Global payment card provider Mastercard believes that 25% of online payments will require biometric security from September 2019. Mastercard claims that currently just 1-2% of online transactions require cardholder authentication. Those that are authenticated rely on passwords most of the time.
The change by September 2019 is the result of new EU payment rules coming into force. Strong Customer Authentication (SCA) is part of the Payment Services Directive 2 (PSD2) legislation. It aims to reduce the amount of online fraud that is being committed.
According to Ajay Bhalla, President Global Enterprise Risk and Security, Mastercard: “The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets.
“In payments technology this is something we’re closing in on as we move from cash to card, password to thumbprint, and beyond to innovative technologies such as artificial intelligence. It’s far easier to authenticate with a thumbprint or a selfie, and it’s safer too.”
Haven’t we already done biometrics?
Yes and no. Mastercard has two projects of its own, Identity Check and a biometric payment card. Both have been field tested and are in the process of deployment around the world. Deployment is, however, limited by retailers being willing to upgrade their in-store and online systems.
In the mobile payment space, Apple Pay and other providers are already taking advantage of biometric security. They have enabled fingerprint authentication and, in some cases, facial recognition. However, the technology is not perfect.
At the NTT Security conference in Frankfurt recently, one keynote speaker showed how it was still possible to defeat biometrics. On stage, he demonstrated existing fingerprint hacks and a new facial recognition hack using a fairly basic mask. Biometrics have to get much better than they are today if they are to be fully trusted.
Despite this latest hack, biometrics are much better than existing password and PIN-based security. But for them to be fully effective, there needs to be a major shift in how payments are taken.
Retailers are dragging their feet when it comes to implementing new payment methods. Some high street stores and supermarkets have still not implemented touchless or contactless payment solutions. This is a technology that has been around for well over a decade.
Complexity and cost are mainly to blame for this problem. A recent Sysnet report showed that small merchants were struggling with compliance and cyber security. These are exactly the people whose security SCA is aimed at improving. For that to happen, card issuers need to stop fining them and start helping them.
What does this mean?
Anything that improves the security of online and even in-store card payments should be welcomed. While there are still hacks that work against biometric solutions, they are far more secure than password or PIN-based solutions.
There are questions that still need to be answered. How quickly can card issuers get biometric cards in the hands of their customers? Can card issuers persuade users to adopt biometrics? Will solutions meet the GDPR requirements? Biometrics are classed as a special category of personal data and that means stricter processing and storage controls.
What is the cost to the retailer to integrate the solution into their website? How much will it cost to update in-store systems? Have the lessons from previous biometric failures been fully understood? How will card issuers, such as Mastercard, help small businesses? The latter is important given the failures already highlighted by Sysnet.
Andrew Shikiar, CMO of The FIDO Alliance, said: “MasterCard is spot on in its assessment; the use of passwords is woefully outdated as a means of online authentication. The problem has long been overreliance on yesterday’s approach and a reluctance to embrace the ways in which technology has transformed both our habits and the options available to us.
“As the range of activities we undertake online using mobile devices continues to rise, the more sensitive transactions – such as payments and money transfers – can be facilitated using device-enabled strong authentication. However, its success hinges on the industry’s ability to offer this at internet scale.”
Biometrics do have the ability to improve payment card security. Will we see wide-scale adoption by September 2019? It’s extremely unlikely.