Selected Press Releases
As Smart Cards Continue to Emerge in 2006

Citibank to trial contactless payments on subway

Published: 30/01/2006 15:13:00

Citibank is to conduct a six-month trial of contactless payments technology at ticket barriers on the New York subway. Citi says the tests are being conducted in league with the Metropolitan Transportation Authority and MTA New York City Transit and will use MasterCard's PayPass technology.

The bank says participants in the subway trial will be able to pay for their fare at the point of entry by simply tapping their new Citi MasterCard card or payment tag on a specially equipped reader mounted on a subway turnstile.

The trial will take place at select Lexington Avenue Line 4 5 6 stations. During the trial, participating customers will have the pay-per-ride option, including the 20% bonus, available to them. No passes or transfers to buses will be available.

MTA executive director Katherine Lapp, says: "Contactless payments hold the promise of simplifying fare payment for customers who travel throughout the MTA network, while also providing for operating efficiencies and cost savings."

Please put your smart card up to the sensor again

Tue 31 Jan 2006

In case you thought New York wasn't moving quite fast enough for you, the MTA would like to speed things up a bit.

You still shouldn't run on stairs, or save time by not putting on your pants, but a new technology is being applied to MetroCards to speed up the turn-style process.

The MTA is considering replacing the often frustrating magnetic-stripe MetroCards with a quicker, more reliable technology, and will use the results of the trial to determine how best to proceed, transit officials said.
The new metro credit card/pay passes/smart card/key fob things will be available to "specially selected customers" on the 6 train between 125th Street and Bowling Green, and Jay Street/Borough Hall in Brooklyn and 23rd Street/Ely Avenue in Long Island City.

Everyone will still get a free $2 ride, but, sorry, no more free transfers to buses, which will not be equipped with the new readers.

So, these new credit card/FOB key things sound like lots of fun. They help people get gas and McDonald's faster — why not get on the subway more quickly. We guess the MTA doesn't have anything else to do besides think of better MetroCard technology. Like, figure out a contract with the TWU for example.

Contactless Payments Gain In Quick-Serve Market

Card Technology Jan 13 2006 :

By end-2005, about 15,000 retailers in the US were predicted to accept Visa-branded contactless payment cards, with Visa USA estimating this total to exceed 35,000 by the end of 2006. As of December 2005, over 4.3 million MasterCard PayPass (contactless payment) cards and fobs were in circulation in the US, and about 25,000 merchants accepted PayPass. Most merchants have reported positive experiences with contactless payments even if readers for POS terminals cost in the region of USD 100 to USD 150, with a definite payback of increased purchase volume.

Contactless payments are ideal for quick-serve environments such as fast-food restaurants and convenience stores where customers want to pay and leave quickly. By end-2006, fast-food chain Arby’s aims to have 20 to 25 per cent of customers using contactless payments, particularly at drive-through lanes, where 5 to 15 seconds per transaction can be saved. Gas retailer Sheetz has also found contactless cardholders to shop at its stores more often and spend more per visit, which confirms the value proposition of contactless cards as defined in the card schemes’ trials.

With one in five quick-serve restaurants in the US not accepting credit or debit cards as of 2005, according to the National Restaurant Association (NRA), these businesses have a larger upfront investment for contactless payments, which require card-acceptance infrastructure. Visa however reports that spending on its cards at fast-food outlets grew by 67 per cent in 2004 versus totals for 2003. Similarly, with many industry surveys showing cash to be declining as a payment option, contactless payments represent a way for the card associations to gain more of the cash market.

Related Links:
Low-Value Card Purchases Gain Ground In The US
Contactless Payments Achieving A 'Ripple' Effect
Visa USA Extends Small-Value Payments Program


AIX EN PROVENCE, FRANCE, January 30th, 2006 –

INSIDE Contactless today announced that it has entered into an agreement with TradeWind Technologies LLC to combine the two companies’ technology to deliver the market’s first multi-standard Secure Digital (SD) contactless reader. INSIDE’s innovative PicoRead chipset has been integrated into TradeWind’s industry leading ContactlessONE SD contactless reader, enabling Pocket PCs and Palm devices to read and write to 13.56 MHz ISO tags and smart labels.

