While payment methods based on biometric authentication have been introduced as a way of dealing with the security and convenience concerns associated with payment by credit card or QR code, the outstanding issues include how to manage biometric information securely and how to improve the speed of authentication. Hitachi’s PBI ensures security by converting biometric information into an irreversible template or public key and using these for authentication using public key infrastructure techniques. Hitachi also addresses the issue of speed by using its own proprietary technique to perform authentication in approximately 0.5 s (in a system of a million users), which is fast enough for practical applications. A trial of a deviceless and cardless electronic payment service was launched in December 2019 in partnership with UC CARD Co., Ltd. Along with using the knowledge and expertise acquired from the trial to further enhance the system in preparation for commercial release, Hitachi also intends to further develop its business activities based around biometric authentication, expanding its horizon globally to a variety of different industries and to other non-payment identity verification services (such as facility access control).
At the same time as Japan is facing challenges such as aging demographics, a low birthrate, and a shrinking workforce, the country lags behind other parts of the world in its adoption of cashless payment methods such as payment by credit card or QR code*1 due to security and convenience issues, despite their use being encouraged as national policy. Meanwhile, payment methods based on biometric authentication are being launched commercially in countries such as South Korea and China that are at the forefront of cashless payment.
This article reviews the developments and issues surrounding cashless payment and describes what Hitachi is doing to verify the utility of biometric authentication based on its public biometrics infrastructure (PBI) technology and to utilize trials as a pathway to service commercialization.
Fig. 1—Percentage of Payments Made by Cashless Means in Different Countries (2015)
The numbers in a report entitled “Cashless Vision” published in 2018 by the Ministry of Economy, Trade and Industry indicate that Japan lags behind most major countries in its use of cashless payments.
According to “Cashless Vision,” a report published by the Ministry of Economy, Trade and Industry in 2018, Japan lags behind most major countries in its use of cashless payments, with only 18.4% of payments being made this way in 2015 (see Figure 1). Japan has set a target of increasing the percentage of payments made cashlessly to 40% by 2025 with objectives that include boosting productivity through labor-saving measures at bricks and mortar stores and raising tax revenues through suppression of the cash-based grey economy. Following successful examples from countries such as China, the Japanese government has been promoting the rapid adoption of electronic payments over recent years, including through various reward points schemes based on payment by QR code.
Having come to recognize the security problems associated with payment by QR code, countries such as South Korea, China, and India that are at the forefront of cashless payment are shifting toward payment methods that utilize biometric authentication based on attributes such as faces or fingerprints.
Fig. 2—Trend in Fraudulent Use of Credit Cards (2019)
The cost of fraudulent credit card use in Japan has increased in recent years against a background of increasing losses due to the misappropriation of credit card numbers in electronic commerce transactions.
Behind these industry-leading nations choosing to adopt biometric authentication methods are the low level of public confidence and the lack of convenience associated with methods such as credit cards or QR codes [issues (1) and (2)].
The low level of public confidence (1) refers to the risk of theft, falsification, loss, or identity theft. For example, the cost of fraudulent credit card use in Japan ballooned from JPY10.4 billion in 2008 to JPY23.6 billion in 2017, with increasing losses due to the misappropriation of credit card numbers in electronic commerce transactions being a significant factor. Losses since 2017 have remained at this high level (see Figure 2). The cost of reimbursing customers for this fraudulent use is met by the merchant or credit card company and totals more than JPY20 billion annually. There is also an urgent need to address QR code payment fraud, with losses occurring due to the falsification or copying of codes.
Among the problems relating to convenience (2) is the complexity caused by the numerous different methods of cashless payment. With different retailers using different methods, consumers find themselves having to switch between wallet or smartphone depending on which store they are in. As people in a hurry or burdened with shopping bags find this annoying, there is a proportion of consumers who choose to stick with payment by cash.
In contrast, cashless payment based on biometric authentication has a significant advantage in addressing these two issues (1) and (2) above, because it does not require users to carry a token to verify identity, thereby eliminating both the inconvenience and the fear of theft or fraud.
Cashless payment based on biometric authentication is currently in the introductory phase and needs to deal with the issues of security and performance if it is to become widely adopted in the marketplace [issues (3) and (4)]. That is, it needs to ensure secure management and improve the speed of authentication.
