As the global financial landscape rapidly embraces digitization, the demand for secure, reliable, and scalable methods of identity verification and authentication has become paramount. Traditional methods such as passwords, PINs, and even more common biometrics like fingerprints are increasingly vulnerable to sophisticated fraud. Recognizing this growing need, the Saudi Central Bank (SAMA), a national entity established to develop a secure, interoperable payment infrastructure, has initiated a groundbreaking project to explore the use of palm vein biometrics. Saudi Payments, which serves both banks and FinTechs, is committed to ensuring a standardized, level playing field for financial services, while enhancing security and reducing fraud risks.

This white paper summarizes how palm vein biometrics can be integrated into a national or financial ID system and utilized as the primary modality for payment schemes and financial transactions. The purpose of the project is to demonstrate a Proof of Concept (PoC) that shows how individuals can conduct critical financial transactions, such as withdrawing and depositing money at ATMs and making payments at POS terminals, without the need for physical items like a mobile device or payment card. Instead, the unique biometric patterns within the palm of an individual’s hand will serve as their secure and highly accurate form of authentication. Palm biometric payments can replace the use of cards over time, therefore eliminating costs and vulnerabilities associated with traditional payment methods.

Fujitsu (2024) details the effectiveness of various biometrics. Unlike other biometric technologies, palm vein biometrics provide a level of security and accuracy that is unparalleled. By scanning the unique vein patterns under the skin, palm vein technology offers millions of data points. On the contrary, other biometrics, which consist of visible attributes such as fingerprints, are highly susceptible to fraud. These forms of biometrics have been exploited, leading to financial crimes such as the case detailed in 2023 (Soni) where perpetrators exploited the Aadhaar Enabled Payment System by cloning the fingerprints of their victims to perform financial transactions fraudulently. The internal nature of palm vein patterns and liveliness validation means they cannot be easily compromised or duplicated, making them the ideal biometric for high-security financial transactions.

patterns of veins beneath the skin of the palm to verify an individual’s identity. By utilizing near-Infrared light, the technology captures the internal vein patterns, which are stable throughout a person’s life and nearly impossible to replicate. These patterns are converted into a digital template for authentication, offering a secure, accurate, and scalable solution for identity verification across various industries.

Fujitsu is the pioneer of palm vein biometrics, introducing the technology for commercial use in the early 2000s. The accuracy and scalability of palm vein scanning technology can vary depending on the implementation and provider. In this project, the palm vein technology utilized is designed to meet high-security standards, providing a False Acceptance Rate (FAR) of less than 0.000001% and a False Rejection Rate (FRR) of around 0.01% (with Retry), making it an ideal choice for critical financial applications. The technology’s performance specifications are detailed further within this whitepaper.

Palm vein biometric authentication combines superior security, hygiene, and accuracy, making it a robust solution for identity verification. The technology relies on internal vein patterns that are invisible and virtually impossible to replicate, ensuring enhanced protection against fraud and identity theft. Its contactless nature not only improves hygiene, particularly in public environments like ATMs, healthcare facilities, and retail spaces, but also reduces the risk of contamination. With an exceptionally low false acceptance rate of below 0.000001% and a false rejection rate of 0.01% (with retry), it delivers high accuracy suitable for critical applications such as financial services. However, the adoption of this technology can be limited by its higher implementation costs, as the specialized infrared sensors required are more expensive compared to alternative biometric systems.

Palm vein biometric technology has been implemented in several real-world banking and payment systems, delivering impressive success in terms of both security and user convenience. Notably, banks such as Ogaki Kyoritsu Bank have integrated this technology into their ATMs, enabling users to withdraw cash or perform other banking activities without needing a card (Shinzaki, 2020). This not only reduces card-related fraud but also enhances customer experience by offering a seamless, secure method of transaction authentication. 

IDCentriq has deployed a country-level payment scheme and Financial Digital ID (FDID) in North and East Syria, allowing customers to perform payments and cash services throughout the country using their biometric-based identity.

Amazon leverages palm recognition technology via “Amazon One” to enhance customer experiences and operational efficiency for businesses. By enabling quick, contactless identification and payment, it simplifies transactions, reduces checkout times, and strengthens customer loyalty through seamless integration with loyalty programs. Businesses adopting this technology, such as Whole Foods Market and Panera Bread, report improved customer satisfaction and streamlined operations. The secure, intuitive nature of the system builds trust, while its convenience supports adoption in diverse environments, including retail stores, stadiums, and hospitality venues. As a result, businesses benefit from faster service, increased customer engagement, and a reputation for innovation.

