Smart Card Talk November 2011
•
a Smart Card Alliance ePublication
10 Annual Government Conference A Resounding Success th
In This Issue: ② Executive Director Letter >> ③ Latin America Letter >>
Dear members and friends of the Alliance, Throughout the year Smart Card Alliance members are kept abreast of industry news through emails, newsletters, fresh web content, white papers, conference calls and webinars. And then there are our annual events. Many of you comment to me that nothing can replace the experience of being present for the networking and social aspects of a Smart Card Alliance event. Our 10th Annual Smart Card Government Conference held Nov. 2-4
• Volume 12 : Issue 11
in Washington, D.C., was an unqualified success on many levels. More than 600 Alliance members, government colleagues and industry friends gathered for our annual fall government identity and security conference, meeting up with colleagues and making new connections. Keep this thought in mind as we start preparation for the exciting Smart Card Alliance conferences planned for 2012, the Payments Summit in February, 2012 and the NFC Solutions Summit in May, 2012. Click to Read Letter …
④ Member Profile >> ⑥ Feature Article >> ⑨ From the Alliance Office >> ⑩ Council Reports >> ⑫ Members in the News >> ⑭ Events Calendar >>
About Smart Card Talk Smart Card Talk is the monthly e-newsletter published by the Smart Card Alliance to report on industry news, information and events and to provide highlights of Alliance activities and membership.
About the Smart Card Alliance Feature Article:
The CIV Credential – Leveraging FIPS 201 and the PIV Specifications With over 5 million Personal Identity Verification (PIV) cards issued in the Federal government, many vendors support FIPS 201 and the PIV and PIV-I specifications in their products. Private enterprises can take advantage of the work that the government has already done to implement a standardsbased employee identity credentialing program with the Commercial Identity Verification (CIV) credential. Click to Read More …
Member Profile:
First Data
This month Smart Card Talk spoke with Dom Morea, SVP and Division Manager for Advanced Solutions and Innovation at First Data Corporation. Mr. Morea has been with First Data since 2004, when he rejoined the company as senior vice president for product and business development. Before joining First Data, he was senior vice president of strategy and business development at Encorus, a mobile payments company with operations in the U.S. and Western Europe. Click to Read More …
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
191 Clarksville Road Princeton Junction, New Jersey 08550 1.800.556.6828 Fax: 1.609.799.7032 info@smartcardalliance.org www.smartcardalliance.org
executive director’s corner
Conferences Offer Valuable Opportunities Dear members and friends of the Alliance,
sprout from some unfamiliar places.
Autumn leaves may have been falling from the trees last week in Washington, DC, but there was definitely a sense of Spring inside the Ronald Reagan Center during our 10th Annual Smart Card Alliance Government Conference. The sense of springtime came from the mild weather outside and the fresh new ideas and discussions in the meeting rooms and exhibit halls, with conversations about new advances from the identity and security industry and new applications and uses for existing technology beginning to take root and
The conference kicked off with Jeremy Grant, the senior executive advisor for identity management for NIST, discussing the National Strategy for Trusted Identities in Cyberspace (NSTIC). Grant’s statistics from the Department of Defense and the U.S. Army included 46% and 85% drops, respectively, in network intrusions since requiring the use of the smart card-based Common Access Card for all network communications. He also referred to a Secret Service study that reported 4 out of 7 data breaches being linked to compromised passwords. His examples reinforced the President’s call to action for government and industry to come together on open standards for user authentication technologies in the identity ecosystem, led by the NSTIC Program Office. Next up was Charles Pena, senior fellow at the Independent Institute and a frequent guest on television news programs. Pena shared his views on government lessons learned ten years after 9/11. He pointed to the numerous failed terrorist acts since the attacks as examples of counter-terrorism successes being more lucky than good, and pointed out that the trade-off for zero risk of attack is infinite cost, something that no government can or should attempt to sustain. Deborah Gallagher, chair of the ICAMS Roadmap Development Team at GSA, wrapped up the morning keynotes with a synopsis of the Federal Identity Credentialing and Access Management (FICAM) roadmap for putting the federally-issued PIV credentials to work in protecting the federal enterprise while enabling nonfederal credentialed contractors with secure access to federal facilities. It was mentioned several times by different speakers that FICAM is the federal embodiment of NSTIC. Perhaps the most thought-provoking session of the day was a panel discussion on identity management and the elusive search for the proper mix of technology and policy that will address the growing threat of cybercrime that results from weak user authen2
Smart Card Talk
tication without evoking the unwelcome feel of a national ID or causing the loss of anonymity under appropriate circumstances. Don Thibeau, head of the Open Identity Exchange (OIX), moderated the discussion that included Joni Brennan, Kantara Initiative; Michael Wyatt, Deloitte; Ian Glazer, Gartner Group; and Aaron Brauer-Riecke, CDT. These identity thought leaders see NSTIC as a forcing function that will get security specialists in the smart card community talking to the online community. Thibeau summed up the role of smart cards in this debate by saying “There’s no question the Alliance has a seat at the table. The question is, where is the table and who else is there?” With the first-day “big picture” discussions setting the framework for how the government and industry will respond to challenges, the next two days of the Government Conference focused on the details of how identity management and security were getting done today and how core identity management principles and technologies were beginning to spread to areas outside the federal government. Healthcare identity cards and mobile devices were two of these new expanding areas discussed. Presentations by the American Medical Administration (AMA), FEMA, National Institute of Health and HIMSS focused on the need for securing the new