ePhilID Verification: Accept Digital PhilSys IDs
The ePhilID is the digital version of the PhilSys National ID, delivered through the PhilSys mobile app or as a downloadable document with a dynamic QR code. Philippine businesses can verify ePhilIDs by parsing the QR code and authenticating the embedded data against the PhilSys system. Verihubs reads and verifies ePhilID QR codes as part of its automated KYC pipeline, enabling fully remote onboarding without requiring a physical card.
What Is ePhilID?
The ePhilID is not a separate ID. It is the same PhilSys identity record delivered in digital format instead of a physical polycarbonate card. The Philippine Statistics Authority (PSA) introduced it to address a practical problem: millions of Filipinos completed PhilSys registration but had not yet received their physical cards due to production and distribution backlogs.
Rather than leave those registrants without a usable government ID, PSA made the ePhilID available through the PhilSys Check mobile app and as a printable digital document. The ePhilID contains the same data fields as the physical card: full name, date of birth, address, photograph, and PhilSys Card Number (PCN). The key difference is the verification mechanism: instead of holograms and a machine-readable zone, the ePhilID uses a dynamic QR code for authentication.
For Philippine businesses, this matters because a growing share of KYC applicants now present the ePhilID instead of a physical card. According to PSA registration data, over 90 million Filipinos are enrolled in PhilSys, but physical card distribution has lagged behind registration. The ePhilID fills the gap. Businesses that cannot accept and verify it are turning away legitimate applicants.
ePhilID vs Physical PhilID
The two formats carry identical identity data, but the verification workflow for each is fundamentally different. Treating them the same in your KYC system is a common mistake.
| Attribute | Physical PhilID | ePhilID |
|---|---|---|
| Delivery format | Polycarbonate card | Mobile app display or printable document |
| Photograph | Laser-engraved on card | Digital image embedded in QR payload |
| Verification method | OCR + MRZ reading + visual inspection | QR code parsing + cryptographic authentication |
| Security features | Hologram, laser engraving, UV elements, static QR | Dynamic QR code with digital signature |
| Fraud vector | Physical forgery, printed replicas | QR screenshot reuse, tampered QR images |
| BSP Circular 1170 status | Primary CDD document | Primary CDD document |
| Best verification approach | OCR + government database check | QR parsing + signature validation + government check |
The critical takeaway: you cannot OCR-scan an ePhilID the same way you scan a physical card. The ePhilID’s data lives inside the QR code, not printed as readable text on a card surface. A verification system that only supports traditional OCR will fail on ePhilID submissions entirely.
How ePhilID QR Verification Works
The ePhilID’s QR code is not a simple URL or text string. It is a cryptographically signed data package containing the cardholder’s identity information. Verification works in three stages.
Stage 1: QR Code Capture and Decoding
The user presents their ePhilID, either on their phone screen or as a printed document. The verifying system’s camera or scanner captures the QR code and decodes the embedded data payload. This payload includes the cardholder’s name, date of birth, address, PCN, and a photograph.
Stage 2: Digital Signature Authentication
The QR data includes a digital signature issued by PSA. The verification system checks this signature against PSA’s public key to confirm the QR code was generated by the legitimate PhilSys system and has not been tampered with. If the signature does not validate, the ePhilID is rejected as potentially forged or altered.
Stage 3: Government Database Cross-Check
Even with a valid signature, best practice is to verify the extracted PCN against the PhilSys government database. This confirms the record is active (not deactivated due to loss or fraud report) and that the demographic data matches current records. An ePhilID with a valid signature but a deactivated PCN should trigger a fraud flag.
Ironically, the ePhilID’s digital nature makes it both easier and harder to verify than the physical card. Easier because the data is structured and machine-readable from the start, no OCR interpretation needed. Harder because the verification system must handle cryptographic validation, which is a different technical capability than image processing.
BSP Circular 1170 and ePhilID Acceptance
BSP KYC requirements under Circular 1170 explicitly recognize the ePhilID as a primary Customer Due Diligence document, equivalent in regulatory standing to the physical PhilID card. This means banks, fintechs, and other BSP-supervised institutions can accept the ePhilID as the sole identity document for account opening across all three CDD tiers: Simplified, Standard, and Enhanced.
But acceptance alone is not compliance. Circular 1170 also requires that institutions verify the authenticity of digital identity documents through technological means. For the ePhilID, that means QR code authentication and, where applicable, a liveness check to confirm the person presenting the ePhilID is the actual registrant.
A business that accepts an ePhilID screenshot at face value without verifying the QR signature or checking the PCN against the government database is technically non-compliant, even if the ePhilID itself is genuine. The regulation requires verification, not just acceptance.
Security Threats in ePhilID Verification
The ePhilID introduces fraud vectors that do not exist with physical cards. Understanding them is the first step to blocking them.
QR Code Screenshot Reuse
A fraudster obtains someone else’s ePhilID screenshot (through social engineering, data breach, or simply photographing someone’s phone screen) and presents it as their own. Without a liveness check pairing the ePhilID to the presenter’s face, the system cannot distinguish the legitimate holder from the impersonator.
