advertisement
advertisement
advertisement

Major French Chains Testing Biometrics On Top Of A Contactless Smartcard, All Riding On EMV

Written by Evan Schuman
October 24th, 2012

American retailers have never been able to make biometric payment authentication work, but it has been years since anyone has attempted it. Is the time now ripe? Was the efficiency and speed of biometrics the right idea at the wrong time? Two major French chains—Leroy Merlin, with more than 300 home improvement stores in 13 countries, and the Auchan Group, with 639 hypermarkets and 2,412 supermarkets—are betting that shoppers are now ready.

But the six-month French trial that has just started is taking the efficiency goal one step further, by marrying a contactless smartcard—which holds the biometric data—with the POS-affixed biometric scanner. The retailers estimate that the contactless card’s transmission will be intercepted by the POS authentication element from two meters away, which is about 79 inches or about 6.6 feet.

This way, it literally asks the shopper to do nothing more than scan a finger or a hand. And given that it’s happening in Europe, this all sits atop an EMV transaction. The EMV part is where some of the efficiency—by comparison—happens, because the PIN that is normally required truly slows down checkout.

The trial is trying two different biometric tactics in two geographies. In Angoulême, shoppers will use digital fingerprints, while those in Villeneuve d’Ascq will be asked to have the patterns of their finger veins captured. The biggest downside is that shoppers must first visit their bank to have the biometric readings taken and to then have the results stored on their smartcard. Presumably, there would be extensive authentication done at the time the readings are taken. Hence, the convenience is a long-term concept, and getting customers to submit themselves to the initial phase will take some convincing.

Andre Delaforge, who runs marketing for the vendor coordinating the trials, Natural Security, said customers have thus far had no hesitation with cooperating. “We have gotten no resistance at all thus far,” he said. “Maybe this is a question of time to market?” meaning that other biometric trials may have launched too soon.

Possibly, but it’s hard to envision this flying in the U.S. Will consumers be worried about sharing that data with their banks and, by extension, all retailers where they want to shop? Will they be worried—and not without reason—that the absence of a PIN will make this approach a very tempting target for fraudsters? With the contactless card beaming the biometric details to anyone scanning the airwaves within six feet of a shopper, is it not possible to trick the machine into seeing an echo of those values?

All payment systems can be cracked, and some question whether putting too much reliance on any single authentication element is asking for trouble. On the other hand—literally—it is harder to fake a fingerprint that matches up with what’s on a card than it is to hijack a four-digit PIN.

The real issue is that this is a single element of authentication. If that element can be faked, the cyberthief wins. That’s no different than someone today cloning a payment card, where no PIN is needed and signature is worthless as an authentication element. That gets back to the difficulty of faking it. Is a cloned card harder or easier to deliver than tricking the biometric scan into accepting the numbers you wirelessly stole and decoded?

That all said, if this can be made to work securely, the convenience of no card, no swipe or wave, no PIN and no signature could make a lot of retail transactions faster.

Speaking of time to market, is it perhaps too late for biometrics, given the multitude of more complex ways mobile devices can now authenticate shoppers? Or could these approaches merge, with biometric data stored on the mobile device?


advertisement

Comments are closed.

Newsletters

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!
advertisement

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

StorefrontBacktalk
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.