Strong Customer Authentication
The Future of Payments (webinar)
Hello and welcome to the JP Morgan webcast. Before we begin, a few brief announcements. This webcast is being recorded, and will be available on demand for one year. Today's events will include interactive polling questions, which are optional for participants.
For an enhanced view of the presentation, click the Enlarge Slides button, located in the gray bar above the side window. We will consolidate questions received in advance or submitted in the question box, and address as many of these as possible during the Q&A at the end of the session. I will now hand over to the webcast host, Aimee McLaughlin of JP Morgan.
Welcome to the Future of Payments webinar. My name is Aimee McLaughlin, from the JP Morgan Payment Network office. I will act as your host and moderator today. We have an exciting presence today from some excellent speakers. During our presentation today, we will cover three key topics around the use of biometrics in the payment ecosystem. First, Strong Customer Authentication-- Biometrics in the World of Regulation. Second, From Password to Person-- the Evolution of Biometrics. And thirdly, Responsible and Ethical Use of Biometrics.
First we have Colm O'Monachain from JP Morgan. Colm is responsible for chargeback fraud strategy and litigation for JP Morgan. Colm is also heavily involved in the TSCQ implementation project, and is a subject matter expert on strong customer authentication.
Colm will focus on the use of Biometrics in a World of Regulations. He will identify different forms of biometric authentication, and will walk through some of the pros and cons of these different types of biometrics.
Next we will be joined by Jamila Hunter from Mastercard. Jamila is the director of biometric authentication within Mastercard Cyber & Intelligence. Jamila's focus is on defining the strategies and capabilities to enable biometrics authentication solutions for customer verification using new and innovative technologies.
Jamila will take us through the evolution of biometrics, the current biometrics options, and the future space that we can look forward to in the payment space. Jamila will also discuss the responsible use of biometrics data.
Finally we will be joined by Isabelle Moeller, the chief executive of the Biometrics Institute. Isabelle has played a key role in the establishment of the Biometrics Institute, an independent, international, impartial organization established to promote the responsible use of biometrics globally. Isabelle will bring us to the responsible and ethical use of biometrics. She will discuss the future use and regulations for the use of biometrics.
We are hoping for an interactive session. So please ask any questions you have in the box provided. We will also be asking a number of polling questions, and we would encourage your participation.
So now, to get started, we would like to start off with two polling questions. Overall, how comfortable are you personally with using biometrics? Very comfortable; quite comfortable; not very comfortable, I have some reservations; not at all comfortable, I have many reservations. Just to go through that again, overall, how comfortable are you personally with using biometrics? Very comfortable; quite comfortable; not very comfortable, I have some reservations; not at all comfortable, I have many reservations. Please submit your answers now.
So we can look at the results of these questions straightaway. There's quite a spread of results across this question. 40% of participants are very comfortable with biometrics, 35% are quite comfortable, 20% are not very comfortable and have some reservations, and 5% are not at all comfortable and have many reservations. Thank you for participating.
For our next question, what concerns you the greatest in the use of biometrics or authentication in payments? I worry about my data. I don't have any issues. The method can be spoofed. Stolen characteristics, e.g. fingerprints, cannot be reset. The procedures have too high an error rate. It is too expensive to implement.
Let's go over that again. What concerns me the greatest in the use of biometrics authentication in payments? I worry about my data. I don't have any issues. The method can be spoofed. Stolen characteristics, e.g. fingerprints, cannot be reset. The procedures have too high an error rate. It is too expensive to implement. Please submit your answers now.
So we can see there's some answers come through here. So what concerns you the greatest in the use of biometrics for authentication in payments. 46.7% worry about their data. 20% don't have any issues. 6.7% believe the method can be spoofed. 20% believe the stolen characteristics, e.g. fingerprints, cannot be reset. 6.7% believe the procedures have too high an error rate. 0% believe it's too expensive to implement.
Thank you very much for your participation in our polling questions. Now I would like to hand over to our first speaker, Colm O'Monachain, who will discuss Biometrics in the World of Regulation.
Thanks, Aimee. Hi, everyone. I hope everyone's keeping well and safe. I'm here to talk about biometrics within the regulatory world, particularly with an emphasis on PSD2. So if we look at the future payments of how we see it going forward, you can see there that research indicates that mobile biometrics will authenticate over $2 trillion worth of sales by 2023. And with that, remote payments account for almost 57% of all biometric transactions by 2023. And this is primarily driven by, I suppose, the new methods and the new ways that people will pay away from desktop and point of sale, and moving towards more m-commerce and older forms of payment.
