The case of biometric payment cards: A quantitative study of the behavioural intention to use biometric payment cards among Swedish consumers

(1)

The case of biometric payment cards: A quantitative study of

the behavioural intention to use biometric payment cards

among Swedish consumers

Authors: Axel Rosén (990627), Erik Sondell (960615) and Evan Khalil (940401)

Autumn 2020

Informatik, kandidatkurs 15hp Subject: Informatics

Supervisor: Wipawee Victoria Paulsson Examinator: Kai Wistrand

(2)

2

Preface

We would like to begin by thanking our supervisor Wipawee Victoria Paulsson who has been supporting us through this study. A supervisor who has contributed with a helping hand through the study. We also want to thank all the students who have been giving us feedback to help our study move forward. We also like to thank all the respondents who answered our survey. Without all the responses, this study would not have been possible to conduct. Örebro

January 2021

(3)

3

Abstract

Title:The case of biometric payment cards: A quantitative study of the behavioural intention to use biometric payment cards among Swedish consumers.

Background: The rising problem with credit card fraud and existing security limitations with PIN-authentication for payments, has led the banks to develop a technological solution with enhanced security, in form of a biometric payment card (BPC). Biometric authentication utilizes ‘something that you are’, your own unique biological characteristic for authentication and additional security. Fingerprints are the most common type of biometric authentication. It is unique, as not two individuals have identical ridge patterns. Biometrics eliminate the need to manage a PIN which eliminates the risk of fraud.

Purpose:This thesis objective is to determine factors that indicate behavioural intention to adopt biometric authentication on credit cards (biometric payment card) for transactions among Swedish consumers. The thesis aims to suggest businesses' insights into Swedish customers' behavioral intention to adopt this technology so companies can form their business strategies accordingly.

Method: A quantitative research method based on a survey in form of a questionnaire (survey) was conducted to collect data, which consisted of 121 respondents. The research model was proposed through a literature review and incorporates the Technology Acceptance Model (TAM) along with an additional trust factor.

Conclusion: Based on the literature review, perceived usefulness (PU), perceived ease of use (PEOU), attitude toward technology (ATT) and Trust are the variables that were identified as key determinants of consumers´ behavioural intention (BI) to use biometric payment cards. Furthermore, based on the research data collected through a questionnaire, showed a positive and significant relationship between ATT and Trust with consumers’ BI to use biometric payment cards. PU and PEOU are found to have no significant impact on predicting BI. Keywords:Credit cards security issues, Authentication, Biometric authentication, Biometric authentication applications, Biometric user acceptance, Biometric payment cards, Behavioral Intention to use biometrics, Technology acceptance model.

(4)

4 Definitions and list of abbreviations

EMV - Europay, Mastercard, Visa, which is the standard for payment terminals and automated teller machines.

PIN - Personal identification number, is a numeric or alpha-numeric passcode used for authenticating a user access to a system.

POS- Point of sale, terminal (abbr. POS- terminal) is defined as an electronic device which purpose is to process card payments at retail locations.

ATT- Attitude towards technology PU- Perceived Usefulness.

PEOU- Perceived ease of use. BI - Behavioral Intention to use

TAM -Technology Acceptance Model T- Trust

FRR- False rejection rate RQ- Research questions BPC - Biometric Payment Card CNP- Cardholder not present

BioTAM- Biometrical technology acceptance Model ATM- Automated Teller Machine

M-payments- Mobile payment, (also mobile money, mobile money transfer, mobile wallet) payment performed from or via a mobile device as Apple Pay, Samsung Pay or Google Pay. IS- Information system

(5)

5

One of the continuing issues of information systems (IS) is identifying factors that cause people to accept and make use of systems developed and implemented by others (Phua et al., 2012). Effective implementation of any information technology (IT) or information system (IS) depends on the behavioral intention to use (BI) (Hossain et al., 2017). Behavioral intention (BI) is the degree to which an individual intends to perform or not perform a specific behaviour in the future (Davis, 1989). A new upcoming technology yet to be accepted and adopted by consumers are biometric payment cards. Many companies and Governments are realizing the advantages of using biometric security devices for protecting their computers, servers, users’ information and business assets to produce unique security systems to handle the issues related to low level security (Unar et al., 2014). Despite all the advantages of biometrics, the future of biometric payment cards rests on one core factor, user acceptance, which as of now remains uncertain.

Because biometric payment cards is a newer concept, it has not been properly explored. Essentially, there is a need for research regarding the evaluation of the user acceptance of the technology. Among the research that does exist, biometric technology has several limitations and problems that need to be addressed as security and storage issues. However, previous studies also highlighted that traditional PIN-codes can be stolen, cracked or copied and the user needs to remember a numeric code for authentication. Worryingly, recent reports of network security breaches and identity thefts affirm the fact that a strong authentication method is needed to higher the security level due to the risks surrounding the current solutions. (Piotrowska et al., 2017). Biometric payment cards aim to address these concerns by providing additional security and privacy by using fingerprints for authentication. The technology can produce unique data, and can provide automated identification, remove management of PIN-code etc. (International Journal of Science, Engineering and Computer Technology, 2017). However, the technology is still in its early stages and has not been adopted by consumers.

Sweden has a high adoption and acceptance rate of traditional payments cards, the Swedish consumers has a high level of consumer trust, as 88% of consumers in Sweden said that they consider card transactions as the payment method they trust the most (Sverige Betalar, 2017). There are 15 million cards issued on the Swedish market and 97% of the population have a charge card and a high use rate of card transactions per year (319), while the EU average is only at 116 per year. (Card Payment Sweden, 2017; Sveriges Riksbank, 2019). Thus, the biometric payment cards are something that could benefit and interest the Swedish consumer. There is therefore a need to study which factors that influence the technology from being adapted by the Swedish consumers. The question remains, what are the Swedish consumers payment card users’ behavioral intention to use a biometric payment card?

(8)

8 1.1 Problem statement

It seems that traditional authentication methods are becoming outdated and being sorted as less secure (Ju et al., 2013; Pointner, 2020), and at the same time biometric authentication appears to be the solution to this problem (Harakannanavar et al., 2018). Multiple authors agree that biometric authentication is most likely an improvement over passwords, PINs, patterns or other methods (“something users know & have) which are widely used nowadays (Piotrowska et al., 2017). Both Visa and MasterCard have been working on developing a more secure authentication and payment method relying on implementing biometrics on payment cards , running Trials and tests in several locations (Nasonov, 2017; Finextra, 2020). In the future, biometric payment cards might join the line-up of cashless payments options available to consumers. However, this type of innovation adds issues and concerns related to payment security, will it actually increase security? Furthermore, will the users accept the technology, are they willing to use the technology, and what's their attitude towards biometric authentication?

