The card industry and regulators must incorporate new technology, including biometric card payments, to combat card fraud.
The rise in payment card fraud has forced both the payment card industry and regulators to find new ways to incorporate the latest technology and processes in card payment systems that ensure security of both payment transactions and card holders’ data. Strong Customer Authentication (SCA) is one of the requirements laid out in the Revised Payment Services Directive (PSD2) for payment service providers in the European Economic Area. All payment service providers were required to implement this by September 14, 2019. According to this requirement, electronic payments should be performed with two-factor authentication. While EMV chip cards already satisfy this requirement when used with a PIN for authentication, this requirement will specifically impact online transactions.
Two-factor authentication ensures that two of the following factors are verified during the transaction:
- Knowledge (something the user knows e.g. password or PIN);
- Possession (something the user possesses e.g., token); and
- Inherence (something the user is).
Card present transactions in stores usually verify the first two factors in order to ensure that the two-factor authentication requirement is satisfied. The most secure and error free method to verify inherence – or the identity of the person – online is by using their fingerprint or some other unique biometric identification. Thus, there is a huge demand for biometric card payments especially in the EU.
According to MasterCard, another factor which has led to this demand is that ‘[t]he use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets. It’s far easier to authenticate with a thumbprint or a selfie, and it’s safer too.’ Users are already familiar with biometric card payments due to the increasing use of mobile wallets for payments which rely on biometric authentication. Both Mastercard and Visa have already released the next generation EMV biometric dual interface payment card which combine chip technology with fingerprints to safely verify card holders’ identity.
High security capabilities, cost effectiveness and convenience are the three most vital requirements when it comes to finance, access and ID cards; and biometric cards seem to satisfy these. Besides mobile phones, we have only used fingerprint recognition for identity verification in offices or during immigration at airports. As such, it is difficult to visualise how it will be used with cards. The following stages will be involved in the biometric card authentication process:
- Enrolment: During this stage, a person registers for a card with the financial institution issuing the card. The biometric data (e.g. fingerprint scan) will be captured, processed and stored in the card issued to the person along with other identity attributes. The fingerprints captured at the enrolment stage should be of high quality to ensure that they can be matched easily during a transaction; and
- On-Card Matching: During a transaction, the card itself will act as a biometric sensor. It already has the enrolled biometric in its memory. When new biometric data is captured during a transaction, the card matches it with the enrolled biometric signature. This requires that the card have enough computational power to compare the two biometrics accurately in a short time.
Besides the strong security requirement which has called for the introduction of biometric card payments, these cards offer further advantages:
- PIN or password entry is not required with biometric card payments. Authentication takes place with a single touch of the finger on the card. This reduces the transaction time while making these cards an extremely user friendly option;
- Biometric payment cards are designed to be compatible with existing payment terminals. Merchants will not need to upgrade their existing hardware/software to start accepting these cards and consumers can continue shopping at their favourite online or brick and mortar stores;
- The embedded biometric sensors on cards will be self-charging, and will not need an embedded battery or recharging capabilities for either the sensor or the card;
- Biometric cards are similar in look and feel to existing payment cards and are as robust and durable as any other card made thin but strong plastic which is difficult to break; and
- The same method of authentication by on-card fingerprint matching will be used, for both online transactions and card-present transactions in stores, thus providing a common and consistent authentication interface.
The age of biometric card payments is here, propelled not only by regulation and the demand for security but also by the other advantages that they offer. Let us hope that this is one puzzle which proves difficult for fraudsters to crack.
David Smith
Independent Consultant
The Smart Card Institute