So the research forecast the fastest growth has come from biometrically-verified, remote m-commerce transactions, reaching over 48 billion by 2023. And this will be around 57% of all biometric transactions that we see in 2023, up from around 28% in 2018. Indeed, this may be driven even further by COVID, and how we expect COVID to change the way people pay. And we've already seen a huge increase in, obviously, people moving away from point-of-sale and desktop payments this year towards more m-commerce type payments as people had to change their lifestyles to account for the COVID restrictions. So indeed these figures may even come before 2023 the way it's going.
And the main innovations that we see within the payments authentication space is around biometric as a service, so software that can be employed in between to both [INAUDIBLE] and the cardholder's issuing bank to be able to provide that authentication of biometrical solutions to be able to possibly authenticate and have more secure transactions.
With that in mind, I suppose I'll mention how people are paying in the world today. Nearly 90% of all smartphones currently can support software-based facial recognition, while almost 80% are capable of voice-based payments. And that's where we see the future of payments going, particularly as more and more technology maintenance advancements happen and people will start to pay via phones, and watches, and other smart channels. And that particular percentage may go up.
But the big thing here from a merchant perspective and from an e-commerce retailer perspective, is that it's going to implement a passive authentication method, which means less friction in the process, and therefore less chance of cart abandonment. As it stands today, if merchants wish to do two-factor authentication, they're pretty limited in terms of how they should do that in terms of either an SMS to a mobile phone or log into an [INAUDIBLE] browser, or potentially have a historical-based question. With the rise of biometrics, that should account for more password authentication, ensuring a seamless flow to the cardholder's account, and therefore increased security but less friction.
In terms of regulation-- and as you see today, I'm sure everyone's heard of the Payment Services Directive. But if they haven't, [INAUDIBLE] this is a regulation that's due to come into the EEA area by December 2020. And it's insisting that all e-commerce transactions have two-factor authentication, to essentially reduce fraud that we're seeing at the moment within the e-commerce space.
And the three independent factors that the EBA, the European Banking Association, has agreed that is sufficient is around something you are, something you know, and something you have. So in terms of biometrics, it is one of the three key independent pillars for authentication that the EBA has agreed to use going forward. And it's probably the most seamless and authenticated measure that we can have in terms of safety, frictionless flow, and that it also quickly and safely integrates into the channels that people are using today to purchase things.
So the aim of the PSD2 was ultimately to reduce fraud and improve consumer choice, and strong customer authentication was a key tenet of that. I suppose it also breeds innovation. And innovation is how the industry is looking out at the moment. So while in 2018, 2019, 2020 as we are now, we know biometric authentication isn't quite as standardized as we see it, maybe possibly in two or three years' time, the pace of change and the pace of innovation we expect to change and increase as PSD2 gets implemented in December 2020, and for our UK colleagues in October 2021. So while PSD2 is essentially a way to reduce fraud, it is also a key driver of biometric authentication within the wider payments industry. And we see that in the pace increasing as time goes on.
So if you look at the various forms of biometric authentication, there's many forms, as you can imagine. One of the key ones that a lot of merchants are using today is behavior biometrics. And so stuff that really is inherent to that particular user, such as keystroke recognition, how do they hold their mobile device, how quick do they swipe to purchase something or unlock their phone, and other behavior and biometrics such as where the device is located, when do they purchase their goods, have they purchased there before.
So these are all forms of biometrical behavior that I suppose can be used to identify and accurately identify, in a safe manner in an [INAUDIBLE] manner, that the customer looking to make that purchase is indeed who they say they are. And that can be used on many different forms and channels. Primarily it's used on m-commerce as people purchase on apps and on various [INAUDIBLE] desktops and other forms of e-commerce channels.
Secondly, we have fingerprint identification. And as I mentioned on the previous slide, it is very common on most of the smartphones we have today that fingerprint identification is there, readily available, and can be used fairly, fairly quickly. Thirdly is finger vein identification. It's one of the ones that maybe aren't that widely used at the moment. But it is one of the ones that can be used for authentication going forward. And I'm sure we'll talk more on that later on in the presentation.
And then the last two really are around facial features and iris recognition. So again, around face recognition, many smartphones have that particular capability today. They're able to unlock phones and identify how the customer is who they say are or if the phone owner is who they say they are. And this is very common in many phones today. So it isn't a huge jump to be able to use that within payment authentication.
And also iris recognition, another form of biometric authentication. Another form here that [INAUDIBLE] used here is actually also voice recognition, so using your voice and giving a coded word or an approval, to be able to authenticate using your voice. So these are all types of forms of authentication that potentially could be used within a payment flow or a payment authentication flow, where the consumer is prompted to be able to authenticate, either seamlessly through something like the biometrical behavior, or else something like a fingerprint recognition or a face recognition, where the consumer is asked to actually put their finger on a device or look into the camera to essentially authenticate where possible.
