In light of some high-profile data breaches in recent years, businesses are constantly seeking forms of authentication to replace passwords. Such breaches might suggest passwords aren’t as efficient as they used to be, and passwords can also be inconvenient for consumers, who need to remember them across a variety of online accounts, including email, e-commerce, online banking, social media, and more.
One of the latest forms of identity protection that might take the place of passwords is biometric authentication. Several leading credit card providers are testing ways for cardholders to authorize online transactions using biometrics, including fingerprints and selfies. This has the potential to create tighter security and a more convenient customer experience, as customers will no longer have to remember passwords. However, for this type of identity protection to reach the masses, it will involve collaboration between two key players in the payments space – biometrics providers and merchants.
How biometric authentication is used for identity protection
Biometric authentication could see widespread adoption across several aspects of the customer experience, including e-commerce, mobile, wearables and in-store.
E-commerce: Using unique, genetic signatures – via fingerprint scans and facial recognition technology – to sign off on online purchases might not be a far-off reality. MasterCard and Apple are testing industry-leading credit card programs that empower cardholders to authorize online transactions using biometrics. The platforms prompt consumers to scan their fingerprint or snap a selfie to verify their identity before moving forward in the virtual checkout process. According to MasterCard, selfie authentication is more secure than passwords, due to its sophisticated facial recognition algorithm, which can flag when someone is trying to use a video or other fraudulent form of identification in place of a user’s authentic selfie.
Mobile and wearables: From the Apple Watch to the Kerv Payment Ring, intuitive motions and biometrics can help transactions occur more instantly and securely. Using mobile devices, consumers have the option to draw passwords, scan their fingerprints or snap a selfie for added authentication. For consumers who opt to use mobile devices and wearables for in-store payments, POS terminals are increasingly equipped with near field communication (NFC) technology, so retailers can more easily enable intuitive user experiences and secure data protection measures.
In-store: Biometric technology has garnered significant attention, but its role in face-to-face environments has seen slow adoption to date, likely in part due to the perceived high costs and hassle associated with implementation. To make in-store biometrics easier and more secure, merchants can use embedded PIN Entry Device (PED) Cams at payment terminals. The devices use an upward-facing camera, embedded into a standard card terminal, to take a picture of the cardholder each time a PIN is entered. The resulting image generates a unique biometric template, which is linked to the individual’s card and stored in a secure, central database.
Biometrics in the age of EMV
With EMV in the spotlight and card-present transactions seemingly becoming more secure, card-not-present (CNP) systems have now piqued the interest of fraudsters. Some industry analysts are predicting an overwhelming increase in CNP fraud from identity thieves targeting underprepared businesses. EMV must be met with cloud-based security features like encryption, tokenization and vaulting, all of which may be incorporated into biometric authentication technology.
Encryption: By way of an algorithm, encryption transforms account information into an unreadable message. That message is understood only by the payment processor, whose securely held key decodes the dispatch to complete a transaction. Via this end-to-end approach, information is encrypted immediately after it’s captured by the card reader, read and authorized by the payment processor, re-encrypted and sent back to the POS terminal to finalize the exchange. One perceived issue with using passwords for encryption is that this type of identity protection only proves the password is authentic, whereas biometrics – including fingerprints and iris patterns – can authenticate users directly by identifying stored biometric keys and detecting fraudulent use of the keys.
Tokenization: Tokenization is the process of replacing cardholder data with a unique string of characters to avoid account visibility. (If a card number is 1234, a token could be ABCD.) It has the potential to beat fraudsters at their own game, because even if the information is obtained, tokenization essentially leaves it worthless to fraudsters. With tokenization, there are two aspects of security at play – user authentication and protection of the Primary Account Number (PAN). For banks or retailers tapping into tokenization, requiring biometric authentication, such as a fingerprint scan, can add an extra layer of security when it comes to mobile payments.
Vaulting: Vaulting mechanisms appear in the form of “Remember Me” or “Save This Card” buttons and foster recurring or frequent electronic payments. By securely storing card data in their vaults, payment processors relieve merchants of the burden of protecting that data on their own servers and networks, further minimizing the risk of a data breach and reducing PCI compliance complexity. Some sort of vaulting feature is necessary to facilitate online and mobile buying and other card-not-present interactions where cardholder data cannot be verified in person with every transaction. Through biometric tokenization, as outlined above, sensitive passwords and biometric data are no longer stored on centralized servers, taking some of the liability off merchants and making it more difficult for fraudsters to launch widespread attacks.
As fraudsters look to target CNP transactions following the switch to EMV, biometric security can provide added identity protection for consumers. Through continued collaboration between merchants, payment processors and biometric security providers, consumers may soon see a more convenient and secure customer experience than before.