July 2014 Alliance Member Bulletin
Executive Director’s Corner
The Case for Sound Security Measures
Dear Members of the Smart Card Alliance,
“Back to the Future” is a cult classic movie for my generation, about a teenager who meets someone who invented a time machine in the form of a DeLorean car that allows him to go back in time to prevent something that will alter the future. I was reminded of this movie as I read about the problems at PF Chang’s, the restaurant chain that revealed they had suffered a data breach due to malware infecting their POS system. Management determined the only way to keep their business open was to abandon their card processing equipment and bring back manual credit card slips until they can complete the forensic analysis of the malware attack and clean up their POS system. In the face of unknown threats to its retail POS systems, those handwritten two-part slips of paper dragged through the old “knuckle buster” credit slip imprint machines were the best solution for this merchant at this time. Back to the future indeed.
I heard of another example of bizarre card fraud circumstances recently, this one involving car washes. Who would suspect that credit card fraud related to small, independently owned or franchised car washes would be a particularly attractive market segment for criminals to target? Yet, it was reported that a large number of stolen credit card numbers were showing up on black market web sites, originating from companies in the business of washing cars. It turns out that a particular manufacturer of POS software that is popular with car wash operators had been infected by a specific malware variant. These criminal forces found a way to determine the many locations using this system and penetrate them, probably through infected emails, to extract credit card data and send it to the criminals’ offshore website. What makes this scenario even scarier is that not only are the criminals selling the stolen credit card data, but they are also selling “developer’s kits” to aspiring criminals who can invent their own malware variants and find other unsuspecting targets to go after.
As our payments ecosystem moves forward with enhanced security measures such as EMV chip cards, PCI 3.0, and NFC mobile payments, we need to remind ourselves that addressing potential vulnerabilities is an ongoing process and not an end point. We tend to focus too much attention on the security of the perimeter, such as the WiFi or local network connections, and on the payment device, either the credit card or the mobile card-equivalent stored in the smart phone. We don’t tend to pay attention to all of the touch points in between, like the third-party POS software that is connected to the perimeter network and accepts the payment device, whether by swipe, tap, or insert. A sound security strategy takes a total end-to-end approach, in light of aggressive malware attacks that keep getting harder and harder to defend against.
Until EMV chip data or some accepted form of tokenization, with the dynamic data properties that effectively stop counterfeiting, is largely present in every retail location in the United States, hackers are going to continue to stalk retailers. These criminal packs will follow their prey and pick off the least protected retail systems like lions trailing a herd of antelope. As the clock slowly winds down for monetizing these retail system hacks, they are likely to increase in frequency because the selling prices are going to continue to drop, enticing more hacks. October 2015 is not going to be the end point for fraud risk and, in fact, fraud losses will continue for some time thereafter until chip transactions are the norm.
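The reason dynamic data stops counterfeiting, illustrated as an added example rather than anything from the bulletin or from the EMV specifications: static card data captured by POS malware can be re-presented by anyone, whereas a per-transaction cryptogram is bound to the amount, a terminal-supplied nonce and a counter the issuer tracks, so a captured copy is useless. The simulation below uses a toy HMAC-SHA256 tag in place of a real EMV cryptogram, a constructed test PAN and key, and the names `Chip`, `StaticCardIssuer` and `DynamicCardIssuer` are all assumptions of this example.

```python
"""Toy simulation: static magnetic-stripe data versus per-transaction dynamic data.

Added example, not the bulletin's or any card scheme's code. The cryptogram is a
truncated HMAC over (PAN, amount, ATC, nonce); real EMV cryptograms use other
algorithms and more fields, but the replay-resistance comes from the same
structure: a secret the chip holds, a counter, and terminal-supplied entropy.
"""
import hashlib
import hmac
import secrets


def compute_cryptogram(key: bytes, pan: str, amount_cents: int, atc: int, nonce: bytes) -> bytes:
    """Tag bound to every field the issuer will check. Changing any field breaks it."""
    message = f"{pan}|{amount_cents}|{atc}|{nonce.hex()}".encode()
    return hmac.new(key, message, hashlib.sha256).digest()[:8]


class StaticCardIssuer:
    """Magnetic-stripe model: the authorization carries only static data, so a
    copy of that data (skimmed or scraped from POS memory) authorizes as well
    as the original card does."""

    def __init__(self, pan: str):
        self.pan = pan

    def authorize(self, pan: str, amount_cents: int) -> bool:
        return pan == self.pan


class DynamicCardIssuer:
    """Chip model: the issuer holds the per-card key and the last counter seen."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key
        self.last_atc = 0

    def authorize(self, pan: str, amount_cents: int, atc: int, nonce: bytes, cryptogram: bytes) -> bool:
        if pan != self.pan:
            return False
        if atc <= self.last_atc:          # counter reuse: a replayed message
            return False
        expected = compute_cryptogram(self.key, pan, amount_cents, atc, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False                  # tampered field or forged tag
        self.last_atc = atc               # only advance on a valid transaction
        return True


class Chip:
    """Card side: holds the key and increments its transaction counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key
        self.atc = 0

    def generate(self, amount_cents: int, nonce: bytes):
        self.atc += 1
        tag = compute_cryptogram(self.key, self.pan, amount_cents, self.atc, nonce)
        return (self.pan, amount_cents, self.atc, nonce, tag)


def simulate() -> dict:
    pan = "4000001234567899"               # constructed test PAN, not a real account
    key = b"constructed-per-card-key-000000"  # constructed key shared by chip and issuer

    # Static data: the same captured PAN works for the original and any later use.
    static_issuer = StaticCardIssuer(pan)
    static_first = static_issuer.authorize(pan, 2500)
    static_reuse = static_issuer.authorize(pan, 99900)

    # Dynamic data: capture the first message exactly as malware on a POS would.
    chip = Chip(pan, key)
    issuer = DynamicCardIssuer(pan, key)
    captured = chip.generate(2500, secrets.token_bytes(4))
    dynamic_first = issuer.authorize(*captured)
    dynamic_replay = issuer.authorize(*captured)            # same counter: rejected

    # Re-presenting the captured tag with a bumped counter and new amount also fails,
    # because the tag was computed over the original counter and amount.
    c_pan, _, c_atc, c_nonce, c_tag = captured
    dynamic_tamper = issuer.authorize(c_pan, 99900, c_atc + 1, c_nonce, c_tag)

    # The legitimate card keeps working afterwards: the issuer's counter only moved on success.
    dynamic_second = issuer.authorize(*chip.generate(1200, secrets.token_bytes(4)))

    return {
        "static_first": static_first,
        "static_reuse": static_reuse,
        "dynamic_first": dynamic_first,
        "dynamic_replay": dynamic_replay,
        "dynamic_tamper": dynamic_tamper,
        "dynamic_second": dynamic_second,
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:15s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The point for a defender is in the last three results: a captured dynamic message is rejected on replay, rejected when edited, and does not lock out the real card. Captured static data, by contrast, is accepted every time, which is exactly what makes it worth stealing from a POS.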
There are going to be many more stories like the ones I have cited until the percentage of chip (card or mobile) on chip (terminal) transactions reaches about 50%, and, based on experience in other countries, fraud levels in the U.S. won’t drop to expected EMV market levels until that percentage reaches about 75%. Until then, we may be seeing more reminders of “Back to the Future” as electronic payments take a step backwards until there are sufficient chip cards and terminals in place to be moving forward again.
New Training & Certification Program
The Smart Card Alliance will offer the first session of its Certified System Engineer ICAM PACS (CSEIP) training and certification program July 28-30 in the Washington, DC area. This GSA-approved program provides advanced training for systems engineers on how to set up and test E-PACS to align with government-wide specifications. It will also offer the training and certification required for E-PACS engineers employed by commercial organizations that are looking to bid on GSA procurement agreements for access control systems. The classroom training curriculum will include the following learning objectives:
- Day One – Lecture and discussion from a prepared training script
- Day Two – Review of the lecture materials followed by extensive hands-on lab training experience on a live E-PACS system; Q&A
- Day Three – Written and practical exams to demonstrate that each person has understood the E-PACS training principles and can successfully apply their knowledge to configure and test an E-PACS system that will enable a successful end-to-end PIV-enabled access control transaction
Learn more about the program, requirements and fees.
The Smart Card Alliance Latin America chapter (SCALA) has signed a five-year agreement with Florida State University for the development of an industry Integrated Circuit Card (ICC) Center of Excellence for Latin America and the Caribbean. The Center will help to groom industry experts in areas related to smart card technology in industries that currently have scarce resources and limited training.
In The Spotlight
A 2013 Smart Card Alliance Company of Excellence (COE) recipient, XTec is a leader in secure, interoperable authentication and verification systems. The company develops, produces and licenses enterprise-level security solutions for credentialing, access control, information systems and electronic commerce for a wide range of government and commercial uses.
What are your company’s business profile and its offerings?
XTec is the premier provider of authentication and security solutions in today’s marketplace. Our keystone solution, AuthentX, offers the only end-to-end, high assurance identity management infrastructure available for Government and commercial enterprises.
What role does smart card technology play in your business?
Smart card credentials anchor our identity management and credential management solutions. In fact, both our history and our future as a company are intertwined with the evolution of smart card technology. Several decades ago, some of our staff members served as writers for the original Government Smart Card-Interoperability Specification, the precursor to today’s PIV requirements.
That intellectual investment in smart cards continues today, evidenced by the fact that we have more Certified Smart Card Industry Professionals/Government staff than any other vendor. We see smart card technology as a significant foundation in the evolving security and authentication market, and we want to offer our customers the greatest value by providing them with staff that are proven experts in this area.
What trends do you see developing in your market?
In the past few years, we’ve seen a gradual shift toward smart card-based solutions specifically for the enterprise. In fact, XTec has helped spur that trend by offering one of the only IDMS solutions designed with the enterprise in mind. More of our customers are realizing that threats to security and opportunities for fraud aren’t receding; they’re becoming more sophisticated, and they’re here to stay. And they demand equally sophisticated and long-lasting solutions. They’re discovering as the years go by that fragmented solutions with too many products coming from too many vendors make things expensive and complicated – unnecessarily.
When HSPD-12 came out, the Federal Government community recognized, on some level, the magnitude of the post 9/11 threat. But they may not have fully comprehended the scope, what the face of security in the Federal Government would look like moving forward. As more of our customers have come to accept this new reality, they’re looking to do more than just check the boxes for Federal requirements. They’re less interested in taking a piecemeal approach and more interested in establishing a full solution that will mature to match evolving government standards and accommodate future-looking initiatives like the FICAM roadmap.
What things must you overcome to leverage those trends?
In a word, misconceptions. Some customers hear words like “robust,” “comprehensive” and “long-term” and they think, “We can’t afford a solution like that.” But XTec has a history of meeting customers where they are. We believe in offering a solution that can work for 1 credential or 1 million credentials, and we’ve engineered our solution with scalability as a key component precisely for that reason. By establishing a scalable foundation, customers can expand as their workforce or their workload does.
Visit XTec at http://www.xtec.com/.
- The Access Control Council and Identity Council collaborated on developing and submitting comments to NIST on the second draft of SP 800-73-4, “Interfaces for Personal Identity Verification,” in June. Lars Suneborn (Identiv) led the project and we had broad member participation in developing and reviewing the comments, including: AMAG Technology; DMDC; Eid Passport; Gemalto; Giesecke & Devrient; HID Global; HP Enterprise Services; Identification Technology Partners; Identiv; IDmachines; IQ Devices; NXP Semiconductors; Oberthur Technologies; Roehr Consulting; Secure Mission Solutions; Stanley Security Solutions; U.S. Department of State.
- The Access Control Council has launched a new project to develop a guide specification for architects and engineers for smart card-based PACS cards and readers.
- The Payments Council is working on three new projects: a white paper on EMV, tokenization and encryption; a white paper on EMV and data breaches; and a white paper on the true cost of data breaches. Project teams are currently drafting content for these white papers.
- The Transportation Council launched a new white paper project on EMV impact on parking. The project team is now drafting content for the white paper.
Council participation is open to all Smart Card Alliance members. If you would like to participate in a Smart Card Alliance Council or in one of the Council projects, please contact Cathy Medich.
New Members & CSCIP Recipients
Welcome New Members
- Integrated Security Technologies, Inc., General member
- ITN International, Associate member
New CSCIP Recipient
New CSCIP/Payments Recipient
HSPD-12 10th Anniversary Event
Have You Registered?
A special one-day event commemorating the 10th anniversary of landmark security directive HSPD-12 will be held on July 31 at the Marriott Metro Center in Washington, DC. Government leaders and current heads of federal agencies are scheduled to speak. The event is free of charge to federal government employees who have a PIV card or Common Access Card (CAC) and is open to non-federal government attendees for a registration fee. Learn more details or register today.
New White Paper on BLE
The Smart Card Alliance Mobile and NFC Council recently published a white paper on Bluetooth low energy (BLE) that is an excellent resource on what BLE is, how it’s used and how it fits with other mobile technologies. Download this terrific educational resource from our website.
EMV Webinar Available
The EMV Migration Forum Communication and Education Working Committee presented a one-hour webinar on “Effective Communication Practices for U.S. Chip Migration,” which offered communications best practices for financial institutions and retail organizations to use with internal staff and their respective cardholders/customers. The webinar provided a takeaway framework for the creation of clear and effective communications for industry stakeholders, to aid the U.S. market in understanding and embracing chip payments and their many security benefits. You can download the webinar recording or the webinar presentation.