Smart Card Talk June 2013
A Smart Card Alliance ePublication, Volume 18, Issue 6
Dear Members and Friends of the Alliance, This month, I take you inside the process of how we are shaping the strategic direction for the Smart Card Alliance for the next three to five years that will hopefully correspond to the future of smart card and secure chip technology. We spent a few months in advance of our annual board of directors strategic planning retreat working with global management consulting firm Oliver Wyman to independently assess strengths and weaknesses of the Alliance and the opportunities and threats to further smart card adoption in North America and Latin America. In short, the planning meeting energized the Alliance as an organization. The research and resulting information presented by the consultants showed us that we are a nimble group whose greatest assets – our members and their collective knowledge – can be leveraged even greater within the industry.
Thank you for your support of the Smart Card Alliance.
Sincerely, Randy Vanderhoof Executive Director, Smart Card Alliance | Director, EMV Migration Forum
Event Calendar
• 2013 Government ID Security Conference: Oct. 15-16, 2013, Walter E. Washington Convention Center, Washington, DC
• Smart Card Alliance Member Meeting (new!): December 8-10, 2013, Biltmore Hotel, Coral Gables, FL

Feature Article: Smart Card Technology and NSTIC
The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative to improve on the credentials currently used to access the Internet and authenticate identity online. This month’s article provides an overview of the initiative and discusses how smart card technology supports the NSTIC principles.

SCALA News: The Right to an ID
Civil registry in Latin America shows that 10% of children born there are not registered by the government. Does that ensure that the entire population is accounted for, and is being served, by their government? SCALA Associate Director Edgar Betts gives his take on this and other news impacting Latin America.
executive director’s corner
Aiming Higher

Dear Members and Friends of the Alliance,

Our planning process for the next year involves a two-day, comprehensive Board Meeting with the more than 20 senior executives from various parts of the smart card and related technology industries. Each June we meet to discuss the significant developments from the previous year and share intelligence about changing industry trends and technology advances that keep the Smart Card Alliance programs relevant to the dynamics of the markets. These sessions then translate into the projects and deliverables of the six industry councils, the four industry conference events, and the various training programs, web resources, and industry outreach programs we manage.

This year, with the help of consulting firm Oliver Wyman, we took a much deeper dive into the internal and external market forces shaping the smart card markets for payments, transportation, mobile, healthcare, identity, and security. We brought in the consultants for the first day of the planning meeting to provide us with their perspectives and conclusions that had been prepared as a result of their hours of interviews with staff and with Alliance, council and board members. They presented an unbiased perspective on how the various smart card markets are evolving, and the strategies we can formulate as the market matures.

One of the recommendations was to expand our role of smart card technology and applications training. Having evaluated all the related global industry organizations and their training programs, the Smart Card Alliance CSCIP training and certification program was by far the most established and comprehensive they found. They looked at online training, classroom training, and text books available, and found that few regions in the world outside of the U.S. and Latin America offered any professional education programs.
They also learned that there were no other programs that included a professional certification that recognized individual skills and knowledge and that cut across multiple usage models and form factors like cards, mobile devices, SIMs or USB-based security devices. We were encouraged to expand online access to training programs to reach global markets and to consider publishing manuals and text books for university and post-graduate education channels. Those efforts have already begun with the upcoming translation, into Spanish and Portuguese, of the training documentation and testing materials for SCALA. Oliver Wyman concluded that the Alliance should utilize the content we have within the organization and develop a delivery channel that could reach global markets, particularly areas where smart card adoption is growing, like India, China, and Eastern Europe.
Healthcare is another opportunity for improvement through more support from the Alliance. We have maintained a presence in the healthcare market for several years; we have an established Healthcare Council that has produced numerous white papers and webinars, and produced conference tracks on health IT security and the use of healthcare identity cards in hospitals. As the federal policies slowly start to take shape under the Affordable Care Act of 2010 creating health information exchanges to enable electronic health records to be securely transmitted among patients, hospitals, healthcare providers, private insurers and other relying parties, it has become increasingly apparent that a consistent, secure, and scalable method of identifying patients and binding these individuals to their health records is essential for the system to work. In addition, state and federal government health programs, such as Medicare and Medicaid, are under increased pressure to cover more people with less funds and to squeeze out inefficiency and fraud from the healthcare system. Oliver Wyman recommended that the Alliance update and refresh much of the educational information and resources we have on the subject of healthcare security and identity management and to promote these resources more broadly. We should consider planning a new conference or expanding the coverage of the electronic health record management problem within our existing conferences and increase the dissemination of market intelligence to the large, complex health information systems and integrators who are building the new IT infrastructure for this health information to travel across. As we have experienced in the corporate IT markets, the infrastructure often gets built first, and security gets added later. 
In healthcare, this is going to be a bigger problem to address later because once consumers lose confidence that their private information is secure, the infrastructure will be suspect, or worse, fraudsters will find ways to exploit the weaknesses in identity management in the new systems and costs will continue to rise, and not fall as expected. While I have summarized only two of the areas the board plans to address in the future, there were other important strategic opportunities presented involving EMV, mobile/NFC, international expansion, and organizational operational efficiencies. We will be developing major programs in the next few months to move forward with these strategic opportunities. When we gather in Miami at the first annual Smart Card Alliance Members Meeting scheduled for Dec. 8-10, 2013, we hope to talk in greater detail about new initiatives. Until then, enjoy your summer and keep supporting the markets, educational programs and training we currently provide. Sincerely,
Randy Vanderhoof Executive Director, Smart Card Alliance rvanderhoof@smartcardalliance.org
latin america corner

