TRANSACTION TRENDS EXCLUSIVE CE SERIES: Buying With Biometrics

As U.S. payments increasingly embrace biometrics for authentication purposes, new products and considerations emerge

By Christine Umbrell

The integration of biometrics into smartphone technology has sparked a slow but steady progression into U.S. acceptance of biometric payments. Just a few years ago, payments was a completely separate space from biometrics—the process by which a person’s unique physical or behavioral characteristics are detected and recorded into an electronic device or system. And while global mobile biometric market revenues totaled just $6.4 billion annually in 2016, they are expected to reach $50.6 billion annually by 2022, according to a recent report from Acuity Market Intelligence.

Several types of biometric identifiers are being incorporated into or studied for mobile device authentication and other forms of payments—from Touch ID to contactless fingerprinting, to facial recognition and iris scanning, and beyond. It is expected that, as more biometric identifiers become available and are used in conjunction with one another, multifactor biometric authentication may become a reality. But there is still a ways to go before financial institutions, consumers, and payments professionals truly accept biometric payments as business as usual.

The Rise of Touch ID
The introduction of fingerprint identification to Apple and Samsung phones has played an extremely important role in normalizing biometric-related payments, says Jerome Ajdenbaum, vice president of fintech and business development at IDEMIA. “Apple Pay was a game changer,” he says. Before its inception, biometric technology was focused mainly on access control and border control usages, leveraged primarily by the government, police departments, and immigration officials, he explains.

When Apple incorporated biometrics into its smartphones in 2013, “it was not immediately clear whether customers would be in favor of paying with biometrics,” says Ajdenbaum. “Apple Pay totally changed that. The boom we see now has been enabled by Apple Pay.” Millions of consumers are now using Touch ID—a fingerprint recognition feature—to unlock Apple devices and make purchases.

Samsung Pay debuted soon after, allowing users to download an app to add their credit, debit, and gift card information so that consumers can use Samsung Pay at the register, authenticated with a fingerprint scan or password. In addition, Android Pay users also are being given the opportunity to leverage fingerprint biometrics as an authentication mechanism.

“There is mass consumer adoption of [these] technologies, such as Apple Touch ID and similar capabilities on Android devices, and, more recently, facial recognition, such as Apple’s 3-D-sensing Face ID on the iPhone X,” explains Robert Capps, VP and authentication strategist at NuData Security.

“In the past two years, there has been tremendous growth” in the biometric payments space, agrees Tom DeWinter, manager of business development for Iris ID Systems. An ever-increasing number of entities are linking fingerprints and faceprints to payments.

But biometrics alone in these types of devices do not enable the payments—they are linked to a mobile device where card information is stored, DeWinter points out. Layering the technologies helps reduce fraud, he says. The biometrics associated with Apple Pay and Samsung Pay is “unlocking the device that makes the payment.” It’s “another verification tool [authenticating] that the person using the device is the individual authorized to make payments with that device,” says DeWinter.

As consumers grow accustomed to these technologies, they also become more accepting of allowing their fingerprint—and other biometric data—to be used in new ways. Now “we can start thinking about other applications” for biometrics, says Ajdenbaum. For example, during some very high-risk transactions, some banks and credit card companies are asking purchasers to take a selfie with their phones for authentication purposes—and this technology could be expanded to lower-risk purchases, Ajdenbaum predicts.

Leveraging Fingerprint Identification
With the rise of consumer acceptance of fingerprint authentication on mobile devices has come increased interest by financial institutions. At the end of 2014, just two banks offered Touch ID as an authentication option. Since then, many leading banks—including Chase, Bank of America, FIS, Citibank, and Wells Fargo—have introduced support for the technology, according Juniper Research.

In addition, several companies are currently experimenting with fingerprint authentication of credit cards. Two different methodologies are being investigated, according to Ajdenbaum: fingerprint on the payment terminal and fingerprint on the consumer’s card.

For the latter, “some cards can embed a fingerprint reader right on a plastic card. You would insert the card normally into the terminal, then put your fingerprint on the part of the card that’s not inside the terminal, or simply hold the card with your finger on the sensor over a contactless reader,” explains Ajdenbaum. His company has introduced a product, called the F.Code, that allows customers to authorize payments via a fingerprint sensor embedded into an EMV-compliant card, instead of a PIN code. The consumer’s identity is verified when an IDEMIA algorithm matches the owner’s fingerprint to the template stored within the card. This technology is being trialed in Japan, France, and elsewhere.

“Most people prefer this method, where the fingerprint stays on the consumer’s own device,” rather than being stored in a merchant terminal or a database, says Ajdenbaum. “Banks and credit card companies are looking at these experiments to see how they go, and how consumers react,” he says.