Tampered QR Images
More sophisticated attackers generate a QR code containing fabricated identity data, formatted to look like a legitimate ePhilID. The digital signature validation step catches this: a QR code not signed by PSA’s key will fail authentication.
Expired or Deactivated ePhilIDs
An ePhilID linked to a deactivated PCN (reported lost, stolen, or flagged for fraud) may still display correctly on a phone screen. Only a real-time government database check reveals the deactivation.
The defense is layered: QR parsing plus signature validation plus database check plus liveness detection. Remove any layer, and a gap opens.
How to Integrate ePhilID Verification Into Digital Onboarding
For businesses building or updating their onboarding systems, here is the practical integration path for ePhilID support.
Step 1: Detect Document Type
Your system should automatically distinguish between a physical PhilID scan and an ePhilID QR code. The presence of a QR code filling most of the capture frame (rather than a card with printed text) is the signal to switch to QR verification mode.
Step 2: Parse QR and Validate Signature
Decode the QR payload, extract identity fields, and authenticate the digital signature. This step requires integration with PSA’s public key infrastructure or a verification service that handles this layer.
Step 3: Cross-Check Against Government Database
Validate the extracted PCN against the PhilSys system. Confirm active status and data consistency.
Step 4: Liveness Detection and Face Match
Capture a live selfie from the applicant and compare it against the photograph embedded in the QR data. This confirms the presenter is the registered identity holder, closing the gap that screenshot reuse attacks exploit.
Step 5: Maintain an Audit Trail
Log every verification step with timestamps, including the raw QR data (minus the photo, for privacy), the signature validation result, the database check result, and the face match confidence score. BSP Circular 1170 requires institutions to maintain complete CDD records.
How Verihubs Verifies ePhilID QR Codes
Verihubs supports ePhilID verification as a native capability within its eKYC Philippines pipeline. The system handles the entire workflow described above through a single API integration.
When an applicant presents an ePhilID, the Verihubs SDK detects the QR code, parses the embedded data, validates the digital signature, and checks the PCN against the government database. Simultaneously, the liveness detection module captures and verifies the presenter’s identity against the QR-embedded photograph.
The entire flow completes in under three seconds. No separate tools for QR reading, signature checking, and face matching. No manual fallback for ePhilID submissions. The same API endpoint that handles physical PhilSys National ID verification also handles ePhilID, with automatic document type detection.
For businesses already using Verihubs for physical ID verification, adding ePhilID support requires zero additional integration. The SDK update handles both formats transparently, and the API response schema remains identical regardless of whether the input was a card scan or a QR code.
Frequently Asked Questions About ePhilID Verification
Is the ePhilID a valid government ID in the Philippines?
Yes. The ePhilID carries the same legal standing as the physical PhilID card under Republic Act 11055 (PhilSys Act). BSP Circular 1170 recognizes it as a primary CDD document for financial institution KYC, equivalent to the physical card for all due diligence tiers.
How do I get my ePhilID?
Registered Filipinos can access their ePhilID through the PhilSys Check mobile app (available on Android and iOS) or by requesting a digital copy through PSA-authorized channels. The ePhilID becomes available once PhilSys registration is complete and the record is validated.
Can businesses tell if an ePhilID QR code has been tampered with?
Yes. The ePhilID QR code contains a digital signature issued by PSA. Verification systems check this signature against PSA’s public key. A tampered QR code will fail signature validation, flagging it as potentially fraudulent before any identity data is accepted.
What is the difference between the QR code on a physical PhilID and the ePhilID QR?
The physical PhilID has a static QR code that encodes limited data (typically the PCN). The ePhilID uses a dynamic QR code containing the full identity record, including a photograph, and is protected by a digital signature. The ePhilID QR carries more data and stronger authentication.
Can someone use a screenshot of my ePhilID for fraud?
Without liveness detection, yes. A screenshot of an ePhilID displayed on a phone screen can be presented as if it belongs to the fraudster. Businesses should always pair ePhilID QR verification with a liveness check that confirms the presenter matches the photograph in the QR data.
Does ePhilID verification work offline?
QR code parsing and signature validation can theoretically work offline if the PSA public key is cached locally. But the government database cross-check and liveness detection require an active internet connection. For full verification, connectivity is required.
Why ePhilID Verification Matters for Philippine Digital Onboarding
Physical card production and distribution will always lag behind registration. The ePhilID solves this by making verified identity available instantly through a mobile device. For businesses, the question is no longer whether to support ePhilID. It is whether your verification system can handle the QR-based workflow that digital IDs demand.
The businesses that adapted early gained a measurable onboarding advantage: they could accept applicants who carried only an ePhilID while competitors turned them away. As ePhilID adoption grows, that advantage compounds.
Ready to add ePhilID verification to your onboarding flow? Talk to Verihubs about integrating QR-based identity verification into your existing KYC pipeline.
