The rise of internet-based services in the 1990s revolutionized many aspects of day-to-day life. You could shop, bank, pay, play, communicate and avail services sitting on your couch. Internet-based banking services like account management, online payments, etc. changed the way people managed their finances.
Now, after three decades, internet-based services do not seem as exciting as they did back then. They have become an integral part of daily life. Smartphones have squeezed the internet into our pockets. People can do all their online activities on the go. Even high-value financial transactions are now being authenticated on mobile devices. And you do not need to sign a cheque to process payments; a selfie or fingerprint payment will do. Biometrics is quickly taking over identity authentication for all sorts of applications.
This article takes a closer look at contactless biometric authentication, its advantages, disadvantages and applications while putting focus on biometric contactless payments.
Contact vs. contactless biometric authentication
In many services (including payments and other financial services), identity authentication is a key component. The process of ensuring that an access seeker is who he/she claims to be is called identity authentication. When done using biometrics, this process becomes biometric authentication. When biometric authentication is done for payments (e.g. fingerprint payments, selfie-pay, etc.), it is called biometric payment authentication.
Biometric traits are mainly categorized as physiological or behavioral, depending on how they are characterized in human beings. If a biometric characteristic originates from human behavior, it is categorized under behavioral biometrics, e.g. gait, keystroke dynamics, etc. If it is something found on or in the body of the person (e.g. fingerprint pattern, iris pattern, DNA, etc.), it is put under physiological biometrics.
The basis of this categorization is how a biometric trait is characterized in a person (in/on the body or in behavior). There can be many bases for categorizing biometric traits, and intrusiveness is one of them.
Now that biometrics has matured considerably and is increasingly creeping into our daily lives, users as well as experts have started considering one important factor while choosing a biometric modality: intrusiveness. The intrusiveness of a biometric trait signifies how deeply it engages the user while performing identification or authentication, which may also cause annoyance and user discomfort.
Since intrusiveness can be a viable factor while selecting a biometric authentication method, it can be a worthy basis for categorizing biometric authentication types. On the basis of intrusiveness, the two major categories of biometric authentication are: 1. Contact and 2. Contactless biometric authentication.
What is contactless biometric authentication?
A biometric authentication done without any physical contact with the authentication system (e.g. face recognition to unlock a phone, iris recognition at airport immigration, etc.) is called contactless biometric authentication. On the contrary, when it requires a physical touch, it is a contact-type biometric authentication, e.g. fingerprint authentication on mobile devices.
Applications of contact as well as contactless biometric authentication can be observed in daily life. People touch the fingerprint sensor at fingerprint attendance machines at workplaces, unlock their phones with fingerprint (contact) and iris scan (contactless), pay with face recognition (contactless), etc.
Contactless biometrics authentication: advantages
Contactless biometrics offers unique advantages over biometric methods that require physical contact.
Some users may not feel comfortable with the intrusiveness of biometric authentication that requires them to touch or come in contact with the biometric equipment.
Some people may not be comfortable making physical contact with biometric equipment used by many others. This may particularly be the case with biometric systems that are used in public applications and touched by several people in a day. Placing your finger or palm on a biometric sensor that has already been touched by many other people can spread infections and make you vulnerable to diseases.
This can particularly be a serious concern when there is an outbreak of contagious disease such as influenza, conjunctivitis, etc.
Intrusiveness may lead to an increase in the time taken for successful authentication, due to time wasted in making the right contact with a biometric system. It can also increase friction and annoyance due to failed attempts and inaccurate touch.
Contactless biometrics authentication: disadvantages
Contactless biometric authentication offers many benefits over biometric methods that require physical contact. However, it is not free from disadvantages and potential risks.
We have already seen it happening: the U.S. government was found running mass surveillance programs which were covertly disclosed by Edward Snowden.
The face is the most exposed modality and can be captured from a distance. While it gives security officials the ability to scan subjects who may be on the government radar, like terrorists or criminals, it also poses a threat to the privacy of all individuals not under surveillance.
Government and law enforcement bodies may choose to deploy contactless biometric methods for public surveillance without proper consent.
This is one of the major problems with contactless biometric authentication. Biometric systems, especially those which can scan a biometric modality (e.g. face) from a distance, can do so without proper and explicit user consent. This raises privacy concerns.
Contactless biometric authentication can be prone to large intraclass variations in a biometric sample. For example, resting your finger on the fingerprint sensor carries less possibility of error than using a face recognition system, because of intraclass variations.
Applications of contactless biometrics
Applications where identification and authentication is a core requirement
Contactless biometric recognition methods can perform identification and authentication just like any biometric recognition method. For example, you can unlock a phone by touching its fingerprint sensor, or you can choose to do the same with iris or face recognition (if the phone sports all that), which does not require any physical touch (with the biometric modality).
Identification and authentication is a core requirement in many applications like patient identification, KYC, customer identification, etc. However, sometimes a particular application may be better served by contact biometrics than contactless, e.g. for patient identification, fingerprint biometrics will work better than contactless voice or face recognition (as the patient may not be in a condition to provide voice / face data).
Just like any biometric recognition method that requires physical contact, contactless biometric methods can be leveraged in physical as well as digital access control. They can be used to control physical access at doors, as well as to unlock electronic devices like PCs and phones. Digital access control is put in place to ensure information security with biometrics.
Security and surveillance
Surveillance is an area where contact biometric methods are not usable, as they require the subject to come in physical contact with the equipment. Contactless biometric methods (e.g. face recognition) can recognize people from a distance even in challenging scenarios (e.g. in a moving crowd) by quickly analysing facial features. Gait recognition, which is also a contactless biometric recognition method, can do the same in public surveillance applications by analysing the gait of moving people.
Contactless biometric methods can also be useful in mass surveillance applications, especially those which can acquire biometric data from a distance.
Banking and financial services have shown a positive outlook for biometric recognition for accurate identification and for performing KYC and due diligence before customer onboarding. One of the quickly emerging applications of biometrics is payments. It has already claimed a large chunk of market share in mobile payments, in which payments are authenticated with one of the enrolled biometric identifiers of the user.
However, mobile payment is not the only niche where biometrics is changing how people authenticate their payments or financial transactions. Biometrics has already made its way to one of the most popular payment methods of the world: payment cards.
Fingerprint payments with biometric contactless payment card
Mobile biometrics has actually helped payment service companies to bring biometrics to payment cards. How? Read on.
Mobile biometrics and the ability to integrate it with third-party apps have been largely adopted by banking and financial services apps. Modern smartphone operating systems (e.g. Android, iOS, etc.) are designed in such a way that third-party service providers can only get access to the result of a biometric operation (enrollment, authentication, etc.) and never reach the stored biometric data of a user. This ensures the security of the biometric data.
Recent advancements in biometric hardware have resulted in smaller and more compact components. Along with that, the success of biometrics on mobile devices, its efficiency and its ability to ensure payment security made payment services firms think about a way to integrate biometric recognition into payment cards.
Biometric payment card for fingerprint payments: unprecedented challenges
Integrating a biometric sensing method on a payment card would require the biometric hardware to be unprecedentedly thin, durable, efficient, yet secure. Leveraging face or iris recognition was out of the equation, as fitting a camera as thin as a credit card was not possible. Fingerprint recognition was the only viable choice for creating a biometric contactless payment card.
Fingerprint recognition is one of the most popular, used, trusted and secure biometric modalities. However, the problem with fingerprint authentication is that it requires additional hardware (a fingerprint sensor). Mobile biometrics had already pushed manufacturers to invent fingerprint sensors more compact than ever, but a biometric EMV card needed the sensor to be even thinner.
FPC-1300 series sensors from Fingerprint Cards, a leading fingerprint hardware and software solution provider, are ultra-thin fingerprint sensors designed for payment card applications.
At a mere 315μm thickness, these ultra-thin fingerprint sensors can face the real-world challenges that payment cards have to go through. They can endure more than 10 million finger placements, thanks to the protective coating on the sensing surface. Payment cards are mostly kept in a wallet, and people may also sit on them when carrying them in the back pocket. These sensors can also endure weight and bending, as they are manufactured from flexible yet durable material.
Making fingerprint payment with a biometric EMV card
Making payments with a biometric payment card or biometric EMV card is not too different from making a payment with any EMV payment card.
- Biometric contactless payment card
- Contact-type biometric payment card
- To make a payment with a biometric contactless payment card, the cardholder has to tap the card on the card reader. In the case of a contact card, it has to be inserted into the card reader.
- The cardholder has to place his / her registered finger on the fingerprint sensor on the card when the reader prompts for it. The fingerprint image is sampled and compared against what is stored on the card.
- If the fingerprint comes from the authorized cardholder, the payment is processed; there is no need to enter a PIN or sign.
Sometimes payment may fail even if the fingerprint scan comes from an authorized user. This may happen if the fingerprint sensor is not able to capture the fingerprint details adequately. If this happens, the cardholder is asked to enter a PIN or provide a signature as an alternative method of payment authentication.
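The payment flow above as an added example (not code from the original article or from any card vendor): a toy match-on-card check that hands the reader only a verdict and falls back to PIN when a genuine but partial capture scores below the threshold. The minutiae matcher, the 0.80 threshold, the PIN retry limit and all sample data are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass

MATCH_THRESHOLD = 0.80  # assumed decision threshold
MAX_PIN_TRIES = 3       # assumed PIN retry limit

def similarity(template, sample, tol=2):
    """Toy matcher: share of enrolled minutiae with a sample point within tol."""
    hits = sum(
        any(abs(tx - sx) <= tol and abs(ty - sy) <= tol for sx, sy in sample)
        for tx, ty in template
    )
    return hits / len(template)

@dataclass
class BiometricCard:
    _template: list  # enrolled minutiae; no method returns them
    _pin: str
    pin_tries_left: int = MAX_PIN_TRIES

    def verify_finger(self, sample):
        # Comparison runs on the card; the reader only learns True/False.
        return similarity(self._template, sample) >= MATCH_THRESHOLD

    def verify_pin(self, pin):
        if self.pin_tries_left == 0:
            return False  # PIN blocked after too many wrong tries
        ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        self.pin_tries_left = MAX_PIN_TRIES if ok else self.pin_tries_left - 1
        return ok

def authorize(card, sample, pin=None):
    """Return the verification method that succeeded, or 'DECLINED'."""
    if sample and card.verify_finger(sample):
        return "FINGERPRINT"
    if pin is not None and card.verify_pin(pin):
        return "PIN_FALLBACK"
    return "DECLINED"

# Constructed sample data (not real biometric data).
TEMPLATE = [(10, 12), (25, 40), (33, 18), (47, 52), (60, 30),
            (72, 44), (15, 66), (58, 70), (80, 20), (41, 75)]
GOOD = [(x + 1, y - 1) for x, y in TEMPLATE]      # same finger, slight shift
PARTIAL = GOOD[:6]                                # same finger, partial capture
IMPOSTOR = [(x + 9, y + 7) for x, y in TEMPLATE]  # different finger

if __name__ == "__main__":
    card = BiometricCard(TEMPLATE, "4921")
    for name, s, pin in [("good", GOOD, None), ("partial", PARTIAL, "4921"),
                         ("impostor", IMPOSTOR, "0000")]:
        print(name, round(similarity(TEMPLATE, s), 2), authorize(card, s, pin))
```

The partial capture is the false-rejection case the paragraph describes: the finger is genuine, but too few details are captured to clear the threshold, so the PIN decides.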
Biometric contactless payment card: Contact or contactless biometric authentication?
Generally, fingerprint biometrics is known to be a biometric method that requires physical contact with the sensor. Most of the deployments in commercial, identification as well as consumer electronics applications are contact-type. However, contactless fingerprint authentication has also been successfully tested and deployed in many applications, in which the user can just hover his/her finger over the scanner to perform enrollment / authentication / identification.
Here our concern is the biometric contactless payment card. It is indeed a contactless payment method, but we have just discussed in the previous section that a cardholder has to place his/her finger on the sensor to authenticate a payment. Are we missing something?
Fingerprint authentication used in biometric EMV cards requires physical contact; however, the biometric EMV card itself is contactless-type, i.e. it does not need to be inserted into the card reader. We hope we were able to make ourselves adequately clear while discussing contactless biometric authentication and biometric contactless payment.
We started this article discussing contactless biometric authentication, in which a subject is not required to come in physical contact with the system to authenticate his/her identity. Later this discussion gradually moved to applications that use contactless biometric authentication, and further we put our focus on fingerprint payments with biometric EMV contactless cards.
One of our main objectives behind this explainer was to clarify the difference between contactless biometric authentication and contactless biometric payment authentication with biometric payment cards, which sound quite similar but are not. What is your take on biometric contactless payment cards? Would you ditch your traditional chip and PIN card for contactless biometric payment cards? Do let us know in the comments below.