Biometrics 101
By Ross Federgreen, CSRSI
Identity theft is one of the fastest-growing crimes worldwide. For victims, it's a nightmare. For the rest of us, the mere thought of it causes a strong visceral reaction. People in all walks of life want solutions.
In February, in response to increasing concerns about this issue, the Leahy-Specter Personal Data Privacy and Security Act of 2007 was introduced into the U.S. Senate.
The bill delineates certain responsibilities of merchants who accept personal data, including credit card data. Merchants face the burden of not only securing information they obtain, but also discerning its legitimacy.
Accepting payment cards is risky. One of the greatest challenges in card present and card not present environments is determining and documenting that the person presenting a bankcard for payment is actually authorized to use the card. To this end, biometric identification is gaining traction among financial institutions. It is being deployed to safeguard financial transactions in several areas, including ATM access, online banking, and authentication at retail POS and card not present environments.
An emerging marketplace
Biometric systems designed for the payments industry are an emerging vehicle ISOs and merchant level salespeople (MLSs) can use to obtain and retain merchant clients.
A growing number of multilane retailers are implementing biometric solutions. The main reasons for this are processing speed, security, cost and implementation.
A considerable number of businesses in the food vertical market have adopted biometric payment devices. Some of the major providers are Pay By Touch, NTT DoCoMo Inc., US Biometrics and Ingenico Corp.
Body language
Finger, iris, voice, hand, facial characteristics, keystroke patterns and DNA: what do these have in common? They are biological or physical markers being used with increasing frequency to identify and authenticate individuals.
Biometrics is the study of such characteristics. The financial transactions sphere is using unique biological or physical markers for the purpose of identification.
After a characteristic is selected for a biometric system, the following three steps are required:
- Capture the necessary information pertaining to the chosen characteristic. This is done with a mechanical device such as a fingerprint sensor.
- Manipulate the captured data using an algorithm to put it into electronic form. This allows it to be compared to pre-existing information.
- Compare the extracted data to a repository of information so that a match can be made.
A biometric system has enrollment, verification and identification functions:
- Enrollment consists of adding biometric information to a database. It may also include various screens to make sure that duplicate or other compromised information is not added.
- Verification is based on a one-to-one match against a single record. This answers the question, "Is this the person who he or she claims to be?"
- Identification is based upon matching against all of the records in a database. It is a one-to-many sort. And it answers the question, "Is there a pre-existing record on this individual?"
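The three functions can be seen side by side in a short sketch. This is an added example, not code from the article or from any vendor it names; it assumes the captured characteristic has already been reduced to a numeric feature vector, and the `BiometricStore` class, the cosine-similarity comparison and the 0.95 threshold are hypothetical choices made for illustration.

```python
import math

def similarity(a, b):  # cosine similarity of two equal-length feature vectors
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

class BiometricStore:
    def __init__(self, threshold=0.95):  # assumed cut-off, tuned per sensor in practice
        self.threshold = threshold
        self.templates = {}  # user id -> enrolled feature vector

    def identify(self, sample):
        """One-to-many: search every record; return the best match or None."""
        best_id, best_score = None, self.threshold
        for user_id, template in self.templates.items():
            score = similarity(sample, template)
            if score >= best_score:
                best_id, best_score = user_id, score
        return best_id

    def verify(self, claimed_id, sample):
        """One-to-one: compare only against the claimed identity's record."""
        template = self.templates.get(claimed_id)
        return template is not None and similarity(sample, template) >= self.threshold

    def enroll(self, user_id, sample):
        """Add a record after screening for a reused id or a duplicate biometric."""
        duplicate = self.identify(sample)
        if user_id in self.templates or duplicate is not None:
            raise ValueError(f"rejected: id in use or biometric matches {duplicate}")
        self.templates[user_id] = list(sample)

def demo():
    store = BiometricStore()
    store.enroll("alice", [0.90, 0.10, 0.40, 0.70])  # constructed sample vectors
    store.enroll("bob", [0.20, 0.80, 0.60, 0.10])
    fresh = [0.88, 0.12, 0.41, 0.69]  # new capture of alice's finger, slight noise
    try:
        store.enroll("mallory", fresh)  # same finger offered under a second name
        duplicate_blocked = False
    except ValueError:
        duplicate_blocked = True
    return {"verify_alice": store.verify("alice", fresh), "verify_bob": store.verify("bob", fresh),
            "identify": store.identify(fresh), "stranger": store.identify([0.1, 0.1, 0.9, 0.1]),
            "duplicate_blocked": duplicate_blocked}

if __name__ == "__main__":
    print(demo())
```

Because a fresh capture never matches its stored template exactly, every comparison is a threshold decision: setting it too low admits false matches, and setting it too high rejects legitimate users.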
Essential attributes
In addition to being secure, the critical qualities of a useful biometric system are that it be unique, permanent and easy to use. The technology must also be fast, accurate and low cost.
People must also respond favorably to the solution. (The public had a strong negative reaction at the Super Bowl in Tampa several years ago when facial recognition software was used to check attendees for matches with a criminal database.)
Multilayered authentication is important, too. It consists of four layers of security:
- The lowest level is a single item that you know, such as a PIN.
- The second level is a single item that you know, such as the PIN, plus something that you have, such as a credit card.
- The third level is a single item that you have, such as a credit card, plus something that you are, which is affirmed by a recognized biological or physical marker, such as a fingerprint.
- The strongest form of authentication is something you know, something you have and something you are. So, remember the three key components: know, have and are.
Biometric systems are superior to other common means of confirming identity, such as tokens or passwords. Tokens are defined as something one possesses; passwords are something one knows.
Tokens and passwords cannot ensure a positive identification because they are both routinely compromised. By contrast, biometric identifiers are linked to persons themselves and therefore cannot be forgotten. They are much more difficult to counterfeit or steal.
Biometrics is not a fad
Many biometric issues are unresolved; two are immediately compelling.
From the positive viewpoint, evidence suggests that if a store acts as a biometric registration site, its foot traffic increases. However, not every location is set up to accept and register new users of a given system.
Remember, for a biometric system to be effective, an existing database must contain the specific information being sought so that a match can occur.
Common standards exist for biometric data acquisition. But there is no sharing of databases among different commercial providers. In addition, standards are voluntary, not mandatory.
Be careful when selecting a biometric system. Make sure as many merchants as possible in your area are using the system you employ.
From the negative view, MasterCard Worldwide and Visa U.S.A. resist classifying transactions generated with the use of biometrics as card present versus card not present.
If a biometric transaction is classified as a card not present transaction even in a traditional card present environment, costs will go up, and chargeback defenses will become more difficult. This ongoing issue needs resolution.
Biometrics is a growing part of the payment processing landscape. It is imperative that ISOs and MLSs thoroughly understand how it can benefit their clients. Remember, knowledge is power.