Regulating Security Gives a Leg Up to Realistic Authentication
As September 2019 draws near, various PSPs are making their moves towards full compliance with PSD2's regulatory technical standards regarding security and functionality. This comes on the heels of the implementation of another regulation, GDPR, whose online privacy rules also caused upheavals in the financial sector. And just like with GDPR, PSD2's impact and consequences are yet to be seen.
PSD2 Boosts Biometrics
Among other things, PSD2's security requirements have led to a rise in the use of biometric technology. Many companies are making efforts to incorporate the technology into their
Mastercard is testing its fingerprint-scanning chip cards in South Africa and hopes to do the same in the UK. In the US, CaliBurger is testing a system that links customer faces to loyalty cards, while Fujitsu is developing payment terminals with palm and finger scanners.
This development is part of the Strong Customer Authentication initiative, which requires several different factors to allow a transaction to take place. One such factor is biometric data, such as retinal scans or fingerprints, which is then combined with PINs or passwords and device IDs to confirm customer identity.
Corporate to Implement Biometrics?
Biometrics are making inroads into corporate payments as well. A senior manager for Hitachi Europe, Elias Thomaidis, stated in 2018 that as the deadline for PSD2 implementation approaches, corporate PSPs are being encouraged to consider implementing biometrics as part of their own security measures, as well as their customers'. Another point to consider in all of this is the potential conflict between GDPR and PSD2.
While GDPR requires that customer data remain private and secure, PSD2's aim of open banking requires banks to share customer data with their consent, since sharing and analyzing data is at the regulation's core. What will happen once both regulations are in full force simultaneously? Only time will tell.
Biometrics Not Legal Everywhere?
An interesting development regarding biometrics is taking place in Slovenia. The Slovenian Personal Data Protection Act (ZVOP-1) permits processing of biometric data only for company employees subject to prior written approval of the national Information Commissioner. Many companies have cited this as a reason for giving up on fingerprint authentication and biometrics in general.
However, experts are pointing out that this is in fact not so. Rather, the abandonment of biometrics for commercial use in Slovenia seems to be a perfect storm. On the one hand, the law is not keeping up with technical and security developments.
On the other hand, this is making Slovenian banks reluctant to adopt biometrics in the first place, due to unclear technical specifications behind the technology and its implementation, coupled with uncertainty about eventual updates to the Personal Data Protection Act with respect to widespread use of biometrics.
The EU's Digital Single Market strategy aims to make e-commerce as easy and safe as possible for the European consumer. It stopped geoblocking, a practice where online retailers discriminated against customers on the basis of their place of residence and refused to ship to them or even accept payments from certain locations.
Rules are now in place that ensure all EU customers are treated equally. The strategy also guarantees full price transparency for cross-border parcel deliveries, which allows for increased competition within the delivery service sector and provides customers with more delivery options.
What the Future Holds
A new VAT for online sales is coming in 2021 and before that, new rules for online consumer protection will be in place in 2020. These will enable the removal of sites or social media accounts involved in scams and make tracing rogue online traders easier by requesting information from ISPs and banks.
Certainly, there will be plenty of room for biometrics in all these sectors in the near future, such as verifying every fifth transaction on a card with a fingerprint from a previously authorized device. And plenty of need as well.
As the payments industry grows and becomes more diverse, it makes sense to invest in and make use of the uniqueness biometrics inherently bring to customer authentication.