April 2016 Monthly Member Bulletin
Executive Director’s Corner
Dear Members of the Smart Card Alliance,
The Smart Card Alliance has been a leader in challenging commercial and government markets to put more emphasis on identity management, strong authentication techniques, and multiple layers of security to replace one-factor ID cards and passwords to access secure facilities and sensitive information networks. Another market in need of identity security has emerged for connecting millions of everyday devices to the Internet, like automobiles, home alarm systems, electric meters, medical devices, and even household items such as refrigerators and thermostats.
This new network of connected devices is called the Internet of Things, or IoT for short. Many of our member organizations who provide secure chips and services related to applications for chip technology are actively pursuing the IoT market –a market that is expected to grow to 21 million devices by 2020, according to Gartner.
IoT has also drawn the interest of the payments industry, with major investments by Visa and MasterCard and pilots for connected wearables, cars, and refrigerators already launched. The mobile industry is applying cellular technology to these connected devices and managing the transmission of the device-generated data with uplinks to the cloud. Healthcare, with its collection of medical equipment, home monitoring systems, and fitness bands and watches, is actively involved. Even our transportation industry has a stake in IoT for tracking buses and trains, monitoring traffic signals, and maintaining transit equipment and tolling systems more efficiently. Every market that has been an adopter of smart card technology and secure solutions also has an interest in IoT. So it makes sense that the Smart Card Alliance has an important role to play in making IoT more secure as well.
Too often, security is an afterthought in emerging markets experiencing rapid growth and lacking strong standards and regulations. The Smart Card Alliance wants to raise awareness about the requirements for security for developers and operators of nascent networks of connected devices and highlight best practices for using embedded security hardware and software in all connected devices. Embedded chip security is needed to protect the “identity” of each device, to prevent unauthorized tampering with how these devices are designed to work, and to protect the privacy and security of the vast amount of data the devices generate. A principle behind the security of smart chips is that the chips not only control how the devices perform under normal conditions, but also control how the devices react when they are attacked or tampered with in any way, including self-destruction, to prevent tampering. Applying those techniques – already proven and implemented for protecting and managing the identity of persons – will deliver a secure platform for the billions of connected devices.
Nowhere was such a dramatic lack of security demonstrated than the recent case of a Jeep Cherokee having its on-board computer hacked through an Internet connection to the car’s radio that allowed hackers to gain access to other critical systems connected to the car’s central computer. Once the hackers cracked the weak security, they took control of the operations of the car’s systems with the driver unable to control the car’s brakes, speed, radio and wipers, and other critical systems. That incident was a controlled test by engineers hired to demonstrate how easily a car’s computer system can be compromised and to show just how dangerous this could be for the automotive industry. The incident led to massive recalls of Chrysler vehicles to install costly security upgrades and a call for new regulations on computer security for connected cars.
To support these efforts to raise awareness of the security needs for IoT devices, and to promote the use of embedded secure chips to control them, the Alliance is creating the Internet of Things Security Council. An initial “call for participation” to Alliance members involved in other industry councils received more than 140 responses, and from those discussions, an interim leadership committee was formed to discuss initial Council activities. The member team is working on a charter and discussing possible Alliance projects. We are so confident that the Alliance is well represented by its current members to provide thought leadership to the discussion of IoT security that we have planned a new event, the Security of Things Conference, October 18-19 in Chicago.
Some of the early work for the new IoT Security Council will be to define a security framework for the Internet of Things and to explain how the same chip security and identity management approaches that are applied for systems involving people can work effectively at securing things. Over time, the Alliance can apply that awareness and knowledge to the major markets we already serve that are moving to IoT applications, such as payments, mobile, healthcare, and transportation. With strong results from the Council and a successful conference in October, we hope to attract new industry leaders from outside of the Smart Card Alliance who want to lend their knowledge and expertise about the Internet of Things to our focus on making IoT secure. If you are interested in joining this effort, as a member of the Smart Card Alliance or as an organization who is interested in and wants to shape the security and success of the IoT market, I invite you to contact me and get involved.
In the Spotlight
Hewlett Packard Enterprise
A 2015 Smart Card Alliance Company of Excellence (COE) recipient, Hewlett Packard Enterprise is an industry leading technology company, delivering services and business solutions for customers worldwide in multiple industry segments. The company provides advanced technologies in security, cloud, networking, software and data infrastructure to enable workplace productivity, protect the digital enterprise, empower the data driven organization and transform it to a hybrid infrastructure. Hewlett Packard Enterprise has over 80 patents and 51 years of experience.