So as we move towards further biometric authentication within the wider payment ecosystem, as we saw in some of the polling questions earlier, it's a new form of authentication for many. And as people are changing and some technology is getting more advanced, biometrical authentication becomes more and more ingrained in how we purchase things, particularly as the way we purchase things and the channels that we purchase things through are becoming more and more diverse.
And I suppose, if you look at the benefits of biometrics purely from an authentication measure and payment measure, you know, we've all heard of phishing or social engineering where fraudsters can use various methods to try and extract passwords or passcodes from unsuspecting users to be able to get into banking apps and stuff like that. And biometrics can more or less put an end to that particular form of fraud and safety. And it also enables automatic positive identification of users. So it's quick, it's seamless, it can be identified very quickly. And again, it's inherent to that particular user. And it reduces the human behavioral vulnerabilities.
So as you mentioned, particularly with COVID, we've seen a large increase in fraud and social engineering fraud, where people have essentially been tricked into giving personal details or transferring money to additional accounts. Where biometrics can help in that regard is, again, it's inherent to that particular user. It's very difficult to be able to transgress in that particular regard, and have fraudsters be able to use those particular measures.
Again, as I mentioned, enhanced security measures-- so for the most part, when people use biometrical authentication, it's inherent to that particular user. They have this device in their person at that particular moment in time. It's also quick and seamless, and enables the issuer on the issuing side to be able to be confident that the person is who they say they are while making that particular transaction.
As we mentioned before, most fraud really attacks the human behavioral vulnerabilities. So by having biometrics as the key authentication solution can reduce that, and particularly reduce the forging that that process may be able to do on biometrics. And also non-transfer of accounts. So it would be difficult to be able to transfer accounts from one user to another [INAUDIBLE] the use of biometrics.
However, some of the stuff we're hearing within the marketplace, and cons and dependencies that we do see here is, I suppose, there is a dependency on the consumer to have a modern device on which to authenticate. So there may be vulnerable customers or particular customer demographics that may not have a device that can actually authenticate biometrically. So that is one area that [INAUDIBLE] reduce [INAUDIBLE] across the industry. [INAUDIBLE] traces the impact of a data breach if there was to be one, in terms of password and a passcode analyst who change inherent biometrics. So I suppose there's an onus there [INAUDIBLE] to be able to ensure that all persons' biometrics are kept [INAUDIBLE] secure manner. It makes it very difficult to be able to bypass.
And for me, I suppose, fraudsters [INAUDIBLE]. So as more security measures are developed, and increased, and brought into the industry, fraudsters are always looking at a way to try and get around that and try and look into breaching cyber defenses and biometric defenses. So I suppose everyone needs to be fully aware that that is a risk. But with the proper care and security that risk is minimized.
So I suppose that's just a quick overview of where we are in terms of biometrics in terms of the registry and standing weekly today. The EBAC biometric authentication is the key independent pillar for two-factor authentication. It's seamless. It can work very well at many different mobile channels. It's also frictionless. So it enables e-commerce merchants to be able to have a frictionless flow to check out. And essentially, as the increase in online and mobile m-commerce increases between now and the next few years, biometric authentication will become one of, I suppose, the key methods to, one, reduce fraud, and two, approving transactions going forward.
So I'd like to thank everyone who has listened to those few slides. And I'll pass back on to Aimee. Thank you.
Thank you, Colm. Now before we hand over to Jamila from Mastercard, we're hoping to just go through our final two polling questions. So you'll see, there on your screen, and our third question. In your opinion, what is the top reason to use biometrics? Security, convenience, personalization. Let's go through that again. In your opinion, what is the top reason [INAUDIBLE] biometrics? Security, convenience, or personalization.
We can see there we've got some responses. Thank you for your participation. So in your opinion, what is the top reason to use biometrics? A good majority there, 66.7%, said the security is the top reason. And 33.3% said convenience. And personalization is at 0%.
Now, for our next [INAUDIBLE] question, we wanted to see what is the best way to secure payment? Fingerprint, [INAUDIBLE] signature, [INAUDIBLE]. Please submit your answers now. So we can see some results [INAUDIBLE]. Are saying facial. And 5.9% are saying voice. Behavioral biometrics have 17.6%.
Thank you for your participation. And please don't forget to add any questions that you have into the Q&A box. I will now hand over to our next speaker, Jamila Hunter, from Mastercard.