Enhanced Security
One of the main benefits associated with Touch ID and other biometrics associated with payments is increased security. Many consider the use of Touch ID, used instead of or in addition to PIN authentication, as more secure than other types of mobile transactions, because the card information is never collected by the merchant—the services tokenize account information and authenticate it with a fingerprint stored in the device, rather than in a database.

For card companies, this feature may be considered a limitation of Apple Pay and similar payment systems used in conjunction with Touch ID because “you don’t know who is paying,” notes Ajdenbaum. “With Apple Pay, you authenticate the user, but you don’t know exactly who you are authenticating,” he says. “That piece—identification—is important to the banks, and they will want to link the fingerprint to a verified identity.” But keeping the fingerprint within the consumers’ devices allays some privacy concerns.

Still, Ajdenbaum says the use of biometrics is “a step forward” for security. Take, for example, a chip-and-PIN card. Adding in biometrics, “it’s at the same level as chip and PIN, plus there’s an increase in security since it also requires a fingerprint,” he says. “The security inherent in biometrics is never perfect, but it’s very high because with biometrics you can authenticate a cardholder, you can prove [that individual] actually authored the transaction,” he says. Plus, he notes that it’s more difficult to steal a fingerprint than a PIN number.

Fingerprints aren’t foolproof, however, because they are left behind whenever you touch something, says Ajdenbaum. But if the fingerprint is kept within a smartphone or within a consumer’s credit card, even if a highly skilled attacker would manage to impersonate a user, a stolen print could only be used to defeat one device—rendering the scam impossible to scale.

Touch ID on mobile devices also yield higher conversion rates, says Benny Silberstein, founder of Payrix and a former ISO agent. “Using Apple Pay or Samsung Pay means the transactions are more secure,” he says. “I know that a transaction made this way was authenticated and verified by the cardholder” because the cardholder had to use biometrics to unlock the phone and make the payment on a mobile device. “So, these transactions lead to fewer chargebacks.”

Privacy Issues
The thought of linking a payment to a physical trait can create resistance to biometrics among some consumers and poses a barrier to wider acceptance. “There is a ‘perceived’ notion that something about you is being given away,” says Ajdenbaum. But individuals have already given up this information when crossing borders and for access control purposes, he notes. “When you enter a country, you will agree to leave a fingerprint—everyone accepts [that requirement] for border control.”
For consumers, Ajdenbaum points out that it is a matter of each individual evaluating his or her threshold regarding privacy. “Am I ready to give my fingerprint for public transit? For payments? For other uses?” Because of Apple Pay, more people are willing to answer “yes” to these questions, he says.

Confining fingerprint data to an individual device assuages some of the privacy fears. With Touch ID Apple phones, for example, the fingerprint is stored only in the phone—not in any database, so you’re not sacrificing privacy, says Silberstein. “But the drawback is, when you get a new phone, you need to input a new biometric.”

Ajdenbaum offers a similar point of view regarding fingerprints stored within an individual card, rather than a payment card reader, and believes that consumers will increasingly understand their privacy is not being compromised with this technology.

Stronger and more secure biometric authentication is already underway in some other countries and may be possible in the United States soon, “but that also means putting additional friction on the consumer,” says Capps, “which could prevent transactions from occurring” in a country that prioritizes privacy. Biometrics integrated with payments are more common in countries that have national ID systems. Some countries in Latin America and Asia, for example, have full biometric capabilities that ensure the presence of the human and leverage a high security level for payments, says Capps. But the United States “lack[s] a central repository of authentication data” that would make such a system possible here, he says.

Privacy concerns in the United States are preventing companies from developing and deploying facial recognition solutions in a meaningful way, says Capps. “It’s unclear how U.S. consumers will feel about going and being identified solely by facial recognition,” he says. More than 9.7 billion consumer records have been lost to data breaches since 2013, Capps notes, “so most companies are taking a cautious approach to make sure they deploy biometrics solutions in a secure way.”

Regions with lower privacy expectations are experiencing greater innovation in biometric payments, Capps adds. “Consumers in [certain] countries have grown used to camera surveillance and Internet monitoring as a normal way of life—there’s no expectation that you’re not being watched,” explains Capps. In China, for example, Alipay has launched a ‘Smile to Pay’ service in a limited trial. This service allows Alipay users to authenticate their payments without using wallets or smartphones, instead using a combination of facial scanning and inputting their mobile phone numbers.

