Biometrics, Payment & GDPR, An SPA Analysis
Analysing the Potential Impact of GDPR on Release 9 of the European Card Stakeholder Group (ECSG) SCS Volume
Biometrics is fast becoming a key verification and authentication mechanism for payment services. In recent years, fingerprint biometry has become ubiquitous for Apple Pay and Google Pay solutions, and now payment schemes and banks are looking to lead the innovation charge with match-on-card biometrics to enable the next generation of smart payment cards.
Biometric-enabled payment cards offer issuers a clear advantage, providing consumers and merchants with multiple authentication factors — not just ‘something I have’, but ‘something I am’. Also, should it be necessary, biometric-enabled EMV cards can provide ‘something I know’ with a PIN.
But the real benefit is the enablement of additional security for a fast and frictionless payment experience in the card-present physical environment that’s already familiar to consumers, as well as delivering an agile solution for tackling card fraud in the virtual e-commerce world.
Adding biometric functionality to an EMV card will also help address the global issue of financial inclusion, overcoming literacy or health limitations that currently deny individuals unfamiliar with PINs or passwords to access financial services.
In Europe, while GDPR does not prevent the use of biometric data in a card payments context, understanding the key ‘privacy by design’ principles and regulatory standards on strong customer authentication will be essential to assure conformance of the next issue (Release 9) of the ECSG SEPA for Cards Standardisation (SCS) Volume with GDPR requirements.
This SPA Analysis provides an analysis of the potential impact of GDPR on innovative payment technologies and how compliance could be achieved in relation to the capture of biometric information and authentication of the cardholder.
Biometrics in payment — making card payments conformant to GDPR
By 2023, nearly 579 million biometric payment cards will be used globally to enable frictionless customer authentication for transactions, according to Goode Intelligence’s latest report ‘Biometrics for Payments – Market and Technology Analysis, Adoption Strategies and Forecasts 2018-2023’.
Indeed, the results of a recent European Payments Council poll reveal that 60% of professionals in the payments industry firmly believe that ‘multiple’ and ‘fingerprint’ technologies will become commonplace biometric authentication mechanisms in the coming five years.
With biometric technologies poised to play such a prominent role in payment, it is vital to recognise that the GDPR considers biometric data, when used for ID purposes, as a special category data that is more sensitive and requires special protection.
GDPR Article 4 defines biometric data as the ‘physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint identification] data.’
While GDPR Article 9 states that states that biometric data cannot be used for the purposes of identifying a natural person, this prohibition does not apply if the cardholder (the ‘data subject’) has given explicit consent for one or more specific purposes.
While it is yet unclear which biometric payment technology aspects will be included in the SCS Volume v9.0, biometric enrolment and processing are obvious targets for GDPR compliance.
For this reason, the considerations that follow relate to the cardholder capture of a biometric sample and its subsequent comparison with a biometrics reference stored in a consumer device (a ‘local match’ in a mobile device or card) for contactless card payments over 50 euros, or online authentication using a consumer device.
Finally, for the purposes of the following impact assessment, we have designated the card issuer as the ‘GDPR data controller’ of a cardholder’s biometric data and the cardholder as the ‘GDRP data subject’.
Addressing GDPR conformance challenges – the legal requirement for consent
Biometric enrolment is subject to explicit cardholder consent, based on a clear understanding and acceptance for the purposes as described by the data controller (the card issuer). Similarly, explicit consent must be in place with respect to the processing of this biometric data for authentication purposes — consent can be revoked by the cardholder at any time.
In terms of addressing GDPR conformance requirements in relation to explicit consent:
• Explicit consent obtained during enrolment will need to comply with GDPR Articles 6, 7, 9.2 and 29 on Consent under Regulation 2016/679, Section 4.
In relation to obtaining consent during the payment transaction itself, while there is a common assumption that a cardholder implicitly provides sufficient proof of consent when presenting his or her biological feature to the biometric sensor, Recital 51 of the GDPR indicates that member states can introduce further conditions and limitations with regard to the processing of genetic data, biometric data, or data concerning health.
