Contactless payment methods are gaining popularity for their convenience and the reduced risk of catching COVID by touching something shared. Yet, it comes with a high price – your privacy.
Contactless payments offer people relief from the fear of having to touch something that is shared. Yet, for the touchless self-checkout experience to be convenient, it uses technology that knows so much about you – from the way you move to your credit card number.
Last September, Amazon Go introduced touchless palm readers called One, which, apparently, is going well as the tech giant is expanding its technology to more Amazon Go locations. There are numerous solutions for facial recognition payments, which can be frustrating because you might have to remove your face mask.
In any case, there are many ways to pay for your goods without having to touch anything. But PINs, passwords, and even facial recognition with everyone wearing masks introduce a lot of friction. Therefore, companies such as UnifyID are looking for ways to make shopping an even more seamless experience. Usually, however, it comes with the price of privacy.
But John Whaley, the CEO of UnifyID, reckons that touchless payment solutions will become mainstream even as they invade your privacy in one way or another.
“Ultimately, people do care quite a bit about privacy but they care about convenience more. They are willing to do some of the trade-offs as long as it doesn’t cross the red line for each individual,” he told CyberNews.
UnifyID developed a passive contactless payment solution, which recognizes your movements, and your mere intent to make a purchase is enough to execute the transaction.
“You can just leave your phone in your pocket or just in your hand as you are walking, and we already know that it’s you,” he told CyberNews.
What is happening in regard to contactless payments? Are they getting more and more popular? What new forms of contactless payments are emerging beside the wallets we are used to?
This trend was already happening. Everything around COVID has dramatically accelerated this transformation. And not just at the payment portion. It is the entire journey. They are looking at things for contactless entry and anything where people are sensitive about touching something shared. They are looking at enabling many more things you can do from your phone instead of inserting a card or typing something on a keypad.
Technology like facial recognition and face ID has dropped off because they don’t work when you wear a mask. People are uncomfortable having to pull down their masks, and they are starting to rely on other forms of biometric authentication outside of facial recognition.
One of our customers does QR code payments. There’s a regulation called 3D security 2.0, where you need to have some additional form of authentication. You can’t just scan the QR code. You need to be authenticated in some way because this is debiting from your bank account. Previously, they would often use biometrics, such as face ID or facial recognition, to do that. Now, of course, more people wear masks, which introduces a lot of friction.
Tell me more about how your solution works.
We have passive authentication based on your motion and your behavior. We can seamlessly authenticate the user without them having to remove their mask.
And it’s not always about security. Sometimes it is about personalization. I walk into the room and, instead of having to go and touch the controls to change the configuration, the system knows that it’s me. Therefore, it will adjust everything automatically so that I don’t have to touch some shared control sets.
You don’t need to have any specialized hardware. We don’t have our app and integrate with our customer’s apps. If you have their app on your phone and you are using it for QR code, other contactless payment, or even to unlock a door, then that’s where our technology fits in. You can do that in a much more seamless way without having to take out your phone and unlock it. You can leave your phone in your pocket or hold it in your hand as you are walking, and that’s how we already know that it’s you. If somebody steals your phone, they won’t be able to make that purchase or unlock that door because the biometrics don’t match.
So it can understand it’s me just from the way I hold my phone?
It is based on your unique behavior – the way you walk, move, and hold your phone. These are strong biometric signals and are unique to you. If we capture some motion data while you are walking (around 5-10 seconds of walking), we can identify you with about the same accuracy as a physical fingerprint. False positive rate is about 1 in 50 thousand.
How does it work if I go to an actual shop and am about to buy something? What has to happen for me to make that payment?
You have a payment app on your phone, you go to make a purchase, and you make a payment. You can tap your phone or scan a QR code to show that you intend to make this purchase, but then there’s much less friction on that side.
On the retail side, on the brick and mortar side, stores are increasingly moving towards a model similar to Amazon Go, where you can have a touchless checkout experience.
In the future, you’ll walk into the store, take something off the shelf, and they will know that it’s you because of the signal from your phone and these other biometric signals. They will automatically charge you, and you’ll get a notification on your phone that says, here’s your purchase and receipt. There will be no scanning, no self-checkout or check out at the teller, and no inserting of a physical credit card.
In many cases, it is going to be a much more personalized experience because they are going to know that it’s you when you are walking in and interacting there. You may have personalized offers, and there may be people to greet you. They will know the last time you were there and the things you like to purchase. They will give you a very personalized experience.
