Biometric SCA · device-side only
Face recognition payment system — biometrics on the device, nothing on the wire.
topropay treats face recognition as an authentication factor, not a data collection exercise. Face ID and Google Face Unlock stay inside the buyer's phone; only signed cryptograms reach the acquirer; biometric KYC — where the merchant's vertical requires it — sits with licensed partners under their own regulated posture.
- Device-side
- biometric stays on the buyer's device — never traverses topropay
- SCA inherence
- face-as-something-you-are satisfies PSD2 SCA under the right pairing
- Partner-run
- biometric KYC delivered by licensed providers with GDPR-aligned posture
Key benefits
Why biometric SCA lifts a face recognition payment system
Four properties that show up the moment a merchant enables Apple Pay and Google Pay alongside inline card entry, then routes them through a scheme-token-aware orchestration layer.
-
Face-as-authentication, not face-as-surveillance
Face unlock happens inside the buyer's phone or laptop; only a signed cryptographic attestation reaches the acquirer. The platform never sees, stores or transmits a raw face template — the merchant doesn't inherit any biometric-storage liability.
-
PSD2 SCA without extra clicks
For European card acceptance, Face ID / Google Face Unlock inside Apple Pay or Google Pay counts as the inherence factor of a Strong Customer Authentication challenge. Approval rates lift vs OTP-based 3DS flows; the buyer sees no separate step-up screen.
-
Biometric KYC through licensed partners
Onboarding merchants (KYB) and — where the merchant runs their own trader / player / patient onboarding — buyer-side KYC is delivered via licensed biometric-verification partners. topropay orchestrates the API surface; the partner owns the biometric processing and its GDPR / regional-law posture.
-
One integration across every biometric surface
Apple Pay, Google Pay, Click to Pay, WebAuthn passkeys and the partner biometric-KYC flow all sit behind the same unified API. Adding or swapping a biometric partner is a configuration change, not a re-integration.
How biometric-SCA acceptance flows
From face-unlock to a settlement row in five steps
What actually happens between the buyer authenticating on their own device and finance reading a ledger row tagged with the SCA method used.
- 01
Buyer taps to pay
The checkout surface renders Apple Pay / Google Pay / Click to Pay alongside inline card entry. The buyer selects the biometric wallet.
- 02
Face unlock on the buyer's device
Face ID or Google Face Unlock runs against the local secure enclave. The template stays on the device; nothing crosses the wire except a signed cryptogram.
- 03
Wallet token to platform
The wallet returns a network-token cryptogram (VTS / MDES) to topropay's vault. The PAN and the biometric template never touch the merchant's origin or the platform's servers.
- 04
Route the auth
The routing engine ranks connected acquirers per BIN, currency and country pair. The biometric SCA flag is carried through the authorisation so 3DS challenges skip.
- 05
Reconcile with SCA metadata
Each settlement row is tagged with the SCA method used (inherence via biometrics, possession, knowledge). Finance and compliance can audit SCA coverage per merchant, per acquirer and per currency.
Main use cases
Where biometric auth pays back the integration effort
Five common merchant shapes that benefit from biometric SCA on the payment path or partner-run biometric KYC on the onboarding path.
- DTC
DTC checkout with biometric wallet default
A DTC brand promotes Apple Pay and Google Pay above inline card entry; SCA runs invisibly via Face ID; conversion beats an OTP-based 3DS flow.
- Subs
Subscription re-billing on network tokens
First authorisation runs with biometric SCA; the vault token is used for subsequent renewals with the merchant-initiated-transaction (MIT) exemption on European card rails.
- KYC
Buyer-side biometric KYC for licensed operators
Licensed gaming, licensed brokerage and other licence-bound verticals pair topropay's payment orchestration with a partner-run selfie / liveness KYC step before first funding.
- B2B
B2B corporate cards with biometric SCA
Corporate cards issued by European issuers commonly step up via mobile-wallet biometrics; the merchant sees the same clean authorisation shape whether the corporate buyer taps face or approves OTP.
- Travel
Travel checkouts across regions
OTAs and airlines see high biometric-wallet share on mobile traffic; the platform's biometric-SCA-aware routing keeps European conversion up without breaking any regional compliance.
Platform features
Capabilities behind the face recognition payment system
Twelve capabilities the platform exposes across biometric SCA and biometric KYC — the primitives that make the "face recognition" surface work without ever touching a face template on topropay's side.
-
Apple Pay & Google Pay
Face-unlocked wallet acceptance where the buyer's device supports it; scheme-tokenised credentials with no PAN exposure.
-
Click to Pay with device biometrics
Where the browser and OS support it, Click to Pay flows lock behind Face ID / Windows Hello for the returning cardholder.
-
WebAuthn / passkey acceptance
Optional passkey step-up on select checkouts where the merchant wants a biometric second factor without a wallet.
-
SCA orchestration
The auth flow signals which SCA factor was used (inherence / possession / knowledge) so the acquirer's 3DS decisioning respects it.