All right, good morning. Good afternoon. I appreciate this time, and hope everyone is staying well. Today I'll be focused on kind of the concept From Password to Person.
I like to start off with a quote from within my senior leadership. She mentions that security and a seamless experience should never be mutually exclusive. Physical biometrics solve for both helping us deliver greater trust in the digital payment ecosystem, particularly at a time when peace of mind is in such short supply. That's from Rangita Iyer, our senior vice president within Identity Solutions for Cyber & Intelligence.
So for many years, there was a trade-off between security and convenience. More security meant less convenience, with ever more complex passwords, PINs, memorable data, and Captcha technology. Biometrics has changed that. And as we've heard, more than 90% of users believe biometrics are more secure and convenient than passwords. And they are willing to adopt biometrics to replace the existing password-based authentication.
Advancements in biometrics, the technologies that we've spoken about, that use our unique attributes for identification authentication, are shifting from knowledge-based methods of verification to those that are recognition-based. The verification of biometric data, along with liveness detection and associated security processes, are key to this innovation. Physical biometrics such as the fingerprint, the face, and voice, or even palm, that were noted earlier, are being combined with technologies that recognize these behavioral traits and associated devices to create seamless, intelligent, and more secure methods of authentication.
Crucially, authentication techniques that apply intelligence to passive biometrics don't require extensive knowledge of the individual. They only need to recognize that the individual and the situation at hand with enough confidence that they can be trusted. So the use of active and passive biometrics helps to better distinguish the good users from the criminals, making life easier for consumers and harder for fraudsters.
So the first key to biometrics is a balance of user security and choice. Based on that poll that we just had, with behavioral analytics being used to data mine for the most accurate authentication results, it leads to the second key factor, which is the consideration of environment or external conditions that can affect a user's choice.
Now, while all biometrics can be strong, there are factors where offering only one choice can reduce usability. As we age, or depending on your profession, your hands can become rough, making the fingerprint modality less effective. If you're trying to authenticate with your face in bright light, you may have difficulty matching against your biometric template due to the camera exposure. And if you wanted to authenticate with your voice in a stadium or concert event, it would not work well in loud or noisy environments.
So we're taking these future-forward biometrics like heartbeat or pulse so that authentication can realize extremely high security, since they can't easily reference samples like photographs or fingerprints for the prevention of spoofing. These methods of authentication will increase, especially in fields requiring high security such as those dealing with consumers' personal data and medical information, all of which can be applied to payments.
So no longer is biometric adoption a goal. But matching and embedding consumer expectation for easier use, we need to be able to provide solutions that are able to offer choice of authentication as well as a mixed or multi-modal support. Educating our consumers will be critical to helping them understand the benefits of biometrics within digital payments.
All right, so in the digital age, fundamental aspects of payments are evolving rapidly. There's a fine balance between giving consumers the convenience and simplicity they want along with safety and security. With the security enhancements implemented in the physical world, like what we've done with mag stripe to chip, or contactless to NFC, consumers want their digital transactions to remain as safe as their physical ones with little effort.
As mentioned earlier, by 2023, it's forecasted that nearly 40 billion, if not closer to 50 billion, as Colm had mentioned, will be authenticated with biometrics, with a combined value of around $2 trillion worth of transactions. That is why it's better that we kind of have a better intelligence sharing and smarter decisioning in order to enable genuine transactions to flow while trapping or blocking those criminal activities. For this work not to be undone, we must embrace innovation and technology without leaving the door open for these types of exploitations.
So within these phases of engagement, identification, and decisioning, when we focus on the customer journey for digital payments, we traditionally think about biometrics as it applies to authentication within the identification vertical. But if we take a look from the beginning, you'll see that biometrics affects or influences each and every step.
As in-store purchasing has become more secure, fraud continues to increase online. Why? Because identity verification is a top challenge for both issuers and merchants. In fact, 50% of global login traffic is at high risk for potential account takeover or credential misuse. And consumers are frustrated when they don't have the same seamless secure experience at every transaction. There are complications to having all of this access to our personal information, as more devices are now storing our personal data and payment credentials. This brings a risk of exposing our data and identity if we don't secure the information.
The most complex aspect of the ecosystem is that the user is required to remember how they can be authenticated across a number of devices and channels. In payments technology, this is something we're closing in on as we move from cash to card, passwords to thumbprint, and beyond, to innovative technologies and environment mixed with physical and digital cards. So now, with an engagement, once biometrics are used to enroll a user for access to services in their account, that account can now be monitored with both active biometrics and behavioral analytics to ensure the genuine user.
