JCB to trial palm vein authentication for cardless payments

JCB riding of Biometric Authentication for Payments and joining party with MasterCard.

Seems to be interesting authentication sequence which some how remains incomplete.

"Depending on the number of people registered, however, a multi-digit number key may need to be input to narrow down the authentication process."

My understanding:

Customer swipes card, uses the Palm vein sensor attached to TABLET ( looks to be Embedded Win OS tablet :)) and Palmvein authentication server sends card data which needs to be inputted through Key Pad.

Why card data is returned or is it some kind of random number for additional security?

What happens for E-commerce transaction as customer can use palm vein authentication with App on my smartphone similar to Barclays?

Remember the FBI data breach a couple of months ago, where their entire fingerprint database got stolen?

Having to change your fingerprints is difficult enough, but I'd really like to know how anyone would change palm vein patterns. I certainly don't envy those 63 million people...

@Hitesh There is no physical card involved here. The use of palm vein - as oppoosed to a single fingerprint or finger vein - is so that the identification data is unique enough to not require a second authentication factor (i.e. only palm vein rather than card + fingerprint).

Yet, if there are "too many" registered users, and given that biology by nature has its variances at time of day, based on a person's health, depending on age etc., even palm vein may not work well enough to be single-factor. Hence the possibility to need an additional multi-digit number key.

@Mark While I don't have insight to on how this particular implementation works, in general it is possible to be storing only the hashed signature of the palm vein ID. Meaning if the biometric database is lost, it is highly difficult or practically impossible for the original palm vein information. Fujitsu simply has to change their hash algorithm, get users to re-register, and they would be back in business again, and the stolen data is virtually useless anywhere else too. Of course that's only my guess of how this should work. 

@Kevin: All biometric data is stored and transmitted in a digitised form, which means that it can be intercepted, stored, and re-used to impersonate the owner. This is why the FBI is a bit worried, since their operatives can now be identified by border security, secret police, foregn military and other unpleasant people.

Even if the data is stored as a hash - which I doubt - changing the hashing algorithm, and getting a huge number of users to re-register is a non-trivial exercise.

@Mark Yes, but the potential damage should be limited to within the Fujitsu ecosystem. At least the users should not have to use a knife or otherwise to amend their palm veins... or so we hope! :)

@Kevin Thanks for views. I agree Palm vein has advantages over finger prints. I had case study of few banks in Brazil started few years back using Fujitsu 's palm vein solution at their ATMs.

India being largest biometric citizen database owner such developments are always tracked for serious business case for India. Ofcourse we have KYC done using biometric database as part of customer onboarding.