What could be more secure than using your own physical body to authenticate payments? As the payment industry continues to grapple with breaches, hacking and theft, it seems only natural that industry leaders would turn to authentication technologies that are harder to fake. Biometrics, if they work as intended, could be a great step towards safer payments. Just imagine if no one could successfully fake your identity, because they physically aren’t you. That’s the concept, and it’s a good one, what remains to be seen is if the execution can match the theory. 

 

According to a recent report by Acuity Market Intelligence, mobile biometrics is set to secure 65% of all mobile commerce transactions by 2020, generating $34.6 billion in annual revenue. The driving force behind this change is the desire for increased security. Biometrics represent the potential for safer, harder to replicate authentication techniques, but they haven’t been thoroughly tested on the market. Hackers are experts at finding weaknesses unforeseen by developers, so we can be assured that there will be some issues as this technology comes to market. As with any young technology, it’s never perfect straight out of the gate. Biometrics do bring many benefits, they could make it easy to conduct “card not present” transactions and eliminate the need for a physical wallet. 

 

Currently, EMV is helping us make strides in payment security, particularly when paired with tokenization and encryption. By adding chip and pin cards to the market, we are making it significantly harder to steal credit card data used when cards are present. Looking past these, biometrics offer a new option for yet another layer of added security as hackers become savvier and continue to find ways to exploit new safeguards as they are deployed. Biometrics provide the added benefit of being harder to fake than passwords, as it’s not easy to duplicate a body part. 

 

The industry is still exploring how consumers can use their own bodies to maximize security. Many companies are testing the use of fingerprints, voices, irises and faces to validate that you are who you say you are when making a purchase or other transaction. MasterCard recently announced that it is testing facial recognition technology to authorize transactions, with an anticipated rollout to the general public this fall. Alibaba is looking at using a selfie to pay and verify with facial recognition. Samsung is looking at both fingerprint, voice and iris recognition for its Samsung Pay offering. Apple allows fingerprint authorization for iTunes purchases and payments with Apple Pay. With industry giants like these looking at biometrics, you can bet they will be a big part of our future. 

 

Real-world limitations to current imaging technology, however, cause concerns about how successful biometrics will be at preventing fraud. If you use your smartphone camera to authenticate a payment, what stops fraudsters from using images or video clips stored on that very same device to fake your identify? Additionally, what if someone stole your biometric data? That could be a far worse crime than having your credit card number stolen. You certainly can’t call up and have a new body re-issued if the numbers are stolen. That type of personal data poses much greater risk than data that is solely associated with bank or credit accounts. There are also legal issues that become tangled here as well: Who has access to the biometric data on your phone? Could your carrier be selling that data to companies looking to target your demographic?

 

While there are potentially great benefits to the security that could be offered by the biometrics field, the risks should not be ignored. It’s impossible to tell what hackers may do to thwart or take advantage of biometrics, but we should definitely spend far more time investigating the repercussions before mainstreaming this sort of authentication to smartphone users.  Is biometrics the way of the future for payments? Likely. Are we there yet? Not even close. This is something the entire industry needs to evaluate and test, to determine how it can be used to best meet the needs of both merchants and consumers, offering them both as much protection as possible, with the least amount of associated risk.

 

– Brian Sadowski, Chief Information Officer