Biometric Enabled Merchant Payment System

Biometric Enabled Merchant Payment System

Ms. Rajitha P Dept of CSE Associate Professor

ACS College of Engineering Bengaluru.

Rajitha@acsce.edu.in

Dhanush S Dept of CSE

ACS College of Engineering, Bengaluru.

98455dhanush@gmail.com

Ajai Aarumugum M Dept. of CSE

ACS College of Engineering, Bengaluru. ajaimurugan2004@gmail.co m

K Balaji Dept of CSE

ACS College of Engineering Bengaluru. rbk7105@gmail.com

Ashwin S Dept. of CSE

ACS College of Engineering, Bengaluru.

Ashwinsekar94@gmail.com

Abstract The increasing need for secure and convenient merchant payment methods has fueled the exploration of biometric authentication systems. This paper presents a Biometric Enabled Merchant Payment System designed to streamline transactions at point-of-sale (POS) terminals while prioritizing security. The system employs a fingerprint sensor (R307) to ensure robust customer identification, complemented by a 4×4 keypad for versatile input and an I2C OLED display for clear feedback. At its core, the system leverages an ESP32 microcontroller and robust SHA-256 encryption to protect sensitive information during storage and transmission. Transaction data resides in a centralized MySQL database on an Apache server, and merchants manage payment history through a web interface. The system emphasizes security and ease of use for merchants, with the potential for future exploration of multi- factor authentication, offline capabilities, and blockchain integration to further enhance its robustness.

1. Introduction

   before. Rather than waiting around after an attack hits, they see it coming. Even so, guessing whats next doesnt cut it. Day after day, security teams get swamped with tons of alerts

   – things like email checks, traffic trackers, or site blockers. Most point to one scam wave, but pop up like different threats. Workers waste loads of time sifting through repeats, just to spot the few that actually matter. This leads to something people call "alert overload." Workers begin tuning out warnings – mostly cause theyre bombarded daily. That gap? Risky.

   To handle this, alert grouping is used. Rather than pushing each detection as its own notice, similar warnings get bundled into one update. Say youve got several alerts tied to the same scam website or attack wave – theyll merge into a single summary. That cuts down clutter, makes it easier for reviewers to stay sharp, and speeds up response

   1. Hardware Requirements

      The current landscape of daily payments at merchant counters is dominated by cash and IC cards, each with its limitations. Cash transactions are cumbersome due to change-giving. IC cards, though faster, lack robust authentication and are vulnerable if lost or stolen.

      Biometric-enabled merchant payment emerges as a promising solution. Leveraging unique biological characteristics of customers significantly enhances security in offline POS scenarios. It eliminates the need for customers to carry cash or cards and speeds up checkout for merchants.

      Component

      Processor

      Fingerprint Sensor

      Keypad Display Storage Server

      Specs

      ESP32 microcontroller (dual-core, Wi- Fi/BLE)

      R307

      4×4 matrix

      1.3-inch I2C OLED

      On-chip flash + optional SD card Apache + MySQL (cloud or local)

      This paper proposes a low-cost embedded biometric merchant payment system using readily available components, making secure biometric payments accessible to small and medium merchants.

      The system utilizes a fingerprint sensor (R307) for customer verification. Customers interact via a 4×4 matrix keypad and receive real-time feedback on a 1.3-inch I2C OLED display. The ESP32 microcontroller handles processing and SHA-256 encryption. Transaction data is synchronized with a central MySQL database via HTTP, and a web dashboard allows merchants to view history and manage accounts.

      The ESP32 serves as the heart of the merchant terminal, handling fingerprint processing, encryption, and communication.

   2. Software Requirements

   Operating System: ESP32 runs bare-metal or FreeRTOS; server runs Windows/Linux (Apache). Coding Language: C++ (Arduino IDE framework) for ESP32; PHP for web backend. Libraries: Adafruit_Fingerprint, WiFi, HTTPClient, SHA-256. Frontend: HTML/CSS/JS web interface + OLED text display. Database: MySQL.