and emerging electronic health record infrastructure. Patrick Hearn of Oberthur Technologies discussed the biggest potential health ID program in the U.S., the bill proposed by the bi-partisan congressional team led by Senator Mark Kirk (R-IL) to fund a smart cardbased Medicare Common Access Card pilot to eliminate waste, fraud and abuse in our Medicare and Medicaid programs. Mobile phones and mobile devices represent new challenges and opportunities to security professionals. As the new mobile technology, called NFC, transforms smart phones into mobile identity credential carriers and mobile readers of identity credentials, Bill MacGregor of NIST reported on how the standards organization was exploring the expansion of digital credential specifications to support both ID badges and mobile phones without creating two separate identities to track and manage. To name a few of the mobile presenters, Daniel Bailin of HID Global discussed the results of an NFC mobile identity and access control pilot at Arizona State University, and James Sheire of NXP discussed the internal secure element structure of NFC phones that is designed to protect and store secure digital credentials. With so much more to say, but faced with limited space here, I suggest that anyone who could not attend the conference or missed parts of the concurrent track sessions order the Audio Archive, a USB drive containing all of the presentations and a complete audio recording of every session. It is well worth the investment. I hope to see you at the Payments Summit in February. Sincerely, Randy Vanderhoof Executive Director rvanderhoof@smartcardalliance.org
Dear SCALA – Smart Card Alliance Latin America members and friends, It is great to touch base with all of you after one of our busiest months this year. The SCALA staff had been working around the clock to create a training and development center for industry professionals. At the same time we were invited by the public registries of Mexico, Guatemala, and OAS to participate in the CLARCIEV meeting of regional public registries, and coordinated our Smart Card Fundamentals training program for financial institutions in Panama. The influence of the smart card industry is growing and so are the roles that the Smart Card Alliance Latin America & the Caribbean are playing to address the needs and concerns of the vertical markets influenced by our technology. Education and training ensure the success of our industry and the use of the smart chip to its full potential. This is true for leaders of each vertical market that depends on our technology. Dependency is normally linked with the word “reliance,” but at times this “reliance” can reduce growth and expansion. As children, we depended on our parents to accomplish things and to survive. The child-parent relationship is based on trust that has been earned and demonstrated over a long period of time. The only way to cut dependence on our parents is to grow physically, emotionally, and intellectually and to become independent. This is done through education, training, and professional development. In the relationship between vendors and end users it is easy to fall into a dependency relationship, where one party has advanced knowledge over the other. This could mean different values and goals, such as promoting different product lines, technologies, and services. The way to strengthen these types of relationships and eliminate dependency is through education. For smart card implementations, once these organizations have established a high level of knowledge about the subject matter, they can establish a relationship on mutual benefit and trust. At that point, each organization can focus on their core business and understand the roles of each component and supplier in the process.
An example of working together to aid the success of smart card projects and using education to better understand the migration process was the Smart Card Fundamentals training class for the financial industry of Panama, conducted by SCALA on October 24 – 25th, 2011. This training was done through a collaborative effort with the National Banking Association, National Banking Regulator (Superintendence of Banks), Telered S.A., Assenda, First Data, Core Quality Services, and other COTIPA members. The Panamanian Smart Card Committee, COTIPA, created by SCALA, played an essential role in ensuring the success of our training program. The participating organizations in this training program have taken the lead to prepare for their migration process through education and professional development.
The SCALA training program on smart card fundamentals had approximately 40 attendees. Most of these were regional issuers and acquirers. Due to the participation of the financial institutions, we had a training co-instructor, Erica Savka from Visa, Inc., who provided great support on the related subjects and helped to address some of the concerns from the financial sector. The trained professionals who have been assigned by their financial institutions to lead their EMV migration process have also worked with SCALA to coordinate the Certified Smart Card Industry Professional (CSCIP) training and exam on February 28th – 29th, and March 7th, 2012. This effort is being led by COTIPA. Our training program has allowed financial industry representatives to advance their knowledge on smart card technology, understand the process of migration, establish relationships with potential vendors, create a national strategy for adoption, and create a sense of community based on trust, reliance, and shared education. I hope all of you join us in developing these programs around our region and expanding the understanding of smart card technology in the Americas.
Sincerely, Edgar Betts Associate Director, Smart Card Alliance Latin America (SCALA) Direct Line: +507-225-9089, email: ebetts@smartcardalliance.org
Smart Card Talk
3
latin america corner
Training & Professional Development
member profile
Dom Morea is SVP and Division Manager for Advanced Solutions and Innovation at First Data Corporation. Morea has been with First Data since 2004, when he rejoined the company as senior vice president for product and business development. Before joining First Data, he was senior vice president of strategy and business development at Encorus, a mobile payments company with operations in the U.S. and Western Europe. Prior to Encorus, Morea spent six years with First Data, where he served in several key roles including in the Internet commerce group. In this role, Morea was responsible for the development of corporate eCommerce strategy, and the launch and management of a major joint venture with JP Morgan Chase.