“Working together, INSIDE and TradeWind have married contactless technology with the ease-of-use of handheld devices, providing a cost-effective, easily deployable platform for contactless applications in a wide range of industries, including healthcare, corporate, consumer and manufacturing,” stated INSIDE Contactless’ Project Manager, Olivier Carron. “PicoRead’s unique low-cost, low-power design and multi-standard technology makes it the perfect chip for this groundbreaking small form factor, turning any PocketPC or Palm with an SDIO slot into an extremely easy-to-use contactless device.”

“Combining simple-to-use handhelds with contactless technology is a logical extension of existing devices,” stated Doug Yeager, president of TradeWind Technologies. “TradeWind’s ContactlessONE SD contactless reader is already proving its worth in customer deployments. We anticipate high demand for these readers as more and more companies and institutions move to using contactless technology for capturing critical data and information.”

The readers feature a very small form factor – just 28mm by 28mm, extending outside a PocketPC or Palm device’s external SD slot by a mere 6mm. With INSIDE’s PicoRead contactless technology, the TradeWind SD contactless reader is compatible with all standards, including ISO 15693, ISO 14443A and B, ISO 18000 and FeliCa™ chips. PicoRead’s robust capabilities ensure high performance, while its crypto support provides a high level of security, and its low power consumption significantly extends battery life.

INSIDE’s PicoRead technology is designed to address the fast growing demand for a high performance, low-cost RF 13.56MHz contactless interface for large scale applications where low-power and small footprint are required. Applications benefiting from this innovative product include access control for corporate campuses, government installations and hotels, as well as logical access via integration into laptops, keyboards, handheld terminals, and consumer electronic devices such as PDAs and mobile phones.

Korea's Chohung Bank Issues JCB Brand Smart Card: Chohung 365 BC JCB Card

Tokyo, Japan, Jan 17, 2006 - (JCN Newswire) -

JCB, the only Asian-based international payment brand, is happy to announce that Chohung Bank, Korea's oldest financial service institution with over 100 years of history has launched the Chohung 365 BC JCB Card smart card compliant with the global EMV standard. This is the first full-scale launch of a JCB smart card in Korea. The recruitment campaign for the 365 BC JCB card started last month, and has already generated a high number of applications.

The new Chohung 365 BC JCB Card leverages chip technology to offer a wider range of services including BC miles redeemable for tickets on all airlines in Korea, the Korea Train eXpress (KTX) mileage program, and the OK cashback program, which is a major loyalty program affiliated with many national chain stores.

A significant advantage is that Chohung 365 BC JCB cardmembers can choose to have the T-money function incorporated into the IC chip, which enables them to use a postpaid T-money service on subways and buses in Seoul and other local districts. T-money function can also be used to pay admission at amusement parks and other spectator facilities, as well as parking fees. Other benefits include discounts offered at nationwide SK gas stations, major cinemas, hotel discounts of 20 to 50% off, and airline discounts from 5 to 7% off, while purchases of foreign currency receive a 30% discount on the exchange commission at Chohung Bank.

"Smart cards not only provide greater protection against fraudulent use and counterfeiting than magnetic stripe cards, but also give JCB partners such as Chohung the possibility of developing highly differentiated products like the 365 BC JCB Card with its wide range of value-added services by taking advantage of chip technologies", said Mr. Seiji Kashitani, General Manager of JCB International Asia based in Seoul.

"Our highest goal is to contribute to our customer's daily life. That's why the 365 name represents our commitment to satisfying customers 365 days a year. The average human body temperature is 36.5C, and we think about providing service to each customer as a human being, every day, as part of their everyday lives", said Mr. Ko Hong Man, Deputy General Manager at Chohung Bank. "What is more, we can now offer our customers JCB's international service commitment with worldwide acceptance through JCB's 13.2 million merchant network in 190 countries and territories."

JCB's presence in Korea began in 1983 with acquiring operations with Bank Credit Card Association, now called BC Card Co., Ltd., and issuing operations with BC began in 1993. With Korea's rapid economic growth, the first two years saw 500,000 BC JCB cards issued. In 1997, JCB started license acquiring and issuing operations with LG and Korea Exchange Bank Credit Service Co., Ltd. Followed by issuing programs by Shinhan Bank in 2002 and Kookmin Bank in 2004, JCB card members in Korea continue to increase.

