Biometric cards, making convenience secure

Posted 30 June 2022 by IDEMIA

Biometric cards revolutionize payment authentication, boosting convenience and security in the customer payment journey. Discover why and how these cards, with an embedded fingerprint sensor, are transforming payment transactions.

Biometrics leap out of science fiction into real life

In the 1971 James Bond movie “Diamonds are Forever”, biometrics was seen as a futuristic gadget used to miraculously lift a fingerprint off a glass just by taking a picture. Today, 50 years later, we use fingerprints and other forms of biometric authentication in our everyday lives. We unlock our smartphones with a quick glance (something that the average smartphone user does 80 times a day[1]), and we might also use our fingerprint to authenticate a payment transaction.

Why does biometric authentication trump PINs?

Researchers from around the world found that consumers not only think of biometrics as fast and convenient, but secure as well. Biometrics can eliminate the need to memorize multiple passwords and PIN codes. After all, despite their ubiquity, PINs and passwords have several drawbacks. They can be compromised or stolen by fraudsters and, in order to truly be effective, they need to meet four demanding criteria: the PIN must be complex, changed frequently, unique to each application or service provider, and never be written down.

For people on the move, biometric authentication is easier than entering a complex password or typing in a PIN several times a day. In a purchasing scenario, this technology adds an inherence factor to the payment transaction—meaning that a biometric card confirms that the person trying to pay is the eligible cardholder. In short, when a user enters the correct PIN code, they prove that they have access to the credentials; when they use a fingerprint sensor to scan their biometric data, they authenticate their identity. The use of biometric authentication further secures contactless payment transactions, be it with a smartphone or a biometric card. When combined, contactless technology and biometrics provide a truly frictionless experience as well.

With convenience and security in hand, it’s no wonder that 74% of global consumers have a positive attitude towards biometric technology[2].

Biometric authentication and biometric cards: the promise of a simpler and safer journey

Biometrics carry the promise of creating a convenient customer experience without compromising security. For example, banks can leverage biometrics to enable remote customer onboarding and identity verification via a customer’s mobile device. To prove their identity, customers are asked to submit ID documents, take a selfie and prove liveness by moving their head. The selfie is compared to the ID document to ensure that the claimed identity matches the customer’s. The customer can then access banking and payment services and authenticate themselves in a secure and convenient way when banking and transacting.

Biometrics is also used in various payment use cases, most notably when paying in-store with a smartphone through Apple, Samsung or Google Pay. Since Apple Pay debuted in 2014, biometrics have become an integrated part of more recent and emerging payment journeys, such as smart home devices or wearables with payment capacities and integrated biometric sensors.

Contactless payment authentication in a post-pandemic world

In the wake of the Covid-19 pandemic, contactless thresholds around the world have increased to enable more card POS transactions to be conducted without even touching the payment terminal or handing the card to the merchant. However, high-value payment transactions must still be carried out in contact mode. And in Europe, the PSD2 regulation requires that every fifth card transaction be carried out with strong customer authentication, typically by requesting the card PIN code (PIN code being the dominant payment authentication method in Europe).

A biometric card can easily overcome these two limitations:

  • A biometric sensor on the card surface seamlessly authenticates the customer’s fingerprint for every payment transaction (contact or contactless), regardless of the payment amount.
  • Strong customer authentication is no longer necessary every fifth transaction since every payment transaction is authenticated with biometrics.

In practice, using a biometric payment card is really no different than using a smartphone, to which we are already accustomed. After all, the user behavior necessary to unlock a smartphone (pressing one’s finger on a biometric sensor) can also enable payment authentication when using a biometric card. This behavioral crossover is well timed, as 81% of global consumers say they are ready to use their fingerprint instead of a PIN code[3].

But in order for cardholders to benefit from the convenience and security of a biometric payment card, they must first enroll their fingerprint from home or in a bank branch:

  • Home enrollment: The cardholder inserts the biometric card into the sleeve it was delivered with.
  • Bank branch enrollment: The cardholder uses the bank’s tablet and inserts the biometric card into the integrated card reader.

Once the card is inserted in the sleeve or the bank’s tablet, the cardholder places their fingertip on the card’s biometric sensor several times — just like they would do to enroll their fingerprint in their new smartphone — and the biometric template (a mathematical conversion of key point descriptors and not an image of the biometric data) is saved in the chip of the card (and nowhere else).

Once enrolled, they can simply tap the biometric card onto a merchant’s POS terminal while holding their fingertip to the fingerprint sensor. In that very moment their fingerprint is compared to and matched with the enrolled biometric template. This matching occurs within the card’s chip, meaning the biometric data never leaves the card and is hence not shared with the POS terminal, nor the card issuer, nor sent over the air. If the match is successful, the payment transaction is strongly authenticated, without inserting the card or entering a PIN code. The best part is, merchants do not need to upgrade their current POS terminals!
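The enrollment and on-card matching described above can be sketched as a small simulation. This is an added example, not IDEMIA's code or a real card's matching algorithm: the grid quantization, the 0.7 match ratio, the message fields and the sample key points are all assumptions chosen to show that only a verdict crosses the card boundary.

```python
# Added illustration: toy model of enrolment and on-card matching.
# Grid size, threshold and message fields are assumptions, not a real card's algorithm.
from collections import Counter

GRID = 4           # assumed: key points are quantised to a 4-unit grid
MATCH_RATIO = 0.7  # assumed: share of template cells a probe must reproduce


def to_cells(points):
    return {(round(x / GRID), round(y / GRID)) for x, y in points}


class BiometricCard:
    def __init__(self):
        self.__template = frozenset()  # lives only inside the simulated chip

    def enroll(self, captures):
        """Keep key points seen in most touches, so one smudged touch adds nothing."""
        seen = Counter(cell for capture in captures for cell in to_cells(capture))
        needed = len(captures) // 2 + 1
        self.__template = frozenset(c for c, n in seen.items() if n >= needed)
        return len(self.__template)

    def authorize(self, amount_cents, probe):
        """Match on the card; the terminal gets a verdict, never template or probe."""
        hits = len(self.__template & to_cells(probe))
        ok = bool(self.__template) and hits / len(self.__template) >= MATCH_RATIO
        return {"amount_cents": amount_cents, "cardholder_verified": ok}


# Constructed sample data: three enrolment touches of one finger (with jitter and
# a spurious point in two of them), then a genuine probe and a foreign one.
CAPTURES = [
    [(12, 20), (40, 8), (28, 36), (52, 44), (8, 48), (60, 60)],
    [(13, 21), (41, 8), (28, 35), (52, 44), (9, 48)],
    [(12, 19), (40, 9), (27, 36), (51, 44), (8, 48), (20, 4)],
]
GENUINE = [(12, 21), (40, 8), (29, 36), (52, 45)]
IMPOSTOR = [(16, 4), (44, 28), (60, 12), (24, 52)]

if __name__ == "__main__":
    card = BiometricCard()
    print("template cells:", card.enroll(CAPTURES))
    print(card.authorize(25000, GENUINE))
    print(card.authorize(25000, IMPOSTOR))
```

The amount is passed through without any threshold check, mirroring the point that the fingerprint authenticates every transaction regardless of value.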

A bright future for the biometric card

Although fingerprint recognition may have seemed like a futuristic James Bond gadget in 1971, it is now so ingrained into our daily lives that we hardly even notice it. Moreover, by 2024, 66% of smartphone owners are forecast to use biometric authentication (versus 27% in 2019)[4]. As we look to the future, the Smart Payment Association predicts that “the biometric payment card has the potential for tremendous growth”[5] and Mordor Intelligence expects the global biometric card market to register a CAGR of 155% from 2021 to 2026[6].

It is clear that authenticating one’s identity with a biometric card opens the door to a multitude of use cases in addition to payments, such as securely signing crypto transactions or taking public transportation.

Regardless of how the future plays out, today, the biometric card already lives up to its promise of creating a more convenient and secure user experience!

[1] zyri.net, “How many times a day do people unlock their cell phones?”
[2] Dentsu Data Lab, encompassing 3422 people in 14 countries, 2021
[3] Dentsu Data Lab, encompassing 3422 people in 14 countries, 2021
[4] https://www.paymentsjournal.com/by-2024-how-many-smartphone-owners-will-use-biometrics/
[5] SPA, “Biometric payment cards – The Next Evolution in Secure Contactless Transactions”
[6] https://www.biometricupdate.com/202201/biometric-payment-card-market-forecast-for-155-percent-cagr-through-2026