Biometric cards could make a strong dent against credit card fraud, but several myths surround the technology.
Biometric payment cards offer the potential to slash credit and debit card fraud. By registering and using your fingerprint with your payment card, you provide a much more secure means of authentication than is currently found on traditional bank cards. In many ways, biometric payment cards are similar to the payment methods we use with our mobile phones. Just as many of us use fingerprint recognition to unlock our phones and authenticate a payment, we would do the same with a biometric payment card.
But several myths and misperceptions have arisen about biometric cards centered around security, compatibility, and cost. A recent post in Fintech Finance by David Orme, senior vice president at IDEX Biometrics ASA, attempts to shatter some of those myths.
SEE: Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
One misconception described by Orme concerns how and where your fingerprint would be stored. Your fingerprint data would not be saved in some central external database by the bank. Rather, the data would be stored locally on the card in an encrypted format. Using this method, people would be able to register their fingerprints at home via a remote process.
"Upon registration, the owner's fingerprint image is immediately transformed into an abstract biometric certificate via encryption technology," Orme explained. "This is then stored in the secure element of the card's EMV chip, and the owner's data never leaves the card. In this case, even if the fingerprint data was somehow extracted from the payment card, it cannot be used without the encryption key to unlock the biometric certificate."
The local storage used by a biometric card would be similar to the method used by mobile devices. iPhones and Android phones that use fingerprint recognition as authentication store your fingerprint information solely on the device.
To help people easily register their fingerprints, payment card issuers should supply a single-use, battery-powered enrollment sleeve, advised Orme. Such a dedicated sleeve would work only for registration and could not be used to override the stored fingerprint. Though the sleeve itself would require a battery for power, the payment card would work in a more passive mode. As such, it would draw power from the point-of-sale systems to authenticate the fingerprint and therefore would not need a battery.
As with any authentication system, there would be a certain failure rate in which the fingerprint could not be recognized or authenticated, in some cases due to damage to the card itself. But since biometric cards can use a contactless method of payment, there should be less wear and tear on the card itself. Still, some transactions are bound to result in false positives or negatives. In this case, however, a PIN would have to serve as a backup means of authentication to ensure that the customer can complete the transaction, according to Orme. This system would be no different than that used on mobile devices. If your fingerprint fails to authenticate a payment via your iPhone or Android phone, you turn to your PIN as backup.
One myth has been that biometric cards will require new point-of-sale and banking systems. But in fact, these cards will work with existing retail and banking systems, Orme asserted. Beyond compatibility with traditional card readers, the cards will work with ATMs so people will be able to use them to access money and complete automated banking transactions. Orme also sees further potential for biometric cards.
"While fingerprint biometric smart cards are primarily thought of as a payment technology, their potential as an authentication goes far beyond payments," Orme said. "As well as contactless transactions, biometric smart cards can also provide authentication for physical and virtual access control, such as to offices and company networks or mass transit ticket systems. When incorporated with biometric fingerprint data, smart cards can also prove valuable to combine government IDs, healthcare access, and payments, all into one single, convenient and secure identity card."
One perception about biometric debit or credit cards is that they'll cost most than regular bank cards. That perception is correct, according to Orme. The technology required for biometric authentication entails a higher expense than the technology used in today's payment cards. However, Orme believes that consumers would be willing to pay a small fee for a more secure payment card. Further, one reason for the higher cost would be the initial slow adoption rate. As biometric cards catch on with the public, the costs should go down. And technology itself may trim the higher price tag.
"Work is also underway to reduce these product costs further," Orme said. "Advanced technology, such as hot lamination, is currently being developed to aid the capacity for mass production of biometric smart cards, which will help further scale down card price points."
So far, biometric cards are off to a slow but steady start, as is the case with most new technologies. Credit card and SIM chipmaker Gemalto unveiled a contactless credit card with fingerprint recognition in 2018, a card currently in use through the Bank of Cyprus. Visa is currently running a pilot program for biometric cards with Mountain America Credit Union and the Bank of Cyprus. Mastercard has also been test piloting the use of biometric cards, announcing a trial run in Mexico this past May.
As the testing and pilot phases run their course, and the technology gains traction among consumers, biometric cards should become a more viable means of payment and a more secure way to protect credit and debit cards.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Windows 10 security: A guide for business leaders (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2019 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)