Mastercard users will be able to verify their identity using fingerprint scans or facial recognition when they pay for something online next year.
The firm has told banks issuing Mastercard-branded debit and credit cards that they must be able to offer biometric authentication, such as fingerprint scans, when you pay for something online, over the phone, or by contactless payment on your mobile. This will be in addition to existing PIN and password verification.
You'll be asked to confirm your identity by using your phone at the equivalent stage of a transaction when you are usually sent a one-time password to a mobile phone or email address, or are asked to type in your PIN.
You'll be able to choose if you want to use facial recognition or fingerprint verification, and you'll still be able to authenticate payments by using passwords, but Mastercard says evidence suggests the vast majority of customers prefer biometrics.
The company says the move will bring it in line with the EU's new requirements for 'strong customer authentication', which will be enforced from next year.
What does Mastercard say?
It's unclear exactly when the biometric authentication will be introduced by each bank, but Mastercard says it must be in place by April 2019.
Mark Barnett, president of Mastercard UK and Ireland, said: "Biometric technologies perfectly meet the public's expectation for state-of-the-art security when making a payment.
"This will be of great benefit to everyone: consumers, retailers and banks. It will make the purchase much smoother, and instead of having to remember passwords to authenticate, shoppers will have the chance to use a fingerprint or a picture of themselves."
We also asked Visa and American Express if they were making any preparations for the new EU requirement.
A Visa spokesperson said: "Biometrics is an area that Visa has been involved in for many years, both through our own innovations and working with our partners such as Apple, Google and Samsung, who incorporate biometrics as part of their authentication. What's more, our view is that biometrics in payments isn't simply about mobile; indeed, we have recently launched the first commercial pilots of a biometric card for contactless payments."
We're still awaiting a response from Amex.
What do the EU rules require?
'Strong customer authentication' will be required under the EU's second Payment Services Directive – the same directive which banned all charges for paying on credit or debit card.
The rules on this aim to ensure that consumers will be better protected when they buy online or use online banking.
They have been written into UK law and it's thought this will come into force around September 2019.
Essentially, it will mean online and over-the-phone payments will have to be verified in at least two of the following three ways:
- By something that only the customer knows (eg, a PIN or password).
- By something that only a customer possesses (eg, a card).
- By something unique to a customer (eg, a fingerprint).
Although some banks already apply this process on a voluntary basis, for example, by making you use a card reader and entering a PIN when you use online banking, it is not currently compulsory, but the law will make it so.