Smart Card Talk
A quarterly newsletter for members and friends of the Smart Card Alliance
June 2014
The Subject of Mobile Security: When is something secure enough?
Surrounded by mobile industry members and interested guests who attended our 3rd Annual NFC Solutions Summit in Austin, TX last week, I was amazed by the level of discourse that was happening around the venue – in the conference sessions, the exhibit halls, the workshops, and the NFC start-up developers pavilion – about security. I write more about this interesting development in my letter for this quarter’s Smart Card Talk newsletter. We also have an update on Alliance Councils, a Member Profile spotlight on Gemalto, and a special article from and by the PCI Security Standards Council on EMV and PCI. There’s a lot going on, and I invite you to share your thoughts with me about anything you read. Thank you for your interest and support of the Smart Card Alliance.
Sincerely,
Randy Vanderhoof
Executive Director, Smart Card Alliance
In This Issue: Executive Director Letter (p. 2); Latin America Letter (p. 3); Member Profile (p. 4); Feature Article (p. 6); Council Reports (p. 9)
Event Calendar
Government Conference Special Edition Event: Celebrating the 10th Anniversary of HSPD-12, Thursday, July 31, 2014, Marriott Metro Center Hotel, Washington, DC
Feature Article: EMV Chip and PCI Standards – A Strong Combination
EMV chip is a highly effective method of reducing counterfeit and lost/stolen card fraud in a face-to-face payments environment. For this issue of Smart Card Talk Quarterly, we invited Bob Russo, General Manager of PCI Security Standards Council, to discuss getting ready for EMV chip and other technologies.
Member Profile: Gemalto
This quarter Smart Card Talk spoke with Neville Pattinson, SVP Government Sales for Gemalto North America. Pattinson, who holds three industry designations – CISSP, CIPP and CSCIP – is also the technical vice-chairman of the Smart Card Alliance and sits on the board of NSTIC’s Identity Ecosystem Steering Group. He previously served a five-year term on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.
2014 Government Conference: Smart Strategies for Secure Identity, October 29-30, 2014, Walter E. Washington Convention Center, Washington, DC
Smart Card Alliance Member Meeting, December 7-9, 2014, Rosen Shingle Creek, Orlando, FL
Smart Card Alliance 8th Annual Conference: 2015 Payments Summit, February 3-5, 2015, Grand America Hotel, Salt Lake City, Utah
executive director’s corner
The Subject of Mobile Security: When is something secure enough?
Dear Members and Friends of the Alliance,
In the first and second year of the NFC Solutions Summit, attendees were looking to become educated about the potential uses of NFC, mainly for payments, but also for identity management and data exchange uses like smart posters and tags. At the 3rd Annual NFC Solutions Summit held last week at the Renaissance Austin Hotel, security was the hot topic, but the discussion was not the same as past years. It was not the matter-of-fact way of rehashing how secure elements create the impenetrable fortress inside the phone so NFC phones can faithfully execute safe mobile payments transactions and store and deliver other credentials in a deliberate way. At the Summit, that very rigid security model was challenged as being too complex, too costly, and overly restrictive to enable large-scale adoption of NFC applications to take hold. Financial institutions, transit operators, and identity providers came to the Summit hoping that Host Card Emulation (known as HCE in technical circles) would provide the alternative. HCE is now built into all new Android-based smart phones (80% of the smart phones sold globally) and enables the security of the payment or identity credential to be managed in the cloud under certain conditions. HCE and tokenization could be the alternative security option payments providers were looking for to simplify NFC implementation, reduce the cost, and open up access to the NFC radio. The current UICC or embedded secure element-centric model has always been subject to the control of the mobile network operator or smart phone manufacturer, not the payments industry or the identity management provider and the hundreds of millions of customers they serve.