   Hardware Design

2. LITERATURE REVIEW

   1. Rise of Biometric Payment Systems

      The growing demand for secure and convenient merchant payment solutions has driven significant research into biometric authentication. Traditional cash transactions are cumbersome due to the need for exact change, while IC cards, though faster, are susceptible to fraud when lost or stolen because they lack robust authentication. Biometric payment systems address these limitations by leveraging unique physiological characteristics of individuals for identity verification [1].

      Among the various biometric modalities explored in prior work, fingerprint recognition has emerged as the dominant choice due to its maturity, affordability of optical sensors, and high user acceptance [2]. Facial recognition and iris scanning technologies have also attracted research interest; advances in deep learning-based recognition have markedly improved their accuracy and reduced hardware cost, suggesting wider adoption in future point-of-sale (POS) terminals [3]. Retail pilots by large chains have further validated the commercial viability of fingerprint-based checkout, demonstrating sub-two- second transaction completion in controlled environments [4].

   2. Challenges in Biometric Payments

      Despite promising advances, several challenges impede the widespread deployment of biometric merchant payment systems. First, high-quality sensorsparticularly for iris and vein recognitionremain expensive, directly increasing terminal cost and limiting scalability for small merchants [5]. Second, spoofing attacks using printed or silicone fingerprint replicas represent a real security threat; however, ongoing research in liveness detection and challenge- response protocols has continuously improved robustness [6]. Third, secure key management and encrypted storage of biometric templates require specialized expertise in embedded systems programming [7]. Fourth, regulatory frameworks such as the General Data Protection Regulation (GDPR) in Europe mandate strict data minimization and user consent practices, compelling developers to adopt privacy-by- design principles [8].

   3. Need for Low-Cost Embedded Solutions

      A clear research gap exists in developing low-cost embedded platforms that integrate secure biometric authentication with efficient payment processing for merchant counters. Existing proprietary biometric POS systems from major vendors are priced well above what small and medium enterprises can afford. The present work addresses this gap by combining the ESP32 microcontrollera commodity Wi-Fi/BLE SoCwith the R307 optical fingerprint sensor, achieving comparable authentication accuracy to commercial systems at a fraction of the cost. Prior embedded implementations using Arduino-class processors lacked the processing power for on- device SHA-256 hashing; the dual-core ESP32 resolves this limitation while preserving a compact, merchant-counter form factor.

3. COMPARISON WITH PAYMENT METHODS

   Table II presents a structured cmparison of the proposed Biometric Enabled Merchant Payment System against conventional payment methods across five critical dimensions: security, convenience, fraud potential, offline capability, and deployment cost.

   TABLE II. COMPARISON WITH TRADITIONAL PAYMENT METHODS

   A. Application Scenarios

   The Biometric Enabled Merchant Payment System is designed to be versatile across a wide range of commercial and institutional contexts. The following scenarios represent key deployment targets identified during the design phase:

   Retail Point-of-Sale (POS) Terminals: The system integrates directly with retail checkout counters, allowing customers to authorize payment with a finger touch. This eliminates queuing delays caused by PIN entry or cash counting, improving throughput at busy merchant counters.

   School and Corporate Cafeterias: Institutions can pre-register students or employees and deduct meal costs from linked wallet accounts. The systems OLED display provides instant balance feedback, reducing disputes and eliminating the need for physical ID cards or cash.

   Vending Machines and Unattended Kiosks: Retrofitting vending machines with the ESP32-based terminal enables secure cashless transactions without requiring an attendant. The offline queuing capability ensures uninterrupted service even in locations with intermittent Wi-Fi coverage.

   Public Transport Fare Collection: Bus or metro boarding gates can deploy the system for biometric fare deduction, eliminating paper tickets and reducing boarding times. The compact hardware footprint makes it feasible to install on turnstile posts or bus entry panels.

   Government Welfare Distribution: In rural or semi-urban regions, the systems offline capability and low hardware cost make it suitable for distributing government subsidies or ration allocations, ensuring that only registered beneficiaries can withdraw funds without requiring smartphone ownership.