Palm vein biometric technology has proven to be highly effective, offering enhanced security and improved user experience. Its use of unique, internal vein patterns makes it extremely difficult to replicate, providing superior protection against fraud compared to traditional biometric methods like fingerprints and facial recognition (Shinzaki, 2020). The technology also enhances the user experience by enabling quick, contactless authentication, eliminating the need for cards, PINs, or passwords. This makes it particularly valuable in settings such as ATMs and retail environments, where speed and convenience are essential. 

While the technology’s infrastructure costs, particularly for specialized infrared sensors, may influence the speed of rollout, they are not the primary barriers to adoption. More significant Challenges lie in driving user adoption, especially in regions where biometric methods are unfamiliar or where concerns about privacy may cause hesitation (Shinzaki, 2020). Successful deployments have demonstrated the effectiveness of phased rollouts, allowing businesses to address technical issues and gather user feedback before full-scale implementation. Additionally, integrating palm vein technology with existing systems has been key to ensuring smooth transitions, providing a seamless experience for customers without disrupting established payment infrastructures.

Many studies show the challenges with knowledge-based authentications (KBA) methods (i.e. methods that require the user to remember a secret string or pattern) to attacks such as shoulder surfing and impersonation (Wang, Chen, Liu). Furthermore, the user experience with passwords is poor, especially for the elderly, as they may experience difficulties with memory, making it challenging to remember complex passwords. On the contrary, financial institutions (FIs) are required to develop strong password policies for their users when accessing digital channels (e.g., length, formation, duration, aging, etc) and this creates further friction in the user experience and costs in supporting frustrated users to reset and gain access to their accounts.

Using a reliable and strong biometric authentication method, such as palm vein or facial recognition, in combination with non-KBA methods, such as device binding, offers several advantages for users, especially the elderly, eliminating the need to memorize and manage multiple passwords.

SAMA initiated this proof of concept (POC), with an emphasis on demonstrating how palm vein biometrics can be integrated into the user experience at multiple touchpoints. When the bank customer is onboarded, they can use the ATM to withdraw cash or purchase from merchants.

Saudi Arabia’s current banking and issuer/acquirer ecosystem was simulated to demonstrate these use cases where palm vein biometrics delivers improved user experience, mitigation of fraud, and high levels of security.

Financial Institutions are required to perform KYC on all individuals before doing business. Onboarding and enrolling a customer. Issuers (banks) will maintain their role and responsibility as issuers to perform and maintain KYC of their customers. To participate in the payment scheme, the issuer must integrate with standard APIs to onboard its customers. Issuers must provide KYC data, which is stored at the scheme and is used to generate and store biometric templates. Customers may enroll their palm vein pattern by traveling to an authorized enrollment station and securely verifying their identity via KYC data stored at the scheme. Palm enrollment devices use an encryption key to encrypt the palm vein biometric template on capture, therefore avoiding the capture and storage of raw data that could otherwise be
sensitive information. The encrypted values are then persisted in the biometric database and
referred to as a biometric template. 

This use-case has been simulated as follows:

Banks issue debit and credit cards to enable customers to perform financial transactions. This project provides the ability to link a bank account directly to a person’s identity through the use of their biometrics. The person’s biometrics are then used for identification and performing financial transactions without the need for plastic cards.

To participate in the biometric-based identity payment scheme, the bank must integrate with standard APIs to perform account linking. The bank must utilize its own existing mechanisms (Such as One Time Passcode or PIN) to strongly authenticate its customers for onboarding. The bank may then assign a token to each of its customers’ accounts using a unique Issuer Identification Number (IIN) assigned to the bank by the payment scheme provider. The bank must then return the token and metadata (Account Name, Product Label, etc) to the payment scheme provider for all accounts that have been requested to be linked to the payment scheme. Once the accounts are linked, the customer may manage default accounts and preferences when performing financial transactions using their biometric identity.

KYC is the foundation of customer identification. The solution links biometric templates for each individual to their KYC record. Customer identification is then supported using palm vein biometrics to uniquely identify an individual to perform authorized financial transactions.

Once a customer is onboarded and their palm vein is enrolled, their biometric template is associated with their KYC record, the customer may link any of their authorized accounts to their identity via Account Linking. Once an account is linked, the individual may scan their palm, which will identify the user and return to the issuer the authorized account token(s) to enable to customer to proceed with the financial transaction.