To predict the user acceptance of an information system (IS), the behavioural intention to use a technology(BI) is a key factor in measuring users willingness to adopt and use a new technology, and the probability or strength of their intention to perform a specific behaviour (Phua et al., 2012; Hossain et al., 2017). User-acceptance is one of the most important research areas, in which a particular solution is studied to find out if it becomes widely used or not. This is because if users do not like the solution enough they will likely choose another alternative (Venkatesh et al., 2003). Previous research agrees that security and ease of use (including high match rate, ergonomics, time required) are the most important improvements that users require. As of now, fingerprint authentication is the most used type of biometric authentication method. However, biometrics can be fooled by malicious users, which in turn makes some users perceive it as less secure than passwords (Miltgen et al., 2013; Chau et al., 2004). Since biometric payment cards do not exist in Sweden, hence there is a need to study the possibility of introducing such a concept in Sweden.

The objective of this thesis is to provide an insight into a behavioural intention to use biometric payment cards in Sweden since there are limited studies that exist in this research area. The studies that exist as Kumar et al., (2008) and Graevenitz (2007) contain outdated technologies and information (which need to be updated). Previous studies exist as traditional methods of authentication contra biometrics and perceived ease of use and likewise research (Ogbanufe & Kim, 2018). However, this thesis incorporates a different perspective, focusing on biometric payment cards and their acceptance level at an individual level. To the best of our knowledge, there is no prior scientific study on the Swedish market.

In relation to the covid-19 pandemic which is ongoing at the time this thesis is being written and is declared as a “Public health emergency of international concern” by WHO (2020). According to the Swedish public health agency, Folkhälsomyndigheten (2020), the illness is being spread with human contact, which can force people to adopt new ways of life and take advantage of new technology. A new way of life can include contactless payments. Thus, this

(9)

9 research is relevant because biometric payment cards eliminate the need for directly touching the POS-terminals (IDEX, 2020; Secure Technology Alliance, 2019; MasterCard, 2020). Larger sums of money might need to be authenticated also by PIN on a POS-terminal. However, in most cases it would be sufficient and practical, even in the future, in case the situation would get worse (no contact allowed) or a smaller outbreak as e.g. a flu. Hence, the importance of technology, as biometric payment cards could improve both public health and reduce the illness from being spread.

1.2 Purpose

This thesis objective is to determine the factors that indicate behavioural intention to adopt biometric authentication on credit cards (biometric payment card) for transactions among Swedish consumers. The thesis aims to suggest businesses' insights into Swedish customers’ behavioral intention to adopt this technology in order for companies to form their business strategies accordingly.

1.3 Research question and hypothesis:

In line with the purpose, this thesis posts the following research question:

What factors determine behavioural intention to adopt biometric authentication on credit cards (biometric payment card) for transactions among Swedish consumers?

To answer this research question, the following hypotheses are formed:

Hypothesis 1: Perceived ease of use (PEOU) is correlated with behavioural intention (BI) to use the biometric payment card [PEOU -> BI].

Hypothesis 2: The perceived usefulness (PU) of using the biometric payment card will have a positive impact on an individual’s behavioural intention (BI) to use the technology [PU -> BI].

Hypothesis 3: Attitude towards the biometric payment cards (ATT) will positively influence users’ behavioural intention (BI) to use the biometric payment cards [ATT -> BI].

Hypothesis 4: System Trust (T) will positively influence the Behavioral Intention (BI) to use the biometric payment card. [Trust ->BI].

(10)

10 1.4 Limitations

Firstly, the use of a quantitative methodology to collect data made it not possible to fully explore the in-depth reasoning behind the consumers’ BI. For instance, if a qualitative interview was selected instead, the researchers could then learn what respondents think is important about the topic in more detail (Bryman, 2012). However, interviews could not be performed for multiple reasons including the Covid-19 pandemic being unable to conduct physical face-to-face interviews and the restrictions from the Swedish Government that limits public meetings (of more than 8 people). Multiple public places were closed and people were recommended to stay at home (Regeringskansliet, 2020). In practice, this meant that there was limited access to individuals. Nevertheless, the number of participants would likely have been significantly smaller for face to face meetings, within the given timeframe the selected methodology was more suitable and incorporated a larger sample size. Additionally, research access was not easy to obtain, originally multiple private companies were contacted as banks, biometric technology manufacturers, biometric suppliers, biometric research companies etc. For the most part the companies never replied and the ones that did were unwilling to share information or take part in interviews. The reluctance to share information can be explained by companies not wanting to release business information that could be exploited by their competitors and hurt profitability (Bryden & Caparini, 2006). Information from companies could have provided more information about biometric payment cards and other perspectives. Had it been possible to include more qualitative methods in the current research, greater insight might have been gained.

Secondly, the survey was only available for a short period of time (around 2 months), which means that the final number of participants is not extensive. If more time was allocated for this project, the end-result could conclude in a much higher number of participants which could in turn lead to more relevant and accurate data (reduce margin of error). However, for the purposes and scope of this study the sample size and time is considered as sufficient. Another limitation was that the respondents were all inhabitants of Sweden, as the study was focused on the Swedish market. Incorporating a global perspective, with comparison to perceptions and attitudes in different markets and countries, could have led to a large sample size with interesting/relevant data.

Thirdly, limited access to the technology, as biometric payment cards are not available from retailers in Sweden and as the technology is currently under development and in early stages of releasing (Burt, 2020). It would have been interesting to test or field study the biometric payment card in practice, to see if it's applicable for “real world” applications and get more detailed data on user experiences.

(11)

11 2. Literature review

This chapter details information about the research topic biometric authentication with a focus on payment cards. Firstly, a general background on credit cards and fraud is

presented. Secondly, the authentication methods are described. Followed by biometrics and biometric technology and the threats and problems with biometrics. Then the biometric payment card use-case of biometrics is presented. Lastly, the theoretical framework is presented.

2.1 Credit cards and fraud

A credit card is a payment card whose purpose is to provide credit service to customers, i.e. allow the user to purchase goods and services, both offline and online. Globalization and the convenience of credit cards has led to an increase of credit card transactions throughout the world (Abhaya & Jha, 2014). Consequently a rapid growth in fraudulent activities followed, in Sweden, a study by BRÅ (2019) based on self-reports found that 4,9 % percent of the Swedish population between the ages 16-84 in 2017 had been a victim of credit card fraud which equals to approximately 500 000 people. According to Abhaya & Jha (2014) the increase of credit card frauds is believed to be linked to the exposure of weak points and the security weaknesses in traditional credit card processing systems. Fraud takes many different forms, a study made by Abdallah et al. (2016) classifies a fraud into two categories,

(1) Offline: Includes “offline” transaction fraud for example, the physical card being stolen by thieves, the card getting lost, or a fraudster using counterfeit cards for payments. The fraudster in most cases tries to make a physical card based purchase pretending to be the actual card-owner. This type of fraud still occurs, but is becoming less common as the card issuers can lock lost cards if the theft is reported (Sushmito & Reilly, 1994).

