MasterCard is to test facial recognition as a payment authorization tool on smartphones. That’s prompted questions over the security of the way it will handle the data.

The idea is to replace the need to type in a PIN code when making a purchase. While MasterCard hasn’t confirmed this, it’s likely the tool will work for bigger purchases, unlike contactless payment authorization such as NFC chips that are usually restricted to small amounts.

The concept is simple enough: you pay using a dedicated app and as part of the process you hold up the phone to your face and take a picture. (Journalists, with the help of a quote from a MasterCard spokesman, are already banging on about this being ‘selfie security.’) Facial recognition confirms you are the registered account holder.

During the authorization you’ll need to blink once to prove the lens really is pointing at you and not a photograph. That’s not necessarily foolproof however as it could theoretically be possible to take a photo of somebody and animate it with a few frames featuring bogus eyelid images. That said, you’d either need to act as a bogus seller (and leave yourself open to tracing if the fraudulent transaction is reported) or find some way of distracting a genuine retailer while you pull off the scam.

It’s the technical process that’s worrying one security consultant quoted by CNN. The image of your face never actually leaves your phone, but it is converted to a digital code that is sent to Mastercard’s servers for verification. Mastercard insists it will keep that code secure and that it won’t be able to reverse the conversion to recreate the image.

Mastercard is starting out cautiously with a test program for 500 users this fall. It certainly plans to go full throttle once any kinks are worked out. Tt’s made deals for the technology to work with Apple, Android and Windows phones and says it’s close to agreements with two major banks.