Smart Cards In The USA

Presentation given at the 3rd Annual Banrisul IT Forum in Porto Alegre, Brazil, 5-6 April, 2010 as part of a panel on International trends in secure transactions and related technology.

Notes for slides (sources):
  • Gemalto World Traveler Program; Mobile Contactless Payments Trialled Live at Mobile World Congress 2010; Visa and DeviceFidelity Collaborate to Accelerate Adoption of Mobile Contactless Payments
  • Image from
  • San Francisco Bay Area TransLink Card; Seattle/Puget Sound Area ORCA (One Regional Card for All) Card
  • Photo from GSA Managed Service PIV Service Provider (see also
  • PIV Interoperable
  • Final bullet points from Identity Management in Healthcare, Smart Card Alliance Webinar, September 22, 2009, Richard D. Marks, Patient Command, Inc., McLean, Virginia, [email_address]
  • Images from Identity Management in Healthcare, Smart Card Alliance Webinar, September 22, 2009, Paul Brian Contino, Vice President of Information Technology, Mount Sinai Medical Center, Mount Sinai School of Medicine, (212) 659-1429

    1. Smart Cards in the USA
       A current overview of smart card activities in the USA. Mike Neumann, President, Agile Set, LLC, Austin, TX, USA. 5-6 April, 2010, Porto Alegre, RS, Brasil.
    2. Overview
       • Payment
       • Transit
       • Identification
       • Healthcare
       • Interoperability
    3. Payment
       • EMV in the States? When?
    4. EMV in the States – when?
       • Market Motivators
         • Convenience
       • Market De-motivators
         • Magstripe still dominant
         • Fractured (or no) market leadership on new/secure technology
           • Merchants have seen too many pilots over the years
           • NFC? +/- SIM/USIM, MicroSD
       • Market Enablers
         • Infrastructure largely in place for contactless transactions
         • Single-party rule in D.C., however no actionable legislation
    5. Current discussions in the U.S.
       • Federal Reserve Bank of Philadelphia, Card Payments Center
         • February 2010 special meeting; financial institutions, payment brands, processors, merchants, software and tech providers
       • Smart Card Alliance Payments Summit, February 2010
       • Takeaways:
         • Merchants and processing partners want to be involved in choosing a direction alongside brands and issuers
         • No support for continuously evolving PCI DSS security standards (mainly driven by the banks)
       Source: Smart Card Alliance, Feb. 2010 Executive Director’s Letter
    6. Anti-Fraud: A Consumer’s View
       • The United States is the last EMV holdout in North America
       • Cost of fraud to the banks and payment schemes historically just written off. Not a significant cost to issuers.
       • Bank failures and Government bailouts have truly impacted credit markets in the U.S.
       • Issuer response has been predictable, but disappointing:
         • Increased “Fraud Alert” activity, causing dramatic increases of rejected (legitimate) transactions based purely on geography
           • Cardholder must declare travel plans to issuers
         • No “card present” or secure cardholder verification (EMV)
    7. Signs of what may come next
       • Banks may issue limited numbers of “dual-mode” cards to “high-end” customers
         • Cards would contain Magstripe for domestic payment, EMV chip and PIN for foreign card-present transactions
       • Mobile Payments via NFC smartphones
         • Will Europe lead here yet again? (GSM World: “Mobile Contactless Payments Trialled Live at Mobile World Congress 2010”)
         • Will the U.S. largely skip EMV cards and move to branded payment applications in mobile smartphones?
    8. Transit
       • Contactless payment for multi-mode transportation systems
    9. Convenience is Key
       • Common driver in all deployments – easy for all
         • Consistent contactless, durable payment vehicle
         • Cash up front for service provider; reconciliation on back-end
       • Recent deployments provide seamless payment experience across transit modes (bus, metrorail, regional train, ferry)
    10. Identification
        • Government and Enterprise (and Commercial?)
        • First steps toward a U.S. Citizen card?
    11. U.S. PIV: Personal Identity Verification
        • Presidential mandate (HSPD-12) directing that all Federal Employees and “inside” contractors shall
          • pass a background security check and register biometrics,
          • and be issued a smart card carrying PKI credentials.
        • U.S. Department of Commerce NIST (National Institute of Standards and Technology) directed to develop PIV standards
          • FIPS-201 is the Federal Standard defining PIV
          • Several “Special Publications” (SPs) contain the details
        • Less than one year from HSPD-12 until first credential issued
    12. PIV Issuance Statistics
        • HSPD-12 Credentials (PIV Cards) issued as of 1-Dec-2009
          • Employees: 3,981,788 (86%)*
          • Contractors: 1,110,231 (72%)*
        • Background Investigations Completed as of 1-Dec-2009
          • Employees: 2,755,682 (59%)*
          • Contractors: 598,051 (39%)
        • 20 Federal Credential Issuance infrastructures in operation
        • 55 system integrators and 463 products on GSA AP&S List
        Source: GSA; *percentage basis unclear
    13. PIV-I; PIV “Interoperable”
        • PIV is the only U.S. Government Standard applicable to a strongly-authenticated identification credential, vetting and issuance process.
        • Designed exclusively to meet the requirements set forth by HSPD-12.
        • Many PIV concepts are attractive to Federal, State and Local agencies wishing to issue their own “IAS” credentials based on PIV technology and concepts.
        • In May 2009, the Federal CIO Council released “Personal Identity Verification Interoperability for Non-Federal Issuers”
    14. PIV-I; PIV “Interoperable”, cont.
        • Non-Federal organizations would like to issue credentials that are:
          • Technically interoperable with Federal PIV systems, and
          • Issued in a manner which allows Federal relying parties to trust the credential
        • Defines minimal requirements for non-federally issued identification cards:
          • Common terminology for identification cards
          • Technical requirements
          • Identifier namespace
          • Trusted Identity (issuance, PKI)
    15. PIV-I: Programs
        • Transportation Worker Identification Card (TWIC)
          • Initial rollout to “blue water” port workers
          • Strong reliance on biometrics
          • Emphasis on physical access
        • First Responder Authentication Card (FRAC)
          • Several field demonstrations over recent years to test and demonstrate in-field real-time authentication of credentials (CAC, PIV, PIV-I (FRAC) and Driver’s Licenses)
        • Several States and localities are considering this technology, mainly in the context of FRAC
    16. GICS: Generic Identity Command Set
        • U.S. (INCITS/ANSI) industry national standards effort to develop a multi-part national standard for an “IAS” smart card command set
        • Work item initially launched to produce a “Technical Report” (guidance, like PIV-I), but work grew into a Standard
        • INCITS Project #2094, “GICS”
          • Part 1: Card Application Command Set
          • Part 2: Card Administrative Command Set
          • Part 3: Testing
          • Part 4: Card Application Profile Template
        • Parts 1, 2, and 4 in Draft. No GICS products to date.
    17. Things we never thought we would hear in the U.S.
        • “ID Card for Workers Is at Center of Immigration Plan”
          • Wall Street Journal, March 8, 2010
        Source: unscientific WSJ poll associated with article
    18. Healthcare
        • Electronic records are the mainstream focus in the news today.
        • Strongly-authenticated Identification is essential to ensure safety and privacy.
    19. Recent Legislation
        • American Recovery and Reinvestment Act of 2009 (ARRA): $728 Billion ‘Stimulus Package’
        • Health Information Technology for Economic and Clinical Health Act (HITECH): $19.4 Billion for EHR Adoption
        • Business processes and technology are deeply affected by this legislation
          • Responsibilities for, and liabilities related to, security
        • Identification is critical – but unaddressed.
        Source: Smart Card Alliance Healthcare Webinar, Richard D. Marks
    20. Health Information Exchange (diagram)
        Source: Smart Card Alliance Healthcare Webinar, Paul Brian Contino
    21. Interoperability: ISO/IEC 24727
        • Empowering the Application for Strong Authentication
        • A Framework for Interoperable IAS Systems
    22. Interoperability with ISO/IEC 24727
        • A Six-Part Standard Providing
          • End-to-end security
          • Application Interface
          • Testing
          • Authentication Protocols
          • Command and Procedural Translation
        • Not covering
          • On-card command sets
    23. How ISO/IEC 24727 Achieves Interoperability
        • Utilizes investment of existing secure credentials
        • Provides a common set of semantics by which each Card-Application may describe itself to interested Client-Applications
        • Raises the “language” of communication with smart cards and other secure credentials to be directly compatible with modern interfaces
    24. Is ISO/IEC 24727 redundant?
        • Previous standards/specifications were developed either “client-down” or “card-up”
        • “client-down”, e.g.
          • PKCS#11 – general, but uncoordinated across the API
          • CSP (CAPI) – Single function of a single application view
        • “card-up”, e.g.
          • The entire ISO/IEC 7816 series
          • (nearly?) all middleware based on ISO/IEC 7816
        • ISO/IEC 24727 is the first series of standards to be designed with both in mind.
    25. Model of Computation Semantics: A well-defined language syntax
        • Card-Application
        • Service
        • Action
        • Target
        • Access Control List (client-application centric)
        • Access Control Rule (card-application centric)
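Slides 22 to 25 introduce the ISO/IEC 24727 vocabulary (Card-Application, Service, Action, Target, Access Control List vs. Access Control Rule) and the "command and procedural translation" layer that bridges the "client-down" semantic view and the "card-up" ISO/IEC 7816 world. The following is an added toy example written for this page, not code from the presentation or from any ISO/IEC 24727 implementation: the class and function names reuse the slides' terms, the data structures are a constructed simplification rather than the standard's API, and the PIV application identifier, PIN format and data-object tags are published NIST SP 800-73 values that the slides themselves do not list.

```python
from dataclasses import dataclass, field

# Published PIV values (NIST SP 800-73); the slides do not list them.
PIV_AID = bytes.fromhex("A000000308000010000100")      # PIV card application AID
DATA_OBJECTS = {                                        # BER-TLV tags of two PIV data objects
    "CHUID": bytes.fromhex("5FC102"),                   # Card Holder Unique Identifier
    "PrintedInformation": bytes.fromhex("5FC109"),      # printed-on-card data, PIN-protected
}


@dataclass(frozen=True)
class AccessControlRule:
    """Card-application centric: the security condition the card attaches to
    one action on one target (constructed simplification)."""
    action: str
    target: str
    requires: frozenset = frozenset()   # authentication states that must hold


@dataclass
class CardApplication:
    """A card-application that can describe its own services to a client."""
    name: str
    aid: bytes
    rules: list = field(default_factory=list)

    def access_control_list(self):
        """Client-application centric view: the same rules re-indexed by
        (action, target), so a client can decide before touching the card."""
        return {(r.action, r.target): set(r.requires) for r in self.rules}


@dataclass
class ClientApplication:
    """Holds the ACL learned from the card plus the states it has established
    (e.g. "PIN" only once the card has answered 90 00 to a VERIFY)."""
    card: CardApplication
    authenticated: set = field(default_factory=set)

    def authorize(self, action, target):
        """Return (allowed, missing_states) for an action on a target."""
        acl = self.card.access_control_list()
        if (action, target) not in acl:
            return False, {"unknown action/target"}
        missing = acl[(action, target)] - self.authenticated
        return not missing, missing


def apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short-length ISO/IEC 7816-4 command APDU (cases 1 to 4)."""
    if len(data) > 255:
        raise ValueError("short APDU data field holds at most 255 bytes")
    out = bytes([cla, ins, p1, p2])
    if data:
        out += bytes([len(data)]) + data
    if le is not None:
        out += bytes([le & 0xFF])      # Le = 0x00 means "up to 256 bytes"
    return out


def verify_pin_apdu(pin):
    """VERIFY against the PIV application PIN (P2 = 0x80): 6 to 8 ASCII
    digits, padded with 0xFF to 8 bytes."""
    if not (6 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIV application PIN is 6 to 8 digits")
    return apdu(0x00, 0x20, 0x00, 0x80, pin.encode("ascii").ljust(8, b"\xff"))


def translate(client, action, target):
    """Procedural translation of one semantic action into the card-up world:
    an ordered list of APDUs, or None when the client's own ACL check fails,
    so a command the card would reject is never sent."""
    allowed, _missing = client.authorize(action, target)
    if not allowed or action != "read":      # only "read" is translated here
        return None
    tag = DATA_OBJECTS[target]
    return [
        apdu(0x00, 0xA4, 0x04, 0x00, client.card.aid),                   # SELECT by AID
        apdu(0x00, 0xCB, 0x3F, 0xFF, b"\x5c" + bytes([len(tag)]) + tag,  # GET DATA, tag list
             le=0x00),
    ]


def piv_card():
    """Constructed card-application with two rules taken from the PIV access
    model: CHUID is always readable, Printed Information needs the PIN."""
    return CardApplication("PIV", PIV_AID, [
        AccessControlRule("read", "CHUID"),
        AccessControlRule("read", "PrintedInformation", frozenset({"PIN"})),
    ])


if __name__ == "__main__":
    client = ClientApplication(piv_card())
    for t in ("CHUID", "PrintedInformation"):
        print(t, client.authorize("read", t), translate(client, "read", t))
    print(verify_pin_apdu("123456").hex())   # what the stack would send first
    client.authenticated.add("PIN")          # only after the card returned 90 00
    print(translate(client, "read", "PrintedInformation"))
```

The point of the split between `access_control_list` and `AccessControlRule` is the slide's distinction: the card states its conditions once, and the client reasons over the derived list without knowing APDUs at all; `translate` is the only place that knows ISO/IEC 7816-4 encoding, which is what lets the same client logic sit on top of an APDU-constrained card or a "connected" device.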
    26. ISO/IEC 24727-3 Basic Entity Relationships (diagram)
    27. ISO/IEC 24727 Summary
        • An International Standard to connect IAS systems to secure tokens
          • Speaks semantics of IAS Client-Applications, with
          • Means to map to constrained devices
        • Flexible, standardized mechanism to specify and identify new Authentication Protocols
        • Testing; methodology and practice
        • Multiple stack configurations to support legacy (APDU-constrained) devices and modern “connected” secure devices
    28. Obrigado! Questions?
        • Mike Neumann
        • Agile Set, LLC
        • Mike.Neumann at agileset dot net