Smart Card Talk A quar terly newsletter for members and friends of the Smar t Card Alliance
March 2014
Healthcare’s Identity Crisis
In This Issue:
I am pleased to announce the new Smart Card Talk Quarterly newsletter for the first quarter of 2014. This publication is a more robust newsletter than the monthly Smart Card Alliance Member Bulletin, and contains our most popular features – my thoughts on industry happenings, an update from SCALA, Council reports, feature article, and our well-read Member Profile spotlight. I dive right into the issue of healthcare in my letter. For those who don’t follow the market closely, you might think that the big changes are the government signing up uninsured citizens through either federally run or state operated insurance exchanges, and expanding the qualifications for Medicare. There’s so much more going on, and I invite you to share your thoughts with me. I hope you enjoy this revamped publication geared to members, friends and supporters of the Smart Card Alliance.
② Executive Director Letter >>
Sincerely, Randy Vanderhoof Executive Director, Smart Card Alliance
Members in the News >>
③ Latin America Letter >> ④ Member Profile >> ⑥ Feature Article >> ⑨ Council Reports >>
On the Web: Alliance in the News >>
Event Calendar
Click Here to Read Letter ...
ISC West - Mobile Devices and Identity Access Control Applications Workshop April 1, 2014 Sands Expo and Convention Center, Las Vegas
Feature Article: Card-Not-Present Transactions: A Primer on Authentication Methods
Member Profile: HP Enterprise Services
Internet transactions are projected to be a growing fraction of overall retail sales. Robust authentication methods for Internet purchasers are critical to mitigate the risk of card-not-present fraud. This month’s article provides a primer on authentication methods for card-not-present transactions.
This quarter Smart Card Talk spoke with Lolie Kull, who has been with HP Enterprise Services (HPES) for seven years and has extensive experience within the Federal Government supporting its identity, credentialing and access management initiatives.
Click to Read More …
Click to Read More …
2014 NFC Solutions Summit June 3-4, 2014 Renaissance Arboretum Hotel, Austin, TX 2014 Government Conference-Smart Strategies for Secure Identity October 29-30, 2014 Walter E. Washington Convention Center, Washington, DC All Upcoming Smart Card Alliance Conference Events
executive director’s corner
Healthcare’s Identity Crisis Dear Members and Friends of the Alliance,
the first time, there is no way to guarantee that the patient will use the same information the next time treatment is sought.
Last month I was privileged to participate in a health IT symposium called “Privacy and Security: Challenges and Opportunities in Healthcare Identity” at HIMSS14 in Orlando, the largest healthcare information technology conference held each year which draws upwards of 50,000 attendees. The Smart Card Alliance Health and Human Services Council helped to organize this symposium. What I learned about the state of America’s free-market healthcare system, electronic health records and patient identity was both very enlightening and very disturbing.
This is where smart cards would really help – by binding patient identity to something that is permanent and portable, can be electronically validated, and can be digitally matched to the electronic health records to follow. David Batchelor of LifeMed ID, an Alliance member and speaker at the symposium, presented a strong business case for smart cards just by eliminating duplicate records.
