January 2017 Monthly Member Bulletin

• From the Executive Director
• Transportation Workshop
• Spotlight on XTec
• Council Highlights and Other Resources
• 2017 Payments Summit Registration
• Upcoming Training Sessions

Executive Director’s Corner

Breaking Out of Our Information Bubbles

There is often an information bubble that influences how the payments industry interacts with each other to the detriment of change happening effectively and efficiently. There is a lot of evidence that people are unable to communicate and understand other people’s views because they live inside a bubble that only allows information in from select sources and blocks out everything else. These days, we are all aware of how another information bubble involving politics has heightened the partisan divide in our country.

Organizations like the Smart Card Alliance and our affiliated U.S. Payments Forum group try to break through the communications bubbles that inhibit effective communication and foster a broader understanding of how complex security solutions are implemented.

First, the organizations reduce the distance among technology providers, system integrators, and end users who are adopters of technology. By facilitating close contact and communal discussion of important topics, individuals can receive information and provide immediate feedback to the sources of that information in the form of questions or reactions to what was presented.

The U.S. Payments Forum has been very effective at breaking the information bubble concerning EMV chip technology’s introduction in the United States. One of the first bubbles broken was that the payments market in the U.S. was largely the same as other countries who had already adopted EMV, so it would be easy for the hardware and software providers of core infrastructure to deliver the same solutions they developed for the UK and Canada. After repeated face-to-face meetings among networks, issuers, merchants, processors and those organizations who provide the necessary EMV compliant hardware and software, we learned that the unique challenges involving debit and testing for highly customized third party applications prominent in the U.S. meant that existing rules and processes needed to change. Once the information bubbles were gone, the workarounds and changes in technology and policies to account for the uniqueness of the U.S. market were made.

The Smart Card Alliance has been effective in a similar way in breaking down the information bubble involving the use of PIV and PIV-I credentials in the federal government. It started with a NIST blueprint for a tamper-resistant, secure, interoperable identity card that could be rapidly authenticated. That work was completed largely with an information bubble around it, excluding card manufacturers, door access reader manufacturers and PACs integrators. Once the standards and requirements were made known, our Alliance members began a series of discussions and information exchanges with NIST to address problems with the way the standards were written and with the policies for how PIV cards would be used to secure the federal government. Those efforts led to a more collaborative discussion between the security industry and the federal government, which generated valuable input into the creation of a series of “Special Publications” which NIST produced to turn specifications into working security solutions that ultimately transformed the security industry.

Once these organizations break through the information bubbles among the stakeholders in these groups, the next step is communicating what has been learned to the broader industry as a whole. Producing white papers, infographics, webinars, workshops, and conferences open to the public are ways in which these organizations reduce the information bubbles that remain. Promoting the existence of these industry resources is done through numerous channels – email announcements, member bulletins, newsletters, and press releases – so this information is readily available and keeps bubbles from re-forming.

Our effectiveness in this mission is dependent on having a diverse membership base to draw information from and active individuals willing to collaborate with others in the ecosystem. The Smart Card Alliance and the U.S. Payments Forum are looking for new organizations who want to break down the information bubbles and foster a broader understanding of how complex security solutions are implemented through collaboration and active participation. If you are operating inside an information bubble or believe you can help remove the bubble that your customers are in, please consider becoming a member of either the Smart Card Alliance or the U.S. Payments Forum. We’ve now made it easier to fully participate in both organizations with a single, enhanced “PLUS” membership level. Here are the information links to the Smart Card Alliance and the U.S. Payments Forum membership details.

Thank you for your support of our organization.

Smart Cities Transportation Workshop

The Transportation Council and IoT Security Council have scheduled a two-day workshop Feb. 1-2 in Salt Lake City on security challenges associated with Smart City IoT initiatives. Register and learn more about the workshop.

In the Spotlight

As a Center of Excellence recipient for the third year in a row, XTec supports the Smart Card Alliance on several committees with both active participation and leadership. In addition, XTec has the most Certified Smart Card Industry Professionals in Government (CSCIP/G) a certification offered by the Smart Card Alliance. Below are thoughts from XTec’s Executive Vice President, Kevin Kozlowski.

What are your company’s business profile and its offerings?
XTec provides identity, credential and access management security solutions that are compliant with Federal mandates and standards. Our keystone solution, AuthentX, offers the only end-to-end, high assurance identity management infrastructure available for Government and commercial enterprises.

What role does smart card technology play in your business?
Smart card credentials anchor our technology solutions. In fact, both our history and our future as a company are intertwined with the evolution of smart card technology. We see smart card technology as a significant foundation in the evolving security and authentication market, and we want to offer our customers the greatest value by providing them with a solution that is designed to manage the smart card cryptographic components.