The Right to an ID

Dear Members and Friends of the Smart Card Alliance Latino America – SCALA:

It is sometimes a challenge to articulate our vision to others outside our industry and market. Sometimes this seeming lack of ability to express our points of view, mixed with industry jargon and cultural and language barriers, causes me to wonder if our goals and objectives will ever see the light of day. When I feel frustrated, I remind myself of the famous quote from Robert F. Kennedy, who said, “Some men see things as they are and say why. I dream things that never were and say why not.” To me, smart card technology represents an opportunity to address some of the key challenges faced in many markets in which technology is a critical component.

During our last Government Information Exchange held last month in Mexico, the Inter-American Development Bank made a presentation on civil registry in Latin America. A slide that impacted me was a graph that showed that 10% of children born in Latin America are not being registered by their respective governments. As a result of not being registered, they receive fewer vaccinations than those children who are processed in the system.

The process of registering an entire population is difficult. In particular, some countries in Latin America have large geographies, variations in terrains and climates, variations in cultures, multiple languages, and areas with limited resources. It is easy to understand why governments focus most of their resources and efforts in urban population areas. This is where the majority of their citizens is located. The term “more bang for the buck” comes to mind. Brazil, for example, is an area larger than Europe, with population spread throughout. While Brazil contains many of the world’s most modern cities, there are areas in this vast country that are considered difficult to access, as there are many remote areas that can only be reached by helicopters and boats.

Taking these factors into account and the associated cost that governments would bear to register 100% of all their citizens, is it worth it? Or is 10% a number we can live with that is good enough to ensure that the majority of the population is accounted for and constituents of the different government districts are serviced?

Governments are unable to accurately plan the resource allocation necessary to expand the educational system if they cannot forecast the growth in population, the number of children that will require education, the number of teachers, desks and classrooms, and the amount of supplies. This is also true for public healthcare; how can the government accurately order the right amounts of vaccinations for the newborn population if they can’t determine where, or when these babies are born?

Smart cards are currently the best tool available in the market for secure identification. It is possible to have a multi-application card that could serve as a single document for identification and provide all the functions for the effective interactions with government.

In conclusion, identification is a right of being a citizen. Any individual being born in a geographic territory or through lineage (depending on the country) has a right to citizenship and the only way to prove citizenship is through an identification card. By being excluded from being identified in a civil registry, the individual is marginalized and separated from society. In turn, the exclusion of individuals reduces the access to public services, government participation, and equality among citizens.

Our industry is composed of individuals with different nationalities, backgrounds, cultures, perspectives, ideology, and language. Despite these differences we all are united together under one cause -- because we know why we promote the technology and what we want to achieve with smart cards. We hope to see you all in Punta Cana at the EMVTour-CAC 2013.

