The widespread use of fingerprint authentication in mobile devices has made many consumers comfortable with the technology. So is Mastercard's test of a biometric payment card a case of plastic catching up to a modern tech trend, or is it instead dragging biometrics back in time?
The challenge is bringing the technology to the point of sale. Most efforts rely on special hardware, such as the fingerprint readers used by the defunct Pay By Touch or, more recently, the Near Field Communication readers required by Apple Pay, which uses the iPhone's Touch ID system as part of the payment process.
Mastercard's recent effort shifts the hardware burden to the card itself, with the fingerprint sensor built into the plastic. It's somewhat reminiscent of the recent wave of multi-account cards such as the recently shuttered Plastc, which allowed users to lock and unlock the card with a security code.
It’s a catchy idea that may appeal to certain issuers seeking cachet with consumers, but for a variety of reasons Mastercard’s biometric card is unlikely to be an industry “game-changer,” said Brian Riley, director of the credit advisory service at Mercator Advisory Group.
Clearly payment card fraud is a top concern for issuers, merchants and consumers, thanks to a steady parade of data breaches in the news and growing concern about sharing personal data, Riley noted, but the most robust solutions can't be shrunk down to the size of a credit card.
Europe’s new PSD2 standards, for example call for multi-factor authentication around protocols such as Account Information Service Provider (AISP) and Payment Initiation Service Provider (PISP) that use triangulation to authenticate consumer transactions using a combination of security tools and data stored in the cloud, according to Riley.
“New multi-factor card security protocols rely on the full features of a mobile device, combined with tokenization, with emerging models including 3-D Secure 2.0, due out later this year,” Riley said.
Riley also pointed out that adding a fingerprint mechanism to a plastic card could even add new layers of vulnerability.
“Many might recall the security questions that arose from the ‘gummy bear’ infiltration when Apple Pay hit the market in 2014,” Riley said, recalling how hackers used the soft candy to replicate consumers’ fingerprints.
That said, issuers and card networks have an opportunity to refine their approach as the technology comes to market. “Mastercard will continue to test many variations of the payment card that supports its global business,” Riley predicted.
Mastercard did not respond to an inquiry by deadline.
On the consumer side, customers may be wary of sharing a vital biometric data element with third parties, suggested Madeline Aufseeser, CEO at card security technology Tender Armor and a longtime industry expert on payments fraud.
The bank may not care for such technology either, as cost of adding a fingerprint reader to every plastic card would likely be considerable, and replacement costs would drive expenses higher than they already are for EMV cards, Aufseeser says.
“Because of rampant data breaches, many banks already are routinely replacing one of every card in circulation, and the cost of reissuing a biometric card that’s even more expensive to produce would be very high,” Aufseeser said. “It’s hard to fathom what the return on investment would be for a bank using a biometric card, because as EMV has minimized most card fraud at the point of sale, a lot of fraud has shifted to the card-not-present channel."
Mastercard certainly sees a use case and said it plans to roll out the product widely later this year, following a successful test in South Africa with Absa Bank and local supermarket chain Pick n Pay.
The card network could have considerable success with a narrow market of issuers and consumers, said Al Pascual, senior vice president and head of fraud and security at Javelin Strategy & Research.
“There are clear benefits for integrating biometrics with a physical payment card, and if using a fingerprint for cardholder verification proves to be as seamless—or more so—than signature, then this could be a viable way to manage for the risk of lost and stolen cards,” said Pascual.
Consumers also might love the idea of using a fingerprint to confirm their identities when making a purchase, he suggested.
“I believe the cool factor is also at play here,” said Pascual. “Consumers are becoming increasingly aware of the risks to their finances and identities posed by fraudsters. I could envision offering this card to affluent customers as a way for an issuer to differentiate their card from those of competitors.”