Growing fraud boosts focus on identifying customers
Note from the editor
The COVID-19 pandemic surcharged e-commerce and buying online. Unfortunately, it also increased the incidence of fraudsters seeking to get their illegal cut of a barrage of new digital commerce.
The U.S. has long had extensive, and some would say cumbersome, know-your-customer requirements, but as the nature of e-commerce and in-store transactions have changed over the past three years, it has been difficult for merchants to keep up with criminals. A bevy of upstarts are pitching software services to fill the gap, tapping everything from biometrics to tokenization.
As retailers and other merchants move past the deadly pandemic this year and seek to keep recovering their businesses, the demand for increasingly sophisticated anti-fraud and identity verification tools is likely to keep rising. That is likely to keep investments flowing to this area.
While there will always be thieves that elude merchants’ defenses, venture capital will target startups seeking to beat back the crimes, and that, in turn, will keep incumbents trying to improve their strategies as well.
Mastercard, the No. 2 U.S. card network company, said Monday in a press release that it has purchased Baffin Bay Networks, but a spokesperson for the company declined to say how much it paid for the Sweden-based business.
The acquisition is aimed at better helping card customers “deal with the increasingly challenging nature of cyber-attacks,” Purchase, New York-based Mastercard said in the release.
Baffin Bay appears to be a relatively small company, compared to Mastercard, with annual revenue of about $5 million, according to an estimate from Baird Equity Research.
Card network companies, including No. 1 Visa, have increasingly added services to their portfolio of offerings to expand the value-added tools, beyond card services, that they can sell their customers.
The Mastercard spokesperson declined to say how many employees Baffin Bay has or whether they’ll be kept on after the merger, though he noted LinkedIn and Crunchbase estimate the company’s headcount at between 11 and 50 workers.
As part of the announcement Monday, Mastercard said it’s in the process of integrating its cyber defenses into a single cyber service that it makes available to all its customers.
“Today’s increasingly digital world has delivered greater convenience and increased opportunities for people, businesses and governments,” Mastercard said in the release. “At the same time, it has exposed the need to strengthen protection against criminals who exploit this technology through malware, ransomware and distributed denial of service (DDOS) attacks.” Mastercard noted DDOS incursions rose 22% last year.
Baffin Bay’s automated service uses cloud-based artificial intelligence filtering of internet traffic to spot malicious attack attempts and stop the attackers from taking down systems, the release said.
Article top image credit: Maks_Lab via Getty Images
Feds crack down on improper payments
By: Lynne Marek• Published July 20, 2022
A group of federal agencies working under the Joint Financial Management Improvement Program (JFMIP) released a report this week aimed at reducing improper federal government payments to individuals who aren’t who they say they are or otherwise provide inaccurate information about their identities.
The report explores identity verification strategies for cracking down on the fraud by individuals who seek government aid. The effort comes after the Government Accountability Office estimated in May that federal agencies sent $281 billion in improper payments in fiscal year 2021, excluding the extensive COVID-19-related fraud. That figure was more than double the $75 billion estimated in the prior year.
The Government Accountability Office, the Office of Management and Budget (OMB), the Office of Personnel Management and the Treasury Department collaborated on the 84-page report that resulted from reviewing studies, interviewing experts and convening government and industry officials and professionals for a two-day conference last month.
The new report is part of a broader federal government campaign in recent years to root out improper payments. As a result of the new effort, billions of dollars in government payments affected by fraud have been tabulated in recent years, the report said. Looking back, the report noted that estimated improper payments from fiscal year 2003 through 2021 amounted to $2.2 trillion, or about $7,000 for every U.S. citizen over that period.
The JFMIP report is part of a broader, ongoing initiative begun in October 2020 and will eventually feed key considerations and empirical data to an expected executive order from President Joe Biden calibrated to curtail identity theft in federal government benefits programs. In March, the White House announced it would implement the order this year to combat fraud particularly in pandemic relief programs.
“Federal agencies and oversight bodies have recently taken steps to determine the significance of misrepresented identity as a cause of improper payments and have begun to focus on identity verification as a means to improve payment integrity,” the report said.
A large share of the improper payments are to individuals who must meet certain eligibility requirements, the report said. Some strategies for preventing the fraud explored in the report include examining applicants’ digital footprints, reviewing bank account information, checking physical or email addresses and using biometric identification.
