The Payments Association of South Africa (“PASA”), the payments system management body of that country, recently announced a new biometric verification specification, which is set to become the standard for biometric payments throughout South Africa. The new specification will facilitate biometric authentication on payment cards. Visa and Mastercard are partners in the initiative.

Typically, biometric authentication standards are particularized to the company or financial institution facilitating payment. The biometric standard accepted for authenticating payment at one vendor would not necessarily, or even generally, be the same as the standard accepted at another vendor. The PASA standard is designed to eliminate or at least minimize these discrepancies and permit authentication of a payment via the same biometric standard at any vendor.

Biometrics in Canada

Biometric authentication is not unique to South Africa. Closer to home, Tangerine recently re-released its mobile app for iOS, which includes biometric authentication features allowing users to protect their accounts via iris scan or vocal password. In the first quarter of 2016, the Bank of Montreal released a biometric corporate credit card in partnership with Mastercard, which relies on facial recognition and fingerprint biometrics.

Financial institutions are not the only groups interested in biometrics—the Canadian Border Services Agency is running a trial project with the federal Immigration Department to use biometric technology to catch individuals traveling with fraudulent documents. A waterpark in Ontario, realizing their swimsuit-clad patrons had few places in which to carry a wallet, employs cashless fingerprint payments.

Finally, as noted in recent CyberLex blog posts, provincial governments in British Columbia and Manitoba are investing in all-in-one identification technologies also targeted at improving identification and authentication for payments.

Considerations for Business

Biometric measures are appealing to businesses because they are convenient (no need to remember a PIN or enter a code) and they automatically identify people or verify their identity. However, biometric characteristics (such as fingerprints, voiceprints, retina scans and so on) are personal information under provincial and federal privacy laws and, as such, must be treated in accordance with those privacy laws. One of the chief concerns is that biometric information collected for one purpose (e.g. payment account identity verification) will be employed for another (e.g. routine surveillance, storage for matching against future samples, targeted advertising, etc.).

The potential for multiple uses of biometric characteristics originates from the fact that they are relatively permanent and highly distinctive, making them a convenient identifier that is both constant and universal. These characteristics are difficult, if not impossible, to change, which heightens the need to protect this type of information. While the breach of a database of PINs is problematic, at the end of the day the PINs can be changed; a breach of a database of DNA or fingerprints does not permit such risk mitigation.

The Privacy Commissioner of Canada has suggested businesses ask themselves four questions before deploying a biometric system:

  1. Is the measure demonstrably necessary to meet a specific need?
  2. Is it likely to be effective in meeting that need?
  3. Would the loss of privacy be proportionate to the benefit gained?
  4. Is there a less privacy-invasive way of achieving the same end?

Companies have run into difficulties where they have deployed biometrics in the context of identification for exams and facial recognition for surveillance or marketing.