(2) Online: Includes fraud related to remote card transactions, i.e. CNP. Where credit cards' information are stolen in online transactions via the Internet, mail or phone. Using one of the following methods to get access to the card's details: Skimming, Site Cloning, Credit Card Generators and Mail/telephone order scams or phishing, etc. (Patidar & Sharma, 2011). In this type of fraud the card holders are not aware that their credit card information is obtained, this type of fraud has become more common and rising in popularity among fraudsters (Parusheva, 2015).

(12)

12 2.2 Authentication

These types of problems are related to the management of who has access to the systems. In information systems, authentication is used to restrict unauthorized users to a system (Baur & Boche, 2018). According to Idrus et al. (2013) as of now, authentication still represents the most advantageous way for security enhancement in commercial applications. Authentication is a method that requires someone to verify who they are and relay credentials to prove you are who you say you are. Authentication systems aims to provide the answer to these questions:

(I) Who is the user?

(II) Is the user really who they represent themselves to be? (Idrus et al., 2013).

According to Abhishek et al. (2013) and Idrus et al. (2013) authentication credentials can take different forms, but can be categorized into different authentication factors. The four most recognised factors are mentioned below (other factors also exist):

“Something the user owns”: Represents the lowest level of security, something that the user has in its possession (Traditional authentication method).

“Something the user knows”: Represents the second level of security, which can be a password or a PIN code (Traditional authentication method).

“Something that you are or something that you do”: Represent the highest level of security, a fingerprint, DNA fragment, voice pattern, hand geometry or iris (Biometrics). Multi-factor-Authentication: The authentication process can be based on a combination of two or more of the previous authentication factors. For instance, a system that combines two of the other categories, e.g. PIN and fingerprints for login.

Credit cards basically use both, something the user owns (physical card) and something the user knows (PIN). For instance a user needs a bank credit card and PIN if he wants to make a withdrawal from an ATM. The PIN-code is usually a 4-6 digit identification number and is entered into a POS-terminal during a purchase (Korauš, 2019). After performing different attacks, Bultel et al. (2018) found that the security of such methods is questionable referring to PIN-code authentication. Adding that it is possible for someone with malintent to see the PIN code being entered into a POS and then later on steal and use the card (shoulder attack), i.e. the attacker follows the user authentication process and identifies the PIN-code

(Srinivasan, 2018; Bošnjak & Brumen, 2019). Rasmussen & Rudmin (2010) outlines the problems with remembering multiple numeric codes for banking, online accounts, phones etc. and predicates the problem to be likely increased. Korauš et al. (2016) describe this problem as PIN code safe-keeping, their study found that those who are afraid to forget the PIN, write it down on a piece of paper and then carry it together with their credit card. Korauš et al. (2019) analyzed the security aspects of payment cards with PIN-code and the attitude among users and found that 38.50 % of those in the ages over 60 years have a date of birth encoded as their PIN code. Adding that a PIN-code encrypted with the date of birth exposes the users

(13)

13 to potential risks and sorts as the weakest point in payment cards, which the user is unaware of.

2.3 Biometrics

Harakannanavar et al. (2018) describes biometrics as a method to make authentication more robust and secure as biometrics is defined as the study of human authentication by their physical and/or behavioral characteristics. The term biometrics is derived from the Greek words bio which means life and metric which means to measure. Biometric authentication methods are increasing in popularity and the technology is being used on a daily basis (e.g. to unlock smartphones with fingerprints) (Blanco-Gonzalo et al., 2019; Buckley & Nurse, 2019), the reason for this could be that biometric sensors such as fingerprint scanners or cameras are being implemented into daily objects (as phones and computers). The technology is increasing in quality and decreasing in cost, with these advancements the availability has increased and physical products can be made smaller.

Gulliksen & Göransson (2002) describes that a system should be designed from the user perspective (i.e. user-centered design). Furthermore, Karlsson (1998) describes that users’ needs should be central in systems development and be highly prioritized, something that Collin (2003) also insists by bringing up users involvement, warning that users need to be met or the systems desired effect will be absent. Continuing on the same track, previous research on biometrics indicates that biometric systems have different requirements and user needs than traditional systems. For instance, Al- Rahawe et al. (2019) and Krishna et al. (2013), emphasize that when designing a biometric system, certain factors are needed to be taken into consideration, such as:

● Universality: This factor depicts that the user should possess a valid biometric trait and further relates to the user experience of the system, e.g. interactions with the biometric system should not cause inconvenience or harm to the user (ease of system interaction). For instance, Chan et al. (2018) describes that people with specific diseases or disabilities can/may not be able to use biometric systems.

● Uniqueness: grounded on all individuals across the population should possess the distinct features, i.e., the chosen identifiers such as fingerprint, and the properties should be unique to the individual.

● Permanence: The biometric characteristics or traits should remain consistent for longer periods of time and not be affected by disease or age.

● Performance: Relates to performance and accuracy factors, the system needs to be reliable and designed in a way that the system performs at an acceptable and useful, false rejection and acceptance rate.

● Acceptability: The biometric application or solutions need to be accepted by the target population who will use the system, e.g., some users may be uncomfortable using biometric systems such as Facial-Recognition for Payment (Zhang & Kang, 2019).

(14)

14 ● Security: Traits related to the security aspect of the system, i.e. a biometric system

should be secure and resistant to potential spoof or template attack and also not be reproducible.

In summary, the developer must understand both the application requirements and the application environment and take the previously mentioned factors into consideration while implementing and designing the biometric system. In general a biometric system follows the mentioned factors and utilizes a pattern recognition system. The biometric system

authenticates a user by measuring certain biometric characteristics (traits), which are possessed by the user. Those traits are compared against stored traits in a biometric

(template) database. To simplify, a biometric authentication system is an automated method in which the user’s identity is authenticated/verified by capturing their unique

behavioral/biological characteristics (Krishna et al., 2013). A biometric authentication system generally consists of two main parts. The first main part is biometric enrollment, the system captures the chosen biometrics (e.g. fingerprints) from the biometric device and then the input is processed and enrolled. The captured biometric is stored into a biometric database or on an object (e.g. a card). The second part is biometric authentication, the input from the biometric device is scanned and then the biometric input is processed and extracted. The input is then matched with reference models from the database, to distinguish genuine users from impostors. The application then provides a matching score to the user either approved (match) or disapproved (user becomes discarded) (Kaushik, 2019; Krishna et al., 2013; Al- Rahawe et al., 2019) (see fig 1).

Fig 1. Overview and simplified description of how a biometric system works, adopted from (Banerjee et al., 2014; Krishna et al., 2013). Describes the enrollment and authentication process of a person using a biometric security system.

