The days of the credit card PIN may be numbered, thanks to an announcement this morning from the Payments Association of South Africa (PASA), along with Visa and Mastercard, that they have developed a standard for using biometric authentication on payment cards in the country.
The standard will cover palm prints, voice, iris and facial recognition, and is open to other forms of biometric data too. The initial focus is on fingerprint biometrics though.
While some banks have been working with biometrics for a while now, and even work to capture such data on behalf of Home Affairs, the importance of today’s announcement is that it creates a standardised and interoperable way of recording biometric information.
In effect, it means your FNB card fingerprints will work with a Nedbank reader.
Walter Volker, CEO of PASA, says that while banks have been using biometrics to a certain extent, they’ve been limited to in-branch transactions due to the fact that there is no global standard for biometric data use and storage, and banks are locked into individual vendors who use proprietary systems.
“PASA’s role is to facilitate interoperability,” Volker says. “Multiple banks can issue cards, and those cards can be used at other banks’ ATMs. That’s what we mean by interoperability and it opens up network effects.”
Volker says that he hopes the standard developed in South Africa will eventually be used globally for biometric data in payments.
At the moment, however, no banks are signed up to the system here, although he expects the social payments agency to sign up soon. Current fingerprint readers may be compatible with a software upgrade.
The standard deals with the danger of data loss by mandating that biometric data is only stored in an encrypted form on the card itself, and not held in a centralised database.
This distributed model, it’s claimed, limits the exposure to data loss. This is the same principle that phone companies use for fingerprint readers – all data is stored and authenticated locally (although not always that securely).
“The benefits of biometrics are security and convenience… People find keeping passwords secure and up to date difficult,” says Taurai Tarugarira, a senior director at Visa for sub-Saharan Africa. “The reality is that it’s harder to forge biometrics.”
Tarugarira says that the standard will call for ISO 19794 for authentication, but actual implementation of that standard and the format for biometric template storage will be down to individual card issuers. The new PASA-led standard will make sure other banks’ readers are compatible.
We’re awaiting more technical details on how the standard will be implemented; however, Tarugarira said that it would call for readers which are capable of distinguishing between inert, fake fingerprint moulds and living tissue. This is done by testing for a pulse or blood flow in subcutaneous flesh.
“That information is going to remain stolen, and I’m not going to change my fingerprints. I also don’t know what they’re going to do with information about my children or about my husband or about his family,” Balebako said.
“I don’t know what to do. I work in this field. I’m a security researcher. I’m a privacy researcher. And I don’t know what to do. I can’t see there’s much I can do to protect myself,” Balebako said.