Consumers will soon be able to authorise payments using fingerprint- or face-recognition systems. Such technology could significantly improve security, but it’s not without its risks.
Once upon a time, making a payment with a little plastic card was seen as the height of convenience. Now you can leave that at home and pay with your phone – and before long, you might not even need that.
Biometric payment technology automatically identifies people from their face, fingerprint or any other unique physical characteristic. It isn’t a new concept: such data has been used as an identification method since the development of fingerprint analysis for criminal investigations in the 19th century. In fact, there is evidence that fingerprints were used to seal business contracts thousands of years ago in ancient Babylon, although it’s unlikely that they understood that a print was unique to a particular person.
But technology has massively expanded the potential of biometric verification. Whereas fingerprint matching once occurred in specialist labs, it’s become something that mobile phones do for many of us several times a day – and that’s not even counting other techniques, such as facial recognition or iris scanning.
Payment technology has advanced significantly since the start of the 21st century, when card payments were still primarily authenticated by signatures. Chip and PIN and contactless are now taken for granted with physical payments, while online authentication methods continue to evolve as the technology advances.
But security remains an issue. How do businesses ensure that the person using a card and PIN is the owner? Increasingly, biometrics will provide the solution.
The technology is already being used to improve security when making financial transactions. This is partly by default, as phones secured by biometrics are becoming a common payment method in themselves.
Beyond the phone, numerous other biometric security methods are being introduced. Mastercard and Visa have trialled payment cards that can be authorised via a fingerprint sensor built into the card itself. Mastercard is trialling payment tech with the Brazilian supermarket chain St Marche that lets customers pay by checking their IDs through facial recognition. The days of remembering PINs and passwords may be over. Physical markers will be used instead to guarantee that the person making a payment is who they say they are.
There are numerous ways that biometric information can be a strong indicator of someone’s identity. A whole range may come into play in different payment scenarios. Biometrics can also be behavioural as well as physical, as Mark Nelsen, senior vice-president at Visa, explains.
“The way you type and swipe on your phone, for instance, is unique to you and can be used to confirm your identity when making a payment, without you actually having to do very much,” he says.
But will everyone be happy to give up their biometric data to make payments more convenient and secure? Ajay Bhalla, president of cyber and intelligence at Mastercard, says its St Marche facial recognition trial saw a “strong initial consumer response and repeat usage”.
According to the company’s global research, more than two-thirds of consumers agree that using biometrics for identification or payments is more secure than PINs, passwords or other forms of identification. The pandemic has also had an impact on payments: more than half of in-store payments have become contactless since the Covid crisis started.
Bhalla believes that “allowing card-holders to use their biometric data to initiate a transaction is the next step in terms of touchless payment experiences”.
It’s important that customers can choose payment methods they’re comfortable with, according to Nelsen, who adds: “Everyone has their own preferences. The same consumer might be happy to pay with a biometric when using their mobile wallet on public transport, but they might want to pay for a holiday using their physical card and a laptop PC.”
Although it seems likely that most customers will be happy to use these methods, it’s important for retailers to factor in those who may be hesitant about adopting new payment technology.
And there are risks for businesses and their customers to consider. “The unique nature of biometrics is also its biggest vulnerability,” says Prakash Pattni, managing director of digital transformation at IBM Cloud for Financial Services. “Biometric data is either stored locally, perhaps on a mobile, or centrally in a database. If the data is stolen – for example, a fingerprint is copied – then little can be done to re-secure it.”
Poorly implemented verification tech could be a disaster, so it’s not something to take lightly. Companies need to be sure their customers can have faith in their systems.
The good news is that the technology to secure biometrics is advancing just as quickly as the technology to read them. Data will necessarily be encrypted, but specific techniques are also being developed, including ‘cancellable biometrics’. This, explains Pattni, is “biometric data that is transformed using complex algorithms that cannot be reverse-engineered. It is this biometric template that is used for identity verification and can be deleted and replaced in case of loss or compromise.”
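To make the idea of a replaceable template concrete, the following is an added illustration (not code from any company quoted here) of one simplified cancellable-biometric transform: a seeded random projection reduced to sign bits. The function names, seed strings, bit length and threshold are assumptions chosen for the example, and the feature vectors are constructed sample data.

```python
import hashlib
import random

def _projection(seed: bytes, n_bits: int, dim: int):
    """Seed-specific random projection matrix; the seed is the revocable part."""
    rng = random.Random(hashlib.sha256(seed).digest())
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]

def enroll(features, seed: bytes, n_bits: int = 256):
    """Project the features and keep only the sign of each result.
    Many feature vectors map to the same bits, so the stored template
    does not contain the original measurement."""
    rows = _projection(seed, n_bits, len(features))
    return [1 if sum(w * x for w, x in zip(r, features)) >= 0 else 0 for r in rows]

def distance(a, b):
    """Fraction of differing bits (normalised Hamming distance)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(features, seed: bytes, stored, threshold: float = 0.25):
    """Accept when a fresh capture, transformed with the same seed, is close."""
    return distance(enroll(features, seed, len(stored)), stored) <= threshold

def demo():
    rng = random.Random(2024)  # constructed sample data, not real biometrics
    finger = [rng.gauss(0, 1) for _ in range(128)]
    recapture = [x + rng.gauss(0, 0.1) for x in finger]  # same finger, sensor noise
    impostor = [rng.gauss(0, 1) for _ in range(128)]

    seed_v1, seed_v2 = b"user-42/template-1", b"user-42/template-2"
    stored_v1 = enroll(finger, seed_v1)
    stored_v2 = enroll(finger, seed_v2)  # reissued after template 1 is compromised
    return {
        "genuine_accepted": verify(recapture, seed_v1, stored_v1),
        "impostor_rejected": not verify(impostor, seed_v1, stored_v1),
        # A stolen template 1 does not match the reissued template 2,
        # even though both come from the same finger.
        "stolen_template_rejected": distance(stored_v1, stored_v2) > 0.25,
        "reissued_accepts_genuine": verify(recapture, seed_v2, stored_v2),
    }

if __name__ == "__main__":
    print(demo())
```

Revocation here means deleting the stored template and its seed and enrolling again with a new seed; the finger itself never changes.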
Any security-related technology inevitably involves a level of risk. Mitigation strategies will have to evolve alongside the technology and as new vulnerabilities are discovered.
Biometrics are becoming an increasingly big part of our lives, from unlocking our phones to navigating passport control. They are a natural fit for the payment sector thanks to the security and convenience they offer to customers. But this will work only if companies are prepared to understand the risks, properly mitigate them and support any reluctant customers as the technology moves from the cutting edge to the everyday.