In 2004, JCB acquired a one-third ownership in EMVCo along with Visa and MasterCard to participate in the EMV Specifications standards maintenance that ensures worldwide interoperability and acceptance of smart card payment systems. JCB is actively sharing its expertise in smart card technology with issuing partners around the world.

Visa unveils redesigned credit card

Friday February 3, 2006 KUALA LUMPUR:

Visa International has introduced a new card design with enhanced security features that make counterfeiting more difficult while opening new business opportunities for its member financial institutions, the company said in a statement. 

“The new holographic magnetic stripe and EMV (Europay-MasterCard-Visa) chip card had been endorsed by International law enforcement agencies,” Visa said. 

The company said the new security component combined the “easy to recognise, difficult to reproduce'' hologram with the functionality of the magnetic stripe, making the card more difficult for fraudsters to reproduce and easier for merchants to recognise. 

Apart from that, Visa has also enhanced the signature panel with a tamper-evident element and a “VOID'' pattern underneath to provide extra levels of security. 

“Cardholders will now find the three-digit security code (CVV2) easier to read when they shop online or over the telephone,” Visa said, adding that the new card design represented the second phase of Visa’s efforts to refresh and evolve the brand. 

Visa New Card Design

The new Dove hologram and security features integrated with magnetic strip.

“This rebranding exercise will be a gradual change-over as current Visa cards will still be in circulation and be accepted until 2010,” Visa International Asia Pacific Ltd country manager for Malaysia, Jeffrey Perera. 

“Maybank was Visa's first member bank to introduce the new card design in Malaysia which is ‘Wave enabled’, allowing cardholders to benefit from the same level of acceptance and convenience as any other cards,” Perera added. 

Visa Wave is the first Visa contactless smart-card built on the global EMV standard

New Research Shows Loss of Personal/Financial Data the No. 1 Concern of Consumers Worldwide

25 January 2006

A global survey of consumer attitudes released today by Visa International reveals that the theft or loss of personal or financial information is the number one concern among consumers worldwide, with 64% expressing anxiety over such an occurrence.

The global response to theft or loss of information surpassed environmental degradation (62%) and terrorism (58%) as causes for concern. Other major issues for the consumers were job losses (57%), disease or epidemics (55%) and natural disasters (48%).

China, however, recorded an even higher concern level with information security than the worldwide average, with 77% of Chinese indicating they are highly concerned about having personal or financial information lost or stolen. 76% of consumers in India were also very concerned about lost or stolen information.

Both China and India were in the top four countries most concerned about lost or stolen personal information among the 12 countries surveyed. At 52% and 48% respectively, the levels of concern drop significantly among consumers in Japan and Australia, the other two Asia Pacific markets included in the survey.

Corresponding to China’s overall concerns, 90% of the Chinese reported that they were more concerned as a result of what they had heard or seen on the news. Along with South Africa, this was the highest global response recorded in this category.

“This survey confirms for Visa that data security is as much a concern to consumers in China as it is to others around the world. Ensuring world class data security in rapidly developing markets is a top priority for Visa and its members” said Peter Maher, executive vice president and general manager, Risk Management, Visa Asia Pacific.

Australian consumers reflected the importance they placed on the role of advanced technologies to authenticate the transactions of genuine cardholders, with 63% of them saying it would make them feel much more secure, compared to the global average of 57% for this response.

Advanced security technologies such as EMV chip and data encryption are key fraud prevention programs, which Visa and its members are introducing to drive down fraud levels. Malaysia has already completed a national migration program to EMV chip and has introduced encryption throughout its payment system. The new technology has virtually eliminated counterfeit fraud in Malaysia.

Other data security initiatives being run across Asia Pacific include Visa’s Account Information Security, which helps merchants and payment processors improve their data security standards to safeguard cardholder data; as well as Verified by Visa - an online authentication program. Fraud as percentage of Visa's volume has declined in the last decade and is at an all-time low.

