Biometric Payment Cards – A natural next step for Contactless Cards

Tom Rapkoch, Director – Global Chip Product at VISA, explores the evolution of payment cards, while focusing on contactless payments. In a tête-à-tête with Zwipe, Tom shares some thoughts on the growing acceptance of biometric cards with banks and consumers.

Below are the excerpts from the interview...

Biometric Payment Cards – A natural next step for Contactless Cards
Megha Roy Zwipe 05. November 2021

Payment cards have evolved over decades from magnetic stripe to chip cards to contactless cards. We are now at an early stage of what could be the rise of biometric cards. How do you see these major technology shifts and specifically the biometric cards?

It’s interesting to see what drives technology – chip started out as a method to address counterfeit fraud, which reduces costs across the ecosystem. It soon became clear that other benefits could be realized – offline capabilities to reduce telecom costs being one.

So, what began to increase security, which in turn drives down costs, provided ancillary benefits elsewhere. In the current day & age, security is the number one issue that must be addressed – thus, biometrics is a natural fit. And added security drives down fraud-related costs, so the two are certainly linked.

However, you need to consider a third factor: user experience – commonly referred to as “friction (or a lack of it)” – when designing these solutions. With any solution, these three factors play critical roles.

The “cool factor” gets mentioned often when it comes to biometrics as well, and that is just fine. But if the other three factors aren’t addressed, it won’t matter how cool it is. It would become a niche product that a select few would carry simply because it’s cool, but that won’t drive widespread adoption. The “cool factor” is a nice cherry on top but isn’t really material in the early stages.

For which use cases are biometric cards most relevant?

The obvious answer is in a face-to-face environment because we aren’t to the point yet where these cards would be usable in a card-not-present situation (except where biometrics can be used for in-app purchases on mobile devices). Fortunately, initiatives are already underway such as EMV 3-D secure to support the transfer of biometric data in CNP transactions, along with work from other industry groups like FIDO and W3C.

But to drill down a bit further, biometric cards dovetail nicely with another major initiative that the entire industry is focused on currently – contactless payments. It’s a subtle thing but being able to tap your card on a terminal, holding it as you normally would hold it, but being able to use biometrics to authenticate the cardholder is a very attractive use case.

Tom Rapkoch, Director – Global Chip Product at VISA

Tom Rapkoch, Director – Global Chip Product at VISA

In which geographies will these cards be adopted faster?

For Visa, biometrics make sense in markets where the PIN is common for higher-value transactions. We see biometrics as a natural replacement for entering your PIN.

Are there some interesting lessons for the biometric payment cards that we can learn from the rollout of contactless cards?

Key learning from our work with issuers has been the readiness of the acceptance devices (merchant terminals). Namely, there were some terminals in the field that either didn’t support CDCVM or required a “default” CVM – typically a signature – that needed to be modified to allow for biometrics to be used as intended.

How well is the Visa initiative on biometric cards aligned with issuers globally? What has been their reception?

Biometric cards use parts of specifications and standards from other initiatives that already exist like CDCVM. So, from the actual processing of the payment application, there isn’t anything new with biometrics. What is different is how those standards are met (i.e., on a card instead of a mobile device).

HIGHLIGHTS

"Biometrics is gaining momentum"

"PIN-preferring markets are the best bet for Visa biometric cards"

"Identifying the target user base is important"

As for issuers, the reception has been one of heightened curiosity, but there have been challenges. Not with security – I think that everyone agrees that the security of biometrics is fairly established at this point. The challenges have been in the usability of the solution – leading to the development of home enrollment, efficiencies that reduce the time needed to match the fingerprint, etc.

And, of course, economics presents a challenge. New technology can be expensive to introduce for early adopters, and biometric cards are no exception. However, these challenges are all part of a natural progression, so, I believe that biometrics will gain momentum. We’re still in the very early stages of biometric card products being viable. The economics should be more feasible as we continue to move forward.

What is Visa doing to make biometric payment solutions more accepted by banks & consumers?

Visa has recently made the newest version of our biometric card specification available to the industry, and in fact, many of our vendor partners are developing that new specification. We are also supporting multiple pilots for banks around the globe, and are hopeful to have several “business as usual” products available in FY22. Momentum is strong with pilot programs with RBC in the UK, BNP Paribas in France, and others.

If an issuer wants to roll out biometric cards, what would be your recommendation to them?

First, the issuer should be in a market where the solution makes sense. As mentioned earlier, PIN-preferring markets are the best bet for Visa biometric cards.

Secondly, it is important for an issuer to find a good partner in the space. This typically means card manufacturers, but also extends to entities further down the line, such as the firms designing the fingerprint sensors, the software used to match the fingerprints, etc. An issuer’s first point of contact will probably be the manufacturer, but I know for a fact that providers (and Zwipe falls into this category) are eager and willing to show their wares to issuers to get them excited about the proposition.

Lastly, as with any new product, identifying your target user base is important. I mentioned earlier that the “cool factor” is not necessarily always the biggest consideration among issuers when making the decision to deploy biometric fingerprint cards, but after the decision is made it becomes more important – at this stage having an intriguing or “cool” product will help to attract cardholders who will be attracted to the tech, and willing to share information about their experiences with you.

It’s imperative that you find a way to get that feedback from your cardholders – it’s incredibly valuable to get feedback from general users (i.e., people not closely working on the product).

Do you foresee convergence or synergies between?

  • Biometrics and tokenization

Biometrics and tokens are complementary. Tokenization is intended to protect data in the wild (i.e., from data breaches), whereas biometrics are used to authenticate that the user of the data is the correct user – before it’s used. But they both are part of securing the transaction ecosystem.

  • Biometric and wearables

From the Visa perspective, these are both payment instruments and the use of biometrics can certainly extend to wearables. Mobile phones were the first to use this technology, cards are second, and wearables have potential as well.

  • Biometric and e-commerce

Biometrics are already part of the e-commerce infrastructure, and while it has yet to extend to cards with biometric sensors, I think it will only be a matter of time before this exists. It isn’t hard to imagine where a biometric sensor on a card could be used to authenticate someone sitting at home.

ABBREVIATIONS USED IN THE INTERVIEW

EMV 3-D secure: This is a messaging protocol that promotes frictionless consumer authentication & enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases

CNP transactions: This occur when neither the cardholder nor the credit card is physically present at the time of the transaction

FIDO: Fast ID Online (FIDO) is a set of technology-agnostic security specifications for strong authentication

W3C: The World Wide Web Consortium (W3C) is an international community where member organizations, staff and the public work together to develop web standards.

CDCVM: A type of consumer authentication method (CVM) supported by card networks, which allows users to authenticate on their mobile devices instead of payment terminal

CVM: CVM is a measure of a company’s customers’ view of the perceived value for money delivered relative to that of their competitors’ customers