PhilSys Number: PSN vs PCN Guide for Business KYC
The PhilSys ecosystem uses two distinct numbers: the PhilSys Number (PSN), a confidential 12-digit identifier assigned to each registrant, and the PhilSys Card Number (PCN), the public-facing identifier printed on the PhilID card. Businesses should only collect and use the PCN for verification. The PSN is protected under RA 11055 and must never be stored or shared. Verihubs Government Check uses the PCN for fast, privacy-compliant PhilSys verification.
What Is the PhilSys Number (PSN)
The PhilSys Number is a permanent, unique 12-digit number assigned to every individual registered in the Philippine Identification System. Think of it as the master key to a person’s identity record in the national database. Once assigned, the PSN does not change, even if the cardholder updates their name, address, or other personal details.
The PSN is tied directly to the biometric and demographic data collected during PhilSys registration: fingerprints, iris scans, facial photograph, full name, date of birth, blood type, and address. It is the identifier that connects all of this data in the PSA central registry.
Here is what makes the PSN different from other ID numbers in the Philippines: it is classified as sensitive personal information under RA 11055 (the Philippine Identification System Act). The law explicitly restricts who can access, collect, and use the PSN. This restriction is not a guideline. It is a legal mandate with penalties for violations.
What Is the PhilSys Card Number (PCN)
The PhilSys Card Number is a separate, 16-character alphanumeric identifier printed on the physical PhilID card and encoded in the ePhilID QR code. Unlike the PSN, the PCN is designed for everyday use. It is the number that businesses, government agencies, and service providers interact with during identity verification.
The PCN functions as a reference number that links back to the cardholder’s record in the PhilSys database without exposing the underlying PSN. When a business submits a PCN for verification, the system confirms whether the PCN is valid and active and returns the associated demographic data, all without revealing the PSN.
An easy analogy: the PSN is like a bank account number that should be kept private. The PCN is like a reference number on a bank statement that can be shared with third parties for transaction verification. Both point to the same account, but only one is meant for external use.
PSN vs PCN Key Differences and Business Use Cases
| Attribute | PhilSys Number (PSN) | PhilSys Card Number (PCN) |
|---|---|---|
| Format | 12 digits (numeric) | 16 alphanumeric characters |
| Printed on PhilID card | No (not visible on card) | Yes (printed on card front) |
| Encoded in ePhilID QR | No | Yes |
| Privacy classification | Sensitive personal information (RA 11055) | Public-facing identifier |
| Can businesses collect it? | No (restricted by law) | Yes |
| Can businesses store it? | No | Yes, subject to data privacy compliance |
| Used for verification | Internal to PSA systems only | Yes, via verification API or portal |
| Permanence | Lifetime (never changes) | Changes if card is replaced |
The critical distinction for businesses: you interact with the PCN, never the PSN. If your KYC form asks for a “PhilSys Number” and the applicant enters their PSN, your system should not store it. Collecting the PSN without authorization violates RA 11055 and can trigger penalties from the Philippine Statistics Authority and the National Privacy Commission.
Why the PSN Is Confidential Under RA 11055
RA 11055 (Philippine Identification System Act) contains specific provisions that restrict PSN access. The law is unusually explicit compared to other Philippine data privacy legislation.
Section 10: Confidentiality of the PSN. The PSN shall be kept confidential and shall not be used as a means of identification or verification of the cardholder’s identity without the cardholder’s consent. Even with consent, access is limited to specific use cases defined by law.
Section 20: Unauthorized collection or use. Any person who collects, stores, or uses the PSN without proper authorization faces imprisonment of three to six years and fines ranging from PHP 500,000 to PHP 4,000,000. These are not administrative penalties. They are criminal sanctions.
Ironically, many Philippine businesses are not aware of this distinction. They build KYC forms that ask for “PhilSys Number” without clarifying whether they mean the PSN or the PCN. If applicants enter their PSN (which some may obtain from their registration confirmation), the business is now in possession of restricted data it is not authorized to hold.
The solution is design-level clarity. KYC forms should ask for the “PhilSys Card Number (PCN)” explicitly, with a visual guide showing where the PCN appears on the physical card. This prevents accidental PSN collection and keeps the business on the right side of RA 11055.
How Businesses Verify Identity Using the PCN
The PCN is the key that unlocks PhilSys verification for businesses. The verification workflow is straightforward.
Step 1: Obtain the PCN. The PCN is either extracted from the physical PhilID card via OCR (it is printed on the card front) or parsed from the ePhilID QR code. The applicant does not need to type it manually.
Step 2: Submit the PCN for verification. The PCN is sent to a verification service (PSA portal or API) that checks it against the PhilSys database. The system confirms whether the PCN is valid, active, and returns the associated demographic data: name, date of birth, and address.
