Two big pieces of news from the payments world have put the spotlight on biometric authentication tools for shopping and banking, and at a glance it seems like biometrics could fix a lot of the fraud challenges the retail and banking industries face. But other news and a growing chorus of input from security experts indicates that some types of biometrics are as vulnerable to exploitation as other consumer data—and far more potentially damaging once compromised.
As consumers may increasingly expect to be able to use a thumbprint, voice, or facial scan to shop, merchants need to understand the usefulness and limits of biometric data for fraud prevention and customer experience.
More banks and card companies adopt biometric authentication
Biometrics have been in the news on both sides of the Atlantic this year. In April, the four major card brands dropped some or all of their consumer signature requirements for POS purchases in the US in a bid to reduce friction at checkout and reduce merchant processing costs. To replace signatures for customer authentication, Visa is trialing EMV contactless-compatible cards that have built-in fingerprint sensors. At the point of sale, users will touch the fingerprint sensor to validate their identity by comparing the impression to their stored fingerprint data.
Meanwhile, in Europe, the implementation of the revised Payment Services Directive (PSD2) means that banks and other payment services must support two-factor transaction authentication on mobile devices. Industry watchers and app developers expect biometrics to figure prominently in new security protocols because they create less friction than keying in passwords or codes delivered via SMS. It’s clear that biometrics are becoming part of the fraud-prevention landscape. What’s less clear is what happens when, not if, biometric data is compromised.