BIO-PIN: biometric payments under reliable protection

According to the Bank of Russia, the share of non-cash payments in retail turnover has reached 86.7%. The main payment method is still the bank card. However, alternatives are emerging: QR codes, pay services, and biometric payments, which have taken 12% of all non-cash transactions.

In the first quarter of 2025, over 37.5 million transactions worth about 30 billion rubles were performed using biometric technologies. This is more than in the entire previous year!

As biometric payments grow, their security deserves special attention. To reduce risks and improve the customer experience, NSPK has developed the BIO-PIN as additional protection for payments passing through the Biometric Services Platform (BPS).

Let's look at why it is needed, how it works, how it resembles a card PIN, and how it affects the convenience of biometric payments.

 

The same thing, but different: what is a BIO-PIN and how does it differ from a PIN code for a card?

At first glance, they are really similar. A BIO-PIN (or biopin) is a secret 4-digit code that is an additional factor in user authentication when making payments using biometric technologies.

Unlike the standard PIN used for bank card payments, the BIO-PIN plays a special role – it ensures the security of payments in financial systems where biometric identification is used. This code can be linked to both the Mir card and the account in the fast payment system, depending on the instrument chosen by the client for payment using biometrics.

In terms of reliability, a BIO-PIN is comparable to a traditional card PIN. Its data is also stored in encrypted form and protected by modern cryptographic mechanisms that fully comply with information security standards.

 

When is a BIO-PIN required?

A BIO-PIN is an additional level of protection used only for payments made with biometric data, that is, when the bank customer's biometrics are involved.

Although biometric payment is considered one of the most secure methods, especially in the context of biometric security in financial systems, the acquiring bank may in some cases request a BIO-PIN. When?

 

1. When paying large amounts

For example, in some cases banks may request a BIO-PIN for purchases starting from 5,000 rubles. Whether a BIO-PIN is needed here depends on the risk policy adopted by the bank. For the bank, the BIO-PIN is additional insurance.

 

2. The influence of biometric factors

These are cases where biometric identification reveals a low degree of similarity between the user’s image and the data stored in the biometric system.

In addition, the type of biometrics used may have an impact. Under 572-FZ there are three types of biometrics: simplified, standard, and validated. Customer biometrics therefore differ in their level of verification and security requirements. The higher the degree of verification, the more reliable the authentication process and the lower the probability of fraudulent transactions.

The topic of biometrics in banks deserves special attention, since it is financial organizations that are the first to introduce face, voice, or fingerprint identification technologies. This allows you to speed up service processes, reduce the burden on employees and increase the level of trust in electronic payments.

 

3. If fraud is suspected

As long as biometric payments are not yet widespread, the risk of fraud remains low: the technology is used less often than cards or money transfers, which means it is not yet very interesting to intruders.

In addition, biometrics is one of the most secure payment methods. Modern recognition systems use so-called "liveness detection": they track eye movements, image depth, facial micro-movements, and other features that cannot be reproduced in a photo or video. Therefore, even if someone has your photo, they will not be able to pay with it: the liveness detection algorithm will report suspected fraud and a BIO-PIN will be requested.

The BIO-PIN request is controlled by the acquiring bank itself, which makes the final decision. The principle of responsibility allocation applies here: if the client was offered a BIO-PIN during the transaction, then in the event of a dispute the financial risks are transferred to the issuing bank. If no additional verification is required, responsibility for possible consequences remains with the acquiring bank.
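
The three triggers above and the liability split can be written as one acquirer-side decision function. This is an added example, not NSPK's or any bank's code: only the 5,000-ruble threshold comes from the text, while the similarity floors, the field names and the fail-closed handling of a missing score are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class BioType(Enum):
    # The three types the article lists for 572-FZ.
    SIMPLIFIED = "simplified"
    STANDARD = "standard"
    VALIDATED = "validated"


@dataclass(frozen=True)
class Policy:
    # 5,000 RUB is the article's example; the similarity floors are assumed values.
    amount_threshold_rub: int = 5000
    min_similarity: tuple = ((BioType.SIMPLIFIED, 0.95),
                             (BioType.STANDARD, 0.90),
                             (BioType.VALIDATED, 0.85))


@dataclass(frozen=True)
class Payment:
    amount_rub: int
    bio_type: BioType
    similarity: Optional[float]  # matcher score in [0, 1]; None if unavailable
    liveness_passed: bool


def step_up_reasons(p: Payment, policy: Policy = Policy()) -> list:
    """Return the reasons a BIO-PIN must be requested (empty list: no step-up)."""
    reasons = []
    if p.amount_rub >= policy.amount_threshold_rub:
        reasons.append("amount")
    floor = dict(policy.min_similarity)[p.bio_type]
    # Fail closed (assumed design choice): a missing score counts as a low one.
    if p.similarity is None or p.similarity < floor:
        reasons.append("low_similarity")
    if not p.liveness_passed:
        reasons.append("suspected_fraud")
    return reasons


def dispute_liability(bio_pin_requested: bool) -> str:
    """Liability split described in the article: requested -> issuer, else acquirer."""
    return "issuer" if bio_pin_requested else "acquirer"


def authorize(p: Payment, policy: Policy = Policy()) -> dict:
    reasons = step_up_reasons(p, policy)
    return {"request_bio_pin": bool(reasons), "reasons": reasons,
            "liability_on_dispute": dispute_liability(bool(reasons))}
```

Returning the reasons alongside the decision gives the acquirer a record of why the step-up was or was not requested, which is what a later dispute turns on.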

 

How can a user set up a BIO-PIN?

There are two ways to assign a BIO-PIN:

1. In your bank’s mobile application, when linking an SBP account or a Mir card for biometric payments

Important: at the moment, not all banks offer biometrics for digital payments. Check whether your bank supports connection to the Biometric Services Platform.

2. In the SBPay app, when linking an SBP account for biometric payments

Tip: when choosing a BIO-PIN, you should not use the same code as the PIN from your card. It is better to set a unique combination, as this reduces the risk of data compromise and increases the overall level of security.

The user can change their BIO-PIN at any time through the bank's DBO (mobile application or online banking) or the SBPay application.

 

What changes does the bank need to make?

The introduction of the BIO-PIN changes not only the user experience but also the banks' own business processes. This is a full-fledged IT project in which security, interface, integration and compliance with the requirements of the Biometric Services Platform are intertwined.

For the client to be able to go all the way through linking an SBP account or a Mir card and setting a BIO-PIN for biometric payments, the bank must have the following ready:

  1. DBO (mobile application or online banking): the entire user path must be implemented, from obtaining customer consent to selecting a card/account and creating a BIO-PIN.
  2. Integration with the Biometric Services Platform: the bank must establish information exchange with the NSPK Biometric Services Platform.
  3. Processing center: for performing cryptographic procedures when transferring BIO-PINs to the Biometric Services Platform for verification.

In practice, this means involving several teams, consulting the information security service, making changes to the IT infrastructure and testing everything. Getting a biometric payment to work requires serious preparation.

However, there is another option: banks can use ready-made boxed solutions, such as Bio Connect. This solution contains all the functionality needed for launch: an API for mobile banking, integration with the NSPK Biometric Services Platform and with processing centers. The typical connection period for a bank is one and a half to two months.
