The mention of biometric cards may be met with a raised brow or a quizzical look. But if you offer a further explanation and ask a consumer if they can see the convenience of holding a payment card with a biometric sensor on it to make a high value payment without having to enter a PIN, things suddenly become clear and are generally very well received.
UK’s Natwest, France’s Société Générale and Italy’s Intesa Sanpaolo are all in the race to deliver this added convenience to their customers. The solution consists of having a physical card, with a fingerprint reader embedded in it, enabling the cardholder to authenticate themselves before tapping the card on the terminal. An interesting solution to a problem already solved by Apple Pay and the likes, you might be tempted to think.
Not quite. Market segments either left behind by or averse to the mobile payments revolution, can finally be targeted. My mother is part of that category. She fully adopted contactless payments when she visited me here recently, finding PINs to be too much of a hassle but quickly reverted to cash when she realised that contactless wouldn’t get her the weekly shop at Monoprix, by default greater than the 30 EUR limit, without the PIN accoutrement.
This biometric card offering also resolves the customer pain that is likely to hit contactless card payments as from the 14th September 2019, when the Regulatory Technical Standards (RTS) start to apply.
In less than six months, unless applicable exclusions apply, conventional contactless cards would, in all likelihood, need to be chipped and pinned again after as little as 5 coffees. These new biometric cards offer an edge on this issue.
Biometrics as a CVM enable, like PINs, fulfilling the Strong Customer Authentication (SCA) requirement of having at least two of three independent elements:
- Knowledge (e.g PIN)
- Possession (e.g Card Possession)
- Inherence (e.g Biometrics)
The difference however lies in the perception of this SCA transaction. Where PINs would require lengthy Online PIN authentications in contactless or cumbersome and disruptive step-ups to contact transactions, biometrics on card offer a seamless continuity in payment ergonomics.
Moreover, biometrics are expected to be non-repudiable. Back in the days, signatures could make up for extravagant excuses like those of Rebecca Bloomwood’s in Sophie Kinsella’s ” The Secret DreamWorld Of A Shopaholic”:
I never go to Millets. […]. Some criminal’s pinched my credit card and forged my signature. Who knows where else they’ve used it? No wonder my statement’s so black with figures. […]. Someone must have pinched it from my purse, used it – and then put it back.Sophie Kinsella: ” The Secret Dreamworld Of A Shopaholic”
Such excuses are less likely for PINs, but not impossible, considering shoulder surfing. And nearly impossible for biometrics.
The appreciation of “nearly” is key here. Fingerprint sensors on cards are not the same as those on border controls – they are primarily meant for convenience. This might sound obvious, the smaller the sensor, the less minutiae are read, the less precise is the biometric match.
There is therefore a risk, albeit infinitesimal of a wolf, someone whose subset of “8 features on a 100mm2 fingerprint sensor” being a match, going on that Millet’s spending spree. A little far-fetched certainly, when working out the probabilities.
The greatest challenge however, lies, at the very heart of the solution: Biometric self-enrolment. The enrolment procedures on roll-out have not been entirely unveiled yet. A proper enrolment procedure design is crucial to the whole lifecycle of the card, requiring a careful balance between the comfort of an easy procedure, maximum assurance that the right individual is being enrolled and well-suited risk mitigation actions. Unlike the OEM-Pays which, being based on phones, have the ability of having interactive onboarding checks, enrolment for the card form factor is not straightforward. Various solutions are being proposed, ranging from a controlled enrolment at the bank to checking-in on a banking portal, or online equivalent after enrolment. It is not clear that any one of these is the right answer for all customers.
Finding an optimal solution is vital. As Mastercard puts it, “it’s all about providing options that make life easier and more convenient, ultimately improving the shopping experience without compromising safety and security.”