What trends do you see developing in your market?
In general, a move to cloud hosted technology has been huge. This is especially true for the physical access control market which as a whole is generally behind in hardware and software. XTec has invested significantly in our cloud infrastructure with three high security data centers in the US and automated load balancing between all. This means our hosted customers’ uptime whether it is card issuance, card authentication or validation is over 99.9999% which is crucial for rapid certificate validation for physical access control as well as newer derived (mobile) credential use. Secure mobile credentials could also be considered a “trend” but that technology is going to continue to evolve along with its use cases. XTec is currently issuing derived credentials for the Department of Homeland Security.

What things must you overcome to leverage those trends?
Given cloud hosted technology provides significant cost savings, the main focus is typically the security of the data in the cloud. Even this is dwindling with the federal government’s FedRAMP (The Federal Risk and Authorization Management Program) initiative along with the notion based on recent events that a server in a room in a federal building has the same vulnerabilities as a server in a room at a data center.

Visit XTec at http://www.xtec.com/

Council Highlights

Councils completed new contactless EMV payments resources and published an IoT security white paper. Five councils also completed Steering Committee elections, and are now planning their 2017 activities.

• Council Steering Committee elections. The Access Control, Health and Human Services, Mobile, Payments and Transportation Councils have completed elections for their 2017/2018 Steering Committees. Officer elections are now in process for the Access Control, Health and Human Services, Mobile, and Payments Councils
• The Access Control Council is currently working on one project, the development of a PACS deployment playbook for the GSA CIO
• The Health and Human Services Council is recruiting healthcare industry stakeholders for their new Client Advisory Board and is working on a healthcare 2.0 webinar presentation
• The Internet of Things (IoT) Security Council completed the new white paper, Embedded Hardware Security for IoT Applications, describing the value of embedded hardware security in end devices used in IoT applications. The Council is also co-hosting the Smart Cities Transportation Workshop with the Transportation Council
• The Mobile Council hosted a successful EMV Tokenization webinar on November 3^rd, covering an overview of EMV tokenization, requirements for token service providers and tokenization methods using in digital wallets. The Council is currently working on three white papers on: mobile identity authentication; mobile profiles and provisioning; and Trusted Execution Environment (TEE) 101
• The Payments Council added to its extensive resources on contactless EMV payments. The Council held a well-attended webinar, Contactless EMV Payments: Issuer Opportunities, on November 9^th, published an updated Contactless Payments Security Q&A, and developed two infographics, Contactless Payments in the U.S.: Guides for Merchants and Issuers. The Council continues work on two other projects: EMVCo Payment Account Reference (PAR) use cases white paper; blockchain and smart card technology white paper
• The Transportation Council is working with the IoT Security Council to co-host the Smart Cities Transportation Workshop on February 1-2, at Utah Transit Authority, in Salt Lake City, UT. The Council is also currently working on the multimodal payments convergence white paper, updating the reference architecture white paper, and developing a webinar on mobile ticketing and NFC
• Council projects. A summary of all active Council projects is posted on the Smart Card Alliance members-only site

If you would like to participate in a Smart Card Alliance Council, please contact Mike Strock, [email protected].

New EMV Resources

The Smart Card Alliance and the U.S. Payments Forum (formerly the EMV Migration Forum) have produced a number of EMV resources.

• The Smart Card Alliance Payments Council added three new EMV resources
  • The webinar, Contactless EMV Payments: Issuer Opportunities, discussed how contactless fits into today’s payment industry; what is different from earlier adoption attempts; and what benefits issuers will realize with contactless EMV payments
  • Two infographics, Contactless Payments in the U.S.: Guides for Merchants and Issuers, provide an easy-to-use reference on the benefits of contactless acceptance and issuance for merchants and issuers
  • The updated Contactless Payments Security Q&A answers frequently-asked questions and includes discussion of contactless EMV payments using both dual-interface cards and mobile devices provisioned with contactless EMV payments applications
• The U.S. Payments Forum Testing & Certification Working Committee published an updated white paper, EMV Testing and Certification White Paper: Current Global Payment Network Requirements for the U.S. Acquiring Community. The December 2016 white paper includes updates from the global payment networks on testing requirements and addition of an appendix discussing Faster EMV (i.e., Quick Chip, M/Chip Fast) implications for testing and certification
• The U.S. Payments Forum published an update to EMV Implementation Guidance: Fallback Transactions, adding additional technical details

Welcome New Members

• China UnionPay USA
• The Johns Hopkins University Applied Physics Lab
• Waltz, Inc.

Congratulations New Recipients

CSCIP Certification

• Steven Mehler, WMATA
• Dennis Nguyen, WMATA
• Iniyan Sampath, Capgemini
  

CSCIP/G Certification

• Richard Hizon, Tyco

CSEIP Certification

• Wendy Brown, Protiviti
• Ryan Clapman, Protiviti
• Troy Hall, Johnson Controls
• Brian Frieze, FDA
• James Morton, NARA
• Kenneth Myers, Protiviti
• Jason Sargent, Protiviti
• Chad Stadig, Siemens