Banks and card companies are adopting biometric authentication such as fingerprint, voice, and facial scans to reduce checkout friction, including Visa fingerprint-sensor cards and biometric options under Europe's PSD2 two-factor rules. But security experts warn that some biometrics are as vulnerable to exploitation as other consumer data, and far more damaging once compromised because a fingerprint or face cannot be reset. Merchants need to understand both the usefulness and the limits of biometric data for fraud prevention and customer experience.
Two big pieces of news from the payments world have put the spotlight on biometric authentication tools for shopping and banking, and at a glance it seems like biometrics could fix a lot of the fraud challenges the retail and banking industries face. But other news and a growing chorus of input from security experts indicates that some types of biometrics are as vulnerable to exploitation as other consumer data—and far more potentially damaging once compromised.
As consumers may increasingly expect to be able to use a thumbprint, voice, or facial scan to shop, merchants need to understand the usefulness and limits of biometric data for fraud prevention and customer experience.
Biometrics have been in the news on both sides of the Atlantic this year. In April, the four major card brands dropped some or all of their consumer signature requirements for POS purchases in the US in a bid to reduce friction at checkout and reduce merchant processing costs. To replace signatures for customer authentication, Visa is trialing EMV contactless-compatible cards that have built-in fingerprint sensors. At the point of sale, users will touch the fingerprint sensor to validate their identity by comparing the impression to their stored fingerprint data.
Meanwhile, in Europe, the implementation of the revised Payment Services Directive (PSD2) means that banks and other payment services must support two-factor transaction authentication on mobile devices. Industry watchers and app developers expect biometrics to figure prominently in new security protocols because they create less friction than keying in passwords or codes delivered via SMS. It’s clear that biometrics are becoming part of the fraud-prevention landscape. What’s less clear is what happens when, not if, biometric data is compromised.
Click here to continue reading.
Biometrics reduce friction at checkout compared with signatures, passwords, or SMS codes. In 2018 major card brands dropped some or all signature requirements for US point-of-sale purchases, and Visa began trialing EMV contactless cards with built-in fingerprint sensors.
Europe's revised Payment Services Directive (PSD2) requires banks and payment services to support two-factor transaction authentication on mobile devices. Industry watchers expect biometrics to feature prominently because they create less friction than keying in passwords or SMS codes.
No. While biometrics can help reduce friction and add a layer of security, they are not a cure-all for card-not-present fraud. Security experts warn that some biometric data is as vulnerable to exploitation as other consumer data.
Compromised biometric data is far more potentially damaging than other consumer data because a fingerprint, voice, or face cannot simply be changed like a password. The article frames this as a question of when, not if, such data is breached.
Visa's trial cards include built-in fingerprint sensors compatible with EMV contactless. At the point of sale, users touch the sensor to validate their identity by comparing the impression to their stored fingerprint data.
As consumers increasingly expect to shop with a thumbprint, voice, or facial scan, merchants need to understand both the usefulness and the limits of biometric data for fraud prevention and customer experience. Biometrics are becoming part of the fraud-prevention landscape but do not eliminate the need for broader protection.