To date, biometrics technologies have largely been driven by the needs of governments to identify their citizens and protect their borders. But as the technologies mature and focus increases on payment security and anti-fraud measures, biometrics are finding a logical home in the financial services sector. Recent cross-industry ISO standards, and work addressing interoperability, scalability, privacy and security issues, mean an industry-specific EMVCo biometrics profile is now an achievable reality. But challenges remain – in the definition and agreement of the best approach, in integrating biometrics into payment systems, and in encouraging adoption by both financial institutions and consumers. The presentation will focus on:
• The use cases and biometric applications within the financial markets
• International standards harmonization and the key role of SPA in promoting interoperability
• The application integration challenges facing payment systems
• The vital importance of ensuring biometric data protection and privacy
The time is now for biometrics in financial services
1. The Time is now for Biometrics in
Financial Services
Lorenzo Gaston, Technical Director, SPA
Thursday 21st November 2013
shaping the future of payment technology
2. 1.
SPA: a short presentation
3. Who we are
The Smart Payment Association addresses the challenges of today’s evolving
payment ecosystem. We offer leadership and expert guidance to help members
and their financial institution customers realize the opportunities of
smart, secure and personalized payment systems and services - both now
and in the future.
Since 2004
Members:
4. What we do
The SPA works in partnership with global standards bodies, its own vendor
community, and an expanding ecosystem of established and emerging brands
to offer an ever-growing portfolio of advisory and support services.
[Fig 1. Diagram labels: Trade Organization; Bring Value to Financial Institutions; Help shape the future of payments; Members, Customers, Non-Traditional Ecosystem; Services, Expert Advisor Services; Technologies: Traditional / Smart Card to Advanced / New]
Extending advisory and
support across the evolving
community, the SPA is
addressing today’s challenges
and shaping the future
direction of payment
technologies, standards and
business models.
5. How we do it
By delivering the market’s most accurate barometer of
payment trends
An annual analysis of payment trends based on actual manufacturer
sales data
SPA members = 85% of the total smart payments card market
By supporting the creation and adoption of standards and best
practices
EPC-CSG/SEPA: Card Representative and Vendor Sector
Spokesperson, Chair of the EPC-CSG Task Force to specify the SEPA
functional and security requirements for emergent & remote
payments (Internet + Mobile), Convenor of the new EPC-CSG Expert
Team on Card Innovative Payments, Member of the Preparatory
Committee of the SEPA Security Certification Management Body
EMVCo: Technical Associate and Board Advisor for Card Sector
EMVCo Next Generation Taskforce: Contributor
By extending expert advice and support across the payments
ecosystem
An eye-catching library of expert technical resources and thought
leadership collaterals to shape the future of payment
6. SPA latest publications
NEW!
Biometrics for EMV Payment Cards
NEW!
UICC Application Lifecycle Management
Security Certification for Mobile Platforms
Security for Mobile Payments
PIN by SMS
Private Label Payment Solutions
Business Continuity in the Payment Card
Issuance Industry
Download at: www.smartpaymentassociation.com
7. 2.
The Time is now for Biometrics in
Financial Services
8. Three-Factor Authentication in eight steps
1. The cardholder presents their EMV card to the acceptance device equipped with
a fingerprint biometric sensor
2. A next generation secure channel is established with the card
3. The Cardholder presents the PIN code for verification
4. The Terminal Manager instructs the CVM to require the cardholder to present
the finger to the biometric sensor
5. The Biometric sensor extracts the minutiae, generates the ISO 19794-2
template and sends it to the CVM
6. The CVM transmits to the card the captured template through the secure
channel via contact or contactless
7. The card verifies and decrypts the captured template and matches it with the
enrolled template, calculating a score of similarity
8. Depending on the score and the pre-fixed threshold, the card returns a signed result
(i.e., Yes/No) to the CVM of the acceptance device
Cartes 2013
9. This looks easy and straightforward but …
Introduction of biometric payment cards requires the careful
consideration of a number of issues, including:
Decide the most suitable biometric modality to use
‘on card’ or ‘off card’ or ‘both’ biometrics verification
Trade-off performance vs transaction times
Design of the cardholder enrolment process
Lifecycle management of the biometrics data
Storage, retrieval and data protection of a cardholder’s
personal biometric attributes.
10. Use Cases for biometrics in payment cards
Opening Payment Accounts
Implement ‘Know your Customer’ (KYC) processes,
use of existing biometric documents to enroll bank biometrics
Authorization of Payment
AML/CFT monitoring process
Stronger proof of consent
Simplifying the use of payment cards in developing
countries
facilitate access to financial services for individuals unused to PINs or
passwords
cash withdrawal and other transaction services at an ATM or self-service
bank kiosk
11. Use Cases for biometrics in payment cards
Contactless & Mobile Payments
As CVM “hands free”
Ability of the mobile to integrate many capture devices
Generation of non-repudiable electronic signatures
Activation of private signature key
subscribing a contract for access to a new financial service
confirming a remittance
generating an e-Invoice
proceeding to a mobile commerce transaction
downloading and transferring electronic money.
13. Setting Performances (I)
The profile proposes performance targets for biometric matchers
configured and used in EMV Biometric authentication subsystems
The key criterion is security, meaning minimizing the False Match Rate (FMR)
The False Match Rate criterion can be met by simply setting an arbitrarily high
score of similarity
But that involves a high False Rejection Rate and a negative commercial
impact
The final tradeoff will of course be set by the card issuer
Lower the FMR further, or prefer a lower FNMR to facilitate acceptance of the
technology
Set the number of consecutive tries
Set the level of performance depending on the risk of the transaction
A high transaction risk requires a higher score of similarity to proceed
15. Setting Performances (II)
The Profile proposes a trade-off minimum level of accuracy
for EMV Match-on-Card fingerprint minutiae authentication
« The False Match Rate of FMR = 0.0001 should be achieved
with a maximum False Non Match Rate FNMR = 0.02 on one
finger »
FMR ≤ 0.0001 with FNMR ≤ 0.02
This FMR applies to zero-effort authentication
This represents the case where a lost/stolen card is presented
by a random person who tries to impersonate the cardholder
without knowing who the cardholder is
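The trade-off described in "Setting Performances (I)" and the target in "Setting Performances (II)", worked through as an added example that is not part of the original slides or of any SPA or EMVCo specification: it picks the lowest score threshold that meets FMR ≤ 0.0001, checks the resulting FNMR against 0.02, and shows the effect of a stricter threshold and of consecutive tries. The 0-100 score scale, the constructed Gaussian score samples, the function names and the assumption that tries are independent are all illustrative assumptions.

```python
import bisect
import random

FMR_TARGET = 0.0001  # slide: FMR <= 0.0001 (zero-effort impostor)
FNMR_LIMIT = 0.02    # slide: FNMR <= 0.02 on one finger

def make_scores(seed=2013):
    """Constructed similarity scores (0-100), sorted; not real matcher output."""
    rng = random.Random(seed)
    clamp = lambda x: min(100.0, max(0.0, x))
    genuine = sorted(clamp(rng.gauss(75, 10)) for _ in range(20_000))
    impostor = sorted(clamp(rng.gauss(20, 8)) for _ in range(200_000))
    return genuine, impostor

def rates(genuine, impostor, threshold):
    """(FMR, FNMR) when score >= threshold is accepted; inputs are sorted."""
    rejected_genuine = bisect.bisect_left(genuine, threshold)
    accepted_impostor = len(impostor) - bisect.bisect_left(impostor, threshold)
    return accepted_impostor / len(impostor), rejected_genuine / len(genuine)

def pick_threshold(genuine, impostor, fmr_target=FMR_TARGET):
    """Lowest integer threshold whose measured FMR meets the target."""
    for t in range(101):
        fmr, fnmr = rates(genuine, impostor, t)
        if fmr <= fmr_target:
            return t, fmr, fnmr
    raise ValueError("no threshold meets the FMR target")

def after_tries(fmr, fnmr, tries):
    """Per-transaction rates with `tries` attempts, assumed independent."""
    return 1 - (1 - fmr) ** tries, fnmr ** tries

if __name__ == "__main__":
    genuine, impostor = make_scores()
    t, fmr, fnmr = pick_threshold(genuine, impostor)
    print(f"threshold={t} FMR={fmr:.6f} FNMR={fnmr:.4f} "
          f"meets profile: {fnmr <= FNMR_LIMIT}")
    # A higher-risk transaction demanding a higher score: FMR falls, FNMR rises.
    print("threshold+10:", rates(genuine, impostor, t + 10))
    # Issuer allows 3 consecutive tries at the profile's limit values.
    print("3 tries:", after_tries(FMR_TARGET, FNMR_LIMIT, 3))
```

Resolving an FMR of 0.0001 at all requires well over 10,000 impostor comparisons, which is why the constructed impostor set is much larger than the genuine one.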
16. Rationale for this level of Performance (I)
The proposed FMR/FNMR is a good level of performance for the current
state of the art, similar to what is going to be required, e.g., in the US PIV
card program
Lowering the FMR further means increasing the FNMR, which in addition
becomes random and highly dependent on individual characteristics
This FMR = 0.0001 offers the same level of security as a PIN
comparison
Cardholders not eligible for minutiae enrollment will continue to use
the PIN and the risk is to be the same
In addition … it’s the level of performance announced for the Apple iPhone
5S
A lower False Match Rate can be achieved by comparing more than one
fingerprint or with biometric multi-modality
17. Rationale on Accuracy Performance (II)
A card can enroll up to 10 fingerprint minutiae templates
Effective at dramatically lowering FMR without impacting FNMR, but
10-finger biometric capture devices are expensive
10-fingerprint matching requires 3 presentations (4 + 4 + 2
thumbs simultaneously) or 4 presentations (4 + 4 + left thumb +
right thumb) + 10 consecutive match-on-card comparisons
At least one fingerprint from the right hand and another from the left hand
should be enrolled – more than 4 fingerprints don’t bring
significant benefit
Multi-modality could work but
Expensive biometric capture device
Transaction time
Minutiae is the only standard template format for cards
18. On timing performances
PIN Verification is deterministic – Biometric Verification time is
random
This time depends on the number of minutiae to compare, the capture
device, the matcher algorithm and the cardholder
Commercial matchers are able to process 64 minutiae (average 41
minutiae)
Rule of thumb: 30 minutiae is a « big » fingerprint to process
Level of performance for a fingerprint matcher qualified by MINEX
Average comparison match time: around 500 msec (but variable)
With encrypted templates, add 10%
Typical transaction time < 1 sec
Fingerprint matcher performances from vendors, measured in MINEX
submissions, are available on the NIST site
19. Testing & Certification procedures
The profile will propose high-level guidelines for Testing & Certification
procedures
These tests are used to certify implementations that generate and/or
match the mandatory minutia-based biometrics specified in the profile
They include generators (minutiae extraction + biometric template)
and biometric template matchers
A combination of generator and matcher is interoperable if both are able
to work effectively together to achieve a required level of performance
NIST recommends certifying Generators of
Biometric Templates and Matchers independently
SPA is willing to work with EMVCo to specify testing & certification
procedures
SPA 2013
20. SPA initiatives
Submit to EMVCo a first document on the standardization
context for Biometrics
Promote Biometrics as a CVM for EMVCo next generation
Propose to EMVCo to develop a Biometrics Profile
Prepare a White paper on Use Cases
Present at last EMVCo F2F meeting a proposal for
performances and main design decisions
End: Proposal for an EMVCo Profile for integration in EMV
Specifications
21. Thank You for Your attention!
Download from
www.smartpaymentassociation.com
#SmartPayment