Improving Cardholder Authentication
On-card fingerprint readers add an inherence authentication factor to payment cards for use in face-to-face retail transactions. Inherence factors rely on checking something physical about a person for authentication e.g. fingerprint, retina pattern or facial features. The addition of this complements the unique secret keys on an EMV card that are used to make it acts as a possession factor, and the PIN that is sometimes supported and acts as a knowledge factor. Requiring a possession factor and either of the other factors for a transaction creates a powerful two-factor authentication approach to mitigate against fraud.
Support for fingerprint biometrics on cards could be particularly useful as a mitigation against lost stolen face-to-face fraud in environments where transactions cannot be performed using PIN. An example of this is contactless UK credit card transactions. Unlike with a regular card, if a fingerprint card was stolen, the thief would not be able to use the card for contactless transactions as they would not pass the fingerprint validation.
According to the Fraud – The Facts 2021 report from UK Finance, face-to-face fraud losses at UK retail in 2019 (i.e. pre-pandemic) were £48.9M from an overall fraud loss total of £574.2M i.e. around 8.5%, with contactless fraud probably being less than one third of this (applying the proportions from 2020). However, post-pandemic, with new attitudes towards cleanliness, and the increase in contactless limits, we may see this increase, but this type of fraud is still likely to be small compared to other types, such as card-not-present fraud, as it does not scale well.
However, adding fingerprint readers to cards adds significantly to the cost of card issuance, in some cases increasing the cost of each card by several times. Consequently, the technology’s value as a fraud defence may not be sufficient to outweigh its cost, which could relegate the technology to being a niche value-add feature for the tech-savvy high-spend customer.
High Value Transactions and Strong Customer Authentication (SCA)
As a result of their cost, fingerprint readers on cards may not be viable solely as a fraud defence. However, they may be viable if their value as a fraud defence is augmented by their potential to increase spend by simplifying the user experience when using contactless cards as the primary means of payment or for high value transactions. The contactless limit in the UK has recently been increased to £100. This means that contactless payments on a regular card can be made up to £100, anything higher and a regular card must be used over the contact interface with PIN or a mobile device must be used (e.g. Google Pay or Apple Pay) which support passcode or biometric authentication for card payments. Additionally, PSD2 SCA requirements are now in force, meaning that there are now cumulative limits of 5 transactions and £100 (€100 in the Eurozone) on transaction without a second authentication factor (e.g. PIN or biometric).
Through the use of PINs and biometrics on mobile devices for card payments, the restrictions around high value transactions and SCA are mitigated and have no impact on the customer experience, but cards traditionally do not support such approaches for contactless transactions and so friction is present. Where these limits are tripped, contactless transactions attempted with a regular card would have to be redone using the contact interface and PIN or, another card or mobile device. This is particularly problematic at self-checkout where customers expect their cards to just work. This friction may be detrimental to keeping an issuer’s card front of wallet.
By including a fingerprint reader on the card, high value transactions and transactions in the scope of SCA can be performed with no additional steps. This could be valuable from a user experience perspective, and by avoiding the friction that can be present for some contactless transactions, this could help to ensure that cards stay front of wallet or gain that place over competitors’ products.
User Experience Considerations
There can be user experience challenges with fingerprint cards. Registering the cardholder’s fingerprint can require a process whereby the card is inserted into a special sleeve to activate fingerprint registration. This of course is something else that the issuer has to pay for supplying, causing further issues with financial viability. Tapping the card to a phone running a special app can provide an alternative registration approach, but care is needed in designing the user interface of the app as tapping cards to phones can be hit and miss if not handled with care by the developer as the card may have to be placed in just the right spot on the phone to work.
Care is also needed to avoid user experience issues in use. If the validation requires too close a match then false negatives can be a problem leading to a poor cardholder experience with the solution, requiring too loose a match and issues with false positives may arise. Furthermore, whilst some solutions include an indicator on the card to indicate successful / failed validation, some don’t, meaning that a cardholder may be confused if fingerprint validation fails. These user experience complexities may result in a negative opinion of the technology and of the issuer if not handled well, so there are significant risks to consider when deploying this technology.
The decision whether to implement fingerprint cards is complex and care must be taken to ensure that there is business benefit in doing so. Determining how enrolment should be done is also key to a successful implementation.
At Consult Hyperion we can help organisations understand the benefits of implementing biometrics on cards to support the development of a business case. Furthermore, by leveraging our deep understanding of payment technology and track record of successful EMV implementations, we can help institutions evaluate solutions and work with personalisation bureaus to implement them successfully for pilot and full production.