May 4, 2018 at 12:22AM
Visa and Mastercard have chips embedded in hundreds of millions of credit and debit cards around the world. They're used in more than 200 countries and process billions of payments each year. And they're both intent on creating bank cards that use your fingerprint instead of a PIN.
Early trials of cards with fingerprint scanners built-in are underway and success could eventually result in the death of the humble PIN. "A four-digit PIN is pretty good security – obviously, six, seven or eight digits are better but it is very hard for people to remember," says Bob Reany, an executive vice president at Mastercard, who is working on the firm's biometric cards. "The security is going to be better than a PIN."
In April 2017, Mastercard started trialling a biometric card in South Africa. The card looks the same as any other bank card but has a small biometric scanner in the top right-hand corner. When a finger is placed on the sensor it is able to recognise if it is a match with stored data and authorise a payment.
Mastercard now has more trials running in Bulgaria and Reany says thousands of fingerprint-detecting cards will be trialled elsewhere in the world later this year. "We've gotten the algorithms in great shape, now we're doing matching on the native device where the template is captured, and we're ready to go to market at some scale," he says. Crucially, in the coming months, banks will be issuing them to regular customers for the first time. Reany won't reveal exactly where the cards will be given to people but says more announcements are coming. "I think you're going to see pockets of Europe go pretty quickly," Reany says of potential adoption.
Rival Visa is also testing biometric cards in Cyprus with the country's national bank and security company Gemalto, which has been creating the cards for both of the major payment companies, says it has produced "tens of thousands" of biometric cards for tests.
"In some countries where they like the added security of a biometric, it could roll out pretty quickly," says Howard Berg, the managing director of Gemalto UK. He expects a "significant rollout in next couple of years".
Scanning a finger
Biometric cards are a mashup of fingerprint scanners – similar to those that unlock and prove identity on smartphones – and technology used in chip and pin bank cards. The cards all use a standard called EMV (named after its creators: Europay MasterCard Visa).
EMV technology stores a users information on a card's chip and circuits. The system was developed to work on cards that need to be inserted into a reader, before a user enters their PIN, and contactless payment methods.
The payment units where cards are either inserted or held above are crucial to biometric cards working. Biometric cards don't include a battery and use power from the card reader to work. This power is used to activate the fingerprint reader and allow it to work out whether the finger being scanned is the right one.
"The first thing that happens is the chip is looking for a biometric match," Gemalto's Berg says. "When the finger is put on the sensor that is sent to the chip, the chip takes a look at the fingerprint that is stored and compares it to the one that is given."
Before this can happen, a fingerprint has to be captured. With Gemalto's card a person must go to a bank and have their fingerprint scanned at an in-store kiosk or tablet.
Mastercard's Reany believes the company has found a way to make biometric cards more accessible. The firm has created a "sleeve" that's able to help record a person's fingerprint. Essentially, the device is a cardholder, which has a battery built into it. A biometric card is inserted into the sleeve and power is provided to the card.
The first time the sleeve is used, a person places their finger on the fingerprint scanner three times and a recording is made. A fingerprint is stored as an encrypted template of numbers, not a physical image of a fingerprint and the sleeve doesn't connect to the internet of mobile data connections in any way.
"If you think about this thing being a global product, not everyone is going to have a smartphone to help enroll with it," Reany says. Each of Mastercard's biometric cards has the physical capacity to hold four different fingerprints. But, Reany says, as banks decide to use the biometric card in the real-world they will decide how many fingerprints should be stored.
During the biometric card's development, Mastercard has had to rework how the sensor scans a finger. Reany says there are some "idiosyncrasies" in how people use their fingers. "Some people put the tip of the finger down like they do with an iPhone," he says. "Some people put their full finger down flat and some people were doing some finger rotation.
"The early versions did not do well on the tip of the finger or the rotation of the finger. We had to go back and make the algorithms more powerful so they could account for that kind of thing." Each time a payment is authorised using a fingerprint, this information is also included in data sent as part of the transaction to help banks identify how money is being moved.
Are they needed?
"Biometrics is a way to make cards more secure to a large part of the planet that may not have access to smartphones today," says Peter Hahn, dean of the London Institute of Banking and Finance. "But you'd really wonder why someone who has a smartphone would need this."
Hahn says biometrics are a positive step forward for banking security – which has moved from written signatures to chip and pin – but is unsure if the technology is needed everywhere in the world. For multiple years, it has been possible to pay with smartphones, wearable devices and contactless cards.
Hahn adds: "Part of it is, is this about plastic trying to assure its viability when we really should be questioning why do we need plastic anymore at all? We've already got that step of security in a mobile."
But regardless of how much they're essential, biometric cards offer some benefits. There's the potential for card PINs to be stolen from databases by hackers. As far back as December 2013, there were attempts to steal credit card identification numbers.
"There's not a honeypot of fingerprint data sitting in Mastercard or a bank somewhere waiting for hackers to get into it and compromise that information," Reany says. Berg adds: "The card avoids the need for a central database". Each fingerprint stored is saved on a card and their inability to be connected to the internet means to be compromised a hacker would need physical access to the card. Biometric security solutions aren't infallible though, as Apple learned with its iPhone X facial recognition. Reany says Mastercard has tried to test against this. "Rubber fingers don't work because there are electrical capacitive sensing that is required," he says.
Ultimately, payment companies are continuing to develop biometric bank cards and trials are getting bigger. At their very least, biometric cards will offer a slightly more convenient way to pay, but they may also evolve with increasing use of fingerprint technology in other areas of people's lives. As Berg says: "People forget their PINs but very rarely do you go out without your fingers."