In 2020, another federal agency group determined that the government wasn’t doing enough to track identity theft in those improper payments and, as a result, the OMB called on agencies to tally that particular payment fraud. In 2021, it found about $7.7 billion in the faulty payments were due to problems with identity verification.
“Some agencies are still in the beginning phases of determining whether misrepresented identity is a significant cause of improper payments and the total impact of misrepresented identity is still largely unknown,” the report said.
The report repeatedly warns of pitfalls if the government resorts to identification methods that present undue burdens for “socioeconomically vulnerable” people. The broader initiative under Biden’s direction seeks to cut the improper payments while also “protecting privacy and civil liberties and preventing bias,” the report said.
Article top image credit: Drew Angerer/Getty Images via Getty Images
Striking a balance between online payments compliance and smooth user experiences
Economic unrest, geopolitical turbulence, and emerging fraud and identity theft threats have made people more cautious when transacting online.
Recent research from Trulioo underscores that trend, with 73% of online payment service customers saying security is a more significant consideration than it was two to three years ago. Those customers are more cautious about how much they spend, where they spend and who sees their payment information.
Customers want more secure, trustworthy processes and have come to expect some friction when transacting, according to the research. Rather than viewing identity verification as unnecessary or inconvenient, people who use online payment services see it as a reassuring measure that companies take security seriously.
Meanwhile, 79% of payment service provider respondents agreed that security through identity verification is crucial in building trust with customers.
Searching for Agility, Resilience in Onboarding and Identity Verification
In the face of shifting compliance requirements, emerging threats and evolving customer expectations, payment service providers understand that agile and resilient identity verification can help them adjust quickly to change.
Still, there’s a divide in the payments sector between organizations with agile identity verification and those with rigid processes. The research from Trulioo shows only 24% said they anticipate market changes and have the agility to revise identity verification as needed.
The research also found that 86% of payments leaders say identity verification needs to be continuous rather than just a step during account creation.
Leverage a Trusted, Global Identity Platform
Many legacy identity verification solutions require organizations to cobble together different technologies as company needs and regulations evolve. That can create siloed, time-consuming, vulnerable technology setups that put a strain on businesses and add unnecessary friction for customers.
Anti-Money Laundering and Know Your Customer regulations vary among regions and countries around the world. Agile identity verification workflows can rapidly adapt to regulatory or market shifts while ensuring a secure payment environment.
A comprehensive, automated platform can give payments companies the flexibility they need to strike a balance between security and convenience and avoid the pitfalls of slow, disjointed onboarding.
Relationships with customers can change over time. Payments companies can stay up to date on current sanctions, adverse media and politically exposed persons through continuous global watchlist monitoring.
Providing a great user experience depends on how well an organization keeps pace with changing market conditions and adapts to shifting regulations without draining IT resources. Agile platforms enable payments companies to customize workflows and adjust processes based on specific scenarios and regulations to reduce friction, remove bottlenecks and increase conversions.
Entry into new markets
Identity verification across borders is complex. A global identity platform with a worldwide network of trusted data partners makes it easier to expand quickly and securely into new markets.
Build Customer Trust by Balancing Speed and Compliance
When consumers encounter robust, balanced identity verification, their trust in the transaction, the digital service, the company and the industry increases. Adopting a proactive approach to changing market conditions and evolving regulations through a comprehensive identity platform can help payment service providers build on that customer trust and expand their global reach.
Dedicated to verifying the identity of anyone and any business around the world, the Trulioo platform can drive global growth for payments organizations by helping them navigate the challenges of regulatory compliance and enabling real-time verification of more than 5 billion people and 300 million businesses worldwide.
By leveraging a suite of native services and world-class technology designed to make identity verification faster and more efficient, Trulioo opens the door to the digital economy for everyone on the planet.
Article top image credit:
Trulioo | Grant Harder
Bluefin, Visa pursue network tokenization
By: Tatiana Walk-Morris• Published Jan. 24, 2023
Bluefin, the Atlanta-based data and payment security firm, will integrate with Visa’s card network to provide tokens across card brands, the companies announced on Friday.
With the new network tokenization capabilities, card brands can issue a token and distinct transaction cryptogram that facilitates transactions across multiple payment processors, gateways and acquirers, the company explained in a Jan. 20 release.