Before the Affordable Care Act in 2010, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was signed into law in 2009. This law created the Office of the National Coordinator (ONC) for Health Information Technology to oversee spending $25.9 billion to promote and expand the adoption of health information technology. The HITECH Act promoted electronic health records (EHRs), set meaningful use of interoperable EHR adoption as a critical national goal, and incentivized EHR adoption with cash rewards to medical practitioners. It also established penalties if EHRs were not being used effectively in the delivery of healthcare after 2015. Individuals were empowered to have control over their personal medical records to provide protection from abuse and personal privacy concerns. Fast forward to 2014, five years since the HITECH Act passed, and what I learned is that the billions of dollars spent turning paper into electronic records has succeeded in creating digital mountains of medical data in electronic form, but little or no agreement on how it should be exchanged – and virtually nothing accomplished on how personal health records should be protected. Our symposium exposed the heart of the problem about EHRs – there is no agreement about how to identify the patient. Hospitals have collected huge amounts of digital information about patient history, medical procedures, medications and such, but they may link some or all of this information to the wrong patient. The problem starts with no set standards for how an individual’s identity is established when they enter a doctor’s office or a hospital. For many patients, the individual charged with collecting this vital information is the lowest paid and least qualified staff person in the organization. Information collected – name, address, date of birth, gender, phone number – is based on what the patient provides. Sometimes a driver’s license is requested to prove identity, but nothing proves that the driver’s license belongs to the person presenting it. Often the insurance card is used, but again, it is just a piece of paper. Even if the hospital gets the patient identity right 2
Smart Card Talk
The healthcare system currently uses a combination of patient information that is gathered and a probabilistic measure to determine matching success based on the average number of times the information factors result in a positive match. So if the correct patient is matched to the correct records 94% of the time, that is considered good. In a large metropolitan hospital with 10,000 patients, 600 patients (6%) might be getting the wrong medicine or be treated with a drug with severe interaction with other medications the patient is taking. If your name happens to be John Smith or Jose Rodriquez, you are in big trouble. Since patient matching uses multiple criteria which can’t be verified between different hospitals, a better way would be to use a universal unique patient identifier. There are some challenges – the keeper of this system would have to be highly trusted by the entire industry and the consumer population, and the liability risk would be staggering. The government would be the likely candidate for this role but “highly trusted” and “government” are not often used in the same sentence. However, the idea of a national health identifier is widely supported by nearly every health industry association, according to a new report just released by ONC called “Patient Identification and Matching Final Report.” But, ONC suggests that the industry not wait for that and find other ways to improve patient matching in the meantime. This symposium highlighted how convoluted the healthcare market is concerning patient identity, with smart cards prominently discussed as a possible solution. But after five years and more than $25 billion dollars spent, nobody has figured out a way to make the investment in electronic health records deliver improved the quality of care for patients and make them feel secure. Eventually some catastrophe may occur and people will act surprised that there was no way to know that digitization of healthcare information was going to fail – but if you attended our symposium at HIMSS14 you will have learned that the solutions are right under our noses. Sincerely,
Randy Vanderhoof Executive Director, Smart Card Alliance rvanderhoof@smartcardalliance.org
Dear Members and Friends of the Smart Card Alliance Latino America – SCALA:
to pay public transportation fares. These cards use a single EMV chip with a dual interface, meaning that it communicates through contact and contactless in an interoperable open platform.
Latin American markets have long been pioneers in establishing innovations for smart card technology. Organizations that had the opportunity to participate in our last SCALA initiative in Costa Rica and our EMVTour – Central America quickly earned that this continues to be the reality.