-
Biometric KYC partner APIs
Onfido, Sumsub, Jumio-class partners plug into the platform for selfie + liveness KYC on merchant and (where relevant) buyer onboarding.
-
Selfie + liveness step-up
Optional selfie-plus-liveness step-up on high-value or first-time transactions for merchants who need it, delivered by the licensed partner.
-
Network tokens by default
VTS and MDES network tokens replace the static PAN in the vault; refunds and recurring run against the token.
-
Fallback to card entry
Buyers on unsupported devices see inline card entry with selective EMV 3DS2; the merchant's checkout doesn't require biometric-only.
-
Vault tokenisation
Card data captures into the PCI DSS Level 1 vault; the biometric never touches the vault; the vault stores no biometric material at all.
-
No raw biometric storage
The platform never stores or processes raw face templates. Biometric material sits either on the buyer's device (Face ID / Face Unlock) or with a licensed KYC partner under their own regulated posture.
-
Unified dispute queue
Disputes on biometric-SCA-authenticated transactions carry the SCA metadata in the evidence pack; scheme representment is easier when SCA was inherence-based.
-
One reconciliation feed
Settlements tagged by SCA method, acquirer, currency and provider — one ledger for finance and one audit trail for compliance.
Industry relevance
A face recognition payment system for licensed merchants in EU, UK, APAC and LATAM
topropay's biometric posture targets licensed merchants operating in strong-SCA regions — EU under PSD2, UK under the FCA equivalent, and APAC markets adopting similar frameworks. The platform's role is orchestration and vault, not biometric capture. Where partner-run biometric KYC is needed for licensed high-risk verticals, it sits with a licensed KYC provider under their own regulated posture.
Trust & compliance
Compliance posture across biometric SCA and biometric KYC
One audited environment for the orchestration layer; explicit no-biometric-storage posture on topropay's side; licensed partners for any actual biometric processing.
- PCI DSS Level 1
- Card data captures into the PCI L1 vault before any acquirer sees it; biometric material never enters the vault at all.
- PSD2 SCA (inherence)
- Device-side biometrics (Face ID, Google Face Unlock) count as the inherence factor under PSD2 SCA. Selective 3DS2 keeps approval high in Europe without breaking the SCA bar.
- GDPR-aligned biometric handling
- Biometric templates are special-category personal data under GDPR Article 9. topropay does not collect or process them; the licensed KYC partner owns that scope end-to-end under their own DPA.
- Regional biometric laws
- Partner posture respects regional biometric laws (Illinois BIPA, Texas CUBI, EU AI Act biometric-remote-identification restrictions) — the merchant's compliance team confirms fit for their operating region.
- Sanctions & AML alignment
- Sanctions screening on onboarding; AML monitoring tuned per merchant vertical and volume. Biometric KYC is a signal input to AML risk scoring, not a replacement for it.
- Licensed verticals only
- Licensed gaming, licensed brokerage, regulated financial services and other compliance-bound verticals supported only where current operating licences exist. Grey and black-market verticals are out of scope. Mass-surveillance, non-consenting capture and covert biometric identification are explicitly OUT OF SCOPE regardless of licence.
Ready to lift European approval on wallet traffic
Turn biometric SCA on today — without touching biometric data.
A 30-minute review covers the wallet mix relevant to your buyers, the biometric KYC partner fit for your vertical if you need it, and a sandbox to test against before any commercial commitment.
Frequently asked
Buyer questions about the face recognition payment system on topropay
Data-handling, GDPR / BIPA / AI-Act posture, wallet-lane fallbacks, refund mechanics and the practicalities of running biometric-SCA acceptance under one API.
- 01
What does the face recognition payment system on topropay actually cover?
The face recognition payment system on topropay covers three flows: (1) device-side biometric authentication as the inherence factor of PSD2 SCA — Face ID inside Apple Pay, Google Face Unlock inside Google Pay, WebAuthn / passkey biometrics inside Click to Pay; (2) biometric KYC onboarding delivered by licensed partners (Onfido, Sumsub, Jumio-class); (3) SCA-method-tagged reconciliation so finance and compliance can audit which flows cleared under which factor. topropay does not run its own facial-recognition engine.
- 02
Does topropay store face data?
No. topropay stores no raw biometric templates. Face-based SCA runs on the buyer's device inside Apple / Google secure enclaves; only a signed cryptographic attestation reaches the acquirer. Biometric KYC data sits with the licensed KYC partner under their own regulated posture — never in topropay's vault.
- 03
How does face-based SCA compare to OTP-based 3DS in terms of approval?
In most European card portfolios, biometric SCA via Apple Pay or Google Pay clears at higher approval rates than OTP-based 3DS challenges — the buyer authenticates inside their own wallet, doesn't switch apps to receive a code, and doesn't drop out mid-flow. Exact lift is BIN- and issuer-dependent; the platform's post-transaction reporting shows the comparison per acquirer.