Bluefin’s payment gateway will be able to process the network tokens as part of the new tie. Network tokenization will be available for Bluefin’s merchants and partners, according to the press release.
Bluefin’s partnership with Visa is aimed at reducing payment fraud. Per the announcement, Bluefin has 300 international partners that serve 34,000 enterprise and software companies across 55 countries.
Card fraud will cost the payments industry $408.5 billion internationally over the next decade, according to the research firm Nilson Report. In 2030 alone, the card industry is expected to lose $49.32 billion in fraudulent transactions as the overall payment card volume is predicted to surpass $79 trillion.
“Tokenization is a key aspect of securing the digital economy, replacing sensitive information with an token that helps hide sensitive information from cybercriminals,” AnsarAnsari, Visa’s global head of platform products, said in a statement. “We hope to continue to expand working with companies like Bluefin to help keep all members of the payments ecosystem secure, as well as remove friction in digital commerce.”
Fraud is expected to continue roiling the industry in coming years. Nilson Report predicts that U.S. fraud losses will reach $17 billion dollars by 2030 as the country’s total card volume balloons to less than $19 trillion.
“The acceleration of digital commerce and card-not-present (CNP) transactions has underscored requirements for secure payment processing and data input,” Bluefin Chief Information Officer Tim Barnett said in the release. “We are excited to provide our partners and merchants with greater flexibility around how they tokenize cardholder data through the addition of this network tokenization option.”
Similarly, other payment platforms are working to protect personally identifiable information and health information. Semafone, a payment security and compliance company, teamed up with Avaya in 2021 to safeguard payments for call centers amid the Covid-19 pandemic-driven remote work environment.
Payments fraud is a focus for service providers and regulators. Senator Elizabeth Warren has already raised the alarm on payments fraud via peer-to-peer platforms like Zelle and urged the Consumer Financial Protection Bureau to update Regulation E of the Electronic Fund Transfer Act to provide stronger consumer protections for peer-to-peer payments transactions.
Article top image credit: Poike via Getty Images
EMVCo rolls out new payment standard
The international standard-setting organization finalized a new specification for contactless and mobile payments, but adoption of the new approach by merchants may be slow-going.
By: Lynne Marek• Published Oct. 6, 2022
A new contactless and mobile payments software standard was approved Wednesday by the international standard-setting body EMVCo in an effort to coalesce the card industry around one approach.
The software, which EMVCo refers to as a “kernel,” allows for payment acceptance at point-of-sale terminals and ATMs for the processing of card transactions, even in instances when the card is embedded in a phone.
“The EMVContactless Kernel Specification is the latest example of the payments industry collaborating to deliver a specification that supports marketplace needs, and advances seamless and secure payments globally,” said EMVCo Executive Committee Chair Alisa Ellis said in a release Wednesday regarding the new software standard.
There are currently some 20 different contactless payment “kernels” in use by merchants around the world so the new specification is aimed at reducing complexity and costs.
The effort is driven by the owners of EMVCo, including the namesake companies Europay, Mastercard and Visa, as well as the U.S. card companies American Express and Discover Financial Services, plus JCB of Japan.
Invisible to the consumer
Switching to the new software may or may not require a merchant to swap out a POS device, depending on whether it can be done remotely by a merchant acquirer, said Stewart Watterson, a strategic analyst for Aite-Novarica Group who specializes in retail banking and payments. As for the consumer experience, Watterson said in an interview that he doesn’t see that changing much as a result of the new software, at least not for the moment.
EMVCo, which is controlled by the world’s biggest card companies, said in the release that the benefits of the new software include more security for channel privacy, eavesdropping prevention, and protection of sensitive data; card authentication via elliptic curve cryptography; biometric and mobile card verification support; optimization for use with cloud technology; and on-card data storage for privacy and integrity protection.
While the new software could improve fraud-prevention and efficiencies for card processing, it mainly guards against more sophisticated technical data breaches that aren’t very common, Watterson said. The new generation standard isn’t a big benefit now, or controversial either, for that matter, but it could be in the future as a stepping stone to more significant improvements, he said.
Little financial incentive to change
Merchants may not even have much financial incentive to pay for the switch anytime soon, given merchant acquirers are likely to charge for the upgrade, Watterson said. That’s because four of the five benefits, with the exception of cloud optimization, largely accrue to the card issuer, with less benefit for acquirers, so there’s less reason for the latter to rush adoption.