Sincerely,
Edgar Betts Associate Director, Smart Card Alliance Latin America (SCALA) ebetts@smartcardalliance.org www.sca-la.org
feature article
Smart Card Technology and NSTIC

Internet use is evidently the most indispensable activity of our generation. We use it for almost everything—to connect with friends, shop, bank, blog thoughts, and seek medical attention, among other things. But as use of the Internet has increased, so has cyber crime. Cyber crime has resulted in losses to individuals and businesses amounting to billions of dollars annually. According to the Federal Bureau of Investigation, identity theft is currently the leading and most persistent financial crime. Approximately 12 million Americans have been affected by identity theft of some kind in the past 2 years. To use their online accounts, people must remember an unmanageable number of passwords. For this reason, most people reuse the same passwords for years, making it easy for identity thieves and hackers to do their worst. To use the Internet safely and effectively, a better way must be developed for individuals to prove online that they are who they say they are.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative to improve on the credentials currently used to access the Internet and authenticate identity online. This initiative proposes a marketplace that allows people to choose among multiple identity providers, both private and public, who can issue trusted credentials. [1] NSTIC has already involved itself in defining the essential fundamental elements that aid in strengthening identity, privacy, and security in the administration of Social Security benefits, immigration, healthcare, and other programs in the physical world. The NSTIC framework recognizes grave inadequacies in the current management of identity, privacy, and security in online transactions.

The Smart Card Alliance is promoting the adoption of the NSTIC framework. The Alliance strongly agrees with the use of federal, state, and local government initiatives to accelerate the development of an identity ecosystem. At the same time, the Alliance advocates for leveraging existing procedures, standards, and technology. Technologies such as those described in FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors and in the Federal Identity, Credentialing and Access Management Roadmap are vital to achieving interoperable, high assurance identity verification.

Smart card technology provides maximum security through strong authentication mechanisms and protects user privacy. The technology is designed to resist malware, forgery, and other efforts to extract information fraudulently from an identity token. Smart card technology provides a tamper-proof container for digital identity credentials and biographic and biometric identifiers. The availability of multiple form factors makes smart card technology-based tokens portable and easy to distribute.

This is the first of two Smart Card Talk articles that review the NSTIC initiatives and discuss how smart card technology can provide the advanced credentialing capabilities needed to enable high assurance in the NSTIC identity ecosystem.

Purpose of the NSTIC Organization

NSTIC was created in response to an action item in the Cyberspace Policy Review [2] that calls for the creation of an online environment in which individuals and organizations can execute transactions with confidence, trusting the identities not only of all parties to the transaction but also of the infrastructure supporting the transaction. This environment of trusted identities and infrastructure is referred to as the identity ecosystem. The identity ecosystem is an online environment in which individuals and organizations can trust each other, because they agree to follow specific standards to obtain and authenticate both their digital identities and the digital identities of all devices involved in a transaction. The identity ecosystem is designed to secure a complete range of transactions, from anonymous to fully authenticated and from low value to high value. [1]

By enabling the principles of NSTIC, individuals no longer have to remember an ever-growing (and potentially insecure) list of user names and passwords to access various online services. NSTIC envisions an environment where individuals use a secure, interoperable, privacy-enhancing credential to authenticate themselves online for different types of transactions. The credential can be any number of identity tools and can be stored on a variety of different identity tokens (such as a smart card or a USB device). The credential comes from a public or private provider. The security level and abilities of the credential can vary, depending on the provider and medium.

NSTIC envisions an entity known as an identity provider (IDP), which is responsible for establishing, maintaining, and securing the digital identity associated with a particular person. The IDP’s responsibilities include revoking, suspending, and restoring the person’s digital identity if necessary. IDPs issue credentials: information objects that provide evidence of the person’s identity for a transaction. The credential may also provide a link to a person’s authority, roles, rights, privileges, and other attributes. [1]

Credential Definition

According to NIST Special Publication 800-63 Electronic Authentication Guideline, a credential is an object that authoritatively binds a person’s identity to a token possessed and controlled by that person. A securely issued smart card or smart card technology-based device can carry a credential and provide the owner with many benefits for safeguarding information.

Establishing a smart card-based identity token for an individual involves several components. First, an individual enrolls for a credential, a process which consists of identity proofing, the establishment of a personal identification number (PIN), and possibly the capture of biographic and biometric data. Then, the credential is produced and issued to the individual. Usually the credential must be maintained over a lifecycle, which can include revocation, reissuance and replacement, re-enrollment, expiration, PIN reset, suspension, and reinstatement processes.

