Stakeholders Driving Payment Evolution and Digital Identity

April 2007 ACTion Newsletter

IN THIS ISSUE

1. Editorial Comment
2. New Privacy Design Tools Launched
3. Interpro Technology Signs CUETS To Bring New Generation Shared Branch Service To Canadian Marketplace
4. Desjardins Smart Card To Be Launched In St-Jérôme
5. Vodafone and G&D Launch SIM Card Specification Initiative For Secure Element in NFC Mobile Phones
6. Collis & Aspects Open an Office in Boston
7. Gemalto Empowers World's 1st Secure SMS-Based Mobile-Payment Service
8. EDS Selected By Gsa For $66 Million Hspd-12 ID Management Services Contract
9. Oberthur's E-Passport Eal4+ Certified High Security Certification Required For European Union Members
10. U.S. DOD Taps Corestreet For Enterprise-Wide Credential Validation Deployment
11. Venezuela Issues Electronic Passports
12. Visa Creates Global Contactless Program
13. Smart Card Standard Incorporates GlobalPlatform Specification
14. Barclays Tightens Online Banking Security
15. London To Boost Oyster Smart Card Uptake By Giving Away 100,000 Of Them
16. Additional Stories Available In Members Only Section

ACT CANADA THANKS OUR NEW & RENEWING MEMBERS

PRINCIPAL

Credit Union Central of Canada ~ member since 1990

GENERAL

SCM Microsystems ~ member since 2004

UPCOMING EVENTS

CardTech/SecurTech
May 15 - 17, 2007
San Francisco, CA, USA
http://www.ctst.com
ACT Canada members receive 10% off delegate registration fee (including early-bird & renewal rates). Contact Andrea McMullen for more details - andrea@actcda.com.

ACT Canada presents Cardware 07
Government Focus Event - June 21st in Ottawa, ON, Canada
Financial Focus Event - June 25th in Toronto, ON, Canada

World eID
Sept.19 - 21, 2007
Sophia Antipolis, French Riviera
http://www.strategiestm.com/events/se/index.htm
ACT Canada members receive 25% delegate discount (including early-bird & renewal rates). Contact andrea@actcda.com for more details.

1. EDITORIAL COMMENT
Source: Catherine Johnston, President & CEO, ACT Canada (04/27)

A Shot Across the Bow

Associations representing almost 300 US banks are suing TJX Companies, seeking to recover tens of millions of dollars in damages resulting from a database breach that may have compromised more than 45 million credit and debit card numbers. More financial institutions may join the suit.

One might ask:

Could TJX and other public/private organizations prevent such breaches by increasing their security with smart card based tokens and security applications?

Will TJX and others argue the payment card information would be less of a target if we all used counterfeit resistant EMV chip cards?

This is getting interesting, but I have to applaud the payment industry for holding other stakeholders accountable for their security choices. After all, the card associations and their members invest heavily to maintain the levels of security that we as customers expect. As consumers, we should join them in holding all stakeholders in the payment process accountable.

2. NEW PRIVACY DESIGN TOOLS LAUNCHED
Source: ACT Canada (04/27)

ACT Canada announced the release of a new privacy design tools in response to governments and other issuers who choose to use contactless or RFID card technologies.

"There is no question that Canadians want the convenience and transaction speed that is available when contactless technology is used, but we also want to insure that private information is protected," said Catherine Johnston, President & CEO of ACT Canada. Recently there has been debate about the proposed use of long range RFID technology (a form of contactless technology normally used for the movement of goods) for a US/Canada cross border ID. This tool will allow both governments to determine the privacy protection levels for that application.

"With database breaches becoming commonplace and identity fraud increasing, Canadians are vulnerable. Corporations, as well as governments, should use these procedures to ensure they protect us from criminals and themselves from lawsuits, such as the one now facing TJX", concludes Johnston.

The strength of the PIA procedure is that it provides an easy way for designers to assess privacy issues and identify, design and implement appropriate solutions to achieve reliable levels of privacy in an organization's smart card applications, as well as in databases, paper forms and reports, and on remote devices. Johnston added, "Organizations can now produce useful applications that are sensitive to all privacy concerns by incorporating privacy protection through every stage of development and implementation."

