CEO Editorial: A Call for “Payment Grade” Industry Standards

Author: Toby Rush, CEO and Founder of EyeVerify

Few dispute that biometric authentication brings benefits to mobile banking and payments, but there is still significant uncertainty on the topic. EyeVerify is live in production with several banks, credit unions, and platform providers, including RSA Security, Digital Insight, Mountain America Credit Union and First Internet Bank. Wells Fargo is launching Eyeprint ID in 2016 in their CEO Mobile App. The payment network players are also close to launching biometric solutions. It is clear from conversations with those companies and many others that there is no clear understanding of how to determine the strength of any particular biometric solution. Said another way, “What is good enough” when it comes to biometrics for mobile payments?

To that end, I propose that the industry define standards around Payment Grade biometrics that answer that question.

What is the Payment Grade concept?
Payment Grade is an effort to help financial institutions gain confidence and move towards biometrics faster. As they begin to engage the biometric world, many financial institutions don’t have the bandwidth, depth or resources to thoroughly investigate how every biometric technology works. This creates a lot of the uncertainty, because they hear different things from different vendors based on what each vendor can do, and there is no consistent answer around key cornerstones for what financial institutions and other payment industry players need in a biometric solution. Payment Grade would provide a set of standards that define and measure what industry participants need to care about.

At EyeVerify, we believe there are three primary cornerstones that the payment industry needs to understand when assessing different biometric solutions: Accuracy, Liveness and Privacy.

Messaging around accuracy currently varies by vendor (based on their capabilities) and the financial institutions (based on their own risk assessments), but there is no consensus on what is truly “good enough” regarding accuracy in biometric authentication for mobile payments. If we could offer a standard such that banks and other payment players can start asking, “Does it meet the Payment Grade accuracy requirement,” instead of, “Is it accurate enough,” we can eliminate an entire layer of uncertainty.

For a specific accuracy standard, we propose a 1 in 50,000 False Accept Rate (FAR) as a requirement. Apple has publicly stated that Touch ID has a 1/50,000 FAR, and we have heard directly from several large OEMs and payment players that the 1/50,000 FAR metric is a requirement for biometrics in their devices or applications.

This is as close to consensus as we’ve seen regarding accuracy, and we have yet to hear a stakeholder say it isn’t good enough.

The next cornerstone for Payment Grade is liveness, which prevents spoofing. This category is a bit more difficult to standardize. Currently, as an industry, we’re not only missing common metrics for liveness, we’re also missing standards for how to assess it.

There are three primary sensors for mobile biometrics today – the microphone (voice), the camera (face and eye), and the fingerprint sensor. Liveness has to be specific to each modality. A camera-based biometric will need a camera-based liveness methodology; a microphone-based biometric will require a different methodology, and so on. We won’t be able to establish a single set of numbers like we did with the Accuracy cornerstone.

In lieu of a single methodology and set of metrics, it would be beneficial to have a series of tests that we set up with our customers. We can walk through those tests and determine how successful the technology is at stopping specific threats. Is it possible to authenticate using a picture of a face pulled off of social media, or a voice recording found online? Our initial approach will increase the level of sophistication of the industry’s liveness assessment.

The last major cornerstone is privacy. As the industry moves from passwords to biometrics, customers are watching very closely to see how we are protecting their data. As reporters point out every other day, end users can’t change a biometric if it is stolen, and we will not succeed as an industry if news such as the Office of Personnel Management’s fingerprint hack continues to happen. We propose that the privacy cornerstone consists of three checkboxes: Is the biometric revocable? Do you store it locally or on the server? And if you do store it on the device – do you ever decrypt the template, and do you have a method to calculate a high entropy key?
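The privacy checkboxes above (a revocable credential, no stored plaintext template, a high-entropy key derived from the biometric) are the properties that a fuzzy commitment scheme (Juels and Wattenberg, 1999) is designed to deliver. The example below is added here and is not EyeVerify’s or any vendor’s code: it binds a random key to a bit-string template with a toy repetition code, stores only helper data plus a hash of the key, recovers the key from a noisy re-capture, and revokes by re-enrolling with a fresh key. Template length, key length and the repetition code are illustrative parameters chosen for this example; a production system would use a real error-correcting code sized for the modality’s error rate and a much longer key.

```python
"""Fuzzy commitment demo: enrol a biometric template without storing it.

Added example, not from the editorial. Templates are modelled as fixed-length
bit lists; the error-correcting code is a toy repetition code so the logic is
easy to follow. Parameters are constructed for illustration only.
"""
import hashlib
import secrets

KEY_BITS = 16                      # toy: real deployments want 128+ bits
REPEAT = 5                         # each key bit repeated 5x -> tolerates 2 flips per chunk
TEMPLATE_BITS = KEY_BITS * REPEAT  # 80-bit constructed template size


def encode(key_bits):
    """Repetition-code encoder: every key bit becomes REPEAT identical codeword bits."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(codeword):
    """Majority-vote decoder: recovers a key bit if fewer than REPEAT//2 + 1 bits flipped."""
    return [1 if sum(codeword[i * REPEAT:(i + 1) * REPEAT]) > REPEAT // 2 else 0
            for i in range(KEY_BITS)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def key_digest(key_bits):
    return hashlib.sha256(bits_to_bytes(key_bits)).hexdigest()


def flip_bits(template, positions):
    """Simulate sensor noise by flipping the given bit positions (constructed input)."""
    noisy = list(template)
    for p in positions:
        noisy[p] ^= 1
    return noisy


def enroll(template, key_bits=None):
    """Bind a fresh random key to the template. Only the helper data and a hash of
    the key are stored; the template itself never is, and it is never decrypted later
    because nothing encrypted is stored in the first place."""
    key = list(key_bits) if key_bits is not None else [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = xor(encode(key), template)          # codeword masked by the template
    return {"helper": helper, "key_hash": key_digest(key)}


def verify(template, record):
    """Recover the key from a fresh capture. Returns (accepted, key or None)."""
    candidate = decode(xor(record["helper"], template))
    if key_digest(candidate) == record["key_hash"]:
        return True, candidate                  # key can now seed a device-bound credential
    return False, None


def revoke_and_reenroll(template):
    """Revocation = discard the old record and bind a new random key; the stored
    helper data and hash change even though the biometric itself cannot."""
    return enroll(template)


if __name__ == "__main__":
    tpl = [i % 2 for i in range(TEMPLATE_BITS)]                  # constructed template
    rec = enroll(tpl)
    print("clean capture accepted:", verify(tpl, rec)[0])
    print("noisy capture accepted:", verify(flip_bits(tpl, [0, 1, 12, 79]), rec)[0])
    print("too-noisy capture accepted:", verify(flip_bits(tpl, [0, 1, 2]), rec)[0])
    print("stranger accepted:", verify([1 - b for b in tpl], rec)[0])
    print("record contains template:", "template" in rec)
```

The stored record answers the checkboxes directly: it is revocable (re-enrol with a new key), it can live on the device, it holds no template to decrypt, and the recovered key can seed a device-bound credential. The caveat a reviewer should raise is that helper data leaks information about the template, so the key’s real entropy is bounded by the template’s entropy minus that leakage, not by KEY_BITS; the toy repetition code here is particularly leaky and exists only to make the mechanism visible.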

What next?
In the early days of eCommerce, the VeriSign logo was a key factor in building end users’ confidence in the technology. Similarly, our industry needs a simple indicator that financial institutions can trust, with a process behind it that would eliminate the need for them to continually reinvent the wheel when assessing biometric technologies. To achieve that confidence, we’d have clear specifics developed by key stakeholders in the industry – banks, payment networks and device manufacturers. Third party groups would test these standards over a relevant population size to ensure validity. Solutions that pass get a Payment Grade mark.

Are you in?