Biometric Authentication in Payments CONSIDERATIONS FOR POLICYMAKERS November 2017


Contents

1 Executive Summary 5

2 Overview of Biometric Authentication 7
2.1 What Are Biometrics? 7
2.2 What Is Authentication? 7
2.3 How Does Biometric Authentication Work? 8
2.4 Biometric Authentication Modalities 9

3 Drivers of Biometric Adoption 11
3.1 Advancements in Technology 11
3.2 Increasing Consumer Familiarity and Demand 12
3.3 The Dramatic Rise of Mobile Devices 13
3.4 Dual Objectives: Security and Convenience 14
3.5 Government Focus on Identity Verification & Financial Inclusion 15

4 Biometrics in the Payments Ecosystem 16
4.1 Outlook for the Use of Biometric Authentication 16
4.2 Benefits of Biometric Authentication for Payment-System Participants 17

5 Selected Deployments of Biometric Authentication in Payments and Financial Services 18
5.1 The Americas 19
5.2 Europe 20
5.3 Africa and the Middle East 21
5.4 Asia-Pacific 22

6 Biometrics Legal Landscape 23
6.1 Overview of Biometrics-Related Laws 23
6.2 Applying Laws to Rapidly Evolving Technologies Such as Biometrics 26

7 Advancing Biometric Authentication: Issues for Further Attention 26
7.1 Standardization and Interoperability 26
7.2 Layered, Risk-Based Approaches to Payment Security 27
7.3 Data Security – Storage and Transmission 27
7.4 Consumer Privacy 29
7.5 Accessibility and Inclusion 29

8 Guiding Principles on Biometric Authentication for Policymakers 30
8.1 Foster Stakeholder Dialogue and Engagement 30
8.2 Support Industry-Driven Standards and Interoperability 31
8.3 Reframe Security Discussions to Reflect New Technology Developments 31
8.4 Provide Legal Clarity for Payment-System Participants 32
8.5 Lead by Example 32

9 Conclusion 33

Appendix: Selected Organizations Working on Biometric Issues in Payments 34

Endnotes 37

Promontory Financial Group, an IBM Company (Promontory or we), created this white paper solely for its client, Visa U.S.A. Inc. Promontory does not have any control over the particular purpose(s) for which the paper’s information or intelligence may be used. Promontory disclaims and excludes any and all liability (whether arising in contract, tort, or otherwise) for losses of any nature suffered by any party as a direct or indirect result of any error in or omission from this white paper, as a direct or indirect result of the use of any of the information in the paper or of making any business decision, or refraining from making any such decision, in reliance or based wholly or partly on any data, expression of opinion, statement, or other information or data contained in the paper.

This paper is intended for informational purposes only and should not be relied upon for operational, business, legal, regulatory, or other advice. While efforts have been made to ensure the accuracy of the content of this paper, errors may exist, and we do not guarantee the accuracy of the content. Neither Visa nor Promontory is responsible for any use of or reliance on the content of this paper. All brands and logos used in this document are the property of their respective owners, and uses of or references to such herein do not imply product affiliation or endorsement.


About Promontory Financial Group

Promontory Financial Group, an IBM Company, excels at helping clients resolve critical issues, particularly those with a regulatory dimension. Promontory professionals have unparalleled regulatory experience and insight, and provide our clients with frank, proactive advice informed by best practices and regulatory expectations. Founded in 2001 by Chief Executive Officer Eugene A. Ludwig, former U.S. comptroller of the currency, Promontory became a wholly owned subsidiary of IBM in 2016. More at promontory.com

About Visa

Visa Inc. (NYSE: V) is the world’s leader in digital payments. Our mission is to connect the world through the most innovative, reliable and secure payment network – enabling individuals, businesses and economies to thrive. Our advanced global processing network, VisaNet, provides secure and reliable payments around the world, and is capable of handling more than 65,000 transaction messages a second. The company’s relentless focus on innovation is a catalyst for the rapid growth of connected commerce on any device, and a driving force behind the dream of digital payments for everyone, everywhere. As the world moves from analog to digital, Visa is applying our brand, products, people, network and scale to reshape the future of commerce. For more information, visit usa.visa.com/aboutvisa, visacorporate.tumblr.com and @VisaNews.

Visa’s Global Public Policy group, established in 2015, commissioned this study. The group’s mission is to inform public policy dialogue globally through thought leadership.


1 Executive Summary

Biometrics have gained popularity as an authentication tool in a number of industries and contexts, including the financial services sector. Technology developments – notably, improved accuracy and lower costs of biometric solutions, coupled with the dramatic rise of mobile devices globally – have served as key drivers.

Business and consumer demand for secure, convenient payment options in today’s changing fraud landscape has also played an important role.

More broadly, biometrics represent one part of a growing tapestry of data on individuals and their transactions – including personal data, geolocation information, and device IDs – available to support new and enhanced authentication services.

As the use of biometric authentication has grown, governments and consumer groups have raised important public policy questions about data security and privacy issues. Businesses have also posed questions about standardization and interoperability in the biometric authentication landscape. These issues, and many others, have distinct implications when considering the growing application of biometric authentication in payments. What role can biometrics play in promoting both innovation and security? Are these two goals in conflict with each other? Addressing these questions will be key to the further advancement of biometric authentication in payments.

This paper leverages Promontory’s experience with financial services and risk management to outline the benefits of biometric authentication and issues for further attention by payment-system stakeholders. It also suggests activities that government agencies, lawmakers, regulators, and other rulemaking bodies (collectively, policymakers) may take to support the continued development of biometrics as an authentication tool in the payments industry.

Policymakers hold a powerful and unique position with great ability to influence the further development of biometric authentication. This paper proposes five specific guiding principles for policymakers to consider as they deepen their understanding of biometric authentication’s evolving role in the payments ecosystem.


Guiding principles on biometric authentication for policymakers

1. FOSTER STAKEHOLDER DIALOGUE AND ENGAGEMENT
Multi-stakeholder dialogue on evolving technologies such as biometric authentication solutions helps bring a range of voices to discussions that support advancements in the payments ecosystem. By engaging with a variety of payment-system participants, policymakers can deepen their understanding of technology trends, stakeholder perspectives, and potential congruence with policy objectives.

2. SUPPORT INDUSTRY-DRIVEN STANDARDS AND INTEROPERABILITY
Standards support payments innovation by making it easier for all parties in the payments ecosystem to adopt and deploy new technologies. Interoperability provides the foundation for open and accessible payment systems, creating efficiencies that benefit all ecosystem stakeholders. By supporting interoperability and industry-led, principles-based standards not tied to a specific technology, policymakers ensure a lasting framework that can keep pace with both innovation and changing risks in the payments landscape.

3. REFRAME SECURITY DISCUSSIONS TO REFLECT NEW TECHNOLOGY DEVELOPMENTS
Historically, many have viewed security and convenience as competing priorities. Biometric authentication, however, presents an opportunity to develop solutions that provide more convenience to consumers while also enhancing security. The next generation of authentication toolkits are being designed to support a layered, risk-based approach to payment security with complex verification methods that are difficult for criminals to steal and deploy. Policymaker guidance that reflects technology developments and evolving security strategies can strengthen payment-system security, allowing ecosystem participants to leverage innovative solutions and approaches to mitigate risk.

4. PROVIDE LEGAL CLARITY FOR PAYMENT-SYSTEM PARTICIPANTS
By engaging in multi-stakeholder discussions on legal issues related to biometric authentication – such as data storage, usage, and transmission – before the passage of legal measures, policymakers can help build consensus around governance objectives, including assessing whether non-legislative responses such as industry standards may be sufficient. Where existing laws differ or conflict between jurisdictions, policymaker coordination can support a more efficient and certain operating environment for entities in the payments system.

5. LEAD BY EXAMPLE
Policymakers and governments can send a positive message to consumers and businesses alike by embracing biometric technology in their own products and services, as appropriate in their market.

The next section provides an overview of biometric authentication, including key definitions and examples of biometric modalities. Section 3 summarizes drivers of biometric adoption globally, including discussion of technology developments, consumer preferences, and congruence with government policy objectives. Section 4 highlights the outlook for biometric authentication and describes how biometrics are impacting payments. Section 5 provides examples of biometric deployments in payments and financial services around the world. Section 6 offers an overview of the legal landscape surrounding biometrics, including the application of existing data-security and/or privacy laws to the context of biometrics. Section 7 describes issues for further attention in the biometric authentication landscape, including standardization and interoperability, layered risk-mitigation strategies, data security, consumer privacy, and accessibility and inclusion. Finally, Section 8 provides more detail on these guiding principles on biometric authentication, outlining how policymakers can play a critical role in advancing biometric authentication in their markets.

2 Overview of Biometric Authentication

This section provides an overview of biometric authentication, including key definitions and examples of biometric modalities.

2.1 What Are Biometrics?

Biometric identifiers (biometrics) are unique, intrinsic physical or behavioral characteristics that can be used to identify or verify the identity of an individual. They are categorized as either physical or behavioral.

Physical: Individual biological or physiological traits such as fingerprints, facial characteristics, and iris patterns.

Behavioral: Traits that describe how individuals operate or function, such as signatures, keystroke patterns, or gait.

Law enforcement and government agencies have long used fingerprints to identify individuals in criminal cases.1 Even today the most common trait used for biometric recognition is the fingerprint. However, iris and facial recognition technologies are increasingly common. As the accuracy of these technologies increases and the costs decrease, their use continues to grow.

2.2 What Is Authentication?

Authentication is the process of verifying that individuals or entities are who they claim to be. There are three main mechanisms for authentication:

Three Main Mechanisms for Authentication

Something you “have”: Something only you possess, like a security token or a smart card.

Something you “know”: Something known only to you, such as a password, personal identification number (PIN), or answer to a security question.

Something you “are”: A personal characteristic that you use to authenticate yourself, such as your fingerprint or iris pattern – this is the foundation of biometric authentication.

2.3 How Does Biometric Authentication Work?

Biometric authentication includes two key phases: enrollment and verification, as illustrated in the following graphic.

[Graphic. Enrollment: Biometric Captured on Device → Biometric Characteristics Extracted → Template Created → Template Stored on Device or Server. Verification: Biometric Captured on Device → Biometric Characteristics Extracted → Template Matched on Device or Server → Match Decision (Accept/Reject).]

During enrollment, the individual’s biometric data is captured, converted into a “template,” and stored, either locally on a device or centrally on a server. An individual’s identity should be verified, such as by government identification or other reasonable means, prior to biometric data collection to ensure the integrity of the enrollment process. The stored biometric template is a coded digital representation of patterns extracted during the template generation process. During verification, the individual provides his or her biometric data via a sensor or reader, and the collected biometric template is compared to the stored template. If a match occurs, the individual is successfully authenticated.

As biometric systems have matured, accuracy has improved. Declining error rates have enabled biometrics to become an effective authentication mechanism in many payment use cases. As with other authentication methods, error rates vary based upon a number of factors, notably the modality used and the maturity of the technology. Errors typically fall into one of two categories – false accepts or false rejects. A “false accept,” or false positive, occurs when the system determines that an authentication template from one individual matches an enrollment template from another individual. A “false reject,” or false negative, occurs when the system determines that an authentication template and an enrollment template from the same individual do not match. The rate of false accepts is referred to as the “false accept rate” (FAR) and the rate of false rejects is referred to as the “false reject rate” (FRR).
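The enrollment/verification flow and the FAR/FRR definitions above can be made concrete with a small simulation. The following Python is an added illustration, not code from the paper or from any vendor it names: the feature vectors, the similarity function, and the score lists are all constructed for this example (a real template encodes far richer data such as fingerprint minutiae). It shows the two phases as functions, the accept/reject decision as a threshold on a match score, and how moving that threshold trades FAR against FRR.

```python
import math
from typing import List, Sequence, Tuple

# Constructed toy captures: each is a short feature vector that stands in for the
# "biometric characteristics extracted" step. The values are made up and carry no
# real biometric meaning.
ENROLL_CAPTURES_USER_A = [[0.20, 0.40, 0.60], [0.22, 0.38, 0.60], [0.18, 0.42, 0.60]]
GENUINE_PROBE_USER_A = [0.21, 0.40, 0.66]    # user A presenting again (noisy capture)
IMPOSTOR_PROBE_USER_B = [0.80, 0.10, 0.50]   # a different individual

# Constructed comparison scores from a hypothetical evaluation run, used to
# compute FAR/FRR at several operating thresholds.
GENUINE_SCORES = [0.98, 0.95, 0.93, 0.90, 0.86, 0.80]   # same-person comparisons
IMPOSTOR_SCORES = [0.40, 0.55, 0.62, 0.70, 0.84, 0.91]  # different-person comparisons


def create_template(captures: Sequence[Sequence[float]]) -> List[float]:
    """Enrollment: fold several captures into one stored template (per-feature mean)."""
    n = len(captures)
    dims = len(captures[0])
    return [sum(c[i] for c in captures) / n for i in range(dims)]


def match_score(template: Sequence[float], probe: Sequence[float]) -> float:
    """Verification: similarity in (0, 1]; 1.0 means the probe equals the template."""
    distance = math.sqrt(sum((t - p) ** 2 for t, p in zip(template, probe)))
    return 1.0 / (1.0 + distance)


def match_decision(template: Sequence[float], probe: Sequence[float],
                   threshold: float) -> bool:
    """Accept/Reject: accept only if the score clears the operating threshold."""
    return match_score(template, probe) >= threshold


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """FAR = share of impostor comparisons accepted (false positives);
    FRR = share of genuine comparisons rejected (false negatives)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def threshold_sweep(genuine: Sequence[float], impostor: Sequence[float],
                    thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for each candidate threshold: raising the threshold
    lowers FAR and raises FRR, which is the trade-off an operator tunes."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    template = create_template(ENROLL_CAPTURES_USER_A)          # stored at enrollment
    print("genuine score ", round(match_score(template, GENUINE_PROBE_USER_A), 3))
    print("impostor score", round(match_score(template, IMPOSTOR_PROBE_USER_B), 3))
    print("accept genuine?", match_decision(template, GENUINE_PROBE_USER_A, 0.90))
    print("accept impostor?", match_decision(template, IMPOSTOR_PROBE_USER_B, 0.90))
    for t, far, frr in threshold_sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [0.75, 0.85, 0.92]):
        print(f"threshold {t:.2f}: FAR {far:.3f}  FRR {frr:.3f}")
```

The sweep is the part worth dwelling on: at the loosest threshold no genuine user is turned away but two impostor scores slip through, while at the strictest one no impostor passes but half of the genuine attempts are rejected. A deployment picks its operating point by deciding which error is more costly for that use case, which is why the paper's later discussion of layering biometrics with other signals matters.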

2.4 Biometric Authentication Modalities

Modality refers to the trait used for authentication. Selecting an appropriate modality to use in a biometric authentication system depends on a host of factors, including the type of technology used for its deployment and the application in which it will be used.2 Performance, usability, and cost effectiveness of the biometric solution depend on technology maturity and other factors, which vary across modalities. The following table highlights common types of authentication modalities and provides examples of applications in the payments ecosystem.

Table: Modality / Description / Examples and Developments in the Payments Ecosystem

PHYSICAL BIOMETRICS

Fingerprint
Description: Identifies individuals using the ridge-valley patterns present on fingers.
Examples/developments: Recent deployments include mobile wallets such as Apple Pay, Android Pay, and Samsung Pay; ATMs enabled with Apple’s Touch ID; and pilots of contactless payment cards integrated with fingerprint sensors.3

Face
Description: Identifies individuals using their facial characteristics such as shape of facial features and skin texture.
Examples/developments: Visa has partnered with Banco Neon in Brazil to offer online authentication using facial recognition.4 Mastercard’s “Pay by Selfie”5 and Alibaba’s “Smile to Pay”6 allow users to authenticate payment transactions by taking a selfie.

Iris
Description: Identifies individuals using the detail-rich, intricate pattern of the iris.
Examples/developments: Two major South Korean banks, KEB Hana Bank and Woori Bank, announced plans to employ an iris recognition solution to authenticate bank customers in the mobile environment.7

Palm and Finger Vein
Description: Identifies individuals using the vein pattern inside their palms or fingers.
Examples/developments: Brazilian and Japanese banks have used palm and finger vein authentication technologies for ATMs.8 Tokyo’s plans for the 2020 Olympics include a system where tourists will pay for goods and services using only biometrics, including vein scanning and fingerprint biometrics.9

Voice Recognition (i)
Description: Identifies individuals based on voice characteristics such as the pitch, tone, and rhythm of their speech.10
Examples/developments: In the U.S., USAA Bank’s mobile application allows users to use voice, fingerprint, or facial recognition as a biometric layer of authentication.11 Wells Fargo’s Commercial Electronic Office (CEO) mobile application offers voice biometric authentication, allowing users to authenticate themselves using their mobile phone’s front-facing camera and microphone in lieu of passwords.12 Biometrics companies Agnitio13 and VoiceVault have integrated their technologies for card-not-present payment transactions. They both supply biometric technology that analyzes the audio to authenticate the user’s identity.14

(i) Voice or speech recognition can be viewed as both physical and behavioral biometrics, as the authentication method involves characteristics of both.

BEHAVIORAL BIOMETRICS

Keystroke
Description: Identifies individuals based on the manner and rhythm in which they type character sequences on a keyboard (virtual or physical).
Examples/developments: The use of keystroke biometrics for authentication remains somewhat limited, as companies have expressed concern about its efficacy as a stand-alone solution. However, researchers believe that it may serve as a complement to traditional username/password combinations, where the user is granted access if he/she is also able to type a few words of a pass phrase within a reasonable threshold of latency variability (keystroke duration, finger placement, and applied pressure) from the reference signature.15

Gait
Description: Identifies individuals based on the manner in which they move in space (typically while walking).
Examples/developments: Google’s Project Abacus represents an effort to move away from traditional passwords and PINs in favor of a combination of mobile-device measurements to authenticate the identity of a user. The project is intended to identify an individual by considering several biometric measurements, including gait.16

Heartbeat
Description: Identifies individuals based on their electrocardiogram (ECG), a measurement of the electrical activity of the heart.
Examples/developments: Royal Bank, TD Bank, and Mastercard tested electrocardiogram identification using a wristband designed by a Canadian authentication solutions company, Nymi, to make secure online payments.17 With the increased use of wearables, heartbeat analysis may have interesting future use cases.18 For example, researchers believe that heartbeat biometrics could be used by individuals to protect electronic health records and conveniently and quickly provide medical staff access to such information.19


Each of these modalities may be deployed as part of a layered, risk-based approach to payment security. Emerging authentication solutions are exploring the possibility of combining multiple biometric authentication technologies and/or layering with non-biometric solutions. For example, Visa partnered with Safran Identity & Security and Delta ID to build a prototype that incorporates iris scanning and facial recognition technology into Visa Checkout, the network’s online payments service. Other emerging solutions incorporate physical location of the cardholder, and behavioral and contextual data, like IP address and device ID, into the authentication process. One biometric modality can also serve as a backup for another biometric modality (e.g., a user who does not have a smartphone with fingerprint recognition could use another authentication measure such as face or voice recognition as a default and/or backup option).

3 Drivers of Biometric Adoption

Several factors have driven the increased use of biometric authentication over the past few years. Technological developments, notably improved accuracy and lower costs, have played a key role. Demand from consumers and businesses for convenient and secure authentication solutions has also served as a driving force, bolstered by growing mobile-phone adoption in many markets. In addition, governments have pursued the use of biometrics to deliver on policy objectives such as expanding financial inclusion and reducing identity theft. Several of these factors are described below.

3.1 Advancements in Technology

As biometric technologies have matured and improved – becoming more accurate and cheaper – they have become a cost-effective option for a growing number of use cases. And as with other digital technologies, the rapid rise of mobile-device availability and use has accelerated the advancement of biometrics.

Rapid Improvement in Sensor Quality and Accuracy

As recently as the early 2000s, biometric technology lacked the consistent accuracy and ease of use necessary for widespread commercial applications. For example, tests of several biometric devices conducted and reported in 2000 showed actual FARs ranging from 0% to 6% and FRRs ranging from 8% to 70%, indicating relatively high and varied rates of false accepts and rejects.20 Sensors were once difficult to control, thwarted by minor variances that would obscure captured data. Early biometric deployments frequently had trouble extracting the minutiae of a fingerprint, which would undermine the entire authentication process. Early technology also operated at much slower speeds.21


The accuracy and performance of biometric sensor technology have increased considerably in recent years. Today, many consumer mobile devices are capable of scanning fingerprints with ease and are equipped with cameras and microphones so powerful that they can capture data at minute levels. Wells Fargo Bank’s eye-scan technology, for example, works so quickly that the developers had to slow it down so that customers would know it had actually registered their identities.22 Citibank’s voice-recognition system takes only 15 seconds to capture enough information about a customer’s vocal patterns to validate his or her identity.23 This voice imprint template shortens the time that customers spend identifying themselves to a Citibank call-center representative, with traditional methods typically taking 45 seconds. Despite these improvements, accuracy of biometric systems depends on a number of factors, such as the type of biometric data used, the maturity of the technology, and environmental conditions (e.g., noise for the voice modality and lighting conditions for the face modality).

Decreasing Costs

Lower implementation costs have also driven the increased use of biometrics. Before biometric sensors became widely available through smartphones, implementation costs were prohibitively high, with sensors costing thousands of dollars to install; the required large-scale data storage added further expense.24 To capture biometrics, companies had to pay to distribute the necessary technology to tens of millions of customers, and the lack of industry standardization contributed to the high cost. In comparison with other authentication measures such as passwords and PINs, the costs outweighed the benefits in most cases.

Today, less expensive sensors in smaller forms allow modalities that were previously too expensive to develop and too large for mass deployment to be available to millions of users via mobile devices.25 More complicated modalities, such as behavioral biometrics, are also poised to grow. Although only 22% of U.S. companies currently use behavioral biometrics, 54% plan to implement behavioral biometrics in the future, with decreasing costs making these technology applications more economically feasible.26

3.2 Increasing Consumer Familiarity and Demand

The ease and convenience of biometric authentication, in addition to its security advantages, are powering its rapid growth and adoption. For example, many consumers adapt with relative ease to authentication methods that seem familiar, such as selfie-like facial recognition and fingerprint recognition that require only a touch of a button on a smartphone.27 Fingerprint recognition is now the form of biometric payment most favored by European consumers for its ease of use and security.28 When asked how secure they think an authentication method is, over 81% of European consumers said they view fingerprint authentication as a secure form of payment, followed by iris scanning at 76%.29 Authentication occurs within seconds, and some modalities like iris recognition can be used without physical contact.

Previously, the inconsistent accuracy, high manufacturing cost, and fragmented deployment of biometric authentication yielded a limited number of commercial applications. As a result, consumers only rarely encountered biometrics, and thus were relatively unfamiliar with the technology. Naturally, consumers were averse to entrusting unfamiliar technology with their personal data, even after the technology became more accurate and secure. Over the years, several large-scale biometric deployments helped carry the technology into the mainstream in a number of markets – for example, implementation of vein readers at ATMs in Japan and Brazil in the mid-2000s and the inclusion of Touch ID in the Apple iPhone 5S, launched in 2013 in multiple countries. In September 2017, Apple introduced its own facial-recognition program, Face ID, that unlocks its new iPhone X, replacing the Touch ID fingerprint authentication system on many of its other models.30 Given Apple’s influence in the mobile industry, its move to promote facial recognition could raise the profile of this biometric authentication modality.

[Figure: Forecast: Biometrics-Enabled Share of U.S. Smartphone Installed Base, in Millions, 2013-2021. Y-axis: Biometrics-enabled smartphones in the U.S., in millions (0 to 250); x-axis: 2013, 2014, 2015E through 2021E. Series: Smartphone installed base; Biometrics-enabled smartphones. Annotations: 100% of iPhones are biometrics-enabled; 100% of Androids are biometrics-enabled. Source: Business Insider Intelligence, “Biometrics in the Payments Industry,” July 2016. www.businessinsider.com/the-biometrics-report-2016-7.]

3.3 The Dramatic Rise of Mobile Devices

Rising mobile-phone use and improved mobile technology have also played key roles in driving the adoption of biometrics. Increasing levels of commerce and communications are taking place over digital and mobile channels. For example, in 2017, 77% of Americans owned a smartphone, compared to 35% in 2011.31 Many smartphones now have high-quality biometric sensors, making the technologies for biometric collection more widely available and literally placing them in the hands of users.

In 2013, the biometric landscape changed completely with Apple’s launch of the iPhone 5S, which came equipped with Touch ID, a fingerprint sensor and biometric-matching software.32 Consumer trust in the Apple brand, coupled with the device’s ease of use, triggered a wave of consumer and business interest in the technology. Soon after the release of the iPhone 5S, other manufacturers rushed to build and promote their own devices equipped with fingerprint authentication, such as Samsung with its Galaxy S5 phone. According to Apple, 89% of users with Touch ID-enabled iPhones use the fingerprint scanner to unlock their devices.33 This feature can also be used by individuals to access accounts and confirm payments or transactions via their mobile devices. Acuity Market Intelligence estimates that nearly 1 billion biometric smartphones were in use in 2016, representing 40% of the global smartphone market. Acuity expects this percentage to grow to 100% of the 2 billion smartphones shipped annually within two years, reaching 100% installed-base penetration by 2022.34 Fingerprint scanning leads authentication methods in customer confidence, in both the proportion of consumers who believe it to be effective (49%) and consumers willing to use the solution (65%).35 Fingerprint scanning also appeals to customers because of its nearly frictionless experience, especially as deployed in Touch ID, where the iPhone typically unlocks within a second of placing a finger on the phone’s home button.

New modalities are being tested as well. The Samsung Galaxy S8 smartphone features facial-recognition and iris-scanning biometric authentication methods.36 Mobile growth also extends to wearables such as smartwatches and fitness activity trackers, which are equipped with sensors that enable the electronic collection and exchange of biometric data with other devices. Gartner, Inc., a technology research and advisory firm, predicts that 50% of consumers in mature markets will use smartphones or wearables for mobile payments by 2018.37 Wearables offer unique benefits as authentication devices, as they have the ability to collect behavioral biometric data on a near-continuous basis.

3.4 Dual Objectives: Security and Convenience

The proliferation of data and emerging technologies is enabling new secure and convenient authentication methods. Biometrics complement traditional forms of authentication such as passwords and PINs – which, while familiar, are susceptible to being forgotten, lost, hacked, or skimmed. Researchers recently found that requirements for frequent password changes meant to increase access security actually result in weaker security.38 Complicated passwords are easily forgotten, as well as inconvenient to reset.39 As an authentication method, biometrics are more complex, making them more difficult for fraudsters to operationalize. And, because biometrics are inherent to the account holder, they can’t be forgotten.

As fraudsters have grown more adept at targeting traditional authentication data points, the payments industry has developed new technologies to enhance security in the ecosystem. For example, the adoption of EMV-enabled chip cards has helped decrease fraud at the card-present point of sale (POS).40 However, fraud in the card-not-present (CNP) environment is increasing due, in part, to authentication challenges for online transactions.41

For CNP transactions, biometrics could improve customer authentication compared with more common methods such as static passwords and security codes (i.e., the three- or four-digit code on the front or back of most credit and debit cards). For example, consumers could authenticate online transactions using their face through their device camera, via voice through the device microphone, or using the device’s integrated fingerprint reader. Biometrics can also be deployed to improve authentication for mobile-based payments. In the U.S., the Federal Financial Institutions Examination Council (FFIEC) notes that financial institutions may consider leveraging biometrics to enhance authentication for mobile financial services.42

These technologies are being pursued to augment the evolving toolkit of authentication options available to financial institutions, merchants, and other businesses. Technology advancements can provide a broader range of data elements for authentication purposes – not only biometrics, but other data points such as IP addresses and device IDs. This additional information provides opportunities to enhance layered approaches to payment security with complex verification methods, which can strengthen defenses against data breaches and fraud.

3.5 Government Focus on Identity Verification & Financial Inclusion

As biometric technologies have become more affordable and widespread, governments have turned to them to pursue social policies such as delivering public services more efficiently, combatting fraud within benefits programs, and bringing more people into the formal economy. A number of governments are implementing or exploring digital identity programs that incorporate biometrics. With over 1 billion participants enrolled, the Unique Identification Authority of India (UIDAI), also known as the Aadhaar project, maintains the world’s largest biometric database.43 Citizens receive a unique identification number linked to their fingerprints and iris scans, which are collected during an enrollment process and stored in a central repository. The scheme helps identify those entitled to government services, as well as those fraudulently receiving benefit payouts. Other countries such as Nigeria and Tanzania are studying the Aadhaar scheme to assess the potential benefits of migrating to biometrics to expand identity verification and social services to their citizens.44

Governments around the world are increasingly turning to biometric-identity management systems to protect citizens from identity theft and help prevent criminals and terrorists from using fraudulent identification documents. In a number of U.S. states – including Illinois, New York, and California – governments are fighting fraud by incorporating facial-recognition technology into the identification processes used by their Departments of Motor Vehicles. In Illinois, the technology supported a database of facial-recognition information that helped detect thousands of fraud cases, including financial crimes and, on occasion, auto-theft rings, gang activity and welfare fraud.45 In many cases, fraudsters were using multiple identities to commit crimes and escape detection.

Financial institutions and governments are also leveraging biometrics to advance the financial inclusion of underserved and unbanked populations. According to the World Bank, around 2 billion people across the globe do not use formal financial services and more than 50% of adults in the poorest households are unbanked.46 Biometrics can help overcome fundamental challenges to financial inclusion (e.g., unbanked people may not have the formal identity cards required by financial institutions). Coupled with tiered know-your-customer requirements, biometrics can facilitate a smoother identity verification process for unbanked consumers. There are challenges to consider, however, including the cost of the biometric-related product (which may impact affordability for unbanked communities) and connectivity issues (which may impact reliability).

4 Biometrics in the Payments Ecosystem

This section describes the outlook for the use of biometric authentication and presents selected examples of biometric deployments in payments around the world.

4.1 Outlook for the Use of Biometric Authentication

The outlook for the use of biometric authentication in payments is positive. Biometrics are, in many ways, an ideal authentication solution for consumer payments – offering both convenience and security. The popularity of biometric technology as both a security measure and a tool of convenience is expected to drive its commercial growth, especially in trusted industries such as the financial sector.

Goode Intelligence predicts there will be 1 billion users of mobile biometrics for financial services by 2020 – a 300% increase from 2015.47

Juniper Research expects that biometrics will be used for over 18 billion transactions by 2021, growing at a compound annual growth rate of 83.7% from 2016 levels.48 Juniper also expects that the value of biometrically verified smartphone payment transactions across the globe will exceed $210 billion in 2021.49

[Figure: Value of Biometrically Verified Smartphone Payment Transactions, Per Annum in Millions, 2016-2021. Regions: North America; Western Europe; Far East & China; Rest of Asia-Pacific; Latin America; Central & East Europe; Indian Subcontinent; Africa & Middle East. Vertical axis: $0 to $250,000. Source: Juniper Research, “Mobile Biometrics: Consumer Markets, Opportunities & Forecasts 2016-2021.” December 2016.]

4.2 Benefits of Biometric Authentication for Payment-System Participants

Biometric technologies offer tangible benefits for payment-system participants, such as a more convenient payment experience and enhanced security, particularly when used as part of a layered approach to payment security that is commensurate with the risk presented. The following chart summarizes the key existing and potential future benefits of biometric authentication for payment-system participants:

Consumers
Security: Compared to passwords and PINs, authentication methods such as biometrics enhance security for consumers by making it more difficult for criminals to steal and deploy payment data.
Convenience: Over 40% of Europeans say that biometric authentication could eliminate the need for multiple passwords and PINs.50 Because biometrics are inherent to the account holder, they can’t be forgotten. Biometrics can also streamline cardholder verification for operational processes (e.g., leveraging voice recognition to authenticate customers contacting a call center), limiting the use of weaker identity-verification solutions such as security questions and reducing customer frustration with the authentication process.

Merchants
Security: By strengthening their payments environment through complex authentication solutions like biometrics, merchants can strengthen their defenses against data breaches and fraud.
Improved Customer Experience: Biometrics can reduce friction in payment transactions and improve the customer experience in both in-store and online transactions, helping to generate more sales. Subject to applicable privacy laws, using biometrics can also help merchants differentiate their services to consumers looking for more convenient and secure payment options.

Financial Institutions and Payment Providers
Security: Financial institutions and other payment providers can leverage biometrics to enhance security for payment transactions and operational processes involving customer authentication, as well as to limit false declines.
Improved Customer Experience: The improved customer experience tied to biometrics can lead to higher card usage, helping generate more revenue for financial institutions and other payment providers. Using biometrics can also help these entities differentiate their services to consumers and businesses looking for more convenient and secure payment options.

Policymakers and Governments
Security: The use of biometrics in the payments ecosystem can help governments meet policy objectives, including enhancing security and trust in the payments ecosystem. By making it more difficult for fraudsters to steal and deploy payment information, biometrics can support policymaker goals of preventing breaches of payment-card data and combatting fraud. For example, biometrics can help with proof of life for welfare, pension and other government disbursements.
Promoting Electronic Payments: By making payments more convenient and seamless, biometrics can help drive the adoption of electronic payments and enable digital and mobile commerce.

Realizing these benefits requires cooperation across stakeholders. Cooperation can help foster trust across ecosystem participants and incentivize the significant investments required to support the ongoing development of biometric authentication technologies.
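Sections 3.4 and 4.2 describe biometrics as one element of a layered approach to payment security, combined with signals such as device IDs and IP addresses and applied in proportion to the risk of the transaction. The following Python is an added example of what such a decision layer looks like; it is not code from the report or from any institution or vendor named in it. The signal names, the score thresholds, the risk weights and the sample transactions are all assumptions constructed for illustration, and the biometric match score is taken as an input rather than computed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set
import ipaddress


class Decision(Enum):
    APPROVE = "approve"
    STEP_UP = "step_up"    # require an additional factor (e.g., OTP or PIN) before approving
    DECLINE = "decline"


@dataclass
class AuthContext:
    """Signals available at authorization time (all values constructed for this example)."""
    device_id: str
    ip: str
    amount: float
    # Similarity score from a biometric matcher, 0.0..1.0; None means no biometric was presented.
    biometric_score: Optional[float] = None


@dataclass
class CustomerProfile:
    known_devices: Set[str]       # device IDs previously enrolled by the customer
    home_networks: List[str]      # CIDR blocks the customer normally transacts from


# Hypothetical policy values; a real issuer would tune these against measured error rates.
BIO_MATCH_THRESHOLD = 0.90    # below this the biometric counts as a non-match
BIO_STRONG_THRESHOLD = 0.97   # at or above this the biometric is trusted to offset a new device
LOW_VALUE_LIMIT = 50.0
HIGH_VALUE_LIMIT = 1000.0


def ip_in_home_network(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def risk_score(ctx: AuthContext, profile: CustomerProfile) -> int:
    """Add up the non-biometric signals into a 0..100 risk score (higher is riskier)."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += 40                       # unrecognised device ID
    if not ip_in_home_network(ctx.ip, profile.home_networks):
        score += 20                       # unfamiliar network
    if ctx.amount > HIGH_VALUE_LIMIT:
        score += 30
    elif ctx.amount > LOW_VALUE_LIMIT:
        score += 10
    return score


def decide(ctx: AuthContext, profile: CustomerProfile) -> Decision:
    """Layered decision: the biometric is one factor, weighed against device, network and amount."""
    # A failed biometric comparison is a hard stop; other signals never rescue it.
    if ctx.biometric_score is not None and ctx.biometric_score < BIO_MATCH_THRESHOLD:
        return Decision.DECLINE

    risk = risk_score(ctx, profile)
    bio_ok = ctx.biometric_score is not None          # present and at/above the match threshold
    bio_strong = bio_ok and ctx.biometric_score >= BIO_STRONG_THRESHOLD

    if not bio_ok:
        # Without a biometric, only a low-value payment from a known device and network passes.
        if risk == 0 and ctx.amount <= LOW_VALUE_LIMIT:
            return Decision.APPROVE
        return Decision.STEP_UP
    if risk >= 60:
        # New device on an unfamiliar network: even a matching biometric is not sufficient alone.
        return Decision.STEP_UP
    if risk >= 40 and not bio_strong:
        return Decision.STEP_UP
    return Decision.APPROVE


def demo() -> List[Decision]:
    """Run a few constructed transactions through the policy (sample data, not real customers)."""
    profile = CustomerProfile(known_devices={"dev-A"}, home_networks=["192.0.2.0/24"])
    cases = [
        AuthContext("dev-A", "192.0.2.10", 20.0, biometric_score=0.98),    # everything familiar
        AuthContext("dev-A", "192.0.2.10", 20.0, biometric_score=0.50),    # biometric non-match
        AuthContext("dev-B", "198.51.100.7", 20.0, biometric_score=0.98),  # new device, new network
        AuthContext("dev-B", "192.0.2.10", 20.0, biometric_score=0.92),    # new device, weak match
        AuthContext("dev-A", "192.0.2.10", 500.0),                         # no biometric, mid value
        AuthContext("dev-A", "192.0.2.10", 5000.0, biometric_score=0.98),  # high value, strong match
    ]
    return [decide(c, profile) for c in cases]


if __name__ == "__main__":
    for d in demo():
        print(d.value)
```

The design point is that a biometric non-match is terminal, while a match is never the sole basis for approval when the remaining signals are unfamiliar; the step-up outcome is where a PIN, one-time code or a second modality would be requested, matching the "commensurate with the risk presented" framing in section 4.2.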

5 Selected Deployments of Biometric Authentication in Payments and Financial Services

Biometric authentication technology is deployed for various uses in the payments ecosystem across the world. Several regions in particular have undertaken extensive biometric implementations. These have included deployments designed, for example, to ease customer authentication for online payments in Canada, streamline bank-employee activities in the Middle East, and facilitate regulatory compliance in the European Union. The following maps highlight selected examples of biometrics use in payments and financial services.


5.1 The Americas

New payment developments in Canada include the use of iris scans and voice recognition to authenticate customers in the mobile space. Another initiative is the Bank of Montreal’s biometric corporate-card program, which allows cardholders to use facial recognition and fingerprint biometrics to authenticate online purchases with greater security and convenience.52

In the United States, consumers use biometrics for authentication through a number of mobile wallets during debit and credit transactions. Similarly, a growing number of U.S. banks have implemented fingerprint recognition for authenticating account access and financial transactions and are actively exploring other consumer-friendly modalities, including retina-based eye scanning and voice recognition.53

Bancolombia’s mobile banking service, Nequi, recently became the first in Colombia to deploy mobile biometrics for authentication. The service relies on U.S. fintech company Daon’s IdentityX platform to identify customers through facial-recognition technology. Users authenticate with a selfie when changing devices or SIM cards, resetting passwords, or reactivating an account. The use of biometrics removes friction from the authentication process.54

Brazil is a world leader in the use of biometrics among consumers, with banks deploying biometric-authentication-capable ATMs since 2006.55 Brazilian banks were responding to the widespread opening of fraudulent bank accounts and turned to biometrics to ensure the identities of account holders and protect their accounts. The majority of Brazilian banks now use some form of biometrics to authenticate users, though standards to promote interoperability and wider adoption are lacking.56

In 2013, Banco Supervielle, a large bank in Argentina, began installing fingerprint sensors across its network of branches to facilitate the easy and secure transfer of retirement funds to retirees.59 The new sensors simplified an extensive, complex authentication process that had been instituted to combat fraud (e.g., relatives of retirees receiving pension funds after the death of the retiree).

In July 2016, Banco Inbursa announced plans to introduce biometric facial-recognition technology on its mobile banking application and web platform.57 Banco Inbursa, the first financial institution to offer facial-recognition technology in Mexico, signed a deal to use technology offered by the Spanish facial-recognition solutions provider, FacePhi, which has signed similar deals with banks in other countries – such as Costa Rica, Ecuador, and Guatemala – over the past few years.58


5.2 Europe

Dublin, Ireland-based startup Touchtech Payments is one of the first technology companies in Europe to develop a solution that utilizes fingerprinting and retinal scanning to authenticate individuals conducting online payments.64 The company’s technology seeks to help increase online purchase completion rates, given that approximately one-third of online transactions are abandoned because users have forgotten their passwords.65

In 2015, ING became the first bank in the Netherlands to introduce voice-activated payments through its mobile banking application, leveraging voice biometrics technology from Nuance Communications.62 With this enhancement, customers can initiate payments using either voice biometrics or fingerprint recognition.

In the United Kingdom, banks are implementing fingerprint recognition, voice recognition, and other biometric authentication solutions on mobile applications. In 2015, Halifax Bank, owned by Lloyds Banking Group, tested the use of a wristband to identify customers by authenticating electrocardiogram (heartbeat) signals.66 HSBC has deployed facial recognition to verify the identity of new account holders; with almost half of all new accounts opened online, the technology allows customers to open an account with a selfie. HSBC expects the process to “become the verification method of choice for its customers.”67

In March 2016, France’s data protection regulatory organization, CNIL, approved La Banque Postale to use a voice biometrics solution by Talk to Pay to authenticate card-not-present transactions for customers. To make an online payment, customers receive an automated phone call in lieu of entering personal information such as name, card number, and expiry date.68 After verifying his or her identity by pronouncing a predetermined sentence, the customer receives a random cryptogram online to finish the transaction. La Banque Postale deployed the program in June 2017.

A number of banks in Germany (e.g., Deutsche Bank and Norisbank) have incorporated Apple’s Touch ID into their mobile banking applications. With Touch ID, customers can gain access to banking services without needing to enter a password.60 Outbank, an independent multi-banking application that supports more than 4,000 banks in Germany, Austria and Switzerland, also offers Touch ID access.61

In Russia, the Ministry of Telecom and Mass Communications and the Central Bank of Russia are partnering with Rostelecom to implement the National Biometric Platform (NBP), a pilot project that will allow banks to use biometric identification techniques on clients using a federal information system (the Unified System of Identification and Authentication, or USIA) to verify remote bank-account applications and deliver other banking services.63 To register for remote identification through USIA and NBP, a bank customer visits a branch to undergo the identification process. Once the personal digital profile (including biometric data) is created, the customer will be able to open accounts remotely and access other financial services offered by banks registered with the pilot.


5.3 Africa and the Middle East

Ghana is in the midst of transforming its banking system to provide access to financial services for the unbanked and the underbanked. To promote financial inclusion, payment-solutions provider Ingenico Group is partnering with a number of local agencies and organizations to extend access using biometric-enabled POS devices; as of summer 2016, some 6,000 terminals had been deployed to enable services such as payments, salary disbursement, cash withdrawals, and bill payment.69

In February 2017, Emirates NBD – a bank based in Dubai, United Arab Emirates – announced a biometric-signature option for customers using specially equipped tablets at branches. The biometric signature aims to more quickly identify customers and thus streamline interactions with bank agents. Bank staff will use the biometric tablets in conjunction with Cockpit, a digital system that allows staff to view customer profiles in a consolidated dashboard.72

In 2016, Standard Chartered announced plans to roll out fingerprint biometric technology to several markets in Africa (Botswana, Ghana, Kenya, Nigeria, Tanzania, Uganda, Zambia, and Zimbabwe).70 Through the Standard Chartered mobile application, clients using touch login can immediately access the bank’s full range of mobile banking services with a registered fingerprint in place of ID and password.

In South Africa, the South African Social Security Agency (SASSA) oversees a biometric grant-disbursement program. The program aims to reduce fraud losses and administration costs and to promote financial inclusion throughout the region. The solution features a biometric-enabled chip card. The cardholder may withdraw the disbursement at SASSA cash pay-points, ATMs, and participating merchant stores.71

In 2016, the Guaranty Trust Bank of Kenya introduced fingerprint authentication to its mobile banking application. Bank executives stated that adding fingerprint recognition was key to providing customers with confidence in the ability to transact securely on its platform. The mobile application also provides customers with secure access to card services, including the ability to check card balances, pay and top up cards, stop card payments, and generate card statements.73


5.4 Asia-Pacific

In China, the online payments market has experienced significant growth over the past few years. The rapid adoption of online payments by Chinese consumers has led payments systems – most notably Alipay, Tenpay, and WeChat Pay – to use innovative biometric techniques to provide consumers a secure and uninterrupted user experience. Alipay uses facial recognition, and its parent Alibaba uses biometrics to recognize eye patterns, irises, palm prints, and handwriting.75

India’s Aadhaar project provides over 1 billion citizens a unique identification number linked to their fingerprints and iris scans. The project’s objective, to provide “proof of identity” to prevent welfare fraud and promote financial inclusion, is being leveraged to support payments initiatives, including the use of biometrics for authentication of POS and ATM transactions. In April 2017, the government launched Aadhaar Pay for merchants, which can facilitate payments and authenticate Aadhaar-enrolled consumers using a biometric reader at the merchant’s point of sale.76

At the end of January 2017, Thailand’s government began rolling out a national e-payment system to reduce the country’s reliance on cash and to support Thailand’s digital-economy policy.77 Additionally, the Bank of Thailand notified financial institutions that customer password-verification protocols would need to be updated due to increased instances of fraud.78 In light of these developments and the subsequent increasing demand for secure mobile payments, Samsung launched its biometric-backed Samsung Pay (leveraging fingerprint recognition) in the beginning of February 2017 to enable consumers to purchase items securely with their phones without cash. This was the company’s first Southeast Asian deployment.79

In Australia, Telstra is experimenting with blockchain technology, combined with facial and voice authentication, to add a layer of security for access to its mobile application.84 Australia’s government has explored wider use of biometric technology in airports, for visas, and in a new digital identity framework.

In Malaysia, in addition to using biometrics at ATMs, banks are using voice recognition for customer authentication when contacting call centers, alleviating the need for traditional PIN-and-security-question protocols and allowing customers to authenticate without any action other than speaking.82 Customers opt in to the program by recording their voice, with usage expected to save approximately 30 seconds per call.83

The Korea Internet & Security Agency announced in 2017 that it was developing a system for mobile banking authentication using a combination of a fingerprint, heart rate, and electrocardiogram.74 The biometric authentication technology reads heart rates and electrocardiograms on an individual’s smartwatch and then sends the information to his or her smartphone. The user then unlocks the smartphone with his or her fingerprint, enabling the use of mobile banking.

Banks in Japan have a well-established culture of using biometrics for authenticating customers. The government is testing a biometrics-based payment system that will allow foreign tourists to verify their identity and make purchases during the 2020 Tokyo Olympics.80 Tourists registering their fingerprints and credit card information will be able to transact without cash or cards at establishments located in tourist locations.81


6 Biometrics Legal Landscape

Over the last decade, governments have taken steps to incorporate biometrics into their respective legal frameworks. A common approach has been to apply existing laws covering the collection and sharing of personal data to the context of biometrics. This section provides an overview of the legal landscape in this area.

6.1 Overview of Biometrics-Related Laws

Laws related to biometrics typically revolve around issues of privacy, data protection, and consumer consent and disclosure. Where markets have existing laws covering these issues, some governments have expanded their application to biometric data – for example, adding biometric information to the legal definition of sensitive personal data. Common legal provisions for sensitive personal data include requirements that entities obtain consent before collecting covered data and before sharing that data with a third party. The following chart summarizes select laws and guidance related to biometrics.

SUMMARY CHART OF SELECT LAWS, REGULATIONS AND GUIDANCE FOCUSED ON BIOMETRICS

MARKET KEY POINTS DETAILED DESCRIPTION APPLICABILITY

Australia Voluntary privacy code.

Builds on existing National Privacy Principles.

Developed and later amended with government-industry dialogue.

Companies and government agencies voluntarily sign on to the code. Some companies use the code as a reference point for privacy planning, though the number of signatories has remained low.

European Union

The current EU Data Protection Directive (Directive 95/46/EC) framework does not expressly address biometric data and does not include biometrics in the definition of “personal data.”

However, the General Data Protection Regulation (GDPR), which takes effect in May 2018, does include a definition of biometric data and includes biometric data in the list of special categories of personal data (i.e., sensitive personal data).

Australia instituted a Biometrics Privacy Code in 2006, with updates in 2015 and 2017. The code was based on privacy standards outlined in Australia’s National Privacy Principles (a section of Australia’s 1988 Privacy Act that regulates the handling of personal information), but also incorporated higher standards of privacy protection, including additional notice obligations and measures to secure the data.

The body responsible for developing the Privacy Principles, the Biometrics institute, is a membership organization comprised of government agencies and private companies. The government worked with the institute to revise the code in 2015 and 2017 and provide clarity around implementation responsibilities of the public and private sector, and across Australian state lines.

Current directive does not expressly address biometric data.

Forthcoming regulation will be applicable to all companies holding data on EU citizens.

Page 24: Biometric Authentication in Payments · Biometric Authentication in aments 2 2.1 What Are Biometrics? 2.2 What Is Authentication? 2.3 How Does Biometric Authentication Work? 2.4 Biometric

Biometric Authentication in Payments 24

Hong Kong

India

Japan

In 2015, the Office of the Privacy Commissioner for Personal Data (PCPD) issued guidance establishing that biometric data should be considered personal data, and that it should only be collected when necessary and not excessively. The guidance states that biometric data should only be collected when there is a clear legal purpose; the collector should conduct an analysis to determine whether biometric technology is essential; data should be secured; and the collector should establish a retention period and delete the data once it is no longer needed for the original purpose.86

Beyond this guidance, Hong Kong does not have a law formally distinguishing “sensitive” data from other personal data.

In 2011, India introduced rules on “sensitive” personal data, including biometrics, to an existing national law called the Information Technology Act, 2000. The rules require that any private or public entity obtain written consent, by fax or email, before collecting “sensitive information”; obtain consent before sharing information with a third party; and establish security practices to secure the data. The rules permit transborder data flows of “sensitive” personal data if: (a) the country to which the data is flowing provides the same level of data protection as India, (b) the transfer is necessary for the performance of a lawful contract between the body corporate or any person acting on its behalf, and (c) consent has been obtained.

In 2003, Japan adopted a data and privacy law called the Act on the Protection of Personal Information (APPI). In 2015, Japan amended the APPI to specifically classify biometric data as “personal identifier code.” The APPI states that an entity handling personal data, including personal identifier code, must communicate the purpose of collecting the data; keep collected data safe and secure; obtain consent to share the data with a third party (specific consent

Government-issued guidance defines biometric data as “personal data.”

No formal law distinguishing “sensitive” data from other personal data.

Government added rules on “sensitive” personal data to an existing national law.

Government amended an existing law to classify biometric data as “personal identifier code.”

Nonbinding, though degree of adherence to the code will be taken into account in any case related to data privacy laws.

Binding for all public and private entities.

Binding for any entity operating in Japan.

SUMMARY CHART OF SELECT LAWS, REGULATIONS AND GUIDANCE FOCUSED ON BIOMETRICS

MARKET KEY POINTS DETAILED DESCRIPTION APPLICABILITY

The GDPR prohibits the processing of biometric data for the purpose of uniquely identifying a person unless one of 10 exemptions for processing special categories of personal data applies. For example, the processing of biometric data is permitted where the data subject has given explicit consent to the processing. If explicit consent is relied upon, then the GDPR places the burden on the data controller to demonstrate that the consent is: active and freely given; under terms that are easy to understand; simple to withdraw; and provided for each individual processing activity.

The GDPR also allows EU member states to introduce further conditions, including limitations, regarding the processing of biometric data.85

Forthcoming regulation (effective May 2018) defines biometrics as “sensitive personal data.”

Page 25: Biometric Authentication in Payments · Biometric Authentication in aments 2 2.1 What Are Biometrics? 2.2 What Is Authentication? 2.3 How Does Biometric Authentication Work? 2.4 Biometric

Biometric Authentication in Payments 25

will be required in the case of cross-border transfer); obtain consent to use the information for a purpose that is beyond the reasonable scope of the purpose that was initially communicated; and retain records of receipt and provision of the data. The foregoing amendment to the APPI came into effect in May 2017. For data collectors in the financial services industry, the APPI and Financial Services Agency require consent to be in writing.

SUMMARY CHART OF SELECT LAWS, REGULATIONS AND GUIDANCE FOCUSED ON BIOMETRICS

Market: South Africa
Key points: Government included biometrics in the definition of personal data.
Detailed description: In 2013, South Africa enacted the Protection of Personal Information Act (PoPI), its first law around the protection of personal data. PoPI includes biometrics within its definition of personal data. It requires any public or private body to obtain permission before collecting personal data and to take adequate measures to secure that data. PoPI is modeled after the EU Data Privacy Directive.
Applicability: Binding for any entity operating in South Africa.

Market: United States
Key points: No general national law regarding the collection of biometric information. However, financial institutions must meet strict privacy requirements. Small number of biometric-specific state laws.
Detailed description: At the federal level, the United States does not specifically regulate commercial collection and use of biometric data. Generally, federal law does not require companies that collect such information to follow specific standards for verifying data accuracy; and in most contexts, there is no legal right permitting individuals to correct, amend, or delete incorrect biometric data.

However, the Gramm-Leach-Bliley Act (GLBA) imposes strict privacy requirements on financial institutions with respect to information about their customers. For example, GLBA requires that consumers be provided with notice and an opportunity to opt out when customer information is disclosed to nonaffiliated third parties. GLBA also requires financial institutions to implement an information-security program that includes safeguards appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of customer information. As a result, a financial institution would be subject to GLBA privacy and data-security requirements when collecting biometric information from a customer in connection with providing a financial product or service to that individual.

A small number of states have laws specifically focused on biometrics (e.g., Illinois,87 Texas,88 and Washington89). The laws impose limitations or requirements for the collection, use, disclosure and security of biometric information. Other state laws on data privacy and protection may apply to biometric information,90 though some explicitly state that the statute is inapplicable to a financial institution subject to or in compliance with GLBA.91
Applicability: No federal law specifically focused on biometrics. Gramm-Leach-Bliley Act imposes strict privacy requirements on financial institutions.


6.2 Applying Laws to Rapidly Evolving Technologies Such as Biometrics

Biometric technologies are rapidly evolving, with businesses and governments continuing to explore new use cases and applications in the payments environment. Applying existing laws to rapidly evolving technology like biometrics presents unique challenges. The benefits and costs associated with the new technology may change quickly, impacting stakeholders in unexpected ways. Striking a balance between diverse policy objectives – for example, protecting consumer privacy, promoting data security and supporting innovation – may also present challenges. Where laws are implemented, those that are technology agnostic and take a principles-based approach can offer policymakers flexibility as technologies evolve and business models change. Where laws differ across jurisdictions, policymaker coordination can enable an operating environment with more clarity and certainty for both businesses and consumers.

7 Advancing Biometric Authentication: Issues for Further Attention

Biometric authentication is gaining wider acceptance for financial and payment transactions. Although the benefits of speed and convenience are significant, progress toward ubiquitous adoption will require additional effort and focus by a range of payment-system stakeholders. In this section, we describe some of the areas for additional attention, including addressing public-interest concerns around accessibility; developing technology standards to support interoperability; supporting layered, risk-based approaches to payment security; and ensuring the security and privacy of consumers’ personal information.

7.1 Standardization and Interoperability

Standardization of biometric authentication is at an early stage. Standardization can help promote innovation in biometric technologies by making it easier for all parties in the payments ecosystem to adopt and deploy new technologies. Many biometric authentication deployments today operate within a closed-loop environment, in which each manufacturer uses its own proprietary algorithms, scanners, and software. This closed-loop approach ensures that the provider controls the overall user experience, but it also results in limited interoperability for consumers and the absence of a common user experience. If an individual grants a company permission to store biometric data using a proprietary biometric template, the data is not portable and is verifiable only by the technology that computed the biometric template upon enrollment. For example, in 2013 Brazil was among the leading countries globally in deploying biometric-enabled ATMs.


However, the closed-loop nature of the deployments limited customers’ use of the more secure biometric authentication method to ATMs deployed by their own bank.92 Open, interoperable biometric authentication systems support a common user experience, while enhancing security.

7.2 Layered, Risk-Based Approaches to Payment Security

In the face of an increasingly advanced cyberthreat landscape, biometrics may be most effective when used as part of a layered, risk-based approach to payment security. A risk-based approach allows entities in the payments ecosystem to focus resources and attention on transactions with higher risk profiles, reducing friction at the point of sale and promoting a positive user experience for the vast majority of legitimate transactions. Layering controls can provide enhanced security, as individuals enroll in biometric systems and conduct transactions using biometric authentication.

To mitigate the potential for identity theft and fraud during enrollment in a biometric system, a variety of approaches may be used to ensure that individuals are, in fact, who they say they are and that the linked biometrics are valid. Applying a risk-based approach to enrollment can help to mitigate the risks. For low-risk deployments, self-registration of biometric information may be appropriate. For higher-risk deployments, a more robust biometric enrollment process may be employed involving a review of official identity documents (e.g., government-issued identification) by a human or software trained in this area.

During transactions, authentication processes may take on many forms, with some requiring active involvement of the consumer and others taking place in the background. For example, consumers may be asked to actively provide two credentials to verify their identity. This two-factor approach leverages a secondary credential to mitigate the vulnerability of a single, often static element such as a PIN or password. However, it adds friction to the payment experience and may have a negative impact on completed sales. The growing range of data available on many payment transactions (e.g., device ID, IP address, and geolocation) provides new elements to strengthen authentication in the background, minimizing disruption to the consumer. Many of these data elements can be incorporated into a risk-based analysis of individual transactions, helping institutions focus fraud-mitigation efforts on higher-risk transactions and reducing friction at the point of sale.
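As an added illustration, not drawn from the paper, the following Go program sketches the risk-based analysis described above: the background signals named in this section (device ID, IP address country, geolocation, transaction size and channel) feed a score, and only transactions above a threshold are asked for an active biometric or a second credential, leaving the majority of legitimate transactions frictionless. The weights, thresholds and cardholder profile are constructed for the example, not a published scheme.

```go
package main

import (
	"fmt"
	"math"
)

// AuthLevel is the authentication layer the issuer asks for on a transaction.
type AuthLevel int

const (
	Frictionless AuthLevel = iota // background signals only, no consumer action
	Biometric                     // one active factor, e.g. a fingerprint
	StepUp                        // biometric plus a second active credential
)

func (a AuthLevel) String() string {
	return [...]string{"frictionless", "biometric", "biometric + second factor"}[a]
}

// Transaction carries the background signals the section lists (device ID,
// IP geolocation, amount, channel). Field names are this example's own.
type Transaction struct {
	AmountCents    int64
	Channel        string // "pos" (card-present) or "online"
	DeviceID       string
	IPCountry      string
	GeoLat, GeoLon float64
}

// CardholderProfile is what the issuer already knows about the customer.
type CardholderProfile struct {
	KnownDevices     map[string]bool
	HomeCountry      string
	HomeLat, HomeLon float64
}

// haversineKm returns the great-circle distance between two points in kilometres.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// RiskScore adds points for every background signal that deviates from the
// cardholder's profile. The weights are illustrative only.
func RiskScore(t Transaction, p CardholderProfile) int {
	score := 0
	if !p.KnownDevices[t.DeviceID] {
		score += 30 // unrecognised device
	}
	if t.IPCountry != p.HomeCountry {
		score += 25 // IP address resolves outside the home country
	}
	if haversineKm(t.GeoLat, t.GeoLon, p.HomeLat, p.HomeLon) > 500 {
		score += 15 // far from the usual location
	}
	switch {
	case t.AmountCents >= 100000:
		score += 30 // transaction size: 1,000.00 or more
	case t.AmountCents >= 20000:
		score += 15 // 200.00 or more
	}
	if t.Channel == "online" {
		score += 10 // card-not-present channel
	}
	return score
}

// RequiredAuth maps the score to an authentication layer, so that only the
// higher-risk minority of transactions is asked for an active credential.
func RequiredAuth(score int) AuthLevel {
	switch {
	case score >= 60:
		return StepUp
	case score >= 30:
		return Biometric
	default:
		return Frictionless
	}
}

func main() {
	profile := CardholderProfile{ // constructed profile
		KnownDevices: map[string]bool{"phone-A": true},
		HomeCountry:  "US", HomeLat: 40.71, HomeLon: -74.01,
	}
	samples := []Transaction{
		{1500, "pos", "phone-A", "US", 40.73, -73.99},     // everyday purchase
		{25000, "online", "phone-Z", "US", 40.73, -73.99}, // new device, mid-size
		{150000, "online", "phone-Z", "RO", 44.43, 26.10}, // new device, abroad, large
	}
	for _, tx := range samples {
		s := RiskScore(tx, profile)
		fmt.Printf("score %3d -> %s\n", s, RequiredAuth(s))
	}
}
```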

7.3 Data Security – Storage and Transmission

A critical decision in implementing and deploying a biometric authentication system is whether the storage and matching of biometric templates take place locally or centrally. The decentralized (or device-based) model enables users to collect and store biometrics on their devices locally. The centralized model involves the collection and storage of biometrics in a central repository, which is used for matching and authenticating access and payment transactions. The advantages and disadvantages of both models are summarized in the table below. Implementing risk management practices and controls that are commensurate with the level and type of risk exposure can help mitigate the risks of either model.

DECENTRALIZED/LOCAL MODEL
Example: Mobile-phone fingerprint identification
Advantages:
- Less attractive as an attack target than a central repository of biometric templates
- Less biometric data at risk in the event of a successful attack
- Does not require the transmission of biometric data
- Supports a higher level of individual choice and control
Disadvantages:
- Lack of software and hardware standardization among different manufacturers
- Need to re-enroll with each new device

CENTRALIZED MODEL
Example: ATMs in Brazil and Japan
Advantages:
- Potential for increased performance and functionality
- Re-enrollment not required for each new device
- Easier to connect individuals to government programs and benefits
- Potential to identify multiple entries for the same individual (i.e., de-duplication)
Disadvantages:
- One successful hack can expose the biometric data of many individuals
- Need to ensure security of data during collection, transmission, and transfer
- Elevated privacy concerns regarding security and use, transfer, and sharing of the data
- Increased latency (the time the biometric system takes to verify a person’s identity)

In the payments environment, the device-based biometric model has gained popularity (e.g., Touch ID on Apple mobile phones) as it provides a secure way to store biometric data on an individual’s device. With Apple Pay, the biometric data does not leave the device’s operating system; biometric data is not transmitted through the network or through the cloud, making it difficult for hackers to intercept. Centralized storage raises the level of concentration risk, since one successful hack can expose the data of many individuals. For payments, secure solutions that store biometric data in a central database or in the cloud require additional research. Providers are continuing to explore new ways to mitigate risk in the centralized storage model.

New technologies are also being developed to address issues such as biometrics “spoofing.” A spoofing attack occurs when a party pretends to be someone else by falsifying data to gain unauthorized access to that individual’s information. For example, soon after the release of Apple’s Touch ID, hackers figured out how to create dummy fingerprints using Play-Doh to fool the technology.93 While feasible, biometrics “spoofing” is rare today and not easily scalable.94 Anti-spoofing measures such as liveness detection, which make it difficult for fraudsters to use a fingerprint copy or a photo to fool biometric sensors, can help to mitigate this risk. A variety of liveness-detection techniques exist, including sensors that detect blood flow or pulse to differentiate spoofed fingerprints from live fingerprints, or cameras that capture 3D structure, micro-movements, or blinking to differentiate between the face of a genuine cardholder and a spoofed facial image of the cardholder.
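An added example, not from the paper, showing in Go the property the device-based model relies on: the template is matched on the device, and the server receives only a signature over a one-time challenge bound to the transaction, so no biometric data is transmitted and a breach of the server store exposes no templates. The challenge-signature exchange is this example's own construction, modelled on the device-bound-key approach of the FIDO specifications mentioned in the appendix (it does not describe how Touch ID or Apple Pay are actually implemented); the template bytes, tolerance and identifiers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math/bits"
)

// Template is a constructed stand-in for a biometric template: a fixed-length
// bit vector. Real templates are vendor-specific and not portable.
type Template []byte

// hammingDistance counts the bits that differ between two captures. A fresh
// capture of the same finger is close to the enrolled template but rarely
// identical, so matching uses a tolerance rather than equality.
func hammingDistance(a, b Template) int {
	if len(a) != len(b) {
		return 8 * (len(a) + len(b)) // a length mismatch is a total mismatch
	}
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// Device holds what stays on the phone: the enrolled template and the private
// key created at enrollment. Neither is ever transmitted.
type Device struct {
	enrolled  Template
	tolerance int
	priv      ed25519.PrivateKey
	pub       ed25519.PublicKey
}

// Enroll stores the first capture locally and mints a per-device key pair.
func Enroll(sample Template, tolerance int) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{enrolled: sample, tolerance: tolerance, priv: priv, pub: pub}, nil
}

// PublicKey is the only enrollment artefact the device registers with the server.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Authorize runs the match locally and, only on success, signs the server's
// challenge bound to the transaction. The signed message carries no biometric data.
func (d *Device) Authorize(capture Template, challenge []byte, txID string) ([]byte, error) {
	if hammingDistance(capture, d.enrolled) > d.tolerance {
		return nil, errors.New("local biometric match failed")
	}
	return ed25519.Sign(d.priv, assertionMessage(challenge, txID)), nil
}

// assertionMessage binds the one-time challenge to the transaction ID so a
// captured signature cannot be replayed for another challenge or payment.
func assertionMessage(challenge []byte, txID string) []byte {
	return append(append([]byte{}, challenge...), txID...)
}

// Server keeps public keys by device ID and no templates, so a breach of its
// store exposes no biometric data (the concentration risk of the central model).
type Server struct{ keys map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{keys: map[string]ed25519.PublicKey{}} }

func (s *Server) Register(deviceID string, pub ed25519.PublicKey) { s.keys[deviceID] = pub }

// NewChallenge issues 32 fresh random bytes for one authentication attempt.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the device's assertion against the registered key.
func (s *Server) Verify(deviceID string, challenge []byte, txID string, sig []byte) bool {
	pub, ok := s.keys[deviceID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, assertionMessage(challenge, txID), sig)
}

func main() {
	dev, err := Enroll(Template{0xF0, 0x0F, 0xAA, 0x55}, 4) // constructed 32-bit template
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("phone-1", dev.PublicKey())
	challenge, _ := srv.NewChallenge()
	sig, err := dev.Authorize(Template{0xF1, 0x0F, 0xAA, 0x55}, challenge, "tx-42") // 1 bit off
	fmt.Println("genuine capture accepted:", err == nil && srv.Verify("phone-1", challenge, "tx-42", sig))
	fmt.Println("same signature on another payment accepted:", srv.Verify("phone-1", challenge, "tx-43", sig))
	_, err = dev.Authorize(Template{0x0F, 0xF0, 0xAA, 0x55}, challenge, "tx-42") // 16 bits off
	fmt.Println("impostor capture:", err)
}
```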

7.4 Consumer Privacy

Consumers are cautious about giving up personal biometric data, which by nature cannot be replaced if compromised. Although consumers have largely grown comfortable with fingerprint recognition, their comfort with more invasive authentication methods such as iris scanning is not as widespread.95 As biometrics usage grows in new and varied ways, issues of transparency and consent become more high-profile. Facial-recognition technology, for example, can already be used inconspicuously without knowledge or consent. Behavioral biometrics involving passive participation (e.g., gait recognition without explicit consumer consent) raise questions about consumer privacy.96 Ensuring that consumer concerns around transparency and consent are addressed will be key to building consumer trust and comfort with biometrics. As outlined in Section 6, a number of governments have begun to incorporate biometrics into existing privacy-related laws.

Government entities collect and store biometric data for a variety of purposes, such as law enforcement. In parallel, organizations focused on consumer privacy, civil liberties and digital rights monitor governments’ ability to use and access biometric information for a variety of purposes, including surveillance, profiling, and criminal prosecutions.ii Protections against surveillance and government access can be complicated by laws that do not translate simply to modern technology. For example, in the U.S., a Virginia state trial court held that an individual can be legally compelled to unlock a smartphone via fingerprint reader, but not with a passcode. The court reasoned that providing a fingerprint was akin to providing a handwriting sample or an actual key, which the law permits; but a passcode requires the defendant to divulge knowledge, which the law protects against.97 Providing clear legal frameworks to manage government access to and use of consumer biometrics will help build consumer trust in the technology and its applications in a range of industries.

7.5 Accessibility and Inclusion

Currently, the use of biometrics in most contexts and jurisdictions is voluntary, requiring that consumers opt in to participate. However, a small number of markets are working to implement more universal biometrics programs (e.g., national identity schemes) that link government services to a person’s digital identity.

For certain populations, such as those with physical limitations, biometric systems – which rely on functional physical body parts or traits to complete the authentication process – can impose barriers to essential services.98

Limitations may stem from physical challenges (e.g., impaired eyes and fingers with limited mobility) or degradation (e.g., worn fingerprints of the elderly or day laborers).

To accommodate users with special needs, policymakers may consider alternatives or fallback options, such as secondary biometric modalities and/or more traditional authentication mechanisms. By addressing these accessibility challenges, policymakers can help ensure that biometric systems serve as inclusive tools to meet policy objectives within their markets.

ii In drafting this paper, Promontory spoke with a small number of civil liberties and digital rights organizations to supplement policy materials reviewed.

8 Guiding Principles on Biometric Authentication for Policymakers

The potential for biometric authentication is strong. As policymakers deepen their understanding of biometrics, related technologies, and their implications, they have an opportunity to support the development of this important tool to enhance security in the payments ecosystem. This section provides guiding principles outlining how policymakers can play a critical role in advancing biometric authentication in their markets.

8.1 Foster Stakeholder Dialogue and Engagement

Cross-stakeholder dialogue on evolving technologies such as biometric authentication solutions helps bring a range of voices to discussions that support advancements in the payments ecosystem. Financial institutions, payment networks, industry associations, merchant groups, consumer organizations, regulatory bodies, academics, and think tanks each have unique perspectives to share on payment-system issues, including challenges that require coordination between various parties (e.g., implementation issues regarding deployment, enrollment, data storage, and interoperability).

Engagement may take a number of forms – roundtable discussions, innovation workshops, open comment periods, and other dialogue and feedback mechanisms – to meet the needs of different stakeholders. By fostering dialogue among these groups and engaging in discussions with them, policymakers can deepen their understanding of technology trends, stakeholder perspectives, and potential congruence with policy objectives. Cross-stakeholder discussions may also help build consensus for collective next steps on key issue areas, lessening the need for regulatory action and other government interventions that could negatively impact the long-term development of these rapidly evolving technologies.


8.2 Support Industry-Driven Standards and Interoperability

Standards support payments innovation by making it easier for all parties in the payments ecosystem to adopt and deploy new technologies. By promoting a standards-based approach to authentication, policymakers can help enable all stakeholders in the ecosystem to benefit and participate. Currently, businesses often use proprietary software and hardware in closed systems, limiting interoperability and creating an inconsistent user experience. Open-consensus bodies such as the International Organization for Standardization (ISO), Fast Identity Online (FIDO) Alliance, and EMVCo are currently working to build standards for the biometrics landscape, which is a step in the right direction. Further work by groups like these, in partnership with industry, is necessary to increase interoperability, define security requirements, and provide a consistent framework to evaluate new technology developments.

As technologies advance and connected devices continue to integrate biometric capabilities, it is critical that biometric-authentication policy remains technology-agnostic. Though fingerprinting may be the most common biometric authentication modality used today, we may not be far from wider use of other modalities – physical or behavioral. A policy focus on specific technologies may limit the ability of businesses to invest in new, innovative solutions to meet the rapidly evolving security and cyberthreat landscape. By supporting principles-based standards not tied to a specific technology, policymakers ensure a lasting framework that can keep pace with both innovation and changing risks in the payments landscape.

Interoperability provides the foundation for open and accessible payment systems, creating efficiencies that benefit all ecosystem stakeholders and making it easier to adopt new technologies. In practice, interoperability in the complex payments environment can be challenging to achieve as it requires significant coordination across stakeholder groups. Policymakers can support interoperability by encouraging dialogue and cooperation among the range of payment-system stakeholders involved in developing standards, innovating payment solutions, delivering financial services, and representing others who participate in the payments ecosystem.

8.3 Reframe Security Discussions to Reflect New Technology Developments

Like all burgeoning technologies, biometrics bring both benefits and risks, many of which are discussed in this paper. The institutions that govern such innovation in the payments ecosystem face the constant challenge of keeping pace with technological change and ensuring the security of the payments system without constraining innovation. Historically, many have viewed security and convenience as competing priorities. Biometric authentication, however, presents an opportunity to develop solutions that provide more convenience to consumers while also enhancing security.

Many next-generation authentication toolkits are being designed to support a layered approach to payment security with complex verification methods that are difficult for criminals to circumvent. This includes not only biometrics, but the physical location of the cardholder, IP address, device ID, and other behavioral and contextual data. Many of these methods operate behind the scenes, enhancing security while providing consumers with a more seamless payment experience.

There is no one-size-fits-all solution to payment-system security. Local market conditions – stage of economic development, existing payments infrastructure, and consumer and business preferences about specific modalities – provide important context for discussions about biometric authentication implementation. Risk attributes – such as transaction size, payment channel, and market category – may also influence the appropriate implementation approach. Policymaker guidance that reflects technology developments and evolving security strategies can strengthen payment-system security, allowing ecosystem participants to leverage innovative solutions and approaches to mitigate risk.

8.4 Provide Legal Clarity for Payment-System Participants

Policymakers around the world are starting to promulgate laws and guidance to govern the collection, use, and storage of biometric data, whether explicitly or as part of wider legal responses. This patchwork of laws, along with the lack of interoperable standards, creates uncertainty for ecosystem participants about current and future obligations related to biometric data. This may, in turn, slow user adoption and inhibit innovation.

By engaging in multi-stakeholder discussions on biometric-authentication developments and concerns before the passage of legal measures, policymakers can help build consensus around governance objectives, including assessing whether non-legislative responses – such as industry standards – may be sufficient. Likewise, by providing clarity about legal issues related to biometric authentication – such as data storage, usage, and transmission – policymakers can promote responsible innovation across the industry. Where existing laws differ or conflict between jurisdictions, policymaker coordination can support a more efficient and certain operating environment for entities in the payment system.

8.5 Lead by Example

Policymakers and governments can send a positive message to consumers and businesses alike by embracing biometric technology in their own products and services. Offering biometric-based payment solutions for consumer and business transactions with government – payments for licenses, registrations, taxes, etc. – can enhance security and improve the customer experience. At the local level, governments can incorporate biometric-based payment solutions for services such as public transportation and utilities.


Conclusion

Biometric authentication is experiencing rapid growth and shows great promise across a variety of financial applications in the coming years. Multi-stakeholder dialogue and partnership on solutions that address current challenges can help drive further adoption. However, biometric-authentication adoption across markets will likely be varied, reflecting different market conditions and user preferences. Policymakers play a critical role in cultivating an environment that supports payment-system innovations – not only in the area of biometric authentication, but across the range of authentication and security solutions being developed and tested by ecosystem participants in various markets.


Appendix: Selected Organizations Working on Biometric Issues in Payments

Current efforts to develop global, interoperable standards for biometric authentication are still at a nascent stage. Several organizations are helping to shape the regulatory outlook on biometrics. However, current efforts have not yet led to a common approach in implementation and deployment. Descriptions of these organizations are provided below.

EMVCo

EMVCo aims to facilitate worldwide interoperability and acceptance of secure payment transactions. It manages the evolving EMV Specifications and related testing processes, including card and terminal evaluation, security evaluation, and management of interoperability issues. This work is overseen by EMVCo’s six member organizations – American Express, Discover, JCB, MasterCard, UnionPay, and Visa – and supported by dozens of banks, merchants, processors, vendors, and other industry stakeholders.

In 2016, EMVCo worked to integrate biometrics as a cardholder verification method (CVM), allowing various biometric verification methods to be integrated into the EMV contact payment flow with limited impact on the acceptance infrastructure.99 The work supports EMVCo’s goal of interoperability by optimizing the existing EMV Integrated Circuit Card Specification for Payment Systems (EMV Chip Specifications) to reduce the impact of implementation. EMVCo is also working with the FIDO Alliance to determine how EMV payment use cases can be incorporated into FIDO Alliance’s technical standards. The focus of this partnership is related to shared cardholder device CVM, for example, using the same biometric method to both open a smartphone and verify a payment made with it.

European Banking Authority (EBA)

The European Banking Authority (EBA) is developing regulatory technical standards on strong customer authentication and secure communication under the second Payment Services Directive (PSD2). Many industry bodies and nongovernmental organizations, such as the FIDO Alliance,100 were invited to join discussions about how to best promote innovation and improve security on payment transactions, while ensuring consumer protection.

FIDO Alliance

The FIDO Alliance is a nonprofit organization formed in 2012. Its mission is to change the nature of online authentication by setting an open, scalable, and interoperable mechanism that supplants reliance on passwords, in order to securely authenticate users of online services.101 FIDO’s primary focus is to develop widely adoptable programs and specifications that can eventually be submitted for formal standardization by recognized standards bodies.

In July 2016, the FIDO Alliance joined efforts with EMVCo on a mobile-payment authentication initiative.102 The two alliances will collaborate and review how FIDO authentication standards can provide simpler and stronger authentication, such as biometric authentication, for EMV-based payments on mobile devices.

The World Wide Web Consortium (W3C) has also been influenced by FIDO Alliance specifications. The W3C First Public Working Draft, which focused on establishing secure web authentication, was published on May 31, 2016. It represented a landmark for the FIDO Alliance in its mission to spread strong authentication around the globe.103

International Organization for Standardization (ISO)

The International Organization for Standardization (ISO) is an independent, nongovernmental standardization body with members from more than 163 countries. ISO plays an important role in the standardization of biometrics. The ISO/IEC JTC 1/SC37 working group focuses on standardizing vocabulary, interfaces, interchange standards, and implementation mechanisms. However, these efforts are generally directed towards government applications. The ISO 19092:2008 Financial Services Biometric Security standards describe a framework for using biometrics for authentication of individuals in financial services. In addition, the ISO/IEC 19794 series focuses on global biometric interoperability. Recent work includes the 2016 ISO/IEC TR 30125, which focuses on biometric personalization and authentication in a mobile environment.

Payments Association of South Africa (PASA)

South Africa recently changed its specifications to facilitate biometric authentication on payment cards. The new specification was published by the Payments Association of South Africa (PASA) in July 2016 and is designed to allow interoperable solutions on various biometric modalities. Industry players are now able to develop solutions compliant with the standard. This development represents an opportunity for the private sector to deploy biometric authentication in commercial applications.104

U.S. National Institute of Standards and Technology (NIST)

The U.S. National Institute of Standards and Technology (NIST) has conducted research on biometric modalities for over 60 years.105 NIST maintains numerous standards and working groups that focus on biometrics. The first standard in biometric authentication was published in 1986 by NIST forerunner the U.S. National Bureau of Standards, on fingerprint use by law enforcement. The ANSI/NIST-ITL standard covers biometric data interchange in military, law enforcement, disaster management, and intelligence applications, but not use of the data.

U.S. National Science and Technology Council (NSTC)

The White House established the National Science and Technology Council (NSTC) Subcommittee on Biometrics and Identity Management (IdM) with the primary objective to advise and assist on policies and procedures. The subcommittee was also tasked with creating plans for federally sponsored biometric and IdM activities. In 2007, the NSTC established a “Policy for Enabling the Development, Adoption and Use of Biometric Standards” in the U.S.106 This policy consists of a framework to reach interagency consensus on biometric-standards adoption for the federal government.


Endnotes

1 Peter T. Higgins, Nicholas M. Orlans, and John D. Woodward, Jr., Biometrics (2003).

2 “Biometrics in Payments: Touching Convenience,” MobeyForum, November 25, 2015, http://www.mobeyforum.org/biometrics-in-payments-touching-convenience/.

3 “The end of plastic cards nears: Over 70,000 ATMS will soon support Touch ID withdrawals,” 9to5Mac, July 15, 2016, https://9to5mac.com/2016/07/15/atm-withdrawals-with-iphone-fis-partnership/.

4 “Diga X: Visa e Banco Neon lançam serviço que permite que consumidores usem a selfie para confirmar compras online” [Say X: Visa and Banco Neon launch a service that lets consumers use a selfie to confirm online purchases], Autenticação Selfie Neon | Visa, https://www.visa.com.br/mais-visa/sobre-a-visa/sala-de-imprensa/autenticacao-selfie-neon.html.

5 “Mastercard makes fingerprint and ‘selfie’ payment technology a reality,” Mastercard Social Newsroom, https://newsroom.mastercard.com/eu/press-releases/mastercard-makes-fingerprint-and-selfie-payment-technology-a-reality/.

6 “Alibaba launch pay by selfie,” Retail Innovation, April 19, 2015, http://retail-innovation.com/alibaba-launch-pay-by-selfie/.

7 “Banks to introduce iris recognition system for mobile banking,” Yonhap News Agency, August 3, 2016, http://english.yonhapnews.co.kr/business/2016/08/03/0501000000AEN20160803007300320.html.

8 “ATMs Use Biometrics to Combat Fraud,” The Balance, February 6, 2016, https://www.thebalance.com/atms-use-biometrics-to-combat-fraud-315794.

9 “Vein Recognition,” FindBiometrics, 2016, http://findbiometrics.com/solutions/vein-recognition/.

10 “How Speech Recognition Works (Microsoft.Speech),” 2017, https://msdn.microsoft.com/en-us/library/hh378337(v=office.14).aspx.

11 “USAA Military Home, Life & Auto Insurance | Banking & Investing,” Welcome to USAA!, https://www.usaa.com/inet/pages/enterprise_howto_biometrics_landing_mkt?akredirect=true.

12 “4 Unique Applications of Voice Recognition,” FindBiometrics, May 25, 2016, http://findbiometrics.com/4-applications-voice-recognition-305180/.

13 “AGNITIO to Address Mobile Transactions and Fraud Detection With Voice ID at Money 2020,” AGNITIO - VOICE ID - VOICE RECOGNITION, October 16, 2015, http://www.agnitio-corp.com/company/news/press-releases/agnitio-address-mobile-transactions-and-fraud-detection-voice-id-money.

14 “VoiceVault Biometrics to Protect Payments,” FindBiometrics, May 13, 2015, http://findbiometrics.com/voicevault-biometrics-to-protect-payments-25131/.

15 Lucian Constantin, “AI-based typing biometrics might be authentication’s next big thing,” PCWorld, January 27, 2017, https://www.pcworld.com/article/3162010/security/ai-based-typing-biometrics-might-be-authentications-next-big-thing.html.

16 “Google plans to bring password-free logins to Android apps by year-end,” TechCrunch, May 23, 2016, https://techcrunch.com/2016/05/23/google-plans-to-bring-password-free-logins-to-android-apps-by-year-end/.

17 “Nymi, TD and MasterCard Announce World’s First Biometrically Authenticated Wearable Payment Using Your Heartbeat,” Marketwired, http://www.marketwired.com/press-release/nymi-td-mastercard-announce-worlds-first-biometrically-authenticated-wearable-2046600.htm.

18 Dominic Basulto, “The heartbeat vs. the fingerprint in the battle for biometric authentication,” The Washington Post, November 21, 2014, https://www.washingtonpost.com/news/innovations/wp/2014/11/21/the-heartbeat-vs-the-fingerprint-in-the-battle-for-biometric-authentication/?utm_term=.d9b5b5890fc0.

19 “Heartbeat Could Be Used as Password to Access Electronic Health Records,” Electronic Component News, January 18, 2017, https://www.ecnmag.com/news/2017/01/heartbeat-could-be-used-password-access-electronic-health-records.


20 Zdenek Riha and Vaclav Matyas, “Biometric Authentication Systems,” Faculty of Informatics, Masaryk University, November 2000, http://www.fi.muni.cz/reports/files/older/FIMU-RS-2000-08.pdf.

21 Stephen Mayhew, “History of Biometrics,” Biometric Update, January 14, 2015, http://www.biometricupdate.com/201501/history-of-biometrics.

22 James Koren, “Cutting Edge: Wells Fargo Looks to Eye-Scan Security,” Los Angeles Times, March 6, 2016, http://www.latimes.com/business/la-fi-cutting-edge-eyescan-20160306-story.html.

23 Tom Groenfeldt, “Citi Uses Voice Prints To Authenticate Customers Quickly And Effortlessly,” Forbes, June 27, 2016, https://www.forbes.com/sites/tomgroenfeldt/2016/06/27/citi-uses-voice-prints-to-authenticate-customers-quickly-and-effortlessly/#b59e285109c2.

24 “BIOMETRICS,” Reference for Business, http://www.referenceforbusiness.com/small/A-Bo/Biometrics.html.

25 Carnegie Investment Bank, “Technology Hardware & Equipment-Fingerprint Cards,” September 8, 2015, http://theleadmagnet.com/CarnegieGoldfinger.pdf.

26 “Beyond the Password: The Future of Account Security,” Telesign, 2016, https://www.telesign.com/wp-content/uploads/2016/06/Telesign-Report-Beyond-the-Password-June-2016-1.pdf.

27 Rachel Gee et al., “Why Lloyds and Mastercard are banking on selfies,” Marketing Week, March 28, 2017, https://www.marketingweek.com/2016/10/17/why-lloyds-and-mastercard-are-replacing-passwords-with-selfies/.

28 “European consumers ready to use biometrics for securing payments,” Visa Europe, July 14, 2016, https://www.visaeurope.com/newsroom/news/european-consumers-ready-for-biometrics.

29 “European consumers ready to use biometrics for securing payments,” Visa Europe, July 14, 2016, https://www.visaeurope.com/newsroom/news/european-consumers-ready-for-biometrics.

30 Seung Lee, “Apple’s iPhone X: Facial recognition called a marvel, and a concern,” September 18, 2017, http://www.mercurynews.com/2017/09/15/apples-iphone-x-facial-recognition-called-a-marvel-and-a-concern/.

31 Aaron Smith, “Record shares of Americans now own smartphones, have home broadband,” Pew Research Center, January 12, 2017, http://www.pewresearch.org/fact-tank/2017/01/12/evolution-of-technology/.

32 Ben Bajarin, “Apple’s Penchant for Consumer Security,” Techpinions, April 19, 2016, https://techpinions.com/apples-penchant-for-consumer-security/45122.

33 Ben Bajarin, “Apple’s Penchant for Consumer Security,” Techpinions, April 19, 2016, https://techpinions.com/apples-penchant-for-consumer-security/45122.

34 Acuity Market Intelligence, “Biometric Smartphone Update,” 2017, www.prnewswire.com/news-releases/biometric-smartphone-market-explodes-in-2016-100-growth-with-346-models-from-87-vendors-300386541.html.

35 Al Pascual, Kyle Marchini, and James Wilson, “The Future of Cardholder Verification Methods: Beyond Chip and Signature,” Javelin, August 2016.

36 Zamira Rahim, “Samsung’s New Galaxy S8 Will Have Facial Recognition Technology,” Fortune.com, March 16, 2017, http://fortune.com/2017/03/16/samsung-galaxy-s8-facial-recognition/.

37 “Gartner Says By 2018, 50% of Consumers in Mature Markets Will Use Smartphones or Wearables for Mobile Payments,” December 15, 2015, http://www.gartner.com/newsroom/id/3178217.

38 Dan Goodin, “Frequent Password Changes Are the Enemy of Security, FTC Technologist Says,” Ars Technica, August 8, 2016, http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/.

39 “DRAFT NIST Special Publication 800-63B, Digital Authentication Guideline,” National Institute of Standards and Technology, 2016, https://pages.nist.gov/800-63-3/sp800-63b.html.

40 “EMV Cards are Proven to Reduce Fraud,” Gemalto, http://www.gemalto.com/emv/fraud#.

41 “EMV One Year Later, and the Rise of Card-Not-Present Fraud,” HPE Security - Data Security, October 27, 2016, https://www.voltage.com/payments/emv-one-year-later-rise-card-not-present-fraud/.


42 FFIEC, “Retail Payment Systems,” FFIEC IT Handbook InfoBase, https://ithandbook.ffiec.gov/it-booklets/retail-payment-systems/appendix-e-mobile-financial-services.aspx.

43 Soutik Biswas, “Aadhaar: Are a billion identities at risk on India’s biometric database,” BBC News, May 4, 2017, http://www.bbc.com/news/world-asia-india-39769322.

44 Rawlson King, “Developing countries demonstrate interest in Aadhaar model,” Biometric Update, September 12, 2016, http://www.biometricupdate.com/201609/developing-countries-demonstrate-interest-in-aadhaar-model.

45 Chandler Harris, “Biometrics Stems Driver’s License Fraud,” Government Technology, 2008, http://www.govtech.com/pcio/Biometrics-Stems-Drivers-License-Fraud.html.

46 “Financial Inclusion Overview,” World Bank, 2015, http://www.worldbank.org/en/topic/financialinclusion/overview.

47 Justin Lee, “Goode Intelligence Names Five Key Drivers of Biometrics Adoption for Financial Services,” Biometric Update, February 4, 2016, http://www.biometricupdate.com/201602/goode-intelligence-names-five-key-drivers-of-biometrics-adoption-for-financial-services.

48 James Moar, “Mobile Biometrics: Consumer Markets, Opportunities & Forecasts 2016-2021,” Juniper Research, December 2016, https://www.juniperresearch.com/researchstore/enabling-technologies/human-interface-biometric-devices/consumer-markets-opportunities.

49 James Moar, “Mobile Biometrics: Consumer Markets, Opportunities & Forecasts 2016-2021,” Juniper Research, December 2016, https://www.juniperresearch.com/researchstore/enabling-technologies/human-interface-biometric-devices/consumer-markets-opportunities.

50 Visa, “Visa Biometric Authentication Study,” 2016, http://bankingreview.nl/download/29157.

51 “Tangerine First Bank in Canada to Launch ‘EyeVerify’, ‘VocalPassword’ and In-App Secure Chat,” Tangerine Bank, April 26, 2016, https://www.tangerine.ca/en/about-us/press-releases/pr-2016-04-26.

52 Matt Scuffham, “Bank of Montreal, Mastercard launch biometric corporate cards,” Reuters Canada, March 23, 2016, http://ca.reuters.com/article/businessNews/idCAKCN0WP2GD.

53 Claire Groden, “Wells Fargo is Testing Eye Scanning to Replace the Password,” Inverse, June 22, 2016, https://www.inverse.com/article/17384-wells-fargo-is-testing-eye-scanning-to-replace-the-password.

54 “Bancolombia’s Nequi first in Colombia to deploy mobile biometrics,” Banking Technology, http://www.bankingtech.com/564602/bancolombias-nequi-first-in-colombia-to-deploy-mobile-biometrics/.

55 “Brazilian banks lead way on biometrics,” Marketplace, https://www.marketplace.org/2013/08/06/tech/brazilian-banks-lead-way-biometrics.

56 “Leveraging biometric authentication for ATMs,” BSO, https://www.bai.org/banking-strategies/article-detail/leveraging-biometric-authentication-for-atms.

57 “Mexico’s Banco Inbursa deploys FacePhi solution,” Planet Biometrics News, http://www.planetbiometrics.com/article-details/i/5053/desc/mexicos-banco-inbursa-deploys-facephi-solution/.

58 “FacePhi Beyond Biometrics - Face Recognition,” Facephi, http://www.facephi.com/en/content/facephi/.

59 “Banco Supervielle debuts fingerprint sensors for pension claimants,” Finextra Research, October 3, 2013, https://www.finextra.com/newsarticle/25280/banco-supervielle-debuts-fingerprint-sensors-for-pension-claimants.

60 “7 Banks Integrated Touch ID, 2 More to Follow,” Let’s Talk Payments, August 18, 2016, https://letstalkpayments.com/7-banks-integrated-touch-id-2-follow/.

61 “Supported Banks,” Outbank, https://outbankapp.com/supported-banks/.

62 “ING Netherlands Launches Voice Biometrics Payment System,” Nuance Communications, https://www.nuance.com/about-us/newsroom/press-releases/ing-netherlands-launches-nuance-voice-biometrics.html.

63 “Rostelecom to become National Biometric Platform operator in Russia,” Rostelecom website, June 8, 2017, https://www.rostelecom.ru/en/ir/news/d440655/.


64 Trish Dromey, “Dublin startup Touchtech Payments makes plans for international expansion,” Irish Examiner, March 12, 2017, http://www.irishexaminer.com/business/dublin-startup-touchtech-payments-makes-plans-for-international-expansion-445082.html.

65 Tim Johnson, “Forgot your password? You have too many and stores are losing business over it,” Miami Herald, http://www.miamiherald.com/news/business/article156636084.html.

66 Kevin Lonergan, “4 things the IoT will make redundant in day-to-day security,” Information Age, October 2, 2015, http://www.information-age.com/4-things-iot-will-make-redundant-day-day-security-123460265/.

67 “Smile please, you’re on HSBC,” Finextra, September 5, 2016, https://www.finextra.com/newsarticle/29387/smile-please-youre-on-hsbc.

68 Jihane Bensouda, “Paiement par authentification vocale: La Banque Postale se lance (enfin)” [Payment by voice authentication: La Banque Postale (finally) takes the plunge], Billet de banque, March 23, 2017, http://billetdebanque.panorabanques.com/banque/paiement-par-authentification-vocale-la-banque-postale-se-lance-enfin/.

69 Alex Perala, “Ghana Bank, Ingenico Launch Biometric POS Solution,” FindBiometrics, July 8, 2016, http://findbiometrics.com/ghana-bank-ingenico-biometric-pos-307083/.

70 “We’ve kicked off a major roll-out of biometric technology across Asia, Africa and the Middle East,” Standard Chartered, August 15, 2016, https://www.sc.com/en/news-and-media/news/global/2016-08-15-biometric-technology-roll-out-.html.

71 “Biometric grant cards beating fraud,” South Africa Info, August 22, 2013, http://www.southafrica.info/about/social/grants-220813.htm#.V9mP3vkrJhE.

72 “Emirates NBD Deploys Mobile Biometrics,” Mobile ID World, February 7, 2017, http://mobileidworld.com/emirates-nbd-mobile-biometrics-002073/.

73 Stephen Mayhew, “Guaranty Trust Bank Kenya adds fingerprint authentication to mobile banking app,” Biometric Update, May 29, 2016, https://www.biometricupdate.com/201605/guaranty-trust-bank-kenya-adds-fingerprint-authentication-to-mobile-banking-app.

74 http://www.biometricupdate.com/201706/korea-internet-security-agency-developing-biometric-authentication-for-mobile-banking.

75 Jillian Yue, “Alibaba Doubles Down On Tech Research To Serve 2 Billion Customers Globally,” China Money Network, March 13, 2017, https://www.chinamoneynetwork.com/2017/03/14/alibaba-doubles-down-on-tech-research-in-order-to-serve-2b-customers-globally.

76 “After BHIM, government to launch Aadhaar Pay,” Economic Times, http://economictimes.indiatimes.com/news/economy/policy/after-bhim-government-to-launch-aadhaar-pay/articleshow/57864986.cms.

77 Wichit Chantanusornsiri and Somruedi Banchongduang, “E-payment countdown,” Bangkok Post, June 27, 2016, http://www.bangkokpost.com/tech/local-news/1020981/e-payment-countdown.

78 Suchit Leesa-Nguansuk, “Biometric ID systems gain Thai traction,” Bangkok Post, March 3, 2017, http://www.bangkokpost.com/tech/local-news/1208041/biometric-id-systems-gain-thai-traction.

79 “Samsung Pay launched in Thailand,” Planet Biometrics News, http://www.planetbiometrics.com/article-details/i/5515/.

80 Stephen Mayhew, “Japan to Pilot Biometric Payment System for Tourists,” Biometric Update, April 11, 2016, http://www.biometricupdate.com/201604/japan-to-pilot-biometric-payment-system-for-tourists.

81 Stephen Mayhew, “Sources reveal more about Japan’s biometric cashless payments plan for tourists,” Biometric Update, April 20, 2016, http://www.biometricupdate.com/201604/sources-reveal-more-about-japans-biometric-cashless-payments-plan-for-tourists.

82 Alex Perala, “Citibank Malaysia Launches Voice Authentication System,” FindBiometrics, August 24, 2016, http://findbiometrics.com/citibank-malaysia-voice-308244/.

83 Allie Coyne, “Citibank to use voice biometrics to authenticate customers,” itnews, May 20, 2016, http://www.itnews.com.au/news/citibank-to-use-voice-biometrics-to-authenticate-customers-419862.

84 Corinne Reichert, “Telstra explores blockchain, biometrics to secure smart home IoT devices,” ZDNet, September 22, 2016, http://www.zdnet.com/article/telstra-explores-blockchain-biometrics-to-secure-smart-home-iot-devices/.


85 See, e.g., Irish Data Protection Commissioner, Biometrics in the workplace, https://www.dataprotection.ie/docs/Biometrics-in-the-workplace-/244.htm.

86 Office of the Privacy Commissioner for Personal Data, Guidance on the Collection and Use of Biometric Data, July 2015, Hong Kong, https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_biometric_e.pdf.

87 Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. Ann. 14/1, et seq.

88 Texas Use of Biometric Identifier Act, Tex. Bus. & Com. Code Ann. §503.001.

89 Washington State House Bill 1493 (2017).

90 See, e.g., Cal. Pen. Code § 637.3(a), N.C. Gen. Stat. § 75-66.

91 See, e.g., Tenn. Code Ann. § 39-14-150, Ky. Rev. Stat. §§ 365.720 – 365.730.

92 “Balancing Cooperation and Competition in Retail Payment Systems,” World Bank, November 2008, http://siteresources.worldbank.org/EXTPAYMENTREMMITTANCE/Resources/BalancingCooperationCompetitionRetailPaymentSystems.pdf.

93 Maya Kosoff, “A Hacker Reveals How Your Fingerprint Could Be Easier To Hack Than A Traditional Password,” Business Insider, January 7, 2015, http://www.businessinsider.com/biometric-fingerprint-password-hacking-2015-1; Antonio Villas-Boas, “You can use putty to get past the iPhone’s fingerprint security,” Tech Insider, February 25, 2016, http://www.techinsider.io/hack-iphone-touch-id-with-play-doh-2016-2.

94 “Consumer Biometrics Month: Why Average Users Shouldn’t Worry About Spoofing,” FindBiometrics, June 23, 2017, https://findbiometrics.com/consumer-biometrics-month-spoofing-406230/.

95 Luke Graham, “Apple’s Face ID security technology may not prove popular with consumers,” CNBC, September 13, 2017, https://www.cnbc.com/2017/09/13/apples-iphone-face-id-security-system-may-prove-unpopular.html.

96 Ian Muller, “Will Behavioral Biometrics be How We Authenticate Change?” December 8, 2016, https://www.veridiumid.com/blog/will-behavioral-biometrics-change-authenticate/.

97 See Virginia v. Baust, No. CR14-1439 (Va. Cir. Ct. Oct. 28, 2014).

98 Marc A. Kowtko, “Biometric Authentication for Older Adults,” 2012.

99 EMVCo, “Contact Chip-General FAQ,” 2017, https://www.emvco.com/wp-content/uploads/2017/03/EMVCo-Website-Content-2.1-Contact-Portal-plus-Biometric-FAQ_v2.pdf.

100 “FIDO Submits Comments to European Banking Authority,” FindBiometrics, February 10, 2016, http://findbiometrics.com/fido-submits-comments-to-european-banking-authority-302106/.

101 “About the FIDO Alliance,” FIDO Alliance, https://fidoalliance.org/about/overview/.

102 “EMVCo and the FIDO Alliance Collaborate on Mobile Payment Authentication,” FIDO Alliance, July 12, 2016, https://fidoalliance.org/fido-emvco-mou/.

103 “Web Authentication: An API for accessing Scoped Credentials, W3C Working Draft,” World Wide Web Consortium, September 28, 2016, https://www.w3.org/TR/2016/WD-webauthn-20160531/.

104 “The Payments Association of South Africa collaborates with MasterCard and Visa to create interoperable biometric specification,” Payments Association of South Africa, July 26, 2016, http://www.pasa.org.za/home/2016/08/01/the-payments-association-of-south-africa-announces.

105 “Biometrics,” NIST, September 28, 2016, https://www.nist.gov/programs-projects/biometrics.

106 “NSTC Policy for Enabling the Development, Adoption and Use of Biometric Standards, NSTC Subcommittee on Biometrics and Identity Management,” National Science and Technology Council, September 7, 2007, https://www.nist.gov/sites/default/files/documents/2017/04/12/nstc_policy_bio_standards.pdf.


For more information, please visit promontory.com

Copyright ©2017 Promontory Financial Group, LLC, an IBM Company.

