June 2017 Monthly Member Bulletin
- From the Executive Director
- Spotlight on Intercede
- New IoT Security Event
- Alliance Member Survey
- Council Highlights and Other Resources
- Upcoming Training Sessions
Executive Director’s Corner
Digital Payments and IoT Coming into Focus
For most of us in the mainstream payments and mobile commerce world, digital payments adoption discussions mostly center on device-centric mobile wallets using NFC at retailers like McDonald's and Walgreens, or merchant apps on mobile devices using QR codes at retailers like Dunkin' Donuts and Starbucks. These two camps still represent the bulk of all payments transactions involving alternatives to EMV chip cards. But this landscape is changing even before most of the baby boomers start catching up to the mobile-first habits of their twenty-something millennial children.
Millennials barely paused to take notice of NFC stalwarts like Apple Pay and Samsung Pay, which have had lagging adoption due to the slow growth in merchant acceptance. This group is racing ahead using peer-to-peer payments to take physical cash out of their lives and make digital cash available on their devices. And for services and retailers like Uber for rides, Starbucks for their coffee fix or Domino’s for their late night pizza, the millennials use apps to both order and pay. This increasing availability and frequency of use of digital forms of money and payments mean that millennials (and others) are relying on mobile devices for more of their daily usage habits. With new advances by Apple Pay and Samsung Pay to include everything from membership cards, gift cards, and merchant loyalty cards with personal online payment credentials, eliminating the physical wallet is starting to seem very likely. Digital forms of payment are coming into focus quickly – both for in-person payments and through cloud-based retail and banking apps.
So how does the Secure Technology Alliance help payments industry leaders stay up to date with the changes happening around us? We start a new conference, of course! I am excited to announce IoT Payments 2017, October 10-11, 2017 in Austin, TX. This two-day event will bring into focus the rapid advances in digital payments and the Internet of “Commerce” Things. Join us as we explore the world of IoT payments, including mobile technologies, wearables, and connected consumer appliances, and unravel the changes emerging in the ecosystem to support payment device personalization, authentication, and processing of digital currencies and digital payments.
We look forward to seeing you in the fall.
New Conference on IoT Payments
IoT Payments 2017 will be held October 10-11, 2017 at the Hyatt Regency Hotel in Austin, Texas. This new event will bring together financial executives, device and application providers and retail industry experts on the evolving intersection of payments and the Internet of Things (IoT). To register or submit a speaking proposal, please visit the event site.
In the Spotlight
A 2016 Center of Excellence recipient, Intercede is a cyber-security company specializing in digital identity, derived credentials, and trusted application management for a hyper-connected, increasingly mobile world.
Please describe your company’s business profile and its offerings
Intercede has been delivering trusted solutions to high profile customers for over 20 years. Our products, services and solutions create a foundation of digital trust between connected people, devices, apps and service providers, combining expertise with innovation to provide world-class cyber-security. We have worked with US federal agencies, most of the largest aerospace and defense corporations, and major players in financial services and telecommunications. Some of our offerings include:
- MyID is a complete identity and credential management system that assigns trusted digital identities to employees, citizens and machines. MyID makes it simple to issue password-free, trusted digital identities, so organizations can be sure that the people and devices connecting to their environments are who and what they claim to be
- MyTAM, enabling trusted applications to be loaded into the secure Trusted Execution Environment (TEE) on Android devices. MyTAM provides hardware-level security for Android apps, protecting their sensitive data from the threat of malware or hacking
- RapID, “the Password Killer for Killer Apps”, enables app developers to easily build cost-effective, password-free identity authentication into mobile apps, with just a few lines of code and our SDK
What role does smart card technology play in your business?
Smart cards remain an important factor in the digital identity market. Many clients still opt for the simplicity and reliability of issuing smartcards to their employees as part of a strategy to effect multi-factor authentication for logical access. But mobile devices, such as smart phones and tablets, are increasingly becoming the choice for many connected employees. And that’s why we now offer mobile credential solutions, including a derived PIV solution for the US federal market that is fully compliant with FIPS 201-2.
What trends do you see developing in your market?
First, and not a minute too soon, we’re seeing the death of passwords. It used to be that multi-factor authentication was in demand mostly among government agencies (both in the US and overseas) and in the aerospace and defense market. But, increasingly, we’re seeing commercial entities aggressively pursuing strategies to leave passwords behind in favor of secure digital identities. That includes the financial sector, healthcare and telecommunications, among others.
Second, as mentioned above, many clients are looking seriously at mobility, and concluding that mobile or derived credentials should be part of their strategy. In other words, instead of seeing mobile devices as a threat, they are harnessing the power of smart phones to make logical access both more secure and more convenient, further improving the productivity of the workforce.
And, last, we’re seeing a growing interest in cloud-based identity services. Many clients may not have the budget or the in-house expertise for a traditional, on-premise solution, but they are very interested in exploring how secure, digital identities can be rolled out as-a-service, in the cloud. That approach has the potential to make multi-factor authentication available to a much larger market.
What things must you overcome to leverage those trends?
I think the key to each of these developments is trust. Clients will not scrap passwords and move to digital identities unless they’re convinced that it’s a more secure approach. They won’t implement mobile credentials unless they’re sure it’s just as safe as using smartcards. And they won’t consider cloud services unless they can trust the service provider to handle their information securely.
Intercede has been in this business for more than 20 years, and we have earned the trust of many high-profile, security-conscious clients. Given the innovative products that we are delivering, I’m confident that we’ll continue to keep the trust of our existing clients, while also earning the trust of new clients in new industries.
Learn more by visiting https://www.intercede.com/
Alliance Member Survey
The Alliance is conducting its annual survey of all members to provide input to developing the Alliance’s 2017/2018 programs and activities. We welcome member feedback to ensure that our programs focus on member-driven priorities and provide significant value to the membership overall. Please take some time today to complete this short survey; all respondents will be entered into a drawing to win an Amazon Echo.
Council Highlights
- Council projects. A summary of all active Council projects is posted on the Secure Technology Alliance members-only site
- The Access Control Council is currently working on two projects, the development of a PACS deployment playbook for the GSA CIO and an education series on PIV-enabled PACS implementation for government physical security specialists
- The Health and Human Services Council is working on a healthcare 2.0 webinar presentation. The Council charter is also being reviewed, to align with the revised focus and mission of the Secure Technology Alliance.
- The Identity Council is launching a new project, a white paper on the mobile identity landscape. The white paper will assess the market landscape and identify best practices and requirements
- The Internet of Things (IoT) Security Council is recruiting participation in a new white paper project on IoT and payments. The white paper will provide a resource that outlines best practices for implementing payments with IoT devices as guidance for developing IoT payment-enabled applications
- The Mobile Council is continuing work on two white papers: mobile profiles and provisioning; Trusted Execution Environment (TEE) 101. The Council is also developing two webinars based on the mobile identity authentication white paper and the TEE 101 white paper
- The Payments Council has two white papers in process: EMVCo Payment Account Reference (PAR) use cases; best practices for payments with wearables. The Council is also defining two projects on contactless payments implementation challenges and approaches to secure the card-not-present environment
- The Transportation Council sponsored a panel on EMV and parking at the International Parking Institute (IPI) conference in May. The Council is currently working on two projects: an NFC and mobile ticketing webinar and part two of the multimodal payments convergence white paper
If you would like to participate in a Secure Technology Alliance Council, please contact Mike Strock.
Upcoming Training Sessions
Check out our schedule of CSCIP and CSEIP trainings and exam dates. If you are planning on taking the CSEIP recertification exam in July, see a list of what you’ll need to prepare.
New EMV Resources
- The U.S. Payments Forum Communications & Education Working Committee published a new resource, the Acquirer Testing & Certification glossary. The glossary defines terms used in acquirer EMV testing and certification forms
- The Forum Communications & Education Working Committee also published the white paper, EMV Receipt Best Practices, to review recommendations and requirements for data elements found on receipts for chip-on-chip transactions
Welcome New Member
Chicago Transit Authority
Congratulations New Recipients
CSCIP Certification
- Maziya Mavvaj
CSCIP/G Certification
- Nikita Jain, American Express
- Apurv Tripathi, American Express
- Michelle Wilson, U.S. Department of State
CSCIP/P Certification
- Lokesh Rachuri, Capgemini
- John Xier, Foothill Transit
- Ahmad Husaini Ahamed Zakeri, Malaysian Electronic Payment System
CSEIP Certification
- Neil Bolin, CertiPath
- Michael Casey, CertiPath
- Eric Johnson, Volta Systems Group
- Robert Krecker, Booz Allen Hamilton
- James Pinckney, BAE Systems
- Nicola Pisani, M.C. Dean
- Bruce Riddle, Environmental Protection Agency
- Jefferson Tross, Versar
- Brandon Welling, ASI