This technology offers many benefits for for transportation and banking, including:
This past month, three important government agencies of Costa Rica - The Ministry of Public Works & Transportation, The Federal Regulator of Public Services, and The Central Bank - signed an agreement to introduce electronic payments in the transportation system. The proposal is to establish a single open payments transportation system, making it the first completely open payments transportation system in Latin America and an example for others. Fare collection systems in public transport have been evolving since their inception in order to improve efficiency, speed, convenience and safety of passengers using these services. Payment technologies have ranged from coins, banknotes, tokens, tickets, magnetic stripe cards, to smart cards. The use of smart cards for fare collection in the transportation system began in the mid 1990s with “MIFARE,” a technology created by Phillips, now part of NXP Semiconductors, where a 1K memory chip smart card was used as the fare medium. The card communicated through radio frequency, reducing wear and tear, and replacement of cards. This improved speed, convenience, and integration of the different stakeholders in the transportation system. During this period the financial systems were also undergoing their own technological evolution from magnetic stripe cards to EMV chip cards. The EMV chip card was designed to assist issuers and acquirers in reducing the high level of fraud that was being created by the static magnetic stripe information, while also providing financial institutions opportunities to improve their products and services through the introduction of a chip. Eventually, someone had the idea to incorporate the two technologies into a single card called a “hybrid card,” which has two chips in a single plastic card. One technology communicated via radio frequency using the MIFARE technology, allowing payments in the transport system, while the other worked through a contact chip for financial payments. Over time, the payment systems advanced their technology to include an RF (i.e., contactless) interface leading to what is known as “open payments,” a term for bank cards such as American Express, MasterCard, Visa, and/or private label networks that can be used
Introduction to the Unbanked: The use of a bank card in the transportation system reduces the cost for the transport authorities issuing the card, opening up the financial services industry to the unbanked transportation user. Financial institutions can increase their cardholder portfolios by creating incentives to offer a variety of financial products and services. Security: Eliminating the use of cash in public transport systems has been shown to increase security, reducing the risk of internal and external theft, as well as increase the number of middle class users. In addition, by removing money from the system, the transportation authority reduces costs associated with managing money within the transportation system. The EMV standard is a much more secure and robust payments platform. Under this standard, and if the transport system acts as a regular merchant, the issuer is responsible for any fraud in the transaction. This may vary by country. Efficiency: The management of route information, users, and collections helps the authority to determine the most effective placement of transportation resources and manage profitability. Additionally, the time spent by users in the transportation system to reach their destination is reduced. This allows the authorities to easily determine how many passengers are required to cover the cost of a single route, schedules, and required resources, improving the quality of life of its customers. Interoperability: The are advantages of having an integrated system where different actors such as the financial system and the transport system can have applications that coexist within a single chip on a card. For the user, it opens the door for the integration of multiple services at a single point.
Sincerely,
Edgar Betts Associate Director, Smart Card Alliance Latin America (SCALA) ebetts@smartcardalliance.org www.sca-la.org
Smart Card Talk
3
latin america corner
Open Payments in Latin America for Public Transport System
member profile
HP Enterprise Services
1. What are your main business profile and offerings? HP Enterprise Services is a leader in delivering technology services and business solutions for commercial and public sector customers. Working within the U.S. Public Sector, we understand the unique missions and requirements of government agencies and can help address key priorities and technology challenges to deliver innovation that helps you achieve your critical outcomes. Within cybersecurity, we specialize in full spectrum risk management solutions designed to help you detect, prevent and remediate security vulnerabilities across your enterprise. Specifically we specialize in solutions for identity, credentialing & access management (ICAM), continuous monitoring, and application security, with new innovative solutions under development. HP, as the world’s largest technology company, brings together the full portfolio that spans services, printing, personal computing, software and IT infrastructure to solve customer problems.
2. What role does smart card technology play in supporting your business? This quarter Smart Card Talk spoke with Lolie Kull, who has been with HP Enterprise Services (HPES) for seven years and has extensive experience within the Federal Government supporting its identity, credentialing and access management Lolie Kull initiatives. Lolie serves as a subject matter expert for HPES’s Assured Identity Credentialing solution for federal, state, local, international governments and private sector entities. She has been involved in the development and roll out of smart card identity, credentialing and access management programs since 1999 supporting the U.S. Department of State, Transportation Security Administration, U.S. Department of Homeland Security and the Veteran’s Administration. A founding member of the Smart Card Alliance Physical Access Council (now known as the Access Control Council), Lolie currently serves as the Vice Chair, and has been an active member of the Smart Card Alliance since its inception. She holds a Bachelor’s degree from the University of Louisiana Lafayette and is a CSCIP/G (Certified Smart Card Industry Professional/Government).Visit HP at www. hp.com.
