Smartphones are so widely used nowadays – 3.8B were in circulation in September 2021 – that it is hard to believe they did not exist a few years ago.
Unsurprisingly, consumers’ interactions with financial services have started to migrate to the mobile platform.
- Smartphones have displaced desktop PCs for day-to-day banking, such as accessing online accounts, money transfers, P2P payments, and online payments.
- Customers will soon sign up for more bank services via mobile devices, using online ID verification technologies such as facial recognition, and expanding biometrics in banking.
So, what if I trust my banking cards more?
For the foreseeable future – and very likely beyond the next decade – cards and mobile are likely to coexist and share various payment scenarios.
The best part?
Shortly, innovations reserved for smartphones such as biometric authentication will show up in payment cards too.
Let’s dig in with this white paper that you can either read online or download (see below).
You don't have time to read this page? Download our white paper: "Biometrics for Financial Institutions - How the Gemalto Biometric Payment Sensor Card is simplifying consumer habits."
Why biometrics in banking?
Current and future biometrics for commercial use cases
With a "What I am" authentication factor, biometrics have revolutionised the user experience by bringing an additional but convenient security dimension.
Biometrics fits exactly the "What I am" group of identification techniques because it measures an individual's unique physical or behavioural characteristics.
Biometric authentication such as fingerprint verification or facial recognition – the two primary biometric modalities – is widely used today by government agencies and is rapidly developing for many other use cases.
For instance, the 1.2B electronic passports in circulation in 2020 are a windfall for access, travel (self-service kiosks and automatic gates) and civil identification, eKYC procedures, online customer registration and authentication, and more.
Commercial biometrics arrived in force in 2013 with the introduction of the first iPhone 5 and its Touch ID fingerprint verification. Facial recognition became popular with the iPhone X, introduced in November 2017 (with Face ID).
According to Counterpoint, manufacturers shipped more than 1B smartphones with fingerprint sensors in 2018. In 2020, 1B smartphones will come with some form of face unlock solution.
First used to unlock the phone, these features are also adopted to log in to mobile apps and perform mobile NFC payments in-store.
Primary biometric modalities in banking
Needless to say, the five primary biometric modalities valued today for commercial use cases are driven mainly by smartphones.
- Fingerprint recognition,
- Finger or palm veins,
- Facial recognition (with liveness detection),
- Voice recognition,
- Iris scan.
An additional biometric technique will emerge shortly for connected watches: infra-red imaging (and recognition) of wrist veins.
Fingerprint biometrics rank well when looking for accuracy and cost-effectiveness. Moreover, fingerprints are very stable over time, and recognition techniques have a long history.
Biometrics in banking: step by step
There are two steps to take to use biometrics for financial services on a customer device:
- Enrollment: performed once per device. This creates reference data to be securely stored in the device and then used for comparison when a verification request is completed. The user can do the enrollment process online or with a bank employee's assistance at the branch.
- Verification: performed each time the users want to identify themselves. This step involves a biometric capture that is then compared with the reference data.
Keeping the reference data on the device makes sense when you think about it: it protects user privacy, as the service provider does not have to manage customers' biometric data.
A fingerprint credit card validates a POS payment (source Thales)
The EMV card use case: Biometric identification as a convenient method for payment
First, this new payment technology has to face numerous challenges.
- Does it comply with the EMV international payment security methods?
- Does it strictly conform to the size and flexibility of existing credit cards?
- Is the fingerprint sensor's life expectancy in line with the card itself?
- Where does the sensor get its power supply from?
- Is this new EMV biometric payment identification accurate?
Let's dig in a little deeper.
Chip-and-PIN EMV banking cards currently support five different types of Card Verification Methods (CVM):
1. PIN offline
2. PIN online
3. Signature
4. No CVM
5. Customer Device CVM (CD-CVM) / On-Device CVM (OD-CVM), mainly used for proximity mobile payment.
EMVCo expanded this list (Bulletin 185) in 2017 by defining a biometric CVM.
The type of CVM used for each payment application varies widely worldwide and from one issuer to another.
The rise of contactless payments for low-value transactions has increased the number of scenarios in which no CVM is used.
When considering the idea of using a biometric fingerprint instead of a PIN code as the CVM for an EMV banking card, the product design must fit with existing CVM standards (biometric CVMs are already standardised for sensor-on-terminal and sensor-on-smartphone use cases).
In other words, the biometric system on the card provides the result of the fingerprint verification to the payment application. The app then uses the information to confirm a payment or switch to another CVM if another method is needed.
Conformity with ISO card standards
The addition of a fingerprint sensor on a card body for POS contact and contactless payments must fully comply with ISO standards for physical card dimensions and lifetime.
The card must still be capable of being used at any POS terminal and ATM. A fallback to using a PIN may be authorised when the biometric sensor is not accessible because the card is wholly inserted inside the ATM card slot.
The power supply challenge
A fingerprint sensor is an electronic device that requires power both for enrollment and performing day-to-day measurements and match-on-card.
So how do we get this new payment technology to work?
Thanks to the Thales solution, the POS can power the sensor via the ISO 14443 wireless bearer when the card is within 4cm of the device. There is no need for a battery inside the card, nor for recharging it.
Here, the biometric sensor is activated by the POS wireless magnetic field when the card is within range (4cm).
Accuracy of biometric credit cards
A typical criterion to measure accuracy is the FAR (False Acceptance Rate): the rate at which a wrong user is authorised for payment.
An EMV banking card with a PIN code as the Card Verification Method (CVM) has a False Acceptance Rate (FAR) of 1 per 10,000 because a four-digit PIN offers exactly ten thousand possible combinations.
Current fingerprint sensors for EMV banking cards typically have a FAR of 1 per 20,000, a lower false acceptance rate, and so a higher accuracy, than a PIN code.
Time matters here.
FAR performance can improve further with future, continuous improvements in the solution.
Contact and contactless use cases for biometric payment cards
The principal value proposition of an EMV card with a fingerprint sensor is removing the need for a four-digit PIN entry or a signature.
This can be a relief for consumers using many cards or regularly using mobile payment, as remembering multiple PINs can be difficult.
Today, users always have to use their PIN or signature for contact EMV payments at the POS terminal, regardless of the amount.
An on-card biometric CVM would apply to 100% of transactions and make paying much more convenient for cardholders.
For EMV payments using contactless at the POS terminal, there are two scenarios:
- For low amounts, and depending on the country where the technology is used, a biometric CVM can be set inactive. Still, some issuers may require it for extra protection while preserving convenience. Since this is a very natural gesture, requiring fingerprint verification for a small amount has minimal effect on the user experience.
- For high amounts (the threshold differs from country to country), some issuers block all contactless payments, and others authorise those with a CVM = online PIN. For that use case, biometric CVM offers a considerable benefit. It can replace the online PIN and deliver a seamless user experience, even in countries only supporting offline PIN.
Thanks to biometric CVM, contactless can be safely used for all payment amounts and offers a similar customer experience for both contact and contactless.
High-value contactless transactions
By authenticating the cardholder with no extra effort thanks to its integrated fingerprint sensor, the biometric payment card unleashes the potential of contactless payment.
It complies with PSD2 security requirements and most payment regulations, which require the cardholder to be identified regularly, generally after a certain cumulative amount is spent via contactless or after a series of contactless transactions (typically a maximum of five).
The fingerprint verification proves the cardholder's identity during each transaction, so contactless transactions can be authorised, whatever the amount.
It can be used indefinitely without inserting the biometric banking card in a payment terminal from time to time. If the POS terminal supports contactless, there's no need to touch the keypad or insert the card, and customers don't need to sign a sales slip.
The card also sends information to the bank's server that the cardholder has been biometrically authenticated.
This can significantly facilitate their risk management process and avoid unnecessary declined transactions or customer support calls when the user is travelling or using their card in an unusual location.
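The counter logic behind these contactless scenarios can be sketched as follows. This is an added example, not Thales or EMVCo code: it is a simplified model, and the three limit values and all names in it are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed limits for illustration; issuers and countries set their own values.
NO_CVM_AMOUNT = 50.00       # highest single contactless amount allowed without CVM
CUMULATIVE_LIMIT = 150.00   # total no-CVM spend allowed since the last CVM
MAX_CONSECUTIVE = 5         # the "typically a maximum of five" series


@dataclass
class ContactlessCounters:
    spent: float = 0.0      # no-CVM spend since the last successful CVM
    count: int = 0          # no-CVM taps since the last successful CVM

    def cvm_required(self, amount: float) -> bool:
        return (amount > NO_CVM_AMOUNT
                or self.spent + amount > CUMULATIVE_LIMIT
                or self.count + 1 > MAX_CONSECUTIVE)


def tap(counters: ContactlessCounters, amount: float, fingerprint_ok: bool) -> str:
    """CVM outcome of one contactless tap in this simplified model."""
    if fingerprint_ok:
        # A successful on-card match verifies the cardholder and resets both counters.
        counters.spent, counters.count = 0.0, 0
        return "BIOMETRIC_CVM"
    if counters.cvm_required(amount):
        # No biometric result available: the tap cannot complete without another CVM.
        return "OTHER_CVM_NEEDED"
    counters.spent += amount
    counters.count += 1
    return "NO_CVM"


def run(amounts, fingerprint_ok: bool) -> list:
    counters = ContactlessCounters()
    return [tap(counters, a, fingerprint_ok) for a in amounts]


# Constructed sequence of purchase amounts.
SAMPLE = [12.0, 30.0, 8.5, 45.0, 20.0, 60.0, 5.0]
```

Running `run(SAMPLE, False)` shows a card without a biometric result being stopped first by the single-amount ceiling and then by the consecutive-tap limit, while `run(SAMPLE, True)` completes every tap with a biometric CVM.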
Identification for social security benefits cards
Another attractive value proposition for the fingerprint EMV card is that biometry is an identification method, while a PIN code is an authentication method.
Let us explain.
The cardholder can share a PIN with other persons but can't do that with biometric data.
Issuers can utilise biometric identification to ensure that the genuine cardholder receives the card usage benefits.
The good news?
Social security benefits can be distributed via an EMV payment card.
- This method doesn't affect the card's EMV payment performance.
- It provides concrete cardholder identification.
- It helps slash fraud.
The Thales Gemalto biometric payment card: key features
No battery, no worry.
Thales holds patents for powered devices without using a battery and has made this choice for its biometric payment card.
The biometric sensor is activated by the POS wireless magnetic field when the card is within range (typically, the optimum distance is between 0 and 4cm).
Intuitive fingerprint positioning
Biometrics are expected to provide greater convenience for the user by not requiring them to enter a password. It is important not to add a new layer of difficulty, such as requiring a tricky finger position on the card body to measure the biometric.
This action should be intuitive and natural for both contact and contactless modes.
We believe users will find it easy to start using these cards, whether right or left-handed.
Green light: GO!
Red/green LEDs for a better user experience
CVM completion or failure can be indicated on the card body using green and red LEDs.
- When the biometric verification is completed successfully, the user will be reassured by a green light displayed on the card body while the transaction is approved.
- If the biometric doesn't match, a red light will inform the user about the unsuccessful CVM attempt.
No impact on POS terminal
All existing POS terminals are ready to accept contact and contactless payments using the biometric sensor card.
No software modifications are required.
PIN code entry or signature can still be used as a backup solution for a user who may not use the biometric sensor – for example, after a finger injury.
Secure by design
All the operations involved in the biometric acceptance decision (including calculating the match score) are executed inside the Secure Element (match on SE).
Using an EMVCo security-approved chip, the Thales platform and biometric payment applications implement security measures similar to those of standard payment cards.
They ensure compliance with EMV schemes' security requirements, such as the Mastercard-CAST Program and VISA VCSP.
Additional security assets (data or mechanisms) related to biometry have also been developed.
- An accredited security evaluation lab has assessed this product as resistant to a "High attack" potential as defined by the JIL "Application of Attack Potential to Smartcards and Similar Device" criterion.
- Thales' solution exceeds the FAR and FRR levels required by EMV payment schemes in terms of fraud and spoofing prevention.
- The payment schemes also assess its resistance to spoofing (Imposter Attack Presentation Match Rate) during card certification.
Getting started with the biometric payment card
It sounds simple, and it is.
Self-enrollment for distributed credentials – no central database
A fingerprint sensor on the card body and the "match on card" approach means that when the cardholders receive a new card, they just need to go through an enrollment process on the card itself.
That process will be performed only once during the lifetime of the card.
When using the card, the user's biometric data will be compared with the reference data.
To top it off, it is possible to enrol multiple fingerprints: the product specifications and the issuer requirements set this number.
The experience of smartphone makers such as Apple and Samsung demonstrates that commercial biometrics became successful when:
- The notion of self-enrollment appeared,
- The reference data was no longer in a central database but stored locally in a device that remains in the possession of the user.
Simple process for registering the fingerprint to the card
When users receive their biometric payment card, they have several options for setting it up.
The most accessible and most universal solution involves a small card reader, sent together with the card, which starts the registration process when the card is inserted into it.
The cardholder has to present one finger to the card sensor several times to capture the fingerprint details.
This creates a reference template, securely stored in the card, used for fingerprint comparison during payments.
The operation can be repeated for several fingers if the issuer authorises several fingerprints. Thales has designed several card readers, tested and approved following numerous user surveys and pilots.
They include a basic, recyclable model made from recycled plastic, and other, more advanced devices that include a digital screen to display instructions and a keypad.
Secure set up of the card
After registering the fingerprint to the card, one additional step is needed to ensure the genuine cardholder has set up the card.
During the first transaction or cash withdrawal, the PIN code is needed to finalise the operation, activate the card's fingerprint functionality, and lock the stored reference templates.
This process prevents fraudsters from registering their fingerprint to a stolen card and using it for transactions.
Alternatively, in countries where chip and PIN transactions are not supported, the fingerprint functionality can be activated after a first successful online payment.
A kiosk that enables card activation 24/7 is also a possibility.
Thales has developed a multi-service kiosk that enables instant card issuance at a bank branch. It could be extended to perform more services for all aspects of ID verification for enrollment, including personalising the biometric CVM for EMV cards.
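The enrollment and PIN activation steps described in this section behave like a small state machine. The model below is an added example, not Thales code: the class, the state names, the sample PIN and template strings, and the two-finger limit are all assumptions, and string equality stands in for the real match-on-card comparison.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    BLANK = "no fingerprint registered"
    ENROLLED = "templates stored, biometric CVM still disabled"
    ACTIVE = "PIN-confirmed, templates locked"


@dataclass
class BiometricCard:
    pin: str                       # set by the issuer, known only to the cardholder
    max_templates: int = 2         # assumed issuer limit on enrolled fingers
    state: State = State.BLANK
    templates: list = field(default_factory=list)

    def enroll(self, template: str) -> bool:
        # Registration is refused once the reference templates are locked.
        if self.state is State.ACTIVE or len(self.templates) >= self.max_templates:
            return False
        self.templates.append(template)
        self.state = State.ENROLLED
        return True

    def pay(self, finger=None, pin=None) -> str:
        """Return the CVM that verified the cardholder, or 'DECLINED'."""
        # Equality stands in for match-on-card; a real matcher scores similarity.
        if self.state is State.ACTIVE and finger in self.templates:
            return "BIOMETRIC"
        if pin is not None and hmac.compare_digest(pin, self.pin):
            if self.state is State.ENROLLED:
                self.state = State.ACTIVE   # first PIN transaction activates and locks
            return "PIN"
        return "DECLINED"


def intercepted_card() -> list:
    """Constructed scenario: someone other than the cardholder registers a finger."""
    card = BiometricCard(pin="4821")
    card.enroll("other-thumb")
    return [card.pay(finger="other-thumb"), card.pay(pin="0000"), card.state.name]


def genuine_setup() -> list:
    """Constructed scenario: cardholder enrolls, then activates with the PIN."""
    card = BiometricCard(pin="4821")
    card.enroll("owner-index")
    first = card.pay(finger="owner-index", pin="4821")
    second = card.pay(finger="owner-index")
    late = card.enroll("other-thumb")          # rejected: templates are locked
    return [first, second, late, card.pay(finger="other-thumb")]
```

In the first scenario the registered finger never verifies a payment because the card stays in the enrolled-but-inactive state; in the second, the PIN is needed once and later enrollment attempts are refused.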
Nine pilots as of December 2020
Thales biometric payment cards have been widely deployed and tested in customer trials around the world.
As of November 2020, pilots had been conducted in nine countries over 30 months, generating considerable positive feedback.
Participants mainly appreciated the extra convenience.
Since 2018, pioneering banks in Cyprus, Italy, and Lebanon have rolled out their first contactless biometric payment card provided by Thales.
In 2019 and 2020, several banks in the UK, France, and Switzerland began customer trials and are preparing for commercial launches.
Major issuers plan the first significant deployments in Europe in the coming quarters.
Visit our website for more details of our recent rollouts with major financial institutions.
Biometrics and contactless: the ultimate EMV card experience in-store
Biometrics for the EMV card offers more than just convenience.
It's the final element needed to migrate the entire card experience to contactless, regardless of the payment amount.
The fact that the card keeps its ISO form factor and can be used in contact mode is a long-term step ensuring that EMV cards will remain the only truly universal payment device for many years to come.
Contactless payment acceptance is growing fast everywhere globally, but 10 or 20 years from now, it is likely there will still be places where inserting a card will be mandatory to complete a purchase at the POS.
The Thales Gemalto Biometric Sensor Payment Card bridges the future with the entire legacy of EMV.
It offers the ultimate in convenient user experience as well as the trust that is associated with biometrics.
Thales is preparing for the future of payment where cards, wearables, and mobile phones coexist, each with their areas of excellence.