Consumer and industry interest in biometric payment cards is building.
The pandemic transformed consumer behaviour and drove demand for touch-free payment methods, with the growing popularity of mobile payment solutions meaning consumers are more familiar and comfortable with biometrics for payments. Issuers are also exploring how biometric payment cards can help them to differentiate, while recent advances to biometric on card solution designs are leading to production efficiencies.
Amid these developments, there is growing industry consensus around the benefits that could be realised by promoting increased consistency and alignment across the requirements and testing processes for biometric payment cards.
In this EMV® Insights post, Jianhua Ni, Chair of the EMVCo Consumer Device Cardholder Verification Methods (CDCVM) Task Force, explores how EMVCo’s ‘Biometric on Card’ initiative is responding to this industry demand, and can further support seamless and secure payments globally.
What is a biometric payment card and how does it work?
Biometric payment cards include a sensor that captures the cardholder’s fingerprint as the card is inserted or tapped during the payment transaction. The fingerprint is then matched with a reference value. If it’s a match, the cardholder is authenticated.
What are the current challenges associated with biometric payment cards?
Using biometric cards for in-store payments presents unique performance and security considerations to successfully balance trust and convenience.
However, performance and security requirements for biometric payment cards have evolved organically across the different payment systems, leading to variations that increase the cost and complexity of developing, testing and deploying solutions.
Why is EMVCo best-placed to develop requirements and testing for biometric payment cards?
EMVCo creates, evolves and promotes technical specifications for EMV payment cards to work seamlessly and securely, and has a proven record facilitating the approval and evaluation of these products to test for compliance with the EMV Specifications, EMVCo functional requirements, and EMVCo security requirements and guidelines.
When talking about biometric payment cards, it is also important to understand Cardholder Verification Methods (CVM) and Consumer Device Cardholder Verification Methods (CDCVM).
A CVM is used to confirm whether the person presenting a payment card is the legitimate cardholder. When an individual enters a PIN to authorise a transaction, they are providing a CVM.
The growing use of mobile devices for payments has enabled consumer authentication to be performed on a consumer’s own device via passcodes, passwords and patterns, as well as biometrics such as fingerprint, iris, voice and facial recognition. This type of authentication on a consumer device is known as a CDCVM, and technologies that enable CDCVM are called CDCVM solutions.
Over recent years, EMVCo has successfully worked to promote confidence and consistency across CDCVM solutions by identifying and addressing the specific security, functional and performance needs to enable seamless and secure payments.
Supporting the growing use of biometric payment cards marks a natural evolution of this activity and similar principles apply, with the biometric payment card serving as the ‘consumer device’ and the fingerprint as the authentication method.
Given these considerations, EMVCo has received direct feedback from Associates, Subscribers and the wider payments community about the potential benefits of promoting increased consistency and alignment. Following this feedback, EMVCo launched its ‘Biometric on Card’ initiative.
What is the scope of EMVCo’s ‘Biometric on Card’ initiative?
EMVCo has engaged with the industry to explore the development of performance and security requirements for Biometric on Card, as well as the supporting approval and evaluation frameworks, that will help balance convenience and security, while considering the unique challenges biometric payment cards present. To optimise activity, EMVCo is solely focused on the use of a fingerprint as a biometric authentication mechanism on a payment card.
What are biometric performance requirements?
Biometric performance characteristics relate to how well a solution performs in capturing a biometric and matching it with a reference value. EMVCo has defined and published performance requirements to address reliability, liveness, and convenience. Specific metrics include:
Reliability: False Acceptance Rate (FAR) – the proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed.
Reliability: False Rejection Rate (FRR) – the proportion of verification transactions with truthful claims of identity that are incorrectly denied.
Liveness: Imposter Attack Presentation Accept Rate (IAPAR) – the proportion of imposter attack presentations using artefacts, such as a fake fingerprint, that are erroneously accepted.
Convenience: Transaction time – biometric authentication must be completed quickly to promote a seamless and convenient user experience.
Following the publication of the performance requirements, work is continuing on the development of a supporting approval process.
How is EMVCo addressing security requirements?
Firstly, it is important to recognise that when it comes to biometrics, performance requirements naturally impact security. A solution will not be secure if it incorrectly authenticates a fraudster as the legitimate cardholder or cannot detect a fake fingerprint or dummy finger, for example. This means that when it comes to biometric testing, a risk-based approach is required to strike the right balance between seamless convenience (which is impacted by the False Rejection Rate and transaction time, for example) without compromising on security (which is impacted by the FAR and Presentation Attack Detection [PAD] metrics such as the IAPAR).
Consequently, the boundaries between functional and security compliance overlap. In this context, therefore, security requirements address the environments in which the biometric verification data is captured, the reference data is stored, the captured verification data is compared with the reference data, and the result of the match communicated.
EMVCo’s existing Security Evaluation processes already encompass these environments, but there was the potential to explore additional considerations as part of the Biometric on Card initiative. Based on this, EMVCo has now published dedicated security requirements which have been incorporated into the existing chip security guidelines and evaluation process.
How can organisations get involved?
EMVCo encourages all stakeholders, particularly biometric card manufacturers and biometric sensor providers, to continue to engage with EMVCo and participate in the discussion.
This EMV Insights article, originally posted in June 2023, was updated in May 2025 to reflect the progress of the Biometric on Card initiative.
by Alan Mushing
