July 2015 Monthly Member Bulletin
More ID Breaches Occur as Payments Migration Remains On Track
Dear Members of the Smart Card Alliance,
After spending the last few months writing about the trials and tribulations of our federal government and the pitiful usage rates of government employee ID cards and healthcare IDs, I hoped to shift gears and talk about the positive results we are hearing on the payments front regarding the migration to EMV chip technology. However, before I jump into the payments waters, I want to talk about alarming new developments on the government security front, and some recognition by top leaders that action on implementing strong authentication needs to begin now.
Largely driven by the humiliating record on progress reported in government’s 2015 FISMA report — that 41% of civilian agency personnel were using PIV credentials to log in — followed by the troubling announcement that 4 million personnel files were stolen by Chinese hackers from the Office of Personnel Management (OPM), Tony Scott, the Federal CIO, announced on June 12th an initiative called the 30 Day Cybersecurity Sprint. The emergency cyber cleanup concentrates on instituting two-factor authentication; increased monitoring of networks for signs of hacking activities; and patching older systems as well as more securing more recent vulnerabilities.
Such aggressive action to enforce the use of PIV for two-factor authentication is starting to show results, with a 20% increase in usage in one month. Yet before the 30 day period even came to a close, new revelations of a previous massive data breach totaling 21 million civilian and military personal records was reported last week by OPM. This breach actually occurred before the 4 million data breach.
It took the impact of 9/11, plus three more years, to jolt the government into action with the signing of HSPD-12 in 2004. This directive created the smart card-enabled PIV ID card and the mandate to issue them to every federal employee. After this latest OPM data breach, which includes sensitive security clearance records of all government personnel and individuals requesting security clearances, Social Security numbers, email addresses, and some biometrics, I don’t think it will take more than a few months before we see a mandate for all agencies to begin using PIV cards for network log in as well as enforcement for the mandate.
On the EMV migration front, there is good news to report from the most recent EMV Migration Forum Members Meeting, held on June 23-24 near Washington’s Dulles airport. Consumer awareness about chip cards has reached 71%, according to a recent MasterCard poll. This has been driven by multiple market actions: successful consumer education tools like the www.GoChipCard.com website created by the Forum; recent feature stories in consumer news outlets about how payments are changing with more secure chip technology; and the fact that most of the top 10 issuing banks (which account for over 80% of the consumer credit cards and 60% of the debit cards) have been doing mass replacements of existing mag stripe cards with new chip cards for the last 6 months.
Merchants have so far been slower to turn on the chip-enabled terminals, except for Walmart and Sam’s Club. This is mostly because merchants have no incentive to be early adopters and take on the responsibility for training a legion of shoppers who will find out that swiping their cards will no longer work and they have to follow the terminal prompts to learn how to use their new chip cards. That will take some time for consumers and store employees to get used to. If more big retailers time their activation in a similar time frame, the consumer learning curve will be swift and the burden of teaching shoppers how to transact with their new chip cards will distributed evenly among everyone.
However, waiting too long will also have consequences. Once summer turns into fall and the fraud liability shift takes place in October, retailers will be dangerously close to their holiday season when IT systems are locked down and no changes to software and hardware are permitted. If bugs in their EMV software show up during the holiday season, there will be little choice but to live with the problems and experience customer service problems, or enable “fall back” to magnetic stripe transactions; this could lead to higher numbers of declined transactions for consumers and merchants taking on the counterfeit fraud liability that comes with being the least secure party in the payment transaction. Issuers don’t want to see that happen either. Data breaches and counterfeiting incidents that occur during the holiday season and after issuers have completed the conversion to chip cards are going to cost issuers three to four times more to replace each card if a breach occurs, even if they cancel the card before any fraudulent activity happens.