The most common type of biometric authentication techniques are fingerprints, where the users provide their identity with their fingerprint. A fingerprint consists of different patterns such as loops, arches or whorls. The unique characteristics of the fingerprints is captured using a sensor device (Kumar & Walia, 2011). The unique attribute fingerprints have is an advantage, as two individuals will have identical ridge patterns (i.e. the papillary ridges on the ends of the fingers and thumbs). Additionally, an advantage is that biometrics eliminates

(15)

15 the need to manage PIN, which the user can forget. Biometrics cannot be forgotten, lost, and in most cases often not even stolen (e.g. fingerprint). However, if the finger is for example injured or dirty, the input may not be accepted. In addition, some people may not be able to use fingerprint authentication, because they have too ‘weak’ ridge patterns, resulting in the sensors being unable to read their fingerprints. The fingerprint authentication system might have troubles recognizing wet or wrinkled fingers. Kumar & Walia (2011) states that there is no perfect biometric solution that fits all users' needs and is without disadvantages.

2.4 Limitations and threats against biometric technology

Regardless of its advantage in providing unique identity and authentication, biometric data might be particularly vulnerable than any other kind of data due to its sensitivity. To exemplify, traditional passwords and PINS can be changed while a fingerprint or iris scan cannot be changed, which means once the data is leaked, it becomes irreversible according to Albacete (2008). Biometric technology can only capture one unique identity that can never be changed according to Simske (2009). This static nature of biometric data makes it prone to identity based threats. Meaning, once your biometric data has been compromised, it may no longer be in your control. AlienVault security expert Javvad Malik in an article shared by Biometric Technology Today (2019) points at the basic nature of hacking the traditional identifiers, where hackers get access to a limited and not too valuable data. While using unique identifiers the risk of accessing biometric data becomes greater, and hackers have the potential to steal someone’s identity or manipulate detrimental private and public information relying on the hacked data (e.g. government issued ID or a password). That's why biometric data needs to be protected as any other form of identity authentication tool to prevent potential misuse.

For instance, authentication credentials, such as fingerprint scans or voice recordings can leak from devices, company servers or software used to analyze them. Last year, Biometric

Technology Today (2019) reported that one million fingerprints records and facial images were stored in an open database. Privacy researchers found open fingerprint, face and other personal data totalling over 27 million records and 23 gigabytes of data in an open database. The Biometric Technology Today (2019) reported that a similar leak of data took place by the Chinese company SenseNets when the company left 2.57 million sensitive data records of 2.5 million people visible on the internet for several months. Other limitations biometric systems has are followed:

Biometrics are public, a person's eyes, ears and face are exposed, as Albacete et al. (2008) mentions that a person leaves fingerprints everywhere they go and a person's voice could be recorded when they talk. To exemplify, a criminal can take a high-resolution photo of your ear from afar or copy your fingerprints from a glass you leave at a cafe. This means that all types of biometric identifiers could be accessed, unlike a traditional password which is inherently private because the person is the only one who knows it (Jindal et al., 2018). Biometric systems are vulnerable to spoofing (deception or direct attacks), according to Hadid et al. (2015). The fingerprints left on surfaces can then be lifted according to Precise Biometrics (2020) with methods as e.g. lift tape, cyanoacrylate fuming and photography.

(16)

16 Fake fingerprints can also be created from moulds using household material as latex paint, modelling paint or gelatine. For instance, an article written by Roberts (2016) details how a biometric company employee was able to open an iPhone, by making a copy of fingerprint with Play-Doh (modelling compound) to trick the smartphone’s TouchID (Apples built in security system). A spooﬁng attack is defined by Biggio et al. (2011) as stealing, copying and replicating synthetically a biometrics trait. The purpose is to gain unauthorised access by defeating the biometric system security (see Fig 2). From a security perspective, Biggio (2011) mentions that spoofing attacks does not require any knowledge of the technological system as matching algorithms etc. Thereof, traditional informatics security methods as hashing, encryption or digital signature are not effective against an analogue attack. Problems related to identity management and security. The security issues regarding biometric data focus on how sensitive information is captured, stored, processed, transmitted and accessed. There are many ways in which biometric data can be used and accessed, with little to no attention to its sensitivity and immutability (Ebelogu et al., 2019). Today’s modern mobile phones, tablets and cameras capture some biometric data and store it even if it is not used to authenticate or authorize. This information could potentially be used to hack into your devices or accounts. Your fingerprint or face scan (template data) stored in the database could be replaced by a hacker to gain unauthorised access to a system (see Fig 2). The concern is that personal data could be collected and without user consent (Ahmad et al., 2012).

Fig 2: Demonstrates the points of attack in a generic biometric system (Adopted from (Campisi, 2013)).

(17)

17 2.5 Biometric payment card

Despite the problems and limitations of biometrics, previous studies and multiple authors agree that biometrics are inherently more reliable, secure and more capable than traditional knowledge-based authentication (Kumar & Walia, 2011; Ogbanufe & Kim, 2018). Resulting in biometric technology becoming more common and used in different applications. The financial industry has historically used biometric technology in banking and finance, e.g. to access safety deposit boxes Previous research has shown that the consumers consider biometric authentication more secure than credit card only (or credit card + PIN), i.e. traditional authentication(Ogbanufe & Kim, 2018). Furthermore, consumers seem to still prefer credit cards over m-payments (Card Payment Sweden, 2017). Even though they perceive the technology as less secure, e.g. as credit cards can also be stolen and cardholder information can be intercepted during a transaction. This has led the banks to start

manufacturing biometric payment cards with the aim to address the security concerns and issues with PIN by providing multi-factor authentication to credit cards and a strong identity check, e.g. to clarify entering a PIN does not require identity control. (SSH Communications Security Corp, 2007; Bultel et al., 2018; Biometric Technology Today, 2015; Secure

Technology Alliance, 2019).

Limited research exists about biometric payment cards. However, studies with related context and concepts exist, such as biometric payment and authentication. For instance studies on biometric authentication applications by Sauveron (2009) who researched smartcards and list the banking industry as a potential area to implement biometrics to credit and debit cards. Piotrowska et al. (2017) also researched biometric applications to the polish bank sector and discussed biometric smart cards as potential applicants. Using biometrics to make

m-payments which would increase security has been researched by multiple authors and seems trending in biometric research. For instance studies by Pal et al. (2017) who researched securer mobile payments solutions with biometrics. Further, studies also by Sreedharan (2016) and Zhang & Zhang (2013) research biometrics and ATM:s.

Therefore it is hard to find information on biometric payment cards, an assumption is that BPC would work similar to a biometric smartcard and use fingerprint for additional security and authentication. At the time of writing biometric payment cards exist in some countries and it's being tested in different countries (Secure Technology Alliance, 2019). According to the manufacturer of the biometric payment cards, the cards would conform to existing EMV standards and use typical safety measures like end-to-end encryption along with tokenization. Thus, adding additional level of security by integrating the credit card with a fingerprint-sized biometric sensor. In theory it would like a traditional credit card, i.e. the card would be placed on a POS- reader, but instead of entering a PIN, the user authenticates the purchase with a fingerprint placed on card (Oleksiuk, 2020; InPaymentsMag, 2018; Mastercard, 2020). The benefit of this would be,

(18)

18 ● Increased security: Fingerprint data is encrypted and is only stored on the card

similar to a biometric smart card. Thus, eliminating the need for a central database connected to the internet that PIN requires, which in turn protects the users’ sensitive data from hackers. To prevent spoof attacks, e.g. as a duplicated 2D- print or rubber fingerprints, the technology incorporates electrical capacitive sensing. Also as biometrics are both private and uniquely personal, a person with malintent cannot guess your biometrics, unlike PIN, which can be guessed (Piotrowska et al., 2017) (Korauš, 2019).

