Biometric authentication is coming to numerous e-commerce merchants who may not realize that it will be a part of their checkout process, depending on the issuers involved.
MasterCard is planning to upgrade its SecureCode authentication process to MasterCard Identity Check, a fingerprint-or-facial recognition product more commonly known as "selfie pay," an emerging authentication option in the payments industry.
MasterCard has completed tests with two financial institutions and is underway with a pilot at a third, and once the product becomes commercially available, this system will automatically appear as an option at merchants that offer SecureCode.
Today, SecureCode - MasterCard's version of 3D Secure - typically appears during an e-commerce merchant's checkout as a prompt for a password to verify the cardholder's identity. But even though the consumer is interacting with a merchant website, the issuer determines the authentication method.
Thus, only the issuer needs to make any changes to enable biometric authentication for e-commerce purchases, said Catherine Murchie, senior vice president for processing and enterprise security and network solutions at MasterCard Inc., in an interview this week at SourceMedia's Card Forum and Expo in Los Angeles.
"Any merchant that's SecureCode enabled today … they don't have to do anything different," nor do they need to know that the change is coming, she said. "Essentially what we're doing is replacing the password with a biometric."
First Tech Federal Credit Union added SecureCode last year as part of its EMV migration plans. It piloted MasterCard Identity Check in October and November, and plans to go live with the product when it becomes commercially available.
MasterCard's other pilot partners are ICS, a unit of ABN Amro, which tested the technology in August 2015. BMO is began testing the technology in Canada and the U.S. in March of this year, and plans for its test to run through June, Murchie said.
MasterCard Identity Check uses a phone's built-in camera or fingerprint reader to scan the user's face or fingerprint during checkout. The phone itself is also identified during this process as an additional factor of authentication, Murchie said.
First Tech's pilot involved 300 employee/members, ranging in age from their mid-20s to their mid-60s, said Brian Ziff-Levine, the credit union's director of cards and payments. Individual testers had different preferences for using fingerprint or facial identification, but there were no patterns across age lines that would indicate any hurdles to adoption, he said.
"You get to add security without adding inconvenience," he said.
If some people prefer not to use biometric authentication, or they do not own a smartphone with the necessary hardware, the system also supports sending a one-time password to the user's e-mail, Murchie said.
Anecdotally, MasterCard has observed a slight preference for using fingerprints instead of facial recognition, she said.
"We think that had to do with the fact that people did it every day" to unlock their phones, she said. "People are really comfortable with [fingerprint authentication]."
There are still some quirks with facial recognition, she noted. The system may not recognize a user with very thick glasses, or with lenses that produce a lot of glare. If a user has an "evil twin," the system may not be able to tell the difference; for that scenario, Murchie advises using fingerprint authentication.
Murchie expects MasterCard's system to help with authorization rates at merchant websites, but issuers can also choose to add this security to their own online banking apps. First Tech already supports two-factor authentication for online banking, so it chose to focus on e-commerce during the pilot.
Since the credit union is nearly completed with its transition to EMV to protect transactions at the point of sale, it wants to be prepared for the expected rise in card-not-present fraud.
"We will never say 'no' to more and better payment security," Ziff-Levine said. "That's always been our goal."