Upon checkout, a consumer is authenticated, preferably with the biometrics, to inform or verify the transaction with strong consumer authentication within EMV 3DS. This need to transition from legacy passwords, PINs, and OTP as a form of authentication, along with consumers' desire to leverage technology to enable a simple, safe, and secure experience, is the catalyst for mobile biometrics within payments. And by the way, when SCA is applied properly, we are seeing greater than 93% approval rates on EMV 3DS transactions.
Which leads us to decisioning, where authorization and disputes have evidence or insights of the successful authentication of consumer with biometrics. So for merchants and financial institutions, this holistic flow will help isolate those bad actors and recognize good so we can, one, provide a more consistent, satisfying experience at each authentication touchpoint. We can enhance the consumer engagement and loyalty. We can provide strong protections for consumers' financial data, decrease fraud and operational calls, and of course increase revenues by enabling increased transaction completion and approval rates.
I've spent a lot of time on this digital transaction. But as I mentioned earlier, consumers want the same level of security and ease with both digital and physical transactions. One commercial example is the biometric card. Deemed as the cleanest form of contactless, the biometric card has a lightweight enrollment process where the cardholder's fingerprint template, a mathematical representation, is enrolled on the card and stored directly within the secure element. It works with existing EMV terminals, both contact and contactless, to perform biometric validation by just holding your thumb over the sensor while you either dip or tap. The fingerprint template never leaves the card, as the Mastercard app on the chip performs the verification of user.
You might ask, does this need a battery? And the answer is no. The card draws enough power directly from the POS terminal to perform authentication. That biometric success or failure is communicated to the POS, similar to that of offline PIN. So the consumer benefits from security and convenience, with the ability to use these cards for higher-value payments and physical locations that are both contactless and without PIN, with future acceleration adoption of biometric payment cards without disrupting the point of sale.
So from the work with standard associations like EMV and FIDO, we continue to work and understand the contributions that they've made to develop the guidance, rules, and infrastructure, that allow a vast network of payments to work globally. With biometrics, there are legitimate concerns about where the biometric data is stored, whether it's local or on-device, or in the cloud, PCI concerns with PII, or Personal Identifying data, being collected, and where it's being stored, as well as antispoofing measures to reduce replay attacks to ensure the liveliness right of our users. But we will need to be open to new standards and variations of use.
I'd like to conclude by saying that Mastercard is committed to a privacy-by-design approach in its product development, advocating for a user-centric and consent-driven approach to biometrics, which keeps an individual informed on the use of their data. Our authentication solutions and partnered solutions are built on the basis of this highest global privacy standard, but keep all of these pillars, including security, accountability, social impact, innovation, in consideration for use of this biometric data. I thank you for your time.
Thank you, Jamila. Now, finally, for our last speaker, I would like to introduce Isabelle Moeller from the Biometrics Institute.
Thank you, Aimee. And it's an absolute delight to be here, especially from what I've heard through the audience, it's an audience that I'm not all that familiar with. And we're always excited to share our passion about biometrics with the global community. But at the same time, it has to be a responsible and ethical use of biometrics. And that's what I'm going to talk about to you all today.
So let me just start off also with a few stats. And Colm and Jamila already have given you quite a few. But I came across one, actually, from Mastercard, a global consumer study Mastercard released in April 2020, saying that nearly eight in 10 say they've used contactless payments. And between February and March 2020, contactless transactions grew twice as fast as non-contactless transactions in the grocery and drugstore categories. Also, Juniper Research forecasts contactless transactions around the world will grow from roughly $2 trillion in 2020 to nearly $6 trillion in 2024. I think we get the feel it is a growing industry.
I wanted to share with you some results from our very own industry survey that we conduct annually with our members and key stakeholders, about 350 respondents. And we asked them-- because it was launched in March, so we could include some very timely questions-- what role biometrics play in the future of secure contactless payments. And you can see here on the screen that our community believes that biometrics will be absolutely key, and especially since the impact of COVID-19.
We also asked them about the future of digital identity management. And again, there was a clear view that we will see much greater uptake of digital identity management as a result of COVID-19. I think we all have experience we're no longer talking digital transformation, we are actually living it.
We ask this very question every year, expected developments in the next five years. And in the past, it was always dominated by border management and seamless journeys across borders and in aviation. Interestingly enough, there has been this shift where really digital identity and artificial intelligence were seen as the key developments for the next five years. We do like to ask the beauty contest question, modalities. Colm talked a bit about it earlier on. And our community, not surprisingly, says that face will be the dominant modality to look at, followed by multimodal, but also, interestingly enough, contactless finger and vein.
Our members are very much on the border. I'll talk a little bit more about that later. So it is not surprising that when you are a government agency and you look at linking a digital identity to a human identity, identity documents that have biometrics or a face already are a good place to start to anchor an identity.
