June 2016 Monthly Member Bulletin

• Executive Director’s Corner
• COE Spotlight: IDTP
• Council Highlights
• New EMV Resources
• Save The Date – Security of Things Conference
• Training Dates

Executive Director’s Corner

Dear Members of the Smart Card Alliance,

Much has been discussed and written in the press lately about the slow speed of EMV chip transactions and the long delays merchants are experiencing getting their businesses EMV certified. Once they are certified, they can begin accepting chip cards and avoid potentially costly chargebacks for counterfeit card transactions that happen at retailers who are not EMV-enabled.  The truths about EMV transaction times and the real reasons for why so many merchants are not yet EMV certified are hard to come by.  Perhaps I can shed some light on both of these complicated issues by addressing what’s happening.

The EMV check-out experience, like just about everything else related to the U.S. EMV migration, is different in the U.S. than it is in most other countries.  There are many variables which affect the transaction time, most of which are invisible to the consumer.  Some have to do with consumers – for example, if they know whether to swipe or insert at that merchant, when to insert the card, what to do, other than stare at the terminal, while the card is being processed, and whether to sign the receipt or the terminal device.

I’m a savvy card user, and if I shop at ten EMV-enabled retailers with the same card in one day, even I will have ten entirely different checkout experiences.  So how do I accurately describe my EMV experience?  One might be pleasantly simple and fast; the next one agonizingly complicated and slow.  Is that the fault of EMV, or the choices made by the retailer, the terminal provider, the processor, or the bank that issued the card?  It is fair to point out that if I used my old magnetic stripe card at those same ten retailers, the differences would remain, but they would be far less pronounced than what I see with EMV cards.

It makes me nervous that Visa and MasterCard are suddenly reacting to the bad press and retailer pressures about longer EMV checkout lines. They’re both getting behind a modification to their EMV transaction flow to make the transaction time appear faster by moving up the point in the transaction messaging sequence when the terminal will prompt the cardholder to remove the card.  The change, if and when it is implemented in the U.S., will have little or no effect on the total transaction time, and it will be not implemented by all merchants and not utilized by all issuers.  So, my checkout experience at those same ten retailers is likely to be just as different between them as it is now. A more sound approach, I think, would be to let consumers adjust to the new technology and allow retailers and processors to work out the prompting, timing and transaction routing ripples over time.

The testing and certification delays are equally difficult to boil down to a simple explanation.  I read a very good article recently that explained in a few sentences the five steps to certification.  The first two steps are to enable the terminal to read the data from an EMV chip and communicate chip data outside the terminal to the processing world.  The third, and most complicated step, is the direct interaction of that terminal’s data with their processor to reach each of the payments networks supported by that terminal.  The fourth step involves accepting keys used for data security. The fifth and final step is to turn on that merchant’s system to the network after the previous steps have been tested and certified by each network.

Around this time last year, which was less than six months before the EMV fraud liability shift, there were few options for merchants to order terminals that came delivered with all five steps checked off.  For many merchants, they could install terminals that passed the first two steps immediately, and wait for their processor to connect them to their EMV platform.  That wait time for step three grew longer as the deadline approached for those merchants who got in the queue ahead of the liability shift.  The millions of merchants who couldn’t or chose not to get their terminals installed and ready for step three with their processor until after the October deadline are now facing not only a longer queue but also increasing costs of counterfeit fraud chargebacks from issuers who beat the deadline for issuing new cards.

The payments brands and the many processors who are the main gatekeepers to certification came up with various tools and programs to expedite the troublesome certification for the third step with mixed results.  The entire system has been overwhelmed with the volume of merchants who tried to squeeze their implementation into a narrow time window.  Like rush hour traffic where everyone tries to merge onto the crowded certification freeway at the same time and traffic turns from a crawl to a stop, merchants are seeing the same effect with EMV certification.  Some people have suggested that the fraud liability shift should be moved back, but that is only going to perpetuate the growing problem of fraud even longer.

ATM operators and retail petroleum retailers were given extra time, and it will be interesting to see if they used that time effectively or will end up suffering the same consequences of the retailers covered in the 2015 liability shift.

In the Spotlight

ID Technology Partners (IDTP)
A 2015 Smart Card Alliance Company of Excellence (COE) recipient, ID Technology Partners (IDTP), based in the Washington, DC metropolitan area, is a leading engineering and consulting firm specialized in the critical elements of identification systems.  IDTP provides objective, unbiased support for ID system design, development, operation and deployment.

Please describe your company’s business profile and its offerings
IDTP is a small business that can deliver unique support capabilities to large-scale ID initiatives, the access security marketplace, and related technology industries.  Even as a small firm, the company boasts over 250 years of combined biometric technology staff experience, and is approaching 200 years of identification program and smart card technology staff experience. We have a national-level reputation in smart card credentialing and biometric identification disciplines with career-veteran experts recognized for real-world project experience, and extensive involvement in developing standards, compliance testing tools and industry best practices.  Our clients include agencies of the U.S. government, Fortune 500 companies, and other commercial businesses.