The one segment of the merchant market that seems to be having the least trouble with the migration to chip are the small merchants and individual micro-merchants. New terminals are showing up everywhere you turn — in small gift shops, ice cream stores, and flower shops. Those merchants were able to buy or lease a new terminal for not much more than they were paying for their previous terminal. These standalone devices don’t involve costly upgrades to specialized point of sale machines and third party payment software that chain stores and medium-size merchants use. Because there are also fewer check-out lines and staff to train, these shop owners are happily accepting a mix of chip cards and older mag stripe cards rather seamlessly. It even gives these shops an opportunity to interact with their customers in a new and helpful way and make the shopping experience for customers better because they learned how to use their new cards and felt safer shopping at a store that cares about their security. It is not going to be like this everywhere, particularly when lines back up this summer with confused and impatient shoppers and frustrated cashiers, but that is another reason to seek out a local merchant and slow down, relax, and enjoy the summer.
Thank you for support of the Smart Card Alliance.
In The Spotlight
Giesecke & Devrient (G&D)
A 2014 Smart Card Alliance Company of Excellence (COE) recipient, Giesecke & Devrient (G&D) is a privately held, international corporation headquartered in Munich, Germany. The company was founded in 1852, and has 58 subsidiaries in 31 countries today. G&D employs over 10,000 people worldwide with annual revenue exceeding $2.4 billion. A leading international technology provider with a long tradition, G&D develops, produces, and markets products and solutions for payment, secure communication, and identity management. G&D maintains a leading competitive and technological position in these markets. The group’s clients most notably include central banks and commercial banks, wireless communications providers, businesses, governments, and public bodies.
What are G&D’s main business profile and offerings?
Life has become mobile – G&D ensures that it stays safe. When societies were still governed by geography, we had borders and boundaries to hold us back. But the digital revolution has allowed us to transcend those at the speed of light. Instant data sharing has become a way of life for billions of people worldwide and the age of the globally connected society has begun. But there is one thing that will never change: our need for security. That’s where G&D comes into play.
Our solutions, products, and services range from innovative hardware and software to end-to-end solutions for EMV, SIM and Device Management, LTE, Mobile Authentication, Subscription Management and M2M, as well as NFC for secure elements and HCE. In addition to spearheading mobile security solutions, G&D is also a leading company offering banknote and security printing, security paper, and banknote processing services.
What role does smart card technology play in your business?
For G&D, it’s all about securing credentials. Over the past 40 plus years, G&D has developed smart card technology, driven standards to ensure interoperability, educated our customers and built strong, mutually-beneficial relationships with banks, mobile network operators, transit authorities, governments and corporations. With convergence occurring in these industries, G&D is a present force, securing transactions and authenticity with smart card technology. We have a unique ability to bridge the gaps in the new ecosystem – with partnerships and technology – and to help drive adoption of new technology, such as HCE.
G&D continually develops new products and services to meet market demands and innovations to eliminate obstacles to smart card adoption. We actively participate in dozens of standards bodies and industry organizations, like the Smart Card Alliance, to further interoperability. In order to continue to build relationships with customers and dissolve potential concerns regarding our products and solutions, we have regular and constant discussions with customers, potential customers, and industry associates – such as those within the Alliance’s industry councils and the EMV Migration Forum.
What trends do you see developing in your market?
Data breaches are keeping consumers up at night. Inherent aspects of smart card technology, such as encryption, can go a long way towards mitigating some of the risks, but only if those methods are used. G&D, and the industry as a whole, has an opportunity to educate and strongly encourage the use of such methods to shore up the software implementations and infrastructure in order to minimize the weak links.
The focus for the U.S. payment market – and G&D – continues to be on EMV migration as we’re approaching the fraud migration deadline in October. As a world leader in this area, G&D is helping customers navigate the complexity of this space and deliver future proof, Durbin-compliant solutions.
G&D is also actively participating in the emerging markets of NFC and M2M. Both of these areas are a natural extension of our expertise in smart card technology. While not a new technology, NFC is transitioning from small pilots to commercial implementations. This market is also bringing new players into the mix that have not traditionally participated in the smart card space, which alters the landscape and encourages new partnerships. With embedded SIMs, the M2M market has introduced new complexities for subscription management, a new group of participants and new considerations as to how smart card products impact the daily lives of consumers. Securing the Internet of Things (IoT) will be critical going forth.
What obstacles to growth do you see that must be overcome to capitalize on these opportunities?
