The European Union’s new regulations, the General Data Protection Regulation (GDPR) and Second Payment Services Directive (PSD2), require secure transactions and data handling as well as good customer experience. PSD2, in particular, requires strong customer authentication (SCA) methods, which dictate “two-factor authentication” to ensure all payment approvals are in place. Two-factor authentication means that authentication of a customer’s identity must be based on two or more of these elements: knowledge (something the user knows), possession (something only the user has) and inherence (something the user is).
The strict requirements of the PSD2 Regulatory Technical Standards (RTS) may add friction to the payments process at online and point-of-sale (POS) checkout. Existing SCA methods such as SMS-TAN and iTAN will be considered non-compliant and are not user-friendly. PSD2, however, aims to improve user experience while preserving security, and one of the three elements supports both goals: inherence. Inherence is the element that allows biometric data and mechanisms to be leveraged for SCA.
Technological advancements are augmenting e-commerce payments and payment innovation, which further increases consumer appetite for seamless, frictionless and secure payment experiences. Biometrics is one of the latest and most cutting-edge technologies being adopted; it is usually integrated into applications to strengthen security and curb identity fraud. Fingerprint payment is the most common biometric payment method, but experts predict that other modalities, including face, eye and voice recognition, will become more widespread over time. The question is whether these mechanisms comply with the new regulations, and what banks need to consider about biometrics in a highly regulated business.
The RTS indicates the following high-level criteria must be applied while assessing whether an authentication method qualifies as SCA:
- Dynamic linking: All information about the amount paid and payment recipient must be passed on across all phases of the authentication. For biometrics, the numerical representation generated from the data points collected at the customer’s device needs to be dynamically linked.
- Independence of channels: The channel used for the initiation of a payment or account information transaction must be separate from the channel used for the receipt of the authentication code.
- Creation and validation within the bank’s environment: For biometrics, the creation of the templates needs to be performed in the bank’s environment. The software that collects data points from the device must also be provided by the bank.
- Underivable authentication codes: The biometric data points collected from the device must be changed in such a way that every data point package can be considered a new “authentication code”, which is unique for every request and, at the same time, is capable of being verified by the bank in the matching process.
- Non-disclosure: Biometric data points or raw data and matching templates must not be stored in the device or the bank to prevent reverse engineering of the raw biometric data.
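The following is an added illustration of three of the criteria above (dynamic linking, underivable authentication codes and non-disclosure), not code from the original post or from any bank's implementation. It assumes one possible construction: the bank-provided software on the customer's device holds a per-customer enrolment key that is released only after a successful on-device biometric match, and it uses that key to compute an HMAC over a canonical encoding of the amount, payee and a per-request nonce issued by the bank. The RTS does not prescribe this construction; the key, payee strings and amounts are constructed sample values.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PaymentChallenge:
    """What the bank binds the authentication code to (dynamic linking)."""
    amount_cents: int
    currency: str
    payee: str
    nonce: str  # fresh per request, so every code is unique (underivable codes)


def issue_challenge(amount_cents: int, currency: str, payee: str) -> PaymentChallenge:
    """Bank side: create the challenge for one specific payment."""
    return PaymentChallenge(amount_cents, currency, payee, os.urandom(16).hex())


def _canonical(challenge: PaymentChallenge) -> bytes:
    # Canonical encoding so device and bank MAC byte-identical input.
    fields = {
        "amount_cents": challenge.amount_cents,
        "currency": challenge.currency,
        "payee": challenge.payee,
        "nonce": challenge.nonce,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def compute_code(enrolment_key: bytes, challenge: PaymentChallenge) -> str:
    """Device side (bank-provided software). Assumption: the enrolment key is
    released only after the local biometric match succeeds, so the raw
    biometric data and the matching template never leave the device
    (non-disclosure); only this code is sent to the bank."""
    return hmac.new(enrolment_key, _canonical(challenge), hashlib.sha256).hexdigest()


class BankVerifier:
    """Bank side: recomputes the code and refuses reuse of a challenge."""

    def __init__(self, enrolment_key: bytes):
        self._key = enrolment_key
        self._used_nonces = set()

    def verify(self, challenge: PaymentChallenge, presented_code: str) -> bool:
        if challenge.nonce in self._used_nonces:
            return False  # replay: each code is valid for exactly one request
        expected = compute_code(self._key, challenge)
        if not hmac.compare_digest(expected, presented_code):
            return False  # amount, payee or nonce differ from what the device signed
        self._used_nonces.add(challenge.nonce)
        return True


def demo() -> dict:
    """Runs the three checks and returns their outcomes by name."""
    key = os.urandom(32)  # constructed: per-customer enrolment key shared with the bank
    bank = BankVerifier(key)
    challenge = issue_challenge(12_050, "EUR", "PAYEE-A")  # constructed payee
    code = compute_code(key, challenge)

    results = {}
    # Payee swapped after the code was produced: breaks dynamic linking.
    results["tampered_payee"] = bank.verify(replace(challenge, payee="PAYEE-B"), code)
    # Amount changed after the code was produced: also breaks dynamic linking.
    results["tampered_amount"] = bank.verify(replace(challenge, amount_cents=99_999), code)
    # Untouched challenge with its own code: accepted once.
    results["genuine"] = bank.verify(challenge, code)
    # Same challenge and code presented again: refused as a replay.
    results["replayed"] = bank.verify(challenge, code)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The two tampering checks show why the code must cover the amount and payee rather than only a session identifier; the replay check shows why the nonce must be fresh per request and remembered by the bank. Keeping the biometric match on the device, and sending only the derived code, is what keeps raw biometric data and templates out of the channel and out of the bank's storage.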
Customers and banks are keen to use biometrics
Consumers are inclined toward using biometric solutions to protect their transactions because of their convenience and speedy authentication process—and more and more banks are adopting biometric technology as part of their identity verification process to improve user experience. The future of biometrics in the online payment process is promising.
Innovation in biometric technology
New technologies are now enabling rapid innovation in two areas of biometrics: visual biometrics (face recognition, fingerprints, finger-vein, hand/finger geometry and iris/retina recognition) and behavioral biometrics (dynamic signature verification, keystroke dynamics and voice recognition). Alongside the emergence of these new modalities, other innovations are also in development:
- Biometrics as a Service (BaaS), which is based on sharing data with a remote server holding a centralized biometric database and offering biometric-based authentication as a service over the internet.
- Biometrics and the Internet of Things (IoT), which enhances security for the millions of new devices joining an IoT network by combining passwords with an additional layer to achieve two-factor authentication.
As biometric solutions gain momentum and uptake, they face implementation challenges: the need to comply with the PSD2 RTS requirements, technology that ensures the solution’s functionality and security, and the need to develop an ecosystem in which biometric methods are used consistently and in a standardized way across multiple markets, so that they benefit from network effects.
Though not without its obstacles, adopting biometric payments provides a future roadmap for a seamless, safe and frictionless payments experience. It will be interesting to see how biometrics develops in the coming years, adapting to customer expectations and overcoming the hurdles of implementation.
For more detailed information on this, please contact me to get your copy of our point of view, “Connect to Your Customers with Secure Biometrics Banking under PSD2”.