January 2017 Monthly Member Bulletin
Executive Director’s Corner
Breaking Out of Our Information Bubbles
There is often an information bubble that influences how the payments industry interacts with each other to the detriment of change happening effectively and efficiently. There is a lot of evidence that people are unable to communicate and understand other people’s views because they live inside a bubble that only allows information in from select sources and blocks out everything else. These days, we are all aware of how another information bubble involving politics has heightened the partisan divide in our country.
Organizations like the Smart Card Alliance and our affiliated U.S. Payments Forum group try to break through the communications bubbles that inhibit effective communication and foster a broader understanding of how complex security solutions are implemented.
First, the organizations reduce the distance among technology providers, system integrators, and end users who are adopters of technology. By facilitating close contact and communal discussion of important topics, individuals can receive information and provide immediate feedback to the sources of that information in the form of questions or reactions to what was presented.
The U.S. Payments Forum has been very effective at breaking the information bubble concerning EMV chip technology’s introduction in the United States. One of the first bubbles broken was that the payments market in the U.S. was largely the same as other countries who had already adopted EMV, so it would be easy for the hardware and software providers of core infrastructure to deliver the same solutions they developed for the UK and Canada. After repeated face-to-face meetings among networks, issuers, merchants, processors and those organizations who provide the necessary EMV compliant hardware and software, we learned that the unique challenges involving debit and testing for highly customized third party applications prominent in the U.S. meant that existing rules and processes needed to change. Once the information bubbles were gone, the workarounds and changes in technology and policies to account for the uniqueness of the U.S. market were made.
The Smart Card Alliance has been effective in a similar way in breaking down the information bubble involving the use of PIV and PIV-I credentials in the federal government. It started with a NIST blueprint for a tamper-resistant, secure, interoperable identity card that could be rapidly authenticated. That work was completed largely with an information bubble around it, excluding card manufacturers, door access reader manufacturers and PACS integrators. Once the standards and requirements were made known, our Alliance members began a series of discussions and information exchanges with NIST to address problems with the way the standards were written and with the policies for how PIV cards would be used to secure the federal government. Those efforts led to a more collaborative discussion between the security industry and the federal government, which generated valuable input into the creation of a series of “Special Publications” which NIST produced to turn specifications into working security solutions that ultimately transformed the security industry.
Once these organizations break through the information bubbles among the stakeholders in these groups, the next step is communicating what has been learned to the broader industry as a whole. Producing white papers, infographics, webinars, workshops, and conferences open to the public are ways in which these organizations reduce the information bubbles that remain. Promoting the existence of these industry resources is done through numerous channels – email announcements, member bulletins, newsletters, and press releases – so this information is readily available and keeps bubbles from re-forming.
Our effectiveness in this mission is dependent on having a diverse membership base to draw information from and active individuals willing to collaborate with others in the ecosystem. The Smart Card Alliance and the U.S. Payments Forum are looking for new organizations who want to break down the information bubbles and foster a broader understanding of how complex security solutions are implemented through collaboration and active participation. If you are operating inside an information bubble or believe you can help remove the bubble that your customers are in, please consider becoming a member of either the Smart Card Alliance or the U.S. Payments Forum. We’ve now made it easier to fully participate in both organizations with a single, enhanced “PLUS” membership level. Here are the information links to the Smart Card Alliance and the U.S. Payments Forum membership details.
Thank you for your support of our organization.
Smart Cities Transportation Workshop
The Transportation Council and IoT Security Council have scheduled a two-day workshop Feb. 1-2 in Salt Lake City on security challenges associated with Smart City IoT initiatives. Register and learn more about the workshop.
In the Spotlight
As a Center of Excellence recipient for the third year in a row, XTec supports the Smart Card Alliance on several committees with both active participation and leadership. In addition, XTec has the most Certified Smart Card Industry Professionals in Government (CSCIP/G), a certification offered by the Smart Card Alliance. Below are thoughts from XTec’s Executive Vice President, Kevin Kozlowski.
What are your company’s business profile and its offerings?
XTec provides identity, credential and access management security solutions that are compliant with Federal mandates and standards. Our keystone solution, AuthentX, offers the only end-to-end, high assurance identity management infrastructure available for Government and commercial enterprises.
What role does smart card technology play in your business?
Smart card credentials anchor our technology solutions. In fact, both our history and our future as a company are intertwined with the evolution of smart card technology. We see smart card technology as a significant foundation in the evolving security and authentication market, and we want to offer our customers the greatest value by providing them with a solution that is designed to manage the smart card cryptographic components.
What trends do you see developing in your market?