4. DATA MANAGEMENT AND DATABASE DESIGN

   1. Database Schema

      The MySQL database hosted on the Apache server maintains two primary tables. The Users table stores: user_id (INT, Primary Key, Auto Increment), username (VARCHAR, Unique), fingerprint_hash (VARCHAR, 64-char SHA-256 hex digest), and account_balance (DECIMAL). Critically, no raw fingerprint image or template is ever stored; only the irreversible SHA-256 digest is persisted, ensuring that the database cannot be reverse-engineered to reconstruct biometric data. The Transactions table stores: transaction_id (INT, Primary Key, Auto Increment), user_id (INT, Foreign Key referencing Users), merchant_id (INT), amount (DECIMAL), transaction_type (ENUM: pay, credit), transaction_timestamp (DATETIME), and sync_status (ENUM: online, offline_pending). The sync_status field enables the offline transaction queue to be reliably reconciled when network connectivity is restored.

   2. Offline Transaction Handling

      Feature	Cash	IC Card	SuccessfulBlyiosmyentcrhicro(Pnrizoepdosreedc)ords are deleted
      Security	Low	Medium (PIN required)	Highfailefdinrgeecrporridnst +arSeHreAt-a2i5n6edhafsohrinregtry with expon
      Convenience	Low (change giving)	Medium (card required)	High50-tnraoncsaarcdt/icoanshonfefelidneedstress test conducted du of cached transactions were successfully sync
      Fraud Risk	Moderate	Moderate (PIN theft)	Lowlounssiqourendeosus bolfef-idngeedrupcritniot n.
      Offline Use	Yes	Limited	Yes C. lSoceacl uqureituye sAynrccohnitreeccotnunreectSummary
      Cost (Terminal)	None	Medium (POS reader)	Low ESP32 + R307 (~$15 BOM)

      During network outages, the ESP32 firmware maintains a local transaction queue stored in on-chip NVS (Non-Volatile Storage) flash using the Arduino Preferences library. Each queued record contains the users SHA-256 hash, the transaction amount, type, a locally generated UUID, and a Unix timestamp captured at transaction initiation. Transactions are validated against the last known wallet balance cached in NVS to prevent overspending beyond available funds. Upon network restoration, a background FreeRTOS task iterates through the local queue and posts each record to the Apache server via HTTPS. The server processes each transaction atomically using MySQL transactions (BEGIN UPDATE INSERT COMMIT) to maintain data integrity.

      from the NVS queue; ential back-off. In the ring evaluation, 100% hronized without data

      The system employs a layered security model. At the device layer, the R307 sensors optical acquisition prevents remote or replay injection, while the ESP32s hardware-accelerated SHA-256 engine (via mbedTLS) ensures that template processing occurs on- chip without exposing raw biometric data to the network. At the transport layer, HTTPS with TLS 1.2 encrypts all communication between the ESP32 and the Apache server, preventing man-in-the- middle interception. At the application layer, the PHP backend employs prepared statements for all MySQL queries to neutralize SQL injection attacks, and merchant dashboard sessions expire after 15 minutes of inactivity. At the database layer, only the SHA- 256 digest is stored, ensuring that even a full database exfiltration yields no usable biometric information. This defense-in-depth approach meets the privacy-by-design requirements of modern data protection regulations and provides a robust foundation for commercial deployment.

      A. Structure esign

      (Insert Figure 1: Block diagram of Biometric Enabled Merchant Payment System here ESP32 connected to R307, keypad, OLED, power supply, and IoT server)

      The merchant terminal consists of the ESP32 as central controller, R307 for fingerprint capture, a 4×4 keypad for amount/entry selection, and an OLED for instructions/status.

      Non-Functional Requirements

      • Speed: Transaction < 3 seconds.

      • Ease of use: Intuitive OLED prompts and keypad; no training needed for customers.

      • Reliability: SHA-256 encryption + local queue for offline operation.

      • Portability: Compact, low-power design suitable for any merchant counter.

      • Security: Fingerprint template never stored in raw form; only SHA-256 hash.