4
Smart Card Talk
As a “Tier 1” Gartner-rated service provider for identity and access management and leading government credential issuer, HP believes that smart card technology is a key component of providing critical security services for all of our clients. It can mitigate the challenges of providing our clients, both in the government and the commercial sector, services that rely on a secure environment that spans facilities and cyberspace. Smart card technology is the foundation for secure authentication and authorization to enable user access that will meet compliance regulations, mitigate security risk and support the reduction of identity fraud.
3. What trends do you see developing in the market that you hope to capitalize on? The primary market trend focus for HP is what we call the “new style of IT.” It enables organizations to capitalize on cloud-based computing and applications, BYOD management, social identity integration and mobile applications development and management. HP believes that security, especially identity and access management, is most important and where cloud, security, big data, and mobility all converge. There is a critical need for comprehensive solutions and services to better support our client’s stakeholders, communities, partners, and suppliers with a “new style of IT.” As clients look to expand their enterprise businesses into the cloud, security remains on the forefront of their objectives. As more enterprises move their capabilities and services to the cloud, it is important to understand that protecting data within the cloud is critical. Virtual/private clouds need to be able to meet the needs of many different organizations with different assurance level requirements. Therefore, a flexible and adaptive strong authentication access management posture is required. HP enables clients
to better engage their customers/users/citizens and to collaborate with federation partners through identity and access management (IAM) cloud software-as-a-service (SaaS) solutions in a secure and cost-effective manner that promotes greater user adoption. We see the breakdown of ‘silos’ between government agencies, departments and the private sector as an opportunity to broker high-valued cloud or hosted IAM services that enhance the mutual collaboration of those entities. HP provides secure cloud environments that are FedRAMP certified and incorporate the necessary security capabilities around credentialing and strong authentication, to ensure secure access to your cloud, thereby, protecting your data. In addition, Continuous monitoring is now an implementation requirement for the federal government. It enables insight into risk posture as it pertains to the security of data, networks, end points, cloud devices and applications. Continuous monitoring helps agencies understand their organizational risk, improve security awareness so they may address urgent issues, and gives them the tools to make cost effective, risk-based decision. In order to receive the benefits of continuous monitoring, you must get realtime information that reflects the operational changes to your IT environment through continuous feedback. HP is dedicated to providing our clients with expert continuous monitoring services that paired with current policies and processes, strengthens the overall enterprise risk management process. Continuous monitoring supports ICAM requirements by enabling the identification of users, providing visibility into their access entitlements, and allowing the organization to respond to identified threats. In the mobile space, HP continues to see interest by its clients for both derived credential and strong authentication of mobile applications. All of these trends fit into HP’s vision to be the trusted partner and provider of identity and access management services.
4. What obstacles to growth do you see that must be overcome to capitalize on these opportunities? Budget constraints “across the board” remain a persistent obstacle to deal with. However, in the case of identity fraud, facility security and cyber security, the cost to implement smart card technologies is normally far less expensive than the actual cost to fix a data breach or a case of identity theft. Every day we see evidence of problems arising as “bad guys” access systems and data that they shouldn’t. Government, businesses and individuals all suffer the consequences of weak security and the cost of fixing such problems continues to rise. The other obstacle to growth that many organizations face can be information overload in light of ever-changing technology. We are all constantly bombarded with commercials, so to speak, featuring the best technology solution or device. There are, seemingly, daily new releases or upgrades for every device or service imaginable. Each is the best and as many commercials state, “you just can’t live without it.” So how does anyone work through all of the hype to
factually determine what is the best solution to meet their requirements? HP’s four decades of experience as a trusted partner with public and private sector enterprises, working closely with each individual client to gain a true understanding of their environment, policies and processes, is the only way to overcome this obstacle.
5. What do you see are the key factors driving smart card technology in government and commercial markets in the U.S.? Each day there is a greater emphasis on the need to protect one’s own identity and for governments and businesses to make sure that those individuals who have access to interact with facilities, networks and data are who, in fact, they say they are and that they have a valid need for access. Protecting one’s private information is critical to maintaining identity security. Smart card technology is the best tool available today to help manage a person’s identity - keeping it private and secure and ensure the highest level of authentication for access to government and commercial information and facilities. It should be the tool of choice for authentication and authorization to prevent fraud within private sector, healthcare and governmental services.
