October 2014 Alliance Member Bulletin
Executive Director’s Corner
Smart Card Credentialing Carries More Weight
As we prepare for the upcoming 13th Annual Smart Card Alliance Government Conference, I have a sense that the ground might shifting under what had been a firm foundation for federal smart card-based identity credentialing and access control based on HSPD-12 and the accompanying standards. So the timing is right for government policy and standards setters to come together at this conference and discuss just what lies ahead with technology providers and security integrators. I can’t think of a more important time in the 10-year history of HSPD-12 for our smart card industry members to listen carefully and ask questions of our government leaders about the future of PIV, except for perhaps the first two years when the standards and policies were being drafted.
As recently as July, at the Alliance’s 10th Anniversary Celebration of HSPD-12 event, most of the talk was about the struggle it took on the part of government and industry alike to get to this point. Every government employee and most government contractors have now been issued a PIV credential that works as intended – as a tamper-resistant credential that can be rapidly authenticated electronically. When talking about the struggles of the past and thinking about the future of PIV and FICAM, one government spokesman commented that PIV implementation is very, very hard and the U.S. government is the only entity he could think of who would be able to see it to the end – because no one in government can envision going back to a necklace of ID badges again.
HSPD-12’s drafters were trying to solve a specific problem facing our government: how to secure IT systems for government-to-government, government-to-industry, and government-to-consumer channels. It is not the responsibility of government to solve security issues with business-to-business or business-to-consumer channels, so solutions being considered for that purpose should not change the direction of what the U.S. government does.
Some new voices from the mobile and cloud computing world are starting to suggest that the security infrastructure built on ten-year-old smart card standards needs to be reassessed or replaced. They are proposing an infrastucture that is lighter weight and more flexible, and driven by new commercial standards, rather than using smart cards that have been adopted by governments globally and already issued and implemented by our government and supplied by manufacturers who have invested hundreds of millions of dollars. Where have I heard this story before? Perhaps from some vocal merchant organizations who finally have to invest in more data security and more secure card acceptance systems and are demanding new payments technologies rather than investing in what already exists – the EMV chip standard that is used with great results by the rest of the world.
I am not pretending that PIV and the security systems that use token-based digital credentials for securing the enterprise are not in need of change. In fact, mobile phones, like the recently announced Apple iPhone 6, rely heavily on smart card security, and offer new ways to create, store, and deliver credentials that cards don’t offer. These innovative mobile iterations of ID badges solve a number of complex problems, but that should not change how the government establishes one’s identity, how they bind it to a device (card, phone, watch), and how they access identity information.
The many new shiny identity objects that are being debated and, in some cases, piloted with mixed results should not be considered capable substitutes for smart cards developed specifically for secure identity applications and used globally in passports and national ID projects, and in mobile devices like Android, Apple, and Windows devices.
I hope our government policy leaders and FICAM identity and security leaders will stay the course with HSPD-12, FIPS 201, OMB M-11-11, SP-800-73-4, and SP-800-63, resolve the challenges facing SP-800-157 (derived mobile credentials), and see the HSPD-12 vision to the end. The rest of the world is watching what the U.S. does, so it is not only important for our own security but for the security of other nations doing business with the U.S. government. I hope to see you on October 29-30 at the 2014 Government Conference.
Executive Director, Smart Card Alliance
In The Spotlight
This month the Smart Card Alliance profiles 2013 COE recipient Southeastern Pennsylvania Transportation Authority (SEPTA).
Please describe your company’s business profile and its offerings.
The Southeastern Pennsylvania Transportation Authority (SEPTA) was created by the Pennsylvania state legislature in 1964 and is an instrumentality of the Commonwealth of Pennsylvania. As the nation’s sixth largest public transit agency, the Authority serves the City of Philadelphia and its adjacent four suburban counties by transporting 1.2 million daily passengers over an extensive network of bus, trolley, subway and railroad lines. This network extends well into the neighboring states of New Jersey and Delaware, covering a 2,200 square mile region and home to a population of 4 million residents. As a service sector industry transit is both labor and capital intensive, and the Authority is no exception; requiring a workforce of 9,500 employees with annual resource needs for both physical plant and operations equivalent to $570 million and $1.2 billion, respectively. Operating within a large metropolitan area, SEPTA responds to a variety of travel market needs defined by geography, population, trip purpose and rider physical capabilities.
What role does smart card technology play in your business?
Smart card technology has played a major fare payment role in the transit industry for almost twenty years, beginning in Washington, D.C., and migrating to most of the large cities throughout the nation. These early adopters recognized the significant benefits of smart cards over magnetic technology, including increased security, faster speed, equipment life, and customer satisfaction. Clearly, agencies migrated away from ticket selling to a more cost effective model of revenue collection and management using technology advancements both in smart cards and data processing. Revenue collection costs, especially cash collection, represent a major industry challenge and smart cards have contributed to significant reductions in cash fares and associated costs. At SEPTA we are replacing our legacy fare system with an end-to-end electronic revenue collection system that features open architecture and acceptance of bank and non-bank forms of payment. Our riders will choose from a variety of payment options ranging from contactless cards to mobile devices to pay fares.
