In Bengaluru, at the first MasterCard Innovation Forum in India, the company showed Gadgets 360 a number of new payments systems, and talked about the impact that the iPhone X and its Face ID technology would have on payments systems. We also learned more about the company’s views on security and privacy, and how these can be reconciled with new payment methods that rely on biometrics such as fingerprints, iris scans, and face recognition.
“You have to understand that while there are a lot of things that you need to be aware of in terms of security, there is no getting around the world of digital now,” said Johan Gerber, Executive Vice President of Security and Decision Products, MasterCard. “The ecosystem is globally interconnected. Take a look at how Pokemon Go grew into billions in no time. Imagine growing a physical business at that scale, it’s simply impossible.”
Among the technologies MasterCard demonstrated are payments authenticated with selfies, or with fingerprint readers on credit cards. Keeping this secure is a big part of MasterCard’s business, and according to Gerber, the company relies on multiple layers of security: a username and password, or a biometric verification, is not necessarily the only step needed to grant access.
Explaining what this means, Gerber pointed to the acquisition of Canadian firm NuData, which allows it to add behavioural biometrics to the mix. What’s that? Well, you might have heard of “gait analysis” – essentially, the way each of us walks is fairly unique. It turns out that these kinds of “behavioural biometrics” extend further. For example, the way you type a sentence on your computer (the time gaps between key presses) is fairly unique; the way you hold your phone, tilt it, and make swipes, and the duration of your taps, are also identifiable.
Gerber demonstrated this by typing in a username and password, and then asking a colleague to do the same. The demo showed a graph comparing the two typing patterns, and even with one-word entries, the system was able to show clear differences between the two.
“There are multiple layers of security that are being applied at any given time, not just your username and password,” he said. “The philosophy is security by design. So the first step is to try and prevent any attack, with EMV, tokenisation, PIN, all that.”
“The next stage is to detect, and we are doing a lot of checks at all times, with artificial intelligence, and a rules-based system,” he continued. “And then you Enhance, by making transactions as convenient as possible, and using the rules to apply friction when needed to reduce fraud. We find new ways to do that using a ‘Decision Score’ based on customer behaviour. We acquired a firm called Brighterion, which allows us to apply AI in every transaction, tracking behaviour across the entire network, to detect cyberattacks at a global level.”
These systems are layered together, and to some extent that is already the case. Think about the last time you made a big transaction that was out of the ordinary for you – didn’t you get a call from the bank asking you to confirm where you shopped and how much you spent? That’s a layer of friction to confirm who you are, but Paul Baker, Vice President, Product Management, MasterCard, added that the bank could instead do something like let you make your payment using an OTP, and then, if the transaction seems unusual, send a push notification to your phone asking for a selfie to verify your identity over and above the OTP or PIN.
“Consumers and processors [like MasterCard] both hate static passwords,” Baker added. “That’s why we rely on numerous other factors to ensure that the transaction is genuine. It requires a complete upgrade with the banks, and it could take a couple of years to be widely implemented.”
At the same time, both Baker and Gerber stressed that the user’s privacy is also kept secure. “For the most part, almost all the data that comes to MasterCard is anonymised before we even get it, which is how we prefer it,” Gerber said. “There are a few systems where we have to handle the user data, but the vast majority of it is completely anonymous to us.”
“With your fingerprint, and your facial scan, you’re not uploading the prints or your selfie,” Baker added, “we have a special algorithm that turns the biometrics into a mathematical expression, and that’s the only thing that gets compared. So your data is completely safe at all times.”
Regulators – both around the world and in India – are also getting more active on new technology, and over the last few years, the understanding of the need for bringing in newer digital systems has also improved, he added.
That said, Baker added that the various new systems being demonstrated for us – such as Selfie Payments, Audio Payments, and fingerprint scanners on cards – are all on MasterCard’s roadmap for India, so it’s only a question of time before these systems get more widespread across banks.