The idea of carrying a template of some part of yourself around in your pocket is, well, a little unnatural. But it's becoming one of the preferred forms of identification, especially when compared with the alternativeÂ — storing biometrics data elsewhere.
Whether it's used to let a cardholder gain access to accounts at ATMs or to enforce security restrictions at airports, biometrics is finally attracting increased interestÂ — largely because of weaknesses associated with other verification methods.
Although biometrics technology has been around for more than a decade, it hasn't yet taken off as a form of identification, especially in the United States.
Mark Grossi, NCR Corp.'s chief technology officer, said that consumers weren't comfortable with biometrics in the 1990s. They didn't understand how biometrics information would be used and stored, and financial institutions weren't willing to tackle the infrastructure challenges that storing all of that data posed.
But experts like Francois Lasnier, North American vice president for Axalto Inc., a Texas-based provider of smart cards and point-of-sale terminals, believe that the challenges that slowed adoption of biometrics in the '90s can be overcome with smart cards.
It's not called smart for nothing
Card issuers around the world realize that online connections are not as secure as they need to be, Lasnier said.
Banks were initially eager to connect all transactions, from ATMs to online banking channels, but recent incidents of phishing and card skimming at ATMs and POS terminals, have forced banks to reconsider traditional methods of protecting data.
"It's really all about the communication channel," Lasnier said. "The U.S. is one of the leading countries in the world to address online security. But the whole online environment (is vulnerable). People can get into your account."
Lasnier said FIs in the United States have been reluctant to change the way they do things because they fear a consumer backlash.
"If they try to deploy something that protects consumers from fraud, then they have to admit that problems exist, and that's not something financial institutions want to do," he said.
Lasnier expects that to change over the next five years. As the rest of the world incorporates the Europay/MasterCard/Visa standard, the United States will be forced to catch up.
In 1996, Europay, MasterCard and Visa first released flexible specifications for smart card-based debit and credit payments. In 1999, the three card associations founded EMVCo, an independent organization, to manage and enhance EMV specifications as technology advances and the implementation of chip card programs become more prevalent.
Since then, EMVCo has published specification updates that factor in advancements in smart card technology, such as faster chip speeds.
EMVCo also established a single approval process for POS terminals and ATMs to ensure cross-payment system interoperability.
Because smart cards can hold far more information than magnetic-stripe cards, and because data cannot be copied as readily from them as it can from magnetic stripe cards, issuers throughout the world are beginning to adopt the EMV standard.
According to a report published by Verifone, entitled "EMV: Global Framework for Smart Card Payments," Visa estimates that counterfeiting can be decreased by at least 70 percent with smart cards.
The financial industry in the United Kingdom became one of the first to endorse EMV specifications when card fraud soared there during the mid-â€˜90s. In 1999, the UK began converting its approximately 80 million mag-stripe debit and credit cards to smart cards, and began requiring ATMs and POS terminals to be equipped with EMV-compliant card readers.
Going back to ATMs — having one common network to hold all of the biometrics data would be difficult. And you have the same sort of situation in the airports. It just would seem easier to put the information on to the card. -- Bryan Ichikawa, chief engineer for Unisys Corp.'s Registered Traveler Program
-- Bryan Ichikawa, chief engineer for Unisys Corp.'s Registered Traveler Program
Western Europe faced a deadline of January 2005 to make the smart card/EMV switch. Central and Eastern Europe, the Middle East, Africa and Asia/Pacific must make the move by January 2006.
Though Canada has yet to establish an EMV compliance deadline, Lasnier said smart card pilots are already underway there. "When that technology begins to unfold, you'll begin to see neighboring countries, like the U.S., begin to use it," he said.
American card issuers have been reluctant to adopt EMV because fraud has not been as great a problem as it is in countries like the UK. But Lasnier predicts that could change.
"We can suspect that fraud is going to begin moving to the U.S. as the increased use of smart cards spreads throughout the world," he said. "The fraud will move to the place of least resistance."