So with biometric passports, obviously, having a facial biometric image stored, it is quite not surprising that we are seeing this response. But it was interesting to see that, through COVID-19, contactless finger and vein solutions suddenly started to become of great interest. And it really means, on your phone, you can use an app, and use the camera of the phone to scan your fingerprint. Now, it's not as accurate as contact-based fingerprints. But nevertheless, these are all modalities to watch.
So obviously we've already heard this. Why do consumers like it? Well, it is of course the ease of use that biometrics provide. And it was interesting-- I also read a little bit more about concerns. And we've just seen it in the very poll here. 74% of you said you are very or quite comfortable using biometrics. But you also said, 47%, that you're concerned about your data. And that is exactly what we are hearing. Customers love the ease of use, but they have a concern over data breaches.
From financial institutions, Colm and Jamila both have raised that, of course, there is fraud that can be cut out through biometrics. Cost and return on investment, security, risk balancing, all those elements are good reasons to look at biometrics. But I did also want to mention that identity fraud is on the increase. And as we are growing more digital, there is obviously an increased risk to the consumer that their identity is stolen. So I do believe organizations have a responsibility also towards the consumer to ensure that they are protected as they are using your services.
And finally, we shouldn't forget that also biometrics offer financial inclusion. I know that the Royal Institute of the Blind here in the UK, several years ago, was looking at voice biometrics to allow people who are visually impaired to still transact online on their bank accounts. And of course, developing countries, where people do not even have a birth certificate, biometrics give them an opportunity to finally conduct financial transactions.
However, there are concerns over biometrics. And there's a lot you need to consider. In our industry survey, we do ask about market restraints. And you see that data protection is the top concern, which is really the role of the Institute to talk about the responsible and ethical use of biometrics. But I've highlighted here, poor knowledge of decision-makers. Sadly we are seeing people basing their decisions and their knowledge about biometrics on a Google search. And I think we all know that that is no longer the place we should go and look.
Biometrics involve a lot of consideration and due processes. And it's very important to keep that in mind. We often see that when things go wrong with biometrics, the technology gets blamed. Most of you will have been in a border scenario, going through a gate, presenting your passport, having your face scanned. It doesn't work. You can't get out of the gate. The next thing is people shout, oh, that stupid biometric doesn't work. When, in reality, the issue is obviously with the people deploying it and putting the right processes in place.
Legislation-- we do ask about that as well, whether, in general, our members think that in their country legislation around biometrics is strict enough. And it was very interesting to see-- and maybe not surprising to this audience-- that in Europe, with GDPR, and obviously you have PSD2-- there was the view that there is sufficient legislation, while our American and Australian and New Zealand members and respondents felt it wasn't quite sufficient.
And asking them about what areas those concerns lie-- obviously there's a lot of headlines around the use, by police, of biometrics and fears of surveillance. But I did find it interesting that financial services came up third on this list. And I would actually love to learn more about that particular area.
Now, just quickly, to give you a feeling about who we are, because I think it is really important to understand, the Biometrics Institute was set up to promote responsible and ethical use of biometrics. We are a global, multinational, not-for-profit organization focusing on the users. We are guiding our user members-- the banks, the governments, the aviation industry-- through the key processes for biometrics. But we also have the suppliers, the academics, and also international observers representing many United Nations agencies, who have come together to really get biometrics right.
That is reflected on our board of directors. I just highlight our chairman is from the Department of Home Affairs in Australia. We have a range of good practice tools. It was interesting to hear Colm earlier. And one of these recommendations we have, ideally, is to store biometric and biographic data, which is your name and date of birth, separately. So there are many, many things to consider.
We have done work around the vulnerability question, the spoofing of biometrics, again giving guidance there. We have privacy guidelines, 16 principles that take you through all the key questions you should ask, ethical principles, and a whole range of projects that are going on. And I will not go into the detail here, but to give you just one important message, we launched a Biometrics Institute good practice framework in July this year, which is really the culmination of all our work over the last 20 years, work we've done with the United Nations on good practices for biometrics and counterterrorism. I can't show you here what this is, but this is just a feel for a one-page gridline, 25 boxes, that show you what the journey of biometrics involves.
And I think, if you just look at this very simplified version of it, you will find biometrics are not all that easy to implement. There is a lot to consider to protect your customers' data to secure this system from any breaches and vulnerabilities. And interestingly enough, the very thing to consider when you start biometrics is not the modality. You should not just get carried away by an exciting solution that is out there. It is really about having a clear concept of operation and a business case and to do meaningful stakeholder consultation.
