“Buy with your eyes, pay with your glance!”
After running pilot tests in Brazil and parts of the Asia Pacific for roughly two years, Mastercard is finally rolling out its biometric retail payments system in Europe. The world’s largest payment card company appears to be determined to wean consumers off not only cash, its eternal rival, but also credit and debit cards, its main line of business until now. To that end, it is piloting its Biometric Checkout Program in Poland in collaboration with local fintech company PayEye, which will be providing its iris and face biometric technology.
Mastercard’s global Biometric Checkout Program, represents a first-of-its-kind technology framework to help establish standards for new ways to pay, allowing cardholders to use a wide range of biometric payment authentication methods such as palm, face or iris scan. This simplifies the checkout process in store, as consumers no longer need to use a physical payment card, cash or a mobile device to pay for purchases. With Mastercard Biometric Checkout Program, secure and convenient experiences are possible simply by using your biometrics.
“Mastercard is a pioneer of innovative payment methods and drive security, and standardization and Poland is an (sic) perfect place for such a groundbreaking pilot,” said Marta Życińska, general manager Poland, Mastercard.
If you, like me, are wondering, “Why Poland?”, the answer is simple: Poles are apparently more inclined to adopt dystopian disruptive new technologies — at least according to Mastercard. From the industry publication, Biometrics Update:
The global payments giant says it chose Poland as its first European country to pilot the program because of its receptiveness to new technologies. According to their survey, four out of five Polish people say that they use or have used biometric technology while among the 18–25-year-olds category, almost all are familiar with using biometrics.
“Poland was one of the first countries where contactless payments with Mastercard cards were introduced and we know that Polish consumers are leaders in adopting innovative technologies,” says Marta Życińska, Mastercard’s general manager for Poland.
The pilots will be conducted in five stores in Warsaw, Wrocław, Kraków, Poznań and Czeladź. Empik has over 350 stores across Poland.
This will be the first time Mastercard has piloted a Biometric Checkout Program in Europe. In May, 2022, the company unveiled to much fanfare plans to launch a pilot “biometric checkout program” in the UK, but that so far appears to have come to naught. Before testing the system on UK consumers, the company first trialled it in Brazil. It then expanded its pilot programs program to the Asia Pacific region and launched its second pilot in Latin America earlier this June.
JP Morgan Chase Joins the Race
Mastercard is not the only large financial institution testing out this still relatively nascent payment technology. The company’s largest rival (after cash, of course) and fellow duopolist, Visa, recently showcased its pay-by-palm biometric payment technology at an event in Singapore. During the event, visitors were invited to try out the palm reader and link their signature to their payment card for a transaction.
“The future of biometric payments is promising and is set to revolutionise the retail experience,” said Kunal Chatterjee, Head of Innovation at Visa Asia Pacific. But it may take time for the technology to reach critical mass. Various factors, he said, influence the level of acceptance of biometric payments, including regulation, technology and consumer priorities, which can vary from country to country.
The largest bank in the US, JP Morgan Chase, is also piloting both face and palm pay technologies, with a view to fully launching a biometric checkout service with its merchants early next year. Given JPM is the largest merchant acquirer in the US, processing around 37 billion transactions in 2022, the impact on the payments landscape in the US could be huge. According to Prashant Sharma, executive director of biometrics and identity solutions at JPMorgan, merchants are highly interested in tapping biometrics, “because everybody wants to provide a streamlined, personalized experience to the consumer.”
Biometrics have already seeped into many other aspects of everyday life, including travel and communication. Many national passports these days include biometric data. Hundreds of millions — perhaps even billions — of people use a biometric authentication factor, such as a fingerprint or face scan, to unlock their smartphones and other digital devices. Soon, biometric identifiers may even be necessary to log onto social media platforms.
In other words, people are already giving away their most private data to work, communicate, cross borders, or get on planes. Will they do the same to speed up their shopping experience?
It is far from clear. As we reported last year, a push back against biometric surveillance and control systems has been gathering momentum on both sides of the north Atlantic, particularly the Western one. In the US, a small but growing handful of cities, including New York, have passed biometrics laws. Likewise, a growing number of states have followed Illinois’ lead in passing laws that expressly govern the processing of biometric data. In Illinois alone, more than 1,000 class action lawsuits have been filed under the state’s Biometric Information Privacy Act (BIPA).
In the UK, meanwhile, the unmanned store experience offered by Amazon has been such a flop that the company has had to begin opening stores with actual fresh-and-blood human beings serving customers. Across the English Channel, there have been murmurings of protests in Belgium, France and other countries. But despite this growing backlash, there is a sense of inevitability to all of this. These are, after all, technologies that stand to massively benefit both governments and corporations alike while stripping the public at large of even more power, autonomy and independence.