Still, the nation’s largest bank, JPMorgan Chase, operates on both sides of the equation, as a card issuer and merchant acquirer, but there still might not be much return on investment at this point, Watterson said. Other major acquirers include Fiserv, Global Payments and Adyen.
One of the biggest benefits of the new software might be with respect to rising use of biometrics for consumer authentication and fraud prevention. The new standard will let a POS device access biometric information more directly, providing another tool to check a user’s identity, Watterson said.
The new standard will likely be rolled out faster in Europe, where such technical upgrades tend to catch on faster, than it will be in the U.S., he said.
EMVCo, the company behind the contactless symbol at payment terminals, took input from outsiders on the software specification in recent months after it issued a request for feedback in May on a draft of contactless specifications.
The 312-page draft issued earlier this year was reviewed by EMVCo associates, including major payments processors such as FIS, Adyen and Fiserv as well as big tech companies like Microsoft and Google and newer fintechs such as Stripe and Square. Merchants, such as Target and Amazon, are also associates, according to the EMVCo website.
As part of the software approval process, the specification was subject to meeting discussions among the EMVCo associates, a full associate review as well as the public review, said Alistair Cochrane, a spokesperson for EMVCo. In conclusion, it was approved by a vote of the EMVCo board, which includes merchants, card issuers and acquirers, payment networks, financial institutions, and testing laboratories, among others, he said.
The new specification is “significant because it is the first industry standard kernel that simplifies global acceptance of contactless payments for merchants, payment systems, and solution providers,”American Express Executive Vice President Matthew Robinson said in an emailed statement, adding that the company is beginning to transition to the technology.
Article top image credit: Courtesy of GoodwillFinds.com
Will biometrics be the future of payments?
The use of biometrics to authenticate payments is poised to bring greater security and speed to transactions, but some say broad adoption by consumers and merchants is still far from reach.
By: Caitlin Mullen• Published Sept. 26, 2022
In the mid-2000s, when biometrics in payments was still a mysterious notion, a company called Solidus Networks developed a finger-reader for payments that was trotted out at grocery chains such as Jewel-Osco.
It allowed shoppers to pay at a Pay By Touch terminal with the touch of a finger. That payment method – which arrived a decade prior to a similar product, TouchID on Apple iPhones – failed to gain traction, and Solidus filed for bankruptcy in 2007.
“At that point in time, biometrics was just really an alien concept,” said Thad Peterson, a strategic adviser with consulting firm Aite-Novarica.
While biometrics was too early to market then, payments consultants and executives say now is the moment for the technology. The FIDO Alliance, which seeks to eliminate passwords and advance biometrics for authentication, is one of several actors pushing payments in that direction. In the U.S., the retail sector is expected to generate $5.5 trillion by 2027 and Aite-Novarica estimates fraud losses just for card-not-present transactions will reach $9.2 billion next year, so there’s strong appeal in making payments simpler and more secure.
Tech companies Apple and Google – major influencers of consumer behavior – have done the heavy-lifting when it comes to biometrics acceptance. Their tech tools and ubiquitous smartphones have primed consumers to use their fingerprints or faces to access their devices.
In addition, user IDs, PINs and passwords have become a friction-filled headache for many. Consumers who’ve grown weary of the need for unique passwords may increasingly view biometrics as a welcome change.
Those two factors have set the wheels in motion on biometrics in payments, said Peterson, who focuses on emerging payment technologies and digital wallets.
As the pandemic prompted a shift toward contactless, payments players want to make transactions as frictionless and quick as possible, both to increase volumes and please customers. Tapping biometrics takes that a step further, proponents say, with ease of use and security both necessities in the digital age. By combining biometrics with Near Field Communication (NFC) and EMVCo standards, “you get to a really secure transaction,” Peterson said.
Reducing fraud is crucial to payments companies, and brands want to be seen as modern, seamless organizations, said Andrew Shikiar, FIDO Alliance’s executive director, during a June interview.
There’s plenty of buzz around biometrics, but a number of questions remain regarding adoption and security. Paying by face has been around for at least five years in China, but privacy concerns are more of an issue in the U.S. than in that country, payments consultants and executives said. Additionally, the U.S. financial system is far more diverse and American consumers tend to be slower to use new technologies.
