October 2016 Monthly Member Bulletin

• From the Executive Director
• New Webinars Scheduled
• Spotlight on 2016 COE Recipients
• Council Highlights and Other Resources
• 2017 Payments Summit Registration
• Upcoming Training Sessions
• 2016 Annual Review Publication

Executive Director’s Corner

Dear Members of the Smart Card Alliance,

Recent events have driven home the importance of developing sound technology and policy around securing the Internet of Things (IoT). In the last few weeks, distributed denial of service attacks (DDOS) were executed by unknown hackers who used thousands of Internet-connected security cameras and digital video recorders to flood their targets with a massive volume of commands that affected significant parts of service providers’ networks. Many of these devices were manufactured in China without normal security protections, and became unexpected pawns in the hacker’s scheme to disrupt the Internet.

Brian Krebs, the former New York Times reporter turned prominent security expert who exposes criminal hacking gangs and their techniques, was the target of one of these attacks. He warned that hackers have developed a new means of attacking web sites based on corralling thousands of devices connected to the Internet of Things. Krebs added that “to address the threat from the mass-proliferation of hardware devices such as Internet routers, DVRs and IP cameras that ship with default-insecure settings, we probably need an industry security association, with published standards that all members adhere to and are audited against periodically.”

At the Smart Card Alliance Security of Things Conference held in Chicago earlier in the month, the Alliance put forth a strong case for why the Alliance’s IoT Security Council is ideally suited to address this urgent call to action from Krebs, one of the nation’s leading security experts. The Council is currently working on a white paper about using hardware security such as secure elements and embedded chip technology in combination with other security techniques to ensure IoT devices are secure.

Embedded security can establish the “identity” of each device, ensure that access to the device is only allowed to authenticated and authorized entities, and protect the data being generated or delivered to the device. These are fundamental requirements to prevent unauthorized tampering with how these devices are designed to work, and protect the privacy and security of the vast amount of data the devices generate.

These recent attacks — one of which was more than four times the size of the largest reported attack last year — used IoT devices instead of computers and servers, and is the latest example of the IoT vulnerabilities that exist today, demonstrating why the security of things is so critical. To protect connected devices and their data, the IoT industry needs the attention, coordination and commitment to security that the payments industry is putting into securing payments and that countries put into identity documents to protect their borders.

The Smart Card Alliance has historical knowledge of security vulnerabilities, and has been raising awareness about how secure chip technology addresses these problems. Nearly 15 years ago we helped define the value of using chips of electronic passports. We explained how contactless payments cards used chips to generate dynamic data to protect payments and how EMV contact chips cards took that security even further. We prepared the smart phone industry to include secure elements and SIMs to protect NFC-enabled contactless payments. We helped refine and guide the NIST government standards for Personal Identity Verification (PIV) ID cards based on deploying chip technology and strong authentication for physical and logical access control for federal employees and contractors. Now, it is time for the Smart Card Alliance to step up and guide the IoT industry on the proper way to secure the expected 21 billion IoT devices by 2020. It started with our first Security of Things conference and it will become our new mission over the coming years — to be the industry security association that Brian Krebs is asking for that is leading the way forward to secure IoT ecosystems. Join us in our effort to be the leader in IoT security.

Upcoming EMV Webinars

Two Smart Card Alliance webinars have been scheduled; registration is open and complimentary, so reserve your spot today.

EMV Tokenization
On Thursday, November 3, at 1 p.m. ET/10 a.m. PT, the Mobile Council will present “EMV Tokenization,” providing an overview of the topic that has the potential to be a payments security game-changer for its ability to protect sensitive account data for in-store and online transactions. Register by visiting https://attendee.gotowebinar.com/register/5182475867510822401 or clicking here.

Contactless EMV Payments and Issuers
The Payments Council will present “Contactless EMV Payments: Issuer Opportunities,” on Wednesday, Nov. 9, at 1 p.m. ET/10 a.m. PT. The webinar will cover items including how contactless fits into today’s payment industry, what is different from earlier adoption attempts, and why now is the ideal time to go contactless. Register for the November 9 webinar by visiting https://attendee.gotowebinar.com/register/7678823559134243587 or clicking here.

