By Ian Benn
There has been a tremendous amount of conversation recently around biometrics and its role in payments. The idea that your customers can pay for goods and services without having to carry a wallet, or even a phone, has competitive advantages, but what’s the current state of play? And where are we headed?
What is biometrics and what are the types used in payments?
Let’s start with a definition. Biometrics covers the measurement of any aspect of our physical human characteristics, from the unique shape of our face or fingers to our DNA. Fingerprint scanning has been in existence for a long time and is one of the most popular biometric data points used for authentication: from immigration at an airport to unlocking your phone.
When it comes to payments, many methods that read biometric data are reliable, but not all are easy to manage or socially comfortable for consumers to use. Over the years, the payment industry seems to have focused on two main approaches: fingerprint analysis and face/eye recognition. Both approaches are based on what today’s consumers are already comfortable with. Most high-end laptop computers are equipped with fingerprint scanners for better security. And if you look at the latest smartphones, they too have similar technology to use fingerprint or face scanning for security purposes.
How do biometric payments work?
Biometrics is used in payments mainly for authentication purposes. Data such as fingerprints and face/eye scans can help verify the identity of the person paying. It all works in two main ways:
• The first is by the customer authenticating their identity on their device (for example, approving a transaction on a smartphone using the inbuilt fingerprint reader or face ID). This method is most common nowadays with mobile wallets that use fingerprint scanning or face ID to help customers pay with contactless technology such as Apple Pay and Google Pay.
• The second uses in-store hardware to capture the image, typically a high-definition camera and a large screen or a modified payment terminal that can capture this information. Though uncommon in North America, this in-store hardware can not only be useful for payment acceptance but may have other applications in the future, such as identity and age verification.
Phone-based biometrics are simplest and most popular
In almost all markets, the preferred model is using the phone for authentication. This is driven primarily by consumer confidence in the technology. A typical consumer is happy to have their biometric information stored on a device that they own — as it seems they have more control over it compared to an external device. The secondary driver is cost. If the smartphone is handling the biometric identification, then, once approved, the transaction can flow to a standard POS terminal via NFC as a standard contactless card or mobile wallet transaction. For merchants, this means that they don’t need to make any changes to their POS system or get any complex development work done for the payment service provider.
Non-phone based biometrics are complex
As you move away from smartphones to non-phone-based biometric payments, the level of complexity increases for merchants. There is a lack of standards, which makes the rollout of this technology internationally very difficult for manufacturers, and implementation costs can be high, so merchants can be deterred from considering this option altogether. For now, non-phone-based biometrics creates more challenges for merchants who wish to adopt this technology.
What does this mean for the future of biometric payments?
In North America, biometric authentication is real and already happening, but mainly on smartphones. In this case, there is very little impact on a merchant or a technology provider. The smartphone may be running powerful and complex analytics in the background, but for the merchant, they simply see a contactless transaction, one that may be at a higher transaction value than they might normally be able to approve.
In the recent past, I’ve talked about the rise of biometric authentication in typical payment environments. That market is currently dominated by phone-based biometrics where consumers authenticate the transfer of payment information on their device via a fingerprint scanner or face ID. For the merchant, it is a simple contactless transaction.
Non-phone-based biometric payments, however, are more complicated. They generally require merchants to own payment terminals that are equipped with hardware and software powerful enough to read biometric data. While interest exists in non-phone-based biometric payments in certain countries around the world, implementation has barriers and options.
Here are the six main challenges.
1. Lack of Standards Makes Rollout Challenging
Security standards are critical to the widespread adoption of any technology. Today, all the biometric payment solutions are tied to a single provider, each of which chooses to set its own standards. The privacy of personal data is enshrined in protective laws in almost all jurisdictions and these laws often lag technical change. Whilst the principles and purposes of data protection laws are consistent, their application and specifics are not necessarily so. Both factors make widespread rollout challenging for any technology provider.
2. Concerns Over Biometric Data Privacy
Biometric data privacy is a major market inhibitor. In many countries, we have seen concerns from consumer groups and governments where biometric cameras have been used for security or marketing purposes, and governments also remain cautious over the creeping commercialization of such data.
Strangely, while consumers are expressing strong hesitancy about their image data being held for non-phone-based biometrics, the level of concern on the phone is far lower even though data is often held in the cloud. Maybe this is because many of us see our phone as an extension of ourselves – our brain’s external hard drive.
3. Biometrics Are Hard, But Not Impossible to Crack
Hackers have shown that it is possible to fool security systems that depend on fingerprint and even iris scanning with low-tech solutions based on high-quality photographs. One, for example, was able to beat an iris scanner simply by sticking a photograph of an iris to the inside of a hard contact lens to emulate the shape of an eye. Another popular video shows a shopper in China using face recognition at a self-service kiosk – as she bends down to tie her shoelace, instead of the camera scanning her face it simply recognizes the man behind her in the queue who is distracted by his phone and is billed for her purchases. The serious issue with biometrics is that, unlike with a password or token, once your face or finger has been compromised you can’t simply change it to another one.
4. Costs Are High for Non-Phone Based Facial Recognition
Most solutions in use today need a high-quality camera, considerable processing power and greater internet bandwidth. Facial and iris reading also depends on the right ambient light conditions, making the technology difficult to roll out in many circumstances. Cameras usually need to be mounted at face height which can be challenging in an in-store environment. All these conditions, though achievable, are expensive to implement and are difficult to roll out.
5. Limitations with Face Recognition
Facial recognition has come a long way but there are still many challenges with the technology when it comes to non-phone-based devices. From a payment environment standpoint, ambient light is a key factor since bars are often dark and retail stores can be overly bright in North America. This can govern what type of business opts for this technology. Another key limitation with facial recognition technology is skin tone. Research has shown that facial recognition is more accurate for white males and considerably less accurate for dark-skin-toned females. One common inference from the research is that the AI behind the platforms often uses the internet as a source of “learning” comparison data. As the population of faces on the internet is more skewed towards white and male images, there is a correspondingly more robust data set for those faces. There are also concerns for disabled users for more obvious reasons as well as countries where face coverings are common (although iris recognition is a potential solution here). In short, facial recognition is far from universal.
6. Fingerprint Adoption Is Likely to Be Set Back By COVID-19
Attitudes to physical contact have changed since the COVID-19 pandemic and the acceptability of public fingerprint readers may be affected for the foreseeable future. Fingerprint readers on personal phones, on the other hand, are not affected by this.
Future of non-phone-based biometrics
In markets such as China, where the adoption of facial recognition is high, special terminals equipped with super-high-resolution cameras and extra processing power can enable acceptance. However, I believe that the widespread international availability of such technology will depend on market standards. In countries where there is a lower penetration of smartphones, there is a lot more interest in a fingerprint as a relatively low-cost way to identify a consumer. Wider adoption of this into mainstream payments will depend on technology standards and on people’s willingness to use something touch-based.
We expect to see more use and acceptance of non-phone-based biometrics over time as standards for it emerge and consumers are satisfied with the security and reliability of the experience, but in the meantime, the phone-based model provides a very easy bridge.
Ian Benn is head of Strategy and Market Development at Ingenico.