Honestly, in this day and age, where you can order things and have them delivered, why do I go to the store instead of clicking something and having it show up at my doorstep? The place that they are looking to differentiate is in that whole experience of doing it. That’s where they are focused on having that very premium and personalized experience when you enter one of these stores. And this is going to be a general trend that is going to go across.
If you zoom out from the macro view, it used to be that if you go to the grocery store, somebody is scanning all of these QR codes, and then you have this piece of plastic that you are going to swipe or insert and type a PIN or sign your name. Then they bag the stuff up, and you take it out. What happened after that, they introduced a notion of self-checkout. Initially, only a small number of people used it but now it’s becoming more and more popular. It is a natural evolution.
What’s the natural evolution behind the checkout? It is fully automatic. The technology has reached the point where it already knows that it’s me and what items I have. What’s the point of doing the formality of scanning all those things? You don’t need to do that. As soon as you have those capabilities, it opens up a lot of customization and personalization opportunities. They can use these types of things to give a premium experience.
Even the vision of the bank branch in the future. You’ll walk into the bank, and they will say, ‘oh, hello, Mr. Whaley, how are you today’? From the moment I walk in, they will know that it’s me. The authentication rituals will persist because people are used to them, but that doesn’t provide security. The four-digit PIN that you choose, well, people choose terrible things. They choose a birthday, or 5555, or 1234. Telling people they have to use a different PIN, people don’t like to do that. The truth is, it doesn’t add much security because people won’t change them very often, and it’s easy to steal them. It’s more a ritual that people are used to, and it makes them feel a little bit better, but it doesn’t add any additional security on top. The things that do are these types of passive factors that they use. It is how they know it’s you and not someone who happens to know your PIN.
What retailers have to do from their side so that I could actually just walk in the store, take something from the shelf, and walk out without anyone scanning my goods? Is it a costly investment for retailers?
There are a variety of technologies. Some of them involve cameras in the stores, the inexpensive RFID tags, and sensors, then correlating these together and figuring out who is the person who took this item off and what items he had when he left. Those technologies all exist today, and they have reached the point where they are now cost-effective enough.
Obviously, with COVID and everything, there’s going to be a fundamental change and shift in people’s attitudes toward these types of things. Much like what happened with 9/11. The world changed fundamentally. Even after the vaccine is distributed, things will not go back to normal overnight. There will be a new normal. Now people are much more cognizant of infection, limiting its spread. All of these transformations were already happening. Everything that has happened around COVID has just dramatically accelerated all of these as well.
Another area is travel. The travel industry has been particularly hard hit. You’ve seen a very strong emphasis on sanitation procedures. Whether it’s airlines, rental car companies, hotels – I don’t need to interact with a person. I can do more things from my phone. The rental car market is not going to be that I go to the rental car counter and I show you my ID, and they hand me over some keys, and then I go to my spot number to get my car. It’s going to be a phone app. The phone will act as your key to get into the car.
Looking at the technology, it all looks very bright and interesting. But there are some societal issues. This technology might be easier implemented in countries like Sweden, where they are moving towards a cashless society. Then there are poorer countries that still mostly use cash, and the shadow economy makes up a huge part of the economy. What obstacles do you see for this technology and the seamless experience that you are talking about?
These things are starting to happen. It’s not like cash is going to go away. It’s not like physical keys are going to go away. They will still be there. These types of things take a long time to change. When my grandparents go to the store, they write a physical check and sign it. That is what they are used to. Other people don’t trust the ATMs, and they have to go and see a teller.
Even though a lot of these technologies have existed, changing human behavior is very hard. Under different circumstances, maybe people would not want to consider these other types of experiences, are now much more likely to think about them or want to use them because of everything that is happening.
Cash is not going to go away. Partially it’s because changing human behavior and habit is just hard. People get used to doing things a certain way, and that’s the way that they trust. Changing that takes a certain amount of effort.
Some of those are privacy considerations. I don’t want to be tracked. Ultimately, it comes down to trust. Do I trust this technology? Do I trust the retailer? Is this going to be done appropriately, and they are not going to misuse my data? Is it not a vector for me to be hacked?
