Biometric Cardholder Authentication
by Dave Tushie, Magellan Consulting, Inc., ICMA Standards and Technical Representative
Like all things with cards, especially technology on cards, cardholder authentication has undergone a long evolution. When cards were in a rapid growth phase in the 1970s and 1980s, authentication was largely by signature. Most secure cards had a signature panel on the card, most transactions were “attended” by a merchant or service provider employee, and the signature on a receipt could be compared visually with the signature on the card. With the introduction of unattended, card-operated transactions, like those at ATMs, an automated means of cardholder authentication was needed.
The introduction of PINs at ATMs was the first attempt at fulfilling this need. Typically, the card issuer would generate a PIN for the cardholder and require them to memorize this (four-digit) number. Frequently, as is still common with passwords today, the cardholder would write the PIN on the card signature panel, defeating the security of the card if it was lost or stolen. Most cardholders had several cards, each with a different PIN, and found it difficult to memorize each specific card’s PIN. Thus, the customer-selected PIN became a common feature for card issuers to offer.
Many non-secure cards, particularly gift and loyalty cards, were issued with no cardholder authentication required. Such customers were often warned to treat their cards as “cash” since anyone in possession of the card would be able to transact with it. However, with the introduction of PINs, and specifically customer-selected PINs, these card issuers were now able to offer the option of a higher level of fraud deterrence.
Most recently, we see the COVID-19 pandemic driving the demand for contactless interaction at the point of sale (POS) or points of service. Financial transaction cards at the POS with “tap and go” functionality are in high demand. Will we see a similar uptake in demand for gift cards as consumers prefer contactless transactions? The same question exists for secure ID cards at the points of service or admittance, and for access control cards used at unattended points of entrance like buildings, rooms or doors. Will contactless demand drive the technology on these cards and the resultant means of cardholder authentication?
It appears as though biometrics on cards are the next technology advance to address this need. With an embedded sensor in the card body, a stored cardholder biometric like a fingerprint or signature/voice recognition characteristic can be compared to the actual person using the card. If the comparison matches, the transaction is allowed to be completed. No central database of biometric data is involved; there is only a direct match of the physical cardholder with a biometric that is stored only in the secure memory of that specific card.
A card employing this technology would be able to conduct both a contactless transaction with the POS terminal or point of service reader and a contactless authentication of the cardholder. The cardholder, for example, would hold their thumb over the fingerprint sensor on the card while tapping the card reader. When the card determines that the cardholder is authenticated, it passes that information to the reader as part of the data necessary to successfully complete the transaction.
For many years, the card industry has developed sophisticated chip technology that performs cryptographic functions and securely protects data. These are all low-power chips that are able to operate from the radio frequency (RF) energy supplied by the reader devices. Biometric sensors have evolved to this same level of sophistication, whereby the RF field is able to power them as well. No battery is required on the card to accommodate these capabilities.
Cost is always a factor in card manufacturing and the cost of biometric sensors is not trivial. However, consumer devices like mobile devices and laptop computers commonly use biometric authentication to control access to them. The sheer volume of these devices will drive the cost of these sensors to an affordable level in cards, particularly as card production adds to that volume. We only need to look at recent history with EMV card volume and its impact on the price of chip cards to see evidence of this effect.
A bigger factor for card manufacturers to consider is the effect these developments could have on card production. The implications may be most acute for some non-secure manufacturers who have not had much experience with chips, antenna or inlay components. Production equipment, employee technical skills, inventory management and new supply chains will all need to be evaluated and addressed as this trend comes further into focus.
About the Author: David Tushie, ICMA standards and technical representative, has had a long and continuing career in the card industry, working for international companies such as DataCard, UbiQ and NBS Technologies. He has master’s degrees in engineering and business, holds U.S. and international patents in measurement and card issuance systems and has had several years of involvement with the ANSI, INCITS and ISO Standards process. ICMA is represented at six ISO and ANSI Standards Meetings through Tushie’s standards role within the association.