Biometric Card Personalization
Cards with biometric sensors are gaining visibility, with large-scale test sites announced. This technology provides a solution for authenticating a person to the card credential. Smart cards themselves are good at authenticating the card to the system or network in which it is being used, while a fingerprint biometric assures that the user of the card is the one authorized to use it. This is considered a stronger level of authentication than, say, a PIN, since it is “something you are” whereas a PIN is simply “something you know.”
This is also a new personalization element since such biometrics are unique to the cardholder. However, historically, most personalization elements like name, account number, CVV and even natural PINs have been created in advance of the personalization process at a central data processing center. For a few reasons, such “data preparation” is not desired for a biometric personalization.
Because of privacy issues, most issuers of cards so equipped are not interested in populating and maintaining a database of cardholder biometrics. Many cardholders are also resistant to a requirement for such a centralized registry of their biometrics, due to both privacy and security concerns. Consequently, the conventional manner of completely personalizing such a card from a central personalization bureau is not reasonably feasible. The biometric feature will have to be enrolled on the card, where its secure memory element will hold the biometric only on the card itself after the cardholder has received it. This means that the biometric is never stored anywhere outside of the card’s resident secure element. This is a new process where the cardholder will be actively involved in finalizing the card personalization.
When using the card, a cardholder biometric would be compared in real time with the stored biometric held only in the secure element of the chip on the card. In any transaction with the card, the card application would then pass an authentication result to the system in which it is being used: the biometric was either authenticated or it was not. Therefore, any use of a biometric as a cardholder authentication method will require some kind of enrollment process of the biometric when the card is first issued. This would apply to any cardholder who wants to authorize another user of their card as well.
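The match-on-card flow described above, sketched as an added example (not code from the article or from any card vendor). The class name, the Hamming-distance matcher, the threshold and the sample byte strings are all assumptions standing in for a real secure element and fingerprint matcher.

```python
from enum import Enum

class State(Enum):
    UNENROLLED = "personalized, biometric not yet enrolled"
    ENROLLED = "biometric enrolled on card"

def _distance(a: bytes, b: bytes) -> int:
    """Hamming distance; a stand-in for a real fingerprint matcher."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

class BiometricCard:
    """Toy model of the card's secure element (hypothetical interface)."""
    TEMPLATE_LEN = 8   # assumed template size in bytes
    THRESHOLD = 6      # assumed: max differing bits still accepted

    def __init__(self, account: str):
        self.account = account   # prepared centrally, before mailing
        self.__templates = {}    # label -> template; no export method exists

    @property
    def state(self) -> State:
        return State.ENROLLED if self.__templates else State.UNENROLLED

    def enroll(self, label: str, sample: bytes) -> None:
        """Runs on the card after delivery; one template per person."""
        if len(sample) != self.TEMPLATE_LEN:
            raise ValueError("bad capture")
        if label in self.__templates:
            raise PermissionError("already enrolled")
        self.__templates[label] = bytes(sample)

    def verify(self, sample: bytes) -> bool:
        """Compare a live capture against the stored templates, on-card."""
        if len(sample) != self.TEMPLATE_LEN:
            return False
        return any(_distance(t, sample) <= self.THRESHOLD
                   for t in self.__templates.values())

    def transaction(self, sample: bytes) -> dict:
        """All the terminal sees: the credential and a yes/no result."""
        return {"account": self.account,
                "cardholder_verified": self.verify(sample)}

# Constructed sample captures (not real biometric data).
OWNER = bytes.fromhex("a5c3f00f3c5a9966")
OWNER_NOISY = bytes.fromhex("a4c3f00f3c5a9964")   # 2 bits differ from OWNER
STRANGER = bytes.fromhex("5a3c0ff0c3a56699")
SECOND = bytes.fromhex("0123456789abcdef")        # an authorized second user
```

A card that arrives unenrolled fails verification for everyone, and a second authorized user has to enroll a template on the same card before `verify` accepts them.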
Personalization is generally divided between centralized, large-volume issuance and instant issuance, where a single card is produced at a time. Instant issuance systems could be readily adapted to enroll a biometric element since the cardholder is typically present at the time the card is personalized and presented to them. Another authorized cardholder would also have to be present, or return to the instant issuance site with the named cardholder, to get enrolled. Centralized issuance is more complicated for the reasons cited above. Thus, it has become apparent that an enrollment process will need to be provided to a cardholder along with a newly issued card, personalized except for the biometric, at the time it is mailed.
This cardholder biometric enrollment process needs to be simple and intuitive, perhaps something like that in use with laptop fingerprint devices and smartphone fingerprint or face-print devices, where the device owner enrolls their biometric at the initial setup of the phone or computer. Something similar was used in initial smart card issuance programs, when a reader/writer device that could be plugged into a computer was supplied with every card. When connected online, the reader/writer device enabled cardholder PIN selection as well as enabling the card for use in online transactions.
Card issuers are aware of this need and have been evaluating solutions offered by multiple suppliers. Ease of use by cardholders, accurate biometric capture and affordability are at the top of the feature list for these enrollment kits. Since the kit is essentially disposable after the biometric enrollment is complete, issuers are keenly attuned to the cost/benefit ratio of implementing this technology across their card portfolios. Instant issuance is also in the solution mix.
The conventional manner of completely personalizing such a card from a central personalization bureau is not reasonably feasible. The biometric feature will have to be enrolled on the card, where its secure memory element will hold the biometric only on the card itself after the cardholder has received it. Whether centrally or instantly issued, this is a new process where the cardholder will be actively involved in finalizing their card personalization.
About the Author: David Tushie, ICMA standards and technical representative, has had a long and continuing career in the card industry, working for international companies such as DataCard, UbiQ and NBS Technologies. He has master’s degrees in engineering and business, holds U.S. and international patents in measurement and card issuance systems and has had several years of involvement with the ANSI, INCITS and ISO Standards process. ICMA is represented at six ISO and ANSI Standards Meetings through David’s standards role within the association.