Increasing Regulation for New Biometric Payment Systems Likely on the Near Horizon

Biometric payment systems are point-of-sale technologies that use biometric authentication based on physical characteristics to identify users and subsequently authorize the deduction of funds from a financial account. The use of such technology is rapidly being deployed to authenticate and authorize faster payments. As this technology evolves, there are new privacy and cybersecurity issues that will likely be addressed by US federal and state legislators in the near future.

What Are Biometric Payment Systems?

Many technology and consumer goods companies are starting to deploy biometric payment systems, which is a form of payment using a consumer’s unique physical features (i.e., face or palm print) to authorize payments. According to a recent forecast, by 2026, about $5.8 trillion in annual payments are expected to be made using biometrics by more than three billion users.  

Biometric payment systems are point-of-sale systems that use biometric authentication based on physical characteristics to identify the user and then authorize the deduction of funds from a bank account. The biometric payment system generally uses two-factor authentication, in which the biometric scan (such as a fingerprint or a palm print) takes the place of the card swipe, and then the user types in their pin. Some additional biometric authentication methods include iris recognition, face recognition, retina recognition, DNA matching, voice recognition and vein patterns. A consumer will first register for a biometric payment card program at a business by presenting valid identification and bank account information. Then, the consumer will scan a biometric identifier into the business’s systems. The business’s scanning system generally then encrypts the multiple point-to-point measurements and stores the biometric information and bank account information in a database. When the consumer purchases anything, they conduct a biometric scan, which the business compares with their stored information to authenticate the transaction and transfer the funds.

Many companies are implementing these biometric payment systems.  For example: 

• Amazon.com Inc.-owned Whole Foods Market is implementing a new “Amazon One” biometric payment program.  Customers who sign up for the Amazon One biometric payment program will no longer need their wallets or phones to pay for groceries. By signing up for Amazon One and providing credit or debit card information or valid identification information to a retailer, the consumer is able to scan his or her palm to pay at participating locations. Whole Foods has pay-by-palm devices available at approximately 200 stores across the country and aims to equip all 500+ of its stores throughout the US with this technology by the end of the year. 
• Companies such as Panera Bread are rolling out Amazon One at select bakery-cafes in St. Louis. They plan to use Amazon One for both the loyalty program and payments. Consumers who link their MyPanera accounts with Amazon One will also be eligible to get tailored meal recommendations based on their preferences and previous orders as well as learn about available rewards.
• Other businesses such as Mastercard Inc. have tested new systems that rely on a consumer’s physical characteristics to confirm their identity as part of a purchase. The Mastercard Biometric Card combines chip technology and utilizes fingerprints to verify the cardholder’s identity or in-store purchases. The card contains an embedded sensor that’s powered by the chip, authenticates the identity through a fingertip, and can be used at payment terminals worldwide.
• J.P. Morgan has plans to pilot biometrics-based payments with certain retailers in the US. Their pilot program will include palm and face identification for authenticating payments in store. J.P. Morgan is leveraging their position as a trusted payments provider and financial institution worldwide to rapidly deploy these biometric solutions. Their first pilot programs will run at brick-and-mortar stores in the US and potentially include Formula One races. J.P. Morgan has also launched Commerce Solutions, a next generation suite of payments infrastructure that helps merchants accept consumers and B2B payments. Commerce Solutions can also accept biometric payment solutions.

Biometric payment systems may become a game changer for event venues as these venues can have a new ticketing and age verification program. Currently, members of CLEAR’s biometric program can take advantage of expedited entry for sports and entertainment events, and some venues allow CLEAR attendees to confirm their age eligibility for buying alcoholic beverages by snapping a selfie. Each time a consumer uses the CLEAR technology, they must opt-in and click a button to consent to data sharing.

What Privacy and Cybersecurity Issues Do Biometric Payment Systems Implicate?

