The Time is Now for Biometrics in Financial Services
DESCRIPTION
To date, biometrics technologies have largely been driven by the needs of governments to identify their citizens and protect their borders. But as the technologies mature and focus increases on payment security and anti-fraud measures, biometrics are finding a logical home in the financial services sector. Recent cross-industry ISO standards, and work addressing interoperability, scalability, privacy and security issues mean an industry-specific EMVCo biometrics profile is now an achievable reality. But challenges remain – in the definition and agreement of the best approach, in integrating biometrics into payment systems, and in encouraging adoption by both financial institutions and consumers. The presentation will focus on:
• The use cases and biometric applications within the financial markets
• International standards harmonization and the key role of SPA in promoting interoperability
• The applications integration challenges facing payment systems
• The vital importance of ensuring biometric data protection and privacy
TRANSCRIPT
shaping the future of payment technology
The Time is now for Biometrics in Financial Services
Lorenzo Gaston, Technical Director, SPA
Thursday 21st November 2013
1. SPA: a short presentation
Who we are
The Smart Payment Association addresses the challenges of today’s evolving payment ecosystem. We offer leadership and expert guidance to help members and their financial institution customers realize the opportunities of smart, secure and personalized payment systems and services, both now and in the future.
Since 2004
Members:
What we do
The SPA works in partnership with global standards bodies, its own vendor community, and an expanding ecosystem of established and emerging brands to offer an ever-growing portfolio of advisory and support services.
Fig 1: Extending advisory and support across the evolving community, the SPA is addressing today’s challenges and shaping the future direction of payment technologies, standards and business models.
• Ecosystem Expert Advisor Services: Help shape the future of payments
• Members Customers Services: Bring Value to Financial Institutions
• Members Services: Trade Organization
[Figure axes: Customers (Traditional / Non-Traditional); Technologies (Smart Card / Advanced / New)]
How we do it
By delivering the market’s most accurate barometer of payment trends
• An annual analysis of payment trends based on actual manufacturer sales data
• SPA members = 85% of the total smart payments card market
By supporting the creation and adoption of standards and best practices
• EPC-CSG/SEPA: Card Representative and Vendor Sector Spokesperson, Chair of the EPC-CSG Task Force to specify the SEPA functional and security requirements for emergent & remote payments (Internet + Mobile), Convenor of the new EPC-CSG Expert Team on Card Innovative Payments, Member of the Preparatory Committee of the SEPA Security Certification Management Body
• EMVCo: Technical Associate and Board Advisor for Card Sector
• EMVCo Next Generation Taskforce: Contributor
By extending expert advice and support across the payments ecosystem
• An eye-catching library of expert technical resources and thought leadership collateral to shape the future of payment
SPA latest publications
Download at: www.smartpaymentassociation.com
Biometrics for EMV Payment Cards
UICC Application Lifecycle Management
Security Certification for Mobile Platforms
Security for Mobile Payments
PIN by SMS
Private Label Payment Solutions
Business Continuity in the Payment Card Issuance Industry
2. The Time is now for Biometrics in Financial Services
Three-Factor Authentication in eight steps
1. The cardholder presents their EMV card to the acceptance device equipped with a fingerprint biometric sensor
2. A next generation secure channel is established with the card
3. The Cardholder presents the PIN code for verification
4. The Terminal Manager instructs the CVM to require the cardholder to present the finger to the biometric sensor
5. The Biometric sensor extracts the minutiae, generates the ISO 19794-2 template and sends it to the CVM
6. The CVM transmits to the card the captured template through the secure channel via contact or contactless
7. The card verifies and decrypts the captured template and matches it with the enrolled template, calculating a score of similarity
8. Depending on the score and the pre-fixed threshold, the card returns a signed result (i.e., Yes/No) to the CVM of the acceptance device
Cartes 2013
This looks easy and straightforward, but …
Introduction of biometric payment cards requires the careful consideration of a number of issues, including:
Decide the most suitable biometric modality to use
‘on card’ or ‘off card’ or ‘both’ biometrics verification
Trade-off performance vs transaction times
Design of the cardholder enrolment process
Lifecycle management of the biometrics data
Storage, retrieval and data protection of a cardholder’s personal biometric attributes.
Use Cases for biometrics in payment cards
Opening Payment Accounts
• Implement ‘Know your Customer’ (KYC) processes, use of existing biometric documents to enroll a bank biometrics
Authorization of Payment
• AML/CFT monitoring process
• Stronger proof of consent
Simplifying the use of payment cards in developing countries
• facilitate access to financial services for individuals unused to PINs or passwords
• cash withdrawal and other transaction services at an ATM or self-service bank kiosk
Use Cases for biometrics in payment cards
Contactless & Mobile Payments
• As CVM “hands free”
• Ability of the mobile to integrate many capture devices
Generation of non-repudiable electronic signatures
• Activation of private signature key
 · subscribing a contract for access to a new financial service
 · confirming a remittance
 · generating an e-Invoice
 · proceeding to a mobile commerce transaction
 · downloading and transferring electronic money.
Comparison of physiological and behavioral biometric modalities
[Figure: biometric modalities plotted by Reliability against User friendliness, grouped into Behavioral Traits and Physiological Traits. Modalities shown: Face, Signature, Gait, Keystroke, Fingerprint, Hand, Iris/Retina, Voice, Vein.]
Setting Performances (I)
The profile proposes performance targets for biometric matchers configured and used in EMV Biometric authentication subsystems
The key criterion is security, meaning minimizing the False Match Rate
• The False Match Rate criterion can be met by simply setting an arbitrarily high score of similarity
• But that involves a high False Rejection Rate and negative commercial impact
The final tradeoff will of course be set by the card issuer
• Lower the FMR further, or prefer a lower FNMR to facilitate acceptance of the technology
• Set the number of consecutive tries
• Set the level of performance depending on the risk of the transaction
 · A high transaction risk requires a higher score of similarity to proceed
On Error-Condition Performances
Different approaches for setting the comparison threshold for the application
Setting Performances (II)
The Profile proposes a trade-off minimum level of accuracy for EMV Match-on-Card fingerprint minutiae authentication
« The False Match Rate of FMR = 0.0001 should be achieved with a maximum False Non Match Rate FNMR = 0.02 on one finger »
FMR ≤ 0.0001 with FNMR ≤ 0.02
This FMR applies to zero-effort authentication
• This represents the case where a lost/stolen card is presented by a random person who tries to impersonate the cardholder without knowing who the cardholder is
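The threshold trade-off from the two "Setting Performances" slides, as an added example that is not part of the original presentation: it picks the lowest comparison threshold that meets an FMR target and reports the FNMR that results. The 0-100 score scale, both score sets and the stricter high-risk target are constructed assumptions.

```python
from statistics import NormalDist

FMR_TARGET = 0.0001   # from the slide: FMR <= 0.0001
FNMR_LIMIT = 0.02     # from the slide: FNMR <= 0.02 on one finger

def constructed_scores(mean, stdev, n):
    """Constructed sample: n evenly spaced quantiles of a normal distribution."""
    dist = NormalDist(mean, stdev)
    return [dist.inv_cdf((i + 0.5) / n) for i in range(n)]

# Assumed 0-100 similarity scale; both sets are constructed, not measured data.
IMPOSTOR = constructed_scores(20, 5, 20_000)  # zero-effort impostor comparisons
GENUINE = constructed_scores(62, 9, 2_000)    # same-finger comparisons

def fmr(threshold, impostor=IMPOSTOR):
    """Fraction of impostor comparisons accepted (score >= threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def fnmr(threshold, genuine=GENUINE):
    """Fraction of genuine comparisons rejected (score < threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)

def lowest_threshold(fmr_target, impostor=IMPOSTOR):
    """Lowest integer threshold whose measured FMR meets the target.
    Any higher threshold only adds false rejections."""
    for t in range(0, 101):
        if fmr(t, impostor) <= fmr_target:
            return t
    raise ValueError("no threshold on the scale meets the FMR target")

def operating_point(fmr_target):
    """Threshold, error rates and profile compliance for one FMR target."""
    t = lowest_threshold(fmr_target)
    return {"threshold": t, "fmr": fmr(t), "fnmr": fnmr(t),
            "meets_profile": fmr(t) <= FMR_TARGET and fnmr(t) <= FNMR_LIMIT}

if __name__ == "__main__":
    print("standard :", operating_point(FMR_TARGET))
    # Hypothetical stricter target for a high-risk transaction.
    print("high risk:", operating_point(FMR_TARGET / 10))
```

The number of impostor comparisons bounds the FMR that can be measured at all: with 20,000 comparisons, a target of 0.0001 allows at most two false matches.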
Rationale for this level of Performance (I)
The proposed FMR/FNMR is a good level of performance for the current state of the art, similar to what is going to be required, e.g., in the US PIV card program
Lowering the FMR further means increasing the FNMR, which in addition becomes random and highly dependent on the individual characteristics
This FMR = 0.0001 offers the same level of security as a PIN comparison
• Cardholders not eligible for minutiae enrollment will continue to use the PIN and the risk is to be the same
In addition … it’s the level of performance announced by Apple iPhone 5S
A lower False Match Rate can be achieved by comparing more than one fingerprint or with biometrics multi-modality
Rationale on Accuracy Performance (II)
A Card can enroll up to 10 fingerprint minutiae
• Effective to lower dramatically FMR without impacting FNMR but
 · 10 finger biometric capture devices are expensive
 · 10 fingerprint matching requires 3 presentations (4 + 4 + 2 thumbs simultaneously) or 4 presentations (4 + 4 + left thumb + right thumb) + 10 consecutive match-on-card
• At least one fingerprint from right hand and another from left hand should be enrolled – More than 4 fingerprints don’t bring significant benefit
Multi-modality could work but
• Expensive biometric capture device
• Transaction Time
• Minutiae is the only standard template format for card
On timing performances
PIN Verification is deterministic – Biometric Verification time is random
• This time depends on the number of minutiae to compare, the capture device, the matcher algorithm and the cardholder
Commercial matchers are able to process 64 minutiae (average 41 minutiae)
• Rule of thumb: 30 minutiae is a « big » fingerprint to treat
Level of performance for a Fingerprint Matcher qualified by MINEX
• Average comparison match time: around 500 msec (but variable)
• With encrypted templates, add 10%
• Typical transaction time < 1 sec
Fingerprint matcher performances from Vendors measured in MINEX submission available on the NIST site
Testing & Certification procedures
The profile will propose high-level guidelines for Testing & Certification procedures
These tests are used to certify implementations that generate and/or match the mandatory minutiae-based biometrics specified in the profile
They include generators (minutiae extraction + biometric template) and biometric template matchers
A combination of generator and matcher is interoperable if both are able to work effectively together to achieve a required level of performance
NIST recommends certifying Generators of Biometric Templates and Matchers independently
SPA is willing to work with EMVCo to specify testing & certification procedures
SPA 2013
SPA initiatives
Submit to EMVCo a first document on the standardization context for Biometrics
Promote Biometrics as a CVM for EMVCo next generation
Propose to EMVCo to develop a Biometrics Profile
Prepare a White paper on Use Cases
Present at last EMVCo F2F meeting a proposal for performances and main design decisions
End: Proposal for an EMVCo Profile for integration in EMV Specifications
Thank You for Your attention!
Download from www.smartpaymentassociation.com
#SmartPayment