At first the established secure element backers made their case for why their approach has been the most secure and most successful method of building NFC wallet applications, while acknowledging potential future uses of HCE. Isis reported that they are supported in 68 NFC mobile phones and are averaging 20,000 new Isis wallet activations per day using this model. The HCE backers presented their cloud security models using new HCE routing that provides direct connectivity to the NFC radio to pass secure tokens from the cloud to the NFC controller and bypass the secure element channel in the phone. This approach also replaces the Trusted Service Manager (TSM) for provisioning and managing the mobile applications and the credentials with a simpler HCE cloud server. As the NFC Solutions Summit conference entered the second day, and the technical and business applications tracks delved deeper into HCE, it became more clear that these are early days for HCE.
There were many questions unanswered about how reliable the communications between the phone and the cloud server would be, what standards are needed on the device to manage applications sharing a single HCE port, and how credentials or tokenized versions of the credentials sent from the HCE cloud server would be stored and protected inside the mobile operating system until they are needed to execute an NFC transaction. Although it appears that HCE is still several years away, no one would discount the value of HCE in opening up the NFC market to more participants. This could be the challenge that the secure element-based establishment needed to simplify its own architecture and lower the costs and barriers to entry for payments and non-payments applications, so secure element models can compete effectively with the HCE and cloud storage models being proposed. Another interesting byproduct of the debate over NFC security schemes was the acknowledgement that absolute security does not exist and not every NFC application needs to have the same level of security. Risk-based security was mentioned often last week, where service providers should be given the option to decide how much security their mobile application requires in the context of what the potential monetary or reputational cost is at stake if a breach occurs. The co-existence of applications like mobile offers, limited-use tokens, transit passes, and prepaid low-value accounts using the cloud and HCE with highly valued or highly protected credentials like your credit card numbers or driver’s licenses using UICC hardware security gives providers more options and consumers more freedom to choose what they want protected and what they want easier access to at a lower cost. 
I am grateful that so many knowledgeable mobile security professionals are members of the Smart Card Alliance and thankful that we can attract the level of technical and business professionals to attend the NFC Solutions Summit and make it a terrific learning experience for our guests and members alike. Unlike other NFC conferences that have come and gone over the years, the NFC Solutions Summit has found its place of importance, like the Payments Summit and the Government Conference, within the Smart Card Alliance community.
Sincerely,
Randy Vanderhoof
Executive Director, Smart Card Alliance
rvanderhoof@smartcardalliance.org
latin america corner
SCALA Speaks At International Workshop
Dear Members and Friends of the Smart Card Alliance Latino America – SCALA:
The Inter-American Development Bank (IDB) invited SCALA to be a speaker on “Human Resources as Fundamental: Opportunity for Constant Training” in their International Workshop on Politics of Identification and Civil Registration in Quito, Ecuador on June 5. The purpose of the workshop was to promote knowledge and successful experiences of projects, which details the inscription of births, civil registry, and improvement in public services. We were honored to speak at the workshop, which was led by public sector experts from Chile, Ecuador, England, Germany, Finland, Peru, Uruguay, as well as Inter-American Development Bank representatives. The subjects of civil registry, identification, and identity cards play an important role in the development and planning capabilities of a country’s public services, human development index, and its economy. This is why it is important to accurately forecast the population growth of each country and identify the birth of each citizen. The right of each citizen or person born within a country’s borders to be registered is a fundamental human right. Some governments in our region have found it hard to identify marginalized populations in remote areas of their country, and in other cases have purposefully not considered these populations as part of their country or population, or as citizens, violating their basic human rights. Fortunately, identity solution providers are experts in this field and can contribute significantly to the development of a successful identity project. Unfortunately, some providers look at each project through a commercial prism, trying to drive the selection process towards their individual solutions. This creates a conflict of interest that could result in favoring a particular candidate or consortium of companies, which may not serve the best interest of the population, project, or the objectives established to be completed.
Some government personnel have been ill trained on identification technology or have not been updated on the new terminology or best practices. In this regard, SCALA, by providing impartial information and training, helps government agencies to understand industry jargon and differentiate it from commercial terminology. These terms may get confused, be accidentally entered into public tenders, and become generally accepted terms, creating embarrassing moments for both governments and private companies.