6. How do you see your involvement in the Alliance and the industry councils helping your company? The Smart Card Alliance and its Industry Councils provide HP with a unique opportunity to work with industry and government leaders in an information sharing and problem solving environment. The Alliance provides a forum for much more than just smart card technology. Through the work with the Councils, HP has an opportunity to help shape standards and, to a degree, even inherent policy for improving security. This puts us in the position to offer products and services that are aligned with new technology and the requirements to further improve security. Additionally, the Alliance also provides our employees an educational opportunity through a multitude of conferences, seminars and webinars. The Certified Smart Card Industry Professional Program also provides our employees the necessary tools to keep up with the smart technology and policy changes and serves as a knowledge base for the updated NIST Standards and associated Special Publications. This provides HP the ability to understand the challenges that our customers may be facing and helps us provide the support they need.
Member contact: Lolie Kull HP Enterprise Services Cybersecurity Solutions Group Identity Practice 225 341 6024 Lolie.Kull@hp.com Smart Card Talk
5
feature article
Card-Not-Present Fraud: A Primer on Authentication Methods for e-Commerce Transactions
Card-not-present (CNP) fraud involves the unauthorized use of a credit or debit card number to purchase products or services in a setting where the customer and merchant are not interacting faceto-face. This can be in an Internet (or e-commerce) transaction from either a computer or a mobile device, or a transaction that takes place over the telephone or through mail order. There are three important areas to consider when discussing CNP fraud and consumer authentication. First is the projected growth in e-commerce. While the Commerce Department reported that e-commerce accounted for only 5.8% of total retail sales in 2013, it grew 16.9% from 2012. E-commerce transactions are projected to be a growing fraction of total transactions. Second, payment account information that is stolen in data breaches is sold to fraudsters and used to either create counterfeit cards or used for e-commerce transactions. Third, addressing CNP fraud risk is an important topic as the U.S. moves to EMV chip payments at the physical point-of-sale (POS) to address the growing problem of counterfeit fraud. EMV has been proven effective at reducing counterfeit card fraud globally. Experience in other countries, however, has also found that as counterfeit card fraud declines, fraudsters move to other channels, such as e-commerce, and CNP fraud increases as a proportion of total fraud. 6
Smart Card Talk
Authentication for CNP Transactions The challenge with card-not-present transactions is authenticating that the purchaser is who they say they are and is the true account holder. An identity authentication process typically relies on a person providing one or more authentication factors – something the person has, something the person knows, and/or something a person is – with at least two factors present. Relying on a single factor implies extremely high confidence or tolerance for risk. In a face-to-face transaction at the POS, a cardholder uses a card (something owned) and, if prompted, a personal identification number (PIN, something known) or a signature (a biometric), providing two-factor authentication. This process for authenticating cardholder identity isn’t replicated for e-commerce transactions. And, while CNP authentication methods are available, there are no commonly adopted authentication standards in use that are similar to those used at the physical POS. E-commerce retailers and the payments industry currently take a variety of approaches to authenticate consumers. Some general classes of approaches include static or random passwords, dynamic information such as one-time passwords generated in software or using a smart card or mobile phone, knowledge-based approaches (such as asking secret questions), and device fingerprinting, where some information is used to identify the device by which the user is accessing an e-commerce site. Table 1 illustrates example authentication methods that may be used in e-commerce transactions.
