JCB to trial palm vein authentication for cardless payments

Japanese card scheme JCB is to trial the use of palm vein authentication technology from Fujitsu for cardless purchases at ATMs and merchant terminals.

  21 6 comments

JCB to trial palm vein authentication for cardless payments

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

In July, JCB confirmed the system's effectiveness in a field trial involving several hundred employees who used the technology to pay for food and beverages at the employee cafeteria in JCB's headquarters.

The palm vein data from JCB's customers, along with their payment card information, is registered in advance in Fujitsu's datacenter.

When making a purchase, the customer waves their hand over a palm vein sensor. From the palm authentication servers, the corresponding payment card's information is then read, and the transaction is processed. Depending on the number of people registered, however, a multi-digit number key may need to be input to narrow down the authentication process.



Tac Watanabe, EVP, brand infrastructure and technologies, JCB, says: "We are planning pilots in different global markets in order to develop a unique biometric-based program using the most secure accurate palm vein authentication. I am confident that this new payment method using innovative technology will be in line with the needs of JCB customers and partners around the world."

Fujitsu says it has shipped a cumulative total of 470 thousand palm vein authentication devices, which have been used by over 63 million people in approximately 60 countries around the world.

Recent research from consultancy Technavio suggests that the global vein recognition biometrics market in the banking, financial services and insurance (BFSI) sector is set to grow at a compound annual growth rate (CAGR) of 27.83% from 2014-2019.. “Vein recognition biometrics is gaining importance in the BFSI sector for applications such as logical access control, physical access control, mobile banking, branch banking, kiosks, ATM and safe deposit locker,” the company states.

Sponsored [Webinar] Operational Resilience in the age of DORA

Comments: (6)

Hitesh Thakkar

Hitesh Thakkar Technology Evangelist (Financial Technology) at SME - Fintech startups (APAC and Africa)

JCB riding of Biometric Authentication for Payments and joining party with MasterCard.

Seems to be interesting authentication sequence which some how remains incomplete.

"Depending on the number of people registered, however, a multi-digit number key may need to be input to narrow down the authentication process."

My understanding:

Customer swipes card, uses the Palm vein sensor attached to TABLET ( looks to be Embedded Win OS tablet :)) and Palmvein authentication server sends card data which needs to be inputted through Key Pad.

Why card data is returned or is it some kind of random number for additional security?

What happens for E-commerce transaction as customer can use palm vein authentication with App on my smartphone similar to Barclays?

A Finextra member 

Remember the FBI data breach a couple of months ago, where their entire fingerprint database got stolen?

Having to change your fingerprints is difficult enough, but I'd really like to know how anyone would change palm vein patterns. I certainly don't envy those 63 million people...

Kevin Yee

Kevin Yee Manager at OCBC Bank

@Hitesh There is no physical card involved here. The use of palm vein - as oppoosed to a single fingerprint or finger vein - is so that the identification data is unique enough to not require a second authentication factor (i.e. only palm vein rather than card + fingerprint).

Yet, if there are "too many" registered users, and given that biology by nature has its variances at time of day, based on a person's health, depending on age etc., even palm vein may not work well enough to be single-factor. Hence the possibility to need an additional multi-digit number key.

@Mark While I don't have insight to on how this particular implementation works, in general it is possible to be storing only the hashed signature of the palm vein ID. Meaning if the biometric database is lost, it is highly difficult or practically impossible for the original palm vein information. Fujitsu simply has to change their hash algorithm, get users to re-register, and they would be back in business again, and the stolen data is virtually useless anywhere else too. Of course that's only my guess of how this should work. 

A Finextra member 

@Kevin: All biometric data is stored and transmitted in a digitised form, which means that it can be intercepted, stored, and re-used to impersonate the owner. This is why the FBI is a bit worried, since their operatives can now be identified by border security, secret police, foregn military and other unpleasant people.

Even if the data is stored as a hash - which I doubt - changing the hashing algorithm, and getting a huge number of users to re-register is a non-trivial exercise.

Kevin Yee

Kevin Yee Manager at OCBC Bank

@Mark Yes, but the potential damage should be limited to within the Fujitsu ecosystem. At least the users should not have to use a knife or otherwise to amend their palm veins... or so we hope! :)

Hitesh Thakkar

Hitesh Thakkar Technology Evangelist (Financial Technology) at SME - Fintech startups (APAC and Africa)

@Kevin Thanks for views. I agree Palm vein has advantages over finger prints. I had case study of few banks in Brazil started few years back using Fujitsu 's palm vein solution at their ATMs.

India being largest biometric citizen database owner such developments are always tracked for serious business case for India. Ofcourse we have KYC done using biometric database as part of customer onboarding.

[New Impact Study] Catering to a new generation through unified card programmesFinextra Promoted[New Impact Study] Catering to a new generation through unified card programmes