EMVCo to issue performance requirements for biometric payment cards

EMVCo has launched a biometric payment card initiative with the aim of producing a performance requirements document and associated approval and evaluation frameworks that will “enable biometric payment cards to deliver both seamless and secure payment experiences”.

NI: Risk-based approach is needed for biometric security testing

The performance requirements document is anticipated to be published for EMVCo Associate review and input by the end of Q2 2023, chair of the EMVCo Board of Managers Jianhua Ni says. “A Technical Special Interest Meeting is then planned to be held in Q4 2023 to discuss and explore the requirements in detail.”

EMVCo’s Biometric on Card initiative will focus solely on the use of a fingerprint as a biometric authentication mechanism on a payment card, Ni adds.

The exact performance metrics to be included in the document have not yet been defined but those under consideration include:

False Acceptance Rate (FAR): The proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed.

False Rejection Rate (FRR): The proportion of verification transactions with truthful claims of identity that are incorrectly denied.

Imposter Attack Presentation Accept Rate (IAPAR): The proportion of imposter attack presentations using artefacts, such as a fake fingerprint, that are erroneously accepted.

Transaction time: Biometric authentication must be completed quickly to promote a seamless and convenient user experience.

“It is important to recognise that when it comes to biometrics, performance requirements naturally impact security. A solution will not be secure if it incorrectly authenticates a fraudster as the legitimate cardholder or cannot detect a fake fingerprint or dummy finger, for example,” Ni explains.

Convenience and security

“This means that when it comes to biometric testing, a risk-based approach is required to strike the right balance between seamless convenience (which is impacted by the FRR and transaction time, for example) without compromising on security (which is impacted by the FAR and Presentation Attack Detection [PAD] metrics such as the IAPAR).

“Consequently, the boundaries between functional and security compliance overlap. In this context, therefore, security requirements address the environments in which the biometric verification data is captured, the reference data is stored, the captured verification data is compared with the reference data, and the result of the match communicated.

“EMVCo’s existing Security Evaluation processes already encompass these environments, but there is the potential to explore additional considerations as part of the Biometric on Card initiative.”

“To help reduce testing complexity and costs, EMVCo will be exploring how testing can be optimised as part of a platform approach that leverages the existing and established Level 1 Approval and Chip Security Evaluation processes,” Ni says.

Linxens VP Thomas Decker included a detailed evaluation of the current status and outlook for biometric payment cards in a recent presentation for NFCW’s Contactless World Congress that is now available to view online.

EMVCo to issue performance requirements for biometric payment cards was written by Sarah Clark and published by NFCW.