Major French Chains Testing Biometrics On Top Of A Contactless Smartcard, All Riding On EMV

American retailers have never been able to make biometric payment authentication work, but it has been years since anyone has attempted it. Is the time now ripe? Was the efficiency and speed of biometrics the right idea at the wrong time? Two major French chains—Leroy Merlin, with more than 300 home improvement stores in 13 countries, and the Auchan Group, with 639 hypermarkets and 2,412 supermarkets—are betting that shoppers are now ready.

But the six-month French trial that has just started is taking the efficiency goal one step further, by marrying a contactless smartcard—which holds the biometric data—with the POS-affixed biometric scanner. The retailers estimate that the contactless card's transmission will be intercepted by the POS authentication element from two meters away, which is about 79 inches or about 6.6 feet.

This way, it literally asks the shopper to do nothing more than scan a finger or a hand. And given that it's happening in Europe, this all sits atop an EMV transaction. The EMV part is where some of the efficiency—by comparison—happens, because the PIN that is normally required truly slows down checkout.

The trial is trying two different biometric tactics in two geographies. In Angoulême, shoppers will use digital fingerprints, while those in Villeneuve d'Ascq will be asked to have the patterns of their finger veins captured. The biggest downside is that shoppers must first visit their bank to have the biometric readings taken and to then have the results stored on their smartcard. Presumably, there would be extensive authentication done at the time the readings are taken. Hence, the convenience is a long-term concept, and getting customers to submit themselves to the initial phase will take some convincing.

Andre Delaforge, who runs marketing for the vendor coordinating the trials, Natural Security, said customers have thus far had no hesitation with cooperating. "We have gotten no resistance at all thus far," he said. "Maybe this is a question of time to market?" meaning that other biometric trials may have launched too soon.

Possibly, but it's hard to envision this flying in the U.S. Will consumers be worried about sharing that data with their banks and, by extension, all retailers where they want to shop? Will they be worried—and not without reason—that the absence of a PIN will make this approach a very tempting target for fraudsters? With the contactless card beaming the biometric details to anyone scanning the airwaves within six feet of a shopper, is it not possible to trick the machine into seeing an echo of those values?

All payment systems can be cracked, and some question whether putting too much reliance on any single authentication element is asking for trouble. On the other hand—literally—it is harder to fake a fingerprint that matches up with what's on a card than it is to hijack a four-digit PIN.

The real issue is that this is a single element of authentication. If that element can be faked, the cyberthief wins. That's no different than someone today cloning a payment card, where no PIN is needed and signature is worthless as an authentication element. That gets back to the difficulty of faking it. Is a cloned card harder or easier to deliver than tricking the biometric scan into accepting the numbers you wirelessly stole and decoded?

That all said, if this can be made to work securely, the convenience of no card, no swipe or wave, no PIN and no signature could make a lot of retail transactions faster. Speaking of time to market, is it perhaps too late for biometrics, given the multitude of more complex ways mobile devices can now authenticate shoppers? Or could these approaches merge, with biometric data stored on the mobile device?