Biometrics FAQ

Background: In 2016 EMVCo worked to integrate biometrics as a cardholder verification method (CVM), allowing various biometric verification methods to be integrated into the EMV contact payment flow with limited impact on the acceptance infrastructure. The work supports EMVCo's goal of interoperability by optimising the existing EMV Integrated Circuit Card Specification for Payment Systems (EMV Chip Specifications) to reduce the impact of implementation.

  1. Why is EMVCo involved in this biometric activity?
  2. At a high level, what is EMVCo doing in this area?
  3. What does this mean in reality?
  4. What aspects of the EMV 4.3 Contact Chip Specification have been updated?
  5. Do all existing POS terminals and ATMs need to be updated to align with the specification update?
  6. Will EMVCo’s work be focused on one particular biometric modality such as fingerprint?
  7. When do you expect this functionality to be available for implementation?
  8. Is this the only biometric activity that EMVCo is working on?
  1. Why is EMVCo involved in this biometric activity?

    The payments community has been exploring how it can support biometric verification methods, such as fingerprint, voice recognition and facial recognition, to meet this growing market requirement

    EMVCo also recognises that regulatory activities, such as the European Directive on Payment Services 2 (PSD2), calls for strong authentication methods in payments and biometric verification is one means of achieving this.

    While there are already many implementations using biometric verification, to date they have not been globally interoperable. The payment industry recognises that if the biometric is captured on the merchant POS terminal or ATM and is to be matched with data on the consumer's chip card or server, the transmission of the biometric templates must leverage a universally accessible approach to reach interoperability needs. This transmission must also be done in a secure manner.

    Terminal and ATM manufacturers, alongside others within the payment community, acknowledged that updating existing EMV Chip Specifications would help to offer a global framework with minimum impact on the current contact payment flow.

  2. At a high level, what is EMVCo doing in this area?

    Firstly, it is important to note that the scope of EMVCo in this area is focused specifically on updating the EMV Contact Chip Specifications to allow the use of existing biometric methods as an EMV cardholder verification method (CVM).

    The EMV 4.3 Contact Chip Specification supports the acceptance of four cardholder verification methods (CVM): offline PIN, online PIN, signature and no CVM. The specification has been modified to now also support both match-on-card and match-on-server solutions by re-using the EMV concepts and logic of offline (enciphered) PIN and online PIN verification.

    The enhancements provide an interoperable mechanism to pass the biometric data from the reader on the POS terminal / ATM to the card in a secure manner, and for the card to return the “match” result to the terminal in a secure manner. Similar to online PIN verification, the verification of the biometric template can also happen on a remote server. Note that this is an implementation option and EMVCo does not define the mechanism of the biometric verification (or matching). That is outside of EMVCo's scope.

    This work also includes the definition of an EMVCo process to establish a Biometric Solution ID and will define the associated registration process. This is a unique number which identifies the solution supported on a card and enables the ATM / POS to recognise that it also supports the same solution.

  3. What does this mean in reality?

    The updates to EMV 4.3 Contact Chip Specification enable the payment community to add a biometric verification option into the current EMV contact flow with limited impact. This means that when the cardholder inserts their EMV chip card into the terminal, only in the case where both the terminal and the card are enabled to support the biometric CVM and have compatible biometric modalities, would a biometric capture be attempted. In this instance, the terminal would prompt the cardholder to offer a form of biometric for verification, for example, request a fingerprint image on the POS terminal.

  4. What aspects of the EMV 4.3 Contact Chip Specification have been updated?

    In order to achieve interoperability, EMVCo defines the new CVM for biometrics and a new variant of the “verify” command which includes how the template is secured, and the coding of the biometric-related values of terminal verification results. The updated EMV Specification also supports the use of issuer script commands to load, change, or unblock the templates after card issuance.

    The updates relate to EMV Book 2 – Security and Key Management, Book 3 – Application Specification and Book 4 – Cardholder, Attendant, and Acquirer Interface Requirements.

  5. Do all existing POS terminals and ATMs need to be updated to align with the specification update?

    No. The specification has been developed for full backwards compatibility and optional support of biometric-based verification. For example, if a card supporting a biometric CVM is inserted into a terminal that does not support this functionality, the transaction will be performed using another verification method. This ensures the co-existence of both cards and terminals with and without biometric CVM capability, with minimal risk of interoperability issues.

  6. Will EMVCo's work be focused on one particular biometric modality such as fingerprint?

    No. The EMV 4.3 Contact Chip Specification supports several types of biometric CVM: palm, voice, fingerprint, facial and iris.

  7. When do you expect this functionality to be available for implementation?

    The draft specification bulletin was published in November 2016 on the EMVCo website. Following market input, EMVCo aims to release the final specification updates in Q2 2017.

  8. Is this the only biometric activity that EMVCo is working on?

    No. EMVCo is working with the FIDO Alliance to determine how EMV payment use cases can be incorporated into FIDO Alliance's technical standards. The focus of this partnership is related to shared cardholder device CVM, for example, using the same biometric method to both “open” a smartphone and verify a payment made with it.