March 12, 2020
Testing, testing… Milestones on biometric payment cards’ path to mass market
By Michel Roig
It’s no secret the payments world is immensely complex. But the extent of the testing and certification behind the card in your wallet would likely surprise many.
The processes and standards in place to ensure our payment cards are robust, secure and work in harmony with the rest of the ecosystem are given little spotlight, but they’re invaluable to the payments world’s smooth operation.
When Fingerprints first began its mission to develop biometric payment cards, it was important for us to sing from the same song sheet. And we’ve made immense progress. All our R&D sites have been EMVCo accredited since October and November 2019, our technology is in use in over 20 contactless pilots across the globe and is included in the first commercial biometric bank card, and, earlier this year, we were part of the first biometric payment card to be commercially certified by a global payment network, with Thales.
But what does all this testing and certification mean? And where are we now on the path to mass market launch?
Any payment card has several boxes to tick before it can enter the hands of consumers. EMVCo is the organization at the center of the ecosystem and, in many ways, top of the checklist. It manages and evolves the EMV®* specifications and related testing processes, the standards and processes that enable the worldwide acceptance, interoperability and security of contact and contactless chip cards and terminals.
In addition to achieving certification and adhering to EMVCo requirements, any payment card or chip-based payments product also needs to comply with the unique requirements implemented by the payment network, whose rails the transaction will run over.
These requirements differ from network to network, but broadly define a series of physical, performance and security requirements that are fundamental before a product is put in the hands of consumers. On completion of these tests, the payment network issues a certificate, enabling the product to go to market. It’s this that was issued to Thales for its biometric payment card – the first for such a solution.
So, what’s entailed in the testing processes? The processes are similar across payment networks and include several hardware and software tests.
From a hardware perspective, the card needs to prove it’s flexible, robust, slim and resistant enough to survive the rigours of daily life. In real terms, this means subjecting both the card and our sensor to battering, bending and various pressure tests. These include assessing the thickness and size, temperature and humidity exposure thresholds, abrasion and heat resistance, durability, and even chemical and UV light testing. Thanks to extensive R&D, we’ve been able to develop a sensor that can withstand this testing and integrate seamlessly into the traditional card ecosystem.
It looks and feels like a standard payment card then, but any new technology added also needs to show it’s able to live up to the proven high security and performance standards already set by the payment ecosystem. In accordance with the payment network requirements, we conducted a full security audit of our software and algorithms that also feature on the Thales implementation. Solutions also undergo vulnerability analysis and penetration testing that essentially attempt to identify whether and where a software solution is vulnerable to hackers or data compromise. Because these tests are conducted by an expert independent lab, areas of weakness are more easily spotted and scrutinized than with internal testing alone – a testament to the rigorous nature of these testing processes. The successful completion of these tests demonstrated that the on-card biometric authentication process matched the levels of privacy and security of the payments industry.
As our solution sees no biometric data leave the card and the matching process is confined to the card itself, it’s worth stressing this has had no impact on security testing for payment terminals or banks and, reassuringly for consumers, there’s no cloud-based database of biometric data.
Sticking with security, it’s here where the EMVCo site accreditation comes into play too. Interestingly, though, this isn’t an evaluation of our solution. This process validates that the development sites where our code is created operate in compliance with security best practices.
These points combined – our approved development sites with our hardware and software, mentioned above – demonstrate the quality and security of our platform. This is why our technology features in every announced contactless biometric card pilot to date.
The significance of the first commercial certification by a global payment network should not be underestimated. With all testing and certification delivered by an independent third-party lab or body, it indicates that biometric payment cards can meet the needs of the payments ecosystem and stand up to consumers’ busy lives.
For banks, it’s a hallmark of quality and trust that will undoubtedly encourage more to kickstart their projects. For other payment networks, it’s an incentive to redouble efforts to enable acceptance of biometric payment cards over their rails. It shows the technology is ready and eases the path to further certifications on the road to volume deployments.
*EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.