Smart card technology is an important element in identity management systems, due to its ability to support authentication mechanisms that can identify people with minimal ambiguity. A smart card-based identity token can be used to verify who an individual claims to be, using information about the cardholder printed or stored on the card and biometric information stored in the card, instead of or possibly in addition to checking something the cardholder knows (such as a PIN).
Figure 1: Impact of Smart Cards on Security
Use of smart card technology within the identity ecosystem offers several advantages:
• The technology is designed to eliminate fraud by minimizing the risk that credentials or tokens are fraudulent.
• Smart cards are deployed around the world for financial services, mobile communications, healthcare, and e-government.
• Smart card technology enables secure identity verification while protecting personal privacy.
• Only the cardholder is able to initiate or verify a transaction using a PIN, biometric data, or both.
• Smart card technology-based tokens can store electronic credentials and prevent the credentials from being copied, altered, or hacked.
• Smart card technology-based tokens can hold many different identity credentials and support multiple authentication mechanisms.

As shown in Figure 1: Impact of Smart Cards on Security, use of smart card technology increases the security of the identity system and improves the accuracy, speed, and control of the cardholder authentication process.
Guiding Principles and Relevance to Smart Card Technology

NSTIC envisions individuals and organizations using secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation. NSTIC has identified several guiding principles [3] for the identity ecosystem. Smart card technology offers advantages in all of the areas represented by these principles (Table 1).

Table 1: NSTIC Guiding Principles and Smart Card Technology Advantages

| Guiding Principle | Smart Card Technology Advantage |
| --- | --- |
| Identity solutions will be privacy-enhancing and voluntary | Preserves the positive privacy benefits associated with offline identity-related transactions. Provides individuals using smart cards with the freedom to present the stored credential of their choice. |
| Identity solutions will be secure and resilient | Is based on proven technology and security standards, so provides secure and reliable methods of electronic authentication. Can detect when trust has been betrayed, is capable of timely restoration after any disruption, can quickly revoke and recover compromised digital identity credentials, and can adapt to the dynamic nature of current technology. |
| Identity solutions will be interoperable | Is governed by standards for physical properties, communication characteristics, and definition of the stored applications and data. Available standards provide both technical and policy-level interoperability (e.g., ISO/IEC 7816, ISO/IEC 15693, ISO/IEC 14443, ISO/IEC 7501, ICAO, FIPS 140 (1-3), FIPS 201, EMV, PC/SC Specification, CEN and ETSI, HIPAA, IC Communications Standards, GSM, OpenCard Framework, GlobalPlatform, Common Criteria, and national and international biometric standards). |
| Identity solutions will be cost-effective and easy to use | Enables individuals to have many identity credentials from an array of service providers. As an identity solution, is simple to understand, intuitive, easy to use, and requires minimal user training. |

Summary

This month’s article reviewed the NSTIC initiatives and summarized how smart card technology supports NSTIC guiding principles. Part 2 of this article will review the need for higher levels of assurance and outline use cases that leverage smart card technology.

References

[1] National Strategy for Trusted Identities in Cyberspace, Enhancing Online Choice, Efficiency, Security and Privacy, The White House, April 2011.
[2] Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, The White House, May 2009.
[3] From http://www.idecosystem.org/page/adherence-nsticguiding-principles
About this Article

This article is an extract from the Identity Council white paper, Smart Card Technology and the National Strategy for Trusted Identities in Cyberspace (NSTIC), published in June 2013. The white paper was developed by the Smart Card Alliance Identity Council to describe the benefits of combining smart card technology and strong credentials within NSTIC. Member organizations participating in developing the white paper included: Booz Allen Hamilton; CH2M HILL; Deloitte & Touche; Gemalto; General Services Administration (GSA); HP Enterprise Services; IDmachines; IQ Devices; NXP Semiconductors; Oberthur Technologies; SecureKey Technologies.

About the Identity Council

The Identity Council is focused on promoting best policies and practices concerning person and machine identity, including strong authentication and appropriate authorization across different use cases. Through its activities, the Council encourages the use of digital identities that provide strong authentication across assurance environments through smart credentials—e.g., smart ID cards, mobile devices, enhanced driver’s licenses, and other tokens. The Council furthermore encourages the use of smart credentials, secure network protocols, and cryptographic standards in support of digital identities and strong authentication on the Internet. The Council addresses the challenges of securing identity and develops guidance for organizations so that they can realize the benefits that secure identity delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organizational resources to bear on addressing the challenges of securing identity information for proper use.