What trends do you see developing in your market?
Among the larger transit operators I see a shift away from the traditional card based, agency owned system with proprietary equipment and requirements; and instead moving toward a more flexible model that relies on conventional banking standards and off-the-shelf equipment. Clearly, processing speed advancements for payment cards are edging toward transit tolerance for passenger through put. Transit has been in the forefront for contactless payment for many years, and now has an opportunity to build upon this interface by accepting both bank and nonbank issued form factors at the point-of-entry. Mobile ticketing, either with NFC equipment readers or visual inspection, also represents a noteworthy trend in the industry, and cities like Dallas and Portland have had better than expected uptake on mobile use. Lower installment costs coupled with a relatively quick deployment schedule are attractive features for operators. Finally, the push toward EMV adoption in the U.S is foremost on the minds of transit operators as they grapple with challenges ranging from the type of cards available to riders (contact only versus dual interface) to needed modifications on equipment.
What things must you overcome to leverage those trends?
Transit agencies recognize that limitations in public subsidy bring a much sharper focus on revenue generation limiting collection costs within the industry than in the past. Due diligence – the need to devote sufficient time to develop and evaluate a strategy prior to execution – should not be underestimated. Further education from resources like the Alliance on topics concerning EMV and NFC would contribute greatly to industry understanding about the many tradeoffs involved in technology decisions.
Visit SEPTA at www.septa.org
The Smart Card Alliance Mobile and NFC Council published a new white paper, Host Card Emulation (HCE) 101 in August 2014. The white paper provides an educational resource on HCE, describing what it is, how it’s used, how it compares with the secure-element-based card emulation approach, what key considerations are for payment applications, and what security aspects should be considered for HCE-enabled applications.
Council participation is open to all Smart Card Alliance members. If you would like to participate in a Smart Card Alliance Council or in one of the Council projects, please contact Cathy Medich.
Welcome New Members
- Airbus Defense and Space, General member
- Department of the Interior, Government member
- OTI, Latin America
New CSEIP Recipients
- Steve Bowen, Eid Passport Inc
- Johnny E. Caldwell, Johnson Controls
- Malcolm, Ceasar, Global Networks Inc
- Tachung Chang, Integrated Security Technologies, Inc.
- Jesse Devitte, XTec, Incorporated
- Colin Doniger, DHS OCSO
- Jason Goodloe, XTec, Incorporated
- Donald Hamilton, Department of Homeland Security
- Brian Havecost, Signet
- David Helbock, XTec, Incorporated
- Bryan Ichikawa, Deloitte
- Jorge A. Lozano, Condortech Services, Inc.
- Michael Margolis, Integrated Security Technologies, Inc.
- Marcus Mathis, Security Install Solutions
- John Placious, Integrated Security Technologies, Inc.
- Doug Ritchey, Communications Resource Inc.
- Miguel Andres Rojas Handal, Condortech Services, Inc.
- John Schiefer, X-Tec, Incorporated
- Sean Schutte, X-Tec, Incorporated
- Blake Smith, Gallagher Group Limited
- Lars Suneborn, Smart Card Alliance
- Donald Thomas, Stanley Black & Decker
- Galen Weimer, Communications Resource Inc
- Shawn Zartman, Integrated Security Technologies, Inc.
Register for Government Conference & Workshop
You can still register for the Smart Card Alliance 13th Annual Conference scheduled for October 29 – 30 at the Walter E. Washington Convention Center in Washington, DC. If you plan to attend the October 28 Pre-Conference EPACS workshop on “Personal Identity Verification (PIV) in Physical Access Control Systems,” please note you must register for that separately.
Plan Now To Attend December Member Meeting
Registration is open for the Smart Card Alliance Member Meeting, which will be held December 7 – 9 at Rosen Shingle Creek in Orlando, FL. This end-of-year conference was created exclusively for Smart Card Alliance and SCALA members.
2014 Honor Roll
The 2014 Honor Roll and Top Contributors to the Smart Card Alliance Councils will be announced at the December Member Meeting. Recipients will be recognized at a ceremony dinner
EMV Webinar Replay Available
The EMV Migration Forum, in partnership with the National Retail Federation, hosted a one-hour webinar last month on “Merchant Considerations for U.S. Chip Migration.” Presenters included John Drechny, Walmart, Tom Litchford, National Retail Federation, Robin Trickel, Heartland Payment Systems, and Randy Vanderhoof, EMV Migration Forum. You can download the audio, video or webinar presentations here.