Mastercard: Australian banks could build selfie pay
If Australian banks want customers to verify by selfie, the building blocks are there for them to do so.
Mastercard recently unveiled its latest method of verification for online payments, via "selfie" photographs. On the surface that might sound slightly odd, but the idea is that you use an image of yourself to verify your identity when making a transaction. You have to blink during the process to prove that the system is not just being fooled by a criminal with a printed photo of your face. Mastercard plans to roll out the functionality via a partnership with First Tech Federal Credit Union in the United States along with a European rollout later this year.
But what about Australia? At the recent Mobile World Congress conference in Barcelona, finder.com.au sat down with Mastercard’s European VP of digital commerce Johan Lindstrom to discuss selfie pay and the concerns of consumers around biometric security generally.
On Selfie Pay, Lindstrom is keen to point out that Mastercard’s role in the process is as a back-end solutions provider.
"Here’s how (Selfie Pay) fits with everything else that we do. We’re a card network, and what that means to us is that we build the slightly boring underlying technology infrastructure -- that permits security, scalability, all of these things -- that sits behind the payment.
"So we build the tokenization technology that sits behind Apple Pay, Samsung Pay, Android Pay, all these things; we have our old classic card payments network sitting there as well, making all this possible.
"We also have security protocols that allow communication between consumers and banks, to allow the bank to check that the consumer is who they say they are when they’re trying to pay. The name of that protocol today, which is used by Mastercard and Visa, is 3D Secure. We’re upgrading that protocol to make it smarter, so more information can pass back and forth.
"The sort of information we can pass back and forth is things like information around what your face looks like, so we can verify that you are who you are. Or fingerprint information, or maybe scan your ear or some other body part.
"The point with that is that we actually in a way care less about the specific application and how you create the user experience. We build a network that makes all these things possible. Then we collaborate with partners who build really great user experiences on top of that network that we create.
"So Selfie Pay is a specific example where we have partnered with somebody and created an experience that is being offered to banks and others. But that does not preclude other entities in the world from going and building their own version of this and connect this to our network and use the rails that we've put in place -- in fact, that’s what we want to happen. So we’re doing it right now more as a showcase to illustrate what could happen.
"So, Selfie Pay in Australia -- any bank, or any third party that sells to banks could go and build this today, based on the network and technology that we have put in place."
To date, only one provider in Australia has implemented a selfie-style verification scheme. Banjo Loans uses a fixed selfie as part of its application process.
The issue of using your face to verify your identity brings with it the genuinely worrying prospect of having biometric data, including your face, misappropriated. That’s a concern given that you can’t easily change your fingerprint, your iris or your face.
Lindstrom agrees that the loss of biometric data would be a concern. "It’s difficult to have your face replaced -- it’s not ideal!"
However, he feels that the shift to biometric verification, and the security protocols in place around it, mean that it’s not something that consumers should have to worry about. Instead, the move has made it easier to provide both security and ease of use.
"For me, the really cool thing that has happened with all the mobile payment solutions that are coming out right now is that for the first time ever, we can improve usability and security at the same time. Traditionally this was the big dilemma with payments. You want them to be really user friendly and easy.
"You also want them to be really safe. Traditionally we had to choose, or put a marker somewhere on that spectrum. If you wanted it safer, it tended to be less user friendly, because you needed more passwords or longer, complicated passwords, and if you make it more user-friendly, then it’s less secure. That was the traditional tradeoff you had to make.
"Suddenly now with a mobile device, you can achieve both. We really can make transactions far more secure while making them easier to use. By, for example, scanning your thumbprint or your face, or whatever it might be. The thing that makes all this possible is the super smartness of a mobile device and the network innovation and the stuff that we have built on the back end.
"If you use a payment system on a phone, it’s not your card that’s present; it’s a token that points to your card details that is itself encrypted. We use the same principle when we deal with any biometric information. Everything is encrypted; the full biometric data is not stored in one place.
"It would be a very unlikely scenario, but say that some super clever hacker breaks into one of the places where it is stored, that won’t be enough, because they will only get part of the information that is required for the full picture.
"Data privacy is huge; any serious threat to that would be a massive problem. But it’s essentially a non-existent threat."
The other side of the biometric payment equation is the growth of smartphone-based payment systems such as Apple Pay, Samsung Pay and Android Pay. It’s a feature that’s been a long time coming, according to Lindstrom.
"Technically it’s been possible to do what Apple’s done with Apple Pay, or Samsung, or Google, for years. We know the technology is there, we know it’s secure, but nothing has really happened.
"Everyone’s been talking that 'this is the year of mobile payments', and I’ve been doing interviews here at Mobile World Congress for the past three years, and every time it’s 'it’s going to happen this year, it’s going to take off!', and it didn’t.
"The view is that this is stuff for techy geeks. Mainstream users don’t really know about it, and they’re not interested.
"Suddenly, after Apple Pay launched, consumer attitudes have shifted. We did a study on social media conversations around mobile payments, and in the past year it’s shifted dramatically. It’s not strange, and it’s not seen as early adopter stuff any more. We’re seeing transaction volume growth taking off quite steeply. This is all thanks to these companies coming in, picking up the technical building blocks and creating a great user experience, making it a mainstream thing."