the time is now for biometrics in financial services

shaping the future of payment technology The Time is now for Biometrics in Financial Services Lorenzo Gaston, Technical Director, SPA Thursday 21st November 2013

Upload: smart-payment-association

Post on 22-Nov-2014


DESCRIPTION

To date, biometric technologies have largely been driven by the needs of governments to identify their citizens and protect their borders. But as the technologies mature and focus increases on payment security and anti-fraud measures, biometrics are finding a logical home in the financial services sector. Recent cross-industry ISO standards, and work addressing interoperability, scalability, privacy and security issues, mean an industry-specific EMVCo biometrics profile is now an achievable reality. But challenges remain – in the definition and agreement of the best approach, in integrating biometrics into payment systems, and in encouraging adoption by both financial institutions and consumers.

The presentation will focus on:

• The use cases and biometric applications within the financial markets
• International standards harmonization and the key role of SPA in promoting interoperability
• The applications integration challenges facing payment systems
• The vital importance of ensuring biometric data protection and privacy

TRANSCRIPT

Page 1: The time is now for biometrics in financial services


The Time is now for Biometrics in Financial Services Lorenzo Gaston, Technical Director, SPA

Thursday 21st November 2013

Page 2: The time is now for biometrics in financial services

1. SPA: a short presentation

Page 3: The time is now for biometrics in financial services

Who we are

The Smart Payment Association addresses the challenges of today’s evolving payment ecosystem. We offer leadership and expert guidance to help members and their financial institution customers realize the opportunities of smart, secure and personalized payment systems and services - both now and in the future.

Since 2004

Members:

Page 4: The time is now for biometrics in financial services


What we do

The SPA works in partnership with global standards bodies, its own vendor community, and an expanding ecosystem of established and emerging brands to offer an ever-growing portfolio of advisory and support services.

Fig 1: Extending advisory and support across the evolving community, the SPA is addressing today’s challenges and shaping the future direction of payment technologies, standards and business models.

[Figure labels: Members Services (Trade Organization); Members Customers Services (Bring Value to Financial Institutions); Ecosystem Expert Advisor Services (Help shape the future of payments). Axis labels: Customers; Technologies; Traditional / Smart Card; Non-Traditional; Advanced / New.]

Page 5: The time is now for biometrics in financial services

How we do it

By delivering the market’s most accurate barometer of payment trends
• An annual analysis of payment trends based on actual manufacturer sales data
• SPA members = 85% of the total smart payments card market

By supporting the creation and adoption of standards and best practices
• EPC-CSG/SEPA: Card Representative and Vendor Sector Spokesperson, Chair of the EPC-CSG Task Force to specify the SEPA functional and security requirements for emergent & remote payments (Internet + Mobile), Convenor of the new EPC-CSG Expert Team on Card Innovative Payments, Member of the Preparatory Committee of the SEPA Security Certification Management Body
• EMVCo: Technical Associate and Board Advisor for Card Sector
• EMVCo Next Generation Taskforce: Contributor

By extending expert advice and support across the payments ecosystem
• An eye-catching library of expert technical resources and thought leadership collaterals to shape the future of payment

Page 6: The time is now for biometrics in financial services


SPA latest publications

Download at: www.smartpaymentassociation.com

Biometrics for EMV Payment Cards

UICC Application Lifecycle Management

Security Certification for Mobile Platforms

Security for Mobile Payments

PIN by SMS

Private Label Payment Solutions

Business Continuity in the Payment Card Issuance Industry


Page 7: The time is now for biometrics in financial services

2. The Time is now for Biometrics in Financial Services

Page 8: The time is now for biometrics in financial services

Three-Factor Authentication in eight steps

1. The cardholder presents their EMV card to the acceptance device equipped with a fingerprint biometric sensor

2. A next generation secure channel is established with the card

3. The Cardholder presents the PIN code for verification

4. The Terminal Manager instructs the CVM to require the cardholder to present the finger to the biometric sensor

5. The Biometric sensor extracts the minutiae, generates the ISO 19794-2 template and sends it to the CVM

6. The CVM transmits to the card the captured template through the secure channel via contact or contactless

7. The card verifies and decrypts the captured template and matches it with the enrolled template, calculating a score of similarity

8. Depending on the score and the pre-fixed threshold, the card returns a signed result (i.e., Yes/No) to the CVM of the acceptance device
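
An added example, not part of the original slides or of any EMVCo specification: a Python model of steps 6 to 8, in which the card authenticates the incoming template, matches it against the enrolled one under a try counter, and returns a verdict bound to the terminal's nonce. The `Card` class, the HMAC keys standing in for the secure channel and for the signed result, the toy matcher and all sample values are assumptions; template encryption is left out.

```python
import hashlib, hmac, json, math

def mac(key, *parts):  # parts are concatenated; the nonce is fixed-length (16 bytes)
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def similarity(probe, enrolled, d_tol=10, a_tol=15):
    """Toy score: enrolled minutiae (x, y, angle) with an unused probe minutia nearby."""
    free, score = list(probe), 0
    for ex, ey, ea in enrolled:
        for p in free:
            turn = abs(ea - p[2]) % 360
            if math.hypot(ex - p[0], ey - p[1]) <= d_tol and min(turn, 360 - turn) <= a_tol:
                free.remove(p)
                score += 1
                break
    return score

class Card:  # constructed model of the card side of steps 6-8, not EMV code
    def __init__(self, channel_key, result_key, enrolled, threshold, max_tries=3):
        self.channel_key, self.result_key = channel_key, result_key
        self.enrolled, self.threshold = enrolled, threshold
        self.max_tries = self.tries_left = max_tries

    def verify(self, nonce, payload, tag):
        # Step 7: authenticate the template before parsing or matching it.
        if not hmac.compare_digest(mac(self.channel_key, nonce, payload), tag):
            verdict = b"ERR"
        elif self.tries_left == 0:
            verdict = b"BLOCKED"
        else:
            probe = [tuple(m) for m in json.loads(payload)]
            ok = similarity(probe, self.enrolled) >= self.threshold
            self.tries_left = self.max_tries if ok else self.tries_left - 1
            verdict = b"YES" if ok else b"NO"
        # Step 8: bind the verdict to the terminal's nonce so it cannot be replayed.
        return verdict, mac(self.result_key, nonce, verdict)

def terminal_verify(card, keys, nonce, minutiae):  # steps 6 and 8, terminal side
    payload = json.dumps(minutiae).encode()
    verdict, proof = card.verify(nonce, payload, mac(keys[0], nonce, payload))
    if not hmac.compare_digest(proof, mac(keys[1], nonce, verdict)):
        raise ValueError("card answer failed authentication")
    return verdict

# Constructed sample data: keys and minutiae (x, y, angle in degrees) are illustrative.
KEYS = (b"k" * 32, b"r" * 32)
ENROLLED = [(10, 10, 0), (50, 40, 90), (80, 120, 180), (120, 60, 270), (30, 150, 45)]
GENUINE = [(12, 9, 5), (48, 43, 85), (83, 118, 175), (119, 62, 268), (200, 200, 0)]
IMPOSTOR = [(200, 10, 0), (5, 90, 30), (150, 150, 200), (60, 60, 10), (90, 20, 300)]
```

With a threshold of 4, the genuine probe is accepted, three impostor attempts exhaust the try counter, and the card then answers BLOCKED even to the genuine finger.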

Cartes 2013

Page 9: The time is now for biometrics in financial services

This looks easy & straightforward but …

Introduction of biometric payment cards requires the careful consideration of a number of issues, including:

• Decide the most suitable biometric modality to use
• ‘on card’ or ‘off card’ or ‘both’ biometrics verification
• Trade-off performance vs transaction times
• Design of the cardholder enrolment process
• Lifecycle management of the biometrics data
• Storage, retrieval and data protection of a cardholder’s personal biometric attributes.

Page 10: The time is now for biometrics in financial services

Use Cases for biometrics in payment cards

Opening Payment Accounts
• Implement ‘Know your Customer’ (KYC) processes, use of existing biometric documents to enroll bank biometrics

Authorization of Payment
• AML/CFT monitoring process
• Stronger proof of consent

Simplifying the use of payment cards in developing countries
• facilitate access to financial services for individuals unused to PINs or passwords
• cash withdrawal and other transaction services at an ATM or self-service bank kiosk

Page 11: The time is now for biometrics in financial services

Use Cases for biometrics in payment cards

Contactless & Mobile Payments
• As CVM “hands free”
• Ability of the mobile to integrate many capture devices

Generation of non-repudiable electronic signatures
• Activation of private signature key
· subscribing a contract for access to a new financial service
· confirming a remittance
· generating an e-Invoice
· proceeding to a mobile commerce transaction
· downloading and transferring electronic money.

Page 12: The time is now for biometrics in financial services

Comparison of physiological and behavioral biometric modalities

[Figure: modalities compared on Reliability and User friendliness, grouped as Physiological Traits and Behavioral Traits. Modalities shown: Face, Signature, Gait, Keystroke, Fingerprint, Hand, Iris/Retina, Voice, Vein.]

Page 13: The time is now for biometrics in financial services

Setting Performances (I)

The profile proposes performance targets for biometric matchers configured and used in EMV Biometric authentication subsystems

The key criterion is security, meaning minimizing the False Match Rate
• False Match Rate criteria can be met by simply setting an arbitrarily high score of similarity
• But that involves high False Rejection Rate and negative commercial impact

The final tradeoff will of course be set by the card issuer
• Lower further FMR or prefer lower FNMR to facilitate acceptance of the technology
• Set the number of consecutive tries
• Set the level of performance depending on the risk of the transaction
· A high transaction risk requires a higher score of similarity to proceed

Page 14: The time is now for biometrics in financial services


On Error-Condition Performances

Different approaches for setting the comparison threshold for the application

Page 15: The time is now for biometrics in financial services


Setting Performances (II)

The Profile proposes a trade-off minimum level of accuracy for EMV Match-on-Card fingerprint minutiae authentication

« The False Match Rate of FMR = 0.0001 should be achieved with a maximum False Non Match Rate FNMR = 0.02 on one finger »

FMR ≤ 0.0001 with FNMR ≤ 0.02

This FMR applies to zero-effort authentication
• This represents the case where a lost/stolen card is presented by a random person who tries to impersonate the cardholder without knowing who the cardholder is
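
An added example, not from the original slides, covering the threshold trade-off of Setting Performances (I) and (II): from constructed impostor and genuine score samples it picks the lowest threshold that meets FMR ≤ 0.0001, checks the resulting FNMR against 0.02, and shows how risk tiers and the number of tries shift both rates. The score distributions, the risk tiers other than 0.0001 and the independence of consecutive tries are assumptions.

```python
import random

TARGET_FMR, MAX_FNMR = 1e-4, 0.02   # profile targets quoted on the slide

def constructed_scores(seed=2013, n_genuine=20_000, n_impostor=100_000):
    """Constructed integer similarity scores (0-100); not measured data."""
    rng = random.Random(seed)
    def draw(mu, sigma, n):
        return [max(0, min(100, round(rng.gauss(mu, sigma)))) for _ in range(n)]
    return draw(75, 9, n_genuine), draw(20, 8, n_impostor)

def rates(genuine, impostor, threshold):
    """(FMR, FNMR) when the card accepts a comparison with score >= threshold."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr

def lowest_threshold(impostor, target_fmr):
    """Smallest integer threshold whose measured FMR stays <= target_fmr."""
    ordered = sorted(impostor)
    allowed = min(int(target_fmr * len(ordered)), len(ordered) - 1)
    # Accept only scores strictly above the (allowed+1)-th highest impostor score.
    return ordered[len(ordered) - allowed - 1] + 1

def over_tries(fmr, fnmr, tries):
    """Per-transaction rates after `tries` attempts, assuming independent attempts."""
    return 1 - (1 - fmr) ** tries, fnmr ** tries

def issuer_policy(genuine, impostor, risk_targets):
    """Threshold and measured (FMR, FNMR) for each risk tier's target FMR."""
    policy = {}
    for tier, target in risk_targets.items():
        t = lowest_threshold(impostor, target)
        policy[tier] = (t, *rates(genuine, impostor, t))
    return policy

# Hypothetical tiers; only the 1e-4 target comes from the slides.
RISK_TARGETS = {"low": 1e-3, "standard": TARGET_FMR, "high": 1e-5}

if __name__ == "__main__":
    genuine, impostor = constructed_scores()
    for tier, (t, fmr, fnmr) in issuer_policy(genuine, impostor, RISK_TARGETS).items():
        print(f"{tier:9s} threshold={t:3d} FMR={fmr:.5f} FNMR={fnmr:.4f}",
              "meets profile" if fmr <= TARGET_FMR and fnmr <= MAX_FNMR else "")
    print("3 tries at profile limits:", over_tries(TARGET_FMR, MAX_FNMR, 3))
```

Allowing three tries at the profile limits roughly triples the chance that a zero-effort impostor is accepted (about 0.0003) while cutting the chance that the genuine cardholder is rejected to 0.000008, which is the lever the issuer trades against the threshold.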


Page 16: The time is now for biometrics in financial services

Rationale for this level of Performance (I)

The proposed FMR/FNMR is a good level of performance for the current state of the art, similar to what is going to be required, e.g., in the US PIV card program

Lowering the FMR further means increasing the FNMR, which in addition becomes random and highly dependent on the individual characteristics

This FMR = 0.0001 offers the same level of security as a PIN comparison
• Cardholders not eligible for minutiae enrollment will continue to use the PIN and the risk is to be the same

In addition … it’s the level of performance announced by Apple iPhone 5S

A lower False Match Rate can be achieved by comparing more than one fingerprint or with biometrics multi-modality

Page 17: The time is now for biometrics in financial services

Rationale on Accuracy Performance (II)

A Card can enroll up to 10 fingerprint minutiae
• Effective to lower dramatically FMR without impacting FNMR but
· 10 finger biometric capture devices are expensive
· 10 fingerprint matching requires 3 presentations (4 + 4 + 2 thumbs simultaneously) or 4 presentations (4 + 4 + left thumb + right thumb) + 10 consecutive match-on-card

At least one fingerprint from right hand and another from left hand should be enrolled – More than 4 fingerprints don’t bring significant benefit

Multi-modality could work but
• Expensive biometric capture device
• Transaction Time
• Minutiae is the only standard template format for card

Page 18: The time is now for biometrics in financial services

On timing performances

PIN Verification is deterministic – Biometric Verification time is random
• This time depends on the number of minutiae to compare, the capture device, the matcher algorithm and the cardholder

Commercial matchers are able to process 64 minutiae (average 41 minutiae)
• Rule of thumb: 30 minutiae is a « big » fingerprint to treat

Level of performance for a Fingerprint Matcher qualified by MINEX
• Average comparison match time: around 500 msec (but variable)
• With encrypted templates, add 10%
• Typical transaction time < 1 sec

Fingerprint matcher performances from Vendors measured in MINEX submission available on the NIST site

Page 19: The time is now for biometrics in financial services


Testing & Certification procedures

The profile will propose high-level guidelines for Testing & Certification procedures

These tests are used to certify implementations that generate and/or match the mandatory minutia-based biometrics specified in the profile

They include generators (minutiae extraction + biometric template) and biometric template matchers

A combination of generator and matcher is interoperable if both are able to work effectively together to achieve a required level of performance

NIST recommends certifying Generators of Biometric Templates and Matchers independently

SPA is willing to work with EMVCo to specify testing & certification procedures

SPA 2013

Page 20: The time is now for biometrics in financial services


SPA initiatives

Submit to EMVCo a first document on the standardization context for Biometrics

Promote Biometrics as a CVM for EMVCo next generation

Propose to EMVCo to develop a Biometrics Profile

Prepare a White paper on Use Cases

Present at last EMVCo F2F meeting a proposal for performances and main design decisions

End: Proposal for an EMVCo Profile for integration in EMV Specifications

Page 21: The time is now for biometrics in financial services


Thank You for Your attention!

Download from www.smartpaymentassociation.com

#SmartPayment