Additional information on the use of smart card technology for identity applications can be found on the Smart Card Alliance Web site at http://www.smartcardalliance.org.
council reports
Updates from the Alliance Industry Councils

Access Control
• The Access Control Council submitted comments to NIST on the draft Special Publication (SP) 800-73-4, Interfaces for Personal Identity Verification. Lars Suneborn, Oberthur Technologies, led this project.
• The Council submitted comments to the U.S. Coast Guard on the Transportation Worker Identification Credential Reader Requirements Notice of Proposed Rulemaking (NPRM).

Healthcare
• The Healthcare Council submitted comments to respond to the Senate request for feedback on federal progress promoting health information technology adoption and standards. Michael Magrath (Gemalto) and David Batchelor (LifeMed ID) led the development of this response.
• The Council is collaborating with the Workgroup for Electronic Data Interchange (WEDI) Health ID Card Subworkgroup to provide input on smart cards and biometrics for a WEDI research paper.

Identity
• The Identity Council completed a new white paper, Smart Card Technology and the National Strategy for Trusted Identities in Cyberspace (NSTIC). The goal of the white paper is to raise awareness of the benefits of smart card technology and show how smart card technology can be used for high assurance credentials in the NSTIC identity ecosystem. Abel Sussman (Booz Allen Hamilton) led this project. Member organizations participating in the project included: Booz Allen Hamilton; CH2M HILL; Deloitte & Touche; Gemalto; General Services Administration (GSA); HP Enterprise Services; IDmachines; IQ Devices; NXP Semiconductors; Oberthur Technologies; SecureKey Technologies.
• The Council, in collaboration with the Mobile and NFC Council and the Access Control Council, completed a new white paper, “Supporting the PIV Application in Mobile Devices with the UICC.” This white paper was developed to provide guidance to U.S. Government policy makers and technologists on the key technical, business and policy considerations for supporting the Personal Identity Verification (PIV) application and credentials on mobile devices using the Universal Integrated Circuit Card (UICC). Neville Pattinson (Gemalto) and James McLaughlin (Gemalto) led this project. Member organizations participating in the project included: Bell Identification B.V.; Booz Allen Hamilton; CH2M HILL; Deloitte & Touche LLP; Gemalto; General Services Administration (GSA); HID Global; Identification Technology Partners; IDmachines; Intercede Ltd; IQ Devices; NXP Semiconductors; Oberthur Technologies; SafeNet, Inc.; SAIC; SecureKey Technologies; XTec, Incorporated.

Mobile and NFC
• The Mobile and NFC Council is working on a white paper that evaluates different approaches for securing credentials on mobile devices.

Payments
• The Payments Council has started two new projects: a white paper on EMV and card-not-present fraud and a white paper on the changing U.S. payments landscape.

Transportation
• The Council has started two new projects: a white paper on EMV impact on transit and a cross-industry discussion of key challenges in accepting open payments in transit.

Other Council Information
• Members-only council web pages are available at http://www.smartcardalliance.org/councils. These are password-protected pages that contain council working and background documents and contact lists. Each Council area has a separate password since Councils may have different membership policies. If you are a Smart Card Alliance member and would like access to a council site, please contact Cathy Medich.
• A Council meeting calendar is available on the members-only web site at http://www.smartcardalliance.org/pages/memberscouncil-resources.
• If you are interested in forming or participating in an Alliance council, contact Cathy Medich.

Alliance Members: Participation in all current councils is open to any Smart Card Alliance member who wishes to contribute to the council projects. If you are interested in participating in any of the active councils, please contact Cathy Medich.
from the alliance office
Welcome New Members
• iAll-Tech, Associate member
• Arjowiggins Security, SCALA, General member

New CSCIP and CSCIP/P Recipient
• Tim’t Hart, Kyushu University
For more news, visit our website at www.smartcardalliance.org. Members can also access white papers, educational resources and other content.
191 Clarksville Road Princeton Junction, New Jersey 08550 1.800.556.6828 Fax: 1.609.799.7032 info@smartcardalliance.org www.smartcardalliance.org
About Smart Card Talk

Smart Card Talk is the monthly e-newsletter published by the Smart Card Alliance to report on industry news, information and events and to provide highlights of Alliance activities and membership.

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.