Member point of contact: Dom Morea, dominic.morea@firstdata.com
4
Smart Card Talk
1. What are First Data’s primary smart card initiatives? For many years, First Data has worked on chip card initiatives all over the world. Our main initiatives include supporting contactless and EMV migrations and startups across the globe, and driving mobile payments with our full-service trusted service manager solution working with all the players in the ecosystem.
2. What do you see as the key factors driving smart card technology in the financial payments market in the U.S.? What role does smart card technology play in supporting First Data’s business? 1. The continuation of contactless debit and credit rollouts as well as more and more merchant point of sale systems becoming contactless enabled. 2. New payment brand initiatives around EMV, pushing issuers and merchants towards EMV implementation and acceptance. 3. Mobile payments. 2011 was really the year mobile payments began, and we will continue to see it accelerate with consumer adoption on the rise and merchants and financial institutions embracing this technology. All these factors are relevant to our business whether on the merchant or financial institution side.
3. How do you see the new contactless and mobile payment initiatives changing the U.S. financial payments industry? The new contactless and mobile initiatives are creating a whole new set of partners in the ecosystem including mobile network operators, handset manufacturers, and other technology companies. Mobile commerce is creating opportunities for new commerce solutions that combine payments with other services like loyalty, offers and advertising. This next revolution in payments will have a profound impact on everyone in the payments system. As a result of this change, consumers will start to mandate new ways to conduct commerce once they have the capabilities available.
4. Where does the U.S. stand in terms of EMV? With the Visa liability shift, merchants, issuers and acquirers are being forced to think about their EMV strategy. There is still high interest in supporting VIP and international traveler programs. But many are still waiting to see if other payment brands that support the U.S. market will follow the Visa initiative.
5. What trends do you see developing in the market that First Data hopes to capitalize on? The emergence of mobile commerce positions First Data to deliver a suite of services to enable new mobile commerce solutions for merchants, service providers and issuers.
6. What obstacles do you see that must be overcome to capitalize on the new smart card opportunities in the U.S. financial payments market? Technology and interest exist for new chip card opportunities, but the industry will need to continue to focus on the benefit and cost drivers across all ecosystem participants, including consumers, that are required to sustain new solutions at scale.
7. How do you see your involvement in the Alliance and the industry councils helping First Data? Our involvement in the Alliance gives First Data the ability to remain aware of and deeply involved with important developments in our markets. The Alliance is a forum for thought leadership that provides us with rich information and research that are valuable to us and our clients.
Smart Card Talk
5
feature article
The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You? Homeland Security Presidential Directive 12 (HSPD-12) mandates a standard for a secure and reliable form of identification to be used by all Federal employees and contractors. Signed by President George W. Bush in August 2004, HSPD-12 initiated the development of a set of technical standards and issuance policies (FIPS 201) that create the Federal infrastructure required to deploy and support an identity credential that can be used and trusted across all Federal agencies. This credential, the Personal Identity Verification (PIV) card, is now deployed and used by Federal agencies to assign controlled resource access privileges to Federal employees and to authorize the cardholder to access both physical and logical resources. The success of this program is largely due to the development of goals, issuance policies, and technical specifications that all agencies agree to follow. A cross-certification policy establishes trust between agencies, so that employees from
one agency can use their PIV credentials to access controlled resources while visiting other agencies. Products and systems that conform to the defined technical interoperability standards are offered by a variety of suppliers. New standards-compliant products are introduced frequently. Today, well over 5 million PIV cards have been issued by the Federal government to employees and contractors. One of the main advantages of these credentials is that they adhere to a set of standards that is accepted by suppliers, issuers, and users. Previously, most access control systems relied on vendor-specific proprietary identity credentials. Interoperability was typically confined to a few office sites belonging to a single organization. A standards-based credential means that any government employee’s credential can be accepted by any government facility and IT network. In addition, vendors of both logical and physical access control products can build equipment that complies
with one common standard. As a result, the Federal government can now choose from a wide range of conforming access control products, which can be purchased from a variety of suppliers, and be assured that their choice will work with every employee’s or contractor’s credential. As the benefits of a common identity credential become clear, interest is growing among non-Federal issuers. PIV-interoperable (PIV-I) cards are already being issued by Federal contractors to those employees who need access to Federal buildings and networks. The PIV-I credentials are technically interoperable with the PIV infrastructure. PIV-I issuers comply with the identity-proofing, registration, and issuance policies described in FIPS 201 and are cross-certified with the Federal PKI Bridge. Private enterprises can also take advantage of this technology. This white paper defines the Commercial Identity Verifica-
Figure 1. Comparison of PIV, PIV-I and CIV Credentials PIV
PIV-I
CIV
Policy Identity vetting
Follows FIPS 201
Breeder documents Background checks
Requires two breeder documents defined by FIPS 201
Follows the corporation’s policies
Other policies are defined by the issuer with the intent to be cross-certified by the Federal Bridge
Process Enrollment
Follows FIPS 201
Follows FIPS 201
Issuance
Follows the corporation’s policies
Activation
Technical Interoperability
6
Card data model
Follows SP 800-73
Follows SP 800-73
Follows SP 800-73
Credential number
FASC-N
UUID
UUID
Smart Card Talk
As with the PIV-I card, the printed CIV card should visually look different than a PIV card.
tion (CIV) credential, which leverages the PIV-I specifications, technology and data model without the requirement for crosscertification. Any enterprise can create, issue, and use CIV credentials according to requirements established within that enterprise’s unique corporate environment.