ACT Canada would also like to acknowledge and thank Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario (IPC) and her staff. This PIA would not be possible without the comments of the IPC and their assistance with the production of this publication.

ACT Canada and the IPC developed and co-published two earlier Privacy Impact Assessment Procedures. "Working together, we have sought ways to promote advanced card applications and technology that are privacy enabling", says Johnston. This publication is available on the ACT Canada website http://www.actcda.com.

3. INTERPRO TECHNOLOGY SIGNS CUETS TO BRING NEW GENERATION SHARED BRANCH SERVICE TO CANADIAN MARKETPLACE
Source: CUETS (04/17)

INTERPRO Technology announced it has signed an exclusive contract with CU Electronic Transaction Services (CUETS) to replace their existing Inter-Credit Union (ICU) and MasterLink platform.

The agreement between CUETS and INTERPRO will expand Shared Branching in the Canadian marketplace. The INTERPRO solution will bring EMV capability and replace the existing ICU platform that currently serves over 200 credit unions. Masterlink, In Branch PIN management, chip card diagnostics and issuance will be provided as part of the enhanced branch services.

CUETS will also use INTERPRO to offer Shared Branch financial services through an enhanced delivery service channel, where credit unions can come together and share their branches and locations to service their members. The service will provide the credit unions a stronger presence and member retention by serving their members where they live, work and travel while maintaining costs and efficiencies. CUETS provides services to over 400 credit unions throughout Canada.

CUETS is a member of ACT Canada; please visit http://www.cuets.ca.

4. DESJARDINS SMART CARD TO BE LAUNCHED IN ST-JÉRÔME
Source: CNW Telbec (03/31)

Starting in the spring of 2008, members of Desjardins caisses in the city of Saint-Jérôme, north of Montréal, will be the first to be able to carry out debit and credit transactions using the Desjardins smart card.

Desjardins teams are currently working on modifying ATMs and payment terminals in various businesses in Saint-Jérôme. Gradually, over the next few years, all of Desjardins' equipment will be adapted for use with this new technology.

5. VODAFONE AND G&D LAUNCH SIM CARD SPECIFICATION INITIATIVE FOR SECURE ELEMENT IN NFC MOBILE PHONES
Source: ICMA Daily News (04/10)

Vodafone and Giesecke & Devrient (G&D) are teaming up to develop a secure storage element for NFC-enabled mobile phones. This element, intended for trusted applications in NFC mobile devices, is the SIM card, with Vodafone and G&D driving the necessary standardization forward. NFC is wireless-based technology that enables contactless transmission of data between two NFC devices over short distances (i.e., a few centimeters). With their proven, highly secure smart card technology, SIM cards are a natural choice for securely storing information, such as, credit card functions or railroad tickets in mobile phones. Vodafone and G&D will continue developing the specification before making it available to a wider audience in the middle of the year.

In a bid to take mobile NFC systems mainstream at a manufacturer-independent and global level, the industry is currently working on creating the necessary standards to ensure interoperability between all system components. This objective is also behind the initiative launched by Vodafone and G&D to establish SIM cards as a standard, trusted mobile NFC application host.

Giesecke & Devrient is a member of ACT Canada and an exhibitor at Cardware 07; please visit http://www.gi-de.com.

6. COLLIS & ASPECTS OPEN AN OFFICE IN BOSTON
Source: Collis (04/09)

Collis and Aspects Tools have opened an office in Boston: Collis America. The rapidly growing global customer base of Collis and Aspects Tools sees the need for a central office to service the strong growth and demand in the US and Canada.

Collis will be providing high quality testing tools, consultancy and training with a focus on smart card based, electronic transactions and identification, EMV, e-Passport and mobile technology to the US and Canadian markets. Aspects Tools is Collis' Mobile Competence Centre for all products and services offered to the Mobile industry.

