News : Newsletters : Alliance Member Bulletin : January 2019

12th Annual Payments Summit

The Payments Summit is the premier industry event covering all things payments, including FinTech, EMV chip technology, mobile wallets, NFC, contactless, open transit systems and more. This event marks the second year that the Secure Technology Alliance and the U.S. Payments Forum are combining the Payments Summit with the U.S. Payments Forum All-Member Meeting. If you have not yet registered, do so today and secure your spot at the most comprehensive gathering of card and payments professionals yet.

Register now for the Payments Summit.


Executive Director’s Corner

It Has to Get Bad Before Getting Better

At the start of each new year, there is an opportunity for a fresh look at security threats and challenges faced in this digital age.  Will the new year bring about a new wave of data breaches, internet viruses, and broken security promises?  Will our personal data and privacy be stolen and offered to the highest dark net bidder?  Will 2019 see the start of new regulations to finally hold internet companies and credit service providers accountable for breaches, and their deceptive practices that allow them to profit from our personal data?

I believe things must get bad before they start getting better.  We only need to look back over the last five years in the consumer payments space to see evidence that things had to get very bad first, before change would come.  According to The Nilson Report, in 2015, the U.S. accounted for 38.7%, or $8.45 billion, of gross card fraud losses worldwide, while generating only 22.9% of total global purchase and cash volume. U.S. fraud reached 11.76¢ per $100 in 2015, according to the company. In 2018, roughly four years after the adoption of EMV, counterfeit card fraud has declined about 70%. While overall fraud is still high due to increased spending online, fraud as a percentage of sales has dropped.

To further illustrate this point unrelated to payments security, one of the most damaging cyberattacks ever occurred about five years ago, when the federal government’s Office of Personnel Management (OPM) was breached.  Officials confirmed they suffered multiple attacks, and the second OPM breach snared security clearance files of current, former and prospective federal employees. The data included electronic forms, containing intimate details on those individuals, their contacts and families. Unconfirmed estimates of those affected by the data breach grew to as many as 14 million government employees and their families.  An intensive security upgrade program known as the “cyber-sprint” was employed shortly after this happened to upgrade the security of federal networks and to implement two-factor authentication for logical access security. Now, every federal agency has deployed two-factor authentication to eliminate the risk of criminals using stolen passwords to access sensitive systems.

Unfortunately, the vast healthcare IT market is poised to be the next big target for cyber criminals.  Now that electronic health records have become the norm for managing personal health information, the thin ranks of IT security professionals who protect thousands of hospitals, outpatient clinics, and insurance networks are the only line of defense protecting our information.  Two-factor authentication is rarely in place.  Just like the payments industry and the federal government, it is going to have to get bad before it gets better.  Here’s hoping that it doesn’t take a national crisis before that happens.


Council Highlights

  • Council projects. A summary of all active Council projects is posted on the Secure Technology Alliance members-only site
  • The Access Control Council is currently electing its 2019/2020 Steering Committee. The Council has two active projects: completing the enterprise PACS playbook and developing guidance to complement the NIST SP 800-116 v2 publication
  • The Identity Council has opened nominations for its 2019/2020 Steering Committee with an expanded number of categories and seats. The Council hosted its fourth webinar, Identity on a Mobile Device: Mobile Identity Proofing in Higher Education and Airport Wayfinding Use Cases, on December 13.  Speakers for the webinar were: Tom Lockwood, NextgenID; Chris Runde, American Association of Airport Executives; Mark Sarver, Biometric Signature ID; and Randy Vanderhoof, Secure Technology Alliance.  The Council is also continuing work on the mobile identity landscape white paper
  • The IoT Security Council hosted a successful webinar, IoT Security: Mitigating Security Risks in Secure Connected Environments, on October 11. Speakers included:  Steve Hanna, Infineon Technologies; Josh Jabs, Entrust Datacard; John Neal, NXP Semiconductors; Sri Ramachandran, G+D Mobile Security; Randy Vanderhoof, Secure Technology Alliance.  The Council is now developing its 2019 project plan
  • The Mobile Council held its third interactive web briefing to provide members with up-to-date education. The briefing, “Mobile in Transit,” was presented by David deKozan, Cubic Transportation Systems. The Council is starting to develop its 2019 plan and will be electing a new Steering Committee
  • The Payments Council is working on a new white paper on biometric payment cards to provide a high-level description of biometric payment cards to educate issuers on functionality and benefits
  • The Transportation Council held the very successful “Transit Payments Workshop,” on November 5, in collaboration with the U.S. Payments Forum’s Transit Contactless Open Payments Working Committee. Over 100 members and guests attended the workshop with many staying for the two-day Forum Member Meeting.  The Council Steering Committee has updated the Council charter and will start 2019 project planning

If you would like to participate in a Secure Technology Alliance Council, please contact Devon Rohrer.


Mobile and Digital Wallets Lunch & Learn Webinar Series

The U.S. Payments Forum Communications & Education and Mobile & Contactless Payments Working Committees are hosting a four-part webinar series on the U.S. mobile and digital wallet landscape.

