Smart Card Talk March 2013
a Smart Card Alliance ePublication
Dear Members and Friends of the Alliance,

The migration to EMV in the U.S. is underway. It’s no longer a pipe dream, a debate or wishful thinking. With deadlines in place, all stakeholders are very busy working on their part of the transition. The EMV Migration Forum has become the go-to organization for information, knowledge, education, collaboration and leadership. It is remarkable to take a step back and look at the entire payments market working together to make this transition as smooth as possible. Committees have been formed to identify specific issues and to consider “what-if” scenarios to ensure that every possible item is addressed. Excitement continues to build each passing week. I hope you are part of the process. Please feel free to contact me if you have questions, or simply want to talk about all the great things happening in our industry. Thank you for your support of the Smart Card Alliance.
Volume 18 : Issue 3
Sincerely,
Randy Vanderhoof Executive Director, Smart Card Alliance Acting Director, EMV Migration Forum
Event Calendar
EMV Migration Forum
March 21-22, 2013 Renaissance Concourse Atlanta Airport
Feature Article: Mobile Identity Use Cases
Mobile devices are emerging as a platform for secure identity applications. This article discusses use cases that present different approaches for storing and using employee identity credentials on mobile devices.

Member Profile: Visa
This month Smart Card Talk spoke with Simon Hurry of Visa, Inc. Simon is Senior Business Leader, Chip Infrastructure, where he is responsible for global contactless and contact chip card programs.
Mobile Devices and Identity and Access Security April 9, 2013 Las Vegas, NV
NFC Solutions Summit May 15-16, 2013 San Francisco, CA
executive director’s corner
The Whole Nine Yards

Dear Members and Friends of the Alliance,

Often people use nautical metaphors to describe things that represent their point of view. I have heard quite a few in reference to the United States “embarking” on its EMV migration. For example, in response to the question about when will we start to see evidence that EMV is really happening, one might reply that “that ship has sailed.” Evidence of that can be found just by watching television. Has anyone else noticed that the commercial about the rock-climbing girl who buys a few accessories for her weekend date that turns into a death defying rock climb features a Citi smart card? That same commercial ran last year, but this year the card now has a chip on it.
Another nautical quip that might be used to answer a question about how long will it take for the U.S. to complete the transition from magnetic stripe to EMV chip technology would be to describe the “considerable headwinds” that are affecting the transition in the payments markets. To further this analogy, these headwinds are coming mainly from the regulatory environment that exists only in the U.S. in meeting the Durbin Amendment rules. These rules impact debit routing, affect the 13 regional debit networks and require a solution that satisfies the technical requirements of EMV and addresses the business needs for the stakeholders involved.
There are many other forces pushing back change, but the debit approach is garnering the most attention right now. Within the EMV Migration Forum, the Debit Working Committee is meeting regularly and all sides are participating in constructive approaches to overcoming these headwinds and keeping the “ship” on course.
To say there is a lot of maneuvering in the payments markets is an understatement. While the national and regional debit brands are working through their issues, the ATM industry is also dealing with some turbulence. I recently attended an ATM industry event and learned a great deal about their challenges -- from contracting revenues due to shrinking interchange fees, to machines installed that can’t be upgraded to EMV, to the near term EMV liability shift that will shift fraud liability to ATM acquirers and operators. Many of those ATM industry stakeholders have organized themselves in a special interest group within the EMV Migration Forum to talk and strategize about their issues. I think this is an opportunity for other stakeholder groups preparing to react to the changing landscape created by EMV, such as merchants and issuers, to organize into special interest groups as well to communicate their issues and their proposed solutions in a more organized and effective manner. The Forum offers its members that opportunity.

However, one of the best phrases that I have come across to describe how best to “keep the ship moving” and deal with the “headwinds” is this one: “It is the set of the sails, not the direction of the wind that determines which way we will go.” If you have ever sailed, as I learned to do as a kid, you quickly learn that you can’t go anywhere sailing into the wind. How sailors adjust to that reality is by adjusting their sails and changing the direction of the boat to capture the wind in their sails and propel the boat forward. Often this requires changing directions depending on the force and direction of the wind, called “tacking,” to get to where you want to go. I like this image as a metaphor for the EMV migration. We need to recognize where the winds are coming from. Instead of fighting them off, we need to maneuver by changing the “set of the sails” to find the angle that will allow progress to go forward and then be prepared to change course again further down the road. If everyone sticks to the original course and does not adjust to the forces that are slowing us down, then we will never make it to the end of our journey.

So, here is to finding the productive winds that don’t become headwinds and to having the wisdom to know how to maneuver in the directions that will keep this journey moving towards ubiquitous EMV adoption and satisfying everyone involved. And a tip of my captain’s hat to all of the hardworking EMV Migration Forum working committee chairs and Payments Council leaders who are part of this journey and who are working side by side with the elected leadership and staff of the Smart Card Alliance and the EMV Migration Forum.

Sincerely,

Randy Vanderhoof
Executive Director, Smart Card Alliance
rvanderhoof@smartcardalliance.org
latin america corner

Upcoming Government Information Exchange – Mexico

Dear Members and Friends of the Smart Card Alliance Latin America & the Caribbean,

I’m pleased to announce our next Government Information Exchange mission, an exclusive activity for SCALA member organizations. This members-only activity allows our affiliated organizations to interact with key government agencies in Mexico to exchange knowledge, experiences, and information related to smart card technology. The Government Information Exchange provides an impartial platform to gather industry and government leadership to share valuable information that helps to improve governmental efficiencies, services, and smart card projects through education.

The mission to Mexico will take place May 29th, 2013 at the Marriott Reforma Hotel and will provide a forum for our member organizations and the organizational committee leadership to present success cases of the use of smart card technology for Public Registry, National ID, e-Passports, Driver’s Licenses, Access Control, and Government ID, and transfer knowledge from industry experts to government decision makers. Through collaboration with our member organizations we plan to provide key elements and tools for the Mexican Government Agencies to develop successful implementations of best-in-class solutions.

For this exchange, the SCALA organization has partnered with the U.S. Commercial Services (USCS) to develop the Government Information Exchange program mission to Mexico. The strategic alliance between SCALA and the U.S. Embassy in Mexico is hoped to provide much needed support on the ground, enhancing our capabilities to:
• Identify key government agencies and correct points of contact
• Coordinate the delivery of invitations to government representatives
• Confirm the participation of high-level government representatives
• Control access to our Government Information Exchange Program

The SCALA organizational committee for Mexico will be responsible for the delivery of the impartial content to government agencies. The committee will preside over the agenda and the development of key talking points of interest for the invited government agencies.

In our exchanges, SCALA, as the industry representative, acts as a neutral third party that helps government agencies acquire information and resources to develop their related projects. Through the distribution of impartial information and related SCALA resources, government representatives can use this knowledge to develop successful specifications to their smart card related projects. In our forum, representatives have the opportunity to discuss concepts, exchange ideas, clarify points, and interact with industry leaders.

It is important to note that the government of Mexico will be presiding over key technological advances and related industry projects in Mexico. The process of understanding the technology can be time consuming, overwhelming, and confusing, especially when vendors are trying to gain access and providing conflicting information. This is the reason we created our Government Information Exchange Programs.

We also have the opportunity to present the opportunities smart card technology creates for government agencies. As an example, government agencies can develop partnerships with external private organizations for a multiple application smart card. Agencies can utilize the chip to incorporate additional security features such as biometric match-on-card and digital verification. In the end, exchanges such as these spark the imagination of what can be accomplished with our technology.

The Government Information Exchange mission to Mexico is a great opportunity for member organizations and industry friends to experience the benefits and opportunities of being part of the SCALA community. We welcome all who are interested to contact us and see what we have to offer. For more information visit: Government Information Exchange – Mexico.

Sincerely,

Edgar Betts
Associate Director, Smart Card Alliance Latin America (SCALA)
ebetts@smartcardalliance.org
www.sca-la.org
member profile
This month Smart Card Talk spoke with Simon Hurry of Visa, Inc. Simon is Senior Business Leader, Chip Infrastructure, where he is responsible for global contactless and contact chip card programs. Mr. Hurry, a member of the Smart Card Alliance Board of Directors, has more than 18 years of experience in the payments industry, with a specialized focus on smart card and contactless payments. Prior to joining Visa, he architected smart card clearing and settlement systems at Nedcor Bank in South Africa. Mr. Hurry, who was an active member and vice chairman of the GlobalPlatform systems committee, holds a Bachelor of Science from the University of Kentucky and a Master of Business Administration from the University of Pretoria.

1. Please describe your company’s business profile and its payment offerings.

Visa is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable electronic payments. We operate one of the world’s most advanced processing networks—VisaNet—that is capable of handling more than 24,000 transaction messages a second, with fraud protection for consumers and assured payment for merchants. Visa is not a bank and does not issue cards, extend credit, or set rates and fees for consumers. Visa’s innovations, however, enable its financial institution customers to offer consumers more choices: pay now with debit, ahead of time with prepaid, or later with credit products.

2. What role does smart card technology play in your business?

Fighting fraud and protecting cardholders and merchants have always been a high priority for Visa and fundamental to the success of electronic payments. Visa seeks to innovate new solutions that enhance security and reduce the value of stolen data to criminals. That’s why in August 2011 Visa was the first payment network to announce a plan to accelerate chip migration in the U.S. We designed our roadmap with a focus not only on reducing overall fraud in the payment system, but also on supporting emerging payment innovations such as mobile and enhancing global acceptance. Specifically, elements of the program include:
• October 1, 2012 – Visa’s Technology Innovation Program (TIP) took effect in the U.S. TIP eliminates the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75 percent of the merchant’s Visa transactions originate from dual-interface contact/contactless chip-enabled terminals.
• April 1, 2013 – Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions. Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including the cryptographic message that makes each transaction unique.
• April 1, 2015 – U.S. third-party ATM acquirer processors and sub-processors must be able to support EMV chip data.
• October 1, 2015 – Visa will institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions as well as an ATM liability shift in Asia Pacific (excluding Thailand, Japan, China and India).
• October 1, 2017 – Visa will institute a U.S. liability shift for domestic and cross-border counterfeit card-present transactions at automated fuel dispensers and U.S. ATMs as well as ATM transactions in Thailand, Japan, China (excluding domestic ATM transactions) and India.

3. What trends do you see in the U.S. market driving the move to chip?

There are three main reasons Visa is encouraging the migration to chip in the U.S.:
• Security: We believe that the migration to chip technology will make a significant difference in the security of the U.S. payment system overall by addressing the largest point-of-sale fraud category – counterfeit fraud. Further, Visa’s U.S. chip roadmap is part of our broader authentication vision to create a more secure payments system that focuses on the use of dynamic authentication.
• Payment innovation: As NFC – or Near Field Communication – mobile payments and other chip-based emerging technologies are poised to take off in the coming years, we are taking steps now to create a commercial framework that will support growth opportunities and create value for all participants in the payment chain.
• Enhanced global acceptance: Travelers occasionally experience difficulties when using their cards in chip markets. By moving the U.S. to the same technology used widely throughout the world, global acceptance will increase.

4. Why should merchants consider adopting smart card technology?

We see the U.S. move to chip as an important step forward for all stakeholders in building a future-proof infrastructure that helps reduce fraud, supports emerging payment technologies and enhances international acceptance. As part of Visa’s roadmap to accelerate the migration to EMV and support merchant adoption of this technology, we are offering tangible benefits to merchants who update their POS infrastructure to accept contact and contactless chip payments through our Technology Innovation Program (TIP). The TIP program eliminates the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75 percent of the merchant’s Visa transactions originate from chip-enabled terminals. The program only waives annual validation, and merchants must continue to protect sensitive data in their care and adhere to the PCI DSS standards as applicable.

5. What type of measurable impact has the Smart Card Alliance and/or its Councils made in your company’s business?

The Smart Card Alliance serves as a constructive forum for sharing resources, advancing education and building bridges to increased cooperation around important chip topics. We also believe the Smart Card Alliance’s role in establishing the EMV Migration Forum was a major accomplishment that will help drive EMV technology forward in the U.S. in a way that is most beneficial for all stakeholders.

6. What does Visa see as the best approach for implementing chip debit in the U.S.?

Visa believes that the best approach is one that is fast, simple and cost-effective to implement. To that end, Visa has put forth a proposed common debit solution in the U.S. that meets those criteria. Specifically, Visa has offered to make some of its EMV chip technology available to the industry in conjunction with a generic Application Identifier (AID). Visa is offering this solution free of charge and without any gateway requirements or restrictions. We believe this approach provides flexibility for issuers to manage card portfolios over time and merchants to make their preferred routing choices – in a streamlined approach that minimizes complexity and time-to-market.

7. How do you see EMV migration progressing in the U.S.? What do you see as the key milestones?

It is a process that takes time, but since announcing our intent to help the U.S. move to this technology we are seeing good momentum toward that goal. The upcoming milestone in Visa’s chip roadmap is the April 1, 2013 mandate for acquirer processors and subprocessors, requiring them to complete the upgrades and testing necessary to be able to carry and process chip data. This milestone is an important and necessary step in ensuring that the infrastructure is in place to support the U.S. migration to chip, and we are seeing very good progress toward that goal. We are also seeing positive signs from the issuing side. As of June 30, 2012, U.S. financial institutions have reported issuing an estimated 1.5 million Visa-branded chip cards and we expect to see those numbers accelerate as we get closer to the 2015 liability shift deadline.

Member point of contact:
Simon Hurry
Senior Business Leader, Chip Infrastructure, Visa Inc.
shurry@visa.com
feature article
Mobile Identity Use Cases

Both small and large companies deal with the challenge of issuing and maintaining employee identity credentials for physical access to company facilities. In addition, some companies use these same identity credentials for logical access and web-based authentication. Companies incur significant costs to maintain the infrastructure that supports employee identity credentials and to equip facilities, computers and employees with the readers that enable their use.

Mobile devices represent both a better way for companies to manage physical access and a cost-effective and convenient way for employees to access company information (network or enterprise access). Many approaches can be used to secure an identity transaction. The use cases described in this article illustrate three different approaches for using mobile devices to authenticate an employee’s identity:
1. Using the mobile device as an “out-of-band” solution to determine whether an employee is the “right” employee for logical access to company resources.
2. Leveraging the NFC capabilities of a mobile device to read and transmit the details of a company ID card (or badge) for logical access.
3. Using the mobile device as the ID credential, leveraging the device’s secure element to securely store credentials and authenticate the employee for physical or logical access.

It is important to note that the use cases described in the article are presented as illustrative examples and are not intended to include all possible approaches. Also important is to consider that the use cases are “visions” for how mobile devices may be used for identity authentication; not all mobile devices can support the capabilities described in these use cases at this time.

Using the Phone as an Out-of-Band Authentication Device

Using the phone as an out-of-band authentication device requires that an employee’s mobile phone be provisioned with an application that, when requested, either produces a one-time password (OTP) or prompts the person for confirmation. In addition, the phone must be correlated with the person’s identity. Once a preregistered user ID–password combination is entered, the phone can be used as an additional factor to authenticate the employee.

For example, when an employee tries to gain access to the company network, the network initiates a dialog with the phone. The application on the phone is activated either through a short message service (SMS) message or an Internet-based request or push. The phone then displays a company Web site or prompt (Figure 1) and asks the employee to confirm the access attempt. The accepted or rejected response from the employee determines whether access is granted. Alternatively, the phone may display an OTP, which the employee enters on the Web site to gain access to the network.

Figure 1. Mobile Device as an Out-of-Band Authentication Solution

This approach can have several benefits. Using the phone as an out-of-band authentication device provides an additional authentication factor (something you have) and also protects against certain forms of attack—specifically phishing attacks to capture identity credentials for fraudulent use. To achieve access, someone must now intercept the user ID–password combination as well as the OTP from the mobile device. In addition, since virtually all phones are capable of supporting OTP applications, this solution is the most generally available to organizations and is relatively easy to use.

Leveraging Near Field Communication (NFC) and the Employee ID Card

The emergence in the market of NFC-enabled mobile devices creates opportunities to further improve security and authentication for remote applications. An employee with an NFC-enabled phone may be able to tap a contactless smart ID card against the phone and use the information on the card to confirm the employee’s identity.

In this use case example, the phone would be associated with the person’s employee ID. Once a preregistered user ID–password combination is entered, the phone could be used to capture data from the contactless smart ID card. Also in this use case, the company Web site initiates a dialogue with the phone. The application on the phone is activated either through an SMS message or an Internet-based request or push. The phone would then display the company Web site and prompt the employee to tap the company-issued ID card against the phone (Figure 2). The data from the ID card would be securely transferred through the phone to the issuer of the card, where it is validated. Assuming that the card is valid and matches the user ID–password information provided earlier, the employee would be granted access to the Web site or network. It is important to note that the application on the phone would store the appropriate permissions, or keys, to access the card details. If the card is a smart card, the data generated is dynamic, and only the company can correlate the data to a specific employee.
Figure 2. NFC-Enabled Mobile Device and the Employee Badge

This approach would have several benefits. In addition to protecting against phishing (as described in the previous section), leveraging the card and the NFC capabilities of the phone could avoid man-in-the-middle and man-in-the-browser attacks, assuming that the data from the card is sent directly to the card issuer for validation and not sent first through the browser. In essence, the card and phone act as two “what you have” factors for authentication. As NFC-enabled phones penetrate the market, this authentication method may become a popular initial authentication method, as there would be no need for card issuers to provision phones with employee identity credentials (i.e., in a secure element (SE) or on a SIM). That said, the phone must be able to be configured as an NFC-enabled reader to implement this use case.

Using an Identity Credential Stored in the Mobile Phone’s Secure Element

A company-issued credential can also be stored in the SE of a phone. Storage of the credential in the SE requires the company to work with the SE owner (for example, the phone manufacturer or mobile network operator) to pay for memory space on the SE and provision the credential to the chip. In addition, the phone is associated with the employee ID. Once the employee uses preregistered logon credentials, the company can communicate with the credential on the phone.

In this use case, when an employee tries to gain access to the company network, the network initiates a dialogue with the phone. The application on the phone is activated either through an SMS message or an Internet-based request or push. The phone then displays a company Web site (Figure 3) and prompts the employee to confirm the access attempt. The company can also collect another password. The ID credential stored on the SE is securely transferred to the issuer of the card, where it is validated. Assuming that the credential is valid and matches the user ID–password information provided earlier, the employee would be granted access to the network.

As described in the previous section, leveraging the dynamic data generated from an out-of-band device significantly reduces the risk of several forms of malicious attack. The added benefit of this approach is that it is easier to use than an approach requiring the employee to tap a card on the phone. To the employee, it is a relatively convenient process and has security enhancements offered by the smart card technology that is used for the SE.

Figure 3. Identity Authentication Using the Secure Element
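The out-of-band OTP use case described earlier in the article, as an added example that is not part of the original white paper: a server-side check that requires the preregistered password first and then a counter-based OTP from the phone, and that refuses a code once it has been used. The article does not name an OTP algorithm; HOTP (RFC 4226) is assumed here, and the `Verifier` class, its return strings and the enrolled values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Verifier:
    """Hypothetical company-side verifier: password first, then the phone's OTP."""

    def __init__(self, window: int = 3):
        self.window = window   # how many unused counter values ahead are accepted
        self.users = {}

    def enroll(self, user_id: str, password: str, otp_secret: bytes) -> None:
        # Correlates the phone (its OTP secret) with the employee's identity.
        salt = os.urandom(16)
        self.users[user_id] = {
            "salt": salt,
            "pw": _pw_hash(password, salt),
            "secret": otp_secret,
            "next": 0,         # lowest counter value that has not been consumed
        }

    def login(self, user_id: str, password: str, otp: str) -> str:
        # The distinct return strings are for the demonstration; a real service
        # would show the client one uniform failure message.
        rec = self.users.get(user_id)
        if rec is None or not hmac.compare_digest(
                rec["pw"], _pw_hash(password, rec["salt"])):
            return "bad-credentials"
        for counter in range(rec["next"], rec["next"] + self.window):
            expected = hotp(rec["secret"], counter)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                # Consume this counter and every earlier one, so a captured
                # code cannot be replayed.
                rec["next"] = counter + 1
                return "granted"
        return "bad-otp"


if __name__ == "__main__":
    v = Verifier()
    # Constructed enrollment; the secret is the RFC 4226 test key.
    v.enroll("alice", "correct horse", b"12345678901234567890")
    print(v.login("alice", "correct horse", hotp(b"12345678901234567890", 0)))
    print(v.login("alice", "correct horse", hotp(b"12345678901234567890", 0)))
```
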
Card Validation in the Field

NFC-enabled phones can provide additional opportunities for in-person security and authentication of people carrying contactless ID cards. One possible solution is for security personnel to confirm a person’s identity by having that person tap an ID card against the security staff’s NFC-enabled phone. Security staff would start an application on the phone, which prompts for a card to be tapped. The data on the card would be communicated to the phone using NFC and then transferred to the SE. The ID credential would then be securely transferred to the issuer of the card, where it is validated. Assuming the card is valid, the phone would display a digital image and other relevant information to security staff (Figure 4) to assist in confirming the person’s identity.
Figure 4. NFC-Enabled Mobile Phone Used as a Reader
One requirement critical to this solution is that the application on the phone must have access to the appropriate permissions, or keys, to access the details on the card. Smart card and smart card-reading solutions are based on the theory that the phone has the correct keys to open the secure identity verification application. Also, the data generated is dynamic, and only the correct issuer’s systems can interpret and correlate this data to a specific user.

Leveraging the reading capabilities of NFC-enabled phones can offer a few key benefits to organizations and individuals. First, the number of cards used fraudulently in the market can be greatly reduced. Instead of relying on the image on a card, security personnel would be able to access a digital image of the cardholder and electronically verify an individual’s identity. Second, phones can represent a low cost and convenient terminal for deployment to security personnel or first responders. Traditionally, hardware costs have been the impediment to reading cards in the field. Now, card-reading capability can exist in a low-cost, mobile communication device.

Physical Access Control in an NFC-Enabled World

The most simplistic mobile access control model is to replicate existing card-based physical access control principles using smartphones with NFC technology. The smartphone would be equipped with a digital key which, when presented to a reader, passes the identity information to an access control system. Based on a predefined set of access rights, the access control system would make the decision to unlock the door (Figure 5).

NFC-enabled mobile access control has some basic requirements, including the following:
• First, NFC-enabled handsets are required. This can be achieved via handsets with an embedded secure element, a SIM or UICC-based secure element, or an add-on device (such as a microSD card) that incorporates a secure element.
• Second, there must be an ecosystem of devices (i.e., readers, locks, and other hardware) that can read and respond to the digital keys stored in NFC-enabled handsets.
• Third, there must be a way to manage digital keys. All identity provisioning/de-provisioning and sharing must occur within a trusted boundary, to ensure a secure channel for communicating identity data objects between validated endpoints so that all transactions between phones, readers and locks can be trusted. A common access control trusted service manager (TSM) would interface seamlessly to the mobile network operator (MNO), its TSM, and the NFC smartphones that will receive the encrypted keys for storage in the secure element, the SIM, or the microSD. Provisioning and de-provisioning would be executed over-the-air via a managed services portal, much like today’s plastic cards, with one-time or batch uploads and drop-and-drag simplicity.
Figure 5. NFC Phone and Physical Access Control
It is believed that NFC-enabled mobile access will be used in three primary environments: residential, hospitality (hotels), and commercial. With the NFC ecosystem in place, a home’s family members will be able to receive digital house keys over-the-air to their smartphones. When the homeowner wants to give a repair person temporary access, it will be possible to send a temporary key and then revoke it when the project is finished. Similarly, business travelers will be able to receive hotel room keys on their smartphones that enable them to bypass the front desk when checking in. In a commercial application such as a hospital, users will be able to receive digital keys on their smartphones that are configured to operate with all of the access control infrastructure’s various readers and locks and to support a variety of security levels and associated access rules. Moving beyond the simple card emulation model described thus far, the mobile access control model can also leverage the smartphone’s on-board intelligence to perform most of the tasks that are currently performed by the access control system. Instead of having a wired physical access control system, a mobile device with its wireless connection could be both the key and the processor. Instead of a reader going to a panel and a panel going to a computer, the phone can become the rules engine to make the access control decision. In a mobile-enabled physical access control use case, when an employee goes to a door, several things can happen. The phone can confirm the location, make sure the employee has the proper authorization to access the area, and ensure that they are allowed access at that specific time. All of this data can be checked against data stored in the cloud; the handset can then send an encrypted signal to the door for it to open. 
Physical access control systems would no longer need to be hardwired, allowing electronic access control to be used on interior doors, filing cabinets, and storage units where it previously would have been cost-prohibitive to install a traditional wired access control infrastructure.
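The phone-as-rules-engine flow described above, as an added sketch that is not part of the white paper: the phone checks revocation, location, authorization and time, and the door opens only for a fresh, authenticated response. All names, the zone labels and the shared secret are assumptions, and the article's "encrypted signal" is modelled here as an HMAC over a one-time door challenge.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class DigitalKey:            # hypothetical over-the-air key record
    key_id: str
    doors: frozenset         # door ids this key may open
    not_before: int          # validity window, epoch seconds
    not_after: int

def phone_decide(key, door_id, phone_zone, door_zone, now, revoked):
    """Checks the article assigns to the phone: location, authorization, time."""
    if key.key_id in revoked:            # e.g. the repair visit has ended
        return "revoked"
    if phone_zone != door_zone:
        return "wrong location"
    if door_id not in key.doors:
        return "not authorized"
    if not key.not_before <= now <= key.not_after:
        return "outside time window"
    return "allow"

def _tag(secret, key_id, door_id, nonce):
    msg = f"{key_id}|{door_id}|".encode() + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()

def phone_unlock(secret, key, door_id, nonce):
    # Answer the door's challenge; call only after phone_decide() allows.
    return _tag(secret, key.key_id, door_id, nonce)

class Door:
    def __init__(self, door_id, secret):
        self.door_id, self.secret, self.nonce = door_id, secret, None
    def challenge(self):
        self.nonce = os.urandom(16)      # fresh value for every attempt
        return self.nonce
    def open(self, key_id, tag):
        nonce, self.nonce = self.nonce, None   # single use, so a replay fails
        if nonce is None:
            return False
        expected = _tag(self.secret, key_id, self.door_id, nonce)
        return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    secret = os.urandom(32)              # constructed sample data
    key = DigitalKey("repair-visit", frozenset({"front"}), 1000, 2000)
    door = Door("front", secret)
    if phone_decide(key, "front", "porch", "porch", 1500, set()) == "allow":
        print(door.open(key.key_id, phone_unlock(secret, key, "front", door.challenge())))
```

Because the door consumes each challenge once, a captured response cannot be replayed later, even though the access decision itself was made on the handset.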
Summary
Using mobile devices for secure identity authentication is a new application that shows great promise for providing convenient and secure employee identity authentication for logical and physical access applications. Approaches for mobile identity applications are expected to vary widely, and can use and leverage a number of mobile device capabilities to offer an easy-to-use user interface and strong security platform for identity authentication. Mobile identity applications leverage the smart card technology that is already built into mobile phones and the standards developed for mobile and payment applications to ensure security, and to enable many innovative approaches for identity authentication.
About this Article
This article is an extract from the Smart Card Alliance Identity Council white paper, Mobile Devices and Identity Applications. The white paper presents the vision of the secure use of mobile devices for identity applications and describes different use cases for current and NFC-enabled mobile devices. Identity Council members involved in the development of this white paper included: Booz Allen Hamilton; Consult Hyperion; Deloitte & Touche LLP; Gemalto; HID Global; HP Enterprise Services; Identive Group; Identification Technology Partners; IDmachines; INSIDE Secure; Intellisoft, Inc.; NXP Semiconductors; SecureKey Technologies.
About the Identity Council
The Smart Card Alliance Identity Council is focused on promoting best policies and practices concerning person and machine identity, including strong authentication and the appropriate authorization across different use cases. Through its activities the Council encourages the use of digital identities that provide strong authentication across assurance environments through smart credentials – e.g., smart ID cards, mobile devices, enhanced driver’s licenses, and other tokens. The Council furthermore encourages the use of smart credentials, secure network protocols and cryptographic standards in support of digital identities and strong authentication on the Internet. The Council addresses the challenges of securing identity and develops guidance for organizations so that they can realize the benefits that secure identity delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.
council reports
Updates from the Alliance Industry Councils
Access Control
• The Access Control Council collaborated with the Security Industry Association (SIA) to submit industry comments on the changes being made to the FIPS 201 Evaluation Program. We had strong participation from both Smart Card Alliance and SIA members on developing and agreeing on comments. Lars Suneborn (Oberthur Technologies) led the project; Lars Suneborn, Sal D’Agostino (IDmachines), Steve Rogers (IQ Devices), Roger Roehr (Roehr Consulting) and Joe Tassone (Identive) led reviews of the individual documents. Member organizations participating in the project included: AMAG Technology; Booz Allen Hamilton; CertiPath; Codebench; Dale Laszig; DMDC; Exponent; HP; Identification Technology Partners; Identive; IDmachines; IQ Devices; NagraID Security; NASA; NXP Semiconductors; Oberthur Technologies; Quantum Secure Inc.; Roehr Consulting; SafeNet; Secure Mission Systems; Stanley Security Solutions; Tyco/Software House; U.S. Department of State; XTec, Inc.
• The Council is currently working on a “PACS Primer for PIV” to provide additional guidance for the GSA Evaluation Program Technical Working Group (EPTWG).
• Other Council 2013 priorities include: providing input to NIST on FIPS 201-2 related publications; and providing recommendations and guidance on derived credentials.
Healthcare
• The Healthcare Council held an interactive web briefing on use cases for smart healthcare cards on March 1st, with invited government and industry contacts. Lawrence Carbanero, Memorial Hospital, North Conway, NH, and Roderick Bell, Resolute Health, Innovation Center for Vanguard Health, discussed their perspectives and the success they’ve achieved with their smart healthcare card programs.
Identity
• The Identity Council is developing a white paper on smart card technology and NSTIC. The goal of the white paper is to raise awareness of the benefits of smart card technology and show how smart card technology can be used for high assurance credentials in the NSTIC identity ecosystem.
• The Council is leading a cross-council white paper project on supporting the PIV application on mobile devices with the UICC.
Mobile and NFC
• The Mobile and NFC Council held a successful webinar on March 5th, “Anatomy of a Mobile Device” – the first of four webinars on mobile/NFC security fundamentals. The March 5th webinar was held in collaboration with GlobalPlatform and had over 530 people registered for the event. Kevin Gillick (GlobalPlatform), Philip Hoyer (HID Global), and Gil Bernabeu (GlobalPlatform) presented in the webinar. The webinar recording is available at: http://www.smartcardalliance.org/pages/activities-events-mobile-nfcsecurity-fundamentals.
• The second webinar, “Secure Elements 101,” will be held on March 28th, with presentations from Brent Bowen (INSIDE Secure), Sree Swaminathan (First Data), Sanjiv Rawat (Giesecke & Devrient) and Greg Coogan (Morpho Cards). Registration for the second webinar is at: https://www1.gotomeeting.com/register/771731673.
• The Mobile and NFC Council is currently discussing other new projects for 2013 based on member input on priorities.
Payments
• The Payments Council is discussing priorities for 2013 projects. Topics being discussed for 2013 include: EMV impact on contactless; the EMV business case; EMV & mobile payments; and mobile payments approaches.
Transportation
• The Transportation Council is currently defining 2013 projects. Topics being discussed for 2013 include: EMV and transit; small agency business model for open payments; transit and PIV card linkages; transit system reference architecture; and agency outreach.
Other Council Information
• Members-only council web pages are available at http://www.smartcardalliance.org/councils. These are password-protected pages that contain council working and background documents and contact lists. Each Council area has a separate password since Councils may have different membership policies. If you are a Smart Card Alliance member and would like access to a council site, please contact Cathy Medich.
• A Council meeting calendar is available on the members-only web site at http://www.smartcardalliance.org/pages/memberscouncil-resources.
• If you are interested in forming or participating in an Alliance council, contact Cathy Medich.
Alliance Members: Participation in all current councils is open to any Smart Card Alliance member who wishes to contribute to the council projects. If you are interested in participating in any of the active councils, please contact Cathy Medich.
from the alliance office
Welcome New Members
• JVL Ventures, LLC, D/b/a Isis, Leadership Council
• Jack Henry Processing Solutions, General Member
• Unitec Blue, SCALA, Leadership Council
New CSCIP Recipients
• Christian O’Keefe, Deloitte & Touche LLP
• Ron Sutton, Deloitte & Touche, LLP
CSCIP/Payments
• Dave Kaminsky, Mercator Advisory Group
For more news, visit our website at www.smartcardalliance.org. Members can also access white papers, educational resources and other content.
191 Clarksville Road Princeton Junction, New Jersey 08550 1.800.556.6828 Fax: 1.609.799.7032 info@smartcardalliance.org www.smartcardalliance.org
About Smart Card Talk
Smart Card Talk is the monthly e-newsletter published by the Smart Card Alliance to report on industry news, information and events and to provide highlights of Alliance activities and membership.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.