U.S. adoption will come faster if biometric payment methods take off in Europe, where regulations are more stringent, Alessandro Chiarini, senior vice president of enterprise authentication for biometric software company Aware, said during a May interview.
As more companies turn to biometrics and collect consumer data, however, the odds of a major breach occurring increase. “You see one high-profile breach, and maybe consumer appetite and concerns completely change from what they were,” said Greg Szewczyk, partner and co-chair of the privacy and data security group at law firm Ballard Spahr.
Until the security of such systems has been tested further, biometric payment methods are unlikely to unseat other payment options, some professors and consultants said.
Biometrics in payments is “no silver bullet,” said Dave Lott, a payments risk expert at the Federal Reserve Bank of Atlanta, during an August interview. He noted the Federal Reserve has always maintained “a technology agnostic position.”
In payments, “there are applications that lend themselves to various forms of biometrics, and there’s others that don’t,” Lott said. “If I’m paying cash, there’s no biometrics involved in that.”
New payment methods emerge
Since the days of Pay By Touch, a crop of new biometric technologies have emerged: Methods asking users to hover or wave their palm over a scanner are factoring in unique features like the shape of the hand and the veins running through it.
Face-pay tools ask users to look into a camera as their image is captured and compared against facial scans; methods involving the eye can scan the retina or iris to authenticate payment.
People tend to be less comfortable with a biometric that involves the eye than a fingerprint, scholars said. In geographic regions of the world that have already turned to biometrics, like China, face-pay is more popular than palm-pay.
Consultants said biometric payment methods are far more likely to gain traction if they are geared to consumers using their smartphones, as opposed to requiring merchants to acquire and install in-store technology.
“I think absolutely people are ready for it, and they’re already using it,” Peterson said. As long as it’s device-dependent, “the merchant is kind of out of the equation,” he added.
Big names pursue biometrics
Consumers tend to be most familiar with the biometric method that employs a one-to-one comparison. That’s typical with phones using biometric sensors to verify users with a fingerprint or facial identification, said Anil Jain, a professor in the computer science and engineering department at Michigan State University.
“The advantage is that your template, or your reference biometric, is always stored in the phone, which is with you,” which is highly secure, Jain said.
That’s the approach that FIDO Alliance, a consortium of technology companies, has tapped in its effort to eliminate passwords. FIDO stands for fast identity online and the consortium is spearheading that change.
Pairing biometrics with cryptography allows a person to prove his or her identity to a device and then allow that device to provide proof to an approved third party, like a bank app, said Stephanie Schuckers, a professor at Clarkson University and director of the Center for Identification Technology Research. She was involved in the biometric certification process for FIDO.
PayPal, Bank of America, Wells Fargo and large retailers Best Buy, Wayfair and eBay are among those already accepting FIDO for log-in, said Megan Shamas, FIDO’s senior marketing director. It’s gained traction in online payments in Europe, because it’s easier for consumers than a one-time password or multi-factor authentication, Shamas said.
Products like Amazon’s palm-pay, called Amazon One, are different: Consumers enroll at a store and link their payment information. In a system like Amazon One, it’s a one-to-many comparison, with “one” being the customer paying and the “many” being the pool of Amazon customers who’ve opted into recognition by their palm, Jain said. This method can be highly convenient, but involves biometric data being stored in a central database.
“There is always a worry that somebody may either break into the central storage or, during the transmission of the data from the point-of-sale to the cloud, somebody may intercept your data,” Jain said. That’s why Amazon and other large companies ensure biometric data is encrypted, so even if it’s intercepted, it’s secure, he said.
The e-commerce giant opted for the palm biometric because it was important to the company to choose a method that doesn’t reveal a person’s physical identity, said Dilip Kumar, Amazon’s vice president of physical retail and technology.
“Unlike face or even your voice, which can give you clues about the person’s identity, a picture of your palm doesn’t give you a clue as to who the person is,” he said in an Amazon News video published in July.
Amazon also opted for “a very intentional gesture,” Kumar said in the video. Customers are accustomed to holding their phones over devices, so hovering their hand over a scanner would seem similarly active, said Kumar, who the company said wasn't available for an interview.
Amazon uses sophisticated cameras and computer vision technology to capture the details of the palm and subsurface images of veins, Kumar said. The company incorporated “liveness detection” to bolster accuracy and ensure hands being held over devices are real.