To mitigate this situation, SCALA has been developing a comprehensive impartial educational program for professionals, governments, end users, and future generations to enter the Integrated Circuit Card (ICC) industry. It is meant to help professionals understand the ICC role, which will be the driving technology for identification, government, mobile, payments, transportation, healthcare, access control, and now the “Internet of Things.” Our educational programs are based on the adapted and translated materials from the Smart Card Alliance Certified Smart Card Industry Professional (CSCIP) training program. The program combines classroom-style training, online materials for self-study, hands-on training, and up-to-date information for smart card industry professionals to obtain this certification. It is also critical that SCALA help new industry professionals work with ICC and future technologies. We want to create opportunities within our industry and also complement academic training. As a result, SCALA has been in discussions with several international universities for the development of our Center of Excellence, which will encompass the entire spectrum of the training requirements of existing industry professionals, government representatives, and future experts. Smart Card Alliance Latin America (SCALA) has the responsibility to promote innovation, interoperability, and education related to the use of smart card technology in Latin America and the Caribbean. SCALA invites you to investigate the uses, benefits, and opportunities for training on smart card technology that our organization can offer to develop a successful identification project. If you would like further information, please contact us at scala@smartcardalliance.org. Please mark your calendar for our next conference event, SCALA Government ID & PKI Summit, scheduled for September 16-18, 2014, in San Jose, Costa Rica.
Sincerely,
Edgar Betts
Associate Director, Smart Card Alliance Latin America (SCALA)
ebetts@smartcardalliance.org
www.sca-la.org
member profile
This quarter Smart Card Talk spoke with Neville Pattinson, SVP Government Sales for Gemalto North America. Pattinson, who holds three industry designations – CISSP, CIPP and CSCIP – is also the technical vice-chairman of the Smart Card Alliance and sits on the board of NSTIC’s Identity Ecosystem Steering Group. He previously served a five-year term on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.
1. What are your main business profile and offerings?
Gemalto enables organizations to offer trusted and convenient digital services to billions of individuals. We help put a wide range of secure devices in the hands of billions of people all around the world - and we enable our clients to stay in touch with them throughout their life-cycle. Every day, corporations and governments across the globe trust us to help them provide secure, convenient services for their users. Each time their customers, employees and citizens want to transact, connect or identify themselves, our solutions are there to make it safer and easier. Whether they’re communicating, banking, doing business online, using eGovernment or eHealth services, transferring money, accessing cloud services, verifying identities and protecting privacy, or benefitting from machine-to-machine (M2M) communications, people all over the world rely on Gemalto every day. Our expertise spans the entire process of creating digital security solutions for our clients and their customers. We develop secure software and operating systems which we embed in billions of trusted devices of many kinds, like UICC cards, banking cards, tokens, electronic passports or ID cards. We personalize these devices, and deploy the software and services for managing them and the sensitive data they hold throughout their life-cycle.
2. What role does smart card technology play in supporting your business?
The scope of uses for a smart card has expanded each year to include applications in a variety of markets and disciplines. Businesses, the government and healthcare organizations continue to move towards storing and releasing information via networks, Intranets, extranets and the Internet. These organizations are turning to smart cards to make this information readily available to those who need it, while at the same time protecting the privacy of individuals and keeping their informational assets safe from hacking and other unwanted intrusions. That’s where Gemalto comes in. At the core of our business is the development of software which we configure and embed in a multitude of different devices and form factors. Our solutions and services include, for example, many kinds of payment cards, secure eBanking devices, authentication tokens, machine identification modules (MIM), and secure ID documents including ePassports, eID and eHealth cards, as well as eDrivers’ licenses.