What Is the CIV Credential? The CIV credential is technically compatible with the PIV-I credential specifications. However, a CIV credential issuer need not comply with the strict policy framework associated with issuance and use of the PIV and PIV-I credentials. This freedom allows corporate enterprises to deploy the standardized technologies in a manner that is suitable for their own corporate environments. Figure 1 shows a comparison of PIV, PIV-I and CIV credentials. FIPS 201 currently allows optional use of certain SP 800-73 data objects. Should an enterprise choose not to use all SP800-73 data objects, technical interoperability between the card and the card reader requires that any data objects that are not used must be identified as not populated.
A central authority ensures that Federal issuers issue credentials with a unique identifier. The presence of this authority mitigates the risk that cards issued by separate, independent Federal issuers will have duplicate credential numbers. However, no central authority exists for non-Federal issuers. To enable private enterprises to generate their own universally unique identifier (UUID) numbers with minimal risk of duplication, PIV-I generates the number using a method described in the Personal Identity Verification Interoperability for Non-Federal Issuers. The policies related to issuance and personalization of PIV-I cards are essentially the same as those for a PIV card, although there are some technical differences. In particular, to prevent identifier collisions with credentials issued by the Federal government, PIV-I and CIV cards should not use the Federal Agency Smart Credential Number (FASC-N); instead, the issuer generates an RFC 4122-compliant Global Unique Identifier (GUID) to be used as the credential identifier. In addition, CIV issuers need not follow certain other requirements to cross-certify their CIV cre-
dentials with the Federal PKI Bridge for interoperability with the PIV cards and use within Federal agencies. In addition, as with the PIV-I card, the printed CIV card should visually look different than a PIV card.
Comparison of CIV and Proprietary Solutions Using a CIV card instead of another proprietary product or design offers a corporate enterprise several important advantages: Cards, systems (CMS and card personalization systems (CPS)), and readers are commercially available from multiple vendors (see Section 3.5). The best practices derived for the CIV model are designed to prevent fraud, protect privacy, and provide a standards-based solution that should be less expensive to maintain and evolve over time. Technical interoperability of installed readers and infrastructure (for logical access control systems as well as PACS) allows readers to accept credentials from an
Smart Card Talk
7
increasing variety of issuers who are using the PIV and PIV-I standards (such as government agencies, government contractors, and states issuing First Responder Authentication Credentials). Technical interoperability is a critical advantage. The term refers to the ability of a reader to work with a PIV, PIV-I, or CIV credential without requiring a software change. The CIV credential is issued by the owner of the reader (essentially a closed application), and there is no need to extend trust among independent entities (as in PIV or PIV-I), reducing constraints on issuance processes, identity vetting policies, and PKI requirements. CIV issuers can chose from a variety of products (CMS, CPS, readers, and applications) without having to define a unique corporate data model or credential. A CA would be incorporated under the direct control of the issuer without any need for external interoperable trust. It must be noted that the CIV model cannot be identical to the PIV or PIV-I model. Any data object added to the CIV model should have a private ASN.1 tag and not use a tag within the name space used by NIST and ISO (both use the ASN.1 application class). This is to protect any modification by the CIV issuer from ever risking a collision with future versions of PIV or ISO specifications. Equally important, the OIDs used in the CIV certificates must be different than the PIV or PIV-I OIDs and based on or generated by the CIV issuer’s own data structures and identifiers.
Summary A CIV credentialing program offers a corporate enterprise numerous advantages. A corporate enterprise that chooses to implement a CIV credential will realize the same cost savings as Federal agencies and contractors. One size does not have to fit all. A corporate enterprise can use the supporting technology and standards in the
NEW CSCIP Members Terri Anomnachi Jim Burgess Chun Dong Keith Flemons Orlando Garcia Bob Knowles James Lock III Michael Poitner Erica Savka Michael Zercher
8
Smart Card Talk
WMATA Bank of America WMATA WMATA Core Quality Service WMATA J.P. Morgan Chase Giesecke & Devrient Visa NXP Semiconductor
Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011
way that best fits the enterprise’s requirements. The CIV issuance process and lifecycle support can be tailored to each corporation’s business roles and workflow, while the CIV cardholder takes advantage of the same rapid electronic authentication capabilities as PIV and PIV-I cardholders and is protected by the highest levels of security.
About this White Paper The white paper, The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?, was developed by the Physical Access Council to provide guidance on how enterprises can take advantage of FIPS 201 and the PIV credential specifications to implement a standardsbased commercial identity credentialing program. The white paper defines the Commercial Identity Verification (CIV) credential, discusses corporate benefits of adopting the CIV credential, and outlines planning and implementation considerations and best practices. Physical Access Council members involved in the development of this white paper included: ActivIdentity; AMAG Technology; Bioscrypt/L-1 Identity Solutions; Booz Allen Hamilton; Codebench, Inc.; Datacard Group; Datawatch; Diebold Security; E & M Technologies; HID Global; Hirsch Electronics; HP Enterprise Services; IDenticard; Identification Technology Partners; IDmachines; Intellisoft, Inc.; NagraID Security;NXP Semiconductors; Roehr Consulting; SAIC; SCM Microsystems; Tyco Software House; Unisys; U.S. Department of State; XTec, Inc..
