Smart Card Talk, July Issue


Smart Card Talk July 2013

a Smart Card Alliance ePublication

• Volume 18 : Issue 7

Dear Members and Friends of the Alliance,

The graduation parties, 4th of July fireworks and other festivities are over and my email inbox is filled with “Out of Office Message – On Vacation” notices. Summer is typically when we step back from our computers and smart phones and remember that we are supposed to work to live, not live to work. Yet, I can’t seem to get myself into vacation mode when there is so much happening around the smart card industry that draws me in.

Developments within the EMV Migration Forum and a busy fall focused around the 2013 Smart Card Alliance Government Conference have made those lazy, crazy, hazy days of summer just a memory of my younger self. But I love being busy, and so I find myself energized. Please read my letter to learn about all the activities surrounding the industry. And thank you for your support of the Smart Card Alliance.

Sincerely,

Randy Vanderhoof
Executive Director, Smart Card Alliance
Director, EMV Migration Forum

Event Calendar

2013 Government ID Security Conference

Oct. 15-16, 2013 Walter E. Washington Convention Center, Washington, DC

Feature Article: High Assurance Credentials and NSTIC

The identity ecosystem being defined to support the National Strategy for Trusted Identities in Cyberspace (NSTIC) calls for various levels of assurance for credentials. This month’s article reviews the need for higher levels of assurance and outlines use cases that leverage smart card technology.

Member Profile: UnitecBlue


This month Smart Card Talk is pleased to feature a profile of Matias Gainza Eurnekian, an executive with Grupo Corporación America, an Argentine investment group active in the airport, airport business, cargo and energy sectors. Among the group’s subsidiaries is biofuel company UnitecBlue, a Leadership Council member company with SCALA.

Smart Card Alliance Member Meeting (new!) Dec. 8-10, 2013 Biltmore Hotel, Coral Gables, FL



executive director’s corner

The Busy Season

Dear Members and Friends of the Alliance,

As you know, the U.S. EMV migration is now in full swing, and the EMV Migration Forum, the separate but affiliated organization launched by the Smart Card Alliance last summer, is approaching its one year anniversary on July 31. The Forum is a cross-industry payments stakeholder led organization with 143 member organizations that include the payments brands, financial card issuers, acquirer processors, merchants, regional debit networks, consultants, systems integrators, and industry suppliers of chip cards, readers, software and related EMV services. Our quarterly member meetings average about 220 attendees, who divide their time getting EMV status reports and critical updates from each of the stakeholder groups and spending valuable face-time in breakout sessions with colleagues in the six working committees and the two special interest groups – the Issuer SIG and Merchant SIG.

These stakeholder groups don’t always see eye to eye on important decisions facing the U.S. payments industry to accommodate the significant choices enabled with the EMV specifications. Several months were spent in the Debit Working Committee discussing complications associated with routing debit card transactions to comply with the regulatory requirements under the Durbin Amendment. Those requirements stipulate that each EMV chip card must support two unrelated debit networks with merchants having the choice to route those debit transactions to their favored network. At our June meeting held at McDonald’s Hamburger University campus near Chicago, a breakthrough was achieved: issuer, merchant, acquirer processor and issuer processor members of the Forum recommended a path forward using a single common U.S. debit payment application identifier (AID) on each EMV chip card that represents each of the debit networks enabled on the card.

As the business agreements on working with each of the debit chip application solutions are being worked out, the attention now shifts to the complicated process of certifying the new EMV credit and debit terminal applications between the merchants, their acquiring partners and the payment brands. There has been a common concern voiced by the acquirers that under the current set of testing and certification requirements, there won’t be enough time to get all of their merchant customers through the certification cycle before the liability shift date. That implies that the process needs to be simplified or the timelines need to be extended. The Testing and Certification Working Committee is working on projects that will hopefully address this problem before the expected ramp-up of new terminals being installed over the next year.


Outside of the payments world, another area of interest that is keeping the meeting calendars full for our members is the developments in the market that are shaping the future of Internet identities and cyberspace. More and more, I read comments from Internet security gurus from PayPal, Microsoft, PING Identity, and Amazon declaring that Internet security – that is, getting by with individuals having dozens of Internet identities based on user names and passwords – is broken. What is unclear is how to move forward with stronger digital identities that can be shared across multiple relying parties, so that, for example, my identity credential recognized by my online bank account could be used to access my favorite Internet shopping site. The Identity Ecosystem Steering Group (IDESG), funded and led by the NSTIC Program Office at NIST, is attempting to accomplish for the electronic commerce market what the Smart Card Alliance has accomplished for the smart card access control market, namely establish a cross-industry stakeholder body to collaborate on best practices and technology standards for trusted identities over the Internet.

The timing for this added concentration on Internet identity is perfect for leading into our 2013 Smart Card Alliance Government Conference being held October 15-16, in Washington, DC. We are adding a new co-existing conference program to the event called User-Centric ID Live. User-Centric ID Live, produced in partnership with Avisian Publications, is a comprehensive forum to address business challenges and commercial opportunities surrounding user-centric identity.

This co-located conference and exhibition will examine the products and services that are being defined that will allow individuals to manage their personal identity across a range of web resources and mobile apps, commercial enterprises, retail and hospitality environments, in the workplace, at security checkpoints, and beyond – regardless of whether smart card technology is used or not. Conference sessions will focus on technologies, standards, implementations, applications, and business models in the new user-centric identity ecosystem. Also presented will be an overview of the market and the social and legal issues that arise with these new tools. The combination of smart card-focused identity and security solutions for government applications with user-centric identity solutions for the commercial and personal marketplace truly brings everything into focus under one roof.

So much to do – and so little time to work on my tan. I only hope everyone manages to schedule some much needed relaxation and fun in the next few weeks as I plan to do, so that when September comes, we will all be refreshed and ready to push forward for a busy and productive fall.

Sincerely,

Randy Vanderhoof
Executive Director, Smart Card Alliance
rvanderhoof@smartcardalliance.org


latin america corner

Leadership Expansion

Dear Members and Friends of the Smart Card Alliance Latino America (SCALA),

I am pleased to report that our Advisory Board of Directors met last month to help us with the planning of activities, allocation of resources, strategies, and market information. The meeting of fourteen (14) market leaders and industry representatives from American Express, Banco do Rio Grande do Sul, Gemalto, Giesecke & Devrient, HID Global, MasterCard Worldwide, Oberthur Technologies, Safran Morpho, Ultra Electronics, Unitec Blue, and Visa Inc. demonstrated a great deal of unity towards the direction of our industry and how to move forward.

Some of the key decisions agreed upon by the group include:

• Membership dues increase for new and existing SCALA members
• Restricting materials, market information, white papers and other educational resources to members only
• Approval for the translation of the materials and training course associated with the Certified Smart Card Industry Professional (CSCIP) designation

In addition, the Advisory Board suggested that SCALA establish a new membership procedure to ensure that new member companies are serious, reliable, and knowledgeable. This will help to position SCALA as a trusted organization involved in the smart card industry.

SCALA’s Executive Committee will personally evaluate each membership application, and a member of SCALA’s staff will conduct an interview with the member candidate.

The process of being interviewed and evaluated by industry peers helps us to align the prospective candidates with the mission and goals of the SCALA organization. The process also helps new member organizations to expand their credibility and that of the industry body. Likewise, it consolidates the true leadership of our industry in the SCALA Board of Directors.

Industry organizations not affiliated with the Smart Card Alliance Latino America – SCALA, which are looking for leadership, partnerships, opportunities, or market involvement in Latin America should look towards SCALA, our members, and team leaders to get involved in our industry body. The Alliance welcomes any organization that is willing to work with other member organizations toward the goal of promoting the use, understanding, and adoption of smart card technology in an impartial manner in the Latin America and Caribbean region. If you know a company interested in applying for membership in SCALA, please direct them to www.sca-la.org.

The month of July for many companies is the first month of their fiscal year. This period is when companies are submitting budgets, determining the allocation of resources and planning the activities they will participate in for the year. This is the perfect time for industry companies to align their events calendars with key activities for the fiscal year and get involved with SCALA in developing new market opportunities.

In conclusion, I would like to congratulate all member organizations that have shown great leadership, resolve, and support in the past fiscal year. I am looking forward to seeing the new member companies also take a leadership role, volunteer, and lead our industry. I am confident that the 2013/2014 fiscal year will be the most productive year yet.

I would also like to take this opportunity to thank Telered S.A. for inviting the Alliance and some key member organizations in Latin America as speakers in their annual conference on August 1st, 2013, “Jornada de Actualización tecnológica EMV y Medios de pagos electrónicos en Panama.”

Please review this month’s member profile from Unitec Blue, one of our Leadership Council members in the Latin American Chapter.

I would like to wish a happy Independence Day celebration to all citizens of Argentina, Colombia, United States, and Venezuela.

Sincerely,

Edgar Betts
Associate Director, Smart Card Alliance Latin America (SCALA)
ebetts@smartcardalliance.org
www.sca-la.org


member profile

This month Smart Card Talk is pleased to feature a profile of Matias Gainza Eurnekian, an executive with Grupo Corporación America, an Argentine investment group active in the airport, airport business, cargo and energy sectors. Among the group’s subsidiaries is biofuel company UnitecBlue, a Leadership Council member company with SCALA. Eurnekian serves in various managerial roles in companies with Grupo América. He studied Foreign Trade at the University of Belgrano and Financial Analysis at the University of Palermo, and is fluent in English and Armenian.

1. What is the key focus of Unitec Blue’s business and products?

Unitec Blue is an Argentine company specializing in nanotechnology and the production and development of products and services tailored to the needs of a variety of customers.

The company develops different processes and services which include the original manufacturing of chips on silicon wafers and their packaging and subsequent inclusion in electronic equipment. Unitec Blue focuses on cutting-edge technology dedicated to the production of semiconductors and integrated circuits. Our production processes start with the manufacture of chips from the original wafer through its inclusion in electronic equipment. The company plans and develops different products such as smart cards (contact and contactless), SIM cards (cards with chip for cell phones), EMV cards (credit and debit payment cards), contactless and RFID tags (e.g., labels, tags for tracking, pay pass, tracking of pharmaceuticals, electronic voting). Its production plant is located in the town of Chascomus, in the province of Buenos Aires. The plant also has the physical facilities and necessary security protocols required internationally to manufacture banking products (Unitec Blue is currently in the process of EMV certification and Arsenal Research) and Government identification.

2. What is the importance of smart card technology for your company?

Technological change is transforming the way we live, act, and relate to people. That is why our mission is to create products that facilitate and optimize these relationships, establishing the use of the technology as part of daily life.

For Unitec Blue, the global smart card market is one of our main focuses, divided into payment cards (with or without contact), SIM cards (cards with chip for cell phone), and EMV cards (credit and debit banking cards).

3. Which upcoming market trends do you expect to capitalize on?

At the international level, the development and implementation of EMV and mobile payments (NFC, dual interface) solutions generated significant growth in different industries (transportation, telephone, government, banking, retail, loyalty programs, ticketing, micropayments, among others).

4. What are the main obstacles to overcome in order to capitalize on the company’s growth?

We have learned a lot since we began our management processes in early 2012. In the first few months, the company incorporated administrative and operational procedures with the premise of optimizing our diverse product lines. Without a doubt, to become the first company of nanotechnology in the region comes with a crucial responsibility for the development of our know-how, so that we can achieve the necessary quality standards in the technology market.

5. What are the main factors leading the EMV migration and governmental smart card markets in Latin America?

The finance sector (mainly through credit and debit cards) in the region is heading towards mainstreaming global economic trends and new technological processes. EMV cards and the ecosystem to support them are entering the market. These developments provide flexibility in the form of payment and value-added services with increased security.

The benefits of migration to this new system (EMV) are several, among which are: optimization of the security of banking transactions processes, increase in consumer and customer satisfaction, interoperability with the rest of the world, bank fraud reduction, and solutions for EMV-compliant products available in the market.

Also, we consider the implementation of dual interface cards to be crucial in the migration process.

6. How do you evaluate your participation in SCALA?

Unitec Blue considers its participation in Smart Card Alliance Latino America - SCALA as strategic and indispensable. The Alliance added substantial value to the company, helping in the development of its image and prestige, so that we can also observe and efficiently identify the regional and global smart card market. SCALA offers our company several advantages in business, among which include a wide diversity of members and markets, development of targeted events, experience and success stories, continuous updating of techniques and market information through the website, and creation of new business.


feature article

High Assurance Credentials and NSTIC

The identity ecosystem calls for various levels of assurance and must be secure and resilient. Security and resiliency become increasingly important as the assurance level goes up; an essential element of a resilient credential is the ability to be revoked or suspended easily. Credentials at lower assurance levels can be propagated easily: relying parties can simply reference an earlier validation that is cached within their relying systems. Credentials at higher assurance levels (an excellent example is public key infrastructure, or PKI, certificates) offer much tighter controls in terms of validation processes, and relying parties own the responsibility to authenticate these credentials properly.

Required Assurance Levels

To enable high assurance transactions, institutions and individuals alike require credentials that can perform certain essential functions:

• Mutual authentication with a relying party
• Information authentication using digital signature technologies
• Non-repudiation of transactions
• Maintenance of confidentiality of transactional data

To support these functions, both PKI and multifactor authentication are essential. The most common carrier for multifactor PKI credentials is a smart card or device. Smart card-based tokens can carry a credential that utilizes PKI certificates to enable strong digital trust and that delivers the assurance levels required for the most critical transactions within the identity ecosystem.

Biometric technologies have also emerged as strong identity verification technologies, supporting the “who you are” factor of multifactor authentication. But the biometric information must be protected, as it is highly susceptible to attack. Biometric templates need protection against substitution and may require authentication. When digitally signed and stored in smart cards and devices, biometric templates become very reliable identification factors. They can be highly resistant to tampering, and have strong nonrepudiation attributes.

Smart card-based credentials can satisfy not only the identity ecosystem’s requirement for a high assurance level credential, but also the requirement for a range of identity ecosystem credentials, providing various levels of assurance to map to various levels of risk. Not all identity ecosystem transactions require high levels of security. Certain interactions may require multiple levels: transaction initiation may demand only a low level of security, which can be satisfied with a user name and password, but security may have to be “stepped-up” for subsequent transactions. For example, a customer at a financial institution may connect to a Web site to browse account status but then decide to submit a funds transfer request. The funds transfer request will require additional authentication at an assurance level higher than that used to log on to the Web site. Smart card technology-based tokens can be a repository for a variety of credential types and support a number of security protocols and authentication mechanisms.

Trust Framework Requirements

High assurance credentials must be issued within an acceptable trust framework and typically are certified with a trustmark. The trustmark attests to the relying party’s adherence to the rules of the identity ecosystem and validates the identity provider’s adherence to the framework appropriate to the transaction being performed. The policy foundation for the identity ecosystem calls for an accreditation authority to assess and validate identity providers, attribute providers, relying parties, and identity media, ensuring that they all adhere to an agreed-upon trust framework. Accreditation authorities can issue trustmarks to participants they validate.

The NSTIC identity ecosystem framework provides a set of standards and policies that apply across different frameworks. The standards include both technical and functional standards and enable specific communities of interest to agree on how to trust transactions within their own communities or across communities. Smart card technology-based credentials have an advantage in this area, as they are already in use today. Examples include ePassports, the Department of Defense (DoD) Common Access Card (CAC) and Federal PIV card, EMV credit and debit cards, and numerous national health and national ID cards in use around the world.

Smart Card Technology Use Case – Financial: Online Banking

Increases in counterfeit card fraud have led the financial industry to move to smart chip technology for bank cards and to develop the global EMV specifications for both bank cards based on chip card technology and the accompanying point-of-sale (POS) infrastructure. Financial institutions in the United States, Europe, Latin America, Asia/Pacific, and Canada are issuing contact or dual-interface EMV smart cards for credit and debit payment or are migrating to EMV. According to EMVCo, approximately 1.5 billion EMV cards have been issued globally, and 21.9 million POS terminals accept EMV cards as of the second quarter of 2012.

In the United Kingdom, the cryptographic capabilities of EMV-compliant smart bank cards have been harnessed to provide greater protection for customers undertaking online banking transactions through the use of MasterCard’s Chip Authentication Program (CAP) and Visa’s dynamic passcode authentication (DPA). A transaction using CAP/DPA works as follows:

1. The cardholder is prompted to insert the EMV bank card into an offline reader.
2. The reader prompts the cardholder to enter a PIN, which is checked by the card.
3. For every use, the bank can issue a challenge. The challenge is a number of up to 8 digits, which the bank determines dynamically.
4. The cardholder types the challenge into the reader, which transmits it to the card. If the card has previously verified the PIN, it generates a passcode that is an encrypted version of the challenge and of additional information that identifies the card and ensures that every passcode is different (and thus cannot be replayed, even if the challenge happens to be the same).
5. The cardholder types in the passcode for transmission to the bank.
6. The bank verifies that the passcode could only have originated from the card associated with the account, that the card has been given the correct PIN and challenge, and that the passcode has been produced in the correct sequence for that card.
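The CAP/DPA exchange described above, modelled as an added Python example (not code from the article, from MasterCard or Visa, or from any bank). Assumptions: HMAC-SHA256 stands in for the card's EMV cryptogram, and the passcode layout (two counter digits plus six MAC digits), the `Card` and `Bank` classes and the sample card number are constructed for illustration. It goes slightly beyond the listed steps by also binding transaction data into the passcode, the transaction-level signing that CAP/DPA supports.

```python
import hashlib
import hmac
import secrets

MAC_DIGITS = 6      # assumption: 2 counter digits + 6 MAC digits = 8-digit passcode
COUNTER_MOD = 100   # only the low-order counter digits travel in the passcode


def _mac(key: bytes, pan: str, counter: int, challenge: str, tx: bytes) -> str:
    """Decimal-truncated HMAC; a stand-in for the card's real cryptogram."""
    msg = b"|".join([pan.encode(), str(counter).encode(), challenge.encode(), tx])
    n = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")
    return f"{n % 10**MAC_DIGITS:0{MAC_DIGITS}d}"


class Card:
    """The chip: holds the shared key and the PIN and releases neither."""

    def __init__(self, pan: str, key: bytes, pin: str):
        self.pan, self._key, self._pin = pan, key, pin
        self._counter, self._pin_ok, self._tries_left = 0, False, 3

    def verify_pin(self, pin: str) -> bool:
        # The PIN is checked by the card itself, in the offline reader.
        if self._tries_left == 0:
            return False  # PIN blocked after three wrong attempts
        self._pin_ok = hmac.compare_digest(pin, self._pin)
        self._tries_left = 3 if self._pin_ok else self._tries_left - 1
        return self._pin_ok

    def passcode(self, challenge: str, tx: bytes = b"") -> str:
        if not self._pin_ok:
            raise PermissionError("PIN not verified")
        if not (challenge.isascii() and challenge.isdigit() and len(challenge) <= 8):
            raise ValueError("challenge must be 1 to 8 digits")
        self._pin_ok = False   # one passcode per PIN entry
        self._counter += 1     # makes every passcode different
        low = f"{self._counter % COUNTER_MOD:02d}"
        return low + _mac(self._key, self.pan, self._counter, challenge, tx)


class Bank:
    """Issuer side: shares the key with the card and tracks its counter."""

    def __init__(self):
        self._cards = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._cards[pan] = {"key": key, "last": 0, "challenge": None}

    def issue_challenge(self, pan: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._cards[pan]["challenge"] = challenge
        return challenge

    def verify(self, pan: str, passcode: str, tx: bytes = b"") -> bool:
        rec = self._cards[pan]
        challenge, rec["challenge"] = rec["challenge"], None  # single use
        if challenge is None or len(passcode) != 2 + MAC_DIGITS:
            return False
        if not (passcode.isascii() and passcode.isdigit()):
            return False
        # Rebuild the full counter: the smallest value above the last accepted
        # one whose low digits match, so an old passcode can never fit again.
        nxt = rec["last"] + 1
        counter = nxt + (int(passcode[:2]) - nxt) % COUNTER_MOD
        expected = _mac(rec["key"], pan, counter, challenge, tx)
        if not hmac.compare_digest(passcode[2:], expected):
            return False
        rec["last"] = counter  # enforce the correct sequence for this card
        return True


def demo() -> dict:
    key = secrets.token_bytes(16)
    card, bank = Card("5413330000000001", key, "4921"), Bank()  # constructed values
    bank.enroll(card.pan, key)
    out = {}
    challenge = bank.issue_challenge(card.pan)
    card.verify_pin("4921")
    first = card.passcode(challenge)
    out["login_ok"] = bank.verify(card.pan, first)
    out["replay_ok"] = bank.verify(card.pan, first)  # challenge already consumed
    card.verify_pin("4921")
    out["passcodes_differ"] = first != card.passcode(challenge)  # same challenge
    # Transaction signing: the passcode only verifies for the data the user saw.
    tx = b"payee=GB00TEST0001;amount=250.00"
    challenge = bank.issue_challenge(card.pan)
    card.verify_pin("4921")
    signed = card.passcode(challenge, tx)
    altered = b"payee=GB00OTHER999;amount=250.00"
    out["tampered_tx_ok"] = bank.verify(card.pan, signed, altered)
    challenge = bank.issue_challenge(card.pan)
    card.verify_pin("4921")
    out["signed_tx_ok"] = bank.verify(card.pan, card.passcode(challenge, tx), tx)
    return out


if __name__ == "__main__":
    print(demo())
```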

This process offers greatly enhanced levels of security for online banking transactions and has been implemented by many of the major UK banks. The use of end-to-end application level cryptography (based on keys shared between the card and the issuer) provides strong authentication and defeats attacks such as the man-in-the-middle (MitM) attack. Such protection represents a significant improvement over user name and password protection, which is very vulnerable to variations on the MitM attack, such as the man-in-the-browser (MitB) attack. Even accounts protected using OTPs can be more vulnerable to these attacks than those protected by more comprehensive strong cryptographic mechanisms. An essential feature of the CAP/DPA solution is its ability to support transaction-level authentication (signing), which protects against attacks such as MitB. Moreover, the CAP/DPA solution achieves the goal of enhanced security while maintaining processes that are simple, convenient, and easily adopted by banking customers.

Smart Card Technology Use Case – Identity: Government-Issued Credentials

Government use of smart card technology is increasing worldwide, including issuance of citizen identity credentials, government employee identity credentials, social benefits credentials and healthcare credentials. Electronic passports based on contactless smart card technology have become the norm. A strong international standard and effective trust framework enable these credentials to be accepted around the world. In some countries, the ePassport includes biometrics.

In particular, the U.S. Federal Government has adopted smart card technology for major credentialing initiatives. The DoD CAC uses smart card technology to credential all military and civilian personnel. CACs are the standard DoD ID card and the primary card enabling both physical access to buildings and logical access to DoD computer networks and systems. In compliance with Homeland Security Presidential Directive 12, all Federal employees and contractors now receive a smart card-based identity credential: the PIV card, defined by FIPS 201. [3] While only Federal agencies can issue the PIV card, enterprises can follow FIPS 201 processes, use FIPS 201 defined technologies, and implement credentials that are PIV interoperable or PIV compatible, as appropriate. [4] Following the FIPS 201 process for credential issuance allows all Federal relying parties to trust the card across enterprises. This trust is established by common enrollment, registration, and issuance processes and by the use of a strong authentication credential that leverages a cross-certified and federated public key infrastructure.


Other Federal Government ID programs have also started to use smart cards, including the Transportation Worker Identification Credential (TWIC) and the First Responder Authentication Credential (FRAC). Under the Transportation Security Administration TWIC program, biometric-enabled identity smart cards are issued to all private and commercial transportation workers accessing U.S. maritime ports.

Smart Card Technology Use Case – Healthcare: Healthcare Information

Healthcare organizations can benefit by using smart card technology to provide authenticated access to medical information and identities. Smart cards can be used to implement strong identity authentication and information security for healthcare organizations and applications. [5] Smart healthcare cards protect patient privacy and security when accessing online records and support the National Strategy for Trusted Identities in Cyberspace (NSTIC), which identifies consumer access to online electronic health records as warranting two-factor authentication.

Compliance with the Health Insurance Portability and Accountability Act. Healthcare organizations are required by the Health Insurance Portability and Accountability Act (HIPAA) to safeguard patient health information. HIPAA specifies administrative, technical, and physical security procedures to assure the confidentiality of protected health information. The security of confidential health information is essential to HIPAA compliance and patient privacy. Secure access management fulfills the Act’s patient privacy requirements. The combination of smart card-provided cryptography, authentication, system security, and policy can implement strong authentication within an organization’s healthcare systems. The smart card can be used for administrative, data, network, and physical security.

Portable Medical Records. Numerous pilots and applications have demonstrated the use of smart cards to implement portable medical records and secure and control access to distributed repositories of patient health records and insurance data, such as detailed medical histories, medical images, x-rays, and insurance information. A smart healthcare card can authenticate a patient’s identity and facilitate rapid access to medical information about that patient.
A smart card solution that stores (or points to stored) health information, conditions, prescriptions, and insurance data can result in better service and shorter medical visits. The card can also be used to help parents provide and update immunization records for school-age children.

Medical Identity Theft Mitigation. Identity theft and fraud continue to be significant problems in social, workplace, business, and medical interactions. Strong electronic authentication of patients, insurance personnel, and healthcare personnel can help providers mitigate the risks posed by identity theft. Authentication can include every person receiving care and every person who accesses patient information. A multifactor authentication solution that identifies the patient, the medical provider, and all others handling patient information can span data locations while maintaining privacy and facilitating the secure exchange of medical information.

Emergency Medical Information. Emergency personnel and first responders need medical information for a patient immediately. Using smart cards and portable readers, emergency information can be available at any location: the site of an emergency, during patient transfer, or within a healthcare facility’s emergency room, enabling first responders to manage and coordinate life-saving information. A smart healthcare card can store a patient’s identity and medical records, providing medical personnel with critical information even when the patient is unconscious or too flustered to convey information, or when there is a language barrier. Health information such as special medical conditions, prescriptions, and insurance eligibility data can be stored on the card, and emergency solutions can be implemented that both access on-card information and point securely to online medical data repositories.

Healthcare Provider Identification Credential. As healthcare providers migrate their records from paper to electronic media, there is growing industry awareness of the need for secure and encrypted data solutions. The lack of provider identity verification can compromise patient privacy if unauthorized users access patient records and can cause health risks for patients if records are compromised or manipulated. Use of a smart healthcare card can allow organizations to implement strict security access controls for health information. The use of large clinical data exchanges makes it critical for user privileges to be assigned using role-based access controls and implement multifactor authentication.
Smart cards can identify and authenticate an individual who requests access to medical information systems. Smart card identity credentials are currently being deployed in hospitals and healthcare organizations as secure employee identity credentials. The credentials allow healthcare providers to control physical access to assigned areas, permitting only authorized personnel to enter. Controlled areas can include the pharmacy, operating room, network server room, or HR department. The same credential can also be used to authorize logical access to networks and computers and support HIPAA compliance. Implementing multifactor authentication and the cryptography capabilities supported by smart cards can provide benefits in the form of stronger identity verification and can help ensure corporate network security.

In addition, the PIV-I credential has been recommended by FEMA in the “National Incident Management System (NIMS) Guideline for the Credentialing of Personnel” (July 2011) and is the credential being deployed as the First Responder Authentication Credential (FRAC) by several state and local governments. The PIV-I credential is standards-based, non-proprietary, trusted by the federal government, and usable for multiple purposes. The first responder population encompasses approximately 20 million people in the U.S.; healthcare professionals represent a significant percentage of this population including the nation’s one million physicians and three million nurses and EMTs. By putting a FRAC in the hands of the medical community, local authorities will be able to rapidly grant access only to qualified individuals during emergency situations, such as Hurricane Katrina and Hurricane Sandy. If followed, the PIV-I guidance provides a supporting framework for technical interoperability with the nearly 10 million federally-credentialed uniformed and civilian employees and contractors. It supports enhanced integration and reduced costs in day-to-day operations as well as during response and incident management.

Conclusion

NSTIC was released in April 2011, with the main objective of encouraging the private sector, in collaboration with Federal colleagues, to develop online identity and authentication systems that individuals could use and that organizations and commercial stakeholders could all accept without each needing to create their own vetting systems. The flexibility of smart card technology makes it a valuable component of the NSTIC landscape, supporting multiple prerequisites:

• Management of a participant’s multiple online identities
• Participant control of presentation
• Preservation of anonymity
• Robust security
• Interoperability among participants

Smart card technology can meet the challenges presented by a heterogeneous identity framework while providing assurance that transactions are secure. While the details of the NSTIC identity ecosystem are still being defined, smart card technology provides a secure, flexible solution and is the best choice for higher assurance levels.

About this Article

This article is an extract from the Identity Council white paper, Smart Card Technology and the National Strategy for Trusted Identities in Cyberspace (NSTIC), published in June 2013. The white paper was developed by the Smart Card Alliance Identity Council to describe the benefits of combining smart card technology and strong credentials within NSTIC. Member organizations participating in developing the white paper included: Booz Allen Hamilton; CH2M HILL; Deloitte & Touche; Gemalto; General Services Administration (GSA); HP Enterprise Services; IDmachines; IQ Devices; NXP Semiconductors; Oberthur Technologies; SecureKey Technologies.

About the Identity Council

The Identity Council is focused on promoting best policies and practices concerning person and machine identity, including strong authentication and appropriate authorization across different use cases. Through its activities, the Council encourages the use of digital identities that provide strong authentication across assurance environments through smart credentials, e.g., smart ID cards, mobile devices, enhanced driver’s licenses, and other tokens. The Council furthermore encourages the use of smart credentials, secure network protocols, and cryptographic standards in support of digital identities and strong authentication on the Internet. The Council addresses the challenges of securing identity and develops guidance for organizations so that they can realize the benefits that secure identity delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organizational resources to bear on addressing the challenges of securing identity information for proper use.

Additional information on the use of smart card technology for identity applications can be found on the Smart Card Alliance Web site at http://www.smartcardalliance.org.



council reports

Updates from the Alliance Industry Councils

Access Control
• The Access Control Council submitted comments to NIST on draft Special Publication 800-73-4 and to the U.S. Coast Guard on the TWIC Reader NPRM.

• The Mobile and NFC Council is working on a white paper that evaluates different approaches for securing credentials on mobile devices.

• The Council is developing a white paper on common PACS topologies supporting FICAM.

• The Council will be electing members to the open Steering Committee seats and open officer positions.

Healthcare
• The Healthcare Council is collaborating with the Workgroup for Electronic Data Interchange (WEDI) Health ID Card Subworkgroup to provide input on smart cards and biometrics for a WEDI research paper.
• The Council is identifying key industry conferences in 2013/2014 for Alliance speaking proposals and presence.

Identity
• The Identity Council completed two new white papers, Smart Card Technology and the National Strategy for Trusted Identities in Cyberspace (NSTIC) and Supporting the PIV Application in Mobile Devices with the UICC (in collaboration with the Mobile and NFC Council and Access Control Council).
• The Council is currently defining next projects.

Alliance Members: Participation in all current councils is open to any Smart Card Alliance member who wishes to contribute to the council projects. If you are interested in participating in any of the active councils, please contact Cathy Medich.


Mobile and NFC


Payments
• The Payments Council is working on two new white papers: a white paper on EMV and card-not-present fraud and a white paper on the changing U.S. payments landscape.

Transportation
• The Council is working on three new projects: a white paper on EMV impact on transit; a cross-industry discussion of key challenges in accepting open payments in transit; a guide for open payments acceptance for small transit agencies.

Other Council Information
• Members-only council web pages are available at http://www.smartcardalliance.org/councils. These are password-protected pages that contain council working and background documents and contact lists. Each Council area has a separate password since Councils may have different membership policies. If you are a Smart Card Alliance member and would like access to a council site, please contact Cathy Medich.
• If you are interested in forming or participating in an Alliance council, contact Cathy Medich.


from the alliance office

Welcome New Members
• Primax, General member
• Banco Caribe, SCALA, Financial Institute Advisor
• Banco de Ahorro Y Credito Immobilario S.A., SCALA, Financial Institute Advisor
• Banco Santa Cruz, SCALA, Financial Institute Advisor
• CHARGE Anywhere, SCALA, Leadership Council
• Direccion General Del Registro Civil, SCALA, Government
• Instituto Federal De Acceso A La Informacion Y Proteccion de Datos, SCALA, Government
• Scotiabank, SCALA, Financial Institute Advisor

New CSCIP Recipients
• Paul Baker, Gemalto
• Lishoy Francis, France Telecom R&D UK Ltd
• Kay Kyriacou, Gemalto
• Ramoncito Reyes

New CSCIP/G Recipients
• Tony McGee, CPI Card Group
• Maria L. Smith, DMS International

New CSCIP/P Recipients
• Emmett McDonnell, Glenshesk Solutions Inc.
• Ross Murdoch, Gemalto
• Peter Song, Ingenico Canada Ltd
• Irene C. Villaverde-Aquino, Credit Union of Central Canada

For more news, visit our website at www.smartcardalliance.org. Members can also access white papers, educational resources and other content.

191 Clarksville Road Princeton Junction, New Jersey 08550 1.800.556.6828 Fax: 1.609.799.7032 info@smartcardalliance.org www.smartcardalliance.org

About Smart Card Talk

Smart Card Talk is the monthly e-newsletter published by the Smart Card Alliance to report on industry news, information and events and to provide highlights of Alliance activities and membership.

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