3. What trends do you see developing in the market that you hope to capitalize on?
In general, given recent security breaches and whistleblowing, there is heightened awareness in the United States toward personal privacy, secured identities and fraud prevention. 2014 is shaping up to be the year of authentication. E-verify legislation in regard to immigration, an upgrade to a chip-and-PIN Social Security card system, a chipped Medicare card, and eDrivers’ licenses are just some of the tools being considered. How we secure our mobile devices will also continue to be a topic of discussion. Securing the mobile identity of a workforce that is increasingly more mobile and digitally inclined demands solutions from companies like Gemalto.
4. What obstacles to growth do you see that must be overcome to capitalize on these opportunities?
Policy and adoption will be key factors. Legislation to upgrade the Medicare card to include a chip is currently running through Congress. Medicare fraud in the U.S. is estimated at $60 billion; upgrading the Medicare card to include a chip and offer a companion ID card for providers would cut that in half. There is also some discussion at the state level around upgrading the security features of drivers’ licenses. There are states, like Florida, that have started to talk seriously about the benefits of smart card chip technology. Adding a chip into all drivers’ licenses could open up the flood gates for other benefits from this card and help centralize identity management. Combining all of the different identification documents that are provided by different state agencies into one smart card that could be used for programs like Medicaid benefits, food stamps, and drivers’ licenses could be the future in helping states save money.
5. What do you see are the key factors driving smart card technology in government and commercial markets in the U.S.?
The world is increasingly digital, wireless and interconnected. We, as an industry, are actively involved in protecting citizens’ information and working to develop solutions that will help secure data through strong authentication solutions. One factor driving the adoption of smart card technology in government and commercial markets in the U.S. is awareness. We’re having the discussions on security; we have a seat at the table; and we’re presenting solutions to the issues that plague the market. Another factor is necessity. The need for modernization of our current authentication methods and for smart card technology has never been stronger. Smart cards are a reliable solution that can shield against identity theft and fraud, thereby ensuring the privacy of our clients as they interact, do business, grow and prosper.
6. How do you see your involvement in the Alliance and the industry councils helping your company?
The Smart Card Alliance is helpful in educating the public about the advances in smart card technology and the security benefits provided. Identity management and authentication problems are faced in many industries, and by providing information about smart card resources, the Smart Card Alliance is successful in working toward helping the U.S. government and companies like Gemalto architect a safe, secure, and interoperable IT infrastructure for our citizens.
7. What are some of the challenges you see confronting the smart card technology industry?
With an increasingly digital lifestyle, there is a growing need for solutions and services that protect and secure against unseen threats. Digital security comes in many different form factors including smart card technology. We develop secure software and operating systems which we embed in billions of trusted devices of many kinds, like UICC cards, banking cards, tokens, electronic passports or ID cards. As traditional smart card technology continues to develop and innovate, form factors such as mobile derived credentials will bring new opportunities to the industry. Gemalto’s vision is to provide digital security solutions and services that enable citizens, employers and governments to have the security needed to live their lives freely and conveniently.
Member point of contact:
Neville Pattinson
SVP Government Sales, Gemalto North America
Neville.pattinson@gemalto.com
Twitter: @Neville_Gemalto
feature article
EMV Chip and PCI Standards – A Strong Combination
As evidenced by recent high-profile breach incidents, securing payment data and protecting against card fraud in today’s world are increasingly complex challenges. EMV chip is an extremely effective method of reducing counterfeit and lost/stolen card fraud in a face-to-face payments environment. That is why the PCI Security Standards Council supports the deployment of EMV chip technology. But it’s important to remember that there’s no single solution that addresses all security challenges. Global adoption of EMV chip, including broad deployment in the U.S. market, does not preclude the need for a strong data security posture to prevent the loss of cardholder data from intrusions and data breaches. PCI Standards in concert with EMV chip and other technologies that devalue data provide a multi-layered strategy for defending against criminals that are after card data for fraudulent use.