NEW CSCIP/G Members Justin Davis Irving Gilson Patrick Finnegan Robert A Fontana Christopher Jensen Eggert Jonsson Diana Loughner Douglas Morford John Santisteban Andrew Sheedy James Sheire Michael Zercher
Wells Fargo Bank N.A. US Department of Defense Hirsch Electronics Codebench, Inc General Dynamics IT Siemens Government Services IDenticard Systems Booz Allen Hamilton HID Global ActivIdentity NXP Semiconductor NXP Semiconductor
Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011 Nov. 2011
• Superintendencia De Bancos De Panama, PANAMA Membership Level: Government (SCALA) Member Contact: Vielka De Lincona Description: Panama superintendents of banks • Intel, Hillsboro, OR Membership Level: General Member Contact: Tom Calvert, Venture Lead Secure e-Commerce and NFC Description: #1 Semiconductor manufacturer in the world • InComm, Atlanta, GA Membership Level: General Member Contact: Phil Graves, EVP Description: industry leading marketer, distributor, and technology innovator of stored value gift and prepaid products • Interac Association, Toronto, Ontario CANADA Member Level: General Member Contact: Allen Wright, Vice President, Product Management Description: National payment network, leader in debit card services • LifeNexus, Inc, San Francisco, CA Member Level: General Member Contact: Hugh Meadows, President, Payment Card Group Description: Provider of new era in portable health records with the Personal Health Card
OCTOBER 2011 WEB STATISTICS • • • • • • •
88,927 visitor sessions for the month 2,868 visitor sessions per day 432,015 total page views for the month 147,085 Industry News items viewed 1,276 Card Reader Catalog items displayed 16,370 PDF downloads 26,098 Product and Service Directory page views
If you have any suggestions on content that you’d like to see on the Alliance web site, please send them to info@smartcardalliance.org.
WEB SITE NEWS Updated web content: • New slide show, Personal Identity Verification – Interoperable (PIV-I): A Secure ID Credential for NonFederal Issuers • New white paper, Complementary Smart Card Guidance for the WEDI Health Identification Card Implementation Guide
from the alliance office
NEW MEMBERS
• New white paper, The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You? • New white paper, The Mobile Payments and NFC Landscape: A U.S. Perspective • Archived recording of the Payments Council webinar, EMV for Merchants and Merchant Acquirers: U.S. Migration Considerations • 2012 Payments Summit call for papers and registration • Update to Council web pages
ALLIANCE IN THE NEWS The Alliance has an active communications program to promote industry messages in business, vertical market, and technology publications. Coverage results from both Alliance press releases and interviews with publications writing articles about smart cards. Selected recent coverage is shown below with links to online articles. October 2011 • Wireless News, 10/27/2011, Smart Card Alliance Publishes White Paper on Commercial Identity Verification Credentials for Enterprises [link not available] • Dark Reading, 10/24/2011, Smart Card Alliance Publishes White Paper on Commercial Identity Verification (CIV) Credentials For Enterprises • Digital ID News, 10/24/2011, SCA report: How FIPS 201 can help the enterprise • NFC News, 10/21/2011, Datacard Group to host EMV, NFC seminar • Fox Business News, 10/20/2011, US Credit Cards add Chip and PIN Security • BankInfoSecurity, 10/19/2011, ATMs Hit by Cash Trappers • ATM Marketplace, 10/18/2011, Smart Card Alliance Payments Summit 2012 will offer ‘all payments’ agenda • Contactless News, 10/10/2011, SEPTA to award contactless fare contract • Philadelphia Inquirer, 10/10/2011, SEPTA’s new electronic payment system will be a big change for rail commuters • Managed Care Weekly Digest, 10/10/2011, Card Alliance Supports Bi-Partisan Smart Medicare Common Access Card Act of 2011 [link not available] • Mass Transit, 10/1/2011, What’s the cost of open payment systems? • PYMNTS.com, 10/3/2011, Why Should NFC Be Harder to Ignite than GPS • Telecom Engine, 10/5/2011, Developments in the e-health, telehealth field
Smart Card Talk
9
council reports
Updates from the Alliance Industry Councils HEALTHCARE • The Healthcare Council published the new white paper, Complementary Smart Card Guidance for the WEDI Health Identification Card Implementation Guide, The white paper was developed to serve as a supplement to the Workgroup for Electronic Data Interchange’s (WEDI) Health Identification Card Implementation Guide, provide WEDI-compliant smart card designs and discuss the features and benefits of smart ID cards for healthcare providers and payers. Smart Card Alliance Healthcare Council members involved in the development of this white paper included: Computer Sciences Corp. (CSC); Datacard Group; Gemalto; Identive Group -- SCM Microsystems; LifeMed ID, Inc.; Oberthur Technologies; OTI America; Watchdata Technologies USA; XTec, Inc. • To combat a reported $60 billion lost to waste, fraud and abuse within the Medicare system, a bi-partisan group of U.S. senators and representatives led by Senators Mark Kirk (R-IL) and Ron Widen (D-OR) have introduced legislation to use existing “smart card” technology to protect seniors. The Smart Card Alliance issued a press release in support of the Smart Medicare Common Access Card Act of 2011. • The recording of the Healthcare Council webinar, Smart Health ID Cards: Addressing Challenges with Patient Identity Management and Authentication, is available. The webinar focused on smart health ID cards for patients, reviewing the key challenges with patient identity management and authentication today and discussing how patient ID cards and smart card technology can address the critical issues.