The obstacles to growth in these areas have not changed. We have been challenged by a lack of infrastructure, consumer fears, and security concerns since the inception of smart card technology. Interoperability of IT system components is another major area to overcome, particularly with legacy systems that don’t communicate with each other. Over the years, consumer knowledge has greatly increased – and with EMV cards in consumers’ hands, we’ve made a giant leap forward, but even some who work in the smart card industry are cautious about the security risks associated with using aspects of the technology. To overcome these obstacles, we need to provide education, not only to the consumer, but also to the issuer/service provider to ensure that they are using the inherent security mechanisms, such as encryption, to protect consumers’ private information and reduce fraud.
For more information visit http://www.gi-de.com/usa/en/index.jsp.
Councils completed a webinar and white paper in June and have ten white paper projects in process. In addition, Council chairs or vice chairs participated in the Smart Card Alliance Board Strategy Meeting to discuss the status of their industry segments and Council projects.
- The Access Control Council submitted a response to the NIST request for input on the practical usability of the contactless PIV interface for the match-off-card biometrics use case.
- The Health and Human Services Council has two active projects: a white paper to respond to the GAO report, Medicare: Potential Uses of Electronically Readable Cards for Beneficiaries and Providers, and a white paper on EMV and the healthcare industry.
- The Identity Council is working on a white paper on the FIDO protocol and smart card technology.
- The Mobile and NFC Council hosted a successful webinar, Host Card Emulation (recording available), on June 18, with over 120 attendees and over 200 registrants. The webinar provided an overview of HCE and discussed security implementation considerations, examples of HCE use cases, and implementation challenges. The Council is also working on two new projects: a white paper on EMV and NFC (in collaboration with the Payments Council); a white paper on “NFC beyond payments.”
- The Payments Council is working on two new projects: a white paper on EMV and NFC (in collaboration with the Mobile and NFC Council); a white paper on tokenization.
- The Transportation Council completed the new white paper, EMV and Parking, in partnership with the International Parking Institute (IPI). The white paper was promoted at IPI’s annual conference. The Council is also working on: EMV and transit; reference enterprise architecture for transit open payments system.
The Smart Card Alliance also completed implementation of a new collaboration platform for Council communications and document sharing, https://sca-emfgroups.org. All Councils are now using the new platform to manage projects and mailing lists.
New EMV Resources
The EMV Migration Forum completed two new educational resources for the payments industry in June. All EMV Migration Forum resources are available on the EMV Connection web site.
New CSCIP Recipients
- Brent Arnold, XTec, Incorporated
- Matthew Ernst, XTec, Incorporated
- Thomas Keady, ICF International
- Stephen Mergens, XTec, Incorporated
- Rishi Purohit, ICF International
- Zachary Smith, SAIC
- Art Grijalva, TSYS
- Jin Hwan, TSYS
Upcoming CSEIP Training
The next training session for the CSEIP course will be held in Gaithersburg, MD (outside of Washington, DC), Aug. 11 – Aug. 13. This GSA-approved training program will provide certification required for E-PACS engineers employed by commercial organizations looking to bid on GSA procurement agreements for access control systems. The class fills up quickly, so register now if you’re planning on taking the class; the website lists other dates and locations of the training.
Register Now for the 2015 Member Meeting
Registration is now open for the Smart Card Alliance Member Meeting, an exclusive conference for members only. The conference will be held Oct. 4-6 at the Arizona Grand Resort in Phoenix. Training classes for CSCIP, CSCIP/G and CSCIP/P will be held on Oct. 4, with exams scheduled for Oct. 5. Plan ahead and register now for the training or exam.
Mark Your Calendars – NFC Solutions Summit
The NFC Solutions Summit, presented by the Smart Card Alliance and NFC Forum, will be held Oct. 7-8 at the Arizona Grand Resort in Phoenix. Do not miss this high-level meeting featuring speakers and presentations ranging from carriers, application developers, technology providers to end-users.
End-of-Year Publication – Showcase Your Company
The Smart Card Alliance will produce its popular “Annual Review” overview in December. If your company would like to be featured, please contact [email protected]ance.org about sponsorship opportunities.