Are Biometrics Changing Payment Security?

Will PIN numbers go the way of signatures? When it comes to payment transactions, biometrics are coming to a payment terminal near you. From fingerprints to selfies and iris scans, advances in payment technology have the potential to transform security and the customer experience.

Passwords and PIN numbers aren’t the most secure way to authenticate a payment. They can be bypassed or stolen, even hijacked with man-in-the-middle software, to access customer accounts and clone cards. Security is a moving target in the payments industry.

We have to stay one step ahead of cyber-criminals or risk losing customers through fraud and the fear that we aren’t doing enough to protect their money and data.

Authenticate Using Fingerprints

This explains the Visa study in Europe, which found that 73% of consumers across the continent want to use biometrics, with most preferring fingerprint scanning as an authentication method.

Consumers are already getting used to using fingerprints as part of the payment process, thanks to Apple Pay, Android Pay and Square Cash. Fingerprints are also used to unlock phones. If payment providers use similar technology, the user experience should be similar enough that consumers will need minimal education to get on board with this method.

Furthermore, biometrics could also be used for online payment transactions, as well as for taking payments in stores, entertainment venues etc.

Many online banking customers have adopted card reader technology to access their accounts. A natural development of this could be a card reader incorporating biometrics, such as fingerprint scanning or other technology, as part of the two-step – or even three-step – authentication process.

What About Selfies?

Over the last few years, selfies have become one of the most popular forms of content uploaded on social networks. Hundreds of millions are uploaded every year. Hence MasterCard's launch of Identity Check, which requires a selfie that is converted into binary data using facial recognition technology.

Authorising future payments requires the customer to take and upload another selfie. Once it matches, the payment is processed. The technology is sophisticated, even asking the user to blink, to ensure someone isn’t using an existing photo. Geolocation information is also incorporated to add an extra layer of security.

Other companies, including Amazon and Alibaba, are interested in launching similar security features. Amazon has even filed a patent for a selfie payment system.

Alternative Solutions For Authentication

Some companies and tech start-ups are looking into other behavioural biometrics. Gyroscopes, GPS and accelerometers are built into most smartphones, which could provide alternative solutions. Ear scans are also being explored. Michael Boczek, President and CEO of Descartes Biometrics, which specialises in mobile ear detection security apps, says, “[the ear is] stable and enduring, which means it changes very little over the course of one’s life. That’s also true of fingerprints, but less true of facial recognition.”

Or, how about using your heartbeat? Mastercard is exploring heartbeat data to authenticate and verify purchases: using a sensor to read a cardholder's electrocardiogram.

However, there is one significant issue with biometrics: what happens if a biometric is compromised in some way? If a password or PIN is stolen, a new one can be issued. But if biometric data is stolen, it is not possible to issue a new fingerprint.

Security therefore has to be of the utmost importance to ensure that biometric data, if stolen, cannot be readily used, for example through data encryption and systems that check for ‘liveness’: Mastercard’s Identity Check requires that users blink to prove that they are actually live and present.

Data encryption could also circumvent the problem of theft and the need to reissue a fingerprint. If the encrypted fingerprint data is stolen, it can easily be cancelled and a new encrypted fingerprint issued using different encryption keys. Similarly, decryption keys can also be changed so that the biometric is essentially cancelled.
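The following is an added example, not code from this article or from any payment provider, showing how rotating a key can cancel a stolen stored template while the same finger keeps working. It swaps in a keyed one-way random projection (often called a cancelable template) rather than literal encryption, and the key names, feature vectors and threshold are constructed assumptions.

```python
import hashlib
import random

BITS = 256        # length of the protected template (assumed)
THRESHOLD = 0.25  # max fraction of differing bits accepted as a match (assumed)

def protect(features, key):
    """Keyed one-way transform: sign bits of random projections seeded by key."""
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rng = random.Random(seed)  # deterministic per key; illustrative, not a CSPRNG
    bits = []
    for _ in range(BITS):
        proj = sum(rng.gauss(0, 1) * f for f in features)
        bits.append(1 if proj >= 0 else 0)
    return bits

def distance(a, b):
    """Normalised Hamming distance between two protected templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def matches(template, sample_features, key):
    return distance(template, protect(sample_features, key)) <= THRESHOLD

def constructed_finger(seed, dim=64):
    """Constructed stand-in for a fingerprint feature vector."""
    r = random.Random(seed)
    return [r.uniform(-1, 1) for _ in range(dim)]

def noisy_reading(features, seed, sigma=0.05):
    """A later scan of the same finger: same features plus sensor noise."""
    r = random.Random(seed)
    return [f + r.gauss(0, sigma) for f in features]

def demo():
    finger = constructed_finger(1)
    old_key, new_key = b"issuer-key-v1", b"issuer-key-v2"  # hypothetical keys
    stolen = protect(finger, old_key)     # template leaked from storage
    reissued = protect(finger, new_key)   # same finger, rotated key
    fresh = noisy_reading(finger, 99)     # cardholder scans again after rotation
    return {
        "genuine_under_new_key": matches(reissued, fresh, new_key),
        "stolen_vs_reissued": distance(stolen, reissued),
        "stolen_accepted": distance(stolen, protect(fresh, new_key)) <= THRESHOLD,
    }

if __name__ == "__main__":
    print(demo())
```

The raw feature vector is never stored, so what an attacker takes from storage is only the old-key template, which no longer matches anything once the key is rotated.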

As with all authentication methods, consumer trust and ease of transactions will be at the heart of how quickly and to what extent technology solutions are adopted. Those merchants and other parties employing biometrics will need to ensure that all security issues are addressed and reasonable measures put in place to protect this unique authentication data.