Collis is a member of ACT Canada and an exhibitor at Cardware 07; please visit http://www.collis.nl or http://www.collisamerica.com.
Cardware 07 Program Designed for the Canadian Market

EMV stakeholders are looking for a significant amount of information, according to our recent survey, and governments are focussed on credentialing information. To meet these needs, Cardware 07 will have a full track and 2 workshops in Toronto on June 25th. A full day is devoted to information that will help stakeholders attain profits, minimize costs and hear from other stakeholders. The first workshop focuses on specific issues that need to be addressed to roll out EMV and the second provides information for everyone who is in the early stages of EMV, including staff from retailers, issuers, acquirers and others.

One June 21st, the government Cardware will address the practical issues of identity credentialing for both employees and citizens. For more information on registration, exhibiting or sponsoring, please contact ACT Canada.

7. GEMALTO EMPOWERS WORLD'S 1st SECURE SMS-BASED MOBILE-PAYMENT SERVICE
Source: ICMA Daily News (04/10)

Gemalto announced it is providing Belgian mobile operator BASE with a comprehensive solution which allows its subscribers to perform secure payment by just sending an SMS. This revolutionary service is extremely convenient, as it enables consumers to pay with their mobile phone anytime, anywhere, quickly and easily. It also permits merchants to get paid immediately. Gemalto supplied BASE with a mobile payment application compatible with third generation SIM cards, incorporating the m-banxafe technology designed by Banksys, the company behind the authorization, security and guarantee of electronic payments in Belgium. Gemalto also provided the specific personalization services required to guarantee the highest levels of security for SMS-based transactions. The service went live on March 20, 2007.

This mobile-payment capability targets all kinds of practical services such as home deliveries, taxi rides or baby-sitting. Through an easy-to-navigate menu, the payee enters a payment request into his mobile phone. The payer receives this request, specifying the amount and the name of the payee, on his handset screen and accepts the transaction by entering the secret code he selected at service activation. Then both the customer and the merchant receive an SMS confirming the transaction.

The m-banxafe technology enables a link between the SIM card and the subscriber's banking card and account. During the activation process, the customer selects his mobile payment PIN code through the menu of his mobile phone. Then he inserts his banking card into the point of sales terminal of a BASE shop or into an ATM. He just has to select the activation option of the menu to create the link between his banking details and the PIN code on the SIM card. Banksys' m-banxafe enables reloading of the calling credit and live access to the account balance. This application has been designed in cooperation with all Belgian banks, ensuring the same level of security as that achieved with a banking card. From now on, all new Base subscribers will be issued an m-banxafe-enabled SIM card.

Gemalto is a member of ACT Canada and an exhibitor at Cardware 07; please visit http://www.gemalto.com.

8. EDS SELECTED BY GSA FOR $66 MILLION HSPD-12 IDENTITY MANAGEMENT SERVICES CONTRACT FOR FEDERAL AGENCIES
Source: EDS (04/25)

EDS announced it has been selected by the U.S. General Services Administration to provide identity management services to federal government civilian agencies. These services will allow agencies to comply with Homeland Security Presidential Directive 12 (HSPD-12), which calls for a mandatory government-wide standard for a secure common form of identification for all federal government employees and contractors.
The single award GSA Federal Supply Schedule task order is worth $66 million and will run through September 2011 if all options are exercised.

Under this contract, the EDS team will support GSA in issuing identity credentials to approximately 420,000 employees at 42 federal civilian agencies. EDS will provide a shared service solution for end-to-end managed services for core HSPD -12 system components

EDS is a member of ACT Canada; please visit http://www.eds.com.

9. OBERTHUR CARD SYSTEMS' E-PASSPORT EAL4+ CERTIFIED HIGH SECURITY CERTIFICATION REQUIRED FOR EUROPEAN UNION MEMBERS
Source: BUSINESS WIRE (04/19)

Oberthur Card Systems has received the EAL+4 certification1 for its native electronic passport, ID-OneTM ePass. With this mandatory certification, European Union members now have a commercial source of electronic passports which meet Basic Access Control requirements.

In addition, this electronic passport chip is certified with Active authentication, feature that offers a higher security.

This e-passport - which is already ICAO compliant - is a prestigious addition to Oberthur Card Systems' ID-One product line. This strengthens the group's position in the ID market with a comprehensive and aggressive roadmap for the e-passport market worldwide.

Oberthur is a member of ACT Canada and an exhibitor at Cardware 07; please visit http://www.oberthurcs.com.