Multi-channel Protections
EMV chip provides excellent protection against fraud in a face-to-face environment, but payment cards are used in a variety of remote channels—such as electronic commerce—where today’s EMV chip technology is not typically an option for securing payment transactions. Those countries that have adopted EMV chip have experienced a significant spike in other types of fraud, especially in card-not-present environments. Consequently, the industry needs to continue to protect cardholder data across all payment channels to minimize the ongoing risks of data loss and resulting cross-channel fraud that may be experienced in the online channel. The controls outlined in the PCI Data Security Standard (PCI DSS) offer protections for multi-channel organizations to apply to their entire payment infrastructure, including e-commerce environments, for the protection of payment data.
Security at the POS
EMV chip migration is a great opportunity to look at point-of-sale (POS) device and terminal security, and for merchants to invest in equipment that provides the strongest security protections (see the PCI listing). For example, EMV chip technology does not prevent memory scraping, a technique that has been highlighted in press reports of recent breaches. Other safeguards are needed in order to do so. In our latest versions of security standards for POS devices (PCI PIN Transaction Security Requirements), we include requirements to further counter this threat – such as tamper responsiveness so that devices will “self-destruct” if they are opened or tampered with, and the creation of electronic signatures that prevent applications that have not been “whitelisted” from being installed. Our recently released update to the standard, PTS 4.0, requires a default reset every 24 hours that would remove malware from memory and reduce the risk of data being obtained in this way. As the market migrates payment terminals to support deployment of EMV chip, we also advocate for all involved to consider additional layers of security for data protection such as tokenization and encryption that can further limit payment card data from being stolen.
Getting ready for EMV Chip:
• EMV chip needs PCI DSS
• Don’t forget e-commerce security
• Upgrading terminals? Make sure your EMV chip terminal meets PCI PTS requirements
A Layered Approach
It’s important to keep in mind that implementing EMV chip doesn’t do away with the need for secure passwords, patching systems, monitoring for intrusions, using firewalls, managing access, developing secure software, educating employees, and having clear processes for the handling of sensitive payment card data – all of which are covered in the PCI Standards. Layered controls and processes are critical for all businesses—both large retailers and small businesses—who themselves have become a target for cyber criminals. Protection is also needed against attacks that take advantage of unauthorized access, introduction of malware, and subsequent exfiltration of cardholder data. Failure of other security protocols required under Council standards is necessary for malware to be inserted. Used together, EMV chip technology and PCI Standards, along with many other tools, can provide strong protections for payment card data. I want to take this opportunity to encourage all parties in the payment chain—whether they are EMV chip ready or not—to take a multilayered approach to protect consumers’ payment card data. There are no easy answers and no shortcuts to security. Global adoption of EMV chip is necessary and important. Indeed, when EMV chip technology does become broadly deployed in the U.S. marketplace and fraud migrates to less secure transaction environments, PCI Standards will remain critical.
Bob Russo is General Manager of the PCI Security Standards Council, an open global forum launched in 2006 and responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements. For more information on how PCI Standards and EMV chip work together, visit the PCI SSC website and check out their new infographic and video.
council reports
Updates from the Alliance Industry Councils
Access Control Council
• The Access Control Council approved a project to develop a guide specification for architects, engineers, consultants, integrators, manufacturers and end users that would allow them to easily incorporate smart card-based PACS cards and readers into the A&E specification for non-government PACS.
• The Council submitted comments to NIST on SP 800-157, “Guidelines for Derived PIV Credentials” (in collaboration with the Identity Council).
• The Access Control Council is compiling comments on the NIST second draft of SP 800-73-4 and will be submitting the comments to NIST in June.
Health and Human Services Council
• The Health and Human Services Council had a panel at the National Association of Healthcare Access Management (NAHAM) Conference, “Patient Access: Best Practices and Standards for Patient Authentication.” Morgan Richard (XTec) moderated the panel, with David Batchelor (LifeMed ID) and two LifeMed customers as panelists.
Identity Council
• The Identity Council is collaborating with the Access Control Council on a white paper on converging physical and logical access.