● Hardware Upgrades Unnecessary: The biometric card is designed to work with existing payment terminals that accept contactless- or chip-based payments. ● Ease to use: Minimal time is needed for learning how to use the technology. Users

might find it simpler placing their finger, than entering and remembering a code. Compared to m-payment, not every user has a phone or is interested in using it for payments (Mastercard, 2020; Secure Technology Alliance, 2019).

● Self-charging: The biometric sensor is powered by the payment terminal, which eliminates the need for an embedded battery or the need to recharge the card.

Compared to m-payments, where the phone needs to be recharged (NAYAX, 2019). ● Time saving: Queueing times has the potential to be reduced, as a quick tap of the

card on a POS-reader is all it takes to perform a transaction, which is faster than entering a PIN-number and a forgotten PIN code can slow down the checkout-process (Secure Technology Alliance, 2019; Mastercard, 2020; InPaymentsMag, 2018). In theory a biometric payment card seems to be an improvement that is more secure and user-friendly. However, Buckley & Nurse (2019) suggest that the biggest barrier for biometric solutions to become widely used is the acceptance among users.

2.6 Behavioural intention

According to Pons and Polak (2008) user acceptance is a key factor for the success of a biometric system. To measure user acceptance and predict users’ later usage of a technology, researchers describe the behavioral intention to use (BI) as a central concept (Venkatesh et al., 2003). BI is the degree to which an individual intends to perform or not perform a specific behaviour in the future, in this case using a biometric system (Davis, 1989). Previous

research indicates that an implemented biometric system needs to be easy to use and

transparent, in order to avoid the user to become hesitant, fearful or uncomfortable (Habibu et al., 2019; Kumar & Walia, 2011). A study on user acceptance on biometric systems by

Albrecht (2001) describes that simplicity, convenience and speed could contribute to higher acceptance rates among users. That the “operation” needed to be as intuitive and simple as possible, preferably with authentication with natural and everyday motions which are not needed to be learned. Furthermore, the users expressed and desired to receive feedback and wanted an effective verification process, with low False Rejection Rate (FFR).

(19)

19 Previous research by Blanco-Gonzalo et al. (2019) indicated that a high percentage of users distrusted using biometrics for high security tasks, such as banking transactions. However, in a survey by Biometric Technology Today (2018) fingerprint scanning was rated as the authentication method that citizens would be most happy using. Another study by Biometric Technology Today (2016) on the British population contradicted this, which instead found that the majority of people favored passwords over biometric authentication methods. The card manufacturer Zwipe (Rouhiainen, 2020), surveyed the interest towards biometric payment cards among the Swedish consumers, their findings was that 70% of Swedish consumers would be interested in having a biometric payment card. However, it’s hard to validate the reliability of their result, because of the conflict of interest as the company has clear interest to showcase a favorable result.

2.7 Theoretical framework

This section outlines the theoretical framework and relevant technology acceptance theories and models. Due to the importance of user acceptance there are multiple theories that attempt to understand, explain, and anticipate the technology acceptance among users. Among these theories, the following theories were selected for the theoretical framework:

2.7.1 Technology acceptance model (TAM)

Technology acceptance model (TAM) shown at fig 3, was proposed 1989 and has the purpose to find the probability that a group of people or organisations will use a new technology (Turner et al., 2009). TAM is based on the theory of reasoned action and is grounded on the hypothesis that the intention to use a technology and acceptance level of it can be discovered by users’ attitude, intentions and thoughts about that technology (Turner et al., 2009). TAM is a model that would predict the individuals view on technology before it comes to the market. It is measuring the effect with four different variables which are Perceived ease of use (PEOU), Perceived Usefulness (PU), Attitude (ATT), Behavioral intention to use (BI) and Actual system use (see fig 3). PU and PEOU is one of the most important constructor in TAM because a user's acceptance of a technology has a big influence on these two components. Moreover, PEOU and PU are affected by external components which are important to understand and implement to explain the users technology adoption. It is important to add external components into TAM to be able to understand the reasons for a technology to be adopted or not (Abudullah et al., 2016). Furthermore, trust is a key

component in online store purchases with biometric authorisation and the willingness to continue using a system is linked to the users’ trust of the system (Ogbanufe & Kim, 2017). Due to the importance of trust in online stores purchases and the use of trust in other

scientific models such as BioTAM, trust is an important component for developing and extending TAM. The reasons for selecting TAM and not other scientific models as BioTAM, along with the suitability of using TAM as a theoretical model is discussed in section 2.7.9.

(20)

20 Fig 3: Davis (1989) Technology acceptance model.

2.7.2 Perceived ease of use (PEOU)

Perceived ease of use is how users perceive a particular technology as being easy or difficult to use (Venkatesh et al., 2003). PEOU represents a level of effort that users will have to make in order to start using a certain technology, i.e. a lower effort will in turn lead to a higher adoption rate (Henderson et al., 2003). Previous research found that the perceived ease of use influences the attitude and intention to use biometrics (Akinnuwesi et al., 2016; Miltgen et al., 2013; Ko, 2014). This means users are more likely to adopt biometric payment cards if they are easy to use. These literature has led to a formulation of research hypothesis: H1: Perceived ease of use (PEOU) is correlated with behavioural intention (BI) to use the biometric payment card [PEOU -> BI].

2.7.3 Perceived Usefulness (PU)

Perceived usefulness is the degree in which an individual believes that using a particular computerized system will help him or her to perform work better (Venkatesh et al., 2003) (Davis, 1989). To simplify, the user perceives the system to be an effective way of

performing the task(s) (Davis, 1989). In the context of biometrics, perceived usefulness is interpreted as an adoption of information technology which can save time, increase security and improve user experience. Previous research found that perceived usefulness is a

significant driver of the behavior intention to use biometrics and were found to influence the adoption of biometrics (Rashed & Alarjarmeh, 2015; Chau et al., 2004). These literatures led to a formulation of research hypothesis:

H2: The perceived usefulness (PU) of using the biometric payment card will have a positive impact on an individuals’ behavioural intention (BI) to use the technology [PU -> BI]. 2.7.4 Attitude toward technology (ATT)

Attitude is defined by Fishbein & Ajzen (1975) as the individual’s evaluation of an object, i.e. attitudes are affective and based upon a belief about the object (e.g. using a credit card for payments is convenient). To clarify, attitude is not a behaviour in itself but rather a

(21)

21 disposition that influences a particular behavior of people (Fishbein & Ajzen, 1975; Lai, 2017). In the context of biometrics, previous literature posits that attitude has an influence on the behavioral intention to use biometrics (Seyal & Turner, 2012; Ko, 2014; Riley et al., 2009). Seyal & Turner (2012) researched the behavioural intent of the executives towards biometrics through their attitudes. Their conclusion was that government officers’ attitudes towards biometrics is a predictor of behavioural intention. Ko (2014) who studied the acceptance of biometric technology by employees in hotels, concluded that the attitude toward using biometric systems was related to the intention to use biometric systems in hotels. Riley et al. (2009) who investigated attitudes towards biometric technology in different cultures, concluded that cultures with a positive attitude towards the use of biometric systems were likely to become users of the technology. These literatures led to a formulation of the following research hypothesis:

H3: Attitude towards the biometric payment cards (ATT) will positively influence users’ behavioural intention (BI) to use the biometric payment cards [ATT -> BI].