One more thing I'd like to flag is the committee we have that focuses on biometrics for digital onboarding. This is very relevant for this audience here. How do we establish and how do we link the digital identity to the human identity. Because you have to get it right at the very start. Otherwise, you just don't know who you're dealing with.
And I want to finally just mention, these conversations we have, we have at our events. So these are not your normal conferences on biometrics. These are events aligned to the values of the Biometrics Institute about a trusted, impactful, collaborative, and accountable conversation, under Chatham House Rule. There is a lot to learn about biometrics. You might think it's easy. Let me tell you, sadly, it's not. But it is a very exciting technology. And it is absolutely critical that you keep in mind you have to start with your privacy and policy first, and then think about the processes, and only last think about the technology choice. On that note, I will close, Aimee.
Thank you very much, Isabelle, for that presentation. Now, we still have some time left. So we would like to do a question-and-answer session. We've got some questions in already from our audience. So thank you very much for your participation.
And our first question, I will direct to Jamila from Mastercard. One of the first questions we had is, what is the current roadmap for the rollout of the biometric card?
Thank you. That's a good question, because today it's an existing product. So issuers today can go through a certification process with specific card manufacturers to provide the biometric card in market today.
So we've had several pilots and implementations of use that are in the works right now with issuing customers to offer the biometric card in multiple regions. So this is a product that's available.
We know that, from some of the market research that we've done last year that was performed in both the UK and Australia, with some affluent and general bank, that the biometric card met and exceeded all of their benchmarks for the market success. And over 81% of those participants were willing to pay something for the card.
So when we talk about the range of costs for solutions like this, today, with it being more new in the market, the range of the cost may be somewhere around $20 to $40. But those surveyed were willing to pay up to $23 for the card. So they really saw the evidence of security and flexibility of structure while having this more biometrically-offered physical card.
Super. Thank you so much, Jamila. For our next question, I will direct to Colm. One of our attendees asked, how prevalent are biometrics and two-factor authentication today.
Sure. Thanks, Aimee. So as you might have heard, I referenced the Payment Services Directive very early on. And one of the key mandates for PSD2 is two-factor authentication, of which something you own is one, something you know, and something you are. And something you are is the biometric part, essentially, of two-factor authentication.
What we're seeing at the moment, particularly across Europe, is that many of the issuers are focusing their efforts on trying to get two independent factors that are something you own and something you know, so whether it's an app-based banking app, and then something you know, such as a passcode or a question. And ultimately, then, they're moving towards biometrics over the next couple of years.
So as it stands presently, particularly in the European market, we don't see huge prevalence of biometrics and authentication as we expect to see probably going forward. But it is on the road map for many issuers. Many issuers identify and understand and accept that it is most likely the most seamless way for authentication, but also the safest way for authentication as well. It's just that the technology advancements under the regulations are working a bit slowly to get towards that figure yet that we saw on the first couple of slides.
But it is expected to get there. And as you mentioned previously, the majority of authentication that will happen post-2023 will be on biometrics. And the train has moved in that direction. But as we stand today, the majority of anyone who is on this call or who's listening in who may have had two-factor authentication applied to them this year-to-date, it's primarily an SMS call to your phone that you must put in online. Or it may be an app where you agree to purchase something via the app. And biometrics isn't that prevalent yet. But we are getting there as an industry. And primarily, as Isabelle mentioned, fingerprint and voice recognition and facial recognition is the way that people see it going. And we expect to see that rise considerably over the next couple of years.
Yeah. And just to add to that as well, having kind of responsibility for some of these globally-delivered solutions within Mastercard, a lot of my customers are working towards implementations that are following some of the standards that we talked about earlier, such as FIDO. Because what FIDO does is it adds the ability for a two-factor authentication to be performed without all these secondary auth requirements like knowledge or OTP as part of the experience.
So when you perform that biometric, you have that possession and biometric all within that same authentication challenge. So it simplifies the user journey. And a lot of our issuers, when looking into biometrics, are considering these types of challenges for device-based authentication.
Super. Thank you so much, Colm and Jamila. That was really helpful. So our next question I'll direct to you, Isabelle. So one of our attendees would like to know, why should we invest in biometrics. What would you think are the key points that would promote investments in biometrics?
Well I think, as we've seen in all three of our presentations, it is just a very secure way to link the identity of a person and make that transaction very secure. So it's certainly a long-term investment that will help you to create that relationship between you and your customer. And I think that's probably all really there is to say.
Of course it all depends on the application, on the risk you are managing. And we always, in our recommendations, say, as well, that's the very first thought-- is there an alternative? And that decision will always be related to the risk that you are addressing, to your consumers, the users, whether they are happy with the introduction. But once you go through all the processes, I think there's no question that the investment will be well worth it over time.
