Opinion: Why fears around biometric credit cards are misplaced
06 March 2019 | Web Article Number: ME201913867
CONSIDER how everyday our use of biometrics is becoming. Increasingly, we are using it to log on to our computers and smartphones without batting an eyelid. Many of us have used fingerprints to access buildings at work, and we’ve happily given our fingerprints and ID photographs to the Department of Home Affairs for passports and other documents for the very same purpose of identification based on what we and our digits look like.
With this long history of biometrics identification, it should surely come as something of an anomaly that there are fears over the introduction of biometric measures to payment card providers (sometimes known as ‘EMV’, or Eurocard, Visa and Mastercard, the three most prominent providers of card payment systems).
Biometric measures are being introduced by card providers because of the limitations of the traditional PIN, or personal identity number. These limitations impose huge costs on these providers – costs incurred through the fraudulent use of cards, and which will ultimately be borne by customers in the form of higher card fees.
In fact, in just one year (2017), the South African Banking Risk Information Centre (SABRIC) reported that credit card fraud caused losses of R436.7 million. Debit cards racked up additional losses of R342.2 million in the same period.
That’s an enormous amount of money, and at least some of the losses arise because a PIN is nothing more than four numbers in sequence, and those four numbers have proven easy for criminals to compromise.
Biometric payment cards remove the need for a PIN, using instead an embedded fingerprint scanner. When paying, you simply place your fingerprint on a sensor on the card’s surface. If it matches the print stored in the card, the transaction is authorised. If not, no deal (though, at least initially, PIN codes are available as a backup).
This has obvious benefits from a convenience point of view, as you no longer must memorise a PIN. It also makes it a lot harder for criminals to get their hands on your money.
But along with the benefits have come new security concerns. As when ATMs, then credit cards, and in due course online banking were first introduced, people naturally worry about the risks involved in new ways of handling money.
The concern is that the card will somehow compromise personal information, or that fingerprints can be easily duplicated. Neither concern stands up to scrutiny.
Dispelling the myths
In an environment where cyber breaches of credit cards and personal data can happen, it’s natural to be concerned about our personal data. However, the fingerprint on biometric cards is not stored on a central database and is therefore not susceptible to data breaches like PIN and passwords are. Customers’ fingerprint data is only stored on the card itself and so cannot be accessed by hacking into servers.
Furthermore, it is worth bearing in mind the point of using biometrics in the first instance: security. Biometric EMV cards have security built into the design. This is the easiest way to ensure that these banking cards will be able to protect consumers against the banking and cyber threats of the 21stcentury.
The most common myth is that the fingerprint reader is no more secure than the PIN because it can be easily duplicated. But this is entirely false. The advanced solution within the card cannot be fooled by a copy of your print.
Moreover, the technology used to build the scanner will evolve and strengthen over time. As the technology improves, so will the readings of the fingerprints, enabling a clearer, more detailed capture that could even include the individual’s pores on the skin’s surface, making the solution resistant even to very sophisticated attacks. The card can also be cancelled remotely by a bank, just like a normal debit or credit card.
Fears that a hacker could still gain access and compromise the data inside the chip despite there being no database are also misplaced. The chip’s high-level encryption ensures that the card can withstand determined attempts to access its data.
Concerns that a change in fingerprint, or if the print is dirty or wet, could prevent the card from working would also be mistaken. The card’s reader is designed not to be affected by changes to your print. Moreover, if for any reason the print is not accepted at the point of sale, the card accepts a PIN code as a secondary form of ID verification.
Biometric cards are coming… and soon
Take another look at the massive amount of money lost to card fraud. At nearly a billion Rand in just one year, there is a strong incentive for our banks to introduce better technology to protect your money. Biometric cards are a perfect example, and moves are underway to do just that.
As far back as 2016, the Payments Association of South Africa introduced a fingerprint standard for biometric authentication, and in 2017, Mastercard trialled biometric cards with Absa Bank and Pick n Pay. Even more recently, Samsung Pay is using biometric payments, too. It is quite likely that all the major banks will continue to adopt the technology as they look to eliminate fraud and drive down the costs of card payment systems.
Ultimately, biometric payment cards are the future of consumer payments, providing easy, convenient, reliable and secure payment transactions. The technology behind the biometric payment card is not static but is constantly becoming stronger and more secure. When you consider what consumers want – security, convenience, something that simplifies their lives – the biometric card ticks all the boxes.
- Yogesh Mathur is Vice President for Sales, Telecom and Banking at Gemalto