In the Spotlight

Congratulations to the Class of 2016

The Smart Card Alliance Center of Excellence (COE) recognizes an elite mix of member companies who, each year, reach the highest level of active participation in the Alliance by having made outstanding contributions in the form of providing valuable time, talent and resources across a wide mix of Alliance activities. We are delighted to welcome 23 companies who have achieved this designation:

• Advanced Card Systems
• American Express
• CPI Card Group
• Chase Card Services (NEW)
• Discover Financial Services
• First Data
• Gemalto
• Giesecke & Devrient
• Heartland Payment Systems (NEW)
• Hewlett-Packard Enterprise Services
• Infineon Technologies (NEW)
• Ingenico, North America
• Intercede Limited (NEW)
• MasterCard Worldwide
• NXP Semiconductors
• Oberthur Technologies
• TSYS
• Underwriters Laboratories (UL)
• Valid USA (NEW)
• Visa
• Wells Fargo (NEW)
• Xerox
• XTec, Inc.

Inclusion in this exclusive level is directly related to the following criteria members demonstrated in 2015-2016:

• Industry Council recognition for Honor Roll participants or Top Contributor to one or more of our Industry Councils
• Council officer position elected by peers
• Number of employees with LEAP/CSCIP/CSEIP training and certification
• Corporate CSCIP training and certification participation
• Alliance conference and event sponsorship of $5,000 or greater in the last year
• Supporting membership in multiple chapters (SCALA) or affiliated organizations (U.S. Payments Forum (formerly EMV Migration Forum)

These COE recipients will be recognized in a number of ways throughout 2017. Congratulations to the companies for their continued involvement in Alliance activities.

Council Highlights

Councils held one webinar, have two new webinars open for registration, and continued work on 12 other projects.

• The Access Control Council is currently working on the development of a PACS deployment playbook for the GSA CIO
• The Health and Human Services Council featured Michael Magrath, VASCO Data Security, on October 14 to discuss the HIMSS Identity Management Council activities. Kelli Emerick, Secure ID Coalition, will be joining the October 28^th call to provide an update on the Medicare Common Access Card legislation
• The Internet of Things (IoT) Security Council held a well-attended Council meeting at the Security of Things conference and will be discussing next projects on upcoming calls. The October 11^th Council call featured a guest speaker, Sandra Baer, from Personal Cities, to discuss the impact of IoT on smart city initiatives. The Council is completing a white paper on embedded hardware security for IoT applications
• The Mobile Council announced its November 3^rd EMV Tokenization webinar. The Council is currently working on three white papers on: mobile identity authentication; mobile profiles and provisioning; and Trusted Execution Environment (TEE) 101
• The Payments Council held a well-attended webinar, Contactless EMV Payments: Merchant Opportunities, on October 6th. The second webinar in the series, Contactless EMV Payments: Issuer Opportunities, is scheduled for November 9^th. The Council is also working on four other projects – merchant and issuer contactless payments infographics; contactless payments security Q&A update; EMVCo Payment Account Reference (PAR) use cases white paper; blockchain and smart card technology white paper
• The Transportation Council is currently working on the multimodal payments convergence white paper, updating the reference architecture white paper, and developing a webinar on mobile ticketing and NFC.
• All councils will be electing their 2017/2018 steering committees and officers by the end of this year. If you would like to participate in a leadership role for any of the councils, please contact Cathy Medich, [email protected]

If you would like to participate in a Smart Card Alliance Council, please contact Mike Strock, [email protected].

New EMV Resources

The Smart Card Alliance and the U.S. Payments Forum (formerly the EMV Migration Forum) have produced a number of EMV resources.

• The Smart Card Alliance Payments Council webinar, Contactless EMV Payments: Merchant Opportunities, discussed how contactless fits into today’s payment industry; what is different from earlier adoption attempts; and why the ideal time to go contactless is now
• The U.S. Payments Forum published a new white paper, Optimizing Transaction Speed at the POS. The white paper presents on three categories of approaches to help speed transactions and discusses their potential impacts for each stakeholder group in the U.S. payments ecosystem: “Faster EMV” solutions (i.e., Quick Chip and M/Chip Fast), contactless/Near Field Communication (NFC) transactions, and other EMV checkout optimization practices. For each category, a detailed description and analysis are presented, including considerations and implications for various stakeholder groups.

Welcome New Member

• Burden Consulting, Ltd.

Congratulations New Recipients

CSCIP/Government Certification

• Diana Farris, XTec, Inc.

CSEIP Certification

• Brent Arnold, XTec, Inc.
• Michael Hamilton, KBRwyle
• Nnamdi Martyn, U.S. Environmental Protection Agency
• Stephen Mergens, XTec, Inc.
• Jaime Santiago, Bureau of ATF
• David Smith, Signet Technologies, Inc.
• Brian Young, Integrated Security Solutions, Inc.