Note: This is one in a series of blogs about Fingerprint on Card technology.
These days, when you’re issued a new payment card equipped with an electronic circuit to secure the transaction, the card is essentially ready to go as soon as you get it. Your bank may assign a PIN code to use with the card but, beyond that, once you’ve notified the bank that you’ve received the card, you can usually start using it right away to make purchases.
With cards that use Fingerprint on Card technology, it’s a little different. Your new card is issued as a blank of sorts, with nothing stored on it for use with biometric authentication. Before you can use it to make purchases that are authorized using your fingerprint, you need to configure the card so it knows what your fingerprint looks like. This configuration step, which essentially teaches the card who you are so it can recognize you during a payment, is called enrollment.
How Enrollment Works
During the enrollment process, you store (or enroll) a copy of your fingerprint on the card, so the card has biometric data to refer to when authorizing a payment. The biometric data associated with your print is called a reference template and is stored on the card’s secure element.
To make sure the card has enough biometric data to perform a reliable match, the enrollment process usually saves more than one version of your print by having you move your finger up and down on the sensor with slightly different placement each time. Doing this repeatedly creates a fuller description of your print, so the card does a better job of verifying your identity during a transaction. That translates into greater convenience because there are fewer hiccups or retries at the point of sale.
High-Touch Enrollment Improves Performance at the Payment Terminal
There are two main reasons why the card needs to store multiple views of your print. First, the sensor on the card isn’t big enough to capture your entire print. The sensor is only large enough to read portions of your print and needs to have those various portions described and stored as reference templates that reside in the secure element. Second, you’re unlikely to hold the card in exactly the same way each time you make a payment, so having multiple views of your print helps the card work with whatever way you happen to be holding the card while you’re at the payment terminal.
Deciding just how many touches are required for enrollment involves making a tradeoff in convenience. For example, having to enroll too many views of your print can be seen as a nuisance. On the other hand, the upfront time spent enrolling views can save time (and thereby increase convenience) when the card is put to use, since the card will do a better job of matching your print if the card has more reference templates to work with.
A high-touch enrollment process may be more time-consuming to complete, but it makes the card better at recognizing the authorized user, resulting in greater convenience because there are fewer hiccups or retries at the point of sale. Another way to say this is that a full enrollment process, involving many views of your print, improves a primary aspect of performance, called the FRR (false rejection rate). With a lower FRR, the card does a better job of knowing that you, the authorized user, are requesting the payment. The enrollment process doesn’t, however, change the other primary aspect of performance, called the FAR (false acceptance rate). That’s because the card will refuse to make a payment if there’s no match, regardless of the number of reference templates stored.
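The effect of touch count on false rejections can be seen in a simplified geometric model. This is an added example, not NXP's code or matching algorithm: the fingertip and sensor dimensions, the 50% overlap rule and the touch positions are all assumptions, and a real matcher compares fingerprint features rather than window overlap.

```python
from fractions import Fraction

# All dimensions are assumptions for illustration, in millimetres.
FINGER_W, FINGER_H = 16, 20   # usable fingertip area
SENSOR_W, SENSOR_H = 8, 8     # sensor window, smaller than the print
MIN_OVERLAP = Fraction(1, 2)  # share of the window a stored view must cover

def placements():
    """Every 1 mm offset at which the sensor window fits on the fingertip."""
    return [(x, y)
            for x in range(FINGER_W - SENSOR_W + 1)
            for y in range(FINGER_H - SENSOR_H + 1)]

def overlap(a, b):
    """Fraction of the sensor window shared by two placements."""
    dx = max(0, SENSOR_W - abs(a[0] - b[0]))
    dy = max(0, SENSOR_H - abs(a[1] - b[1]))
    return Fraction(dx * dy, SENSOR_W * SENSOR_H)

def matches(probe, templates):
    """A probe is accepted if any stored view overlaps it enough."""
    return any(overlap(probe, t) >= MIN_OVERLAP for t in templates)

def frr(templates):
    """Share of genuine placements rejected, assuming each is equally likely."""
    all_p = placements()
    rejected = sum(1 for p in all_p if not matches(p, templates))
    return Fraction(rejected, len(all_p))

# Constructed enrollment session: nine touches, centre first, then shifted.
TOUCHES = [(4, 6), (4, 2), (4, 10), (0, 4), (8, 4),
           (0, 8), (8, 8), (4, 0), (4, 12)]

def frr_by_touch_count(touches=TOUCHES):
    """FRR after the first 1, 2, ... touches have been enrolled."""
    return [frr(touches[:n]) for n in range(1, len(touches) + 1)]

if __name__ == "__main__":
    for n, rate in enumerate(frr_by_touch_count(), start=1):
        print(f"{n} touch(es): FRR = {float(rate):.3f}")
```

Under these assumptions the rejection rate falls from about 65% of genuine placements after one touch to zero after nine.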
High-touch enrollment means less frustration at the payment terminal
Direct On-card Enrollment Is Safest
It’s important to note that we’re describing an enrollment process that takes place directly on the card. When you press your finger onto the card, the onboard sensor takes the image and transfers data associated with the print to the card’s onboard microcontroller. The microcontroller then extracts the fingerprint data to be stored as a reference template in the card’s secure element. Aside from a power supply, there’s nothing else needed for direct on-card enrollment.
On-card enrollment ensures highest security
On-card enrollment is possible because all the necessary security and intelligence features needed to perform enrollment are already built into the card. There’s no need for an external enrollment device, such as a standalone fingerprint sensor, to read your print. Your print data goes directly from your finger to the card. This essentially eliminates the risk of someone stealing your biometric data, since your print isn’t stored on a third-party device and hackers can’t copy, manipulate or steal your print before it reaches the card.
Off-card enrollment opens the door for manipulation and theft
How Banks are Approaching Enrollment
Since enrollment is a new concept for consumers, banks are discussing how they’ll manage the process so their customers become comfortable with the idea and get the best possible experience with their cards. There are a few different approaches being considered.
For example, some banks are considering having in-branch enrollment. The bank retains control over the process and can ensure the highest levels of security, but forcing you to make a special trip to the bank isn’t particularly convenient. There may not be a branch nearby and since so many banks now operate as online-only businesses, it may be difficult to find a physical location where you can do in-person enrollment. A standalone kiosk or ATM machine can serve a similar purpose, having you interact with a bank-owned machine to do enrollment, but there still has to be a location nearby and you still have to make a special trip to configure the card before you can use it.
The more convenient approach is to let you do enrollment yourself, at home. The bank might, for example, supply you with a smartphone app, so you don’t have to find a branch office or ATM machine and you can complete enrollment on your own terms, whenever it’s best for your schedule. The drawback of an app, however, is that the smartphone needs to be equipped with near field communication (NFC), so the phone can deliver power to the card the same way a payment terminal does. While a growing number of today’s smartphones support NFC, banks can’t assume that everyone will have it.
As an alternative to an app, banks can send you a special device, called an enrollment sleeve, along with your card. The sleeve can power the card and guide you through enrollment. NXP’s developers are working on reference designs for various enrollment sleeve formats, so card issuers can configure the enrollment process during the initial pilot phase. Our standalone enrollment devices, called Enrollment Kits, use an integrated battery to deliver power to the card, are inexpensive to produce and quickly take you through enrollment using optical indicators for feedback and guidance.
The card’s biometric authentication process can be configured so it doesn’t activate until the first time you use your PIN code at a payment terminal. That way, even if you lose your card or it’s stolen before you complete enrollment, nobody else can configure the card and use it while pretending to be you.
NXP’s Secure Processing Module Supports Every Enrollment Option
These are early days for biometric payments and only time will tell which enrollment method will emerge as the preferred option. The outcome will depend strongly on consumer preferences, which means it’s likely approaches will vary across geographic regions and banks.
It’s likely that several different approaches will be in use worldwide. As a result, it’s important that Fingerprint on Card solutions be flexible enough to handle these variations, so individual deployments can satisfy consumer expectations.
The NXP Secure Processing Module is designed to support any type of enrollment setup and NXP offers whatever support is needed to configure enrollment in the setup phase.
Next Up: Infrastructure
Our next blog, on the payment infrastructure, will gauge how prepared today’s large-scale payment network operators (PNOs) are to support biometrics and how close we are to seeing fingerprints replace PINs as the main authentication mechanism for payments.