{"url":"https://www.clear.sale/blog/biometric-customer-authentication-is-not-a-cure-all-for-cnp-fraud","title":"Biometric Customer Authentication It’s Not a Cure-All for CNP Fraud","tldr":"Can biometric authentication stop CNP fraud? Fingerprints and facial scans cut friction but cannot be reset once stolen. Know the limits first.","markdown":"TL;DR\n\nBanks and card companies are adopting biometric authentication such as fingerprint, voice, and facial scans to reduce checkout friction, including Visa fingerprint-sensor cards and biometric options under Europe's PSD2 two-factor rules. But security experts warn that some biometrics are as vulnerable to exploitation as other consumer data, and far more damaging once compromised because a fingerprint or face cannot be reset. Merchants need to understand both the usefulness and the limits of biometric data for fraud prevention and customer experience.\n\nTwo big pieces of news from the payments world have put the spotlight on biometric authentication tools for shopping and banking, and at a glance it seems like biometrics could fix a lot of the fraud challenges the retail and banking industries face. But other news and a growing chorus of input from security experts indicates that some types of biometrics are as vulnerable to exploitation as other consumer data—and far more potentially damaging once compromised.\n\nAs consumers may increasingly expect to be able to use a thumbprint, voice, or facial scan to shop, merchants need to understand the usefulness and limits of biometric data for fraud prevention and customer experience.\n\n##### More banks and card companies adopt biometric authentication\n\nBiometrics have been in the news on both sides of the Atlantic this year. In April, the four major card brands [dropped some or all of their consumer signature requirements for POS purchases](https://www.upi.com/All-4-major-US-credit-cards-ditch-signatures-with-eye-on-biometrics/4711523330286/) in the US in a bid to reduce friction at checkout and reduce merchant processing costs. To replace signatures for customer authentication, Visa is trialing EMV contactless-compatible cards that have[built-in fingerprint sensors](https://usa.visa.com/about-visa/newsroom/press-releases.releaseId.15401.html). At the point of sale, users will touch the fingerprint sensor to validate their identity by comparing the impression to their stored fingerprint data.\n\nMeanwhile, in Europe, the implementation of the revised Payment Services Directive (PSD2) means that banks and other payment services [must support two-factor transaction authenticatio](https://www.secureidnews.com/news-item/new-mobile-authentication-strives-use-biometrics-address-psd2-banking-rules/)n on mobile devices. Industry watchers and app developers expect biometrics to figure prominently in new security protocols because they create less friction than keying in passwords or codes delivered via SMS. It’s clear that biometrics are becoming part of the fraud-prevention landscape. What’s less clear is what happens when, not if, biometric data is compromised.\n\n## Physical biometrics are vulnerable to hackers and fraudsters\n\n[Click here to continue reading.](http://paymentsjournal.com/biometric-authentication-not-cure-cnp-fraud/)\n\n## Frequently Asked Questions\n\n### Why are banks and card companies adopting biometric authentication?\n\nBiometrics reduce friction at checkout compared with signatures, passwords, or SMS codes. In 2018 major card brands dropped some or all signature requirements for US point-of-sale purchases, and Visa began trialing EMV contactless cards with built-in fingerprint sensors.\n\n### How does PSD2 affect biometric authentication?\n\nEurope's revised Payment Services Directive (PSD2) requires banks and payment services to support two-factor transaction authentication on mobile devices. Industry watchers expect biometrics to feature prominently because they create less friction than keying in passwords or SMS codes.\n\n### Is biometric authentication a complete fix for CNP fraud?\n\nNo. While biometrics can help reduce friction and add a layer of security, they are not a cure-all for card-not-present fraud. Security experts warn that some biometric data is as vulnerable to exploitation as other consumer data.\n\n### What happens when biometric data is compromised?\n\nCompromised biometric data is far more potentially damaging than other consumer data because a fingerprint, voice, or face cannot simply be changed like a password. The article frames this as a question of when, not if, such data is breached.\n\n### How do Visa fingerprint cards work?\n\nVisa's trial cards include built-in fingerprint sensors compatible with EMV contactless. At the point of sale, users touch the sensor to validate their identity by comparing the impression to their stored fingerprint data.\n\n### What should merchants understand about biometrics?\n\nAs consumers increasingly expect to shop with a thumbprint, voice, or facial scan, merchants need to understand both the usefulness and the limits of biometric data for fraud prevention and customer experience. Biometrics are becoming part of the fraud-prevention landscape but do not eliminate the need for broader protection."}