Beyond some of the company’s Fresh, Go and Whole Foods stores, the technology also is being used in some U.S. airport stores and stadiums, an Amazon spokesperson said.
Other biometric uses are popping up in payments: Companies like Samsung are embedding fingerprint sensing, which eliminates the need for a PIN, into physical cards. Pasadena, California-based PopID has partnered with Visa and Mastercard to bring its face-pay technology beyond southern California to other regions of the world.
Mastercard’s biometric checkout program launched earlier this year with a pilot program in Brazil. The company also plans to test biometric payment methods in the Middle East, Asia and the U.S., although Nili Klenoff, senior vice president and head of authentication solutions at Mastercard, wouldn’t say when the program will arrive in the U.S.
The card network’s program lays out standards for how biometric service providers, digital players and merchants should develop their biometric tools and tests them to ensure the tools meet the company’s privacy and security standards, Klenoff said during a May interview.
“Ultimately, that’s the key to unlocking scale,” Klenoff said. “Our goal is to create an open environment that empowers different channel providers to play.”
Privacy, security concerns
No two people in the world have the exact same biometric traits – and that plays into the hands of those trying to reduce fraud and enhance security in payments.
Consumers are still coming around to the idea, however. About half of U.S. adults favor the use of facial recognition technology for security purposes, such as enhanced security with a credit card payment, Pew Research Center determined in March.
When it comes to checkout, 74% of U.S. adults expressed privacy concerns about their biometric data, like fingerprints or retina scans, being stored by a marketer, according to data from an upcoming issue of Ipsos' strategic foresight magazine, What the Future. Respondents were polled in late August.
Consumers tend to view biometric checkout technology as reliable and trustworthy, but the next hurdle “is the security piece of it,” said Oscar Yuan, CEO of Ipsos Strategy3. The security factor is “particularly challenging” because it’s not just biometric data security that impacts consumers’ nervousness, “it’s general data security that’s giving people pause,” Yuan said.
Mastercard’s data from June also indicate about two-thirds of global consumers say biometrics is more secure than a PIN or password, but 71% are concerned about which parties have access to their biometric data.
From FIDO Alliance’s perspective, it’s critical that all biometric data remain in the device, not in a central database, Shikiar said. That’s a comfort to consumers who are trusting that their biometric information is being handled responsibly. FIDO’s user testing showed that “once they understood that the data was on their device, they loved it,” Shamas said.
Still, consumer advocates worry there’s a false hope the new systems being touted are more secure, when that might not be the case.
“My sense is that consumers are not going to wholeheartedly embrace all of this biometric stuff that’s being sold to them,” said Ed Mierzwinski, senior director of the federal consumer program at advocacy organization Public Interest Research Group. Consumers “are very concerned about databases containing their information that could then be misused.”
OfFIDO’s locally stored approach, Mierzwinski said: “I’m not endorsing it, but I’m saying it’s better.”
Others suspect consumers aren’t thinking about the different approaches to data storage. “I don’t think there’s that divide in their mind, that, oh, this one’s saved on my phone, so this one’s safer,” Yuan said. “They think in terms of, ‘OK, they have my data and I want it to be secure, whether that’s the device that stores it, whether that’s Amazon that stores it, whether that’s Apple that stores it, whether that’s AT&T that stores it.’”
With sensitive data in play, it’s incumbent upon companies to be transparent. Those capturing biometric information need to “be really clear about what’s being captured, how it’s being used and how it’s being protected,” said Adam Pressman, a managing director in the retail practice at consulting firm AlixPartners.
Among U.S. states, Illinois, Texas and Washington have biometric identifier laws, requiring specific consent from consumers before companies can collect biometric data. But all 50 states have breach notification laws, and most of those include biometric information, Szewczyk said.
If the biometric method used is something consumers are familiar with, it’s less likely to raise concern on the consumer front, Szewczyk said.
The usability factor
A handful of different biometric methods are being pursued in payments, but certain types have greater usability than others, depending on the setting.
“There are a whole bunch of biometrics,” Jain said. “The question is, what makes most sense in a given scenario?”
Background noise in a crowded store may interfere with the use of a voice biometric at a kiosk. Paying by face could be particularly useful at drive-thru restaurants. Merchants will assess biometric technologies and pick the right tool for their business, Klenoff said.
