Thales has announced what it claims is the “world’s first” payment card to include an onboard fingerprint sensor, promising improved security and usability – and an end to contactless payment limits.
The Thales Gemalto Biometric Sensor Payment card (BSPC), the company explained, replaces the traditional PIN with an on-card fingerprint sensor and requires no modifications to existing point-of-sale (POS) payment terminals. Banks signing up to use it, though, will need to implement a procedure for enrolling users’ fingerprints onto the card’s secure element.
Thales claimed to have implemented the card with banks worldwide, boasting of 30 months of live trials and 10,000 users across nine countries including the UK. “Over 80 per cent of users interviewed confirmed they love it and feel it’s more convenient and provides greater security,” Frédéric Martinez, product line manager for biometric and advanced payment at Thales, told The Register.
“In terms of security, the biometric card ultimately means that a lost or stolen card is useless without the owner’s fingerprint to authenticate a contactless transaction. In such trustworthy payment environments, there is no need to set any payment limit.
“What’s more, whenever the cardholder’s fingerprint can’t be used – such as for ATM cash withdrawals – use of a PIN code is still possible as a fallback solution.”
It’s not just about convenience, though. Thales claims the system offers vastly enhanced security over the traditional PIN. “The probability of another user being recognised as the genuine user by the Thales Gemalto BSPC is less than the chance of another user guessing the card’s PIN code,” Martinez pointed out. “Fingerprint verification on the card has a False Acceptance Rate (FAR) of <1/10,000.”
There are concerns over using fingerprints as an authentication system. For starters, if the biometric data is leaked you can’t change your fingerprints as easily as a PIN or password. Criminals have also demonstrated how, working from a photo of someone waving, they can produce a replica fingerprint good enough to fool commercial sensors – creating a mould which can be used in place of the target digit.
Martinez is unconcerned. “The biometric system on the card includes anti-spoofing features,” he told us, “making any mould based on a photograph of the fingerprint (even high resolution) not able to fool the system.
“When registering the customer’s fingerprint, the reference data of their fingerprint is only stored in the secure chip of the card. This does not include any biometric data per se, but is a mathematical conversion of single points that represent your fingerprint reference data. In addition, no personal data is stored in the services of the financial institution or sent to any other centralised database. Even if the card is lost or stolen, the data cannot be recovered by a third party.”
Thales’s biometric cards aren’t the first, despite the company’s claims to the contrary: Mastercard launched one of its own back in 2017, though its plan to follow trials with a commercial launch by the end of that year came to naught.
Martinez told us that Thales had implemented the card “with banks worldwide, including in Cyprus, the Middle East, France, Italy, Switzerland, and the UK,” but there’s no word yet on when eager punters can start paying with a poke. ®