The payments industry has implemented a number of standard approaches for CNP authentication. Asking for the cardholder’s zip code to do address verification and entering the “card security code” printed on the card are common methods used by many, but not all, merchants. Card issuers validate that this information is correct during the transaction authorization. The payments networks have also defined other standard CNP authentication protocols that are in use internationally. The MasterCard Chip Authentication Program (CAP) and Visa Dynamic Passcode Authentication (DPA) program used EMV payment cards and cardholder readers to generate one-time passwords for online access. The 3D Secure software protocol is also in use by merchants and issuers to validate cardholder identity during an e-commerce transaction. It’s been reported that these types of tools have been used successfully in Europe to address CNP fraud after EMV migration,
with the UK Cards Association reporting CNP fraud in the UK decreasing by one-third due to increasing use of fraud screening tools by retailers and use of 3D Secure. E-commerce retailers typically implement multiple solutions to mitigate CNP fraud or use a commercial service to mitigate transaction risk. Since merchants today assume the costs of CNP fraud as well as typically pay higher fees for e-commerce transactions, merchants also may have their own internal fraud departments and often use tools to score the risk of online shopping behavior to determine which online purchases to accept, reject or send for review. Ultimately, e-commerce retailers have to balance the risk of losses due to fraud with making the purchase process more difficult for
Table 1: Example Authentication Methods for CNP Transactions
Authentication Method
Description
Static password or PIN
Shared secret known to both the customer and the merchant. Shared secret/PIN may be provided out-of-band, separate from the transaction itself.
Random static passwords
Typically a six-digit password that is created like other static passwords but not requested in its entirety on subsequent transactions. Instead, only 3 different digits of the password are requested for each purchase.
Static knowledge-based authentication
One or more secret questions asked to the user to confirm the user’s identity.
Random knowledge-based authentication
One or more randomly selected secret questions asked to the user to confirm the user’s identity.
End-point identity
Umbrella term that describes any of a number of methods used to identify the device by which the user is accessing the service provider.
One-time password using hard token
One-time password generated by a USB token, smart card, or mobile phone.
One-time password using soft token
Digital certificate.
Scratch card
Small card, often made of plastic, on which one or more areas contain information that can only be revealed by scratching off an opaque covering.
Bingo card
A numbered list of one-time passwords, printed on paper. For every e-commerce transaction, the user is required to enter a specific password from the list.
IVR voice verification
Consumer repeats a pre-recorded phrase or PIN to an IVR.
Chip Authentication Program (CAP) with personal card reader or mobile device
Dynamic password generated by an EMV chip card placed into a chip authentication reader and using a PIN.
Physical biometrics
An individual’s biological characteristics.
Behavioral biometrics
An individual’s physical behavior patterns.
Display card
A token in plastic card form with a display, an on-off button, and an optional PIN pad that generates a one-time password. The PIN pad allows the user to PIN-protect access to the one-time password and also sign transactions. If the card is an EMV chip card, it can act as both the chip authentication reader and the card.
Mobile device secure element
A chip embedded within a mobile device that stores payment account information and enables fully authenticated EMV transactions in the CNP environment. This could be used to support a number of the authentication methods in this table. Smart Card Talk
7
the consumer. The more difficult it is for the consumer to purchase online, the more likely they’ll abandon the transaction – leading to lost revenue. So each e-commerce merchant will take different approaches based on its transaction volume and potential for fraud.
Conclusion Mitigating an increase in CNP fraud requires devising and implementing solutions for authenticating customers in CNP scenarios. There are a variety of different solutions currently in the marketplace; most rely on the use of a common set of authentication building blocks to get the job done. To date, merchants have chosen which solution to implement because they have assumed the risk of losses due to fraud and abandoned purchases. The approach taken by merchants varies by merchant size and customer/ traffic profile.
About this Article This article is based on the white paper, “Card-Not-Present Fraud: A Primer on Trends and Authentication Processes,” published by the Smart Card Alliance Payments Council in February 2014. The white paper was developed to educate payment industry stakeholders about the impact of and need to further address card-notpresent fraud in conjunction with migration to EMV in the U.S. Member organizations involved in the development and review of this white paper included: ABnote; Capgemini; CH2M HILL; CPI Card Group; First Data Corporation; Gemalto; Giesecke & Devrient; Heartland Payment Systems; INSIDE Secure; MasterCard; NXP Semiconductors; Oberthur Technologies; SHAZAM; TSYS; Vantiv; Visa Inc..
