Consumers are increasingly able to use their hands or faces to pay for purchases and prove their age—an added convenience that comes along with heightened scrutiny of how companies handle sensitive personal data.
These tools are known as biometric payment systems because they are built around recognizing a person by measuring unique features, like the size and shape of their face or the lines, ridges, and vein patterns of their palm. The systems work by matching a person’s information presented at payment with their data previously collected during sign-up.
Globally, almost $5.8 trillion in annual payments are expected to be made using biometrics by 2026, with more than three billion users anticipated, according to a forecast from Goode Intelligence.
Companies have said biometrics are more secure and fraud-resistant than card transactions and could eliminate the need for passwords or PIN numbers while speeding up purchases. But privacy advocates have raised concerns about the risk of biometric information being stolen by identity thieves or abused by law enforcement agencies.
“Tech is not actually convenient if it puts your very sensitive, unchangeable data at risk of potentially being abused or hacked or stolen,” said Leila Nashashibi, a campaigner for digital rights group Fight for the Future. The group is organizing an online petition calling on grocery stores to resist implementing Amazon’s palm-scanning technology as a payment option.
While skeptics push back against the rollout of such tools, others are urging caution in how the collected data is stored.
Businesses deploying biometric tools are applying security controls such as encryption to safeguard data. A technique known as tokenization is used to protect payment card numbers.
Accelerating Adoption
Using a person’s physical features to approve a payment isn’t a new concept, but it has taken off in recent years amid a shift away from cash and growth in digital wallets.
In 2005, grocery chain Piggly Wiggly launched pay-by-touch technology that let shoppers use a finger scanner to access their linked payment information.
Today, face or fingerprint recognition is often used when making purchases with a digital wallet on mobile devices, like through Apple Pay, Google Pay, or Samsung Pay. Almost three-quarters of consumers are comfortable leaving their traditional wallet at home and only bringing their phone for purchases, according to card-issuing platform Marqeta Inc.'s 2023 state of payments report.
“You don’t need a phone or wallet—all you need is yourself,” Chris Reid, executive vice president for Identity Solutions at Mastercard, said in an emailed statement on the company’s biometric payment pilot program. Once enrolled, a customer can simply smile or wave at a device to pay, according to the company.
Contactless Payments
Financial services firm
Amazon also has emerged as a major player in the biometric payments space. Amazon One, the company’s palm-scanning program, has been used more than 3 million times since its launch in 2020, according to a spokesperson for the e-commerce giant.
Amazon touts the technology as a fast, convenient, and contactless way for people to use their palm in everyday activities like paying at a store, presenting a loyalty card, or entering a venue.
It’s available at the company’s own stores, including Amazon Go and Amazon Fresh, as well as business partners such as fast-casual chain Panera Bread and travel retailer Hudson. Some event venues, including Seattle’s Climate Pledge Arena and T-Mobile Park, have deployed the palm scanners.
“Palm recognition is considered more private than some biometric alternatives because you can’t determine a person’s identity by looking at an image of their palm,” the company says. Still, Amazon faces a consumer privacy lawsuit brought under a law in New York City requiring commercial establishments to post proper notices when biometric data is collected.
Data Security
To prevent bad actors from trying to spoof its palm-scanning system, Amazon tested the tech against silicone and 3D-printed palms. It uses “liveness detection” as a layer of security to recognize the difference between a real palm and a replica, according to a company blog post.
Usually companies don’t keep raw biometric information after it’s captured. Instead they store a computer’s interpretation of a physical feature, like a set of numbers representing distances between geographic way points on a person’s face, said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals, a trade group.
“That alone can’t be used to create a picture of someone’s face,” he said.
But some observers remain concerned hackers or fraudsters could try to combine scans with other pieces of consumer data.
“If I look at an image of a palm, I probably can’t tell it’s you versus me necessarily,” said Jen King, a privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence. “But that doesn’t say it’s not identifiable, because if it wasn’t identifiable they wouldn’t be using it.”
Event Venues
Biometrics are also emerging as an opportunity to provide a new ticketing or age-verification process at event venues.
Members of CLEAR’s biometric program can take advantage of expedited entry lanes for sports and entertainment events. At select stadiums and venues, the company lets consumers digitally verify their age, though its system doesn’t handle payments.
Each time an individual uses the technology, they must opt in and click a button stating they consent to data sharing. CLEAR then shares only that the individual is old enough to purchase an age-restricted item and that the company has verified the individual’s identity.
People can ask for their data to be deleted if they no longer wish to use CLEAR’s service, according to the company’s privacy policy.
At Coors Field, home of the Colorado Rockies baseball team, spectators can buy alcoholic beverages by hovering their palm over an Amazon One device, and don’t need to present a physical government-issued ID to show they’re at least 21 years old.
Amazon One customers must register their age in advance by uploading a photo of their ID and taking a matching selfie. Amazon says it doesn’t retain IDs after the verification.
Colorado’s liquor and tobacco regulations allow for the use of biometrics to demonstrate age.
Policy Proposals
New York may follow suit. A bill pending before the New York State Senate would pave the way for using biometric identity verification to determine a person’s age for the purchase of alcoholic beverages and tobacco products. The measure would require biometric records be secured in a database that uses encryption to protect information from hacks or leaks.
New York State Senator James Skoufis, a Democrat who is sponsoring the bill, said he’d rather embrace new technology and build guardrails around it than try to prevent biometric payments from spreading.
“If you’ve got concerns, don’t use the technology,” Skoufis said in an interview. “It’s all voluntary.”
Data privacy concerns tanked an earlier effort urging the Washington State Liquor and Cannabis Board to allow use of biometrics as a valid form of age verification for restricted purchases, according to a board spokesman.
Albert Fox Cahn, founder and executive of the New York-based Surveillance Technology Oversight Project, pushed back on the idea that the convenience of biometric-based technologies outweighs concerns.
“I don’t the understand the idea that somehow it’s going to be better, or easier, to take your government-issued ID, register it with this company, submit your biometrics, and then not have to show your ID in the future—versus just taking your ID out of the wallet when you go to the bar,” Cahn said. “If you’re too drunk to remember where your license is, you’re probably too drunk to have any alcohol.”
To contact the reporters on this story:
To contact the editors responsible for this story: