June 2016 Monthly Member Bulletin
Executive Director’s Corner
Dear Members of the Smart Card Alliance,
Much has been discussed and written in the press lately about the slow speed of EMV chip transactions and the long delays merchants are experiencing getting their businesses EMV certified. Once they are certified, they can begin accepting chip cards and avoid potentially costly chargebacks for counterfeit card transactions that happen at retailers who are not EMV-enabled. The truths about EMV transaction times and the real reasons for why so many merchants are not yet EMV certified are hard to come by. Perhaps I can shed some light on both of these complicated issues by addressing what’s happening.
The EMV check-out experience, like just about everything else related to the U.S. EMV migration, is different in the U.S. than it is in most other countries. There are many variables which affect the transaction time, most of which are invisible to the consumer. Some have to do with consumers – for example, if they know whether to swipe or insert at that merchant, when to insert the card, what to do, other than stare at the terminal, while the card is being processed, and whether to sign the receipt or the terminal device.
I’m a savvy card user, and if I shop at ten EMV-enabled retailers with the same card in one day, even I will have ten entirely different checkout experiences. So how do I accurately describe my EMV experience? One might be pleasantly simple and fast; the next one agonizingly complicated and slow. Is that the fault of EMV, or the choices made by the retailer, the terminal provider, the processor, or the bank that issued the card? It is fair to point out that if I used my old magnetic stripe card at those same ten retailers, the differences would remain, but they would be far less pronounced than what I see with EMV cards.
It makes me nervous that Visa and MasterCard are suddenly reacting to the bad press and retailer pressures about longer EMV checkout lines. They’re both getting behind a modification to their EMV transaction flow to make the transaction time appear faster by moving up the point in the transaction messaging sequence when the terminal will prompt the cardholder to remove the card. The change, if and when it is implemented in the U.S., will have little or no effect on the total transaction time, and it will be not implemented by all merchants and not utilized by all issuers. So, my checkout experience at those same ten retailers is likely to be just as different between them as it is now. A more sound approach, I think, would be to let consumers adjust to the new technology and allow retailers and processors to work out the prompting, timing and transaction routing ripples over time.
The testing and certification delays are equally difficult to boil down to a simple explanation. I read a very good article recently that explained in a few sentences the five steps to certification. The first two steps are to enable the terminal to read the data from an EMV chip and communicate chip data outside the terminal to the processing world. The third, and most complicated step, is the direct interaction of that terminal’s data with their processor to reach each of the payments networks supported by that terminal. The fourth step involves accepting keys used for data security. The fifth and final step is to turn on that merchant’s system to the network after the previous steps have been tested and certified by each network.
Around this time last year, which was less than six months before the EMV fraud liability shift, there were few options for merchants to order terminals that came delivered with all five steps checked off. For many merchants, they could install terminals that passed the first two steps immediately, and wait for their processor to connect them to their EMV platform. That wait time for step three grew longer as the deadline approached for those merchants who got in the queue ahead of the liability shift. The millions of merchants who couldn’t or chose not to get their terminals installed and ready for step three with their processor until after the October deadline are now facing not only a longer queue but also increasing costs of counterfeit fraud chargebacks from issuers who beat the deadline for issuing new cards.
The payments brands and the many processors who are the main gatekeepers to certification came up with various tools and programs to expedite the troublesome certification for the third step with mixed results. The entire system has been overwhelmed with the volume of merchants who tried to squeeze their implementation into a narrow time window. Like rush hour traffic where everyone tries to merge onto the crowded certification freeway at the same time and traffic turns from a crawl to a stop, merchants are seeing the same effect with EMV certification. Some people have suggested that the fraud liability shift should be moved back, but that is only going to perpetuate the growing problem of fraud even longer.
ATM operators and retail petroleum retailers were given extra time, and it will be interesting to see if they used that time effectively or will end up suffering the same consequences of the retailers covered in the 2015 liability shift.
In the Spotlight
ID Technology Partners (IDTP)
A 2015 Smart Card Alliance Company of Excellence (COE) recipient, ID Technology Partners (IDTP), based in the Washington, DC metropolitan area, is a leading engineering and consulting firm specialized in the critical elements of identification systems. IDTP provides objective, unbiased support for ID system design, development, operation and deployment.
Please describe your company’s business profile and its offerings
IDTP is a small business that can deliver unique support capabilities to large-scale ID initiatives, the access security marketplace, and related technology industries. Even as a small firm, the company boasts over 250 years of combined biometric technology staff experience, and is approaching 200 years of identification program and smart card technology staff experience. We have a national-level reputation in smart card credentialing and biometric identification disciplines with career-veteran experts recognized for real-world project experience, and extensive involvement in developing standards, compliance testing tools and industry best practices. Our clients include agencies of the U.S. government, Fortune 500 companies, and other commercial businesses.
What role does smart card technology play in your business?
The effective integration and application of smart card technology is a key element in our ID program support services. For example, IDTP is involved in high visibility large-scale ID credentialing programs where we provide technical subject matter expertise in smart cards as well as interrelated technical areas that include biometrics, Public Key Infrastructure (PKI), and access control. We understand that a smart card-based credentialing program must focus on the organization’s mission objective and business/functional requirements. We then recommend the best technical approach and ensure that the utility of card issuance and life-cycle management is taken into consideration. IDTP has hands-on knowledge of smart card technology including manufacturer’s unique technologies, selection considerations, standards compliance, system design, CONOPS, program specs, application profiles, conformance analysis, operational and functional requirements, card and reader hardware specifications, integration strategies, conformance testing, program development, management and deployment. We also address technology obsolescence and refresh in a program’s design. Clients engage the services of IDTP to ensure the success of their smart card program. IDTP also holds a GSA Schedule contract.
What trends do you see developing in your market?
The increased focus on access security, both logical and physical, is driving the secure credentialing market. The Personal Identity Verification (PIV) standard for federal employees and contractors is finally resulting in wider operational use of PIV in the U.S. federal sector. This is driven both by policy directive as well as a result of a renewed focus on using smart cards for access to sensitive information systems. The latter focus follows the recent breach of sensitive personal data at the Office of Personnel Management. We also see the potential for biometrics to be more widely accepted as an authentication factor in place of PIN or as a third authentication factor in combination with validation of the smart card certificate. Virtual credentials on mobile devices that are linked through PKI to the certificates on smart cards represents another trend that we are closely monitoring.
What things must you overcome to leverage those trends?
We will continue to be an active participant in standards organizations such as NIST, ANSI and ISO to offer our expertise in helping to make the operational use of advanced identification technologies relevant to the user experience and mission requirements. It makes no sense to stand up a technical standard that results in an implementation that does not provide the operational performance or user experience that is required.
Learn more by visiting http://www.idtp.com.
Councils published two white papers and continued work on six white papers. The new IoT Security Council launched its activities and the Access Control, Health and Human Services, Identity, Mobile and Transportation Councils started planning new projects.
If you would like to participate in a Council, please contact Mike Strock, [email protected].
New EMV Resources
All EMV resources are available on the EMV Connection web site
Welcome New Members
- ATSL TeleSoft (PVT) Ltd
- Pinellas Suncoast Transit Authority
Congratulations New Recipients
- Honore Afene, UL*
- Jaison Jacob, UL*
- Dinesh Babu Kolavennu, UL*
- Felipe Riso Bezerra Leite, UL*
- Margaret Liu, UL*
- Frank Luo, UL*
- Asim Patra, UL*
- Manish Raje, UL*
- Bart van Hoek, UL*
- Gabriel Ciurescu, MC Dean, Inc.
- Dana Kellogg, Brivo Systems, LLC
- Jared Schmall, World Telecom & Surveillance, Inc.
- Don Smith, HLCG
- Jon Waters, Signet Technologies, Inc.
*Denotes Corporate Exam
Save the Date for Security of Things (SoT) Conference
Make sure you’ve marked your calendar to attend a two day conference at the Hilton Rosemont Chicago O’Hare Hotel in Chicago Oct. 18-19, 2016 on the Security of Things. This exciting new meeting from the Smart Card Alliance will highlight how industries are collaborating on standards, why secure IoT architecture is necessary, and what best practices are for secure IoT frameworks. Add in the best networking in the industry and you’ll see why this is a conference you’ll want to attend.
Upcoming Training Sessions
New training sessions for the CSCIP and CSCIP/P certification have been scheduled this month at the new National Center for Advanced Payments and Identity Security in Crystal City, just outside of Washington D.C, located at 2900 Crystal Drive, Arlington, VA. Classes fill up quickly so register now to reserve your spot. The CSCIP/P training will be held June 27-28, and the CSCIP training will be held June 29-30, 2016.
CSEIP on the Road
The next CSEIP training course will head out West on July 13-14, with the HID PIV reader course scheduled for July 12. Both courses will be held at the HID Academy, 611 Center Ridge Parkway, Austin, TX.