Because issuers have not been liable for CNP fraud, it is understandable that their role in preventing it has been fairly limited. Issuers can choose to participate in emerging processes for standardizing CNP authentication across merchants. Doing so will provide consumers with a more trouble-free experience when shopping virtually. With the U.S. migration to EMV to address counterfeit card fraud, it’s critically important that the industry take proactive steps to deal with the potential increase in CNP fraud, especially as new and large data breaches continue to compromise cardholder information. Identifying best practice strategies for merchants, evaluating industry-wide approaches that deal with risk at the payments system level, and engaging issuers in the fraud mitigation process are critical. Important factors for success will be not only effectiveness in reducing CNP fraud, but also ease of merchant implementation and customer ease of use.
8
Smart Card Talk
Resources on Fraud and CNP Transactions • 2013 LexisNexis True Cost of Fraud Study, LexisNexis, September 2013 • 2013 Online Fraud Report, CyberSource • The 2013 Federal Reserve Payments Study, Federal Reserve System, December 19, 2013 • Annual Report of the Observatory for Payment Card Security, Observatory for Payment Card Security • Australian Payments Clearing Association • Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure?, Smart Card Alliance, February 2012 • Chip-and-PIN: Success and Challenges in Reducing Fraud, Federal Reserve Bank of Atlanta, January 2012, • EMV Connection web site • E-retail rolls in 2013, Internet Retailer, February 18, 2014 • FICO Data Shows the U.S. Credit Card Fraud Incident Rate Rose 17 Percent Over Two Years, FICO, October 13, 2013 • “Global Card Fraud Losses Reach $11.27 Billion, The Nilson Report, Issue 1023, August 2013 • Second Report on Card Fraud, European Central Bank, July 2013 • Smart Card Alliance web site • UK Cards Association • Worldwide EMV Deployment and Adoption, EMVCo
Access Control Council
• The Access Control Council approved a plan to start Council activities focused on the non-government PACS market. Initial activities are to profile different non-government PACS market segments and develop a white paper discussing the benefits of smart card technology for access control. • The Council is currently developing the statement of work for a white paper on using smart card technology for logical access. • The Council has had guest speakers in recent Council conference calls, including Bob Gilson (DMDC) discussing OPACITY and Steve Lasky, editor with Cygnus publications, discussing the commercial PACS market.
Health and Human Services Council
• The Health and Human Services Council hosted a full-day pre-conference symposium, “Privacy and Security: Challenges and Opportunities in Healthcare Identity,” on February 23rd, at the HIMSS ’14 Conference. The symposium featured Randy Vanderhoof, Michael Magrath (Gemalto) and David Batchelor (LifeMed ID) as speakers and session moderators. The Council identified and recruited symposium speakers, with strong presence from healthcare organizations who have implemented smart card initiatives, including: Memorial Hospital; Resolute, an Innovation Center for Vanguard Health; Seattle Children’s Hospital; Southwest Texas Regional Advisory Council for Trauma. • The Council is working on a brief on patient identity and the role of smart card technology in patient identity management.
Identity Council
• The Identity Council is working on its 2014 project plan.
Mobile and NFC Council
• The Mobile & NFC Council held a well-attended in-person Council meeting at the Payments Summit, with 22 members attending. The group brainstormed projects for 2014 and agreed on top priority projects. • The Council is starting to scope three projects: Host Card Emulation (HCE) 101, Bluetooth Low Energy (BLE) 101, and a mobile security white paper or webinar series.