For in-store payments, FIDO has been working with EMVCo on allowing the FIDO biometric credential to be used to authenticate at the point of sale, erasing the need for another verification method like PIN or a signature. Mobile payment providers like Apple and Android are beginning to implement that credential, Shamas said.
But if the biometric payment method involves the merchant obtaining and installing new technology – like a kiosk with a camera that scans a customer’s face – envisioning that is harder, consultants said.
That approach could be costly for merchants, requiring added hardware or software at each store, and customers would have to be taught how to use it, said Jeff Fortney, a senior associate with payments consulting firm The Strawhecker Group, in June.
The path to broad adoption
The pace at which biometrics in payments could take off in the U.S. remains unclear.
Some payments professionals pointed to the persistence of cash or the arduous adoption of chip cards. The latter were rolled out in 2015, and gas pumps just reached compliance this year. QR codes were used to make payments in India in the mid-2000s, but it took the pandemic to get consumers to use QR codes in the U.S.
“I’ve seen a lot of new technology that I thought would just be a game-changer, but it either didn’t have financial support or merchants weren’t going to do it,” Fortney said. “It’s going to be a 10-year cycle, in my opinion, before [biometrics] really makes an appearance.”
Klenoff pointed to greater adoption of tap-to-pay during the pandemic, predicting biometrics will follow a similar trend. “We’ve taught consumers to swipe, then to dip, then to tap and now, biometrics,” she said. “With any of those experiences, it takes the consumer a couple of times to experience the technology, try it out and become comfortable with it before it becomes a habit.”
The older the technology is, the more consumers trust it. In the earlier days of the internet, people were afraid to use their credit cards online to pay. At that point, “we were looking at the same thing – 75 percent -80 percent of people were nervous,” Ipsos’ Yuan said.
Over time, technology improved and the convenience factor outweighed concerns, causing that percentage to shrink, Yuan said. He suspects consumer comfort with biometric payment methods will follow a similar path.
There’s still work to be done in biometrics on the technology side, in terms of improving accuracy. Shikiar noted false rejections can be an issue in biometrics, particularly for Black users. That’s something the industry continues to address, “to make sure that bias goes away through stronger testing, improvements in algorithms, things like that,” he said.
As Apple, Android and Windows products roll out new operating systems in the coming months that support FIDO credentials, Shamas expects that will be the spark that fuels further adoption on the part of financial institutions and merchants.
Rather than having shoppers input payment details such as card security code at each site, merchants want to move toward a process that has customers “form fill your credential in the browser, and then you authorize it with your biometric,” Shamas said. “I think we’re going to see these things come together in the next couple years or so.”
Looking ahead, consultants envision the use of biometrics to unlock a mobile device being applied to authorize a payment made shortly thereafter, without having to re-authenticate, Peterson said.
For his part, Lott expects to continue to see a “buffet of payment choices.”
“Ultimately, it is the consumer that’s going to make the decision as to what method of payment they prefer to use,” Lott said. “If a merchant doesn’t support that particular method of payment, it’s highly likely that consumer [is] going to find a merchant that does.”
Article top image credit: Prostock-Studio via Getty Images
Big tech pushes passwordless for payments
Google, Microsoft and Apple this month began a big, new push in their campaign for a passwordless standard that's aimed at improving digital identity verification, including for payments.
By: Lynne Marek• Published May 23, 2022
Big U.S. technology companies Google, Apple and Microsoft are campaigning to make this the year that a new passwordless standard becomes more widely accepted, including for payments.
The companies argue the new standard not only avoids the consumer headaches of being forced to remember countless passwords, it also provides a more secure approach to e-commerce and a better guard against fraud and phishing attacks.
“This is the year,” Christiaan Brand, Google’s product manager for identity and security, declared at the American Banker media outlet's Payments Forum in Phoenix last week. “If there isn’t a password, there is nothing to keep updated.”
Google has been working with the FIDO Alliance, short for the Fast Identity Online Alliance, since 2013 to create a new passwordless era, as have other technology companies. The alliance was founded in 2012 when digital payments pioneer PayPal and other companies began brainstorming a passwordless authentication protocol that would be driven by biometrics and public-key cryptography.
Google, Apple and Microsoft publicly bolstered their support for the new standard earlier this year in a May 5 public statement of support for the FIDO Alliance and World Wide Web Consortium.
