
The future is around the corner: Biometric payments

Technological progress is rapidly changing the ways we pay for goods and services. With biometric technology becoming increasingly widespread, a consumer can smile or wave to pay at checkout, or use their fingerprint or voice to authenticate the transaction. According to media reports, major retail chains Magnit, Pyaterochka and Perekrestok introduced an innovative pay-with-a-glance experience at self-checkouts as far back as 2021. According to Russia’s Center for Biometric Technologies (CBT), major marketplaces like Wildberries and Yandex also began testing this method in 2023.

In 2024, biometric technology will continue to penetrate the mainstream in Russia. Central Bank Governor Elvira Nabiullina has announced a pilot project to integrate biometrics with the Faster Payment System (FPS). However, certain security issues need to be addressed before this new payment method can be fully implemented. Below, we’ll explain how a payment is made using biometric identifiers, discuss the associated challenges and potential development scenarios.

Biometric authentication

Any non-cash payment requires buyer authentication. There are several types of identity-confirming credentials:

  1. The knowledge factor refers to something the user knows such as a password, a verification code, or any other information only a specific buyer would know.
  2. The possession factor, or something the user has, refers to some physical token the buyer can be identified by such as a key, a data card, or any other thing that can be presented and used for authentication.
  3. The inherence factor, or something the user is, implies biometrics. This type of authentication uses a physical trait unique to each person to prove their identity.

Biometric recognition methods are either static or dynamic. Static methods include fingerprint or iris scans, palm-print reading, and facial geometry and thermograms. These characteristics are difficult to change; facial geometry is the exception, though altering it isn’t easy either.

Dynamic biometric methods include voice recognition, as voice characteristics change even over short periods of time (e.g., intonation in conversation), and handwriting, which is another ‘floating’ method of verification.

After user biometrics have been successfully verified, the system checks their access to their bank account or other financial resources to make sure they have sufficient funds to cover the transaction, and completes the payment.

How is biometric data collected and stored in Russia?

In Russia, biometrics cannot be used without the user’s explicit consent to the processing of their personal data. Federal Law No. 572-FZ of December 29, 2022, prohibits unauthorized collection of biometric data for any services, government or commercial. The collection of user biometrics is entirely voluntary.

The collection, processing and storage of user biometrics is regulated by personal data laws. Under Federal Law No. 152-FZ, any personal details can be stored only for as long as it takes to process them; after that, they must be anonymized or deleted. This also applies to storing biometrics, whether on digital platforms or on physical media such as flash drives or disks. Physical carriers of biometric information must meet security standards for protection against unauthorized access.

In 2016, Russia launched the Unified Biometric System (UBS), which is now integrated with the Unified System of Identification and Authentication (ESIA), the overarching government information system. This ensures frictionless processing and use of biometric identifiers. It is important to note that UBS is a public system, as opposed to private facilities that banks use. Banks were the first to collect their clients’ biometrics and use their own systems to store them. The 2022 law required banks to transfer clients’ biometric data to the UBS, where all biometrics must be stored. Users who had previously provided their biometric identifiers to their bank were to give their consent before their data could be transferred to the system.

The Unified Biometric System is an entry point shared by all systems that perform biometric authentication. The database stores anonymized and digitized biometrics in the form of templates, separately from personal data. A biometric template is a mathematical representation (a string of numbers) of the source data, used by the system as reference data.

The UBS became fully operational in 2024; as of last February, according to reports, over 55 million templates had been enrolled in the system. This is an impressive array of data. In the future, as the relevant infrastructure expands and the popularity of biometric identification grows, the system is going to provide a more convenient user experience.

Biometrics in retail

In Russia, pilot initiatives to integrate biometrics into various systems have been ongoing for several years. Since 2016, retail chains like Azbuka Vkusa, Magnit, Pyaterochka, and Perekrestok have been equipped with biometric technology for experimental purposes. Customers could complete transactions using their fingerprints, which were captured by biometric sensors at point-of-sale terminals. Currently, there’s active development of new biometric payment methods, including facial recognition, in Russia. However, these innovations are mostly confined to specialized projects by individual entities, such as Sberbank. The data processing for these methods typically occurs within the confines of these specific financial institutions.

Implementing such methods in retail necessitates suitable hardware for capturing unique identifiers. These data collection and analysis methods can be either hardware-based or software-based.

Hardware solutions encompass devices equipped with infrared sensors, 3D cameras, and scanners capable of reading various biometric traits like fingerprints and iris patterns. However, few devices are currently available that integrate biometric verification with traditional card payment processing.

With software-based authentication methods, users only need to provide their biometric data, which is then compared to stored metrics in the database. Additional actions such as turning the head, nodding, or smiling may be required to confirm the operation, enhancing security and minimizing errors. By gathering more biometric data, a more precise model can be generated for real-time comparison with previously uploaded samples.

Protection of biometric data in various countries

The global approach to handling personal data, including biometric data, can be categorized into three main regulatory models: European, American, and Chinese.

In China, facial recognition technology is extensively utilized within social systems, including social rating systems. These systems assess the trustworthiness of individuals and businesses by aggregating data from various sources, ranging from tax authorities and financial institutions to employers and online services.

