We are often asked when biometrics will be used in retail payments, usually after some show or event where biometrics applications have been showcased by one vendor or another. The stock answer has been 'when the biometric industry has developed implementations that can cope with the scale required to support retail payments and with a false accept/reject rate that would be acceptable to both banks and consumers alike'.

For some time this answer has been enough to illustrate an underlying feeling that biometric applications were some way off satisfying either of these criteria and didn’t need serious consideration whilst PINs and passwords offered less invasive methods of confirming a customer’s identity. The payments industry had a get-out clause that allowed it to defer a detailed examination of all the issues that surround the question of verifying customers on the basis of a physical characteristic.

Today the position is less clear. We see applications that are beginning to be used at scale, with consumers seemingly happy to forgive and forget when occasionally it all goes wrong (Apple iPhone Touch ID users are a classic case). The introduction of biometric applications into consumers’ daily lives heightens interest in their use for banking and payment applications and builds pressure on the payment industry to adopt biometrics to secure all manner of services.

Why this is the case is unclear; is it that existing customer verification processes are deemed unfit in the modern age, or is there clear evidence of security failures?

It seems more likely that there is a simple assumption being made that because biometric technology exists it must therefore have application in payments. Can a biometric process, for example, make the payment process better or more secure? Here the jury is out. We must compare the complex registration processes that go with biometrics with the issuance of PINs or creation of passwords and then look at the user experience. How easy is it to incorporate biometrics into the transaction process, often with the need to provide specialist sensors?

To the informed, it seems more likely that introducing biometrics into a face-to-face retail payment process is going to add complexity and cost. The critical question would therefore be: what are the potential benefits to be gained from such a step?

The answer from the biometric industry is that it’s more secure; authenticating individuals against their own unique physical characteristics gives you certainty that they are who they say they are. This may not always be true and we must consider the myriad of security vulnerabilities that exist in any biometric system.

All biometric systems are vulnerable to spoofing. Biometrics are not secrets; many are in plain sight and can be captured. Who will forget the infamous ‘gummy bear’ fingerprint attack, where an impression of someone’s fingerprint is captured in the gelatine-based sweet and then used to fool a range of commercially available scanners into believing the individual was present?

To prevent harvesting attacks, biometric data will need to be protected. It is argued that the digital templates of your characteristic can be vulnerable to attack and misuse and must therefore be treated sensitively. Can this be done effectively where the capture point is unattended, as is the case across many of our points of interaction with the retail world?

Accuracy is always going to be an issue for the banks. How well can a system distinguish between people? What should the false accept or reject levels be within a system, or should they be tuned to give an acceptable customer experience at the sacrifice of security?
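The trade-off raised in the accuracy paragraph above, worked through as an added example that is not part of the original column. The match scores, the attempt volumes and all function names are constructed for illustration, and the 0-100 score scale belongs to a hypothetical matcher.

```python
# Constructed similarity scores (0-100) from a hypothetical matcher; not real data.
GENUINE = [91, 88, 95, 72, 84, 79, 97, 66, 90, 85]   # customer vs. own template
IMPOSTOR = [12, 35, 48, 22, 61, 30, 55, 18, 70, 41]  # someone else vs. that template


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold counts as a match."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def lowest_threshold_for(max_far):
    """Most customer-friendly threshold that still keeps FAR <= max_far."""
    for t in range(0, 101):
        far, frr = rates(t)
        if far <= max_far:
            return t, far, frr
    return None


def equal_error_threshold():
    """Threshold where FAR and FRR are closest (the equal error rate point)."""
    return min(range(0, 101), key=lambda t: abs(rates(t)[0] - rates(t)[1]))


def expected_errors(threshold, genuine_attempts, impostor_attempts):
    """Scale the rates to a volume of attempts (volumes are assumptions)."""
    far, frr = rates(threshold)
    return round(impostor_attempts * far), round(genuine_attempts * frr)


if __name__ == "__main__":
    for t in (50, 62, 67, 71, 85):
        far, frr = rates(t)
        print(f"threshold {t:3d}: FAR {far:.0%}  FRR {frr:.0%}")
    print("EER threshold:", equal_error_threshold())
    print("FAR <= 0 needs:", lowest_threshold_for(0.0))
    # Hypothetical volume: 1,000,000 genuine and 1,000 impostor attempts.
    print("errors at 71:", expected_errors(71, 1_000_000, 1_000))
```

On this constructed data, driving false accepts to zero means rejecting one genuine customer in ten, which is the customer-experience cost the paragraph asks about.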

There are also some very practical issues to be addressed: biometric characteristics change over time. Faces and voices change as we get older. This affects the accuracy of checking and unless the system is able to alter its reference sample there is likely to be an increased chance of false rejection. Then there is the issue of what you do if your biometric fails or is compromised. Recovery can be problematic, and it is difficult to imagine how you might change a physical characteristic!

One of the considerations may be that biometric checking for retail payments is a sledgehammer to crack a nut and that we don’t actually need it to defeat fraud. There may be more effective behavioural controls and sophisticated fraud detection services to be explored. Biometrics may then have a place for on-boarding new customers to help ensure payment products are given to the right person.

We are confident that, over time, many of these issues will be addressed, but at this point in time it seems likely that biometrics applications will be tested in a safer environment than retail payments. We have already seen announcements that some banks are using voice and finger vein solutions for banking services.

The payment industry will learn from these smaller scale trials and looks on with interest at other industries’ use of the technology. So far there is no hint of a mass adoption for retail payments, where it is essential that whatever is done is universal and seamless in its integration into the transaction process.

It will be interesting to see how things develop, but what is very clear is that any move to introduce biometrics into retail payment processes will need to be done as part of a co-ordinated, multi-layered, cross-industry programme. Collaboration will be crucial in addressing the many issues that will need to be resolved. It will be no less significant than the Chip & PIN migration of ten years ago, and critical to its success will be the buy-in and education of retail staff and consumers alike.

David Baker is head of the payment innovations unit for The UK Cards Association. He will be writing a regular column for Essential Retail on the evolving payments landscape and its impact on the retail industry.