Extending use to all the various different types of retailer will require that large amounts of biometric information be handled securely in a public environment. Unfortunately, recent years have seen numerous instances of security breaches by system administrators, meaning that measures are needed to prevent the theft of biometric information by people with malicious intent.
There are also issues with the speed of biometric authentication, with the time taken increasing as more people participate (increasing the amount of biometric information needing to be cross-checked to verify an identity). As slow authentication is a source of stress for users, the system must be able to verify identity in a reasonable time even as the number of users increases.
If cashless payment based on biometric authentication is to become widely adopted in the marketplace, ways will need to be found to overcome these issues of security and performance.
Hitachi’s deviceless and cardless payment service resolves the issues described above [issues (1) to (4)] to provide both convenience and security. The following section presents an overview of the service.
Fig. 3—PBI Authentication Flowchart
PBI templates and private and public keys are generated from finger vein information. Authentication is performed by using the finger vein information to regenerate the private key.
Hitachi has long been engaged in research into finger veins as a means of authentication and has utilized this work in the development of the PBI authentication technique used in this service to resolve the issues described above. PBI is based on the techniques of public key infrastructure (PKI) and works by using biometric information to generate the private keys held by individuals and the public keys used by services. In contrast to techniques that work by storing a private key on a smartcard or other mobile device that is presented each time authentication is performed, PBI improves convenience and overcomes concerns about loss or theft by eliminating the need for this key management.
While conventional security practices are robust in their own terms, they are unable to prevent the divulging of information as a result of operational problems. Because PBI instead generates public keys or templates from biometric information by means of a one-way (irreversible) conversion, there is no need to hold the biometric information used for this purpose on a server. One-way conversion means using a mathematical function to transform the biometric information into a form from which it is difficult to recreate the source information. The conversion also utilizes random numbers to ensure that it outputs a different result each time. Even if a public key or template is divulged, the difficulty of recreating the biometric information used to generate it means that security can be maintained by something as simple as cancelling the divulged information (see Figure 3).
As a result, it is a proprietary Hitachi authentication technique that can maintain end-to-end security during online authentication.
A common practice in authentication techniques that include face or fingerprint information is to improve accuracy by checking a number of different features. Unfortunately, this slows the response time as the more features are used the larger the number of candidates against which cross-checking needs to be performed. In contrast Hitachi’s PBI technique uses its own proprietary method to rapidly narrow down the cross-check candidates, achieving an authentication speed of approximately 0.5 s in a system with a million users.
Cashless payment works by linking the user information identified by PBI authentication to card information that has been tokenized by a function supplied by the payment handling company, and managing this information at Hitachi. When processing a payment, the tokenized card information linked to the user is passed along with the payment amount to the payment provider to execute the transaction.
In anticipation of future growth in user numbers and applications, a public cloud is used to ensure that the service can be delivered with fast response times and at a reasonable cost as well as that information can be managed securely at the system level. While security concerns have in the past led people to worry about the wisdom of using public clouds for mission-critical applications, they have in recent years come to be recognized as a worthwhile option for reasons that go beyond mere cost, not least being the ability to keep up to date with the latest security measures by utilizing the various functions for this purpose made available by cloud providers. For this reason, Hitachi chose to optimize its system configuration to run in a public cloud. Moreover, because the system is made available in the form of a web app, retailers who chose to use it do not need any special system configuration or other changes. Compared to an on-premises configuration, this means the system can be supplied quickly and at low cost, requiring only a finger vein biometric authentication unit and tablet computer to access the service.
Fig. 4—Payment Flowchart
To make a payment at a merchant (retailer), the customer’s identity is verified and the tokenized credit card information is passed to the relevant payment provider to execute the transaction.
Fig. 5—Making a Cashless Payment at a Store
The amount is entered into the tablet and the customer places their finger on the finger vein biometric authentication unit to complete the payment.
Hitachi set out to verify the usability of the service on the basis of multi-stage trials.
The trials involved installing a tablet computer and finger vein biometric authentication unit at a retailer and having customers use it for payment. The users’ credit card details and finger vein information were entered and linked beforehand. The sale process starts with the retailer entering the sale amount after which the customer places their finger on the authentication unit to verify their identity and make payment from their linked credit card (see Figure 4). This allows users to make deviceless and cardless electronic payments without the need to carry their credit card with them.