Payments Council
• The Payments Council published a new white paper, CardNot-Present Fraud: A Primer on Trends and Authentication Processes, to educate payment industry stakeholders about the impact and need to further address card-not-present fraud in conjunction with migration to EMV in the U.S. Ryan Barnes (TSYS) and Sarah Hartman (TSYS) led the project. Member organizations involved in the development and review of this white paper included: ABnote; Capgemini; CH2M HILL; CPI Card Group; First Data Corporation; Gemalto; Giesecke & Devrient; Heartland Payment Systems; INSIDE Secure; MasterCard; NXP Semiconductors; Oberthur Technologies; SHAZAM; TSYS; Vantiv; Visa Inc..
• The Council held a well-attended in-person Council meeting at the Payments Summit, with 25 members attending. The group brainstormed projects for 2014, with excellent discussion on educational resources needed that the Council could create. • The Council has surveyed members on project priorities and will be starting new projects in March.
Transportation Council
• The Transportation Council held a very well-attended inperson Council meeting at the Payments Summit, with 43 members attending. The group reviewed projects currently in process and discussed possible new projects for 2014. • The Council is working on a project to discuss transit challenges with open payments with the payment brands. The Council held an in-person project meeting at the Payments Summit on one of the key issues. The project goal is to produce a best practices document. • Other projects in process include a white paper on EMV and transit and a small agency guide to open payments.
Other Council Information
• Members from the Access Control, Identity and Mobile & NFC Councils will be presenting in an ISC West preconference workshop, “Mobile Devices and Identity and Access Control Applications,” April 1, 2014, at the Sands Expo and Convention Center, Las Vegas, Nevada. Click here for workshop registration. • Members from the Mobile & NFC, Payments and Transportation Councils presented in the Payments Summit pre-conference workshop, “The Changing U.S. Payments Landscape: The Impact of EMV and Mobile on the Payments Acceptance Infrastructure,” February 4, 2014. Presenters included: Ryan Barnes (TSYS); Deborah Baxley (Capgemini); Guy Berg (MasterCard); Patrick Burns (Visa); Jane Cloninger (Edgar Dunn); David deKozan (Cubic); Mike English (Heartland Payment Systems); Sarah Hartman (TSYS); Gerry Schoenecker (Ingenico); Ellie Smith (Discover); Patty Walters (Vantiv); Tom Zalewski (CorFire). • Members-only council web pages were updated and are available at http://www.smartcardalliance.org/councils. These are password-protected pages that contain council working and background documents and contact lists. Each Council area has a separate password since Councils may have different membership policies. If you are a Smart Card Alliance member and would like access to a council site, please contact Cathy Medich. • If you are interested in forming or participating in an Alliance council, contact Cathy Medich.
Alliance Members: Participation in all current councils is open to any Smart Card Alliance member who wishes to contribute to the council projects. If you are interested in participating in any of the active councils, please contact Cathy Medich. Smart Card Talk
9
council reports
Updates from the Alliance Industry Councils
from the alliance office
Welcome New Members • • • •
Consult Hyperion, SCALA Leadership Council Euro Tech Sales LLC, Associate Member Servired, Sociedad Espanolo de Medios de Pago, S.A., General Member Sevired, S.A., SCALA General Member
New CSCIP Recipients • James S. Berkowicz, Sprint
New CSCIP/G Recipients • Steven Quade, ICFI
New CSCIP/P Recipients • Leah Foster, TSYS • Barbara Hain, TSYS • Docia Myer, CIP Card Group
Payments
For more news, visit our website at www.smartcardalliance.org. Members can also access white papers, educational resources and other content.
About Smart Card Talk Smart Card Talk is the monthly e-newsletter published by the Smart Card Alliance to report on industry news, information and events and to provide highlights of Alliance activities and membership. 191 Clarksville Road Princeton Junction, New Jersey 08550 1.800.556.6828 Fax: 1.609.799.7032 info@smartcardalliance.org www.smartcardalliance.org 10
Smart Card Talk
About the Smart Card Alliance The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.