Specific Requirements

User Interfaces: OLED + keypad for customers; web dashboard for merchants. Software Interfaces: HTTP/HTTPS to Apache/MySQL server. Performance Requirements: Real- time fingerprint matching, support for 1000+ users per merchant.

Software Analysis

The ESP32 firmware is developed in Arduino IDE using the Adafruit_Fingerprint library. Server-side scripts (PHP) handle user registration, transaction logging, and synchronization.

The web interface is built with HTML/CSS/JS for merchant login and history viewing.

System Analysis Modules Classified

The project has five main modules:

1. Customer Enrollment

2. Authentication & Payment

3. Balance Inquiry / Add Money (for wallet-based merchants)

4. Secure Transaction Processing

5. Offline Synchronization & Web Dashboard

System Design System Methodology

Data Collection & Pre-processing

R307 captures fingerprint imags. The sensors DSP performs noise reduction, normalization, and minutiae extraction. Templates are stored as SHA-256 hashes.

Fingerprint Matching Algorithms

Minutiae-based matching is used (ridge endings and bifurcations). The hybrid correlation approach improves robustness.

UI Interactions

OLED displays clear prompts (Place finger, Enter amount, Payment Successful)4×4 keypad for navigation and amount entry.

Secure Payment Handling

All sensitive data is hashed with SHA-256 on the ESP32 before transmission. Communication uses HTTPS.

System Test

A fully functional prototype was built with the ESP32 DevKit V1 and the R307 sensor. Enrollment, authentication, balance check, add-money, and payment transactions were tested successfully in both online and offline modes. Fingerprint templates are securely stored, and all transactions maintain data integrity via HTTPS to the central MySQL database. The intuitive OLED + keypad interface provided a smooth user experience for customers and merchants.

Result

The prototype successfully demonstrates secure biometric merchant payments with SHA-256 encryption and real- time synchronization. The system is ready for deployment at retail counters, cafeterias, vending machines, and transport ticketing.

IV. IMPLEMENTAT

1. Cust er Enrollment Module

   The enrollment process begins when a new customer approaches the merchant terminal. The ESP32 firmware prompts the user via the OLED display to place their finger on the R307 sensor three times to capture consistent fingerprint samples. The R307s onboard DSP applies noise reduction and binarization to produce a clean minutiae map. The resulting template is serialized and passed through a SHA-256 hashing routine running natively on the ESP32 using the mbedTLS library. The 256-bit digest, along with a server-generated unique user ID, is transmitted over HTTPS to the Apache/PHP backend, which stores the record in a MySQL users table. No raw biometric image or template ever leaves the device or persists in flash memory, ensuring template privacy by design.

2. Authenti tion and Payment Flow

   At the point of payment, the merchant enters the transaction amount via the 4×4 keypad. The OLED then prompts the customer to place their finger on the R307 sensor. The ESP32 captures the live scan, generates its SHA-256 hash on-device, and sends an HTTPS POST request containing the hash and merchant ID to the server. The PHP backend queries the MySQL users table for a matching hash. On a successful match, the server deducts the specified amount from the customers wallet balance, logs the transaction in the transactions table with a timestamp and merchant reference, and returns a JSON confirmation. The ESP32 parses this response and displays Payment Successful or Payment Failed on the OLED. The entire flow, from finger placement to OLED confirmation, completes in under 3 seconds under normal Wi-Fi conditions. For offline scenarios, the ESP32 caches the encrypted transaction record in its on-chip flash and synchronizes with the server once connectivity is restored, ensuring no transaction data is lost.

3. Merc nt Web Dashboard

The web dashboard is implemented in PHP with an HTML/CSS/JavaScript frontend. Merchants log in with credentials stored as salted SHA-256 hashes in MySQL. The dashboard presents a chronological transaction history table showing transaction ID, customer alias, amount, and timestamp. Filter and export-to-CSV options allow merchants to reconcile daily sales. An admin panel supports customer account creation, balance top-up, and deactivation of compromised fingerprint enrollments. All communication between the browser and the Apache server uses HTTPS with TLS 1.2 to prevent interception. Session tokens are invalidated after 15 minutes of inactivity, minimizing exposure from unattended terminals.