The first stage of the trial focused on the service’s objective of convenience and looked at whether the service really did represent an improvement in this regard over the existing cashless payment system at a staff canteen of UC CARD Co., Ltd. (see Figure 5). The results indicated that users’ idea of convenience was a close match with that of the developers, with comments praising the system’s quick payment time and noting how not having to carry a card or device made it easier to use than expected.
The second stage looked at use of the service across a variety of different industries and applications. In contrast to the stage-one trial at a single site, this trial involved adapting the service for use at a number of restaurants and drug stores that are not all part of a single franchise. This was the first time that finger vein information linked to credit cards had been used for payments across multiple sites in Japan. Whereas it would have been necessary in the past to configure the system separately for each of the various different retailing formats, in this case the requirements for accessing the service were the same for all stores, requiring only an Internet-connected tablet computer and finger vein biometric authentication unit. The trial also demonstrated how users could be enrolled by a one-off registration process after which they were able to use the payment service at all sites where it was offered.
The third stage of the trial commenced at dispensing pharmacies on March 2, 2020. Whereas the first two stages had been limited to staff of UC CARD and Hitachi, the purpose of this third stage was to expand the trial beyond company staff and gather feedback from a wider range of people, especially those unfamiliar with ordinary digital devices and cashless payment, with a view to improving how the service would be perceived by the general public.
While the trial earned positive feedback from both users and retailers, it also identified a number of new challenges for wider commercial deployment.
One such problem related to the devices used. Whereas the trial used the same tablet computers across all sites, the amount of counter space available varies between applications and there some users asked whether small portable devices such as smartphones could be used instead. As the web app developed for the trial was limited to a single screen size, this feedback prompted a decision to add flexibility by giving the web app for the commercial rollout the ability to work on different types of device.
Hitachi has also been working on the use of ordinary cameras to scan finger veins. Once this is properly available, it should make the service even easier and more convenient to use by eliminating the need for a dedicated finger vein scanning device. Furthermore, scanning is a non-contact process (unlike past authentication devices), which means it should be well placed to meet the demand for contactless authentication arising from the coronavirus pandemic. Testing of the technology is ongoing and will be used as feedback to the service once the trials are complete.
The user feedback included comments that the impression of speedy payment was lost when serving a number of customers at a time because of the need for manual entry of the sale amount. This can be resolved by linking to the store’s point-of-sale (POS) system*2. Hitachi aims to provide further service benefits to retailers as well as to their customers.
The intention is to collate the opinions and know-how obtained from the trial and use it to further enhance the service in preparation for commercial release.
At the core of the system is its ability to use finger veins to verify identity. Hitachi is also targeting future use of the service in applications other than payments by leveraging this feature as a basis for interoperation with a variety of other systems. One example is how biometric authentication is already used in applications such as building access control but is fragmented across different systems, meaning that users have to register for each one separately. This problem can be overcome by offering authentication as part of Hitachi’s Digital Innovation Platform and integrating this with other platforms. A one-time registration by users will be all that is needed to make use of this across different applications and services, subject to their consent in each case. Unification of security standards that vary from service to service will enable users to access these services with greater safety and convenience. The more this access is standardized, the greater the scope for making use of data. Examples might include combining purchase histories with ride hailing trip records for the route optimization of public transportation or the holding of community events such as stamp rallies. The coordination and rollout of this authentication platform is currently taking place across the full range of sectors, including industrial logistics, healthcare, and the public sector.
Furthermore, the service providers and users do not have to be Japanese. As noted above, the service can be utilized regardless of location or industry, and finger vein authentication is something that all people can use. Further improvements are being made with a view to deploying services overseas as well as services for overseas visitors to Japan. The intention is to expand the scope of the business while also taking account of the different legal systems in other countries, not least the European Union’s General Data Protection Regulation (GDPR).
This article has described the benefits of Hitachi’s deviceless and cardless electronic payment service using PBI authentication for addressing the issues surrounding cashless payment and biometric authentication together with the work being done on trialing the service.
PBI authentication has potential applications that go beyond cashless payment to encompass a wide range of business scenarios that are based around verification of identity. Along with addressing the issues identified during trials of the service in preparation for its commercial release, Hitachi plans to transcend the barriers between industries such as finance and expand its operations globally in the future.
