"Biometrics are going to play a very important role in payments," says Paul Baker, Vice President, Product Management, MasterCard. "The [Samsung Galaxy] S8 with face and finger recognition, it's so much more intuitive than using a static password." Gadgets 360 got to talk to Baker in Bengaluru at the sidelines of the first MasterCard Innovation Forum to take place in India, along with Johan Gerber, Executive Vice President of Security and Decision Products, MasterCard. In the wake of the launch of the iPhone X and its Face ID technology that is also used to authenticate Apple Pay, we wanted to know more about how MasterCard viewed the innovation, and how it compared to PINs and other forms of security.
MasterCard has a similar feature that it launched last year,and unlike Apple's solution, MasterCard's Selfie Pay is not restricted to one phone right now. Baker demonstrates the function, which works pretty simply - instead of entering an OTP or a PIN, you are prompted to face the camera, and once you do that, you have to blink once. "The blink demonstrates liveness," Baker explains. This means that no one can use your sleeping face, or make a payment using a printout or other fake likeness.
However, Apple's huge user base can help ensure that the feature actually catches on, while Selfie Pay remains a niche offering for now. "We think it's a great thing that Apple is doing this, because it'll get a lot of people to trust facial recognition, and get used to this kind of behaviour," says Gerber.
Baker adds that MasterCard is aiming to build solutions that work across a range of devices. "We can't tell people that you have to use, say, a Samsung," he says. "Not all biometrics sensors are created equal, but the goal is to offer something that works reliably and securely across a wide variety of phones."
The iPhone X might have put the focus on Selfie Security, but fingerprint authentication has become a well accepted way of getting into our phones these days, and it's equally valuable for payments. Demonstrating a card not present transaction validated with a fingerprint, Baker mentions that in case a match isn't verified, you can still complete the payment with a PIN or OTP, as a failsafe. But that's not exactly a new development - these days, you can sign into some banking apps with a fingerprint. ICICI's iMobile app lets you sign in with a fingerprint if you have set it up on your phone, and you can use this to approve UPI payments, for example.
However, MasterCard has very recently come up with something new that Baker shows us - a credit card with a fingerprint reader in it. The company just released it a few months ago, and it's still only on the roadmap for India, but the way it works is really interesting. The card itself looks like a normal credit or debit card; it's the same thickness as well, and you can use anywhere you would use an existing card.
"You put the card into the terminal like any chip card, and then just put your fingerprint to authenticate it like you would on your phone," says Rajat Maheshwari, Vice President, Business Leader EMV and Digital Devices - Innovative Products, MasterCard. If your fingerprint isn't recognised, you have the option of entering your PIN. But how does your fingerprint get stored on the card? The chip-based cards have circuitry on them, and when you get a new card, you can enrol your fingerprint. "Either you could do this at your bank, they would have a tablet with the necessary software," Maheshwari explains, "or you know how you get the PIN mailer from the bank, so we could ship a cover with that, and you insert your card in that cover and the first three times you hold your finger against it, the fingerprint is registered. And after that it is only verified."
Sounds like money
That wasn't the only new mode of payment that was shown at the MasterCard Innovation Forum either. Another company that was showcased at the event was ToneTag, an Indian payments startup that has worked with the likes of Tech Mahindra, and FreeCharge. The way ToneTag works is a little similar to the American company Clinkle, which was founded in 2011, and launched in 2014, but failed to really take off. Google's newly launched Tez app also uses a similar audio-identifaction feature.
ToneTag uses sound waves to send data to your phone - it can be used to let your phone know that you're in front of a particular display in a store, for example, or to authenticate a payment. This can even work with feature phones, the company representatives say, using the bank's IVR line to securely handle the transaction. The merchant has a small speaker that works without the Internet or even phone connectivity. It broadcasts an audio code, and even if you have a feature phone, you just dial the IVR number, and then hold the phone near the speaker.
The audio code is transmitted and verified, identifying the merchant. Then, the customer can type in the amount, and press the hash key. Once that's done, the payment will be completed, and both the customer and merchant will receive an SMS confirming the transaction, allowing the payment to take place completely offline, without even a single smartphone. With a smartphone, the system is more along the lines of BharatQR, only using the audio tone in place of a QR code. This isn't supported by banks yet, but the company's representatives explain that talks are underway.
These were just some of the technologies that MasterCard showcased for Gadgets 360 at the Innovation Forum. All of this is still a work in progress in India though - the different ideas are still in the process of being rolled out, and talks are on with the regulators and banks, which will actually bring the technologies to the customers, but it's clear that there are going to be a number of new ways to pay, going forward.