PAYMENTS • The Payments Council held the webinar, EMV for Merchants and Acquirers: U.S. Migration Considerations, on October 6, 2011. The webinar covered global EMV migration status, the key considerations for merchant and acquirer migration to EMV, Visa’s announcement of EMV migration incentives and mandate, and lessons learned from a Canadian acquirer. Speakers included: Guy Berg, Datacard Group; Simon Hurry, Visa Inc.; Oliver Manahan, MasterCard Worldwide; Amer Matar, Moneris; and Randy Vanderhoof, Smart Card Alliance. • The Council published a new white paper, The Mobile Payments and NFC Landscape: A U.S. Perspective. The white paper reviews available mobile payment approaches and outlines the state of the Near Field Communication (NFC) mobile proximity payments infrastructure in the U.S. • The Council’s LinkedIn group, Smart.Payments, is open for discussion on payments and fraud. The group is open to both members and non-members.
IDENTITY • The Identity Council is working on a white paper that will include use cases for non-Federal organizations issuing and using PIV-I credentials.
• The Council’s LinkedIn group, Healthcare Identity Management, is open for discussion on healthcare identity security and management. The group is open to both members and non-members.
Alliance Members: Participation in all current councils is open to any Smart Card Alliance member who wishes to contribute to the council projects. If you are interested in participating in any of the active councils, please contact Cathy Medich.
10
Smart Card Talk
PHYSICAL ACCESS • The Physical Access Council published the new white paper, The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?. The white paper provides guidance on how enterprises can take advantage of FIPS 201 and the PIV credential specifications to implement a standards-based commercial identity credentialing program. The white paper defines the Commercial Identity Verification (CIV) credential, discusses corporate benefits of adopting the CIV credential, and outlines planning and implementation considerations and best practices. Physical Access Council members involved in the development of this white paper included: ActivIdentity; AMAG Technology; Bioscrypt/L-1 Identity Solutions; Booz Allen Hamilton; Codebench, Inc.; Datacard Group; Datawatch; Diebold Security; E & M Technologies; HID Global; Hirsch Electronics; HP Enterprise Services; IDenticard; [Identification Technology Partners; IDmachines; Intellisoft, Inc.; NagraID Security;NXP Semiconductors; Roehr Consulting; SAIC; SCM Microsystems; Tyco Software House; Unisys; U.S. Department of State; XTec, Inc.. • The Council developed and submitted comments on the draft Federal CIO Council document, Federated Physical Access Control System (PACS) Guidance.
TRANSPORTATION • The Transportation Council is completing a new white paper on the benefits and challenges of open bank card payments for transit. The white paper will be published in November. • The Council is developing a set of web resources on open payments for transit agencies, highlighting agencies that are moving to open payments and Smart Card Alliance resources for agencies. The Council will also be hosting a new LinkedIn Group for member and public agency discussion of topics related to smart card use in transit. The new resources and LinkedIn group will be launched in November. • The Council has just started a new white paper on NFC and transit, which is scheduled to be available by the Payments Summit, February 8-10, 2012 in Salt Lake City, UT.
OTHER COUNCIL INFORMATION • Members-only council web pages are available at http:// www.smartcardalliance.org/councils. These are passwordprotected pages that contain council working and background documents and contact lists. Each Council area has a separate password since Councils may have different membership policies. If you are a Smart Card Alliance member and would like access to a council site, please contact Cathy Medich. • A Council meeting calendar is available on the members-only web site at http://www.smartcardalliance.org/pages/memberscouncil-resources. • If you are interested in forming or participating in an Alliance council, contact Cathy Medich.
Smart Card Talk
11
members in the news
G&D to Focus on Subscription Management and NFC Trusted Service Management at this Year’s CARTES & IDentification Trade Show Munich, November 10, 2011–At the international trade show CARTES & IDentification 2011 (to be held November 15–17), Giesecke & Devrient (G&D) will be presenting a comprehensive portfolio of end-to-end solutions for ensuring the security of its customers’ digital applications. G&D’s activities at the trade show will center around the company’s NFC and Trusted Service Management (TSM) solutions, without which secure monetary applications of a mobile wallet nature, such as mobile-payment and mobile-ticketing solutions, would not be possible. Another point of focus will be subscription management, which covers the overthe-air personalization and activation of SIMs in M2M devices. G&D will be showing–for the first time in a live demonstration– various sample applications for the remote management of subscriptions in line with GSMA recommendations. G&D’s subscription management platform and its special “embedded SIMs” will be deployed in the course of the demonstration.
SecureKey Technologies Inc. to power the Government of Canada’s new online authentication service Use of bank-issued credentials from TD Bank Group, Scotiabank and BMO Financial Group will enable secure, convenient access to online government services Toronto, Canada, November 7, 2011–Toronto based SecureKey Technologies Inc. today announced that it has been awarded a contract by the Government of Canada to provide an innovative Credential Broker Service (CBS) that will allow Canadians to use their bank authentication credentials to obtain access to online government services. To ensure privacy protection, users of the CBS will authenticate through their bank but neither their login credentials nor the identity of their bank will be shared with the Government of Canada. Similarly, no information about the government service being accessed by the user will be shared with the user’s bank.