10. U.S. DOD TAPS CORESTREET FOR ENTERPRISE-WIDE CREDENTIAL VALIDATION DEPLOYMENT
Source: SecureID News (04/03)

The U.S. Department of Defense announced it has selected the CoreStreet Validation Authority for enterprise-wide deployment. Together with other recent acquisitions of CoreStreet products, the DoD will now be able to validate the legitimacy of all 3.5 million service members and contractors, using the DoD Public Key Infrastructure, a scale that would have been impossible with other technologies. Such applications include smart card logon, digitally signed email, and access to secure web portals.

As part of the selection, the DoD has deployed CoreStreet Validation Authorities and dozens of CoreStreet VA Responders at major DoD IT nodes around the globe in an effort to greatly expand their Robust Certificate Validation System (RCVS). The selection also gives the DoD access to CoreStreet's exclusive MiniCRL technology, which enables certificate validation to occur in extremely low-bandwidth environments.

CoreStreet is a member of ACT Canada and an exhibitor at Cardware 07; please visit http://www.corestreet.com.

11. VENEZUELA ISSUES ELECTRONIC PASSPORTS
Source: ICMA Daily News (04/03)

The Bureau for Venezuelans and Foreigners' Identification (Onidex) started issuing electronic passports, but only in five offices nationwide, said Onidex head José Javier Morales.

Onidex offices in Plaza Caracas; La Trinidad, southeast Caracas; Los Ruices, northeast Caracas; Catia, northwest Caracas, and Maracay, central Aragua state, are issuing the document. However, within the next 40 days the fingerprint-capture machines necessary for passports will be in place in 25 offices nationwide, Morales said. He added that in two months they will be able to issue 240,000 passports a month, 180,000 units above the current number.

"We are going up from 600,000 passports a year to over 3.5 million passports a year," Morales said.

12. VISA CREATES GLOBAL CONTACTLESS PROGRAM
Source: CardTechnology (04/24)

Visa Europe will announce this week it will adopt the "Visa payWave" name for its contactless payment service, Card Technology has learned. Visa's U.S. branch announced yesterday it would take the name as part of a "consumer awareness campaign" around contactless.

Visa wants to build momentum behind the planned launch of contactless payment this fall in London. Visa has been promoting a contactless brand, "Visa Wave," in Taiwan, South Korea and Malaysia and the rest of the Asia -Pacific region outside of Japan for more than a year. But it maintained a low-key "Visa Contactless" name for its contactless feature in the United States and Europe.

The global program will yield an "integrated marketing campaign to highlight the speed and convenience of the Visa payWave feature," Visa said in a statement.

Visa Canada is a member of ACT Canada; please visit http://www.visa.ca.

13. SMART CARD STANDARD INCORPORATES GLOBALPLATFORM SPECIFICATION
Source: CardTechnology (03/30)

The international committee that sets standards for contact smart cards has added a new provision governing how new applications are added to smart cards, incorporating technology from the GlobalPlatform industry group. The new provision, part 13 of the ISO/IEC 7816 standard that governs contact smart cards, was published earlier this month by the Switzerland-based International Organization for Standardization, or ISO. "It's always better to rely on an ISO standard because you can be sure it is open, free, and available to anyone," Marc Kekicheff, vice chair of GlobalPlatform tells Card Technology's sister publication CardLine Europe. He says ISO's incorporation of the GlobalPlatform technology into its standard means that vendors following the GlobalPlatform specification can easily provide ISO-standard products.

Kekicheff says the push to standardize this post-issuance process came from officials in Japan, where government agencies are offering a variety of smart cards as identification documents and want to be able to add new features to those cards after issuance. Whether this will affect banks and credit card issuers, Kekicheff says, "depends on how many multiapplication cards banks want to do." While many banks around the world are converting to smart cards that conform to EMV, the global standard for chip-based payment cards, most of the chip-based bank cards issued to date are single-function credit or debit cards. GlobalPlatform software has been a common addition to Java-based smart cards, including many SIM cards, providing security for loading applications and post-issuance downloads of data.

