across all DVS data sources. 

You may choose to use this additional information to support your analytics, such as diagnosing ‘fail’ transaction results and when optimising verification pass rates. The additional response information returned will provide more detailed information for unsuccessful document verification transactions. This will be particularly useful if you are also implementing the driver licence card number change. 

How will I be affected?

Given additional data will be sent through in the dataset response fields, the first thing you will need to do is check if you are currently using the response field and identify any subsequent rules and decisioning in your system.  This will allow you to assess if there is any impact from the additional data coming through and provide insight into how you may want to use the new data available to you.

When will I start receiving additional response field information?

The additional response field information was released into production on 23 January, 2022. The DVS has now started providing the information as of the end of Q3 2022.