Lasnier estimates that 50 percent of the POS devices being sold in the United States include smart-card readers. Approximately 35 percent of the country's installed base of POS devices is ready for EMV now, he said.
"The last link is the smart card infrastructure," he said. "So in the next two or three years, there won't be anything to hold it up. You will begin to see smart card connections in the United States."
Lasnier believes that Visa and MasterCard may even mandate the technology in the United States as they have elsewhere around the world.
If you build it, they will come â€¦
Most experts agree the issue of where to store biometric data has been one of the primary issues blocking the use of biometrics at the ATM. If smart cards are adopted in the United States, those barriers could begin to disappear.
As card fraud becomes a greater concern throughout the world, the use of smart cards at the ATM must be considered, said Randy Vanderhoof, executive director of the Smart Card Alliance.
"There's no concrete evidence at this time but as more people use debit cards with traditional PINs and mag-stripes in the United States, fraud will increase," he said. "It will become increasingly easy for someone to go to the ATM and empty someone's account. With a smart card, you eliminate the fraud that occurs from people reading the mag-stripe information from the swipe, like from the card reader."
Evidence of growing consumer acceptance of smart cards in the United States is popping up, Vanderhoof added.
Last November, the Transportation Security Administration launched an 11-month worker identification credential prototype that requires transportation employees to present smart cards that contain biometrics information for admittance at ports, airports and other sites. Gordon Hannah, a senior manager for BearingPoint, which is overseeing the $12 million project, said 200,000 credentials will be issued over the course of 11 months.
BearingPoint is running the prototype project at 10 sites, some using contact smart cards and others using contactless versions that communicate with smart card readers via radio waves. At the end of the 11-month period, the project will be implemented at 30 sites.
Hannah said biometrics data, including fingerprint templates and facial and iris images, are being stored in a database, a government requirement for the project, and also on the cards themselves.
"For this program, we had a requirement to use the database, to make sure that we hadn't seen the person before, so that we didn't issue more than one card," Hannah said. "Or, for the scenario of re-issuance, I want to make sure that I only have to make the match once to get a new card, so that I don't have to come back in."
But using smart cards alone for biometrics information could be appropriate in other situations, Hannah said — including ATMs, where creating a database to hold all users' information would be cumbersome, if not impossible.
For instance,Â an Axalto smart card being used in another interesting biometrics project — one which is underway at the Minneapolis, Los Angeles, Houston International, Boston Logan and Washington Reagan airports — can hold about 64 KB, 13 times more information than a standard mag-stripe.Â
A mag-stripe, on average, can hold aboutÂ 140 bytes.Â The average fingerprint template consumes around 500 bytes.Â
The airports project involves select frequent flyers who now only present cards with biometrics data to verify their identities when they go to the airport. About 10,000 frequent flyers — 2,000 at each site — are participating in the pilot.
The expectation of the pilot, which is being administered by Unisys Corp., is that airports throughout the country will be able to quickly usher frequent flyers through security checks.
All five sites are using iris and fingerprint biometrics. Three of the five airports store information only on cards, while the other two are using a database.
Bryan Ichikawa, chief engineer for Unisys' Registered Traveler Program, said the pilot has been extended until the end of September 2005.
Because the program is voluntary, Ichikawa said, there hasn't been any resistance from consumers. In fact, he said cardholders are pleased with the program because it has eliminated the need to wait in long lines at security checkpoints.
"Security is the catalyst," he said. "If you think in terms of a haystack, there are something like 60 million passenger boardings per year. Half of those are performed by about 8 million people. So if you know who the 8 million are, you've cut the haystack of boardings in half; you've narrowed that down to 30 million boardings."
"It's not about looking for needles when it comes to terrorists," he added. "It's about making the haystack smaller."
Using smart cards to store biometrics templates is logical, Ichikawa added, because the cards "are inherently secure." There is plenty of room to store biometrics data on smart cards, especially if only a biometric template, and not the entire image, is used.
"Going back to ATMs — having one common network to hold all of the biometrics data would be difficult. And you have the same sort of situation in the airports. It just would seem easier to put the information on to the card," Ichikawa said.