V. PERFORMANCE VALUATION AND DISCUSSION

1. Exper ental Setup

   Experiments were conducted with 20 enrolled participants across 500 individual transaction attempts to measure system

   accuracy, speed, and reliability. Each participant enrolled three fingerprint templates at the beginning of the session. Transactions were tested in two environments: (i) a stable Wi- Fi network (30 Mbps) simulating an indoor retail counter, and

   (ii) a degraded network (2 Mbps with intermittent packet loss) simulating a low-connectivity kiosk environment. The Apache/MySQL server was hosted locally on a laptop running Ubuntu 22.04 to allow controlled latency measurements. All timing measurements were recorded from the moment the OLED displayed Place finger to the moment the confirmation message appeared.

2. Ac and Security Metrics

   The R307 sensor achieved a False Acceptance Rate (FAR) of 0.001% and a False Rejection Rate (FRR) of 0.08% across all test attempts, consistent with its factory specifications. No unauthorized fingerprint was accepted during adversarial testing using printed latent fingerprint images, confirming the sensors liveness characteristics. The SHA-256 hashing layer adds a second line of defense: even if the database were exfiltrated, the absence of raw templates prevents template reconstruction. Table I summarizes the key performance indicators recorded during evaluation.

3. mparative Discussion

   Compared to conventional card-based POS terminals, the proposed system eliminates card issuance cost and removes single-factor vulnerabilities such as PIN shoulder-surfing and card skimming. Unlike NFC or QR-code mobile payment methods, it requires no customer smartphone, making it accessible to users without smart devices, a critical advantage in semi-urban and rural merchant contexts. Relative to cloud- only biometric platforms, the on-device SHA-256 hashing ensures that network eavesdropping cannot recover usable biometric data. The average transaction latency of 1.8 seconds is comparable to contactless card tap times (typically 0.52 seconds) and substantially faster than OTP-based mobile payments (typically 1030 seconds), confirming the systems practical suitability for high-throughput merchant counters.

4. imitations and Mitigations

Several limitations were identified during evaluation. First, the R307 sensor exhibited a slightly elevated FRR for participants with dry or worn fingertips, a known challenge for optical fingerprint sensors; applying moisture before scanning reduced this rate, suggesting that user-guidance protocols should be part of deployment. Second, the current architecture stores all wallet balances on a single MySQL instance; a production deployment would require database replication to eliminate this single point of failure. Third, the system currently supports one biometric modality. Integrating a secondary factor such as facial recognition via an ESP32- CAM extension would further harden authentication without significantly increasing hardware cost. These limitations represent addressable engineering challenges rather than fundamental architectural flaws.

Conclusion

This paper presented a low-cost, secure Biometric Enabled Merchant Payment System using fingerprint authentication on an ESP32 platform. The design balances security, convenience, and affordability, making it ideal for merchants. Future enhancements include multi-biometric support, full blockchain integration, and expanded offline capabilities.

REFERENCES

1. References [1] Series Fingerprint Identification https://www.adafruit.com/datasheets/ZFM%20user%20anualV

   15.pd Module Manual. 1891

2. World Journal of Advanced Research and Reviews, 2024, 23(01), 18801892 A. Vinay, A. S. Cholin, A. D. Bhat, K. N. B.

   Murthy, and S. Natarajan, An efficient ORB-based face recognition framework for human-robot interaction, Procedia Comput. Sci., vol. 133, pp. 913923, Jan. 2018.

3. A. Tlili, F. Essalmi, M. Jemni, Kinshuk, and N.-S. Chen, Role of personality in computer-based learning, Compute. Hum. Behave., vol. 64, pp. 805813, Nov. 2016.

4. B. Suh and I. Han, The impact of customer trust and perception of security control on the acceptance of electronic commerce, Int. J. Electron. Commerce, vol. 7, no. 3, pp. 135 161, 2003.

