---
title_en: "Cybersecurity Standards Practice Guide — Personal Information Security Protection Requirements for Facial-Recognition Payment Scenarios"
title_zh: "网络安全标准实践指南 — 人脸识别支付场景个人信息安全保护要求"
abbreviation: "TC260 FRT Payment Guide"
hierarchy: "standard"
issuing_body: "National Information Security Standardization Technical Committee (TC260)"
status: "effective"
related_laws: ["facial-recognition-technology-application-measures"]
domains: ["personal-information"]
url: https://datacompliancechina.com/laws/tc260-frt-payment-pi-guide/
summary: "This TC260 practice guide sets personal-information security protection requirements specific to facial-recognition payment (人脸识别支付) scenarios. It addresses how face data should be collected, verified, transmitted, stored and protected when facial recognition is used to authorize payments, with an emphasis on consent, the availability of non-facial alternatives, anti-spoofing and minimization. It is advisory practice guidance complementing the facial-recognition application rules and PIPL's sensitive-PI regime."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/tc260-frt-payment-pi-guide/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Cybersecurity Standards Practice Guide — Personal Information Security Protection Requirements for Facial-Recognition Payment Scenarios", https://datacompliancechina.com/laws/tc260-frt-payment-pi-guide/
> *DCC summary, not a translation.* TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC's own paraphrase grounded in the guide's title and the underlying regime; specific clauses should be checked against the published guide.

## Scope

This practice guide provides **personal-information security protection requirements for facial-recognition payment scenarios** — the use of facial recognition to verify identity and authorize a payment. It applies to the parties operating such payment services (and their technology providers), and addresses the handling of facial (biometric) information across collection, verification, transmission, storage and deletion in this specific context.

It is a **practice guide** issued by the TC260 Secretariat — advisory, not a mandatory standard.

## Key contents

At a structural level the guide is expected to cover:

- **Consent and notice** — obtaining the user's separate consent for facial-recognition payment, with clear notice of purpose and scope.
- **Non-facial alternatives** — ensuring users retain a convenient alternative payment/verification method and are not compelled to use facial recognition.
- **Minimization and purpose limitation** — collecting only the face data necessary for payment verification and not repurposing it.
- **Security of face data** — anti-spoofing/liveness detection, encrypted transmission, protected (often tokenized) storage, strict access control, and secure deletion.
- **Risk management and accountability** — impact assessment, logging, and allocation of responsibility among the parties.

> *Editor: verify specific clauses against the published guide.*

## How it fits the regime

Facial information is **sensitive personal information** under **PIPL Article 28**, and facial-recognition payment is one of the highest-stakes consumer uses of it. The guide operationalizes the heightened sensitive-PI duties — separate consent (Article 29), strict necessity and protection (Article 28), and impact assessment (Article 55) — in the payment setting.

It complements the **Measures for the Administration of the Application of Facial Recognition Technology**, which require necessity, alternatives to facial recognition, and filing for large-scale use, and aligns with the facial-recognition judicial interpretation and the sensitive-PI identification and protection standards. For overseas compliance teams operating payment or identity-verification services in China that rely on face data, it is the scenario-specific reference for designing a compliant facial-recognition payment flow.
