Biometrics, Payment & GDPR - Latest SPA Analysis - April 2019

Analysing the Potential Impact of GDPR on Release 9 of the European Card Stakeholder Group (ECSG) SCS Volume

Biometrics is fast becoming a key verification and authentication mechanism for payment services. In recent years, fingerprint biometry has become ubiquitous for Apple Pay and Google Pay solutions, and now payment schemes and banks are looking to lead the innovation charge with match-on-card biometrics to enable the next generation of smart payment cards.

Biometric-enabled payment cards offer issuers a clear advantage, providing consumers and merchants with multiple authentication factors — not just ‘something I have’, but ‘something I am’. Also, should it be necessary, biometric-enabled EMV cards can provide ‘something I know’ with a PIN.

But the real benefit is the enablement of additional security for a fast and frictionless payment experience in the card-present physical environment that’s already familiar to consumers, as well as delivering an agile solution for tackling card fraud in the virtual e-commerce world.

Adding biometric functionality to an EMV card will also help address the global issue of financial inclusion, overcoming literacy or health limitations that currently deny individuals unfamiliar with PINs or passwords to access financial services.

In Europe, while GDPR does not prevent the use of biometric data in a card payments context, understanding the key ‘privacy by design’ principles and regulatory standards on strong customer authentication will be essential to assure conformance of the next issue (Release 9) of the ECSG SEPA for Cards Standardisation (SCS) Volume with GDPR requirements.

This SPA Analysis provides an analysis of the potential impact of GDPR on innovative payment technologies and how compliance could be achieved in relation to the capture of biometric information and authentication of the cardholder.

Read full analysis here