“The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms,” the tech companies said in the statement.
Under the new standard, users would verify their identity with their fingerprint or face, or by using a device PIN.
The tech companies said they expect the new capabilities to become available on Apple, Google and Microsoft products and services over the coming year.
The federal government also favors moving consumers past the use of passwords, Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said in the statement. “Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords,” she said in reference to the enhanced support from the three big tech companies.
A powerful aspect of the new standard, and the technology developed around it, is that users will be able to transfer their login credentials, called a passkey, to a new device where they haven’t used the passwordless sign-on previously, Brand said at the conference.
“This is a technology that transcends just an application on a single phone,” with the same credential used across web and app use on various devices, Brand said in speaking on a May 17 panel at the conference.
KeyBank is piloting the use of the new passwordless standard and reviewing its feasibility, Jen Martin, head of enterprise fraud services at the bank, said in speaking on that Payments Forum panel.
Still, some cybersecurity consultants have their doubts about the use of passwords expiring anytime soon. Merritt Maxim, who specializes in security and risk as a research director at Forrester Research, told the Wall Street Journal that he doesn’t believe passwords will disappear anytime soon.
Passwords are “the cockroaches of the internet,” Maxim said, suggesting they’re irritating and hard to kill, but worth getting rid of.
But Tom Thimot, CEO of Denver-based identity verification company authID.ai, has more faith the tech companies’ new push will make a difference, "after everyone has been talking about passwordless forever." He called the renewed support a “monumental” development.
The world will quickly move away from username and password, he predicted. When Google, Microsoft and Apple together send notices to customers that they're doing away with passwords, "there's going to be a giant hallelujah," he said.
Then, it will be a matter of educating consumers, their getting used to no more text message authentication and asking people to occasionally turn their phones to their faces, Thimot said.
Article top image credit: Ian Waldie via Getty Images
Apto Payments, Sardine team on anti-fraud tools
By: Tatiana Walk-Morris• Published March 20, 2023
Apto Payments, the San Francisco-based card issuer, teamed up with Sardine, a fraud prevention, compliance and settlement company headquartered in Miami, to enable clients to launch card programs with anti-fraud prevention capabilities, according to a Thursday press release.
The partnership will let Apto customers issue cards “with support from comprehensive transaction monitoring tools to identify and prevent fraudulent behavior,” according to the press release.
Sardine’s fraud and compliance technology, including its real-time risk-scoring engine, will help Apto generate revenue while reducing risky transactions, Sardine CEO Soups Ranjan said in the statement.
The partnership with Sardine is part of Apto’s efforts to build high-end developer tools and comprehensive card management services for its customers, the company noted in a press release. The deal follows Apto’s October announcement that it was partnering with Patriot Bank to help clients issue cards.
“We are focused on ensuring that our customers can be successful with their card programs, even in the most challenging, highly evolving environments,” Apto Payments CEO Meg Nakamura said in the statement. “Partnering with Sardine allows us to bolster our own fraud and risk engines, resulting in the best cardholder protections in the industry.”
The deal between Sardine and Apto Payments follows a $51.5 million investment funding round for Sardine six months ago, with money flowing from Andreessen Horowitz’s Growth Fund, card giant Visa, tech behemoth Google’s venture arm and other investors, TechCrunch reported. The company had previously raised $19.5 million last February, TechCrunch reported.
Apto made an important acquisition in September 2021, buying credit card startup Vertical Finance for an undisclosed sum. Through that purchase it was able to strengthen its management team, adding that company’s co-founder and CEO, Matthew Goldman, who is now Apto’s president. With Vertical Finance under its ownership, Apto can provide its customers with the subsidiary’s credit card and rewards technology.
Article top image credit: NicoElNino via Getty Images
Identity verification in the era of digital payments
As the nature of e-commerce and in-store transactions has changed over the past three years, it has been difficult for merchants to keep up with criminals. A bevy of upstarts are pitching software services to fill the gap, tapping everything from biometrics to tokenization.
included in this trendline
Bluefin, Visa pursue network tokenization
EMVCo rolls out new payment standard
Will biometrics be the future of payments?
Our Trendlines go deep on the biggest trends. These special reports, produced by our team of award-winning journalists, help business leaders understand how their industries are changing.