MasterCard Tests How 'Selfies' Lift Security Where EMV Won't Go
MasterCard and First Tech Federal Credit Union are testing a system that might be the picture-perfect solution to the expected rise in e-commerce fraud following the October shift to EMV security in the U.S.
The previously announced pilot for facial and fingerprint recognition, beginning next month, marks the first biometrics test in the U.S. for the Purchase, N.Y.-based card network. The technology is focused on adding a second factor of authentication to e-commerce transactions, which typically see more fraud after EMV-chip card payments become the norm at the point of sale.
Calling the system "Selfie Pay" through the testing period, credit union members will be asked to take a "selfie" photo from a smartphone that has been previously registered with the service, or scan their fingerprint through an app. After this biometric trait is provided, the e-commerce transaction would be approved.
"Credit unions are member-centric, and our members are drawn from the largest Silicon Valley players, so they are extremely tech focused," said Brian Ziff-Levine, director of cards and payments at First Tech CU. The system will likely be renamed after the test period.
Because of the generally smaller size of a credit union compared to a large bank operation, First Tech is able to "move more quickly" on payments technology development, Ziff-Levine said.
The need for layered security will grow stronger as fraudsters step up their efforts to target Web transactions, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"It's also really a recognition on MasterCard's part that as card not present fraud continues to rise in Europe as a mature EMV economy and it will happen in the U.S. as EMV arrives there needs to be new, innovative dynamic mechanisms that can add more security," Conroy said.
In the payment security world, the potential use of selfies for authentication has picked up momentum in 2015, though the specific use cases vary widely. Sionic Mobile promotes the technology for mobile payments; NCR's Digital Insight is working to add selfie-based eye vein scanning to mobile banking; Alibaba's "smile to pay" system would be used for online shopping; and the defunct Square Wallet used images of faces as a digital version of a photo ID.
As has always been the case in payments security, the future of biometrics rests on consumer adoption, Conroy said.
"When it comes down to taking a few extra steps for security, for incremental precautions, some security-minded consumers will do it, but many will continue to go with the quickest and easiest route," Conroy said.
MasterCard "feels good about biometrics" because of recent consumer feedback that indicated 83% of consumers "are excited about new security technology" and 88% say they trust their payment network to deliver those products, said Carolyn Balfany, senior vice president of product delivery at MasterCard.
MasterCard views the First Tech pilot as a next step in its commitment to the Obama Administration to develop cybersecurity measures for payments, but it is open to testing other forms of biometrics, she said.
"It is likely that retina scans and voice recognition will continue to be tested and, depending on results, would also be rolled out on a broader scale," Balfany said. "We can't think we will universally authenticate every transaction in the same way, because consumers will have biometrics preferences."
First Tech will test "Selfie Pay" through simulated e-commerce transactions and members' virtual donations to the Children's Miracle Network Hospitals through October.
MasterCard has a similar biometrics test underway in the Netherlands with International Card Services in which consumers pay online through fingerprint or facial recognition. Authentication takes place through MasterCard SecureCode, a software platform often used in combination with a password or PIN.
Discover Financial Services has been separately testing a mobile payment system using biometric authentication technology at its Riverwoods, Ill., headquarters since late 2013, though it has not disclosed any plans for a wider rollout.