2.7.5 Trust (T)

Trust is defined as one party (trustor) relies on the actions on the other party (trustee), i.e. a biometric system must provide a trusted information system to its users (e.g. protect against theft and misuse while maintaining anonymity) (Ring & Van de Ven, 1992; Ngugi et al., 2011). Research has shown that if a person would trust the technology, needs privacy to be preserved, security is guaranteed and the user needs to have confidence in the technology (Kanak & Sogukpinar, 2017; Wu et al., 2011). As the consumers' trust increases, they are more likely to perceive the system with less risk (than if trust were absent), i.e. the effect of trust on the users will influence their intention to use and to accept biometric technology (Miltgen et al., 2013; Ngugi et al., 2011). Miltgen et al. (2013) who examined the individual acceptance of biometric identification techniques in a voluntary environment, their results suggest that building the users' trust (T) in biometric identification systems had an effect on BI. Ngugi et al. (2011) who investigated the different factors that determined the user

intention to use a biometric system, their founding was that trust is one of the most important factors in the intention to accept a new biometric technology and that trust was the most influential predictor of BI. These results should be applicable to the biometric payment card as well. Therefore the following research hypothesis was formed:

H4: System Trust (T) will positively influence the Behavioral Intention (BI) to use the biometric payment card. [Trust ->BI].

2.7.6 Behavioral Intention to use (BI)

The BI is an outcome variable, which is determined by the previously described constructs, PEOU, PU and ATT that have an indirect effect on the BI. Fishbein and Ajzen (1975) describes BI as the most important factor to measure users' acceptance of a technology. The former affects the latter, e.g. if the user feels that the biometric payment card is easy to use, perceives it as useful and has a positive attitude towards the card, the user is then prepared to

(22)

22 use the technology in practice (Liu et al., 2010). The causal relationship between these

variables have been proven by previous literature as Venkatesh et al., (2003). 2.7.7 Excluding Actual System Use from TAM

Originally, the Actual System Use is a key component from TAM but “the TAM variables are much stronger predictors of the behavioural intention to use a technology than the actual usage of a technology” (Turner et al., 2019). The biometrics payment cards will come to the Swedish market in 2021 (Forsman, 2020). As a result, it is not possible to test the actual system use component from TAM at this point in time. Therefore, it will be excluded in this study.

2.7.8 Conceptual Model of this Study

Based upon the previous theoretical concepts and constructs described, the following model was created (see Fig 4). This conceptual model was designed in accordance with the previous literature, i.e. the items were selected because of their high relevance in previous literature.

Fig 4: Research model

2.7.9 Suitability of using the Technology Acceptance Model (TAM) and the conceptual model

In the Information Systems (IS) field, the Technology Acceptance model (TAM) has been frequently used by researchers to study the adoption of various technologies (Koul &

Eydgahi, 2017). TAM is considered to be broadly accepted and has been proven applicable in multiple studies (Malatji et al., 2020). The model has arguably become one of the most influential theories and according to Lim (2018), TAM has been cited 79,000 times on Google Scholar. This indicates that the model is suitable for predicting behaviors.

Previous studies by Lim (2018) on the suitability of the TAM, highlights the model as both intuitive and easy to use. Further, the TAM-model can be expanded and adjusted, with

(23)

23 additional variables. The adjustability of the model means that the researcher gets the benefits and flexibility of integrating extended and contextualized motivational influences and user behaviours based on emerging realities in contemporary technology-mediated environments (Malatji et al., 2020). To simplify, the research can either add or remove variables from the model, an example of such extension are BioTAM, TAM2 and UTAUT.

On the other hand, Bagozzi (2007) criticizes the different extension of TAM and states that these additions help broaden TAM in the sense of introducing additional predictors for either PU or BI. However, these extensions have not deepened TAM, in the sense of explaining PU, BI and PEOU, but instead they reconceptualizing existing variables in the model or

introducing new variables which explain how the existing variables produce the effects they do. Further, Bagozzi (2007) mentions that the extensions introduce moderators into TAM which focuses on experience, demographic variables (e.g., gender, age) or classifications of the context of use (voluntary/mandatory). Adding that these additions does not provide theoretical insight into the underlying reasons behind the proposed interaction effects, and that potentially an infinite list of such moderators exists, stating that “making such

broadenings of TAM are both unwieldy and conceptually impoverished”.

Another problem with the extended versions of TAM are that they exclude or replace the main constructs of TAM, such as ATT, PEOU or PU. To give an example, TAM2 does not include ATT and UTAUT excludes and replaces all of the main constructs (Malatji et al., 2020). Previous research found that these main constructs had an impact on BI, consequently the original TAM-model was selected as it includes all of the main constructs. Furthermore, some of the extensions are only suitable for certain applications or research fields and were therefore not suitable to include in this study (Malatji et al., 2020). Another reasons for not selecting the extended versions of TAM are that they incorporate factors related to the actual use of the system (A). For instance, the extension BioTAM (Biometric Technology

Acceptance model) posits that BI of using a biometric system is influenced by practical and psychological factors as UI (user interfaces), enrollment, verification procedures, devices, and other auxiliary tools. BioTAM includes technical criteria as accuracy, error rates and average entropy. BioTAM also focuses on objective measures and assessments of privacy and security by computing false rejection rate (FRR), energy efficiency rating (EER), failure-to enroll (FTE) etc. (Kanak & Sogukpinar, 2017). This study is limited failure-to subjective methods (questionnaire), the technical aspects of the system cannot be tested and measured as

biometric payment cards are not available on the Swedish market. In addition, limited information exists on the security and privacy aspects of biometric payments cards.