For this reason, to achieve GDPR compliance:
• Consent would be considered stronger if a cardholder is free to use a ‘fallback’ authentication method should they revoke the original explicit biometric authentication consent order. For this reason, any biometric solution should be designed in a way that allows individuals to cancel biometric functionality when they revoke consent.
Addressing GDPR conformance challenges — minimizing intrusion
With respect to gaining widespread social acceptance of biometric payment mechanisms, some biometric modalities will be perceived by consumers as being less intrusive. Furthermore, certain modalities may well be subject to additional compliance and regulatory requirements — GDPR Recital 19 opens the way for EU states to introduce extra provisions for biometric modalities that are deemed to be more intrusive.
To address the impact of these twin challenges, the SPA observes that:
• EU Article 29 has produced specific guidelines in relation to fingerprint and facial biometric recognition.
• If more than one biometric modality is available in the capture device, and these modalities have been enrolled, it would be good practice to give cardholders the freedom to choose whichever one they perceive as being the less intrusive option.
Addressing GDPR conformance challenges — data protection by design and default
The design of a biometric solution’s architecture may enhance or weaken privacy (and security) – furthermore, GDPR stipulates that the processing of biometric data should be relevant and not excessive in relation to the declared purpose.
Below, SPA provides a number of recommendations for implementations that will enable the data controller (the card issuer) to comply with GDPR Article 25-1, which stipulates that the controller shall implement appropriate technical measures that implement data-protection principles.
Similarly, these recommendations will also enable compliance with GDPR Recital 78 and Recital 108, which advise that the data controller must adopt internal policies and implement measures that meet the principles of data protection by design and default.
Recommendation #1. Store the biometric reference sample as a template, not an image.
The biometric captured sample should be immediately processed and transformed into a template — a unique binary representation of an individual’s biometrics — and the raw biometric data (the image) should be automatically deleted.
The biometric template in itself will not expose information about the identity of the cardholder if the template is generated using an algorithm that has a one-way function; the associated metadata does not include personally identifiable information (PII); if the metadata includes PII, this information is protected in confidentiality.
Recommendation #2. Develop a template with a structure and encoding that is specific to cardholder authentication purposes.
While using templates to encode cardholder biometrics mitigates the risk of privacy infringement, however it does not completely eliminate this. Similarly, it may be possible to link the templates of different databases to identify individuals without their consent – moving beyond the original purpose of using biometric data as declared by the data controller.
Recommendation #3.Minimise the volume of metadata associated with the biometric reference data and/or captured biometric samples.
Metadata associated with the biometric reference template might include personal identifiable information (PII); any compromise of the biometric reference would represent a serious risk of identity fraud.
Recommendation #4.Comparison with the reference biometric sample should only occur in a protected and isolated tamper-resistant component that is under control of the cardholder.
Biometric data are irrevocable, and any breach of the biometric reference data will have extremely serious implications for the cardholder. GDPR Article 29 contends that decentralised systems provide an enhanced protection of biometric data by design, as the cardholder stays in physical control of their biometric data. Storing the biometric reference template, and only comparing the reference with the biometric sample in a protected and isolated tamper-resistant component that is under the control of the cardholder (a card and/or mobile device) makes it possible to perform a ‘local match’ against the enrolled reference biometric template in the card/mobile device.
In this way, biometric data and personally identifying derivations of such data are protected against unauthorised access or disclosure and are never transmitted outside the cardholder’s personal computing environment.
Biometry-based payment offers significant benefits in relation to enabling compliance with the legal requirements set out by PSD2 and the Regulatory Technical Standard on Strong Customer Authentication.
The ongoing evolution of the SCS Volume will need to conform to the requirements of the privacy requirements of GDPR as these relate to:
• the capture and processing of biometric data for authenticating a cardholder without exposing their identity
• the data controller appropriately describing the purpose for using biometric data – for example providing a convenient strong cardholder authentication based on biometric data for compliance with PSD2
• ensuring that biometric enrolment is subject to explicit cardholder consent.
This SPA assessment of the impact of GDPR on Volume 8.5 and beyond provides insights and considerations that will inform the ECSG as it prepares future iterations of the Volume, updating it to include biometrics.