Cubic Integrates Video Interface in Next-Gen Ticketing Machines Enhancements deliver richer customer experience, added revenue opportunities for transit agencies San Diego, California, November 3, 2011–Fare cards aren’t the only products that Cubic Transportation Systems’ self-service ticketing machines are delivering now that the company has integrated high-resolution video displays in its next-generation machines for public transit. According to the company, a subsidiary of San Diego-based Cubic Corporation (NYSE:CUB), transit agencies will be able to offer video advertising, information, marketing, direction maps and other messages directly at the point of purchase, adding a new channel for high-traffic generating agencies to attract additional revenues, as well as to get more useful information in front of customers. 12
Smart Card Talk
Smart Card Alliance Government Conference Concludes with Updates on Health Security Card and Expanding Uses of PIV for Information Access Princeton Junction, NJ, November 7, 2011–More than 600 government and technology sector leaders and 40 exhibitors came together at the 10th Annual Smart Card Alliance Government Conference, which took place last week in Washington, D.C. The event brings together a broad spectrum of government users, policy makers, analysts and technologists in a collaborative and informative conference that includes the latest news on a wide range of government smart card programs underway.
Smart Card Alliance Government Conference Day One: Experts Talk NSTIC and Moving Away from ‘Broken Passwords’ Washington, DC, November 3, 2011, 10th Annual Smart Card Alliance Government Conference–Passwords are broken, and key logging, man-in-the-middle, phishing, and malware attacks have made the industry’s reliance on passwords the soft underbelly of the Internet, according to Jeremy Grant, senior executive adviser for identity management at NIST and the manager responsible for creating the national program office for the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Smart Card Alliance Board Members and Executive Leadership Announced for 2012 The 10th Annual Smart Card Alliance Government Conference, Washington, DC, November 2, 2011–The Smart Card Alliance today announced its 2011-2012 board and seven-member executive committee. Elections were held during the 10th Annual Smart Card Alliance Government Conference, taking place this week through November 4th at the Ronald Reagan International Trade Center in Washington, DC.
Gemalto Launches Ezio Plug & Sign for Unmatched Online Transaction Security • New authentication device to tackle online transaction security with superior convenience • Ezio Plug & Sign is a truly zero footprint device, and enables new services • With Ezio Plug & Sign integrity is assured even if the platform of connection has been compromised AUSTIN, TX, November 2, 2011–Gemalto, the world leader in digital security, today launches the Ezio Plug & Sign, the pioneering corporate banking device that tackles automated clearing house (ACH) and wire transfer fraud. Ezio Plug & Sign is a truly zero footprint device. It provides a secure web browser for online banking, also called a “safe zone”, to overcome the inherent risks of an open online environment. This capability in addition provides the ability to extend the services that can be offered to the users, including secure email, secure electronic bank account management and secure statement viewing.
Smart Card Alliance Healthcare Council Provides Smart Card Supplement to the WEDI Health Identification Card Implementation Guide
Smart Card Alliance Publishes White Paper on Commercial Identity Verification (CIV) Credentials for Enterprises
Princeton Junction, N.J., October 28, 2011–The Smart Card Alliance Healthcare Council today released a new white paper providing smart card guidance for the Workgroup for Electronic Data Interchange (WEDI) Health Identification Card Implementation Guide. The white paper provides WEDI-compliant smart card designs and includes a discussion of the features and benefits of smart ID cards for healthcare providers and payers.
Princeton Junction, N.J., October 24, 2011–Enterprises looking at options for secure physical and IT access now have a new resource from the Smart Card Alliance Physical Access Council, which just released a white paper on “The Commercial Identity Verification (CIV) Credential–Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?” The white paper defines the CIV credential and describes benefits, best practices and technical requirements for establishing a secure, reliable, electronically verifiable identity program based on broadly-deployed standards.
Gemalto Trusted Services Manager Selected for Singapore’s Nation-wide Near Field Communication (NFC) Roll-out Infocomm Development Authority of Singapore (IDA) awards callfor-collaboration to Gemalto-led consortium Singapore, Oct 25, 2011–Gemalto, (Euronext NL0000400653 GTO), the world leader in digital security, announces its selection by IDA as the trusted third party to deploy mobile NFC contactless services across Singapore.
Sparkasse Suedholstein Secures eBanking with Gemalto’s Ezio Optical Reader
• Credit card-sized reader solution replaces paper-based OneTime-Passwords • Innovative optical screen-reading feature simplifies and shortens data entry by consumers • Miniaturized format provides utmost portability and convenience
Amsterdam, Oct 25, 2011–Gemalto (Euronext NL0000400653 GTO), the world leader in digital security, announces that Sparkasse Suedholstein is deploying Gemalto’s Ezio strong authentication optical readers to better protect its online customers. The Gemalto solution eliminates the need for paper-based lists of One-Time-Passwords (“iTAN”, Indexed Transaction Authentication Number”) and adds the higher level of security of the smart banking card. The bank is part of the Sparkassen Finanzgruppe, the leading banking group in Germany with 45 million retail accounts. The unique credit card-sized optical authentication device is easy to carry around in your wallet and offers a high level of mobility and convenience. With 27 million ebanking users(1), Germany has the largest number of online customer base in Europe.
