[Dave Birch] I’d never been to a BankCarCamp before so I wasn’t sure what to expect at the BarCampBank London last week. I needn’t have worried: as well as Forum friends such as Chris Skinner, Stephen Mason and James Gardner, there were both old pals and new acquaintances. The discussions were open and fluid and the combination of views did its job in generating new thinking. I was only sorry that I had to leave at lunch time to get over to OpenTech. One of the groups that I took part in was looking at the use of biometrics at retail POS and I tried to write up some notes to report on the key issues, as I thought blog readers would find them interesting. The discussion ranged over three fairly distinct areas: the drivers for biometrics at POS, the technologies and the business case. So far as the drivers go, the CHYP position has been reported before:
Biometrics work well in controlled environments such as ATMs, it’s true. But it’s not clear — despite a number of roll-outs — whether they offer a realistic alternative to cards at POS because, as we have consistently advised our clients, biometrics at POS are driven by convenience, not by security.
[From Digital Money Forum: Fingering suspects]
I think it’s fair to say that most people felt the same way, although there was some discussion on whether POS fraud is high enough to demand more security but the consensus was that it was not. As for the issue of technology, framed by the debate about convenience, it was not clear to me that the example often used, the fingerprint, has much role to play going forward. It doesn’t provide a particularly good trade-off between convenience and security, for one thing, and to many people it has connotations of criminality. Nevertheless, the technology is moving along and standardisation will help it:
“I think that ISO 19092:2008 will certainly be the kick start that biometric security needs, as it will provide the financial industry with some fantastic guidelines to enable them to implement both the architectural and policy/procedural changes required,” says Jason Pearce, director of sales engineering in Asia-Pacific for RSA, the security division of EMC.
[From Vendor Articles: 4/7/2008 Biometrics usage to pick up with new ISO standard?]
There are plenty of other biometrics to choose from, but surely we will end up using voice, for the straightforward reason that it can function in both local and remote environment, unlike biometrics such as fingerprints (because a remote service provider couldn’t tell if you were really putting your finger on the reader or replaying someone else’s. But for the purposes of the discussion, we can assume that the technology is there (provided it’s main purpose is convenience rather than security). A couple of people mentioned the combination of biometrics and mobile phones as being a promising avenue for exploration and I must agree. The mobile phone is clearly going to be the key device in the consumer space, so for biometrics to go with the grain they have to embrace the mobile from the start.
The business case discussion naturally focused on fraud and the relationship between biometrics and other technologies (eg, contactless) at point of sale. I can’t say that this part of the discussion came to any particular conclusions (if it did, they’re not in my notes) but the fact is that the chip and PIN migration has led to substantial reductions in POS fraud (and substantial increases in CNP fraud) so there’s no desperate need for another technology at POS, especially when the retailers and banks are already engaged in rolling out contactless.