Please describe your company’s business profile and its offerings
Hewlett Packard Enterprise specializes in full spectrum risk management solutions designed to help customers detect, prevent and remediate security vulnerabilities across their enterprise. Our security solutions provide advanced encryption, tokenization and key management that protect sensitive data across enterprise applications, payments ecosystems, mission critical transactions, storage, and big data platforms. Our solutions help protect organizations by building security into the fabric of the enterprise, proactively detecting, responding to threats and supporting recovery in the event of an incident. Safeguarding continuity and compliance will effectively mitigate risk.
From working within the U.S. public sector, Hewlett Packard Enterprise understands the unique missions and compliance requirements of government agencies. We help address key priorities and technology challenges to delivercomprehensive, scalable enterprise-class solution designed to guard sensitive assets through identity, credentialing, federation, and access management plus enhance security through continuous diagnostic mitigation and application security. We provide the correct mix of traditional IT, cloud and mobility that enables employees access to needed applications and data to collaborate and create instant value.Our strength is our people, our global reach and innovative technology. We are the enterprise transformation partner of choice and offer a new style of business for our clients.
What role does smart card technology play in your business?
Hewlett Packard Enterprise believes that Identity, Credentialing and Access management are key components in providing critical security services for all of our clients. They are inherently linked together with smart card technology as a building block to provide security services that will lay the foundation for a secure environment spanning facilities and cyberspace. It is this foundation of smart card based secure authentication and authorization that will help our clients meet compliance regulations, mitigate security risk and support the reduction of identity fraud. Our Assured Identity Credentialing capabilitysupports secure access to information, systems, and facilities through a comprehensive, scalable enterprise-class solution designed to guard sensitive assets through identity, credentialing and access management. It includes cost effective cloud-based delivery that allows our clients to pay only for the identity services they use.
As the leading expert in data-centric encryption and tokenization solutions for 1,100 of the world’s foremost enterprises, Hewlett Packard finds the use of smart card technology critical in supporting:
- Eight of the ten top U.S. banks
- Six of the seven top U.S. payment processors
- The top five global internet retailers
- The top five auto manufacturers
- Three U.S. tier 1 home improvement retailers
- Global leaders in retail, insurance, health care and telecommunications
What trends do you see developing in your market?
The integrated and secure workplace of the future will drive seamless and secure access to data anytime, anywhere on any device. Identity is a key cornerstone in securing data while driving a better user experience. Trends and maturing capability include digital IDs, derived credentials, mobile applications, mobile device management, mobile payments, EMV, Internet of Things, Big Data and biometrics. Hewlett Packard Enterprise also expects to see a stronger trend for “as a Service” capabilities in credentialing and identity and access management.
What things must you overcome to leverage those trends?
Hewlett Packard Enterprise will focus on proactive communication with our clients. We know that implementing better and more secure capabilities with less money is an ongoing challenge. This collaborative communication will create better understanding of why an initial investment to enhance security and prevent fraud and loss will save overall cost in the long run.
Our customers must want to secure their data at creation and have a “data-centric security” approach to protect sensitive information end-to-end across the entire transaction and company leveraging its data. Realization of the importance of identity verification, authentication and authorization by using a strong smart card technology tool to protect their information and access as well as their intellectual property, sensitive data and personal information is key. Understanding how an integrated and secure workplace will allow them to take advantage of trends, new capabilities and streamlined business processes will create a new style of business for them.
New trends and ever evolving technology can be mind boggling. Hewlett Packard Enterprise, as a trusted partner, will help organizations capitalize on comprehensive solutions and services that take advantage of their current investment and build in new technology and trends that make sense while enhancing security.
Learn more by visiting Hewlett Packard Enterprise.
Councils published an infographic and made progress on seven white paper projects. The Payments, Mobile and NFC, and Transportation Councils held well-attended in-person meetings at the Payments Summit earlier this month.
- The Access Control Council has posted a survey on priorities for next projects to get Council member input.