ActivIdentity Launches New Fraud Detection and Cloud Security Capabilities 4TRESS Authentication Appliance Enables Enterprise and Banking Customers to Deploy a New Level of Multi-Layered Strong Authentication More Quickly and Affordably Fremont, Calif., Oct. 18, 2011–ActivIdentity Corporation, a global leader in secure identity solutions, part of HID Global, today introduced 4TRESS Authentication Appliance that offers a complete multi-layered strong authentication, fraud detection and cloud security capabilities to enterprises, banks and ecommerce sites. The new 4TRESS Authentication Appliance FT2011 model provides more than 15 versatile strong authentication methods that can be used in conjunction with transparent new adaptive authentication and fraud detection techniques to achieve more security, more conveniently for end-users, and more affordably.
Smart Card Alliance Expands 2012 Payments Summit to Include EMV, Mobile and Transit Payments EMV Migration, NFC and Open Transit Payments to Headline Agenda Princeton Juncton, N.J., October 18, 2011–The Smart Card Alliance today announced that its Payments Summit will return for 2012 with an ”all payments” agenda, covering every leading transaction platform: EMV card payments, mobile payments, and transit payments. The event will be held February 8th through the 10th, 2012 at the Hilton Salt Lake City Center in Salt Lake City, Utah. Registration, sponsorship information, and speaking proposal forms are available on the 2012 Payments Summit event page.
Members submit news each month to the Smart Card Alliance, with news items highlighted on the Alliance web site and in the monthly news letter. Members are invited to submit their news releases (as a Word document) to news@smartcardalliance.org to contribute to the Members in the News content.
Smart Card Talk
13
events calendar
Cubic Receives Contactless EMV Bank Card Type Approval for Next-Generation Tri-Reader 3 CARTES and IDentification 2011 Paris, France November 15-17, 2011
2012 Payments Summit
A Smart Card Alliance conference event Salt Lake City, UT February 8-10, 2012
RSA Conference 2012 Feb 27-Mar 2, 2012 The Moscone Center San Francisco, CA
Cartes North America March 5-7, 2012 The Mirage Hotel Las Vegas, NV
ISC West
March 27-29, 2012 Sands Expo & Convention Center Las Vegas, NV
NFC Solutions Summit 2012
A joint Smart Card Alliance and NFC Forum event San Francisco, CA May 22-24, 2012
Cardware 2012: Payment Insights June 19-20, 2012 Marriott Gateway on the Falls Niagara Falls, ON, Canada
14
Smart Card Talk
Smart Fare Payment Using Open Payment Contactless EMV Bank Cards, AccountBased Cards and Existing Closed-Loop Transit Smart Cards, All on One Innovative Device San Diego, CA, Oct 17, 2011–Cubic Transportation Systems, Inc., the transportation unit of Cubic Corporation (NYSE: CUB), has received approval from the top four bank card brands for the Tri-Reader 3 to process their branded contactless EMV bank cards for use in public transit revenue management systems. Cubic has equipment and systems supporting seven of the top 10 largest public transit markets in the United States, United Kingdom and Australia as well as other major markets around the world.
SALT LAKE CITY
The Smart Card Alliance
2012 Payments Summit February 8 – 10 • Salt Lake City, Utah (Pre-conference workshops February 7)
EMV Bank Cards, Mobile Payments and Transit Payments Converge at the 2012 Payments Summit www.SmartCardAlliance.org 1-800-556-6828
The Smart Card Alliance 2012 Payments Summit returns to Salt Lake City again in February 2012 – building on a successful history of great events held in this great city located at the foothills of the snowcapped Wasatch Mountains. The 2012 Payments Summit has a new theme with a larger meeting space than in previous years. The Smart Card Alliance has combined its rapidly growing Mobile and Transit Payments Summit event with the Roadmap to EMV Payments portion of the 2011 Annual Conference event into a single, larger ALL PAYMENTS SUMMIT focusing on all forms of payments – bank card payments, mobile payments, and transit payments. 2012 is expected to be a tipping point year for the smart card payment industry. As more leading financial institutions announce EMV chip card rollouts to their international travelers, other financial institutions and credit unions will follow suit or risk falling behind their competition. Pressure will rise on U.S. issuers and merchants to begin the migration to EMV for domestic transactions as Canada, Europe, Asia and Latin America continue their rollouts of EMV cards. At the same time, NFC-enabled mobile phones and devices are reaching the
store shelves, putting mobile payments into the hands of millions of consumers, and mobile operators, including AT&T, Verizon Wireless, T-Mobile, and Sprint, have all announced plans to introduce NFC-enabled mobile payments. Salt Lake City, our host city, will be the site of one of the first Isis mobile payments network implementations sometime in 2012. Transit operators from major cities on the East Coast, Midwest, and the Mountain Region are planning open bank card fare payments pilots and rollouts that are expected to include contactless payments cards, stickers, and NFC-enabled mobile devices. Join us for what the Smart Card Alliance does best – bringing experienced smart card practitioners and suppliers together with innovative solutions developers and end users across the payments, mobile, and transit markets. The 2012 Payments Summit will include timely, informative conference sessions; in depth educational workshops; exhibits from leading smart card technology suppliers, payments applications and terminal suppliers; and outstanding networking and social events to meet new customers, suppliers, and technology partners.