Advocates for biometric payment transactions state that biometrics are more secure and fraud resistant than card transactions since they require two-factor authentication. They also eliminate the need for PIN numbers and reduce operational costs by decreasing customer service requests. Additionally, these systems will increase the number of transactions, as it reduces human error (i.e., forgotten PIN codes).  In a post COVID-19 era, technology systems that provide convenient and contactless payment systems will become increasingly attractive.

Although some may argue that biometric markers are unique and cannot go missing like a credit card, these types of biometric payment options are sparking some concerns for technology and cybersecurity experts. There are concerns that AI technology can be used to create fake users based on altered versions of a consumer’s voice, face or handprint and then used to confuse biometric payment systems. As hacking becomes more prevalent and omnipresent, there is also an increased risk of hackers accessing these biometric databases. Hackers may be able to control us anywhere in the world and manipulate a consumer’s ability to enter into a given space.

Technology is being developed to address some of these concerns.  For example, scanners are being developed that employ “liveness detection.”  Liveness detection is a technique used to detect a spoof attempt by determining whether the source of the biometric sample is a live human being or a fake representation. This is accomplished through algorithms that analyze the data collected from the biometric sensors to determine whether the source is live or reproduced. There are two main categories of liveness detection: (1) active and (2) passive. Active liveness detection technology prompts the user to perform an action that cannot be easily replicated with a spoof and may incorporate multiple modalities, such as keystroke analysis or speaker recognition (i.e., movement of the mouth). Passive liveness detection technology uses algorithms to detect indicators of a non-live image without user interaction. Amazon noted that their palm scanners currently employ this technology and have tested the technology against silicone and 3D-printed palms.

Additionally, businesses deploying biometric payment systems should apply security controls such as encryption, understanding data flows, and increasing protection around data storage. They may also consider saving the computer’s interpretation of the physical feature, rather than the raw biometric information.

What Is The Current Legal Landscape?

As businesses increasingly collect biometric information, state legislators are enacting more robust consumer data privacy and biometric laws. In 2008, Illinois became the first state to enact the Illinois Biometric Information Privacy Act (BIPA) to require entities that use and store biometric identifiers to comply with certain requirements and also provide consumers with a private right of action for recovering statutory damages when entities fail to comply. Texas and Washington have subsequently enacted broad biometric privacy laws, but neither one of these provides consumers with a private right of action. California, Colorado, Connecticut, Utah and Virginia have comprehensive consumer privacy laws that will govern the processing of biometric information. There are also some additional data breach notification laws that explicitly govern biometric data.

As biometric payment systems become more prevalent, state law makers are introducing new bills regulating this new technology. There is a bill pending before the New York State Senate which would authorize the use of biometric identity verification to determine a person’s age for purchase of alcohol and tobacco products. This new bill would require merchants using biometric payment systems for this purpose to secure biometric records in an encrypted and centralized database to protect the biometric data from hacks and leaks.

Washington state legislators are considering implementing a new rule that would add biometric screenings as an acceptable form of identification under Washington’s administrative code. Customers could register with a third party company, complete a biometric scan, and then submit a copy of their government identification. When the consumer goes to purchase drinks, his or her ID would pop up for the bartender to approve. 

Some legislators are concerned that there are still a number of unknowns with third-party data collection and how the third parties will use this data on a go-forward basis. Washington recently passed a law that protects health data, including biometric data, from being collected and shared without an individual’s consent. This type of legislation will add in layered protections on the downstream sale of this data. Although Washington has this type of legislation, many other states fall short on these types of protections and state legislators may consider new bills targeted at biometric privacy and payment system regulation. 

Given the rapid deployment of these biometric payment system technologies, it may be worthwhile to consider developing guardrails and advocating for stronger security measures to protect such sensitive information. Legislators may consider implementing biometric payment laws based on Washington’s new health privacy law, which prevents third parties from collecting or sharing any biometric information without the consumer’s consent. Companies may consider including stronger consumer protections against sharing biometric information with government agencies or law enforcement officials and more layers of authentication for accessing any centralized databases that house biometric information. As the biometric payment ecosystem evolves, legislators will ultimately need to step in to ensure that consumers’ biometric information is protected.