Mythbusting: debunking the common misconceptions around biometric payment cards
October 2019 by David Orme, Senior Vice President at IDEX Biometrics ASA
From mobile phone access to passport control, the use of biometrics is on the rise. Now, with biometric trials taking place across the payment sector, fingerprint authorisation payment cards look set to reach the market tipping point by next year. As these biometric smart cards become a daily fixture in our lives, they will bring many benefits, including extra security, convenience and reliability.
However, despite the benefits it brings, biometric technology in payment cards is still often misunderstood. There remain a number of misconceptions about the future of biometric payment cards that could be a barrier to global adoption.
So, to separate fact from biometric fiction, it’s important to outline some of the most common myths and misconceptions surrounding fingerprint biometric smart cards. Doing so reveals the truth and debunks the misapprehensions about the physical biometric smart card as a product, its transactional processes, infrastructure and support.
The truth behind fingerprint data storage
As a growing number of security breaches continue to hit the headlines, the public have become ever more aware of the need for biometric data security. This concern has led to the common misconception that biometric data for fingerprint payment cards is stored on a central database. But this is not the case.
Instead, upon registration, the owner’s fingerprint image is immediately transformed into an abstract biometric certificate via encryption technology. This is then stored in the secure element of the card’s EMV chip and the owner’s data never leaves the card. In this case, even if the fingerprint data was somehow extracted from the payment card, it cannot be used without the encryption key to unlock the biometric certificate.
Along with security concerns, it is also problematic for card manufacturers to store biometric data in a centralised database. If biometric data was held in a central location, the user would need to visit a secure site in order to register the fingerprint to be matched to the card. Instead, with user data stored on the payment card, the user is able to register their fingerprint at home through a remote enrolment process.
From registration to transaction: the reality
In fact, the at-home enrolment process breaks down friction points associated with biometric fingerprint registration. To achieve this, card issuers should supply a single-use, battery-powered enrolment sleeve that allows cardholders to complete the fingerprint registration process wherever they are. With a single-use sleeve, the device only works for registration and cannot be used to override the fingerprint stored on the card.
While battery power is needed from the enrolment sleeve during registration, outside of this process the payment card works in ‘passive mode’. This means that the power required to transmit an authentication signal from the card to the Point-of-Sale (PoS) system is drawn from the terminal itself. So, despite the misconception, no battery is needed to power the card itself.
Another common concern, from both consumers and retailers, is what happens if fingerprint authentication fails during a transaction, say due to damage to the card. Would they be unable to complete their payment? Well, just as with any digital transaction, there will always be a certain card authentication fail rate that produces false positives or negatives, because of unforeseen circumstances or damage to the card’s antenna or contact chip. However, as the primary function of biometric smart cards is for contactless transactions, a method with fewer physical strains on the card, it is likely there will be fewer issues with card damage and failed transactions.
In addition, while the biometric sensor makes the need for PIN authentication redundant, the PIN will still function. This means the PIN can still be used as a fail-safe in the rare event of a failed authentication attempt, ensuring the consumer can still complete their transaction.
No need for new payment infrastructure
One of the most important biometric myths to debunk is the perceived need for new banking and payment infrastructure in order to use biometric payment cards. Merchants can be reassured that consumer fingerprint smart cards work with existing infrastructure at PoS systems, so there is no issue accessing money.
In addition, these new cards will work with the current contactless ATMs and PoS systems on the high street. This means consumers can use contactless technology in conjunction with fingerprint authentication for secure end-to-end contactless cash withdrawals and in-store transactions, without the need for a PIN.
It’s also not just in-store card-present (CP) transactions that would benefit from fingerprint biometric security. By combining a new dynamic digital CVC display with fingerprint authentication, biometric smart cards will generate unique one-time passwords (OTPs) that can be used to secure e-commerce or card-not-present (CNP) transactions as well.
While fingerprint biometric smart cards are primarily thought of as a payment technology, their potential as an authentication method goes far beyond payments. As well as contactless transactions, biometric smart cards can also provide authentication for physical and virtual access control, such as to offices and company networks or mass transit ticket systems. When incorporated with biometric fingerprint data, smart cards can also prove valuable in combining government IDs, healthcare access and payments into one single, convenient and secure identity card.
The cost of the card
Finally, while many of the perceptions covered here have proved to be false, one of the most common accurate impressions of biometric cards is that they will cost more than existing bank cards. Given the complexity of technology needed in biometric development, these cards will inherently be more expensive than current cards used by consumers. The cost is also higher due to the current lack of market penetration – which would bring savings from economies of scale in the future.
However, given the level of increased security biometric cards provide, it’s likely that many consumers are willing to pay a modest fee for a more secure bank card. Work is also underway to reduce these product costs further. Advanced technology, such as hot lamination, is currently being developed to aid the capacity for mass production of biometric smart cards, which will help further scale down card price points.
The benefits of biometric payments
Through films such as James Bond and Mission Impossible, we have become used to seeing futuristic images of fingerprint scanners or facial recognition as tools used in extreme circumstances, but not in our everyday lives. This has left us with many misconceptions and skewed ideas about biometric technology. Yet, these sci-fi interpretations don’t offer the full picture of biometric technology. Despite additional production costs, biometric smart cards bring many added benefits to our lives, and could ultimately introduce savings in the long run, by increasing payment card security and reducing the threat of card fraud. When we set out the truth of biometric payment card products and processes, it’s clear the technology has the potential to bring greater security and convenience to our payment transactions.
As biometric technology evolves, its inclusion in the payment ecosystem will make one of our most everyday experiences — shopping for goods — not only more secure, but also easier and more reliable.