Biometric technologies find application in educational institutions and government agencies for attendance tracking, payment processing, and engagement monitoring. For instance, in a school in Hangzhou, China, a smart classroom behavior monitoring system has been implemented. This technology analyzes students’ facial expressions and observes their activities during class. Despite the system’s imperfections and occasional errors, Chinese authorities perceive positive outcomes from its use: teachers’ effectiveness has improved, and students’ focus has increased.

India employs a similar system for gathering citizens’ biometric data called Aadhaar ID. Biometric information is stored in a centralized database, assigning each citizen a unique identification number, facilitating identity verification in government agencies.

In contrast, the European model prioritizes safeguarding citizens’ privacy from excessive surveillance by both governmental bodies and corporations aiming to implement biometric authentication systems.

The US model for gathering and utilizing personal data falls somewhere between the approaches of China and Europe. It balances freedom of information and commercial activity with the imperative of ensuring public safety. While some states prohibit the use of facial recognition technologies in public spaces, the country permits the collection of citizen data at the state level for security purposes.

Since 2019, Russia has enforced the Code of Ethics for Data Usage, which outlines professional standards for ethical conduct in information processing. This code includes measures to safeguard user rights and regulate citizens’ access to their data. It also addresses the issue of corporate and government access to citizens’ biometric information. The principles outlined in the code are akin to the American model, representing a unique blend of the Chinese approach – exercising full control over biometric data – and the European model, which aims to shield personal data from third-party management. Despite this, Russia officially categorizes its model as European according to its laws.

To adopt a human rights-based approach, it’s crucial to legislate and oversee security guarantees. Experts suggest establishing independent oversight bodies tasked with monitoring the collection and utilization of biometrics by both governmental entities and private enterprises. These entities should ensure the protection of privacy and personal data.

Pros and cons of using biometric payments

One of the benefits is the capability for swift, contactless payments, eliminating the necessity of carrying a card, inputting a PIN code, or scanning QR codes.

Among the disadvantages are:

  1. Advance registration is required. To utilize bioacquiring, individuals must provide prior written consent and register in a unified biometric system.
  2. Biometric data is immutable. Features like the face, iris, and fingerprints are challenging to alter. If this data is compromised, there’s a risk of it being replicated by others. Unlike conventional payment methods such as bank cards, usernames, and passwords, biometric data cannot be instantly replaced in the system. Moreover, there are currently no methods to unequivocally confirm identity after biometric characteristics have changed.

The latter issue poses a significant obstacle to the widespread adoption of biometrics. Users are concerned that if their biometric data is compromised, its use could become exceedingly problematic. In the event of a breach, this data would need to be deleted, updated, or reclassified, which presents considerable challenges.

Prospects of biometric payments

Consumers are still grappling with the adoption of biometric technologies, which is understandable as it requires a shift in habitual behavior patterns. With biometric acquiring and biometrics in general, it seems that technology is outpacing the current societal development stage. In this scenario, it’s crucial for companies introducing biometric payment methods and their retail partners to actively educate consumers about the convenience and security of the technology. In case of issues like biometric data falsification, the system should offer a refund option. Either government agencies or financial organizations and corporations should bear the risks. This is essential for building trust in the system, ensuring customers understand they are safeguarded.

The primary concern revolves around the vulnerability of biometric data. In the event of a breach, it can profoundly affect a user’s digital security. As previously mentioned, unlike a PIN code or a bank card, altering biometric data is challenging.

Furthermore, the matter of data updates presents a pressing challenge. Determining the frequency and ensuring the secure updating of biometric information within a unified system remains unresolved. Simple methods, like capturing a photo in a booth, do not offer the necessary level of security to prevent data falsification during updates.

In 2024, the prevalence of biometric payment systems is expected to increase. Sberbank is poised to play a significant role in this trend, having already initiated several successful pilot projects on biometric payment methods with various retailers. Two key observations emerge from this development:

  1. Sberbank has been stepping up investment in biometric systems’ development. The growing concentration of monopoly power led to regulator concerns about potential market failure; the Bank of Russia launched the Unified Biometric System to improve the competitive environment in the financial sector. Other initiatives aimed at reducing such risks are possible as well.
  2. No publicly available information provides sufficient grounds to assess the security of pilot biometric projects. Therefore, at this stage, it is up to the buyer to decide if using biometrics for payment (including with Sberbank’s equipment) is secure enough.

Biometric acquiring services will sooner or later lead to a breakthrough in Russia’s financial sector, providing customers with a fast and convenient method of paying for goods and services. Banks, too, will stand to gain in the long run, when they won’t be spending as much on issuing cards and purchasing equipment for them. However, to move to the next stage of biometric systems’ penetration, it will be essential, first, to popularize the technology, proving that it is easy and safe to use, and second, to reduce the cost of biometric readers.

A more ambitious expectation is for this market to go global. This will require standardizing the process the same way as card payments, which are now universal and available worldwide. At present, biometric payments, as well as paying with QR codes, can only be used locally (within one country). To expand the method internationally, countries will need to cooperatively develop international regulations and approve an arbitrator. That may be problematic because many states are reluctant to share their citizens’ personal data, including biometric identifiers.

By Dmitry Lukyanov, Lead Developer, Sky Technologies (Softline Group)
