Biometrics applied in payments: considerations for development and implementation
This is an abstract of the complete document.
Context & Perspective:
Each of us, independent of social status, economics, family or other differences, uses biometrics to identify, verify, authenticate and validate ourselves to others. The simple act of answering a telephone and recognizing the caller's voice is a biometric authentication; whenever we recognize a person’s face we are using biometrics as a mechanism for identification and authentication.
In small groups, this form of identifying, verifying, authenticating, and validating a person is very simple and useful. Nevertheless, as our societies grow, it becomes more difficult to identify who is who, which makes it harder to establish levels of trust. In this scenario, an opportunity arises to expand our capabilities and use this knowledge of measurements of biological characteristics (biometrics) to organize our social structure, economy, security, and even methods of payment.
- Identification: The process of determining who you are as an individual, user, or citizen (1-to-N).
- Q: Who is this person?
- Verification: The process of verifying that you are who you say you are (1-to-1), through identity proofing, documentation, and background checks.
- Q: Is this person who they claim to be?
- Authentication: The process of confirming that a person who has already been enrolled in the system is who they say they are, which can then be verified.
- Q: Is this person really Mr. X?
- Validation: The process of ensuring that the presented biometric comes from the real person and that the information used for validation comes from a trusted or authorized source.
What is Biometrics?
Biometrics is any unique biological characteristic that can be measured, standardized, and studied physically or digitally, and that facilitates the recognition of a living being. For decades, governments have gathered biometric information from their citizens, and more recently private companies and financial institutions have also begun storing this information for the recognition of individuals and the authentication of payments. There are three types of biometrics – biological, morphological and behavioral – which can be passive, active, or combined, depending on the security or experience requirements set forth by the users.
The most common types of biometrics are: fingerprint, facial, behavioral, retina (iris), voice, and hand geometry. Some biometric characteristics are dynamic, such as typing on a keyboard or cellphone, walking, handwritten signatures, lip formation, knuckle folds, skin pores, and body scent, among others.
Over a person's lifespan, their biometric characteristics can change, some more than others. Therefore, no biometric is considered 100% verifiable or identical. A biometric match represents the probability of correct recognition, while a nonmatch represents the probability that an individual is not known to a given system. In both cases the result is probabilistic (based on acceptable percentages established by a government or private enterprise to validate a citizen or user) as opposed to an absolute conclusion. The only known biometrics that do not change with time are DNA and blood, but the use and utility of these biometrics beyond forensics is still in exploratory stages. After the age of 6, fingerprint and iris biometrics are stable unless affected by disease.
For years the most used biometric has been the fingerprint, first adopted by police departments in the 19th century as a method to identify and capture potential criminals. Advances in technology have modernized and streamlined these processes into digital forms of capturing and validating an individual’s biometric. It is for this reason that the terms fingerprint and digital fingerprint are used interchangeably, even though one can be in physical form and the other in digital form.
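The definitions above (1-to-N identification versus 1-to-1 verification) and the point that a match is a probability above an operator-chosen threshold are easier to see in code. The following is an added example, not part of the whitepaper: a toy matcher over constructed feature vectors. The assumptions are that a template is a fixed-length numeric vector (real systems derive it from minutiae, a face embedding, and so on), that cosine similarity is the match score, and that all enrolled data and fresh captures are produced by a seeded random generator purely for illustration. The false accept rate (FAR) and false reject rate (FRR) it reports are standard biometric error measures, not terms used by the document.

```python
"""Added example (not from the whitepaper): 1-to-N identification, 1-to-1
verification, and the threshold that turns a probabilistic score into a
yes/no decision. All data below is constructed with a seeded generator."""
import math
import random

DIMS = 32
rng = random.Random(7)  # fixed seed so the example is reproducible


def make_template():
    """Constructed stand-in for a feature vector extracted at enrollment."""
    return [rng.uniform(-1.0, 1.0) for _ in range(DIMS)]


def sample_probe(template, noise=0.1):
    """Constructed 'fresh capture' of the same person: the template plus
    sensor/condition noise, which is why genuine scores are never exactly 1."""
    return [x + rng.gauss(0.0, noise) for x in template]


def similarity(a, b):
    """Cosine similarity in [-1, 1]; higher means the captures look alike."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


# Custodian's template store: user id -> enrolled template (constructed)
ENROLLED = {name: make_template() for name in ("alice", "bob", "carol", "dave", "erin")}


def identify(probe, store, threshold):
    """1-to-N: 'Who is this person?' Compare against every enrolled template
    and return the best id if its score clears the threshold, else None."""
    best_id, best_score = None, -1.0
    for user_id, template in store.items():
        score = similarity(probe, template)
        if score > best_score:
            best_id, best_score = user_id, score
    return (best_id if best_score >= threshold else None), best_score


def verify(probe, claimed_id, store, threshold):
    """1-to-1: 'Is this person really Mr. X?' Only the claimed identity's
    template is consulted; a claim for an unenrolled id is rejected outright."""
    template = store.get(claimed_id)
    if template is None:
        return False
    return similarity(probe, template) >= threshold


def error_rates(threshold, genuine_scores, impostor_scores):
    """False accept rate (impostors scoring at/above threshold) and false
    reject rate (genuine users scoring below it) at one operating point."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


def score_sets(store, impostors=20):
    """Constructed evaluation set: one fresh capture per enrolled user (genuine)
    and unrelated random vectors matched against every template (impostor)."""
    genuine = [similarity(sample_probe(t), t) for t in store.values()]
    impostor = [similarity(make_template(), t) for _ in range(impostors) for t in store.values()]
    return genuine, impostor


def sweep(thresholds, genuine, impostor):
    """Map each candidate threshold to its (FAR, FRR): this is the 'acceptable
    percentage' an operator chooses, trading convenience against security."""
    return {t: error_rates(t, genuine, impostor) for t in thresholds}


if __name__ == "__main__":
    probe = sample_probe(ENROLLED["alice"])
    print("identify (1-to-N):", identify(probe, ENROLLED, 0.8))
    print("verify as alice (1-to-1):", verify(probe, "alice", ENROLLED, 0.8))
    print("verify as bob (1-to-1):", verify(probe, "bob", ENROLLED, 0.8))
    g, i = score_sets(ENROLLED)
    for t, (far, frr) in sweep([0.3, 0.5, 0.7, 0.8, 0.9, 0.99], g, i).items():
        print(f"threshold {t:.2f}: FAR={far:.3f} FRR={frr:.3f}")
```

The sweep is the part worth studying: raising the threshold drives FAR toward zero and FRR toward one, and lowering it does the reverse, so the "acceptable percentage" is a risk decision rather than a property of the biometric itself. Identification is also the costlier and riskier operation, because every enrolled template is a candidate for a false accept, whereas verification only exposes the one template the claim names.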
Biometrics in Payments:
The use of biometrics as a method of payment was explored first in sci-fi movies and later by corporations. In addition to being an avant-garde technology for the authentication of people, it has the potential to transform both the security aspects and the shopping experience. In the future, biometrics in payments could become a virtual wallet for universal access to services.
The process of using biometrics for the identification, authentication, and validation of a user conducting a financial transaction can be complex, more so when variations exist among different biometric types. It is also difficult to understand the extra functionalities, benefits, challenges, requirements, processes, use cases, relationships with other devices, and the parameters that guarantee the privacy of the user.
Payment methods and biometric technology live in an ecosystem of constant evolution and change. This document will help you understand these technologies in greater depth and improve the payments ecosystem by following its recommendations.
Types of Biometrics
The three main biometric categories are:
- Biological: Biometrics related to someone’s unique biology. (e.g., DNA, blood)
- Morphological: Biometrics associated with the form and structure of a biological feature. (e.g., Shape of hand, palms, fingerprint, vein patterns, face, iris, vein pattern in the retina, voice, ear)
- Behavioral: Biometrics that can combine both morphological and behavioral components. (e.g., Walking, handwritten signatures, keyboard strokes)
Behavioral biometrics studies, measures and uniquely identifies patterns in human activities. Physical (Biological/Morphological) biometrics does this on the basis of given biological characteristics and features.
These biometrics are further separated into two categories:
- Passive: Biometrics not requiring a user to do an action for the acquisition, validation, and authentication of the characteristic.
- Active: Biometrics requiring a user to produce an action for the acquisition, validation, and authentication of the characteristic.
As an example, voice recognition systems can be passive or active in nature. In an active system, a customer may knowingly recite a specific phrase several times into a telephone to establish a voiceprint. By contrast, in a passive system, a customer’s initial conversation with a service representative may be used to create the voiceprint automatically.
In government, the acquisition of biometrics is conducted by the legally competent authority, generally the one responsible for issuing citizen identification. These authorities assume custodial responsibility for the citizen’s biometric and guarantee that the person is who he/she says he/she is.
In contrast, the financial sector’s process is more complex, given that many players in the ecosystem could use the biometrics to authenticate the user and may want to be the responsible custodian authority for the biometrics. Thus, it becomes important to have the necessary mechanisms in place to guarantee the security and veracity of the stored data.
The biometric template is the responsibility of the custodian, which stores the biographical and biological information. Normally the biometric template is stored by the custodian of the user’s financial account, the bank or its contracted authorized third-party service provider. This entity allows others to authenticate against the stored biometric to provide access to services.
This model of biometric custody may vary with the application, objective, and parties involved in the development of the biometric for payments.
The payments ecosystem needs to exchange user information and data between different parties. This includes trusted services managers, device manufacturers, application providers, acquirers, processors, payment networks, issuers, and clearing houses.
Ideally, the entire process should be handled in a controlled environment. Technological advancements have given many devices the capability to store and read biometric data (e.g., mobile phones, tablets). These devices can offer a remote enrollment option, which could be defined by the regulatory authorities, including the dependencies and requirements to establish the identity and verification process. This in turn creates great challenges for the payments industry to guarantee the integrity of the data, its secure storage, and that the adequate procedure has been followed correctly.
The storage of biographical and biometric data on mobile phones, computers, tablets, and even wearables expands the responsibility of the user to safeguard his/her own information securely, to conduct the enrollment process correctly, to define with whom the information is shared, and to decide with whom they would accept using biometrics as the authentication method for payments.
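The custodian's obligation to guarantee the integrity of stored templates, raised in the two paragraphs above, has a concrete minimal form: every stored record carries a tag that only the custodian can compute, and any record whose tag no longer verifies is refused before it reaches the matcher. The following is an added example, not code from the whitepaper or from any custodian: an HMAC-SHA256 seal over a canonical JSON serialization of the record. It assumes the key is held only by the custodian (a constructed placeholder here), that the template is already a quantized feature list (constructed values, not a real fingerprint), and that confidentiality of the record at rest is handled separately by encryption, which is not shown.

```python
"""Added example (not from the whitepaper): custodian-side integrity seal for
a stored biometric template. A record edited in storage, in transit from a
third party, or sealed under another party's key is rejected."""
import copy
import hashlib
import hmac
import json

# Placeholder key for the example only; a real custodian key lives in an HSM/KMS.
CUSTODIAN_KEY = b"constructed-custodian-key-do-not-reuse"


def _canonical(record):
    """Deterministic byte form of the record so the tag is reproducible
    regardless of key order or whitespace in the stored JSON."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key):
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def open_sealed(sealed, key):
    """Return the record only if its tag verifies under `key`; None otherwise.
    compare_digest keeps the comparison time independent of where it differs."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return sealed["record"]


# Constructed enrollment record (quantized features, not a real biometric)
ENROLLMENT = {
    "user_id": "alice",
    "modality": "fingerprint",
    "template": [12, 207, 33, 98, 150, 61, 240, 5],
    "enrolled_by": "branch-kiosk-17",
    "version": 1,
}


def tampered_copy(sealed):
    """Simulate a stored template altered by a party without the key."""
    bad = copy.deepcopy(sealed)
    bad["record"]["template"][0] ^= 0xFF
    return bad


def demo():
    """Three checks the custodian relies on: a clean record opens, an edited
    record is refused, and a record sealed for another party is refused."""
    sealed = seal(ENROLLMENT, CUSTODIAN_KEY)
    opens_clean = open_sealed(sealed, CUSTODIAN_KEY) == ENROLLMENT
    rejects_edit = open_sealed(tampered_copy(sealed), CUSTODIAN_KEY) is None
    rejects_other_key = open_sealed(sealed, b"some-other-party-key") is None
    return opens_clean, rejects_edit, rejects_other_key


if __name__ == "__main__":
    print(demo())  # expected (True, True, True)
```

The seal does not make the template secret, and it does not prove that the enrollment procedure was followed; what it gives the custodian is a refusal point, so that a template changed by a device, an intermediary, or a misconfigured third-party service is never matched against as if it were the enrolled one. Fields such as `enrolled_by` and `version` are covered by the tag for the same reason, so provenance metadata cannot be rewritten independently of the template.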
It is important to point out that the financial sector bases its decision making on determining the levels of trust and mitigating associated risk.