Technologies for Secure Electronic Transactions

Randy Vanderhoof, Executive Director Smart Card Alliance

ICMA Card & Personalization ExpoApril 2014

Deployed Around the Globe and in the U.S.•Payment applications: contact and contactless credit and debit cards; transit payment cards

•Telecommunications applications: mobile phone subscriber identity modules; pay telephone payment cards

•Identity applications: employee ID badges for physical access to buildings and secure computer and network access; citizen ID documents; electronic passports; driver’s licenses; online authentication devices

•Healthcare applications: citizen health ID cards; health provider ID cards; portable medical records cards

Secure Electronic Transaction Changes Are Happening

3

EMV4

EMV Chip and ?????

EMVChip

Set-up

CardInterface

Contactless/mobile

CardAuthentication

SDA/DDA

CardholderVerification

PIN or Sig TransactionAuthorization

Online/ offline

5

Signs of Progress:

Estimates based on 2013 results:• 17 million to 20 million chip cards (< 2% of ~1.0 billion cards)• 2 million EMV-capable terminals (~ 20% of ~12 million POS)

• 2103 and Projections for 2014 to 2016

PO

S

6

Next Steps for U.S. Migration

• Keep talking – real movement happens when the right people are in the same room

• Avoid distractions from things that are NOT consistant with EMV requirements for the US market

• Document progress, revisit problem areas, communicate all potential options

• Ask questions …there may be many answers

• If someone shares information that helps you, pass it alone and help the next guy

If you are not engaged in the decisionmaking about EMV, you are already behind

7

Big Issues Remain:

Federal Reserve decision on its appeal of Regulation II Debit card interchange fees and routing rules

Consensus on multiple single common AIDs per card Resolution of debit routing without adding cost, complexity, and

sacrificing choiceo US Common AID and what it means for issuers/ merchantso Aligning testing & certification processes to allow acquirers

time to EMV enable merchantso Phase One implementation planning – Orlando, FLo Education – “who educates whom “ definitiono Timelines – will it all happen by October 2015?

8

NFC9

What Does Mobile Payment and Mobile Wallet Mean To You?

Mobile Wallet - Functionality on a mobile device that can securely interact with digital valuables –Mobey Forum 2013

Paving the way for Mobile Wallets

Payment is Only Part of a Mobile Wallet

Examples of Alternative Approaches of Mobile Wallets

Mobile Schemes Mobile Wallet Characteristics

Isis Full NFC, proximity payment, card image in phone

Google Hybrid NFC, proximity with cloud storage of card

PayPal Non-NFC, funding source in Cloud, with companion card, in-store “check-in” to mobile POS systems

Level up, MCX QR code, cloud-based funding source, ACH or card

Starbucks QR code, closed loop stored value with funding card

Square Location-based, facial linked to cloud,

IPhone Cloud, iOS device-centric, linked to iTunes account

Others 280 + combinations

NFC and Mobile Payments

Card Emulation Mode

NFC Conclusions

Mobile payments and mobile wallets have a long time to go until they reach ubiquity

Mobile payments creating new (lower cost) payments choices for retailers – not a replacement

NFC and Cloud payments equally complex and difficult to scale – sustainability??

Security remains a factor for consumers Large, well known brands have an advantage

over lesser known solutions The mobile payments landscape could be

radically different in 5 years

HealthID16

Medical ID Card

Emergency Care

Physician ID & Credentials

Eye Care

Express Registration

Insurance e-Claims Processing

Dental Care Immunizations Record

Prescription Processing

Secure Medical Record Access

Capabilities of Smart Card basedElectronic Healthcare Identity Credential

Medicare Common Access Card Act of 2013 (H.R 3024)

•Calls for an upgraded Medicare card, based on a secure smart card, to verify who is eligible to give and receive benefits as a pre-condition to the claim ever being presented to the Centers for Medicare and Medicaid Services (CMS) for payment.

•It shall protect the personal information of every beneficiary and puts in place a front-end prevention system to only allow authorized providers and suppliers to bill for Medicare services.

Upgraded Medicare Cards

For beneficiaries, the new smart card would securely store the Medicare claim number (identifier) (which today is the Social Security number) on a secure micro-controller.

Does not call for use of biometrics for beneficiary authentication.

Not recommending biometrics for Medicare or Medicaid beneficiaries at this time due to the significant challenges and costs of enrollment.

CMS has estimated the cost to remove the SSN from the beneficiary card to be $317M

Provider and Supplier Medicare Cards

• Providers and suppliers will also receive a new smart card, securely storing their National Provider Identity number (NPI), so that only they can use it.

• Biometric authentication is recommended for providers and suppliers in the Medicare CAC system. This would extend to billing agents within a doctor’s office or hospital.

• By requiring identity verification of providers and beneficiaries before a claim can be filed and payment processed, Medicare would easily eliminate more than fifty percent of the fraud within the current system.

Gov’t ID

21

Multiple Government-Issued IDs

22

Government Identity Card Trends

• Federal PIV mandates under HSPD-12 and OMB M-11-11 are still strongly supported

• PIV cards PIV-I cards CIV cards• Federal worker identity part of immigration reform• Mobile credentials being driven by BYOD, not to

replace cards• Strong chance for Medicare CAC pilots to be funded

this year• State CIO’s are following Federal ICAM guidelines

with requirements for high assurance credentials• States need for electronic authentication increasing re-examining government assistance programs to

cut costs and combat fraud under austerity guidelines - more cloud-based services

Driver’s licenses, govt-assisted health benefits cards, big data servers

23

Randy VanderhoofExecutive DirectorSmart Card Alliancervanderhoof@smartcardalliance.org

1-609-587-4208

www.smartcardalliance.org