The Payment & Clearing Association of China (PCAC) has published a set of guidelines regulating how payment providers that use face recognition to process payments at the point of sale (POS) should protect consumer data.
The guidelines “cover user consent and the collection, storage and use of facial data,” Regulation Asia reports.
“Under the guidelines, payment companies are required to encrypt facial image data and store it separately from details such as bank numbers and other personal information.
“Merchants and other companies receiving payments should not be able to retain facial image information.
“Financial institutions should also enter agreements with merchants to prevent intermediaries from retaining biometric facial images.
“Consumers should also be allowed to opt in or decline facial recognition-enabled payments, where other payment options should be available to those who do not give consent.
“According to the guidelines, customer verification should not be solely based on facial prints. Multi-factor authentication should also be introduced for extra security.”
In addition, providers must have “compensation mechanisms, risk provisions, insurance plans and emergency response mechanisms in place to deal with losses arising from a failure to properly verify the customer’s identity,” the report adds.