Typically, there’s going to be a group of early adopters of the technology. They are the ones that always use new stuff. And then there’s a question when you cross that bridge and that gap to where it becomes mainstream. There’s a lot of technology that never makes that transition. I think that with a number of these types of touchless, contactless interactions, these will happen. They will happen just because of these underline drivers that are happening. It’s also a much better experience for the end-user. The times when you see things not make this transition is where it’s a mixed bag – there are some benefits, but there are also some downsides. With this type of technology, most of the advantages are to the end-user and the consumer experience.
Ultimately, people do care quite a bit about privacy, but they care about convenience more. They are willing to do some of the trade-offs, as long as it doesn’t cross the red line for each individual.
It has been proven time and time again that people do care about privacy and security, but not that much. When it comes to the conflict with convenience, they will often choose convenience over security. If you look at the use of passwords, the opt-in rates for setting up 2FA, when it’s not required, the opt-in levels are low. If you look at the type of passwords that people choose, they are not very good. They reuse passwords all over the place. Everyone knows that you’ll be more secure if you do these other things if you choose better passwords, and you choose 2FAs, but it’s just annoying, and it’s frustrating. 99% of the time is you, and you want to have a much more seamless experience. It’s a very frustrating experience when you get locked out of your own thing, you can’t remember what your password is, or something doesn’t match. It’s extremely frustrating.
Ultimately, people do care quite a bit about privacy, but they care about convenience more. They are willing to do some of the trade-offs, as long as it doesn’t cross the red line for each individual. Some people are very privacy-aware, and they don’t want the business to know anything about them. But most people are OK with having at least some basic information, especially when it’s going to leave them to have a better experience, or they will have special promotions that apply only to them. People are willing to do that. They will let businesses know who they are in exchange for a coupon or discount on something that they like. People are often willing to make that trade-off. It is an individual trade-off. There’s going to be areas where there’s going to be a big push back.
Ultimately, there will have to be things like user control of what data is being collected and how it is being used, and self-sovereignty: don’t use my data anymore, delete my data, tell me all the data that you have on me, allow me to download that. You see that with things like the GDPR in Europe (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) in California. There will be a continuing number of these types of regulations, rules, and guidelines. You can use this data, but only under these kinds of circumstances. The person involved is going to ultimately be in control of that.
Maybe we are just not used to knowing that businesses have a lot of information about us. This privacy awareness seems quite fresh to me, and regulations, such as the GDPR, are also relatively new. What are your thoughts on that?
There’s a cultural difference. In Europe, there’s much more sensitivity about private corporations having access to this type of data, but there’s much more openness to governments having this data. In the US, it’s almost flipped. I don’t trust the government to have this data, and there’s a lot of sensitivity about that. But there’s a little bit more general acceptance around sharing that type of data with the private industry.
None of these things are new. They have been done for many years, like tracking your online behavior. The biggest difference that has happened recently is that traditionally a lot of this data was being used for things like ‘let me serve you ads’. I search for something, and they know that I’m interested in that thing, and therefore they are going to serve me an ad that is related to what my interests are. It has a more questionable value to the end-user. They try to make an argument that this is good because you would rather see ads that are more appropriate for you. But they don’t get it right. There are cases where I search for hotels in a certain stop, and for months I continue to get ads about traveling to that location even though maybe I changed my mind, or I’ve already made that trip, and I’m not in the market to make that purchase anymore.
In the past, they were collecting and using a lot of data in a more rudimentary way. Now we are starting to see more cases where this is actually to facilitate a better experience. For example, I make a purchase at someplace I haven’t been before. Normally, they would deny this transaction, and you would have to call in and say that you wanted to make this charge. It is a terrible experience when your card gets declined. Now they can say that this is the right user. And they know that they are there because their phones are there, and this matches their behavior. So this charge is OK, even if it may look suspicious by some other metrics.
Those are the types of things where the benefit is just purely on the user experience side. That’s the place where, I think, there’s going to be a kind of more general acceptance. As long as you are not misusing this data, and it’s not going to be leaked.
For example, my fitness gym. You scan your fingerprint, and that’s how they know it’s you, and then you get it. It’s very private, and you don’t want to share it with everyone, but that’s an interaction that I find acceptable because it’s very convenient. I’m sure they have some customers that don’t want to use the fingerprint, but most of the customers are just using it. The majority of people do that because they trust that it’s a reputable business, and they are not going to misuse fingerprints in some way.
More great CyberNews stories:
Subscribe to our monthly newsletter