Incorporating BioTAM would be better suited for studies who research the actual usage of a biometric system (A) and the technical aspects of biometric systems. Where the researcher has access to the technology and can research the users’ experience with the actual system. Moreover, BioTAM is better suited for more developed and established technology

However, this study extends TAM as suggested by Abudullah et al. (2016) with the component, trust. The original model remains unmodified and incorporates all the main components of TAM, following the critique by Bagozzi (2007). Scientific model as BioTAM

(24)

24 also identifies trust as a key component. There is a difference on how this study measures trust compared to BioTAM, which attempts to measure trust as objectively as possible by measuring users confidence and willingness. While this study focuses on subjective measurements and the social factors that influence peoples’ intention to use a technology. Further, BioTAM does not directly state that trust (T) leads to BI, and instead that trust (T) will lead to increased perceived usefulness (PU) and perceived ease of use (PEOU). PEOU and PU in turn will have a positive effect on users’ behavioural intention (BI) to use the biometric system (Kanak & Sogukpinnar, 2017). If BioTAM was used in this study

unnecessary complexity would be added, as two or more additional hypotheses would then need to be created, instead of one hypothesis. This study instead follows the research by Miltgen et al. (2013) and Ngugi et al. (2011) which directly states that trust (T) will influence the behavioral intention to use (BI) a technology.

One limitation of the conceptual model is that the model does not combine different variables as PEOU and ATT together, combining variables could have led to different results and new findings. This is left for future studies to do, as this study purpose is to determine the factors which influence the behavioural intention, thus the focus is to determine the independent (individual) factors and their effect on BI and not the possible combinations.

This research also acknowledges the possibility that the other extensions of TAM may include factors that could influence the consumers’ choice which the TAM-model or the conceptual model does not take into account. For the scope of this study the included

variables are deemed sufficient and it is unreasonable to expect that one model could explain all decisions and behaviors fully across a wide range of adoption situations and decision making process. In the future, a better technology acceptance model or extensions (e.g.

combination of BioTAM and TAM2) may exist which solves the current limitations of TAM. Future studies should consider this and see this research as base, in which future research can modify the conceptual model either with addition or removal of variables, the possibility also exists to incorporate/combine other frameworks.

(25)

25 3. Method

This chapter outlines the research methods that were followed in this study and describes the reasons for the choices. Describes insights into how this research was conducted and the details about the data collection (sample size, respondents etc.). Additionally, brief information on which research methodology was used and why.

3.1 Literature research

To be able to answer the research question, a qualitative literature research was conducted. A literature research is a research where literature in a specific area is analysed with the focus on understanding and analysing the science. Literature as scientific journals, conference papers, reports, books were included in the study, most of them were peer reviewed. For an article to be called peer reviewed, it must be reviewed by other scientists in the same subject area and then approved. Moreover, all our literature meets the criteria for source criticism. The criteria used to determine credibility are validity and reliability (SBU, 2017). Validity means how truthful a source is. All data is valid and trustworthy and the scientist needs to get the same result from repeated measurements under the same conditions. Time, authenticity, dependence, and tendency are other criteria that were applied to determine the credibility of the source. A scientific source needs to be relevant, original, contain references and be independent of value and opinions (Örebro Universitet, 2018).

To find relevant information about the subject different databases such as Primo, Google scholar, EBSCOhost, Sciencedirect and IEEE Xplore were used, CINAHL Plus (see Fig 5). To find relevant articles the keywords were used to search the databases are: Credit cards security issues, Authentication, Biometric authentication, Biometric authentication applications, biometric technology limitations, Biometric identification, Biometric fingerprint advantages, Biometric user acceptance, Technology Acceptance Model, Biometric payment cards, Swedish card market.

3.1.2 Selection

To narrow the results and select relevant material, inclusion and exclusion criteria were set. In order to set boundaries for the systematic review. These criteria were determined with the research question in mind and the number of hits as each result had (Patino & Ferreira, 2018). The inclusion and exclusion criteria for this study were:

Inclusion criteria: English or Swedish papers/journals/website/reports that provide answers to the proposed research question. Studies with a focus on biometrics, authentication, user acceptance, technology acceptance model. Peer review scientific journals, reports or conference papers.

Exclusion criteria: Studies written in other languages. Studies that are not related to the research area or research question. Duplicated studies or with unproven statements and generalizations.

(26)

26 The Boolean operators AND and OR was used to get the desired information, AND is used for specific searches and OR for wider searches (KTH Biblioteket, 2020). To give an example, a search with two different keywords (1) “biometric identification” and (2) “biometric authentication”, gave different results. In the first search the operator “OR” was used, i.e. biometric identification OR biometric authentication. The search results using the database EBSCOhost were 226 and in the database Primo, 232 465. To clarify, using this operator resulted in a non-specific search which generated wider results. The second search used the operator AND, i.e. biometric identification AND biometric authentication. This search resulted in 15 hits using the database EBSCOhost and 7 594 in database Primo. Meaning, by using this operator AND the search became more specific and resulted in fewer results. Table 1 demonstrates the different searches on how the Boolean operators (AND, OR) generated different search results.

Database searched words AND operator results OR operator results

EBSCOhost biometric identification,

biometric authentication 15 finds 226 Primo biometric identification,

biometric authentication 7 594 232 465

Table 1: Presents the different search results depending on which logical operator that was used.

(27)

27 Fig 5: Describes an example of different searches made in the database Primo and the path analysis, from a broad search to eventually a specific research topic, i.e. biometric payment card. Firstly, a general keyword “credit card security issues” was used which generated a lot of hits. Then after reading some of the articles, a central theme was found, which was used to construct a new keyword (which then resulted in new hits). The keywords got more specific for each keyword specified for the subject, resulting in a research topic. Where,

N = Number of hits on the database Primo.

N* = Number of peer reviewed hits on the database Primo. For more information, see appendix 4

3.2 Research design

A variety of methodologic approaches exist for conducting research. To select a research approach depends on a number of factors as purpose, type of research question and

availability of resources (Ponte, 2015). Bryman (2018) emphasizes two main approaches for conducting research- quantitative and qualitative research. Quantitative research is the main method used for this thesis.

3.3 Quantitative research

Quantitative research is an approach for testing theories by examining the relationship among variables. These variables, in turn, can be measured, so that numbered data can be analyzed using statistical procedures to find patterns and averages, test correlational relationships and generalize the results to a wider population. On the other hand, qualitative research collects and analyzes non-numerical data (such as text). The collected quantitative data and

information is analyzed using statistical procedures and hypothesis testing (Creswell & Creswell, 2018). A quantitative research method was employed in order to answer the research questions as these questions deal with connections among multiple variables and measurements for example, ATT and BI. Compared to a qualitative approach which is more suited for e.g. understanding an event or phenomenon, which in turn do not require concrete hypotheses or structure. Quantitative research focuses on collecting data as opposed to insight. The collected data is statistically valid and can be generalised to the entire user population.

Quantitative research entails a deductive approach to the relationship between theory and research by testing theories. The researcher, on the basis of what is known about in a particular domain deduces hypotheses that must then be subjected to empirical scrutiny. Embedded within the hypothesis will be concepts that will need to be translated into researchable entities (Bryman, 2012). This study attempts to verify the hypotheses. A hypothesis is according to Funmilayo (2014) empirically verifiable if “possible observation statements logically imply the truth of the stated claim” (Verification Principle). “If actual

observation statements do imply the claim, then it is verified. To give an example, "This raven is black" verifies that "There are black ravens." However, a hypothesis can be rejected if these predictions are shown not to be correct. To give an example, the hypothesis “All swans are white”, can be falsified by observing a black swan. Meaning researchers need to

(28)

28 formulate their theories in a way that makes them testable (Gilje & Grimen, 2007).

