Although biometrics is accepted in the identity sector, it remains experimental at this stage in the payment sector. Japanese and Brazilian banks have introduced ATMs equipped with palm-vein scanners and others are beginning to use voice biometric identification in their call centers… In-store and internet payment solutions secured by biometrics are developing more slowly, however. These solutions, whether based on fingerprint, iris, voice or vein recognition, have two obvious qualities. Not only do they theoretically guarantee a high level of security and authentication, but they also offer a simple, intuitive user experience, accessible to everyone, irrespective of age or ability with new technologies.
Biometrics and security
Securing transactions is not limited to simply validating them at the time of purchase. The promised benefits of biometrics therefore require closer examination, since implementing these solutions raises questions regarding the security of the system as a whole, such as possible weaknesses at the time of user enrolment or in relation to data storage. Finally, some users can be reticent about biometrics. If a user's security data for a means of payment is stolen, he or she knows that only the service in question is compromised. However, if biometric data is stolen, the risk is that not only the payment service is compromised but many other services besides, from official identity data to administrative data, driving license, cloud access, etc.
For these reasons, biometrics should not be seen as a miracle solution. While it offers significant benefits in terms of individual authentication, it needs to be part of a comprehensive security system, also addressing the issue of data storage.
Implementation – two key success factors
OT has conducted several experiments concerning the integration of biometrics in payment solutions and has recorded two key success factors.
The first involves offering a solution which reassures the user, by storing the biometric data scanned during the enrolment phase in an embedded Secure Element (inside a bank card or smartphone) which then acts as a mini data vault. This data therefore remains in the user’s possession at all times and is not communicated via the bank’s systems or via the merchant’s payment terminals or the cloud. The other key success factor involves integrating the biometric reader directly into the device owned by the user, strengthening perceived security and facilitating roll-out by sparing merchants from having to fit new, potentially expensive terminals.
OT is therefore involved in the Mastercard pilot called Zwipe, a contactless payment device just a few millimeters thicker than a card. Users enroll directly on the device, ensuring that their personal data is never communicated to a server, but passes directly “from the finger to the smartcard”. The same approach applies when the device is used: successful scanning of the print directly on the device activates it to allow a PayPass payment on a standard contactless payment terminal, which requires no adaptation. Biometric authentication replaces the entering of a PIN and allows the user to make payments for higher amounts, reinforcing the product’s appeal.
This pilot is a pioneer of the “all-in-one” card which could soon be launched.