A new biometric payment technology: The case of the biometric banking card
Smartphones are so widely used nowadays (3.5B were in circulation in November 2020) that it is hard to believe they did not exist a few years ago.
Unsurprisingly, consumers’ interactions with financial services have started to migrate to the mobile platform.
Smartphones have displaced desktop PCs for day-to-day banking, such as accessing online accounts, money transfers, P2P payments, and online payments.
Customers will soon sign up for more bank services via mobile devices, using online ID verification technologies and expanding biometrics in banking. According to Forbes, digital account opening (DAO) is one of the most popular technologies in banking for the third year in a row. Close to 80% of all banks and credit unions are adding new DAO systems or enhancing their existing ones in 2020.
So, what if I trust my banking cards more?
For the foreseeable future – and very likely beyond the next decade – cards and mobile are likely to coexist and share various payment scenarios.
The best part?
Shortly, innovations reserved for smartphones such as biometric authentication will show up in payment cards too.
Let’s dig in.
Current and future biometrics for commercial use cases
With a “What I am” authentication factor, biometrics have revolutionized the user experience by bringing an additional but convenient security dimension.
Biometrics fits exactly the “What I am” group of identification techniques because it measures an individual’s unique physical or behavioral characteristics.
Biometric authentication methods such as fingerprint verification or facial recognition, the two primary biometric modalities, are widely used today by government agencies and are rapidly developing for many other use cases.
For instance, the 1.2B electronic passports in circulation in 2020 are a windfall for access, travel (self-service kiosks and automatic gates) and civil identification, eKYC procedures, online customer registration and authentication, and more.
Commercial biometrics came in force as of 2013 with the introduction of the first iPhone 5 and its TouchID fingerprint verification. Facial recognition became popular with the iPhone X introduced in November 2017 (with FACE ID).
According to Counterpoint, manufacturers shipped more than 1B smartphones with fingerprint sensors in 2018. In 2020, 1B smartphones will come with some form of face unlock solution.
First used to unlock the phone, these features are now also adopted to log in to mobile apps and perform mobile NFC payments in-store.
Major biometric modalities in banking
Needless to say, the five main biometric modalities valued today for commercial use cases are mostly driven by smartphones.
Finger or palm veins,
Facial recognition (with liveness detection),
An additional biometric technique will emerge shortly for connected watches: infra-red imaging (and recognition) of wrist veins.
Fingerprint biometrics rank well when looking for accuracy and cost-effectiveness. Moreover, fingerprints are very stable over time, and recognition techniques have a long history.
Biometrics in banking: step by step
There are two steps to take to use biometrics for financial services on a customer device:
Enrollment: performed once per device. This is the process of creating reference data that is securely stored in the device and then used for comparison each time a verification request is performed. Enrollment can be performed by the user unattended or with a bank employee’s assistance at the branch.
Verification: performed each time users want to identify themselves. This step requires a biometric capture that is then compared with the reference data.
A self-enrollment solution distributes credentials to individually owned devices. It is currently the preferred method for commercial use cases with biometrics.
It makes sense when you think about it.
It protects user privacy as the service provider does not have to manage customers’ biometric data.
A fingerprint credit card is validating a POS payment (source Thales)
The EMV card use case: Biometric identification as a convenient method for payment
First, this new payment technology has to face numerous challenges.
Does it comply with the EMV international payment security methods?
Does it strictly conform to the size and flexibility of existing credit cards?
Is the fingerprint sensor’s life expectancy in line with the card itself?
Where does the sensor get its power supply from?
Is this new EMV biometric payment identification accurate?
Let’s dig in a little deeper.
Chip-and-PIN EMV banking cards currently support five different types of Card Verification Methods (CVM):
1. PIN offline
2. PIN online
4. No CVM
5. Customer Device CVM (CD-CVM) /On-Device CVM (OD-CVM) is mainly used for proximity mobile payment.
The type of CVM used for each payment application varies widely worldwide and from one issuer to another.
The rise of contactless payments for low-value transactions has increased the number of scenarios in which no CVM is used.
When considering the idea of using a biometric fingerprint instead of a PIN code for CVM for an EMV banking card, the product design must fit with existing CVM standards (biometric CVMs are already standardized for sensor-on-terminal use cases and sensor-on smartphones).
In other words, the biometric system on the card provides the result of the fingerprint verification to the payment application. The app then uses the information to confirm a payment or switch to another CVM if another method is needed.
Conformity with ISO card standards
The addition of a fingerprint sensor on a card body for POS contact and contactless payments must fully comply with ISO standards for physical card dimensions, and lifetime.
The card must still be capable of being used at any POS terminal and ATM. A fallback to using a PIN may be authorized when the biometric sensor is not accessible because the card is wholly inserted inside the ATM card slot.
The power supply challenge
A fingerprint sensor is an electronic device that requires power both for enrollment and for performing day-to-day measurements and match-on-card.
So how do we get this new payment technology to work?
Thanks to the Thales solution, the POS can power on the sensor via the ISO 14443 wireless bearer when the card is within 4cm of the device. There is no need for a battery inside the card, nor recharging it.
Here, the biometric sensor is activated by the POS wireless magnetic field when the card is within range (4cm).
Accuracy of biometric credit cards
A typical criterion to measure accuracy is the FAR (False Acceptance Rate), which is the rate at which a wrong user is authorized for payment.
An EMV banking card with a PIN code as the Card Verification Method (CVM) has a False Acceptance Rate (FAR) of 1 per 10,000 because a four-digit PIN offers exactly ten thousand possible combinations.
Current fingerprint sensors for EMV banking cards typically have a FAR of 1 per 20,000, that is, a lower false acceptance rate and therefore higher accuracy than a PIN code.
Time matters here.
FAR performance can be improved further through continuous improvements in the solution.
Contact and contactless use cases for biometric payment cards
The main value proposition of an EMV card with a fingerprint sensor is removing the need for a four-digit PIN entry or a signature.
This can be a relief for consumers using many cards or regularly using mobile payment, as remembering multiple PINs can be difficult.
For EMV payments using contact at the POS terminal, users today always have to use their PIN or signature, regardless of the amount.
An on-card biometric CVM would apply to 100% of transactions and make paying much more convenient for cardholders.
For EMV payments using contactless at the POS terminal, there are two scenarios:
For low amounts: depending on the country where the technology is used, a biometric CVM can be set inactive for small amounts, but some issuers may require it for extra protection while preserving convenience. Since this is a very natural gesture, requiring fingerprint verification for a small amount has a very minimal effect on the user experience.
For high amounts: the threshold differs from country to country. Some issuers block all contactless payments above it, and others authorize them with an online PIN as the CVM. For that use case, biometric CVM offers a considerable benefit. It can replace the online PIN and deliver a truly seamless user experience, even in countries only supporting offline PIN.
Thanks to biometric CVM, contactless can be safely used for all payment amounts and offers a similar customer experience for both contact and contactless.
High-value contactless transactions
By authenticating the cardholder with no extra effort thanks to its integrated fingerprint sensor, the biometric payment card unleashes the potential of contactless payment.
It complies with PSD2 security requirements and most payment regulations, which require the cardholder to be identified regularly, generally after a certain cumulative amount is spent via contactless or after a series of contactless transactions (typically a maximum of five).
The fingerprint verification proves the cardholder’s identity during each transaction, so contactless transactions can be authorized whatever the amount.
It can be used indefinitely without inserting the biometric banking card in a payment terminal from time to time. If the POS terminal supports contactless, there’s no need to touch the keypad or insert the card, and customers don’t need to sign a sales slip.
The biometric card is a convenient and safe option that aligns with physical distancing guidance.
The card also sends information to the bank’s server that the cardholder has been biometrically authenticated.
This can significantly facilitate their risk management process and avoid unnecessary declined transactions or customer support calls when the user is traveling or using their card in an unusual location.
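The counter logic behind the requirement described above, as an added illustration (not Thales or issuer code). The class and function names and the per-tap and cumulative limits, expressed in minor currency units, are assumptions; only the series limit of five comes from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    per_txn: int = 5000       # assumed: 50.00 per tap without CVM
    cumulative: int = 15000   # assumed: 150.00 since the last verification
    max_series: int = 5       # from the text: "typically a maximum of five"


class ContactlessCounters:
    """Tracks contactless use since the cardholder was last verified."""

    def __init__(self, limits=Limits()):
        self.limits = limits
        self.spent = 0
        self.series = 0

    def tap(self, amount, fingerprint_ok=False):
        """Return 'biometric', 'no_cvm' or 'verify_required' for one tap."""
        if fingerprint_ok:
            # Cardholder verified on the card: counters restart, any amount allowed.
            self.spent = self.series = 0
            return "biometric"
        lim = self.limits
        within = (amount <= lim.per_txn
                  and self.spent + amount <= lim.cumulative
                  and self.series < lim.max_series)
        if not within:
            # A card without a sensor must now be inserted or a PIN entered.
            return "verify_required"
        self.spent += amount
        self.series += 1
        return "no_cvm"


# Constructed sample: six small taps followed by one high-value tap.
SAMPLE_TAPS = [1200, 800, 2500, 1500, 900, 700, 90000]


def run(amounts, has_sensor):
    """Replay a list of taps on a card with or without a fingerprint sensor."""
    counters = ContactlessCounters()
    return [counters.tap(a, fingerprint_ok=has_sensor) for a in amounts]


if __name__ == "__main__":
    print("no sensor:", run(SAMPLE_TAPS, has_sensor=False))
    print("sensor:   ", run(SAMPLE_TAPS, has_sensor=True))
```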
Identification for social security benefits cards
Another attractive value proposition for the fingerprint EMV card is that biometry is an identification method, while a PIN code is an authentication method.
Let us explain.
The cardholder can share a PIN with other persons but can’t do that with biometric data.
Issuers can utilize biometric identification to ensure that the genuine cardholder really receives the card usage benefits.
The good news?
Social security benefits can be distributed via an EMV payment card.
This method doesn’t affect the card’s EMV payment performance.
It provides concrete identification of the cardholder.
It helps slash fraud.
The Thales Gemalto biometric payment card: key features
No battery, no worry.
Thales holds patents for powered devices without using a battery and has made this choice for its biometric payment card.
The biometric sensor is activated by the POS wireless magnetic field when the card is within range (typically the optimum distance is between 0 and 4cm).
Intuitive fingerprint positioning
Biometrics are expected to provide greater convenience for the user by not requiring them to enter a password. It is important not to add a new layer of difficulty, such as requiring a tricky finger position on the card body to measure the biometric.
This action should be intuitive and natural for both contact and contactless modes.
We believe users will find it easy to start using these cards, whether they are right or left-handed.
Green light: GO!
Red/green LEDs for a better user experience
CVM completion or failure can be indicated on the card body using green and red LEDs.
When the biometric verification is completed successfully, the user will be reassured by a green light displayed on the card body while the transaction is approved.
If the biometric doesn’t match, a red light will inform the user about the unsuccessful CVM attempt.
No impact on POS terminal
All existing POS terminals are ready to accept contact and contactless payments using the biometric sensor card.
No software modifications are required.
PIN code entry or signature can still be used as a back-up solution for a user who may not use the biometric sensor – for example, after a finger injury.
Secure by design
All the operations involved in the biometric acceptance decision (including calculating the match score) are executed inside the Secure Element (match on SE).
Using an EMVCo security-approved chip, the Thales platform and biometric payment applications implement security measures similar to those of standard payment cards.
They ensure compliance with EMV schemes’ security requirements, such as the Mastercard-CAST Program and VISA VCSP.
Additional security assets (data or mechanisms) related to biometry have also been developed.
This product has been assessed by an accredited security evaluation lab as resistant to a “High attack” potential as defined by the JIL “Application of Attack Potential to Smartcards and Similar Device” criterion.
In terms of fraud and spoofing prevention, Thales’ solution exceeds the FAR and FRR levels required by EMV payment schemes.
Its resistance to spoofing (Imposter Attack Presentation Match Rate) is also assessed by the payment schemes during card certification.
Getting started with the biometric payment card
It sounds simple, and it is.
Self-enrollment for distributed credentials – no central database
A fingerprint sensor on the card body and the “match on card” approach means that when the cardholders receive a new card, they just need to go through an enrollment process on the card itself.
That process will be performed only once during the lifetime of the card.
When using the card, the user’s biometric data will be compared with the reference data.
To top it off, it is possible to enroll multiple fingerprints: the product specifications and the issuer requirements set this number.
The experience of smartphone makers such as Apple and Samsung demonstrates that commercial biometrics became successful when:
The notion of self-enrollment appeared,
The reference data was no longer in a central database but stored locally in a device that remains in the user's possession.
Simple process for registering the fingerprint to the card
When users receive their biometric payment card, they have several options for setting it up.
The most accessible and most universal solution involves a small card reader, sent together with the card, which starts the registration process when the card is inserted into it.
The cardholder simply has to present one finger to the card sensor several times to capture the fingerprint details.
This creates a reference template, securely stored in the card, used for fingerprint comparison during payments.
The operation can be repeated for several fingers if the issuer authorizes several fingerprints. Thales has designed several card readers, tested and approved following numerous user surveys and pilots.
They include a basic model made from recycled, recyclable plastic, and other, more advanced devices, including one with a digital screen to display instructions and a keypad.
Secure set up of the card
After registering the fingerprint to the card, one additional step is needed to ensure the genuine cardholder has set up the card.
During the first transaction or cash withdrawal, the PIN code is needed to finalize the operation, activate the card’s fingerprint functionality, and lock the stored reference templates.
This process prevents fraudsters from registering their fingerprint to a stolen card and using it for transactions.
Alternatively, in countries where chip and PIN transactions are not supported, the fingerprint functionality can be activated after a first successful online payment.
A kiosk that enables card activation 24/7 is also a possibility.
Thales has developed a multi-service kiosk that enables instant card issuance at a bank branch. It could be developed to perform more services for all aspects of ID verification for enrollment, including the personalization of the biometric CVM for EMV cards.
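The PIN-gated activation described in this section, modelled as a small state machine. This is an added illustration, not Thales code: the class, state names, finger limit and sample values are assumptions, and exact string comparison stands in for real fingerprint matching.

```python
import hmac
from enum import Enum, auto


class State(Enum):
    UNENROLLED = auto()   # card as issued, no reference template
    PENDING = auto()      # template captured, fingerprint CVM not yet active
    ACTIVE = auto()       # PIN-confirmed, reference templates locked


class BiometricCard:
    """Toy model of the setup flow; templates are opaque strings."""

    def __init__(self, pin, max_fingers=2):
        self._pin = pin
        self._max_fingers = max_fingers   # assumed issuer limit
        self._templates = set()
        self.state = State.UNENROLLED

    def enroll(self, template):
        # Templates can only be written before activation.
        if self.state is State.ACTIVE:
            raise PermissionError("reference templates are locked")
        if len(self._templates) >= self._max_fingers:
            raise ValueError("issuer limit on enrolled fingers reached")
        self._templates.add(template)
        self.state = State.PENDING

    def pay(self, finger=None, pin=None):
        """Return the CVM that approved the payment, or None if declined."""
        if self.state is State.ACTIVE and finger in self._templates:
            return "biometric"
        if pin is not None and hmac.compare_digest(pin, self._pin):
            # The first PIN-verified transaction activates the fingerprint
            # CVM and locks the stored templates.
            if self.state is State.PENDING:
                self.state = State.ACTIVE
            return "pin"
        return None


def stolen_card_result():
    """A finger enrolled by someone who does not know the PIN never becomes a CVM."""
    card = BiometricCard(pin="4821")          # constructed PIN
    card.enroll("unknown-finger")             # constructed template label
    return card.pay(finger="unknown-finger"), card.state


def genuine_setup_result():
    """Genuine cardholder: enroll, confirm once with the PIN, then pay by finger."""
    card = BiometricCard(pin="4821")
    card.enroll("owner-finger")
    first = card.pay(finger="owner-finger", pin="4821")
    later = card.pay(finger="owner-finger")
    return first, later, card.state


if __name__ == "__main__":
    print(stolen_card_result())
    print(genuine_setup_result())
```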
9 pilots as of December 2020
Thales biometric payment cards have been widely deployed and tested in customer trials around the world.
As of November 2020, pilots had been conducted in nine countries over 30 months, generating considerable positive feedback.
More than 80% of the people who used it said they were satisfied with their experience of using a fingerprint for contactless transactions.
They mainly appreciated the extra convenience.
Since 2018, pioneering banks in Cyprus, Italy, and Lebanon have rolled out their first contactless biometric payment card provided by Thales.
In 2019 and 2020, several banks in the UK, France, and Switzerland began customer trials and are preparing for commercial launches.
Major issuers plan the first significant deployments in Europe in the next quarters.
Biometrics and contactless: the ultimate EMV card experience in-store
Biometrics for the EMV card offers more than just convenience.
It’s the final element needed to migrate the entire card experience to contactless, regardless of the payment amount.
The fact the card keeps its ISO form factor and can be used in contact mode is a long term step ensuring that EMV payments will remain the only truly universal payment device for many years to come.
Contactless payment acceptance is growing fast everywhere globally, but 10 or 20 years from now, it is likely there will still be places where inserting a card will be mandatory to complete a purchase at the POS.
The Thales Gemalto Biometric Sensor Payment Card bridges the future with the entire legacy of EMV.
It offers the ultimate in convenient user experience as well as the trust that is associated with biometrics.
Thales is preparing for the future of payment where cards, wearables, and mobile phones coexist, each with their areas of excellence.