More Convenience. But for Whom?
Mastercard’s Biometric Checkout Program claims to offer several benefits, including increased speed, convenience and better hygiene. Consumers first have to enrol in the program, by using their phone to scan their face, before being able to take advantage of its supposed benefits.
“The new technology ensures a fast and secure checkout experience, while also empowering consumers to choose how they want to pay… No more fumbling for your phone or hunting for your wallet when you have your hands full – the next generation of in-person payments will only need a quick smile or wave of your hand. The trusted technology that uses your face or fingerprint to unlock your phone can now be used to help consumers speed through the checkout. With Mastercard’s new Biometric Checkout Programme, all you will need is yourself.”
In other words, consumers will not have to use safer two-factor authentication — biometrics plus a PIN or password — if they don’t want to. And they are essentially being encouraged by Mastercard not to.
In the interview below, Ajay Bhalla, Mastercard’s president of cyber and intelligence solutions described the company’s biometric checkout program as a “cool new technology” that “allows consumers to pay with a smile on their face or just wave.” That way, he said (emphasis my own), “you can forget the clunkiness of taking your wallet out, your devices out, your card out.” Just do your shopping, he said “go to the checkout and… pay with your face. It’s as simple as that.”
Convenience, as always, is the watchword. But for whom?
It is already well established that large retailers, banks and payment card companies much prefer people to use contactless payments as much as possible because: a) they are quicker to process, which means more sales per hour and more fees for the banks and card companies; and b) (this is the key part) people tend to spend their money in a more carefree or reckless fashion, which also means more sales for the retailers and more commissions and fees for the banks and card companies. As growing numbers of cash-strapped consumers grappling with high inflation have discovered (or rediscovered), cash tends to have the opposite effect.
This was already known when contactless cards began making their appearance almost two decades ago, as a 2006 Financial Times article makes clear:
Mr Williams, [controller at The Bailey Co, parent company of Arby’s, a fast food restaurant chain based in the US], has found that customers spend about 50 per cent more when they use a contactless card than when they pay for their food with cash: “I think it is psychological: because customers are not pulling cash out of their wallet, they spend more.” Arby’s has also made productivity gains with less time being spent on counting money and taking it to the bank, Mr Williams says.
Another benefit to retailers is that cards allow them to capture data about their customers from small transactions.
“If contactless cards offer merchants better information on their customers, that could prove to be valuable,” says Mr Uzureau.
Beware of Wandering Eyes
Another potential problem with Mastercard’s biometric checkout program is the apparent risk posed by customers’ wandering eyes. As the company itself notes in its press release, using PayEye’s eyePOS terminals “requires precise calibration, such that there is no risk of accidentally looking at the terminal and paying” for somebody else’s purchases.
Other major concerns include privacy and security (or lack thereof). More or less all large corporations have suffered at least one significant data breach in recent years, often through third-party service providers. They include, of course, Mastercard, Visa and JP Morgan Chase. In March this year, American Express (Amex), the US’ third largest credit card company, alerted its customers that their credit card details may have been compromised following a third-party data breach.
“The idea of a data breach is not a question of if, it’s a question of when,” says Professor Sandra Wachter, a data ethics expert at the Oxford Internet Institute. “Welcome to the Internet: everything is hackable.”
In my 2022 book Scanned, I documented how authorities in India, the Philippines and South Korea had suffered extensive security and data breaches leading to the leaking of biometric ID information belonging to millions of people.
Since then India’s Aadhaar ID system has suffered its biggest ever data leak, the Inspector General (IG) of the US Department of Defense (DoD) has released a report revealing glaring gaps in security and management of biometric data within the DoD, and an Australian firm called Outabox has suffered a breach of personal data linked to a facial recognition scheme that was implemented in bars and clubs across the country during the reopening of the economy. As WIRED magazine reported in May this year, the Outabox incident vindicated the privacy experts who have repeatedly warned about the creep of facial recognition systems in public spaces such as clubs and casinos:
“Sadly, this is a horrible example of what can happen as a result of implementing privacy-invasive facial recognition systems,” Samantha Floreani, head of policy for Australia-based privacy and security nonprofit Digital Rights Watch, tells WIRED. “When privacy advocates warn of the risks associated with surveillance-based systems like this, data breaches are one of them.”
This may not be news to regular readers but it bears repeating: biometric data is the most precious data of all. If it is hacked, leaked or compromised in some other way, the damage is often permanent. You cannot change or cancel your iris, fingerprint or DNA like you can change a password or cancel a credit card. As Illinois’ BIPA law notes, once biometric identifiers are compromised, “the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” This is what makes the relentless march toward a future of biometric-enabled surveillance and control so dangerous.