What’s Next?
Right now, a variety of biometrics options and capabilities are being rolled out in the United States, says Capps. “The customer convenience of biometrics will consistently rise in some sectors, but most biometric options in the U.S. are still focused around a mobile device with a local user using that device,” says Capps. “True physical verification [without a mobile device or password authentication] is not here yet.”
Biometric technologies come in a wide variety of cost points and accuracy ratings, and are advancing all the time, says DeWinter. The fingerprint technology associated with Apple devices has grown more advanced since its initial implementation. “Every year, fingerprint technology gets better and more sophisticated,” he explains. Facial recognition technologies also are evolving, and currently range from 2-D imaging to more sophisticated infrared 3-D imaging.

Silberstein believes Touch ID phone usage will continue to grow, and mobile wallets will see increased usage as well. While it has taken longer than originally expected for mobile wallets to gain acceptance in the United States, more companies have begun introducing them, he says.

As fingerprint and facial recognition biometrics become more accurate and secure, other types of biometrics are starting to gain ground. Silberstein notes that voice biometrics, iris biometrics, and even biometrics based on “how you type” are currently under development.
In fact, iris technology—which has benefits of being both noncontact and highly accurate—has grown significantly over the past five years and has come down in price since first developed, says DeWinter, whose company is one developer of the technology. Currently popular in Europe and Asia, he says, this technology is being used “for both security and convenience” for identification purposes—for example, at border crossing checkpoints and airports. The technology is also being used in high-end health clubs and even daycare centers, as well as by “leading-edge time and attendance vendors” to offer solutions for clocking in and out and similar functions. In addition, newer Samsung devices feature iris scanning technology.

Iris solutions are beginning to be integrated with payments, according to DeWinter. “In universities and in companies, they’re tying iris technologies into dining programs, using biometrics as the authorization to authenticate and pay for food and health through a loyalty program,” he explains. Irises are linked to employee ID programs and to accounts university workers have linked with their identity.
DeWinter also notes that iris data is “very stable for a lifetime.” Whereas other biometrics—faces and fingerprints—tend to age and change slightly or degrade over time, iris data is captured behind the lens of the eye, so it remains more consistent over an individual’s lifetime.
With the various biometric technologies getting more advanced month by month, expect to see increasing acceptance and new models for biometric payments popping up in the future, says Ajdenbaum. He envisions a day when “contactless entry” popular in some access control models evolves into contactless purchasing.

For example, some stadiums currently allow visitors to enter with a wave of their hand, which is authenticated using touchless 3-D fingerprint technology. “Right now, that technology exists for access control. But maybe you could continue that biometric identification to the concessions area, and pay for concessions there with a wave of your hand—and use it everywhere in the venue,” suggests Ajdenbaum.
He cautions that some biometrics are better than others, and more suited to particular applications. Facial recognition technologies are easy to implement when you have a camera on a phone or computer, according to Ajdenbaum—but while these technologies can be embedded in a payment terminal, they cannot be embedded in a card. He also notes that iris is a secure method but requires specific hardware for recognition.

As more stakeholders begin experimenting, Ajdenbaum predicts that several types of technologies—fingerprint, facial recognition, iris, etc.—may co-exist “until we may find a ‘winner.’”

A New Chapter for Payments Professionals
Moving forward, biometrics alone “are not the total solution and must be secured and layered with other factors depending on the risk and what is being safeguarded,” says DeWinter. But it’s important for all stakeholders to understand this new sector and where it is headed.
For payments professionals in particular, new technologies are “pushing and pulling” reluctant adopters into the market, says DeWinter. Payments professionals who seek an understanding of the latest advances will be able to educate their customers and appropriately plan for the new future of payments—one where security may be enhanced and transactions may become easier.

“Anything payments professionals can do to reduce friction and increase convenience is going to help increase transaction volume,” says Capps. “Using passive and local biometrics can help reduce risks, remove unnecessary friction, and reduce the potential of fraud.”

As changes big and small begin to impact the biometric payments space, it is important for payments professionals to follow the evolution, says Silberstein, who previously worked for an ISO. “Coming from the ISO world, we were very disconnected from the actual transaction stream—transactions went straight to acquirers. We had very little data,” he explains. “We only had the merchant credit card number. ISOs typically don’t gather real data on who’s filling out the applications.” With different types of biometrics coming to market, it has become possible to gather more data—and know more about your clients.

For payments professionals, “it’s important to recognize the value of biometrics and what it brings to the table in verifying the identity of consumers,” Silberstein says. “This will lead to a more secure payments infrastructure.”

“The rise of biometrics in payments is happening now,” adds Ajdenbaum. He encourages payments professionals to start looking at and understanding the different solutions. “Start monitoring this space. It’s the right time to get started.”

Christine Umbrell is a contributing writer to Transaction Trends. Reach her at [email protected].

ETA CPPs: earn ETA CPP Continuing Education (CE) credits. Read this article, then visit ETA CPP Quizzes to test your knowledge and earn 2 ETA CPP CE credits per quiz!