The time is now for biometrics in financial services



To date, biometrics technologies have largely been driven by the needs of governments to identify their citizens and protect their borders. But as the technologies mature and focus increases on payment security and anti-fraud measures, biometrics are finding a logical home in the financial services sector. Recent cross-industry ISO standards, and work addressing interoperability, scalability, privacy and security issues, mean an industry-specific EMVCo biometrics profile is now an achievable reality. But challenges remain – in the definition and agreement of the best approach, in integrating biometrics into payment systems, and in encouraging adoption by both financial institutions and consumers. The presentation will focus on:

  • The use cases and biometric applications within the financial markets
  • International standards harmonization and the key role of SPA in promoting interoperability
  • The applications integration challenges facing payment systems
  • The vital importance of ensuring biometric data protection and privacy

Published in: Technology, Economy & Finance

  1. The Time is now for Biometrics in Financial Services
     Lorenzo Gaston, Technical Director, SPA
     Thursday 21st November 2013
     shaping the future of payment technology
  2. 1. SPA: a short presentation
  3. Who we are
     The Smart Payment Association addresses the challenges of today's evolving payment ecosystem. We offer leadership and expert guidance to help members and their financial institution customers realize the opportunities of smart, secure and personalized payment systems and services - both now and in the future.
     Since 2004
     Members:
  4. What we do
     • The SPA works in partnership with global standards bodies, its own vendor community, and an expanding ecosystem of established and emerging brands to offer an ever-growing portfolio of advisory and support services.
     [Fig 1, diagram labels: Ecosystem; Technologies; Traditional / Smart Card; Advanced / New; Non-Traditional; Trade Organization; Members Services; Customers Services; Expert Advisor Services; Bring Value to Financial Institutions; Help shape the future of payments]
     Fig 1: Extending advisory and support across the evolving community, the SPA is addressing today's challenges and shaping the future direction of payment technologies, standards and business models.
  5. How we do it
     • By delivering the market's most accurate barometer of payment trends
        • An annual analysis of payment trends based on actual manufacturer sales data
        • SPA members = 85% of the total smart payments card market
     • By supporting the creation and adoption of standards and best practices
        • EPC-CSG/SEPA: Card Representative and Vendor Sector Spokesperson, Chair of the EPC-CSG Task Force to specify the SEPA functional and security requirements for emergent & remote payments (Internet + Mobile), Convenor of the new EPC-CSG Expert Team on Card Innovative Payments, Member of the Preparatory Committee of the SEPA Security Certification Management Body
        • EMVCo: Technical Associate and Board Advisor for Card Sector
        • EMVCo Next Generation Taskforce: Contributor
     • By extending expert advice and support across the payments ecosystem
        • An eye-catching library of expert technical resources and thought leadership collaterals to shape the future of payment
  6. SPA latest publications
     • NEW! Biometrics for EMV Payment Cards
     • NEW! UICC Application Lifecycle Management
     • Security Certification for Mobile Platforms
     • Security for Mobile Payments
     • PIN by SMS
     • Private Label Payment Solutions
     • Business Continuity in the Payment Card Issuance Industry
     Download at:
  7. 2. The Time is now for Biometrics in Financial Services
  8. Three-Factor Authentication in eight steps
     1. The cardholder presents their EMV card to the acceptance device equipped with a fingerprint biometric sensor
     2. A next generation secure channel is established with the card
     3. The cardholder presents the PIN code for verification
     4. The Terminal Manager instructs the CVM to require the cardholder to present the finger to the biometric sensor
     5. The biometric sensor extracts the minutiae, generates the ISO 19794-2 template and sends it to the CVM
     6. The CVM transmits the captured template to the card through the secure channel, via contact or contactless
     7. The card verifies and decrypts the captured template and matches it with the enrolled template, calculating a score of similarity
     8. Depending on the score and the pre-fixed threshold, the card returns a signed result (i.e., Yes/No) to the CVM of the acceptance device
     Cartes 2013
  9. This looks easy & straightforward but …
     Introduction of biometric payment cards requires the careful consideration of a number of issues, including:
     • Decide the most suitable biometric modality to use
     • 'On card' or 'off card' or 'both' biometrics verification
     • Trade-off performance vs transaction times
     • Design of the cardholder enrolment process
     • Lifecycle management of the biometrics data
     • Storage, retrieval and data protection of a cardholder's personal biometric attributes
  10. Use Cases for biometrics in payment cards
      • Opening Payment Accounts
         • Implement 'Know your Customer' (KYC) processes
         • Use of existing biometric documents to enroll a bank biometrics
      • Authorization of Payment
         • AML/CFT monitoring process
         • Stronger proof of consent
      • Simplifying the use of payment cards in developing countries
         • Facilitate access to financial services for individuals unused to PINs or passwords
         • Cash withdrawal and other transaction services at an ATM or self-service bank kiosk
  11. Use Cases for biometrics in payment cards
      • Contactless & Mobile Payments
         • As CVM "hands free"
         • Ability of the mobile to integrate many capture devices
      • Generation of non-repudiable electronic signatures
        Activation of private signature key
         • subscribing a contract for access to a new financial service
         • confirming a remittance
         • generating an e-Invoice
         • proceeding to a mobile commerce transaction
         • downloading and transferring electronic money
  12. [Figure: Comparison of physiological and behavioral biometric modalities. Groups: Physiological Traits, Behavioral Traits. Modalities shown: Iris/Retina, Fingerprint, Hand, Voice, Signature, Vein, Face, Gait, Keystroke. Axis: User friendliness (- to +).]
  13. Setting Performances (I)
      • The profile proposes performance targets for biometric matchers configured and used in EMV Biometric authentication subsystems
      • The key criterion is security, meaning minimizing the False Match Rate
      • The False Match Rate criterion can be met by simply setting an arbitrarily high score of similarity
      • But that involves a high False Rejection Rate and negative commercial impact
      • The final tradeoff will of course be set by the card issuer
         • Lower the FMR further, or prefer a lower FNMR to facilitate acceptance of the technology
         • Set the number of consecutive tries
         • Set the level of performance depending on the risk of the transaction: a high transaction risk requires a higher score of similarity to proceed
  14. On Error-Condition Performances
      Different approaches for setting the comparison threshold for the application
  15. Setting Performances (II)
      • The Profile proposes a trade-off minimum level of accuracy for EMV Match-on-Card fingerprint minutiae authentication
        « The False Match Rate of FMR = 0.0001 should be achieved with a maximum False Non Match Rate FNMR = 0.02 on one finger »
        FMR ≤ 0.0001 with FNMR ≤ 0.02
      • This FMR applies to zero-effort authentication. This represents the case where a lost/stolen card is presented by a random person who tries to impersonate the cardholder without knowing who the cardholder is
  16. Rationale for this level of Performance (I)
      • The proposed FMR/FNMR is a good level of performance for the current state of the art, similar to what is going to be required e.g. in the US PIV card program
      • Lowering the FMR further means increasing the FNMR, which in addition becomes random and highly dependent on the individual characteristics
      • This FMR = 0.0001 offers the same level of security as a PIN comparison
      • Cardholders not eligible for minutiae enrollment will continue to use the PIN and the risk is to be the same
      • In addition … it's the level of performance announced by Apple for the iPhone 5S
      • A lower False Match Rate can be achieved by comparing more than one fingerprint or with biometrics multi-modality
  17. Rationale on Accuracy Performance (II)
      • A card can enroll up to 10 fingerprint minutiae
         • Effective to dramatically lower the FMR without impacting the FNMR, but
         • 10 finger biometric capture devices are expensive
         • 10 fingerprint matching requires 3 presentations (4 + 4 + 2 thumbs simultaneously) or 4 presentations (4 + 4 + left thumb + right thumb) + 10 consecutive match-on-card
      • At least one fingerprint from the right hand and another from the left hand should be enrolled – more than 4 fingerprints don't bring significant benefit
      • Multi-modality could work but
         • Expensive biometric capture device
         • Transaction time
         • Minutiae is the only standard template format for card
  18. On timing performances
      • PIN verification is deterministic – biometric verification time is random
      • This time depends on the number of minutiae to compare, the capture device, the matcher algorithm and the cardholder
      • Commercial matchers are able to process 64 minutiae (average 41 minutiae)
      • Rule of thumb: 30 minutiae is a « big » fingerprint to treat
      • Level of performance for a Fingerprint Matcher qualified by MINEX
         • Average comparison match time: around 500 msec (but variable)
         • With encrypted templates, add 10%
         • Typical transaction time < 1 sec
      Fingerprint matcher performances from vendors, measured in MINEX submissions, are available on the NIST site
  19. Testing & Certification procedures
      • The profile will propose high-level guidelines for Testing & Certification procedures
      • These tests are used to certify implementations that generate and/or match the mandatory minutia-based biometrics specified in the profile
      • They include generators (minutiae extraction + biometric template) and biometric template matchers
      • A combination of generator and matcher is interoperable if both are able to work effectively together to achieve a required level of performance
      • NIST recommends certifying Generators of Biometric Templates and Matchers independently
      • SPA is willing to work with EMVCo to specify testing & certification procedures
      SPA 2013
  20. SPA initiatives
      • Submit to EMVCo a first document on the standardization context for Biometrics
      • Promote Biometrics as a CVM for EMVCo next generation
      • Propose to EMVCo to develop a Biometrics Profile
      • Prepare a White paper on Use Cases
      • Present at last EMVCo F2F meeting a proposal for performances and main design decisions
      • End: Proposal for an EMVCo Profile for integration in EMV Specifications
  21. Thank You for Your attention!
      Download from #SmartPayment
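
The threshold trade-off from slides 13, 15 and 16, as an added example that is not part of the original deck: it picks the lowest comparison threshold that meets an FMR target, shows what that costs in FNMR, and then applies the issuer's "number of consecutive tries" setting. The score histograms and the function names (`fmr`, `fnmr`, `pick_threshold`, `after_retries`, `report`) are constructed for illustration, and the retry formula assumes independent attempts.

```python
from fractions import Fraction

# Constructed matcher-score histograms {similarity score: number of comparisons}.
# Not measured data: real figures come from a matcher evaluation such as MINEX.
IMPOSTOR = {5: 60000, 10: 30000, 15: 9000, 20: 900, 25: 90, 30: 9, 35: 1}
GENUINE = {20: 5, 25: 10, 30: 35, 40: 200, 50: 450, 60: 300}

def fmr(threshold):
    """Share of impostor comparisons accepted (score >= threshold)."""
    hits = sum(n for s, n in IMPOSTOR.items() if s >= threshold)
    return Fraction(hits, sum(IMPOSTOR.values()))

def fnmr(threshold):
    """Share of genuine comparisons rejected (score < threshold)."""
    misses = sum(n for s, n in GENUINE.items() if s < threshold)
    return Fraction(misses, sum(GENUINE.values()))

def pick_threshold(max_fmr):
    """Lowest threshold whose FMR meets the target, i.e. the least FNMR cost."""
    for t in sorted(set(IMPOSTOR) | set(GENUINE)):
        if fmr(t) <= max_fmr:
            return t
    raise ValueError("no threshold on this data set meets the FMR target")

def after_retries(rate_fmr, rate_fnmr, tries):
    """Effective rates when the issuer allows `tries` consecutive attempts,
    assuming independent attempts (an assumption; real retries correlate)."""
    return 1 - (1 - rate_fmr) ** tries, rate_fnmr ** tries

def report(max_fmr, tries=1):
    """Threshold choice, effective rates, and per-attempt check against the
    slide-15 figures FMR <= 0.0001 with FNMR <= 0.02."""
    t = pick_threshold(max_fmr)
    eff_fmr, eff_fnmr = after_retries(fmr(t), fnmr(t), tries)
    meets = fmr(t) <= Fraction(1, 10000) and fnmr(t) <= Fraction(1, 50)
    return {"threshold": t, "fmr": float(eff_fmr),
            "fnmr": float(eff_fnmr), "meets_profile": meets}

if __name__ == "__main__":
    print("profile target  ", report(Fraction(1, 10000)))
    print("high-risk target", report(Fraction(1, 100000)))
    print("three tries     ", report(Fraction(1, 10000), tries=3))
```

On this constructed data the profile target is met at threshold 30 (FNMR 0.015), while a ten times stricter FMR target moves the threshold to 35 and raises FNMR to 0.05, above the 0.02 ceiling. Allowing three tries lowers the effective FNMR but roughly triples the effective FMR.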