Biometric Payment Cards Can Help Bridge the Authentication Gap as Contactless Spending Limits Set to Increase Further
By Phil Sealy | 07 Apr 2021 | IN-6114
Evolution in Securing the Payment Card
NEWS
Increasing payment card security remains an industry duty toward which all ecosystem players need to strive. As fraudsters become more sophisticated in their methods, authentication security and methods must also evolve to ensure that payment card technology, authentication, and security remain one step ahead.
Security within payment cards has by no means remained static since the inception of EMV. Notable upgrades have been completed, although primarily in the background: first static data authentication, then a move to dynamic data authentication and, more recently, combined dynamic data authentication, as well as the enhancement of backend systems designed to flag unusual or suspicious transactions.
With the COVID-19 pandemic pushing adoption of contactless and touchless proximity payments, security in the physical world is becoming more important than ever, with additional layers of authentication needed to ensure that a contactless payment card can only be used by the card owner.
Addressing Card Present Security Is Just as Important as Card-Not-Present Transactions
IMPACT
New innovative card form factors continue to be developed to help enhance transactional security. For example, dynamic Card Verification Value (CVV), designed for Card-Not-Present (CNP) transactions, essentially replaces the static and printed CVV number with a display screen that changes the CVV periodically, replacing a static code with a one-time password that is dynamic in nature.
Tokenization is another technology that has had great success within the mobile payments space, tokenizing payment card details digitally onto a device. Tokenization vendors are now looking to other use cases, most notably, the ability to tokenize payment card information on e-commerce platforms that save payment card details on file. In this instance, a user would have a different token for each merchant, so even if the details were somehow extracted, the risk would be greatly reduced.
These innovations have been primarily focused on the e-commerce world. However, Card-Present (CP) transactional security remains a critical piece of the payment card security puzzle. Fraudsters will evolve and adapt, targeting the weakest link, particularly a physical contactless form factor that doesn’t require a secondary factor of authentication such as a PIN and is fully reliant on back-end systems, which challenge a user to enter a PIN either after a set number of transactions or if a transaction is deemed suspicious.
Although the overarching trend to contactless was well in place prior to COVID-19, the pandemic has further increased the speed of contactless adoption, particularly within countries and economies where cash remains king—with usage not only being encouraged by payment ecosystem players and suppliers but also by governments and health organizations, including the World Health Organization.
Major payment networks, including Visa and Mastercard, are aiding the fight against the pandemic by increasing contactless card spending limits. Many national and local authorities, governments, and merchants are also encouraging digital payments over cash and are using the digital transaction method to limit contact with items and objects that are communal in nature and used by multiple people—in this instance, point-of-sale terminals.
Contactless is considered the more hygienic way of making proximity payments, and this is being reinforced by ecosystem players that are shifting their marketing messages to promote contactless payments for convenience, safety, and health. So contactless adoption is increasing, and migration strategies have been accelerated. To date, the majority of increased contactless activity has been noted in “contactless mature” countries, but contactless migration activity is expected to accelerate in less “contactless mature” countries throughout 2021.
What’s more, it is clear that contactless transaction limits are not expected to remain static. Although over 100 countries across the globe have already significantly increased their contactless spending limit in reaction to the COVID-19 pandemic, there are expectations that limits will be increased further. For example, in March 2021 the United Kingdom announced its intention to raise the contactless spending limits from US$45 to US$100 later in 2021 compared with the pre-COVID-19 level of US$30. Any raise in transaction limits will significantly increase the associated security risk.
Biometric Payment Cards: Layering Security Without Compromising User Experience
RECOMMENDATIONS
For the physical-proximity-payments world, the addition of a biometric sensor not only addresses the need to enhance transactional security but also provides a level of privacy consumers have become accustomed to, thanks to a match-on-card authentication method. The user’s fingerprint is bound to the user’s card via remote enrollment, giving complete end-user control. In addition, the fingerprint is used only to authenticate a transaction, and none of the biometric details are shared with or communicated to any backend system.
Today a lost or stolen contactless card can be used by another person either until the owner reports the card lost or stolen to their issuer or until an issuer’s back-end system picks up unusual transaction behavior and intervenes and challenges the card user, typically by asking for a PIN entry. The biometric card ultimately means that a lost or stolen card is rendered redundant without the owner’s fingerprint—in essence using the individual fingerprint as a unique PIN to authenticate a contactless transaction.
Evolving regulations will play a major role in the success of the biometric payment card. Directive (EU) 2015/2366 on payment services (PSD2) is a European regulation designed to make payments more secure across Europe. One of the major developments of PSD2 is the introduction of new security requirements defined as Strong Consumer Authentication (SCA), requiring the use of two factors of authentication while providing stronger definitions on the types of authentication that are appropriate—most notably, combining something the user knows with something the user has. To date, online activities related to online account access and online CNP purchases have been the primary focus of SCA implementations. SCA enforcement is expected to come into effect by early 2021, and SCA regulations are ultimately expected to be extended into the physical-proximity-payments world.
Despite SCA’s focus on online transactions, the biometric payment card can also play a significant role in CNP transactions. It is a common misconception that the biometric payment card is a CP-only technology, but this is not the case—for example, a biometric payment card can be used in conjunction with a near-field-communication mobile device to enable a user to “tap and pay” for an online transaction and adhere fully to SCA requirements.
However, the first use cases of the biometric payment card will reside within the CP transactional space, and increases to contactless spending limits will put further pressure on issuers to review methods for reducing associated fraud rates. It is clear that these increased contactless transaction limits are here to stay and, in the post-COVID-19 world, are likely to increase further. The market tone has been set, and contactless will one day become the de facto card payment method, likely to replace chip and PIN. The COVID-19 pandemic has pushed the boundaries relating to the touchless experience and has indirectly resulted in higher-value transactions now being processed without a secondary factor of authentication. The biometric payment card is well positioned to address what will be a growing issue: privacy in a fully functional end-to-end touchless physical-payments experience.