Card schemes to drop signature requirement for EMV cards in North America, from April 2018; schemes say biometric and EMV technology could limit any fraud rise
Biometric authentication could improve both convenience and security of online and mobile payments
Privacy a major consideration when implementing biometric frameworks
Source: Credit Card Reviews
Point of View
Bricks-and-mortar merchants in North America will no longer be required by card schemes to authenticate customers with signatures, from April 2018. Nonetheless, merchants will have the option to do so. The change only applies to EMV chip cards – magstripe-only cards will continue to require signatures. Amex, however, has extended the change to all cardholders. Card schemes claim fraud will not increase with the rule change, citing that EMV and new technologies, including biometrics and tokenisation, will continue to mitigate fraud at the point of sale.
Visa has outlined its biometrics direction in the Future of Security Roadmap for Australia, published in December 2017, and is encouraging development of technologies by third parties and uptake of biometrics, through its Visa Ready Biometrics program. Head of Risk for Visa, Asia Pacific, Joe Cunningham, expects biometrics to become ‘commonplace within the next year’.
Visa is piloting its own biometric cards, which are compatible with existing terminals, with the Bank of Cyprus in Europe and Mountain America Credit Union in the US. To authenticate at the point of sale, the cardholder places their finger on the card sensor instead of using a PIN or signature. The fingerprint is compared with a reference fingerprint stored on the card. This protects user privacy as data is neither transmitted nor stored in a central repository. MasterCard is also trialling a fingerprint-authenticated physical card. The pilot was launched in April 2017 in South Africa.
By April 2019, MasterCard will require its issuers to allow customers to authenticate themselves biometrically for remote transactions and mobile payments, using MasterCard Identity Check – dubbed ‘selfie pay’. MasterCard rolled out MasterCard Identity Check, in Europe in October 2016, and in 2017 announced the biometric app would also launch in Australia.
Biometrics could be a significant step forward for authentication. Biometrics are considered more secure than PINs, passwords and certainly signatures, and are more convenient. Indeed, 93 per cent of UK consumers prefer biometrics over passwords, according to a joint study by the University of Oxford and MasterCard. Similarly, the Australian Institute of Criminology discovered that 96 per cent of Australians would be willing to use biometrics.
Ongoing EMV rollout in the US will continue to drive fraudsters online, notwithstanding the signature rule changes. As such, use of biometrics to authenticate customers online could be useful in fighting card-not-present fraud in Australia, but a number of challenges present themselves.
As with any payments initiative, the different needs and priorities of stakeholder groups must be aligned. If biometrics are to become widely used, the customer experience across platforms needs to be consistent, which would require a degree of standardisation. Moreover, user uptake of biometric technology relies heavily on customers trusting service providers.
One model of biometric authentication involves capture of a person’s biometrics on a service provider’s terminal with data stored in a central repository, which has implications for privacy. In Australia, certain firms capturing and storing personal information, including biometric data, are subject to the Privacy Act 1988. Additionally, the Biometrics Institute provides a set of privacy requirements. Accordingly, in future could consideration be given to developing Australian standards for accepting biometric authentication at the point of sale?
The alternate model, customer device-based authentication, which is used by the products described above, has virtually no privacy implications because biometric data is stored and compared solely on the user’s own phone. EMVCo and FIDO are working on a technical specification for this type of authentication, referred to as the Consumer Device Cardholder Verification Device Method (CDCVM). The specification will help third parties simplify and standardise applications for authenticating cardholders both for in-store mobile payments or in-app online purchases.
With the CDCVM specification being created, could we see more authentication products become available soon, and might we see widespread two-factor online authentication? Ultimately, could CDCVM be an important factor in helping curb card-not-present fraud?
Furthermore, in theory, we could share our biometrics data with third parties under the Government’s forthcoming Consumer Data Right. But what might that look like, and would it be valuable or even feasible? Most importantly, how would privacy be ensured?