A biometrics solution for Commercial Cards.

Fingerprints and selfies are coming to the Commercial Card world! I view this as big news. Last year, the headlines were all about EMV/chip cards. Now the tide is turning toward improving the security of online purchases, which often comprise a large portion of Purchasing Card transactions in particular. BMO Financial Group (BMO) and Mastercard have an answer. Following is content from their related press release.

These two organizations have begun a phased launch of the first biometric corporate credit card program in Canada and the U.S. that will enable cardholders to verify transactions using facial recognition and fingerprint biometrics when making online purchases. The introduction of this technology will increase security when making payments that do not include a face-to-face interaction, and will be integrated seamlessly for easy use in reducing the likelihood of a card being used by anyone who is not the cardholder.   

Beginning with corporate cards issued to BMO employees in Canada and the U.S., the Mastercard Identity Check mobile app will prompt participants to:

  • scan fingerprints or snap selfies to validate their identities via biometrics; and

  • when verified, return to the merchant site to complete the online purchase.

“The use of biometric technology has become more common for consumers looking for convenient and secure ways to make purchases using their smartphones, so this was the natural next step for us as innovators in the payment security space,” said Steve Pedersen, Vice President, Head, North American Corporate Card Products, BMO Financial Group. “Mitigating the risk of fraud is always our top priority, and the inclusion of this technology is going to make payment authentication easier, and strengthen the security of the entire payments ecosystem.”

Mr. Pedersen added that the first phase will test the potential of delivering greater security and convenience using BMO employee corporate cardholders in the U.S. and Canada, including establishing and improving best practices in corporate environments, developing better protection against potential fraud and continually minimizing the need for customer service inquiries. Once complete, the next phase will be to make the technology available to customers more broadly beginning in the summer of 2016.

“With BMO, Mastercard is hosting our first Canadian and U.S. corporate card biometric user engagement. It’s always exciting to introduce biometrics to new cardholders. They quickly realize that they don’t have to sacrifice convenience for security. By snapping a selfie or scanning a fingerprint, the person becomes the password,” said Catherine Murchie, Senior Vice President of North America Processing, Enterprise Security & Network Solutions for Mastercard.

Biometrics offer another layer of security for online payments.

About BMO Financial Group

Established in 1817 as Bank of Montreal, BMO Financial Group is a highly diversified financial services organization and a leading provider of commercial card and treasury solutions based in North America.  With total assets of approximately $642 billion as of October 31, 2015, and close to 47,000 employees, the bank also offers a broad range of retail banking, wealth management and investment banking products and services to more than 12 million customers.

About Mastercard

Mastercard, www.Mastercard.com, is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard’s products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. Follow us on Twitter @MastercardNews, join the discussion on the Beyond the Transaction Blog and subscribe for the latest news on the Engagement Bureau.

What I Like About This

Besides this being good news overall, when I learned more about their solution, I was excited by a specific element. Any device, including a laptop or even desktop computer, can be used for the online purchasing process. (I was thinking about administrative assistants and others who work at their desks all day.) The authentication, however, will occur via the purchaser’s mobile device.

This is just one more evolving piece of card and payment security—a growing and important part of the industry.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

Evolving security for online payments.

Worldwide, card not present (CNP) fraud continues to be a challenge in the payments industry. We have seen the warnings. Such fraud typically rises as countries migrate to EMV/chip cards in an effort to reduce other types of fraud like point-of-sale fraud and card cloning. This is indeed happening now in the United States. However, do not think industry players (e.g., issuers, networks, acquirers, merchants) are sitting idly. Following are a couple of evolving tools to combat CNP fraud and/or the theft of personal data.

One-time Passwords 

Perhaps you have experienced one-time passwords or passcodes (OTP) already. My payment card processor utilizes this functionality. After I provide my ID and password for their site, I also have to enter a one-time, six-digit number that they send to my mobile device as part of the login process. It expires in five minutes. 
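How a login service could issue and check the six-digit, five-minute passcode described above, as an added example that is not from the original post or from any card processor. The `OtpStore` class, the in-memory storage and the three-attempt limit are assumptions made for illustration.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6            # six-digit code, as described in the post
OTP_TTL_SECONDS = 5 * 60  # expires in five minutes, as described in the post
MAX_ATTEMPTS = 3          # assumption: discard the code after three wrong guesses


class OtpStore:
    """Hypothetical in-memory store of pending passcodes, keyed by user id."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry can be tested
        self._pending = {}    # user_id -> [code, expires_at, attempts_left]

    def issue(self, user_id):
        """Create a fresh code; any earlier code for this user is replaced."""
        # secrets (not random) gives an unpredictable value; zero-pad to six digits.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = [code, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # the caller sends this to the user's mobile device

    def verify(self, user_id, code):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'none' (nothing pending)."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "none"
        stored, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[user_id]
            return "expired"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(stored.encode(), str(code).encode()):
            del self._pending[user_id]  # single use: a replayed code finds nothing
            return "ok"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            # A six-digit code has only 1,000,000 values, so guessing must be capped.
            del self._pending[user_id]
            return "locked"
        return "wrong"
```
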

Every fraud prevention strategy should include a multi-faceted approach to increase effectiveness.

Julie Conroy, Research Director, Aite Group Retail Banking Practice, is someone who has studied security over the years. She stresses, “A big security weakness is our reliance on static passwords and the fact that most people use the same password for multiple sites. The industry must transition from static passwords to dynamic ways of confirming the identity of a user.”

There have been countless reports of fraudsters obtaining access to one account of an individual and using the stolen credentials to access other accounts belonging to that person. They are often able to gather enough personal data to commit more crimes like applying for a loan.

As individuals, we can do our part by not using the same password for multiple applications and sites. Also consider the strength of the passwords you use. One of the most common passwords continues to be “password.” Many organizations train their employees on strong passwords and other aspects of security. Further, it is a best practice to address security within your card program policies, procedures and training.

3-D Secure 

Despite being an international security standard for online card payments, 3-D Secure (3DS) has not received a lot of press, nor extensive use, in the United States. This is starting to change as CNP fraud makes more headlines and 3DS continues to improve. It provides another method for verifying someone’s identity during the online checkout process, but it requires participation from the merchant and their acquirer/processor, and the cardholder and their card issuer/bank. You might be familiar with the different names, depending on card brand; for example, Verified by Visa, Mastercard SecureCode and American Express SafeKey.

The first iteration of 3DS relied on static passwords. During checkout, the purchaser (cardholder) would click a link to a designated webpage provided by their card issuer, where they had to enter an additional, previously established password to authenticate the transaction. Opponents of this arrangement argue it can result in the abandonment of legitimate purchases because of the extra step. However, as Julie Conroy shares, “The evolution of 3DS now gives merchants greater control—through a metrics-based approach—over which transactions are pushed down the 3DS path.” She also notes that many of the large issuers have moved to either risk-based authentication, which requires no interaction from the purchaser, or dynamic authenticators, such as a one-time passcode (OTP). Some countries are even mandating 3DS to some extent or are considering a mandate. Within the Commercial Card realm, 3DS is primarily used outside the United States.

Naturally, every fraud prevention strategy should include a multi-faceted approach to increase effectiveness. This post only references two of many.  

What's Next

Stay tuned to this blog for a related, upcoming post on a new security solution for Commercial Cards.   
