In a slight departure from ExchangeWire’s habitual coverage of ad tech and martech, we take a brief visit into the world of fintech, where we learn how biometrics is changing the banking industry, but isn’t the silver bullet that people may expect it to be. Many considerations need to be made before biometrics become the norm. What makes this relevant for advertising? Biometrics in advertising has been talked about for a number of years, admittedly on a different scale, with the use of wearables. But when understanding where the use of biometrics could take the advertising industry, it’s worth looking at how it’s being used in other industries, not only to bring improved targeting and consumer identification, but also to help reduce the instances of fraud. Timothy Hoyle, senior project manager at ETH Solutions, with much experience in technologies, security and compliance, writes exclusively for ExchangeWire about biometrics in card payments, its efforts to reduce fraud, and why biometrics isn’t the full story.
We have heard a great deal of chatter about biometrics recently and how it may end security concerns over the various means of accessing cash and payments, via ATMs, POS systems and other channels. Look at the direction followed by card processors so far: fintech authorities have told the industry that common sense in managing networks should be followed; that passwords must be changed on a routine basis; and that EMV card processing (Europay, Mastercard and Visa; the global standard for chip and PIN cards and technology) – with its non-repeating numbers – will stop fraud on card payment systems. So biometrics has now arrived and will stop the fraud we see today, once it is fully in place. Will it?
EMV has become the current “golden child” for payment card systems in the world. After all, it has significantly reduced the fraud resulting from skimming – copying card data to be used on counterfeits. Yet, we know that skimming continues throughout the world, though the size of the losses has diminished; barring the United States and a number of other countries in the world. It is apparent, though, that the reduction of skimming is not going to reduce fraud from card skimming; as long as the magnetic stripe remains, skimming will continue, irrespective of the implementation of EMV. The stripe must be read, the service code validated to determine if the card is an EMV card, the PIN processed, authorised and card restricted. With today’s Payment Card Industry Data Security Standard (PCI-DSS), configuration needs require the magnetic stripe to remain. The continued need for the magnetic stripe requires another means of authentication to prevent fraud within the payment card industry. Fintech looks to biometrics to replace the magnetic stripe.
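The service-code step mentioned above can be sketched as follows. This is an added example, not code from the author or from any card scheme: it parses a Track 2 record in the ISO/IEC 7813 layout and reads the three-digit service code, whose first digit tells a terminal whether the card carries a chip. The sample records are constructed around a well-known test card number, and the rule "refuse the swipe when both card and terminal support chip" is a simplifying assumption (real terminals also implement fallback rules).

```python
import re

# Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")

CHIP_DIGITS = {"2", "6"}            # 1st digit: card has an IC, use it where feasible
ONLINE_DIGITS = {"2", "4"}          # 2nd digit: authorise online with the issuer
PIN_RULES = {"0": "required", "3": "required", "5": "required",
             "6": "where feasible", "7": "where feasible"}      # 3rd digit
LIMITS = {"2": "goods and services only", "5": "goods and services only",
          "7": "goods and services only", "3": "ATM only", "4": "cash only"}

# Constructed sample records (test PAN, not real card data).
SAMPLE_CHIP = ";4111111111111111=30122010000000000?"     # service code 201
SAMPLE_STRIPE = ";4111111111111111=30121200000000000?"   # service code 120


def parse_track2(raw):
    """Split a Track 2 record into its fields; reject anything malformed."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed track 2 record")
    pan, expiry, service_code, _discretionary = m.groups()
    return {"pan_last4": pan[-4:], "expiry_yymm": expiry,
            "service_code": service_code}


def swipe_decision(raw, terminal_has_chip_reader):
    """Decide how a terminal should treat a swiped card (assumed policy)."""
    sc = parse_track2(raw)["service_code"]
    chip_card = sc[0] in CHIP_DIGITS
    return {
        "service_code": sc,
        "chip_card": chip_card,
        # A chip card swiped at a chip-capable terminal is sent to the chip reader.
        "accept_swipe": not (chip_card and terminal_has_chip_reader),
        "online_authorisation": sc[1] in ONLINE_DIGITS,
        "pin": PIN_RULES.get(sc[2], "not required"),
        "restriction": LIMITS.get(sc[2], "none"),
    }


if __name__ == "__main__":
    for record in (SAMPLE_CHIP, SAMPLE_STRIPE):
        print(swipe_decision(record, terminal_has_chip_reader=True))
```

The check only works because the stripe is read first, which is why the stripe data stays on the card even after chip deployment.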
Is the use of biometrics a viable technology to prevent fraud? No – biometric technology relies on personal information; biometric information is not and will never be variable.
Today’s payment card information uses between four and eight KB to send the issuer a request for validation. How much data does a biometric request require? What about storage of the mathematical data required to identify a customer? What changes does this manner of authentication require at the acquirer level or at the issuer? Will new classes of data be required at switches and other acquirers, e.g. merchant service providers? Fintech developers must develop standards for all payment card industry members; failure to do so will negate the power of biometrics. We must remember we only have ten fingers, two eyes, and only one voice print. Any physical change, whether by choice or accident, will change the biometric used and render it useless.
We must also address the legal and ethical requirements of the use of extremely private, non-repudiable data. Who protects this data and how does the federal government regulate this extremely private and sensitive information? Who protects us from the protectors? Finally, we must have a means to supersede existing biometric data if compromised.
A number of organisations in the financial industry are testing biometrics today, believing that such security answers the need for enhanced security and convenience for their customers. According to TheStreet in January this year, Affinity Federal Credit Union began offering Touch ID biometrics to their customers. Citigroup launched a biometric pilot in April 2015 utilising voice authentication with approximately 250,000 customers. As noted above, there are legal and ethical questions that arise when such initiatives are undertaken. Lainey Feingold, a recognised advocate and attorney for disabled clients in many negotiations with large financial institutions, noted in a recent discussion, “I do know biometrics can pose a challenge if they are the only way to authenticate identity; for example, some blind people have no irises. Same is true with fingerprints — not everyone has fingers. So an important part of the conversation is making sure biometrics are one alternative – not the only. Biometrics can also be an advantage to disabled people, as these measures may be easier than handling paper, reading print, etc.” Are the needs of people with disabilities considered?
It is a fact that biometrics is a solution to the use of PINs and signatures in today’s payment card industry. It is the ultimate ‘one-to-one’ marketing solution. However, for the reasons noted, it cannot be the only manner of authentication. Dual authentication, using various combinations of factors we can change versus those we cannot change or share, will be the manner in which biometrics will find its place in the financial industry. Fintech, with its view of the future for financial institutions, will have to consider all the information noted. Not doing so will result in the same problems we face today with fraud, privacy concerns, data breach concerns and payment card needs to protect customers.