Biometrics for Payments: Are They Secure?

Biometric technology has become routine for the everyday consumer, and experts predict that 1.5 billion mobile users will rely on it for device authentication by 2023. As use of biometrics grows, many merchants are looking into how the technology can be used in the retail environment to bring simplicity and convenience to customer experience.

Still, many are questioning the security of the technology. With reports of spoofing fingerprint sensors using 3D-printed fingerprints and bypassing Face ID using a pair of glasses, security has become a top-of-mind issue. According to a new survey from FreedomPay and Ingenico, “Emerging Trends at the Point of Sale,” 93 percent of merchants identified security as the highest concern around the adoption of different payment methods.

With these concerns in mind, merchants interested in enhancing customer experience by implementing biometric technology may have questions about how secure it is and how they can create a positive experience. Here’s what they need to know:

Understand That Biometrics Are, At Their Core, Secure

Biometrics are measurable characteristics that you are born with - for example, a fingerprint. Biometric technology uses those unique characteristics for access to services, relying on “what you are” for authentication. In effect, any service that requires a biometric for login or access can only be retrieved by the user who set up the account, because the access is dependent on biometrics that they singularly possess. While methods like 3D-printed fingerprints or molds have been used to bypass biometric technology in a lab setting, these are not viable ways to deploy attacks, as most hackers don’t have access to the materials or opportunities a lab setting can offer. Hackers would have to gather biometric data from one person at a time, which isn’t efficient, scalable or profitable. Many devices are also now equipped with liveness detection to avoid fraud with facial recognition. When it comes down to biometrics themselves, they’re unique to the user, very secure and hard to replicate in a profitable way.

Make Security of Biometric Data a Priority

When biometrics are captured, they’re stored as a template, which cannot be reverted to the actual characteristic. Similar to tokenized payment data, this template, if stolen, would not be representative in any way of the original biometric information. Extreme measures should be taken to secure this data to prevent large-scale breaches. What matters most for security is the way that these templates are stored. They should not be attached to a user identity or stored in the same server as user identities to prevent any kind of connection between the two.  Methods like tokenization and encryption are viable ways to protect this data through the authentication process and can prevent hackers from accessing readable information. Relying on a public-key infrastructure (PKI) and key rotation can also help to keep data safe by both minimizing the amount of information secured under one key and making it easy to mitigate suspected compromise by immediately rotating to a new key. Another solution is to rely on authentication methods that store biometric data exclusively on the user’s device, which eliminates the chance of a large-scale breach. Hackers would have to steal individual devices one at a time to capture biometric data, which is inefficient and unlikely.  
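
One way to keep templates detached from user identities while still allowing key rotation, shown as an added example (not code from this article or from Ingenico): the identity store and the template store are joined only by an HMAC of the user ID. The names `LINK_KEYS`, `identity_db`, `template_db` and the HMAC handle scheme are assumptions for illustration; the article does not prescribe a mechanism.

```python
import hashlib
import hmac
import secrets

# Linkage keys by version (constructed). Assumption: held only by a separate
# linking service, never stored beside either database below.
LINK_KEYS = {1: secrets.token_bytes(32)}

identity_db = {}  # user_id -> contact details, no biometric data
template_db = {}  # opaque handle -> record, no identity fields


def handle_for(user_id, version):
    """Opaque template handle for a user under one linkage-key version."""
    key = LINK_KEYS[version]
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()


def enroll(user_id, email, template):
    """Write identity and template to different stores, joined only by HMAC."""
    version = max(LINK_KEYS)
    identity_db[user_id] = {"email": email}
    # Assumption: template bytes arrive already encrypted by the capture device.
    template_db[handle_for(user_id, version)] = {
        "key_version": version,
        "template": template,
    }


def lookup_template(user_id):
    """Resolve a user's template; needs the linkage key, not just the DBs."""
    record = template_db.get(handle_for(user_id, max(LINK_KEYS)))
    return None if record is None else record["template"]


def rotate_link_key():
    """Move every handle to a fresh key, then destroy the old key."""
    old = max(LINK_KEYS)
    new = old + 1
    LINK_KEYS[new] = secrets.token_bytes(32)
    for user_id in identity_db:
        record = template_db.pop(handle_for(user_id, old), None)
        if record is not None:
            record["key_version"] = new
            template_db[handle_for(user_id, new)] = record
    del LINK_KEYS[old]
    return new
```

A copy of `template_db` alone contains no user IDs or contact fields, and after `rotate_link_key()` any handle derived under the retired key no longer resolves.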

Communicate to Customers That Their Biometric Data is Secure and Kept Private

Part of creating a good customer experience is making customers feel secure and comfortable - especially when it comes to new technology. When they first enroll their biometric data, customers will have to provide contact information in the very unlikely event of a breach. A good measure to ensure that they’ll always be the first to know of any changes is to encourage them to update their contact information frequently. This gives them a sense of control over their data and also makes security top of mind. According to the survey results mentioned earlier, 87 percent of respondents consider security a top attribute when choosing a payment method. That’s why they should feel safe when using biometrics to make payments, which merchants can support by providing education. One way to do this is by having information on your website about biometrics and how you’re ensuring security and privacy. Another way to communicate with your customers is by training cashiers and employees to be ready to answer any questions they may have about biometric data and security. The more access customers have to information about how the technology works and how it’s secure, the more comfortable they’ll be with using it.

The Future of Customer Experiences with Biometrics

Biometrics are on the fast track to becoming a major element in the customer experience. As the technology becomes more prevalent, expect to see multi-biometrics – or, technology that authenticates multiple biometrics at once to identify a user – appearing in more places. Understanding this technology is a key part of bringing it to your store, and knowing how to make it secure is a crucial step. This requires careful thought about how biometric data is stored and about ensuring it is never shared with a third party. All these efforts to make biometric data secure should be communicated to customers to provide a more positive experience, which will ultimately drive adoption.

If you want to learn more about the security of biometrics payments, get in touch with one of our experts!

Pierre Quentin is the Director of Technology and Innovation at Ingenico Labs 
