As we’ve seen in our Primer and our look at the FIDO Alliance for On-Device Biometrics Month, there’s a wide range of areas in which the on-device approach to biometric data and authentication can be usefully applied. But one of the most important of these application areas is only just starting to come into view, through the emerging trend of biometric payment cards.
The Payment Card of the Future
The concept is pretty much what you’d imagine: debit and credit cards featuring embedded fingerprint sensors. The idea is to add security transactions made by contemporary chip-enabled payment cards. Today, such cards can be used to make contactless, tap-to-pay purchases, which of course entails a bit of a security risk; or they can be inserted into a chip reader, allowing for PIN-based authentication – not the most rigorous approach to security either, but certainly better than nothing. With the coming biometric payment cards, a fingerprint scan will be triggered at the point of sale, eliminating the need for PIN entry in contact-based transactions, and adding real security to convenient contactless transactions, with virtually no extra effort from the user.
For those unfamiliar with the concept, this might sound a bit like science fiction. But make no mistake: This is expected to be the next wave in payments. Major banks and credit card companies including Mastercard and Visa are now actively trialling this technology, and are aiming for large-scale commercial rollouts as early as this year.
That could end up feeling like a big change for a lot of consumers, and that’s why stakeholders in these biometric payment card programs are putting so much effort into getting the technology, user experience, and messaging just right. And a particularly important aspect of these efforts is that of enrollment: How are consumers going to actually get their biometrics registered for a payment card?
Taking the Tech to the Consumer
This is an issue that major fingerprint sensor specialists have been particularly keen to resolve. Zwipe, for example, announced two white label solutions for financial services partners last autumn: one was a mobile app allowing banks to enroll customers fingerprints through a kiosk or tablet at a bank branch, while the other was an at-home enrollment kit that could be mailed to customers for activation at home. While the former solution was designed more as a regionally-specific one that could be used in areas where customers would normally expect to show up at a bank branch for card activation, the latter embodied an approach that has been embraced more widely.
Indeed, Zwipe wasn’t the first biometrics specialist to come up with an at-home solution. IDEX first announced its own home enrollment system for biometric payment cards back in late 2017, and its partner Mastercard embraced this concept soon after, announcing a remote enrollment solution in the spring of 2018. Another major fingerprint sensor specialist targeting the biometric payment cards market, Fingerprint Cards, announced its own self-enrollment concept this past February – a compact, envelope-like solution that unfolds to reveal simple instructions, with an LED embedded in the payment card designed to blink when the user’s biometric enrollment is complete – and its China-based partner Feitian highlighted this on-device approach to data storage in announcing its “Fingerprint Power Card” the following month.
Convenience and Security
Much of this is about convenience. Consumers don’t want to have to physically go to a bank branch to activate these new cards, with Fingerprint Cards’ marketing head for biometric cards noting that any friction in the initial enrollment process “could put users off.” But it’s also clearly a security issue, with biometrics specialists and their financial services providers looking for a way to ensure that users’ valuable biometric data is not stored in some remote database where it could be vulnerable to a hack attack.
Discussing his firm’s efforts here in a new interview with FindBiometrics Managing Editor Peter Counter, IDEX CEO Stan Swearingen noted that “there are currently misconceptions around the use of biometric data within a centralised system” among consumers. “We help people understand that their fingerprint never leaves the card and is not connected to some network or held in a central databases that could be easily accessed by cybercriminals,” he emphasized.
Fingerprint Cards was also keen to emphasize the on-device storage of end users’ biometrics in announcing its remote enrollment solution; and in the official announcement of major biometric payment card trials with NatWest and the Royal Bank of Scotland, its partner Gemalto echoed this messaging. “We have also made the data on the cards as secure and private as possible by ensuring that there is no central database controlled by the bank that contains their customers’ sensitive information,” the company explained.
It’s the answer to a question that consumers are going to be asking more and more as their financial services providers start to introduce the concept of biometric payment cards to the broader public. And it’s one that should prove to be pretty compelling. Apple and Google have acclimatized consumers to having their biometric data stored on their own personal smartphones, just as employers looking to take advantage of biometric authentication in the workplace are opting for solutions like Aware’s Knomi app to make sure that their employees’ data is kept securely out of the hands of hackers or malicious insiders. Payment cards shouldn’t be any different – if anything, the protection of sensitive user data is an even more critical question here. And Visa, Mastercard, major banks, and fingerprint sensor specialists are looking to on-device biometrics for the answer.
On-Device Biometrics Month is made possible by our sponsor: Aware, Inc.
May 16, 2019 – by Alex Perala