GS Logo
The Green Sheet, Inc

Please Log in

A Thing

Are Smart Cards the Key to the Biometrics Solution?

By Tracy Kitten, LogoThis story was originally published on, Feb. 9, 2005; reprinted with permission. © 2005 NetWorld Alliance LLC. All rights reserved.
Editor's note: This story is a follow up to "Back to the Future: Biometrics Revisited," an article published in the Feb. 28, 2005 issue (05:02:02) of The Green Sheet.

The idea of carrying a template of some part of yourself around in your pocket is, well, a little unnatural. But it's becoming one of the preferred forms of identification, especially when compared with the alternative, storing biometrics data elsewhere.

Whether it's used to let a cardholder gain access to accounts at ATMs or to enforce security restrictions at airports, biometrics is finally attracting increased interest, largely because of weaknesses associated with other verification methods.

Although biometrics technology has been around for more than a decade, it hasn't yet taken off as a form of identification, especially in the United States.

Mark Grossi, NCR Corp.'s Chief Technology Officer, said that consumers weren't comfortable with biometrics in the 1990s. They didn't understand how biometrics information would be used and stored, and financial institutions weren't willing to tackle the infrastructure challenges that storing all of that data posed.

But experts like Francois Lasnier, North American Vice President for Axalto Inc., a Texas-based provider of smart cards and point-of-sale terminals, believe that the challenges that slowed adoption of biometrics in the 1990s can be overcome with smart cards.

It's Not Called Smart for Nothing

Card issuers around the world realize that online connections are not as secure as they need to be, Lasnier said.

Banks were initially eager to connect all transactions, from ATMs to online banking channels, but recent incidents of phishing and card skimming at ATMs and POS terminals, have forced banks to reconsider traditional methods of protecting data.

"It's really all about the communication channel," Lasnier said. "The U.S. is one of the leading countries in the world to address online security. But the whole online environment [is vulnerable]. People can get into your account."

Lasnier said financial institutions in the United States have been reluctant to change the way they do things because they fear a consumer backlash.

"If they try to deploy something that protects consumers from fraud, then they have to admit that problems exist, and that's not something financial institutions want to do," he said.

Lasnier expects that to change over the next five years. As the rest of the world incorporates the Europay/MasterCard/Visa (EMV) standard, the United States will be forced to catch up.


In 1996, Europay, MasterCard and Visa first released flexible specifications for smart card-based debit and credit payments.

In 1999, the three card Associations founded EMVCo LLC, an independent organization, to manage and enhance EMV specifications as technology advances and the implementation of chip card programs become more prevalent.

Since then, EMVCo has published specification updates that factor in advancements in smart card technology, such as faster chip speeds.

EMVCo also established a single approval process for POS terminals and ATMs to ensure cross-payment system interoperability.

Because smart cards can hold far more information than magnetic (mag)-stripe cards, and because data cannot be copied as readily from them as they can from mag-stripe cards, issuers throughout the world are beginning to adopt the EMV standard.

According to a report published by VeriFone Inc. titled "EMV: Global Framework for Smart Card Payments," Visa estimates that counterfeiting can be decreased by at least 70% with smart cards.

The financial industry in the United Kingdom became one of the first to endorse EMV specifications when card fraud soared there during the mid-1990s.

In 1999, the United Kingdom began converting its approximately 80 million mag-stripe debit and credit cards to smart cards, and began requiring ATMs and POS terminals to be equipped with EMV-compliant card readers.

Western Europe face[d] a deadline of January 2005 to make the smart card/EMV switch. Central and Eastern Europe, the Middle East, Africa and Asia/Pacific must make the move by January 2006.

Though Canada has yet to establish an EMV compliance deadline, Lasnier said smart card pilots are already underway there. "When that technology begins to unfold, you'll begin to see neighboring countries, like the U.S., begin to use it," he said.

American card issuers have been reluctant to adopt EMV because fraud has not been as great a problem as it is in countries like the United Kingdom. But Lasnier predicts that could change.

"We can suspect that fraud is going to begin moving to the U.S. as the increased use of smart cards spreads throughout the world," he said. "The fraud will move to the place of least resistance."

