"Most people only know of biometrics from the movies, or if they have been fingerprinted for a driver's license or for work. This limited exposure tends to make some people worry that we are sending their fingerprints to the FBI, or that if their fingerprint file is stolen that it can be used for some sort of identity theft. In reality neither of these things is true." — Vance Bjorn, chief technology officer and co-founder of Digital Persona
Beginning in May, patrons of the Piggly Wiggly grocery chain in South Carolina and Georgia were able to shave a little bit of time off their shopping trip.
After a six-month pilot program, the chain expanded the Pay By Touch biometric payment system into all of its stores. Today, customers wanting to use the system go through a one-time enrollment process; after that, paying for their groceries is as simple as scanning their finger.
According to Pay By Touch spokesperson Shannon Riordan, the enrollment process takes about two minutes, during which time the store employee gathers ID and payment information from the customer. Meanwhile, that customer is having his finger scanned, and the resulting information stored and linked with his funding source.
"Once a user is enrolled and ready to shop, transacting using Pay By Touch takes approximately 15 seconds, versus the time you'd spend fumbling with your wallet or writing a check," Riordan said.
Riordan said that response so far has been positive, both from consumers who appreciate the convenience, and from retailers who find themselves paying lower transaction fees – since the purchase is treated as an ACH debit, fees are about 75 percent lower than comparable credit or
signature-debit transactions.
Consumer education
Any new technology has to face the inevitable consumer learning curve, but fingerprint payments might be facing a tougher challenge than most. This is chiefly due to misconceptions in the popular mind — after all, when you think of a fingerprint, what image first pops into your head? Most likely, it is a detective spreading dust on a crime scene, or the killer in a murder mystery wiping down everything in the room with a cloth before fleeing.
"Even today, the average person has had very limited exposure to biometrics," said Vance Bjorn, chief technology officer and co-founder of Digital Persona, a company that develops and licenses biometric and fingerprint-based security and authentication systems. "Most people only know of biometrics from the movies, or if they have been fingerprinted for a driver's license or for work. This limited exposure tends to make some people worry that we are sending their fingerprints to the FBI, or that if their fingerprint file is stolen that it can be used for some sort of identity theft. In reality neither of these things is true."
All of the fingerprint authentication systems providers we talked to for this article said that they do not store consumer fingerprint data. Like Pay By Touch, Herndon, Va.-based BioPay takes the scan of a fingerprint and converts it into a number of "data points," according to vice president of marketing Donita Prakash.
"Some worry about ‘giving away their fingerprint,' but the finger scan is captured and converted to 40 data points for purposes of identifying a customer at the time of transaction," Prakash said. "We do not ask for or keep social security numbers for our enrolled customers. Today's typical identity thief has to get your SSN in order to steal your identity. What can they do with 40 data points that equate to your fingerprint? The answer is ‘Nothing.'"
Bjorn said that would-be conspiracy theorists not only needn't worry about identity theft, they should relax about government snooping on fingerprint data as well.
"We don't keep the fingerprint image at all, and once we have converted your fingerprint into a binary file these binary files are then encrypted," he said. "Even if someone were to find a way to disassemble the encryption protecting the digital fingerprint, the fingerprint file itself is stored in a format which is incompatible with any federal systems."
Emphasis in the wrong place?
All this talk of security might be pointing in the wrong direction, hints Nikki Baird, consumer markets senior analyst with Forrester Research.
Like the careful online shopper who refuses to give out his credit card online, yet happily hands the card over to a restaurant waiter who takes it in the back room and out of the patron's sight, people concerned only about consumer data security on the front end are missing at least part of the point.
"You know, especially given the recent publicity around data thefts at the back-end, I think security within the banking industry is a much greater concern than the security at the front-end, at the point of payment," she said. "Retailers are concerned about wireless security at the same time that they're deploying more wireless in the store, and looking at things like line-busters, where a wireless handheld becomes a POS device. But those concerns aren't about making sure that no one else can use your credit card – it's making sure that even after they've validated who you are, someone doesn't capture the transaction info as it's passed over the wireless network."
Baird said that fingerprint payment methods and other biometric devices are great to the extent that they offer a speed gain and perhaps convenience and customer happiness, but ultimately the transaction generated goes through the same gatekeepers as before.
"Retailers and vendors alike can tout the consumer benefits of not carrying cash around, and the idea that biometrics are a lot harder to steal – but in the end, encrypted or not, your account information gets sent over the Internet," she said. "That's the security we need to shore up. The front-end, the point of payment, is going to be all about convenience."