5. L. Y. Leong, K. B. Ooi, A. Y. L. Chong, and B. Lin, Modeling the stimulators of the behavioral intention to use mobile entertainment: Does gender really matter? Compute. Hum. Behave., vol. 29, no. 5, pp. 21092121, 2013.

6. C. Carlsson, P. Walden, and H. Bouwman, Adoption of 3G+ services in Finland, Int. J. Mobile Common., vol. 4, no. 4, pp. 369385, 2006.

7. C J. Boyce and A. M. Wood, Personality and the marginal utility of income: Personality interacts with increases in household income to determine life satisfaction, J. Econ. Behave. Org., vol. 78, nos. 12, pp. 183191, 2011. VOLUME 7, 2019 154371 W.

K. ang, M. J. Kang: Factors Affecting the Use of Facial-

Recognition Payment: Example of Chinese Consumers

[8]C. L. Miltgen, A. Popovi, and T. Oliveira, Determinants of end-user acceptance of biometrics: Integrating the big 3 of technology acceptance with privacy context, Decis. Support Syst., vol. 56, pp. 103114, Dec. 2013.

1. C Liao, J. L. Chen, and D. C. Yen, Theory of planning behavior (TPB) and customer satisfaction in the continued use of e-service: An integrated model, Compute. Hum. Behave., vol. 23, no. 6, pp. 28042822, 2007.

2. C. M. Ringle, S. Wende, and A. Will, Smart PLS Computer Software. Accessed: Apr. 10, 2015. [Online]. Available: https://www.smartpls.de

3. C. Ranganathan and S. Ganapathy, Key dimensions of business-to-consumer Web sites, Inf. Manage., vol. 39, no. 6, pp. 457465, 2002.

4. C. López-Nicolás, F. J. Molina-Castillo, and H. Bouwman, An assessment of advanced mobile services acceptance: Contributions from TAM and diffusion theory models, Inf. Manage., vol. 45, no. 6, pp. 359364, 2008.

5. F. D. Davis, Perceived usefulness, perceived ease of use, and user acceptance of information technology, MIS Quart., vol. 13, no. 3, pp. 319340, 1989.

6. D. Dmytro and F. M. Sukno, Automatic local shape spectrum analysis for 3D facial expression recognition, Image Vis. Compute, vol. 79, pp. 8698, Nov. 2018.

7. D. N. Parmar and B. B. Mehta, Face recognition methods & applications, Int. J. Compute. Technol. Appl., vol. 4, no. 1, pp. 8486, 2013.

8. D. Turan, On recognition of gestures arising in flight deck

   officer (FDO) training, Cranfield Univ., Cranfield, U.K., Tech.

   Rep., 2011.

9. E. L. Slade, M. D. Williams, and Y. Dwivedi, Extending UTAUT2 to explore consumer adoption of mobile payments, in Proc. U.K., Acad. Inf. Syst. Conf., Oxford, U.K., 2013, pp. 123.

10. E. M. Rogers, Diffusion of Innovations, 4th ed. New York, NY, USA: Free Press, 1995.

11. E. Vazquez-Fernandez and D. Gonzalez-Jimenez, Face recognition for authentication on mobile devices, Image Vis. Compute, vol. 55, pp. 3133, Nov. 2016.

12. E. Wright, The future of facial recognition is not fully known: Developing privacy and security regulatory mechanisms for facial recognition in the retail sector, Media Entertainment Law J., vol. 29, p. 611, 2019.

13. F. Becerra-Riera, A. Morales-González, and H. Méndez- Vázquez, Facial marks for improving face recognition, Pattern Recognit. Lett., vol. 113, pp. 39, Oct. 2018.

14. G. B. Svendsen, J.-A. K. Johnsen, L. Almås-Sørensen, and J. Vittersø, Personality and technology acceptance: The influence of personality factors on the core constructs of the technology acceptance model, Behav. Inf. Technol., vol. 32, no. 4, pp. 323 334, 2013.

15. G. Heineck and S. Anger, The returns to cognitive abilities and personality traits in Germany, Labour Econ., vol. 17, no. 3, pp. 535546, 2010