What role does smart card technology play in your business?
The effective integration and application of smart card technology is a key element in our ID program support services.   For example, IDTP is involved in high visibility large-scale ID credentialing programs where we provide technical subject matter expertise in smart cards as well as interrelated technical areas that include biometrics, Public Key Infrastructure (PKI), and access control.  We understand that a smart card-based credentialing program must focus on the organization’s mission objective and business/functional requirements.  We then recommend the best technical approach and ensure that the utility of card issuance and life-cycle management is taken into consideration.  IDTP has hands-on knowledge of smart card technology including manufacturer’s unique technologies, selection considerations, standards compliance, system design, CONOPS, program specs,  application profiles, conformance analysis, operational and functional requirements, card and reader hardware specifications,  integration strategies, conformance testing,  program development, management and deployment.  We also address technology obsolescence and refresh in a program’s design.  Clients engage the services of IDTP to ensure the success of their smart card program.  IDTP also holds a GSA Schedule contract.

What trends do you see developing in your market?
The increased focus on access security, both logical and physical, is driving the secure credentialing market.  The Personal Identity Verification (PIV) standard for federal employees and contractors is finally resulting in wider operational use of PIV in the U.S. federal sector. This is driven both by policy directive as well as a result of a renewed focus on using smart cards for access to sensitive information systems.  The latter focus follows the recent breach of sensitive personal data at the Office of Personnel Management. We also see the potential for biometrics to be more widely accepted as an authentication factor in place of PIN or as a third authentication factor in combination with validation of the smart card certificate. Virtual credentials on mobile devices that are linked through PKI to the certificates on smart cards represents another trend that we are closely monitoring.

What things must you overcome to leverage those trends?
We will continue to be an active participant in standards organizations such as NIST, ANSI and ISO to offer our expertise in helping to make the operational use of advanced identification technologies relevant to the user experience and mission requirements. It makes no sense to stand up a technical standard that results in an implementation that does not provide the operational performance or user experience that is required.

Learn more by visiting http://www.idtp.com.

Council Highlights

Councils published two white papers and continued work on six white papers.  The new IoT Security Council launched its activities and the Access Control, Health and Human Services, Identity, Mobile and Transportation Councils started planning new projects.

• The Access Control Council, Health and Human Services Council and Identity Council held a joint in-person meeting on June 7th at the Smart Card Alliance National Center for Advanced Payments and Identity Security in Arlington, VA.  Council members discussed the government and commercial identity and access control markets and brainstormed ideas for new projects
• The Health and Human Services Council presented the new infographic, Healthcare 2.0: A New Paradigm for a Secure and Streamlined Healthcare Industry, at the National Association of Healthcare Access Management (NAHAM) conference in May
• The Identity Counci lcompleted the white paper, Smart Card Technology and the FIDO Protocols, developed as part of the Smart Card Alliance and FIDO Alliance liaison partnership
• The Internet of Things (IoT) Security Council was launched, with members now discussing potential projects.  An initial full member call was held with presentations on the IoT ecosystem and security framework
• The Mobile Council has a new charter and name.  The revised charter expands the Council’s activities to include all interface technologies and to focus on mobile applications requiring security.  The Council is currently working on a white paper on mobile identity authentication and is defining new projects on tokenization and Trusted Execution Environment (TEE)
• The Payments Council is working on three white papers: use cases for the EMVCo Payment Account Reference (PAR); block chain and smart card technology; and contactless payments value propositions for issuers and merchants
• The Transportation Council published the updated EMV and Parking white paper in collaboration with the International Parking Institute.  The Council is currently working on the multimodal payments convergence white paper, updating the reference architecture white paper, and discussing possible new projects

If you would like to participate in a Council, please contact Mike Strock, [email protected].

New EMV Resources

• The EMV Migration Forum published the updated white paper, EMV Testing and Certification White Paper: Current Global Payment Network Requirements for the U.S. Acquiring Community.  The white paper outlines updated payment network requirements and describes use cases that identify when testing or retesting is required for EMV chip and contactless terminals, when retesting is recommended as a best practice, and when only standard internal testing is advised
• The Smart Card Alliance Transportation Council EMV and Parking white paper describes critical aspects of deploying an EMV solution in the parking infrastructure

All EMV resources are available on the EMV Connection web site

Welcome New Members

• ATSL TeleSoft (PVT) Ltd
• Pinellas Suncoast Transit Authority

Congratulations New Recipients

CSCIP/P Certification

• Honore Afene, UL*
• Jaison Jacob, UL*
• Dinesh Babu Kolavennu, UL*
• Felipe Riso Bezerra Leite, UL*
• Margaret Liu, UL*
• Frank Luo, UL*
• Asim Patra, UL*
• Manish Raje, UL*
• Bart van Hoek, UL*

CSEIP Certification

• Gabriel Ciurescu, MC Dean, Inc.
• Dana Kellogg, Brivo Systems, LLC
• Jared Schmall, World Telecom & Surveillance, Inc.
• Don Smith, HLCG
• Jon Waters, Signet Technologies, Inc.

*Denotes Corporate Exam