
Palm scans and other biometric payment methods: What you need to know

If you live in a big city, you probably know how frustrating the line for your morning coffee can be. When it’s time to pay, you may find yourself half asleep, digging through your purse or backpack for your credit card or phone. And God forbid you leave your wallet at home or your phone malfunctions.

That will no longer be a problem for customers of Panera Bread, a popular US chain of bakery-cafe restaurants. Panera recently announced that it will allow customers to pay for orders with the palm of their hand. But aren’t they creating another problem by eliminating one?

Palm pay for pastries

The new payment method would rely on Amazon’s contactless payment service called Amazon One. If you haven’t used it before, you will be able to sign up at a participating Panera location. An Amazon scanning device will capture small features of your palm, such as veins, wrinkles and creases, as you hover your hand over it, and turn them into a ‘palm signature.’ This will be encrypted and sent to a cloud server run by Amazon, where it will be linked to the card you used at sign-up. You can register one or both of your palms, or add the second later. After registration, you should be able to use your palm to enter and pay at any Amazon One-enabled location, including Amazon’s own stores, select Whole Foods stores, and concession areas at some sports venues.

What happens to the biometric data?

Panera says it does not store any personal palm data. Amazon, for its part, says the biometric data is not stored on its scanning device, but only in a “highly secure area” on the Amazon Web Services (AWS) Cloud. The tech giant claims that the data is kept “separately from other Amazon customer data” and is only used for the purposes of creating a palm signature and for authentication. It notes that a “subset of anonymous data is used to improve our system,” though. All data is protected by “multiple layers of security controls,” such as encryption, data segregation and “secure zones with restricted access controls.”

An Amazon One ID is automatically created for each Amazon One user and includes their palm signature, phone number, credit card number and a merchant loyalty program. In the case of Panera, this is the bakery chain’s loyalty program. Its 52 million members will be able to link their accounts to Amazon One in the future and get some perks, such as being greeted by name and receiving personalized recommendations.

Amazon says it will permanently delete your palm print if you choose to leave the Amazon One program. Likewise, the data will be automatically deleted if you have not paid via Amazon One for two years. If users want to view and manage their Amazon One data, for example to change their phone number, they would need to link their Amazon account with Amazon One.

Paying with your palm is cool, but…

According to Panera, the new payment method will make your dining experience more personalized and convenient. Amazon claims it will allow you to “breeze through your day” by spending less time at the checkout.

Indeed, unlike your phone or card, your palm is always at your fingertips: you don’t have to fumble around in your bag or search your pockets to retrieve it, all the while holding up the queue and getting side-eyed. The only thing you might have to do is take off your glove. That means no more worrying about leaving your wallet in the car, or your phone’s battery dying at the worst possible moment — the list of potential mishaps averted can go on and on.

Secondly, unlike your mobile phone, your wallet or a stack of cash tucked away in your back pocket, your palm can’t be stolen or lost (we’re not going to entertain any macabre scenarios out there). Thirdly, while it’s not impossible to fake a palm print, it takes a lot of effort to make a realistic replica, so the chances of it happening are pretty slim even compared to other biometric identification methods such as facial recognition. Finally, if you’re a germaphobe, paying with your palm could be a lifesaver: because it’s contactless, you don’t have to touch any surfaces that might not be pristine.

Admittedly, there are a lot of advantages to paying with the palm of your hand, but that does not mean there are no pitfalls.

…is also risky

Because your palm print cannot be changed — again, we’re not going to go into the wild stuff — there is literally nothing you can do if it is compromised. So you have to put all your trust in the company processing and storing your palm signature not to leak or misuse it, for example by sharing it with third parties such as law enforcement and advertisers. And if that company is Amazon, a big tech heavyweight that has a checkered history when it comes to privacy and security, then you might want to think twice.

Amazon has been repeatedly accused of failing to keep track of what data it has, where it is stored, and who can access it. The firm is known to share footage from its Ring cameras with law enforcement without user consent, and has admitted to storing voice data from its Alexa assistant even after the user has deleted the audio from their account. It also used to sell facial recognition software to police before placing a moratorium on such sales in 2020. Amazon’s palm-reading program has sparked its own share of privacy and security concerns as well.

