Biometrics aim to make payments more secure

By Benjamin Salisbury

When this reporter began working in a petrol station in 1990, I had to check customers' signatures on their credit or debit cards against their signatures on the receipts. Eventually, card readers and chip-and-PIN systems came about, lending more security and speed to transactions. In the near future, the unique characteristics of your physiology may become the favoured method of payment authorisation.

 "At Visa, we are trying to differentiate between being a standards provider and being flexible enough to incorporate new ideas," says Jonathan Vaux, director of innovations at Visa Europe. One of those new ideas is using biometrics as an extra layer of payment authentication.

"Just having one piece of data to authenticate the customer is outdated," Vaux says. "We want to combine the best bits of information. Like if you apply for a loan at a bank, you are asked a range of questions. We're aiming for an authentication system that incorporates this."biometrics-authentication

Visa isn't the only one. MasterCard, Apple, Samsung and other payments processing leaders have implemented various biometric verification technologies, too. Some companies are employing them in addition to regular verification methods such as PINs, and some are moving away
from traditional verification in favour of biometrics alone.

1. Facial recognition.
One of the newer entries into the biometric verification field is the PED
Cam (PIN Entry Device Camera) from Worldpay, a payments processing technology firm.

The PED Cam works with PINs in a double authentication process. The camera is attached to payment terminals, into which you'll still need to enter a PIN. After you enter it, the camera will photograph you and upload the photo into a unique biometric template stored in a database managed by Worldpay. The next time your card is used, PED Cam will do the process again, and compare the photo with the previous photo taken to be sure it's the same person using the card each time. If the image doesn't match, payment can be declined or the card provider can be sent an alert.

Worldpay began testing the prototype device in the UK in September 2015 to assess its effectiveness in reducing fraud. The company will evaluate reactions from customers and how they use the system.

Not only will the PED Cam work no matter what kind of card you're swiping, but it requires nothing from the consumer, a feature Worldpay feels will put it ahead of the curve.

"Biometrics has attracted a lot of attention, but achieving sufficient scale has always been difficult in a face-to-face environment," Nick Telford-Reed, Worldpay's director of technology, said in a statement to Worldpay's Better Business Conference. "It's partly because of cost, but also because people don't want the admin hassle of registering their details. With this prototype we would remove that hassle. Card users could be automatically enrolled in the system when they use their card."

MasterCard also is trying out facial recognition verification. It is developing a new biometrics payment system called MasterCard Identity Check, which "will be ready in mid-2016 for online transactions," Bob Reany, senior vice president of identity solutions for MasterCard, said in an emailed response to questions. Users set up a biometric profile for online shopping and then verify transactions by fingerprint or facial recognition.

With the latter, if you are making a mobile purchase with your MasterCard, you'll take a "selfie" to verify the purchase. MasterCard will compare this photo with a photo on file, and ask you to "blink to prove you are human".

However, the system has flaws. Some users involved in the test already found a workaround to the blink test by using an animated gif-style photo of themselves and holding that up to the verification camera instead of their actual face. However, combined with fingerprint verification, facial recognition could still be useful as an added layer of authorization.

2. Fingerprint scanning.
Fingerprint scanning is the most popular form of biometric verification. Fingerprints are unique to each individual, so they're considered a more secure verification method than facial recognition (even identical twins do not have the same fingerprints).

MasterCard incorporates fingerprint scanning in its Identity Check system. Additionally, Apple Pay already uses fingerprint scanning technology to verify payments, as does Samsung Pay, which should be available in the UK later in 2015.

Google is working with mobile phone networks to preload Android Pay onto its phones and utilise the new fingerprint scanner in Android M.

3. Retina and iris scanning.
A retina scan uses the unique patterns of your retina blood vessels to identify you. Iris recognition uses mathematical pattern-recognition techniques on video images of the irises of your eyes, which are also unique. High-tech cameras provide detailed images of the intricate structures of the iris to authorise transactions.

Visa is looking to incorporate iris scanning into its online payment service, Visa Checkout. Visa Checkout already supports Apple's Touch ID --  the company's fingerprint recognition feature -- and will support Android's similar authentication process when it arrives. Iris scanning would be an additional option, though it's not certain yet how it would be used.

With Visa Checkout, you store your existing credit or debit card information with the service (even non-Visa cards). Currently, when you're ready to make an online purchase at a participating site, you click the "Pay with Visa Checkout" button and enter your Visa Checkout username and password to complete the purchase. Iris scanning could be used in addition to your password or instead of it.

4. Heartbeat recognition.
Halifax Bank trialled a wristband that verifies your identity using your heartbeat rhythm. The electric wave pattern of your heartbeat is unique and, unlike your face, it remains the same over time. Customers used the wristbands as verification when logging on to their online banking system. The trial was conducted in a UK innovation lab, and the bank is still assessing results.

Pitfalls present, but overall, biometrics is secure
Biometric verification systems are not without their problems. You could be locked out of a fingerprint system, at least temporarily, if you injure your finger. What's more, fingerprints are on everything you touch, so there are opportunities for criminals to copy them. While a never-changing fingerprint can be great for never losing a password, it also means that if your print is copied, you won't be able to use it as identification for anything anymore.

Other forms of biometric verification, such as heartbeat recognition or retina scans, wouldn't have this disadvantage. However, there's always the chance you could have problems with the scanner.

In addition to the previously mentioned flaws with facial recognition, you could change your hair, need glasses, be in a dimly-lit place or just not take a good photo, which could hold you up. Or, someone who looks similar to you could be recognised as you.

However, the chances of a thief stealing your biological data to gain access to your system are unlikely. Replicating physiology is intrusive and expensive, and the odds of a criminal not only copying a fingerprint or scanning your retina, but having the technology and funds to replicate it on a separate apparatus and then steal your device are likely pretty slim. Biometrics are intentionally easy to use, but complex to design -- the more complex a system, the more difficult and expensive it will be to attack.

"People must feel safe and secure," Visa Europe's Vaux says. "Chip and PIN was successful because the industry put out a clear message and customers knew how it worked. Customers need to feel protected if something goes wrong rather than be told that the system is safe and no security breach will ever happen."

See related: Could mobile payments replace your plastic?, How payments will evolve in the next decade

Published: 6 November 2015