This capability was demonstrated with an NCR ATM as follows:

Once a customer is onboarded and their palm vein is enrolled, their biometric template is associated with their KYC record. The customer may link any of their authorized accounts to their identity via Account Linking. Once an account is linked, the individual may scan their palm, which will identify the user and return to the acquirer the authorized account token(s). The transaction is routed to the correct destination for processing. The financial transaction is processed using the desired financial instrument attached to the individual’s identity. This capability was demonstrated with a point of sale terminal as follows:

SAMA has partnered with IDCentriq to deliver the proof of concept (POC). In this POC, the Mobile POS and Standalone USB Palm Vein Sensor devices performed palm enrollment and identification services. The Standalone USB Palm Vein Sensor was directly integrated with a standard NCR ATM Machine to perform palm enrollment and identification functions. The following standard hardware devices are available from IDCentriq to facilitate palm enrollment and customer identification activities.

IDCentriq provides a platform to integrate biometrics into existing National ID systems and/or provide a Financial Digital ID (FDID). Integration with the platform is provided over a variety of channels.

System integration and business logic, such as biometric template matching, are provided via APIs and SDKs. Physical devices such as Microsoft Windows and Linux terminals for banking systems are supported using the Standalone USB Palm Vein Scanner and supplied drivers, which communicate with the platform for business processes such as customer identification.

Support for legacy Point of Sale (POS) terminals is achieved through the Auxiliary POS Device, which connects to the legacy POS over Bluetooth. As shown in Figure 3.2, the Auxiliary POS Device performs the customer identification activity and communicates the account token to the legacy Point of Sale device to perform the standard ISO payment transaction it performs today.

Payment scheme customers can manage their Identity profile, linked accounts (including default accounts), perform step-up authentication for high-value transactions, and view transaction history through a mobile app. Biometric templates, such as palm veins, are encrypted (AES) at the time of capture and sent over encrypted channels to matching engines to process and return tokens. Tokens are passed to integrated systems to perform business processes and transactions. Biometric templates are stored as an encrypted value in an encrypted database. The encrypted biometric template does not store sensitive personal information and is not usable outside of the matching engine’s algorithm and specific key value; therefore, it provides absolute data privacy.

The escalating threat of security breaches across diverse industries has created a pressing need for advanced security solutions, propelling the growth of the palm vein biometrics market. As estimated by IMARC Group (2024), the global palm vein biometrics market is expected to have a compound annual growth rate exceeding 18% over the next 7 years.

Key factors driving this growth include:

Technology advancements in near-infrared light and sensors have resulted in cost reductions and improved matching algorithms to enable palm vein biometrics to be used at scale as the premier biometric for identification and authentication.
‍
Leading solution providers add layers of encryption to nullify the benefit of stealing a palm vein biometric template, as the template is encrypted with a unique key and therefore cannot be used for any purpose.

IKSA Regulatory Framework
in the Kingdom of Saudi Arabia (KSA), the use of biometric authentication is governed by several regulatory standards and laws, as the country aims to ensure both security and privacy for users. 

Personal Data and Protection Law (PDPL) by SDAIA (2023) governs how personal data, including biometric data, is collected, processed, and stored. Biometric data is considered sensitive data, which requires the data to be secured at all times and consent to be explicitly received from the individual to process the biometric data, except in cases defined by law.

PDPL requires biometric data to be stored within the borders of KSA unless specific conditions are met, such as an individual providing explicit consent after being fully informed of the purpose and scope of processing the data.

The Ministry of Interior (MOI) in Saudi Arabia enforces various regulations on biometric
identification, focusing on security, identity verification, and fraud prevention. These regulations
primarily apply to sectors such as civil affairs, immigration, border control, and law enforcement.
They address the collection, processing, and protection of biometric data, especially for foreign
nationals, citizens, and residents engaging in government services. The MOI requires biometric data to be collected from citizens as part of the national ID registration process. This data is then used for identity verification in government services and transactions.

The Saudi Central Bank (SAMA) has implemented regulations such as the Counter-Fraud Framework by SAMA (2022) that promote secure authentication methods, including biometrics, in financial services. Banks and financial institutions are required to use biometrics responsibly for identity verification while maintaining data privacy.

Communications, Space & Technology (CST) has implemented regulations to mandate the use of biometrics to verify the identity of customers in the telecommunications sector.

Interoperability across palm vein sensors can be achieved by standardizing the quality requirements of the image capturing across palm vein sensors. This approach requires a certification and governance process to maintain the security and accuracy of a platform. Interoperability protects against vendor lock-in and encourages innovation.

