A legal perspective on the relevance of biometric presentation attack detection (PAD) for payment services under PSDII and the GDPR

Abstract

Payment applications turn in mass to biometric solutions to authenticate the rightful users of payment services offered electronically. This is due to the new regulatory landscape which puts considerable emphasis on the need of enhanced security for all payment services offered via internet or via other at-distance channels to guarantee the safe authentication and to reduce fraud to the maximum extent possible. The Payment Services Directive (EU) 2015/2366 (PSDII) which applies as of 13 January 2018 in the Member States introduced the concept of strong customer authentication and refers to ‘something the user is’ as authentication element. This chapter analyses this requirement of strong customer authentication for payment services offered electronically and the role of automated biometric presentation attack detection (PAD) as a security measure. PAD measures aid biometric (authentication) technology to recognize persons presenting biometric characteristics as friends or foes. We find that while PSDII remains vague about any obligation to use PAD as a specific security feature for biometric characteristics’s use for authentication, PAD re-enters the scene through the backdoor of the General Data Protection Regulation (EU) 2016/679.