FAQs & Webinar Recording - Biometric Cards: Security Issues and Preventive Measures
The advent of biometric payment cards promises heightened security and increased convenience for users of payment cards. What’s needed to secure this promise?
UL’s Lin Chee Kheong and Marthinus Hadipranoto explored some of the potential security issues arising from the usage of biometric cards for payments, and proposed preventive measures to secure these cards during a recent webinar.
This webinar will be of interest to card vendors, card issuers, and biometric component vendors, who have plans to extend their products to biometric payment cards. Watch the webinar and find out what other questions were discussed at the end of the session!
- It seems that the concept of a biometric card is practicable for contactless cards, but is it still better to use a PIN for contact cards?
It depends on user experience and preference. Users might prefer to use a fingerprint instead of a PIN for contact-only cards for convenience. In any case, most biometric payment cards today provide a PIN as an alternative method of authentication, so users can choose to use either fingerprint or PIN.
- Would PIN be the backup solution in the case of authentication failure?
Yes, most biometric cards will also have a PIN as a backup in case the fingerprint authentication fails or is not available.
- Should the enrolment of the fingerprint be conducted during card personalization?
There should be a different process for fingerprint enrolment, because card personalization can be done without the card holder being present, whereas fingerprint enrolment needs the card holder to be present during the enrolment process.
- Can a biometric card contain more than one fingerprint for multi-user purposes? And if so, can another fingerprint be added later?
At the moment, a biometric card can contain the information for only one fingerprint.
- When will biometric cards be available in the market?
Biometric cards are already available in the market, but most of the cards deployed are currently in pilot phases only.
- Can a user still contest payments made with a biometric card? And if so, is there a liability shift in the case of fraud?
This is dependent on the schemes. At the moment, none of the schemes have defined guidelines for liability shift for biometric cards.
- How does this new authentication method impact the time needed and complexity of obtaining scheme card certification?
There are certainly additional complexities in evaluating a biometric card. At the moment, the schemes' security evaluation guidelines and certification process for biometric cards are not yet available.
- Which risk among those described is the most dangerous one and hardest to protect against?
Modification of the reference template would have the greatest impact, because once the reference template has been modified, the integrity of the card and the authenticity of the card holder cannot be guaranteed. The hardest to protect against is probably a spoofing attack, because it is carried out on the most visible and exposed part of a biometric card.
- Would a biometric card still be usable on ATMs?
It is possible to perform ATM operations using biometric cards. For this to happen, ATMs will need to change their authentication method to support fingerprint scanning.
- Is there a CVM limit for biometric authentication?
This is dependent on the schemes.
- Are there testing services for the various scheme certifications? If not, when will this be available?
The certification guidelines and requirements are not available yet, but we will update everyone again once they are published.
- How long should a standard personalization validation of a biometric card take, compared to a traditional chip card? What steps does the biometric card testing cycle consist of?
Similar to the earlier question, there should be more clarity on this once the certification guidelines and requirements are made known to the market.
- You mentioned the various architecture models (1-chip, 2-chip, BSoC) used for biometric cards. Which model is the most widely used today, and why?
The 2-chip model is probably the most widely used today. With the 2-chip model, existing secure elements which are already certified by EMVCo can be used in a biometric card with minimal changes to the card operating system and payment application. The 2-chip model also allows the biometric processor modules to be developed independently of the card operating system and payment applications.