14. BARCLAYS TIGHTENS ONLINE BANKING SECURITY
Source: Barclays (04/23)

Barclays is stepping up the security of its UK online banking service by issuing 500,000 customers with one-time password generators from digital security firm Gemalto.

Gemalto's portable PINsentry is a chip card reader and PIN entry device that works with standard chip-and-PIN bank cards to generate one-time-only passwords.

Barclays says that the passwords will be used for online customer log-in and for carrying out certain payments. The passwords will replace current passcodes and memorable words.

PINsentry is compliant with EMV and with the MasterCard and Visa Chip Authentication Program (CAP) 2007 specifications, according to Gemalto. The device also meets the requirements of UK payment association APACS.

Barclays says PINsentry will be issued free of charge to its Internet banking customers. The contract between the two firms calls for Gemalto to deliver 500,000 units to Barclays' customers by the end of 2007 and includes options for additional deliveries into 2008.

Initially, readers will be issued to personal banking customers who make online payments to new third-party accounts. Customers who make payments to standard suppliers on Barclays' pre-established payment beneficiaries list, such as utility and credit card companies, will not be sent the devices initially, says Barclays.

The readers will also be issued to premier banking customers and to small and medium-sized business customers who use online banking to set up third-party payments to new accounts.

Gemalto is a member of ACT Canada and an exhibitor at Cardware 07; please visit http://www.gemalto.com.

15. LONDON TO BOOST OYSTER SMART CARD UPTAKE BY GIVING AWAY 100,000 OF THEM
Source: PublicTechnology.net (04/18)

The Mayor of London is launching a major new campaign to encourage all Londoners, particularly those on a low income, to use an Oyster card, which provides the cheapest way of travelling on London's public transport system. The campaign will include giving away 100,000 Oyster cards on a first come, first served basis to new customers.

Oyster has been a huge success and this promotion is aimed at encouraging those who are not taking advantage of the cheaper, faster and more convenient travel it provides to do so. As part of the promotion, 100,000 Oyster cards will now be given away through national, local and community press adverts, targeted at London's communities where Oyster take-up is lower. Fares are always cheaper using Oyster: a single bus fare is £1 and a single Tube fare is £1.50 - these are the same as 2000 prices.

The free Oyster cards are available on a first come first served basis for all passengers who currently do not already have one. Those who apply will not have to pay the usual £3 deposit.

With more than 10 million Oyster cards issued, over three-quarters of all Tube and Bus journeys are now made using Oyster. The latest figures show that the number of single journeys now paid for by cash is extremely low, at just 4% on London Underground and 3% on buses.

The Mayor of London, Ken Livingstone, said: "Oyster has revolutionised the way people travel in London. Fares are cheaper using Oyster and it has speeded up the network by reducing queues. With more than ten million Oyster cards issued, the vast majority of people across London are already enjoying its benefits. This campaign is encouraging Oyster uptake amongst passengers who are still paying cash and therefore paying more. You can buy an Oyster card over the counter at any London Underground ticket office without filling out any forms or providing any personal information."

The campaign starts on Monday 16 April across a range of publications..

16. ADDITIONAL STORIES AVAILABLE IN ACT CANADA MEMBERS ONLY SECTION

These additional stories are available to ACT Canada members via the Members Only section of our web site. Click on the link below to access this section.
If you are a member of ACT Canada but do not have your login details please contact me - andrea@actcda.com.
http://www.actcda.com/members-only/members-only-news/

U.S. BANK TO OFFER BIOMETRIC SECURITY FOR HOME BANKING

U.S.-based Bank of Utah says it's planning to offer keystroke biometrics as an alternative to smart cards or one-time password generators…

UK'S CITY OF CAMBRIDGE LAUNCHES RESIDENT LOYALTY CARD

In the United Kingdom, the city of Cambridge is to get its own electronic loyalty card for cooperative use by local shops, restaurants and leisure facilities, thanks to an initiative launched by the Cambridge City Council in conjunction with the Local Secrets online leisure guide....

For more information, please contact Andrea McMullen at 1 905 426-6360 ext 124 or email andrea@actcda.com.

Please forward any comments, suggestions, questions or articles to andrea@actcda.com. Please note that articles contained in this newsletter have been edited for length, and are for information purposes only.