Thanks, Isabelle. I actually have another question here from one of our attendees for yourself. Is there a concern or a recognition in the Biometrics Institute that attempts to steal and fraudulently use biometric data will increase as the-- excuse me, sorry-- biometric data will massively increase as the adoption increases, and that the impact for the victim may be significantly greater.
Oh, look, obviously, I mean, I think that's part of our role, that we do want to see greater take-up of biometrics. But what we promote is that you have to go through all the important considerations to make this a secure implementation. It's not actually that easy to steal a biometric. It's certainly not if you have gone through the proper processes of securing the biometric template. It's not all that easy, and costs a lot of effort and investment of recreating the biometric, which is really-- it's a template. And it should be encrypted. So the question is, how attractive is it, actually, for anyone to try and steal that biometric and do something with it?
There are liveness detection systems that can also detect fakes or recreated biometrics that are created by the potential hacker. And as far as we know, all the attacks that have been successful have actually happened in labs, and not in real life. And do not forget, you should, of course, not only rely on the one biometric. It's part of an implementation. So there's a lot to consider. So I hope that answers the question.
Thank you, Isabelle. We have another question for you, Colm. Will biometric authentication differ by device?
Yeah, essentially. So as we move towards further and further different ways to pay-- and consumers are paying here in many different ways today already. But as we get further along the biometric journey, people paying with their mobile phone, whether it's POS, in-store, or online, will become the norm. Also paying with their watches and other forms of e-commerce purchasing and even point-of-sale purchasing. The biometrics will change to fit that particular device.
So as it stands today, the majority of biometrics is done on the m-commerce side of the house. So the biometric [INAUDIBLE] towards what can be achieved on a mobile phone. So it's either in retina display, facial display, and fingerprints. But if you start to use your phone, or your watch, or there's talk of using various other types of devices such as a ring or whatever it may be, your glasses, as technology advances, the use of biometrics will be dependent on the device. So as that happens, the industry has to work towards that. And more often than not, the payments industry moves along with the times in terms of merchants are driven by how consumers want to pay. And they're solutions-driven, so essentially "pay anywhere, anyhow." And biometrics will have to try and fit into that.
But yeah, it will definitely differ by device. And primarily the device of choice these days is the mobile phone. But it could change over time as technology advances even more. And the importance of biometrics will be even more so as these devices start getting rolled out over the next few years.
Thank you, Colm. And so I think we have time for one final question. This is for you, Jamila. Biometrics clearly have a significant and privacy-centric role in payments. How do biometrics play out beyond payments?
Absolutely, of course. So even at Mastercard, our biometric solutions started with payments first. But these have been extended to, these in-band-- these opportunities for account login, for account access, for sensitive-data types of interaction, as well as out-of-band authentication, which are those that are externally initiated, something from our fraud system, something to check for things like suspect transactions and those kinds of events.
So as we veer away from our devices, what we're seeing is another push towards biometric-only use cases, where we'll see the evolution of new challenges. But this model exists today in familiar scenarios like what was mentioned in airports, where biometric kiosks are being used for identification and access to help streamline a traveler's experience. We will likely start to see that evolution also in the payment space.
Thank you very much, Jamila. And thank you, everyone, very much for your participation and sharing of your questions as part of this webinar. We'll close off our webinar now. But thank you very much for your attendance and for your participation.
Thank you for joining today. As a reminder, this webcast will be available on demand. And you will receive a link in the next couple of days that will give you access to the archive and additional resources that may be of interest. This concludes our webcast. You may now disconnect.
Disclaimer: The information in this presentation is for informational purposes only, does not constitute an offer for products or services and should not be construed as an offer to buy or to sell. There is no warranty, express or implied, for the accuracy, completeness, or correctness of the information contained in this presentation.
The information herein or any document attached hereto does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients and any recipient of this document shall make its own independent decision. The information provided herein may not be copied, published, or used, in whole or in part, for any other purpose other than expressly authorised by Chase Paymentech Europe Limited. © 2020, JPMorgan Chase & Co. All rights reserved.
Chase Paymentech Europe Limited, trading as J.P. Morgan, is regulated by the Central Bank of Ireland. Registered Office: J.P. Morgan, 200 Capital Dock, 79 Sir John Rogerson's Quay, Dublin 2, D02 RK57, Ireland. Registered in Ireland with the CRO under the Registration No. 474128. Directors: Catherine Moore (UK), Carin Bryans, Dara Quinn, Steven Beasty (US), Eilish Finan.