Step 3: Cross-validate extracted data. Compare the demographic data returned by the database against the data extracted from the card via OCR. If the name and date of birth match, the document and the database record are consistent. Mismatches flag potential fraud or data entry errors during the original PhilSys registration.
Step 4: Biometric confirmation. Pair the database verification with a face match and liveness check to confirm the person presenting the PhilID is the registered cardholder. This step is required for BSP KYC requirements under Circular 1170.
Common PSN and PCN Mistakes Businesses Make
Collecting the PSN instead of the PCN. As discussed above, this is a legal violation. Fix it at the form level by explicitly labeling the field “PhilSys Card Number (PCN)” and providing visual guidance.
Storing the PCN without data privacy compliance. The PCN is not restricted like the PSN, but it is still personal information under RA 10173 (Data Privacy Act). Businesses must apply standard data protection measures: encryption at rest, access controls, retention limits, and privacy notice at the point of collection.
Assuming the PCN is permanent. The PCN changes when a new card is issued (replacement for lost card, card renewal). Businesses that store the PCN as a permanent identifier may find mismatches when a returning customer presents a new card with a different PCN. Build your system to update stored PCNs when a new card is verified.
Using the PCN as the sole verification input. A PCN alone confirms the card record exists. It does not confirm who is presenting it. Always pair PCN verification with biometric matching to connect the database record to the person in front of you (or the person in front of your camera, in digital flows).
How Verihubs Government Check Integrates With the PhilSys Verification System
Verihubs Government Check handles PhilSys PCN verification as part of its unified identity verification pipeline. When a PhilSys National ID is submitted, the Verihubs OCR engine extracts the PCN from the card image. The extracted PCN is then submitted to the government verification database via API.
The system returns active status, demographic data, and a consistency score that indicates how closely the OCR-extracted data matches the database record. Fields with discrepancies are flagged with specific codes: name mismatch, date of birth mismatch, or address discrepancy.
Because Verihubs never requests or stores the PSN, the entire verification flow is RA 11055 compliant by design. The PCN is used for the database lookup and the verification result is stored. The PSN never enters the pipeline.
The PhilSys verification step integrates with the same API that handles face matching, liveness detection, and OCR for all other Philippine government IDs. Businesses already using Verihubs for eKYC in the Philippines do not need a separate integration for PhilSys database verification. It runs automatically when a PhilID or ePhilID is detected.
Frequently Asked Questions About PhilSys Number (PSN) and PCN
What is the difference between PSN and PCN?
The PhilSys Number (PSN) is a confidential 12-digit identifier assigned permanently to each registrant. The PhilSys Card Number (PCN) is a 16-character alphanumeric code printed on the PhilID card for public-facing use. Businesses should only collect and verify the PCN. The PSN is legally restricted under RA 11055.
Can businesses legally collect the PhilSys Number (PSN)?
No, except under specific conditions defined by law. Unauthorized collection, storage, or use of the PSN can result in criminal penalties including imprisonment of 3 to 6 years and fines up to PHP 4 million under RA 11055. Businesses should collect only the PCN.
Where can I find the PCN on my PhilID card?
The PCN is printed on the front of the physical PhilID card, typically in the upper section. It is a 16-character alphanumeric code. On the ePhilID, the PCN is encoded within the QR code and extracted during QR verification.
Does the PCN change when I get a replacement PhilID?
Yes. The PCN is card-specific, not person-specific. When a new card is issued (replacement for loss, damage, or renewal), a new PCN is assigned. The PSN remains the same for life. Businesses should update stored PCN records when customers present new cards.
Can the PCN be used to look up someone’s identity without their consent?
PCN verification through authorized channels requires the cardholder’s consent as part of the KYC or identity verification process. Businesses must obtain this consent before submitting a PCN for verification. Unauthorized lookups violate both RA 11055 and RA 10173 (Data Privacy Act).
How does Verihubs handle PSN privacy in its verification flow?
Verihubs uses only the PCN for PhilSys verification. The PSN is never requested, extracted, transmitted, or stored at any point in the verification pipeline. This design makes the entire flow RA 11055 compliant by default.
Why Understanding PSN and PCN Is a Compliance Requirement
The PSN/PCN distinction is one of the most misunderstood aspects of PhilSys implementation for businesses. It is not an academic distinction. Collecting the wrong number exposes your company to criminal penalties. Failing to verify the PCN against the database leaves your KYC incomplete. Storing the PCN without proper data protection violates RA 10173.
Getting this right is foundational. Every downstream KYC decision, from account opening to transaction monitoring, depends on correctly identifying the customer through the PhilSys system. The PCN is the legitimate path to that identification. Build your systems around it.
Need help implementing PCN-based PhilSys verification? Talk to Verihubs about integrating privacy-compliant government database checks into your KYC pipeline.
