Many people think, correctly, that biometrics can help to improve security for mass-market payment systems. But you have to use them the right way.
How would did you pay for your last car? Or your last cup of coffee? Did you use different payment products or technologies for these different purposes? I didn’t: I used my debit card for both. In order to buy the car, I just had to know the PIN. In order to buy the cup of coffee, I didn’t have to know my PIN (or signature or anything else) but I did have to provide photo ID. As a consequence, it took longer to buy the coffee and was less convenient. Welcome to the world of payment authentication.
I don’t think buying car using a chip and PIN card is remarkable or even interesting, by the way. I’m sure people do it all them time. Here’s a chap in Canada who did it, for example.
Monaco, the founder and managing partner of a Toronto investment relations firm, alleges in his lawsuit that he discovered the charge of $81,276 “during a routine check of his Visa account balance” in June 2010.[From Bank customer’s lawsuit raises questions about fraud liability – Canada – CBC News]
So the guy bought a car with a chip and PIN card. As I said, we’ve done the same. When my wife bought her new car, we paid using chip and PIN. Having test driven the car, a used Peugot, and decided that she wanted it, we arranged to go and complete the sale. I called the dealer and asked if he wanted me send him the money over the interweb tubes (in the UK, we have the immediate settlement Faster Payment Service, FPS, so I could have sent him the money by PingIt or mobile banking with no trouble at all) and he said that no, a debit card would be fine (*). We drove down to dealership, signed the papers, I put by bank debit card into the terminal and entered by PIN. Transaction accepted. I thought I might get a phone call from my bank just to double check that I was buying a $12,000 used car with my debit card, but I never did.
Compare and contrast this pleasant and quick purchasing experience with my most recent card purchasing experience in America where, as I mentioned before, I was required to produce photo ID to buy a $3 cup of coffee on my Simple card. As was Jim Bruene, who was similarly surprised by the state of payments in the US in 2014!
@dgwbirch wasn’t making up coffee shop example. Just had to show photo id on $3.75 purchase. Waste of time/money. #payconnect
— Jim Bruene (@netbanker) March 11, 2014
it was more of a waste of time that you might imagine, since the photo ID I showed was an expired building pass for our New York office. Anyway, back to my point. If had a card with an $80,000+ credit limit and I used it to buy a car, even with a PIN, I would expect another authentication factor. Maybe an SMS to my phone, a message to my Amex app, something. I might even, for charges in excess of, let’s say, $75,000, expect to have my picture taken or be required to use my iPhone fingerprint reader as an additional factor to confirm the transaction.
This is not because the iPhone fingerprint reader delivers James Bond-style nuclear-launch level identification. It doesn’t, because it’s about convenience. In fact it does not guarantee identification at all, but using it as an additional and convenient authentication factor with the range of factors present in the mobile makes complete sense in risk management terms. And I think the public would be happy with it.
One in two people surveyed (49%) stated they would like to have biometric payments, such as fingerprint, palm or iris scanners, far outweighing the popularity of emerging mobile technology options.[From Biometric payments are top option for security-concious shoppers, survey finds | Retail News]
What this means, other than customers have seen biometrics in Hollywood movies but not NFC, is unclear, but I do think that using biometrics as a convenience technology in authentication for retail payments makes complete sense.
“We expect to see biometrics becoming increasingly prevalent over the course of the next 3-4 years, driven by a desire among vendors and consumers alike to be better protected when accessing mobile services,” summarised [Jean-Noel Georges].[From Investorideas.com – Biometrics Can Revolutionise Mobile Payment Security, says Frost & Sullivan]
As our old chum Julian Ashbourn (you can listen to Julian in our podcast series here) points out in this excellent new book “Biometrics in the New World–The Cloud, Mobile Technology and Pervasive Identity“, there is a world of difference between using biometrics for identification and using them for authentication to establish entitlement. It is this latter mode, in combination with the mobile phone, that offers us a practical and cost-effective way forward.
* Actually, I know that I always say that I never buy anything with a debit card, but the dealership surcharged on credit cards. Since I figured I had ample warranty and associated legal protections, and that I was buying from a reputable dealership, and that the Avios or cashback that I would get weren’t worth a fraction of the surcharge amount, I decided to use the debit card.