September 2017 Monthly Member Bulletin

Executive Director’s Corner

Could Contactless Be Around the Corner?

There is mounting evidence that the next wave of EMV chip cards to be issued will be dual-interface cards, with both contact and contactless capability. While contactless card volumes were rising around the world, the U.S. market was still laboring in its shift to EMV contact cards. An estimated 750 million of these EMV contact cards are now in consumers’ hands, and more than 50 percent of card transaction volume and nearly 60 percent of card spend involve the use of a chip card at a chip-enabled merchant. Now that consumers are more comfortable with this first level of change, simply tapping, rather than inserting, their payment cards will make the consumer experience even more attractive.

Consumers will also like the speed of contactless payment compared to the EMV contact chip. It is not so much the extra seconds that will be shaved off the time to complete the transaction, but more the advantage of being able to pull out a contactless card anytime during the scanning and bagging process, tap it on the contactless-enabled terminal and get the beep or message that it is okay to put the card away. That is a significant improvement over EMV today.

The economics of issuer investment in dual-interface cards are never going to be better than right now. The card manufacturers have excess capacity and chip inventories, and are competing on price to maintain market share. The business case for contactless has been proven for issuers in countries like the United Kingdom and Australia, where card use and average transaction values are increasing with contactless and cash spend is going down. With U.S. consumers shifting back to embracing more lucrative credit cards after years of seeing debit card usage rise, the added cost is not as much of a factor anymore.

The rise of dual-interface EMV will not be met with the same enthusiasm by retailers, who are still adjusting to EMV contact acceptance and have not yet fully realized the benefit of lower fraud costs. The incremental change of enabling and certifying their terminals for EMV contactless will be far simpler and less disruptive than EMV was, with many large and small retailers ready and waiting for the cards to arrive. Let’s hope it’s a welcome change for everyone involved.

Alliance Statement on Equifax Data Breach

It’s devastating that Equifax so severely mishandled the personal information of 143 million consumers. At a time when the U.S. payments industry is making significant investments to protect consumers from stolen card data, criminals are looking for new ways to commit fraud. Unfortunately, this enormous theft of consumer data is only going to make it easier for criminals to commit new account fraud and account takeovers. Consumers should be vigilant in using the tools available to protect their personal credit information, including adding security freezes, reviewing all accounts regularly, and turning on alerts and multi-factor authentication whenever possible. Now it is more important than ever for organizations to implement more stringent identity proofing processes for consumers opening new accounts, applying for credit or conducting sensitive transactions. Equally important for organizations serving consumers is the implementation of advanced authentication techniques for consumers accessing existing accounts and for employees and other authorized parties accessing consumer data. The responsibility for preventing fraud lies with the organizations holding consumer information and granting privileges based on that information. Equifax failed at protecting consumer information. Now consumers and other organizations need to protect themselves from Equifax’s failure and ensure that they don’t become the next victims.

New Webinar Series

Beginning in October, the Secure Technology Alliance will offer a six-part webinar series on how to procure and implement PIV-enabled physical access control systems (PACS) for government facilities. The series, created for systems engineers, facility managers, physical security personnel, and other government facilities’ stakeholders, will launch in October, with future webinars scheduled in 2018. Each webinar will focus on one aspect of implementing PIV-enabled PACS for a government facility.

As an introduction to the multi-part series, the first webinar, “How to Plan, Procure and Deploy a PIV-Enabled PACS,” will provide an overview of the PACS landscape, identify the key stakeholders and outline what to know before starting a new project. The first webinar will be held on October 19, 2017 at 2:00 pm ET (11:00 am PT). To register, visit https://attendee.gotowebinar.com/register/5564948691556327682. The second webinar will be held Nov. 30; future dates will be announced once they are scheduled.

Council Highlights

  • Council projects. A summary of all active Council projects is posted on the Secure Technology Alliance members-only site
  • The Access Control Council completed the development of a PACS deployment playbook for the GSA CIO and is working with GSA to publish the playbook. The Council is also hosting a webinar series on PIV-enabled PACS implementation for government physical security specialists. The first webinar, “How to Plan, Procure and Deploy a PIV-Enabled PACS,” is scheduled for October 19 and will feature Michael Kelley (Parsons), Lars Suneborn (Secure Technology Alliance), Randy Vanderhoof (Secure Technology Alliance), and William Windor (DHS) as speakers. The second webinar, “Facility Characterization and Risk Assessment,” is scheduled on November 30
  • The Health and Human Services Council is working on a healthcare 2.0 webinar presentation
  • The Identity Council is developing a white paper on the mobile identity landscape. The white paper will assess the market landscape, document use cases and identify best practices and requirements
  • The Internet of Things (IoT) Security Council is developing a white paper on IoT and payments. The white paper will provide a resource that outlines best practices for implementing payments with IoT devices as guidance for developing IoT payment-enabled applications
  • The Mobile Council is continuing work on two white papers: mobile profiles and provisioning; Trusted Execution Environment (TEE) 101. The Council is also developing two webinars based on the mobile identity authentication white paper and the TEE 101 white paper
  • The Payments Council has three white papers in process: EMVCo Payment Account Reference (PAR) use cases; implementing payment-enabled wearables; contactless payments implementation challenges. The Council is also defining a project on approaches to secure the card-not-present environment
  • The Transportation Council is currently working on two projects: an NFC and mobile ticketing webinar and part two of the multimodal payments convergence white paper

