It can be easy to only see biometrics as a futuristic technology that is best suited for gaining access to something – like your mobile device. But Mark Nelsen, SVP of Risk Products and Business Intelligence at Visa sat down with MPD CEO Karen Webster to discuss how bridging the gap between biometrics and EMV is taking secure payments to a new level.
It can be easy to only see biometrics as a futuristic technology that is best suited for gaining access to something – like your mobile device. But Mark Nelsen, SVP of Risk Products and Business Intelligence at Visa, sat down with MPD CEO Karen Webster to discuss how bridging the gap between biometrics and EMV is taking secure payments to a new level.
Is biometrics the future of authentication, especially for secure transactions like payments?
Visa thinks it could be.
Its “first-of-its kind technology framework,” debuted two weeks ago, leveraging the EMV standard and opening the door to using biometrics to authenticate the consumer in an entirely new way.
“Biometrics have a really good way of creating better security for eCommerce and remote payments in particular, which is the most difficult channel to secure just because of the nature of the environment,” said Mark Nelsen, SVP of Risk Products and Business Intelligence at Visa. “Using a fingerprint on a handset to verify an eCommerce transaction is a really strong way to introduce better technology for a more convenient and secure payment.”
Visa announced its new specification earlier this month, which can enable fingerprint, palm, voice, iris, or facial biometrics to support open, globally interoperable solutions. A biometric template such as fingerprint is securely loaded onto a chip card; when the card is inserted into a reader with a biometric capture, the consumer would then be prompted to verify the transaction by using their fingerprint or the appropriate biometric application. The biometric is then encrypted by the reader and validated using “match-on-card” authentication.
[bctt tweet=”Biometric authentication is uniquely positioned to provide better security for eCommerce and remote payments”]
In instances where biometrics are captured when a consumer signs up for a new card at a bank, the financial institution can then load an encrypted version of that biometric onto the chip card itself, Nelsen explained.
“It is not like entering your biometric at the point of sale and it being sent to some cloud-based server where there is a chance of it being detected and stolen by malware,” Nelsen explained.
Instead, the specification simply matches the biometric entered to what’s on the card itself using the same existing cryptography Visa uses to protect PINs at the point of sale, he added.
The ability to avoid sending a valuable biometric to any “hackable” location is a distinguishable feature of the architecture Visa has designed and offered to donate to EMVCo in the hopes that it will become the standard for how biometrics are enabled for commerce.
For now, the specification is focused on markets where biometrics are already largely being captured by financial institutions or payments providers at some point in the enrollment process, such as India, South Africa and Brazil.
In those markets, combining EMV chip card technology with biometrics to help prevent fraud at the point of sale or at ATMs makes sense and Nelsen confirmed Visa has already seen a number of different use cases for the specification.
One specific use case involves authenticating government benefits to be sure that they are, in fact, being sent to legitimate people. When the recipient of government funds uses the card, the specification can confirm that benefits are not being used by a person who is deceased, and/or someone other than who the funds were intended for.
But it may be some time before Visa is able to bring the specification stateside.
“In the U.S. marketplace it’s less likely to have a near-term deployment because the use of biometrics in the U.S. is geared more towards mobile device authentication,” Nelsen said. Meaning that the mobile device itself owned by the consumer has the biometric reader in it, not the point of sale environment itself.
“We think that will likely be the path for the U.S. — introducing biometrics to better secure remote payments is probably the next logical progression, particularly in the U.S. marketplace,” he said.
According to Nelsen, Visa has already began experimenting with using the technology for remote payments, while making sure there is no impact to the consumer experience.
[bctt tweet=”Many challenges lie in establishing biometrics as a standard security measure in the payments ecosystem”]
As promising as biometrics are in securely authenticating the consumers, Nelsen admits that getting biometrics to move mainstream won’t be easy.
“I do think there are going to be some challenges because this is a touchy subject. There are people who feel strongly that if your biometric is stolen it is irreplaceable… But our goal at Visa is to make sure when we use biometrics at the point of sale or in payments there’s adequate security standards in place so that the data is encrypted and if it is stolen it can’t be reused,” Nelsen said.