Furthermore, this research followed a deductive approach using the predetermined theory of TAM, because the research aim is to verify TAM in the context of consumers' acceptance of biometric payment cards. The developed model will be validated and examined empirically through rigorous testing. Previous research on TAM follows the same research approach (Ngugi et al., 2011; Miltgen et al., 2013; Ko, 2014; Seyal & Turner, 2012). The motivations are summarized in table 2.

Features

(Source) Quantitative research Qualitative research Motivation

Core (Bryman, 2012) (Creswell & Creswell, 2018) Deductive; Testing of theory Inductive; Generation of theory

This study objective is to evaluate the acceptance-level of users using biometric authentication on credit cards, using hypotheses based on literature. The theory is then tested against users. Multiple studies have been done on TAM. Data (Paterson et al., 2016) (Sutton & Austin, 2015) Numeric:

Variables Non- numeric: Thoughts feelings, themes

The data will be numeric, e.g. a survey question “I would trust the BPC” rated on a 1- 5 likert scale, provides numerical output and a statistical output e.g. “86% of

respondents trusted the BPC” Generalizability

(Creswell & Creswell, 2018)

Large scale Situation

or case The research focuses on the entire Swedish market and not a specific situation/case, i.e. generalizable to a larger scale.

RQ:s

(Hancock, 1998) What? Where? How many?

Why? How? Who?

What is the current acceptability level of BPC?

Where? In Sweden

How many users show a behavioural intention to use the biometric payment cards?

Time

(Bryman, 2012) Efficient Slow Limited time and access, i.e. an efficient method is needed. Table 2: Describes the differences between quantitative and qualitative research, which is then applied to the thesis. Shows the features in relation to the research aims and thereof the motivation for selecting a quantitative approach. Also highlights the sources used.

(29)

29 4. Data collection method

The main method of gathering the data was through a questionnaire on Google Forms, in which a demonstration video was presented to the users, in order for the responders to get an insight and understand how a transaction with a biometric payment card occurs step by step. Appendix 1 and table 3 shows the questionnaire used for data collection and the link to access the demonstration video. The following sections outline the process of the literature search and the questionnaire.

4.1 Study Context

This study is conducted among credit card users in Sweden. The Swedish card market

represents an important sector to the Swedish economy as Swedish card issuers have invested billions of Swedish Crowns (SEK) over many years in developing a secure and efficient infrastructure. Card payments have a high acceptance rate in Sweden and with a high level of consumer trust, as 88% of consumers in Sweden said that card transactions are the method of payment they trust the most in a survey (Sverige Betalar, 2017). Sweden has a high rate of credit card usage and acceptance compared to the EU. There are 15 million cards issued on the Swedish market and 97% of the population have a charge card. There is a high use rate of 319 card transactions per year, while the EU average is only at 116 per year. (Card Payment Sweden, 2017; Sveriges Riksbank, 2019).

The Swedish market is therefore relevant to study as the technology could be of interest and deliver many opportunities for banks, companies, merchants and consumers. The technology of interest in this study is biometric payment cards, in which the card utilizes fingerprint recognition as an alternative to PIN or signature to authenticate a transaction. The user registers a fingerprint, which is then stored on the card. Whenever the user places the finger on the card’s sensor during a transaction, the card senses whether the registered fingerprint matches the input. A light on the card then shows if the match is successful or unsuccessful. The solution in turn would not require any new hardware or software, and would be

compatible with any type of EMV-enabled terminal (Secure Technology Alliance, 2019; Mastercard, 2017). The technology, at the moment of writing, is not widely available and can still be considered in “test mode”, with the major manufacturers VISA and MasterCard running trials (Oleksiuk, 2020). The release of biometric payment cards may have possibly been delayed due to the covid-19 pandemic, which could have had a negative impact and disrupted the manufacturing processes (Okorie et al., 2020).

4.2 Questionnaire design (Survey)

A survey based on TAM was used to collect data for this study. Fink (2017) defines surveys as a method for collecting quantitative data about a person's beliefs, knowledge, feelings and behaviour. The reasons for the selection and the design choices are listed below.

Questionnaire design relates to two parts, the “look and feel” of the design of questionnaire and the measurement design of a questionnaire.

(30)

30 4.3 Sampling approach & Population size

Survey research provides a quantitative or numeric description of trends, attitudes, or

opinions of a specific population by studying a sample of that population. In research terms a sample can be defined as a subset of a population, e.g. a group of people, objects, or items that are taken from a larger population. The sample should in turn reflect or represent the studied population in order to ensure that the finding can be generalized to the whole population, i.e. the intent is to generalize from a sample to a population (Fowler, 2008) (Creswell, 2014). To be able to draw conclusions about populations from samples, the following should be answered (1) How large should the sample be? (2) Which type of sampling approach is best? (Hair Jr et al., 2015).

(1) For this study the size of population should be large, therefore our aim is to focus the study on high diversity (i.e. all age groups, sex, education level) so that a higher number of participants and relevant data can be achieved. A restriction to the population size is only on Sweden and Swedish consumers. Thus, the data collected in this study regarding users behaviours toward BPC can be generalised to all consumers in Sweden.

(2)Self-selection sampling is going to be used as the sampling approach. Self-selection sampling is a method based on the judgement of the researcher, the sample is self-selected when the inclusion or exclusion of sampling units is determined by whether the participants agree or disagree to participate in the study. The method consists of participants becoming part of a study (willingly) because they volunteer when asked or in response to an advert. The researcher then collects data from those who answer (respondents) (Oates, 2006).

The advantages are that the potential units (individuals or organisations) are likely to be more committed to take part in the study. This in turn might help in improving attendance and greater willingness to provide more insight into the area being studied. The respondents could be inclined to spend more time filling in qualitative, open-ended questions in a survey, where others may leave them blank. This method reduced the time to search for appropriate units and formatting target groups. The downsides with this specific sampling is the responders' strong opinions about the subject which can lead to data that are not typical for a wider population (Oates, 2006). If the self-select sampling does not provide useful data, different survey techniques as e.g. purposive sampling could be a good alternative.

4.4 General design

To collect data about the user and to find answers to the stated research questions an online survey was designed using Google Forms. The survey had 16 statements where a scale was used to be able to analyse if the respondent agreed or disagreed with the statement.

Additional information was collected about the users such as age, sex and academic

background. There were 16 closed questions and 4 open-ended-questions which allowed the respondent to propose additional comments in the form of free text. Open ended questions were used to a lower extent in order to make the survey uncomplicated and easy to answer. However, each section had at the end one open-ended question, these questions were optional

The case of biometric payment cards: A quantitative study of the behavioural intention to use biometric payment cards among Swedish consumers