- 04
Which mobile wallets qualify as inherence-factor SCA?
Apple Pay via Face ID (and Touch ID where devices still ship it), Google Pay via Face Unlock (and Fingerprint), and Samsung Pay via device biometrics all qualify. Click to Pay on supported browsers with WebAuthn / passkey biometrics also qualifies. Non-biometric mobile wallets don't provide inherence and step up on possession or knowledge factors instead.
- 05
Does the merchant need a specialised integration for biometric SCA?
No. The merchant integrates topropay's unified API once and enables Apple Pay / Google Pay / Click to Pay in the dashboard. The biometric SCA happens inside the wallet; the merchant sees a normal authorisation with an SCA-method flag on the response.
- 06
What about biometric KYC — is that mandatory?
Biometric KYC is not mandatory for every merchant. It becomes relevant when the merchant's own vertical requires strong buyer-side identity verification — licensed gaming, licensed brokerage, some crypto rails, some cross-border high-risk flows. Where required, topropay orchestrates a licensed KYC partner via the same API contract.
- 07
Which biometric KYC partners does topropay work with?
The connected biometric-KYC partner panel is chosen for the merchant based on geography, vertical and regulatory fit. Typical selections include Onfido, Sumsub, Jumio-class providers — all licensed and operating with GDPR-aligned data-protection posture. Partner selection is agreed during onboarding rather than exposed as a public list.
- 08
How does the face recognition payment system handle GDPR?
GDPR classifies biometric templates as special-category personal data (Article 9). topropay avoids GDPR biometric-processing exposure entirely by not touching biometric material. Where a licensed partner does the biometric KYC step, the partner is the biometric-processing controller / processor under their own DPA — the merchant contracts with the partner directly on that scope.
- 09
What about the EU AI Act's biometric restrictions?
The EU AI Act restricts certain uses of biometric identification, especially remote biometric identification in public spaces. topropay's face-recognition posture is narrow: on-device SCA (an authentication use consented to at wallet setup) and consent-based KYC (an identity-verification use). Neither falls into the AI Act's high-risk-remote-identification category.
- 10
Is Illinois BIPA a concern for US-side traffic?
Illinois BIPA (Biometric Information Privacy Act) applies to entities that collect, capture or store biometric identifiers or information from Illinois residents. Because topropay does not collect biometric material, BIPA doesn't sit against topropay. Where a US-based biometric KYC partner is involved, the partner runs the BIPA-compliance posture for their own capture and storage.
- 11
How does the platform handle refunds on biometric-authenticated transactions?
Refunds run against the network token issued at first authorisation, regardless of how SCA cleared. The buyer doesn't re-scan their face on a refund. The refund event is tagged in reconciliation with the original SCA method for audit but doesn't re-trigger authentication.
- 12
What if the buyer's device doesn't support face biometrics?
The checkout falls back to inline card entry with selective EMV 3DS2, or to Touch ID / fingerprint where the device supports it. No merchant checkout requires face biometrics as the only option; the biometric flow is one lane inside the wider acceptance surface.
- 13
Does the platform work with third-party face-recognition payment terminals?
Terminal-side face recognition (in-store 'pay with your face' kiosks) is delivered by licensed partner acquirers and biometric-terminal vendors. topropay's role is on the orchestration / vault / reconciliation side. Merchants deploying face-recognition terminals do so via a licensed partner with the local regulatory approvals for terminal-side biometric capture.
- 14
Is the face recognition payment system suitable for licensed high-risk merchants?
Yes — for licensed high-risk verticals (gaming, brokerage, some cross-border flows) biometric SCA and biometric KYC lift both approval and compliance posture. Unlicensed operators are out of scope regardless of how they describe themselves; underwriting screens for licence before biometric-KYC configuration is exposed.
- 15
How long does it take to go live with biometric-SCA acceptance?
Merchants already integrated with topropay can turn on Apple Pay and Google Pay in the dashboard within an hour; biometric SCA rides on those wallets automatically. Biometric KYC integration with a licensed partner takes 2–4 weeks depending on the vertical, geography and partner selection.
Related
Related on the topropay platform
- Wallets Mobile payment gateway Apple Pay and Google Pay on one integration — the wallets that carry biometric SCA end-to-end.
- Controls Risk & fraud controls Velocity rules, device signals and fraud-engine connectors layered on top of biometric-SCA-authenticated traffic.
- Compliance PCI compliant payments The inherited PCI L1 vault the biometric-flow lives underneath — no card data, no biometric material.
- Compliance Compliance posture overview The wider compliance shape — PSD2 SCA, sanctions and AML — that biometric flows plug into.
- Acceptance Accept online payment, MID optional The merchant-side acceptance flow biometric wallets ride on — sub-merchant or direct MID.
- Taxonomy Types of e payment system The taxonomy wallet-based biometric acceptance sits inside — card and wallet as core categories.