- The Health and Human Services Council published a new infographic, Healthcare 2.0: A New Paradigm for a Secure and Streamlined Healthcare Industry. The infographic depicts the impact of smart card technology on the future of healthcare identity authentication and suggests how current challenges can be solved through interoperability, increased security, and multi-factor authentication. The Council will be presenting the infographic as a poster at the upcoming National Association of Healthcare Access Management (NAHAM) conference.
- The Identity Council is completing the white paper on the FIDO protocols and smart card technology. Publication is expected by the end of April.
- The Mobile and NFC Council is working on a new white paper on mobile authentication of identity and the use of the authenticated identity in applications. The Council is also revising its charter to expand the Council’s activities to include all interface technologies and to focus on mobile applications requiring security.
- The Payments Council is working on three white papers: use cases for the EMVCo Payment Account Reference (PAR); blockchain and smart card technology; and contactless value propositions for issuers and merchants.
- The Transportation Council is currently working on two white papers: multimodal payments convergence and an update to the EMV and parking white paper published in 2015. The EMV and parking white paper update is scheduled to be complete by mid-May.
If you would like to participate in a Smart Card Alliance Council, please contact Mike Strock, [email protected].
New EMV Resources
The EMV Migration Forum completed two EMV resources. All EMV resources are available on the EMV Connection web site.
- The EMV Migration Forum published the new EMV Chip Implementation Best Practices web resource. This searchable resource to provide easy-to-find answers on commonly asked questions about best practices for implementing EMV chip technology. The best practices can be searched in the database or sorted by type, category, and stakeholder.
- The EMV Migration Forum published a new white paper, Merchant Processing during Communications Disruptions. The white paper outlines how to process EMV chip transactions when communications are disrupted, including EMV offline authorization, deferred authorization and force post of an EMV chip card transaction.
New Marketing Brochure
The Smart Card Alliance has developed a new marketing brochure that provides a high level overview of the organization, its mission and member benefits. Spread the word to industry colleagues who are interested but not yet members and invite them to download the brochure. If you’d like a printed copy, let us know.
Welcome New Members
- KICTeam, Inc.
- San Mateo County Transit District
- Gerald Murphy, Deloitte & Touche LLP, CSCIP/G recipient
- Jennifer Besenski, LTK Engineering Services, CSCIP/P recipient
- Greg Brown, JPMorgan Chase, CSCIP/P recipient
- Keith Flemons, LTK Engineering Services, CSCIP/P recipient
- Hitesh Shah, CPI Card Group CSCIP/P recipient
- Perry Galloway, Brivo Systems, LLC, CSEIP recipient
- Joe McCollum, Identiv, CSEIP recipient
- Opy Robbins, Bergelectric, CSEIP recipient
- Freddy Salas, TIC Security, CSEIP recipient
- Todd Soderstrom, Security Install Solutions, Inc., CSEIP recipient
- Nicholas Suarez, GSA, CSEIP recipient
- Rodney Taylor, Office of the Comptroller of the Currency, CSEIP recipient
- Jason Tesori, Bergelectric, CSEIP recipient
- Maniram Tiwari, Tyco Integrated Security, CSEIP recipient
- Ricardo Torres, Siemens Industry, Inc., CSEIP recipient
- Anthony Tran, Star Asset Security, LLC, CSEIP recipient
Registration Open – Government Conference
This year’s revamped Government Conference on June 6, called Securing Federal Identity 2016, will offer a refreshed look at Government Identity and Authentication. Join us and participate in the most important developments, innovations and experts in federal identity credentialing and access security; the event will be held at the Ronald Reagan Building and International Trade Center in Washington, D.C. Register or learn more details.
Save the Date for Security of Things (SoT) Conference
Details are forthcoming, but mark your calendar to attend a two day conference at the Hilton Rosemont Chicago O’Hare Hotel in Chicago Oct. 18-19, 2016 on the Security of Things. Registration information will be available later, so look for more information on this exciting new meeting.
Upcoming CSCIP Training
The Smart Card Alliance CSCIP training and exams will be held at the new National Center for Advanced Payments and Identity Security in Crystal City, just outside of Washington D.C, located at 2900 Crystal Drive, Arlington, VA. Classes fill up quickly so register now to reserve your spot.
- CSCIP/G training and exam, June 1-2
- CSCIP/P training and exam, June 27-28
- CSCIP training and exam, June 29-30