Lasnier estimates that 50% of the POS devices being sold in the United States include smart-card readers. Approximately 35% of the country's installed base of POS devices is ready for EMV now, he said.

"The last link is the smart card infrastructure," he said. "So in the next two or three years, there won't be anything to hold it up. You will begin to see smart card connections in the United States."

Lasnier believes that Visa and MasterCard may even mandate the technology in the United States as they have elsewhere around the world.

If You Build It, They Will Come ...

Most experts agree the issue of where to store biometric data has been one of the primary issues blocking the use of biometrics at the ATM. If smart cards are adopted in the United States, those barriers could begin to disappear.

As card fraud becomes a greater concern throughout the world, the use of smart cards at the ATM must be considered, said Randy Vanderhoof, Executive Director of the Smart Card Alliance.

"There's no concrete evidence at this time but as more people use debit cards with traditional PINs and mag-stripes in the United States, fraud will increase," he said.

"It will become increasingly easy for someone to go to the ATM and empty someone's account. With a smart card, you eliminate the fraud that occurs from people reading the mag-stripe information from the swipe, like from the card reader."

Evidence of growing consumer acceptance of smart cards in the United States is popping up, Vanderhoof added.

Last November, the Transportation Security Administration launched an 11-month worker identification credential prototype that requires transportation employees to present smart cards that contain biometrics information for admittance at ports, airports and other sites.

Gordon Hannah, a Senior Manager for BearingPoint Inc., which is overseeing the $12 million project, said 200,000 credentials will be issued over the course of 11 months.

BearingPoint is running the prototype project at 10 sites, some using contact smart cards and others using contactless versions that communicate with smart card readers via radio waves. At the end of the 11-month period, the project will be implemented at 30 sites.

Hannah said biometrics data, including fingerprint templates and facial and iris images, are being stored in a database, a government requirement for the project, and also on the cards themselves.

"For this program, we had a requirement to use the database, to make sure that we hadn't seen the person before, so that we didn't issue more than one card," Hannah said.

"Or, for the scenario of re-issuance, I want to make sure that I only have to make the match once to get a new card, so that I don't have to come back in."

But using smart cards alone for biometrics information could be appropriate in other situations, Hannah said, including ATMs, where creating a database to hold all users' information would be cumbersome, if not impossible.

For instance, an Axalto smart card being used in another interesting biometrics project, one that is underway at the Minneapolis-St. Paul International, Los Angeles International, Houston's George Bush Intercontinental, Boston's Logan International and Ronald Regan Washington National airports, can hold about 64 kilobytes, 13 times more information than a standard mag-stripe.

A mag-stripe, on average, can hold about 140 bytes. The average fingerprint template consumes around 500 bytes.

The airports' project involves select frequent flyers who now only present cards with biometrics data to verify their identities when they go to the airport. About 10,000 frequent flyers, 2,000 at each site, are participating in the pilot. The expectation of the pilot, which is being administered by Unisys Corp., is that airports throughout the country will be able to quickly usher frequent flyers through security checks.

All five sites are using iris and fingerprint biometrics. Three of the five airports store information only on cards, while the other two are using a database.

Bryan Ichikawa, Chief Engineer for Unisys' Registered Traveler Program, said the pilot has been extended until the end of September 2005.

Because the program is voluntary, Ichikawa said, there hasn't been any resistance from consumers. In fact, he said cardholders are pleased with the program because it has eliminated the need to wait in long lines at security checkpoints.

"Security is the catalyst," he said. "If you think in terms of a haystack, there are something like 60 million passenger boardings per year. Half of those are performed by about 8 million people. So if you know who the 8 million are, you've cut the haystack of boardings in half; you've narrowed that down to 30 million boardings.

"It's not about looking for needles when it comes to terrorists," he added. "It's about making the haystack smaller."

Using smart cards to store biometrics templates is logical, Ichikawa added, because the cards "are inherently secure." There is plenty of room to store biometrics data on smart cards, especially if only a biometric template, and not the entire image, is used.

"Going back to ATMs, having one common network to hold all of the biometrics data would be difficult," Ichikawa said. "And you have the same sort of situation in the airports. It just would seem easier to put the information onto the card."

Link to original article:

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Back Next Index © 2005, The Green Sheet, Inc.