If you would like to participate in a Secure Technology Alliance Council, please contact Mike Strock, [email protected].

New EMV Resources

  • The U.S. Payments Forum Petroleum Working Committee and Communications & Education Working Committee hosted a webinar, “Accepting EMV Chip Payments at the Fuel Pump,” on September 20th. The webinar recording and presentation are available on the EMV Connection web site
  • The Forum Petroleum Working Committee also published “Petroleum Industry: EMV FAQs,” to provide a common, consistent understanding of EMV issues in the U.S. retail petroleum industry.
  • The Forum Transit Contactless Open Payments Working Committee published the white paper, “Technical Solution for Transit Contactless Open Payments Use Case 1: Pay As You Go/Card,” to provide guidance for technological solutions that could be used to implement contactless open payments in transit using the first Working Committee-defined Use Case 1 – Pay As You Go/Card. Additional use cases based on other scenarios outlined in the white paper are expected to be addressed by the Working Committee in future projects
  • The Communications and Education Working Committee published an update to the Implementing EMV in the U.S.: How the U.S. Common Debit AIDs Facilitate Debit Transaction Routing and Ensure Durbin Compliance video recording to add information on Cardholder Verification Method (CVM) selection
  • The U.S. Payments Forum published the updated Understanding the U.S. EMV Fraud Liability Shifts white paper in July. The white paper includes details for each of the participating networks regarding their respective liability shifts for counterfeit and lost-or-stolen fraud for POS devices, ATMs, and AFDs. The white paper also includes information on technical fallback and manual key-entered transactions, cross-border transactions, and mobile and contactless transactions

Member Survey Winner

Congratulations to Jatin Deshpande of G+D Mobile Security. Jatin was one of hundreds of members who participated in our yearly member survey; names were entered into a drawing to win an Amazon Echo, and Jatin’s entry was selected. Thank you to everyone who provided us with feedback.

Congratulations New CSCIP/P Recipient

  • Li Zhou, Ingenico Canada

Congratulations New CSEIP Recipients

  • Jason Adams, U.S. Marshal Service
  • Dan Burnell, Convergint Technologies
  • Jon Bybee, Parsons Corporation
  • Edgar Freeze, Security Install Solutions
  • Eric Johnson, U.S. Marshal Service
  • Mark Meredith, U.S. Marshal Service
  • Tom Owens, E2 Optics
  • Cheri Pool, Integrated Environments
  • David Raymond, Trofholz Technologies
  • Sean Reynolds, U.S. Marshal Service
  • Richard Shafer, Xpect Solutions
  • Rob Weaver, Stanley Black & Decker

Training/Exam Dates and Recertification Dates

CSCIP/G Training and Exam, Oct. 17 (training) and Oct. 18 (exam), National Center for Advanced Payments and Identity Security

CSEIP Recertification. The online instructor-led review course is four hours, from 11 AM ET – 3 PM ET. The hour-long exam follows from 3 PM ET to 4 PM ET. Register for one of the three certification dates listed below:

  • Oct 12, 2017
  • Nov 09, 2017
  • Dec 07, 2017

Have you registered for IoT Payments 2017 yet? There’s still time to register for the conference, which will be held October 10-11, 2017 at the Hyatt Regency Hotel in Austin, Texas. This new event will bring together financial executives, device and application providers and retail industry experts on the evolving intersection of payments and the Internet of Things (IoT).

 

Register early and save! The Payments Summit is the premier industry event covering all things payments, including FinTech, EMV chip technology, mobile wallets, NFC, contactless, open transit systems and more. Making this an even more robust conference, this is the third year that the Alliance and the International Card Manufacturing Association (ICMA) are co-locating events, giving attendees a broader perspective from the core manufacturing and personalization of a card, to the rapid evolution in secure payments. 2018 also brings together membership from the U.S. Payments Forum, resulting in the most comprehensive gathering of card and payments professionals ever.

The Secure Technology Alliance is Hiring