In general, a move to cloud hosted technology has been huge. This is especially true for the physical access control market, which as a whole is generally behind in hardware and software. XTec has invested significantly in our cloud infrastructure with three high security data centers in the US and automated load balancing between all. This means our hosted customers’ uptime, whether it is card issuance, card authentication or validation, is over 99.9999%, which is crucial for rapid certificate validation for physical access control as well as newer derived (mobile) credential use. Secure mobile credentials could also be considered a “trend” but that technology is going to continue to evolve along with its use cases. XTec is currently issuing derived credentials for the Department of Homeland Security.
What things must you overcome to leverage those trends?
Given cloud hosted technology provides significant cost savings, the main focus is typically the security of the data in the cloud. Even this is dwindling with the federal government’s FedRAMP (The Federal Risk and Authorization Management Program) initiative along with the notion based on recent events that a server in a room in a federal building has the same vulnerabilities as a server in a room at a data center.
Visit XTec at http://www.xtec.com/
Councils completed new contactless EMV payments resources and published an IoT security white paper. Five councils also completed Steering Committee elections, and are now planning their 2017 activities.
- Council Steering Committee elections. The Access Control, Health and Human Services, Mobile, Payments and Transportation Councils have completed elections for their 2017/2018 Steering Committees. Officer elections are now in process for the Access Control, Health and Human Services, Mobile, and Payments Councils
- The Access Control Council is currently working on one project, the development of a PACS deployment playbook for the GSA CIO
- The Health and Human Services Council is recruiting healthcare industry stakeholders for their new Client Advisory Board and is working on a healthcare 2.0 webinar presentation
- The Internet of Things (IoT) Security Council completed the new white paper, Embedded Hardware Security for IoT Applications, describing the value of embedded hardware security in end devices used in IoT applications. The Council is also co-hosting the Smart Cities Transportation Workshop with the Transportation Council
- The Mobile Council hosted a successful EMV Tokenization webinar on November 3rd, covering an overview of EMV tokenization, requirements for token service providers and tokenization methods used in digital wallets. The Council is currently working on three white papers on: mobile identity authentication; mobile profiles and provisioning; and Trusted Execution Environment (TEE) 101
- The Payments Council added to its extensive resources on contactless EMV payments. The Council held a well-attended webinar, Contactless EMV Payments: Issuer Opportunities, on November 9th, published an updated Contactless Payments Security Q&A, and developed two infographics, Contactless Payments in the U.S.: Guides for Merchants and Issuers. The Council continues work on two other projects: EMVCo Payment Account Reference (PAR) use cases white paper; blockchain and smart card technology white paper
- The Transportation Council is working with the IoT Security Council to co-host the Smart Cities Transportation Workshop on February 1-2, at Utah Transit Authority, in Salt Lake City, UT. The Council is also currently working on the multimodal payments convergence white paper, updating the reference architecture white paper, and developing a webinar on mobile ticketing and NFC
- Council projects. A summary of all active Council projects is posted on the Smart Card Alliance members-only site
If you would like to participate in a Smart Card Alliance Council, please contact Mike Strock, [email protected].
New EMV Resources
The Smart Card Alliance and the U.S. Payments Forum (formerly the EMV Migration Forum) have produced a number of EMV resources.
Welcome New Members
- China UnionPay USA
- The Johns Hopkins University Applied Physics Lab
- Waltz, Inc.
Congratulations New Recipients
- Steven Mehler, WMATA
- Dennis Nguyen, WMATA
- Iniyan Sampath, Capgemini
- Wendy Brown, Protiviti
- Ryan Clapman, Protiviti
- Troy Hall, Johnson Controls
- Brian Frieze, FDA
- James Morton, NARA
- Kenneth Myers, Protiviti
- Jason Sargent, Protiviti
- Chad Stadig, Siemens
2017 Payments Summit – have you registered?
If you’ve not already done so, register today for the 2017 Smart Card Alliance Payments Summit, scheduled for March 27-30 at the Renaissance Orlando at SeaWorld. Check out the full agenda to start marking down what sessions you want to attend for the “Adapting to the World of Change” conference.
Upcoming CSCIP Sessions
The CSCIP/G training and exam will be held February 14-15, 2017, and the CSCIP/P training and exam will be held Feb. 22-23, 2017. Both trainings and exams will be held at the National Center for Advanced Payments and Identity Security in Arlington, VA. The CSCIP training and exam will be on the road in March, and is scheduled for March 6-7, 2017, at Corporate Identification Systems Group in San Antonio, TX. Classes fill up quickly so register soon.
Upcoming CSEIP Sessions
Two sessions for the CSEIP training and exam certification have been scheduled, and registration is now available. The first session is Jan. 31-Feb. 2, 2017, and the second is March 14-16, 2017. Both sessions will be held at the National Center for Advanced Payments and Identity Security in Arlington, VA.