Criticism and pushback

Amazon first introduced palm reading technology to its own Amazon Go stores in late 2020. Then its scanners came to Whole Foods stores. Soon after, Amazon teamed up with ticketing company AXS, which planned to use its palm-reading technology for “ticketless” entry at Denver’s Red Rocks Amphitheatre. But the plan drew massive backlash from artists and human rights groups, who argued that the cloud service where Amazon uploaded the prints was vulnerable to hacking and government access.

The root of these concerns was that, unlike Apple’s Face ID or Samsung Pass, Amazon One stores biometric information in the cloud rather than on a user’s device. In a letter, activists argued that the implementation of Amazon One’s scanning technology could lead to police matching data collected at concerts with data from other databases. Ultimately, the plan for “ticketless” entry at the venue was dropped.

US lawmakers have also questioned the use of palm-reading tech by Amazon. In a letter to Amazon CEO Andy Jassy, a bipartisan group of senators asked the company to clarify what it does to protect user data privacy and security, and expressed worries about Amazon possibly repurposing this data for “advertising and tracking purposes.” Most recently, Amazon has faced a lawsuit in New York, alleging that it had not properly notified customers about collecting biometric data at the cashier-less Amazon Go store.

Whether or not to use palm reading technology ultimately comes down to whether or not you trust the service provider enough to handle highly-sensitive information that you can never change, and that’s a personal decision for everyone.

What about other unorthodox payment methods?

Paying with the palm sounded like science fiction just ten years ago, but it has become reality and is now entering the mainstream at an expedited pace. But it’s not the only new payment method that is challenging the old ways. In a world where customers value speed and ease above all, retailers are racing to offer more options, all powered by cutting-edge technology, and all coming with their own advantages as well as privacy and security risks. Let’s look at some of them.

Paying with your ring

Contactless payment rings use near-field communication (NFC) to allow users to pay for things by tapping their rings on a payment terminal. You can choose from many different rings to suit your style or needs. The best part is probably that you don’t need to carry anything else, not your phone, or cash, or a credit card. However, there are risks: rings tend to get lost and it is relatively easy to damage them, especially if you wear them on your finger all the time. And as with other new options, don’t expect to use them everywhere because of limited adoption.

Paying with your voice

Paying by voice is another payment method that relies on biometrics. You can check your balance or pay your utility bill by talking to Alexa, or send money on PayPal by shouting at Siri. While managing your finances with just a few words may be a multitasker’s dream, this method is vulnerable to fraud, especially now that artificial intelligence has become frighteningly good at mimicking the voices of real people. For example, in 2019, a UK energy company fell victim to a voice deepfake scam that cost them $243,000. Moreover, there’s always a chance that your voice assistant can misinterpret what you’ve said or mistake background noise for a command.

Paying with your face

Paying with just a glance at your phone or a camera is another payment method that has been rapidly gaining popularity. You can use face payments with your iPhone and Apple Pay, or with Google Pay if you have Android 10 or higher. Some other examples include Alipay in China and CaixaBank, which has deployed ATMs with facial recognition tech throughout Spain. While face payments share the same benefits as other payment methods based on biometrics, they also pose similar security and privacy risks. For one, face payments rely on your biometric data, such as your facial images and expressions, which can be collected and stored by selfie apps and filters. This data can be hacked, leaked, or sold to third parties who can use it to impersonate you or steal from you. Moreover, cybercriminals have been actively working on bypassing biometric authentication, in particular with the use of biometric skimmers — devices that can be attached to ATMs to steal users’ biometric data and card information.

Whatever you choose — choose wisely

Every payment method, including those brought about by the latest technological advances in artificial intelligence, has pros and cons. And what you consider a pro or a con may depend on your personal preferences. You may prefer to share your card information with merchants because you can cancel your card if there is a leak or breach. Or you might feel more comfortable sharing your biometric data because you know it’s much harder to replicate, which means it’s extremely unlikely that someone could charge your account without your knowledge.

In any case, what we see now is that payment methods based on biometric data are surely and not so slowly becoming a staple of our lives. That means we need to be aware of all the risks and benefits of the new tech to stay ahead of the curve.

Here are some of the things you can do when using biometric payment methods to stay on the safer side: be cautious with whom you share your data and make sure to study privacy policies and ToS of the companies and apps that use biometrics to know what data they can collect and store about you.
