Why it Matters
Securing payment through "biometric identification" has advantages. Taking a selfie is much easier than remembering one of the dozens of intricate passwords you have for various accounts and devices. Biometric identifiers can also be more secure than traditional passwords because of the need to scan your fingerprint or face in real time; requiring customers to participate in the security scan for each transaction presents a significant hurdle for identity thieves. Indeed, companies like MasterCard have begun exploring new ways to use biometric information to authenticate purchases because, for so long, the physical credit card never actually needed to be present to conduct an online purchase. Now, you or any other credit card holder must be physically present and responsive to the biometric scan in order to finish the online purchase.
But heightened security through biometric technology also poses major privacy risks. Opting into MasterCard's biometric security feature requires the customer to allow MasterCard to convert his face or fingerprint into a digital file. Once digitized, that file may prove quite difficult to protect. MasterCard explained that during pilot program testing of their "selfie pay" feature, fingerprint data were maintained on customers' phones, but MasterCard kept and stored the facial recognition data. Currently, MasterCard has yet to finalize plans for securing all of the data collected once the app is rolled out to customers.
How the App Works
First, you download the app onto your device. Second, you enter your credit card information, and then allow the device to scan your face (by taking a selfie) or fingerprint, if your device has a fingerprint scanner. Once the face and fingerprint data are saved on the app, you can shop normally. When you are ready to complete an online transaction, you need to use only your mobile device's camera to scan your face again to confirm your identity as the cardholder. To ensure that it is your face being scanned in real time (as opposed to someone using another image of you), you need to blink at least once while your face is scanned. You can also use your device's fingerprint scanner to confirm your identity. If your face or fingerprint matches the data from the original scan, the transaction will be approved.
What Companies Will Need to Keep in Mind
The challenge in figuring out how to properly secure this data demonstrates the difficult balancing act that all companies must perform between increasing security and valuing privacy. Properly securing biometric identifiers is something that companies should carefully consider before they begin tracking customer biometric data, particularly if they are considering other types of biometric data, such as iris scans, voiceprints, or DNA profiles. All of this data, once digitized, is potentially accessible by hackers; as technology advances, this data could be used in terrifying ways to either steal a consumer's identity or commit fraud. The concern is evident: customers can replace a swiped credit card with relative ease, but changing the patterns of your fingerprint is an entirely different matter. As technology becomes more sophisticated, biometric identifiers that were once thought to be the gold standard of security may prove to be easily manipulated in the coming years, leaving consumers at risk.
How a Company Can Protect its Customers
Companies should take a privacy-by-design approach to biometric security features, valuing customer privacy on each end of the security feature's use. This means that companies should look at security features from both sides of the coin: as a tool to combat identity theft and as a feature that needs appropriate security of any data collected. Accordingly, privacy protection becomes a value that is adhered to at every step of the engineering and concept-development process and not just a feature slapped together at the last minute. As companies explore ways to use biometric data to increase customer security, they will need to cooperate with customers to develop open standards that meet the demand for commercial security, while also demonstrating the protection of personal privacy. Most customers and companies have mutual interests in achieving the proper security/privacy balance. Customers are increasingly demanding heightened protection against identity theft, and companies want to satisfy customers by offering such protections. But neither customers nor companies want any data to be at risk. After all, it does not make much sense if the price of preventing theft of your credit card information is the potential theft of your biometric information.
Ultimately, MasterCard's "selfie pay" app is a good step forward in finding innovative methods for combating identity theft. But with increased security often comes increased risks to privacy. Companies wishing to value customer security must also work to value customer privacy. Achieving that balance will best enable companies and customers to put their money where their mouths are.