Biometrics and Payment Encryption Drive New Mobile Offerings

by Alex Johnson 0

Credit Union Times is reporting on three new developments in the mobile payments space and data security is at the heart of all of them.

First, is the recent unveiling of a MasterCard pilot project to use fingerprint authentication and facial recognition to verify identity and authenticate payment transactions:

“During fingerprint authentication, the user simply touches the device. For facial recognition, the user takes a selfie, but must also blink to become authenticated. MasterCard’s security researchers determined blinking prevents crooks from just holding up a picture and tricking the system.”

“Bhalla said MasterCard doesn’t actually retain individual fingerprints or face images. Instead, the process converts fingerprint scans to codes retained on the device. The facial recognition instrument maps out faces, converts them to a series of 1s and 0s and transmits it over the Internet to MasterCard.”

Next up is Apple, which may be extending the functionality of its biometrically-secured Apple Wallet in an interesting way according to a recently filed patent:

“The new patent allows iPhone users to activate their Wallet app, select a stored card to make the money transfer and type in the amount. The payment authentication takes place using Touch ID or the iPhone’s passcode. The wallet system would also let the individual select the funds recipient from nearby iPhone users.

Then, an encrypted “packet” is sent to the person receiving the payment, including the amount, verification and a payment “credential,” which could embody the sender’s credit card details. A third party, the user’s financial institution or credit-card provider, would complete the transaction, and the payee would receive a notification that the payment had gone through successfully.”

And finally, PCI SSC—the organization responsible for the ubiquitous payment card data security standards—published a major update regarding the development and use of point-to-point encryption (P2PE):

“One of the major features of the council’s new P2PE Version 2.0 is a stipulation that allows covered entities to employ and manage their own encryption tools at their POS systems provided the tools are compliant with PCI requirements.

“Malware that captures and steals data at the point-of-sale continues to threaten businesses and their ability to protect consumers’ payment information,” PCI Security Standards Council Chief Technology Officer Troy Leach said. “As these attacks become more sophisticated, it’s critical to find ways to devalue payment card data.”

Overview by Alex Johnson, Sr. Analyst, Credit Advisory Service at Mercator Advisory Service

Read the full story here