The first webinar, Mobile Wallet Landscape, Models and Processes, was held on January 9 with over 230 attendees. The webinar described the main wallet models in market, the main differences and the factors that have led to the success or failure of each, and the technologies and processes used in their implementation.  Deborah Baxley, PayGility Advisors, and Mina Malak, G+D Mobile Security, presented.

Registration for the webinar series is available at:  https://register.gotowebinar.com/register/3089908444440419330.

Upcoming webinar dates:

  • Mobile Wallet Security Technologies and Approaches – Marianne Crowe, Federal Reserve Bank of Boston, January 23, 2019, 2pm ET/11am PT
  • Strategic Considerations for Merchants – Laura Townsend, Merchant Advisory Group, February 6, 2019, 2pm ET/11am PT
  • Strategic Considerations for Financial Institutions – Art Harper, PSCU, February 20, 2019, 2pm ET/11am PT

Register once for the three remaining webinars.

Those who participate in all four webinar sessions and in short online retention assessments will receive a certificate of participation from the U.S. Payments Forum and a registration discount to the 2019 Payments Summit.


New Forum Resource: Contactless at the ATM

The Forum’s ATM Working Committee published a new white paper, Guidelines for Contactless ATM Transactions – A Guide for ATM Owners and Operators.

The contactless ATM guide focuses on contactless transactions completed with Near-Field Communication (NFC)-enabled mobile wallets and contactless-enabled chip cards and is meant to serve as a starting point for contactless implementation. The guide includes:

  • The basics of contactless concepts
  • ATM contactless requirements – both software and hardware
  • Certification, testing and approvals requirements to support contactless transactions
  • The contactless ATM transaction process

The document provides guidance to ATM providers, acquirers, processors, and vendors who are preparing to implement contactless EMV transactions at their ATMs in the United States.  The white paper also highlights how contactless EMV transactions differ from contact-based EMV transactions and covers contactless transactions using a plastic card, NFC-enabled mobile device, wearable device or other NFC-enabled form factor.


New Forum Resource: True Costs of Fraud

The Forum’s CNP Fraud Working Committee published a new white paper, Understanding the True Costs of Fraud.  The white paper highlights the myriad forms fraud costs take and the impact they have on the various stakeholders, providing insights from different perspectives.  It presents three example case studies from different stakeholder perspectives to illustrate the cost of fraud.  The consumer, card issuer and merchant were selected as the stakeholders to highlight because they experience the most pain points in mitigating fraud risk and the most measurable losses when calculating the cost of fraud.


Congratulations New Recipients

CSCIP/G

  • Benjamin Globus, Securityhunters
  • Ross Nelson, Securityhunters
  • Paul Arsenault, Department of Homeland Security*
  • Vandy Hill, Department of Homeland Security*
  • Steven Holt, Department of Homeland Security*
  • Robert Mayes, Department of Homeland Security
  • David Walker, Department of Homeland Security*

CSCIP/P

  • Shing Hong Pang, American Express

CSEIP

  • Rick Burfield, Silent Partner Security Systems
  • Rob Edwards, Diversified
  • David Murray, scDataCom
  • Steven Peltier, Johnson Controls
  • Dustin Perkins, Orion Security Solutions
  • Melvin Terezon, CertiPath
  • Benjamin Williams, Probitas Technology

*Denotes corporate exam. For more information, contact Randy Vanderhoof.


New Training Location!

The Secure Technology Alliance Institute for Advanced Payments and Identity Security serves as the training and education organization for the Alliance. Unless otherwise noted, CSCIP and CSEIP trainings will be held at Identification Technology Partners, located at 12 S Summit Ave in Gaithersburg, MD.

CSCIP Training and Exam

  • Hyatt Regency Phoenix (Secure Technology Alliance 2019 Payments Summit)
    • March 14, 2019 (training), March 15, 2019 (exam)

CSEIP Training, Exam, and Recertification Dates

Unless otherwise noted, CSEIP training and exams will take place at The Training Center at Identification Technology Partners, located at 12 S Summit Ave in Gaithersburg, MD. Recertification is online-based only.

CSEIP Training/Exam

  • Jan. 22-24, 2019, Identification Technology Partners
  • Feb. 26-28, 2019, Identification Technology Partners
  • March 26-28, 2019, Identification Technology Partners
  • April 23-25, 2019, Identification Technology Partners


CSEIP Recertification

The online instructor-led review course is four hours, from 11 AM ET – 3 PM ET. The hour-long exam follows from 3 PM ET to 4 PM ET. Here are upcoming dates:

  • Jan. 18, 2019
  • Feb. 22, 2019
  • March 22, 2019
  • April 19, 2019



Follow the Alliance on Social Media

The Secure Technology Alliance has enhanced its presence on social media with robust platforms on Twitter and LinkedIn.  Here are some ways you can interact with the organization: