Although biometric payment cards have been deployed in the marketplace for many years, issuers have primarily explored the technology through pilot projects and volumes have been limited. For various reasons, this is now starting to change.
The pandemic transformed consumer behaviour and has driven demand for touch-free payment methods (made clear by the significant increases in contactless payment adoption). The growing popularity of mobile payment solutions also means consumers are increasingly familiar and comfortable with biometrics for payments. And thanks to the recent advances made in biometric on card solution designs, production prices are dropping.
Given these developments, deployments are scaling as issuers are increasingly turning to biometric payment cards to differentiate from the competition, boost consumer confidence and address regulatory demands.
As scale builds, there is growing industry consensus around the benefits that could be realised by promoting increased consistency and alignment across the testing requirements for biometric payment cards.
In this EMV® Insights post, Jianhua Ni, Chair of the EMVCo CDCVM Task Force, explores how EMVCo’s new ‘Biometric on Card’ initiative is responding to this industry demand, and can further support seamless and secure payments globally.
What is a biometric payment card and how does it work?
Biometric payment cards include a sensor that captures the cardholder’s fingerprint as the card is inserted or tapped during the payment transaction. The fingerprint is then matched with a reference value that is stored within the secure EMV chip. If it’s a match, the cardholder is authenticated.
What are the current challenges associated with biometric payment cards?
Using biometric cards for in-store contactless payments presents unique considerations for performance and power consumption in order to successfully balance security with convenience.
And as deployments have been relatively limited, performance and security requirements for biometric payment cards have evolved organically across the different payment systems, leading to variations that increase the cost and complexity of developing, testing and deploying solutions.
Why is EMVCo best-placed to develop requirements and testing for biometric payment cards?
EMVCo creates, evolves and promotes technical specifications for EMV payment cards to work seamlessly and securely, and has a proven record facilitating the approval and evaluation of these products to test for compliance with the EMV Specifications, EMVCo functional requirements, and EMVCo security requirements and guidelines.
When talking about biometric payment cards, it is also important to understand Cardholder Verification Methods (CVM) and Consumer Device Cardholder Verification Methods (CDCVM).
A CVM is used to confirm whether the person presenting a payment card is the legitimate cardholder. When an individual enters a PIN to authorise a transaction, they are providing a CVM.
The growing use of mobile devices for payments has enabled consumer authentication to be performed on a consumer’s own device via passcodes, passwords and patterns, as well as biometrics such as fingerprint, iris, voice and facial recognition. This type of authentication on a consumer device is known as a CDCVM, and technologies that enable CDCVM are called CDCVM solutions.
Over recent years, EMVCo has successfully worked to promote confidence and consistency across CDCVM solutions by identifying and addressing the specific security, functional and performance needs to enable seamless and secure payments.
Supporting the growing use of biometric payment cards marks a natural evolution of this activity and similar principles apply, with the biometric payment card serving as the ‘consumer device’ and the fingerprint as the authentication method.
Given these considerations, EMVCo has received direct feedback from Associates, Subscribers and the wider payments community about the potential benefits of promoting increased consistency and alignment. Following this feedback, EMVCo has launched its ‘Biometric on Card’ initiative.
What is the scope of EMVCo’s ‘Biometric on Card’ initiative?
EMVCo is engaging with the industry to explore the development of performance and security requirements for Biometric on Card, as well as the supporting approval and evaluation frameworks, that will help balance convenience and security, while considering the unique challenges biometric payment cards present.
To optimise activity, the initiative will solely focus on the use of a fingerprint as a biometric authentication mechanism on a payment card.
As an initial first step, EMVCo is developing a performance requirements document to enable biometric payment cards to deliver both seamless and secure payment experiences.
What are biometric performance requirements?
Biometric performance characteristics relate to how well a solution performs in capturing a biometric and matching it with a reference value.
This encompasses various areas and examples of performance metrics under consideration by EMVCo, including:
- False Acceptance Rate (FAR) – the proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed.
- False Rejection Rate (FRR) – the proportion of verification transactions with truthful claims of identity that are incorrectly denied.
- Imposter Attack Presentation Accept Rate (IAPAR) – the proportion of imposter attack presentations using artefacts, such as a fake fingerprint, that are erroneously accepted.
- Transaction time – biometric authentication must be completed quickly to promote a seamless and convenient user experience.
What about security requirements? Is EMVCo exploring these?
Firstly, it is important to recognise that when it comes to biometrics, performance requirements naturally impact security. A solution will not be secure if it incorrectly authenticates a fraudster as the legitimate cardholder or cannot detect a fake fingerprint or dummy finger, for example. This means that when it comes to biometric testing, a risk-based approach is required to strike the right balance between seamless convenience (which is impacted by the False Rejection Rate and transaction time, for example) without compromising on security (which is impacted by the FAR and Presentation Attack Detection [PAD] metrics such as the IAPAR).
Consequently, the boundaries between functional and security compliance overlap. In this context, therefore, security requirements address the environments in which the biometric verification data is captured, the reference data is stored, the captured verification data is compared with the reference data, and the result of the match communicated. EMVCo’s existing Security Evaluation processes already encompass these environments, but there is the potential to explore additional considerations as part of the Biometric on Card initiative.
How is EMVCo approaching the development of supporting testing processes?
To help reduce testing complexity and costs, EMVCo will be exploring how testing can be optimised as part of a platform approach that leverages the existing and established Level 1 Approval and Chip Security Evaluation processes.
How can organisations get involved?
The performance requirements document is anticipated to be published for EMVCo Associate review and input by the end of Q2 2023. A Technical Special Interest Meeting is then planned to be held in Q4 2023 to discuss and explore the requirements in detail. EMVCo encourages all stakeholders, particularly biometric card manufacturers and biometric sensor providers, to engage with EMVCo and participate in the discussion.
by Carey Ferro