The STPay-Topaz-Bio platform handles the fingerprint enrolment, data template, power management, and the card’s authentication process. Users simply put a finger on the card’s scanner instead of entering a PIN before the transaction takes place.
It is based on the ST31N600 Secure Element, a 40nm ARM SecurCore SC000 core, which handles most operations during payment, while the STM32L443 processes the image from the fingerprint reader. The platform also includes an operating system compliant with Java Card 3.0.5 and GlobalPlatform 2.3.1 to accelerate development operations.
ST developed STPay-Topaz-Bio in partnership with Fingerprint Cards and Linxens. Adding biometrics on a card is challenging because manufacturers must still meet existing thickness requirements to ensure compatibility when swiping or inserting the card in existing readers. The ISO/IEC 7810 standard dictates that all bank and ID cards must have a thickness of 0.76 mm. Other standards also define a card’s ability to bend without the connectors or components breaking. Satisfying those stringent requirements mean that companies that master biometric bank cards can easily port their solutions. Biometric ID badges, employees’ identification with fingerprint recognition, and more become easier to make.
ST implemented a secure element that can harvest power from the contactless reader and distribute it to the entire card using the same NFC technology as the previous generation of contactless bank cards while powering more components, such as a fingerprint sensor and a general-purpose MCU.
The secure element executes the application, secures information, including the biometric template, and runs the algorithm that matches the fingerprint to the template to authenticate the user, increasing the memory requirement for storing the template and the matching algorithm. Similarly, the general-purpose MCU extracts the fingerprint from the sensor and sends it to the secure element, demanding high computational performance while keeping the power consumption as low as possible.
Implementers are also looking into different enrolment mechanisms that would use a sleeve, a mobile device, or a reader with optional LEDs on the card. The capture must also be fast enough and comply with biometric standards such as FAR (False Acceptance Rate) and FRR (False Recognition Rate) requirements that regulate biometric interactions. False positives are severe breaches of security and make the whole system unreliable. On the other hand, a false negative creates friction that end-users hardly tolerate. Therefore, teams working on their system must find the right balance between accuracy and performance.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.