Mobile and NFC Council
• The Mobile & NFC Council published the white paper, “Bluetooth Low Energy (BLE) 101: A Technology Primer with Use Cases.” The white paper was developed to provide an educational resource on Bluetooth low energy, describing what it is, how it’s used, how it fits with other mobile technologies, and what security aspects should be considered for BLE-enabled applications. Mike English (Heartland Payment Systems) led the project. Members involved in the development of this white paper included: Advanced Card Systems Ltd.; Booz Allen Hamilton; Capgemini USA Inc.; CH2M Hill; Cubic Transportation Systems, Inc.; Discover Financial Services; First Data Corporation; Fiserv; Giesecke & Devrient; Heartland Payment Systems; Identification Technology Partners; Ingenico; Intercede; IQ Devices; Morpho; NXP Semiconductors; Oberthur Technologies; Underwriters Laboratories (UL). The white paper is available on the Smart Card Alliance web site.
• The Council is now completing its second white paper, “Host Card Emulation (HCE) 101,” with publication planned this summer.
Payments Council
• The Payments Council has launched three projects: a white paper on EMV and data breaches; a white paper on the “true cost” of data breaches; and a white paper on EMV, tokenization and encryption. Project teams are now drafting and discussing content.
Transportation Council
• The Transportation Council launched a new white paper project on EMV impact on parking. The project team is now drafting content for the white paper.
• Other projects in process include: a white paper on EMV and transit; a transit/payment brand project on transit challenges with open payments.
Other Council Information
• Members from the Access Control, Identity, and Mobile & NFC Councils presented in the ISC West pre-conference workshop, “Mobile Devices and Identity and Access Control Applications,” on April 1, in Las Vegas, NV. Presenters included: Tvrtko Barbaric (NXP Semiconductors); Peter Cattaneo (Intercede); Sal D’Agostino (IDmachines); Frazier Evans (Booz Allen Hamilton); Julian Lovelock (HID Global); David Mahdi (SecureKey); James McLaughlin (Gemalto); Jonathan Mooney (Allegion); Dale Porter (CorFire); Steve Rogers (IQ Devices); Lars Suneborn (Identiv).
• Members from the Mobile & NFC Council presented in the NFC Solutions Summit pre-conference workshop, “NFC Mobile Security Approaches and Business Applications Workshop,” on June 2, in Austin, TX. Presenters included: Maarten Bron (UL); Peter Cattaneo (Intercede); Stu Cox (Giesecke & Devrient); Mike English (Heartland Payment Systems); Jeff Fonseca (NXP Semiconductors); Roger Hornstra (Identiv); Pedro Martinez (Gemalto); Tony Sabetti (Isis); Sree Swaminathan (First Data); Tom Zalewski (CorFire).
• Members-only council web pages were updated and are available at http://www.smartcardalliance.org/councils. These are password-protected pages that contain council working and background documents and contact lists. Each Council area has a separate password since Councils may have different membership policies. If you are a Smart Card Alliance member and would like access to a council site, please contact Cathy Medich.
Alliance Members: Participation in all current councils is open to any Smart Card Alliance member who wishes to contribute to the council projects. If you are interested in participating in any of the active councils, please contact Cathy Medich.
from the alliance office
Welcome New Members
• AT&T Mobility Services LLC, General
• Discover Financial Services, Latin American General
New CSCIP Recipients
• Phuong Tran, WMATA
New CSCIP/P Recipients
• Allen Friedman, Ingenico, North America Payments
For more news, visit our website at www.smartcardalliance.org. Members can also access white papers, educational resources and other content.
About Smart Card Talk
Smart Card Talk is the monthly e-newsletter published by the Smart Card Alliance to report on industry news, information and events and to provide highlights of Alliance activities and membership.
191 Clarksville Road
Princeton Junction, New Jersey 08550
1.800.556.6828
Fax: 1.609.799.7032
info@smartcardalliance.org
www.smartcardalliance.org
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.