Mastercard is trialling a Chip and PIN bankcard that includes an embedded fingerprint reader, introducing a biometric authentication layer for card payments — and taking a leaf out of the book of Apple Pay et al in the process. The thinking here being: why pay by entering a four-digit PIN when you can securely stick your thumb on it?
So far the biometric card has been trialled at two locations in South Africa, with additional trials planned over the next few months in Europe and Asia Pacific, according to a spokeswoman, and a full rollout expected later this year.
“We are targeting consumer rollout by end of 2017 through issuers that choose to offer biometric cards,” she told us.
Mastercard is touting convenience and security as the drivers for embedding a fingerprint sensor in plastic bankcards — after all, you can’t shoulder-surf a fingerprint as you can a PIN number. Although the use of contactless payment technology in bankcards (a tech that’s widespread in Europe) already offers a faster (and usually PIN-less) way to make card payments.
That said, there are some security risks with contactless payments, given there’s usually no authentication performed — so there could be an advantage to combining a contactless bankcard with a biometric one that also contains a fingerprint sensor in order to get speedy payments with at least a layer of security. Although mobile fingerprint sensors have been shown to be spoofable. So the size of the sensor and the process for capturing a user’s print during enrollment are key considerations here.
In this instance the Mastercard trial bankcard does not include contactless payment technology — although the spokeswoman told us that a future version will include contactless “adding to the simplicity, and convenience at checkout”. For now, testers are required to insert the card into the POS terminal and then place their finger/thumb on the reader to authenticate the payment, as pictured above (vs entering a PIN into the keypad in the usual way).
The spokeswoman said the card is configured to expect the fingerprint for authenticating a purchase but does still have a PIN as a fall-back. “If the finger is too greasy or sweaty and the biometric doesn’t go through, the cardholder would experience a small delay and then asked to put in their PIN to complete the transaction,” she added. “The PIN also allows cardholders to use the card at ATMS globally.”
One relatively large drawback for the convenience of the biometric card is that the spokeswoman confirmed users are currently required to go to a bank branch in order to register and enroll their fingerprint. (Which is then converted into an encrypted digital template that is stored on the card.) Whereas bankcard users are normally mailed both their card and its PIN through the post so there’s no need to go to a branch to register before being able to use the card.
When asked about this the spokeswoman said Mastercard is “exploring ways to make remote registration possible”. Although again, while remote registration would be more convenient it could also open up the possibility for vulnerabilities with the implementation of the biometric technology — depending on how the fingerprint enrollment is performed.
One thing is clear, global payments giants are taking inspiration from mobile tech.
“Consumers are increasingly experiencing the convenience and security of biometrics,” said Ajay Bhalla, president, enterprise risk and security, Mastercard, in a supporting statement. “Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It’s not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected.”
Mastercard has also previously trialled facial biometrics for payments — launching a so-called ‘selfie pay’ app last October which lets people authenticate an online payment by showing their face to their phone’s camera.