Multiple global organizations provide standards to regulate the standards of biometric systems, including ISO/IEC (ISO/IEC 24745; ISO/IEC 30107-3; ISO/IEC 19795-1; ISO/IEC 5152:2024), ANSI, and NIST. However, palm vein biometric templates are unique to solution providers for the purpose of security and data privacy.

Interoperability across palm vein sensors can be achieved by standardizing the quality Requirements of the palm vein image capturing across palm vein sensors. This approach requires a certification and governance process to maintain the security and accuracy of a platform. Interoperability protects against vendor lock-in and encourages innovation.

During the POC, IDCentriq demonstrated the interoperability of palm vein sensors within their platform. While this is very important, it is equally important to ensure there are ample security controls to prevent tampering and avoid storing sensitive biometric data that can be compromised.

The platform demonstrated security controls through a secure enrollment process that converts sensitive, raw images into a mathematical array of numbers, which is then encrypted as a biometric template. The process executes within a secure enclave within the SDK and device to prevent tampering. The formula used for biometric enrollment is unique from the formula used for identification and authentication. This design prevents the need to store sensitive biometric data and significantly reduces the risk associated data leakage.

An SDK enables any compatible palm vein sensor to securely enroll and perform identification and authentication activities to authenticate the identity of individuals scanning their palm.

Palm vein biometric authentication is an advanced, secure, and hygienic method of identity verification that uses near-infrared light to capture the unique vein patterns beneath the skin. Its superior security is attributed to the high number of unique points of interest and internal nature of palm vein patterns, making it nearly impossible to replicate. As such, palm vein biometrics offer a significantly lower False Acceptance Rate (FAR) than fingerprint technology, which is crucial for high-security applications like financial transactions. With a low False Rejection Rate (FRR), palm vein scanning ensures high accuracy, making it suitable for sensitive environments.

As a contactless solution, it also enhances hygiene in public spaces such as ATMs and healthcare facilities, improving the user experience by eliminating the need for cards or PINs. The technology has already seen real-world applications, including in banking systems like Ogaki Kyoritsu Bank's cardless ATMs and MENA's biometric-based payment solutions. With increasing adoption in high-security sectors and government initiatives for unique citizen identification, the palm vein biometrics market is expected to grow substantially. Technological advancements continue to drive improvements in cost-effectiveness and accuracy, positioning palm vein biometrics as the leading biometric solution for secure and frictionless authentication.

In conclusion, palm vein biometric authentication represents a significant advancement in identity verification, offering a compelling combination of security, accuracy, hygiene, and user convenience. As the technology continues to evolve and its adoption expands, it is poised to play an increasingly vital role in securing our digital world.

Shinzaki, T. (2020). Use case of palm vein authentication. In Uhl, A., Busch, C., Marcel, S., & Veldhuis, R. (Eds.), Handbook of Vascular Biometrics. Advances in Computer Vision and Pattern Recognition. Springer, Cham. https://doi.org/10.1007/978-3-030-27731-4_5

Soni, Neeraj. “Aadhaar Biometric Fraud.” CyberPeace, 4 Nov. 2023, www.cyberpeace.org/resources/blogs/aadhaar-biometric-fraud.

Fujitsu. (2024). Palm Vein Pattern Authentication Technology [White paper]. Retrieved from https://www.fujitsu.com/my/imagesgig5/PalmSecure%20Whitepaper.pdf

Borak, M (2020). Companies are hacking facial recognition to make it safer. Retrieved from https://www.scmp.com/abacus/tech/article/3088834/companies-are-hacking-facial-recognition-Make-it-safer

IMARC Group (2024). Palm Vein Biometrics Market by Component, Application, and Region 2024- 2032. April 2024. IMARC Group

SDAIA (2023). Personal Data Protection Law. March 27, 2023. Retrieved from https://sdaia.gov.sa/en/SDAIA/about/Documents/Personal%20Data%20English%20V2-23April2023 %20Reviewed-.pdf 
‍
SAMA (2022). Counter Fraud Framework Saudi Central Bank. Version 1.0, October 2022. Retrieved from https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Counter_Fraud_Framework.pdf
‍
(Wang, Chen, Liu). Chen Wang, Yan Wang, Yingying Chen, Hongbo Liu, Jian Liu, User authentication on mobile devices: Approaches, threats and trends, Computer Networks Volume 170, 2020, 107118, ISSN 1389-1286, https://doi.org/10.1016/j.comnet.2020.107118 ( https://www.sciencedirect.com/science/article/pii/S1389128618312799 )