Globally, consumers also viewed broader education as part of the solution, with 40% reporting that they would feel more secure if they had more information about how to protect themselves against loss of their personal data. Still, education efforts are also making an impact, as consumers report changes in behavior, particularly when shopping online:

- 63% of consumers say they are more careful when disposing of financial statements
- 50% look at the privacy policies of companies with which they do business
- 62% of online shoppers are more discriminate about the sites at which they make purchases

Other potential measures cited by surveyed consumers included better enforcement of laws and zero liability for fraudulent use of payment cards, a protection already in place in Asia Pacific, Canada and the United States.

More than 6,000 consumers across the United States, Canada, the United Kingdom, Germany, Russia, South Africa, Australia, China, India, Japan, Mexico, and Brazil responded to the survey, which was conducted in November and December 2005 by Harris Interactive. The margin of error is +/- 1.3%.

A Startup Readies a Payments Network Based on Driver’s Licenses

(January 18, 2006)

A startup company led by the former head of a processor of automated clearing house transactions is readying a network that will allow consumers to use their driver’s licenses to pay for goods at the point of sale. Boulder, Colo.-based Combined Payments Network LLC plans to formally unveil its product, called FastLane Secure Payments, at a major trade show for independent sales organizations in April. The new network will join a mounting effort by entrepreneurs to offer retailers payment systems that don’t rely on the bank card networks, whose pricing policies have come under intense attack by merchant groups over the past year. “The market is really asking for an alternative to the existing credit card networks,” says Carl Towner, chief executive at Combined and formerly chief executive at First American Payment Processing Inc., a company he sold in November 2004 to concentrate on FastLane.

Already, companies like Debitman Card Inc. and Pay By Touch Solutions have begun to make headway among merchants by marketing alternative POS payment systems that play to retailers’ anger over rising bank card interchange fees. In the past six months, merchant groups have filed some 47 lawsuits against Visa, MasterCard, and assorted banks over interchange. Like Debitman, FastLane will rely on the ACH settlement network. And, like Pay By Touch, which links payments to consumers’ fingerprints, it relies on something nearly ubiquitous among consumers—at least among those 16 years old and up. “I consider Pay By Touch to be our number-one competitor,” says Towner. He says FastLane’s advantage lies in the fact that it requires little investment by merchants, since it depends on cards and POS devices already in the marketplace. FastLane will require a software download by client retailers.

FastLane, which Towner says will be launched at the upcoming Electronic Transactions Association’s exhibition in Las Vegas, will concentrate at first on offering merchants the ability to link loyalty and gift card programs to customers’ driver’s licenses. About half of the states issue mag-striped licenses, Towner estimates, and these cards account for about 70% of all drivers licenses issued.

As consumers enroll in these programs, they will be asked to tie their checking accounts to their licenses as well. If they do, they will select a PIN and will be able to use their licenses as debit cards, with payments settling through the ACH. They will also use a seven-digit account number assigned when they swipe their driver’s licenses or, as will be the case with licenses lacking mag stripes, enroll online. Later, Towner says FastLane will offer lines of credit as well, which will turn the government-issued pieces of plastic into credit cards.

By April, Combined Payments will have set up three data centers to support consumer entrollment, drive messages to point-of-sale terminals, and switch transactions. FastLane will transmit encrypted transaction messages from terminals to the secure data centers, with critical information handled only on offline servers. Because of bank card costs and recent security concerns, FastLane will likely exclude Visa and MasterCard products, Towner says.

The company plans to charge merchants up to 25 cents per transaction, but will return anywhere from a nickel to a dime to merchants for each FastLane transaction performed anywhere by a consumer enrolled by those merchants. It will also deliver short marketing pitches to POS terminals as transactions are processing, and will share marketing fees with merchants for each positive response garnered from customers. Under a $2 million agreement Combined Payments has struck with an unnamed mortgage company, for example, FastLane will charge the lender $4 per “yes” response and share half with merchants.

Still, though he hopes FastLane could ultimately deliver transactions to merchants at little or no net cost to them, Towner says cost of payments is not his biggest selling point. “I’m not pushing cost, I’m pushing security and convenience,” he says. “We’re really poking a finger in Visa and MasterCard’s eye on security.”

So far, Combined Payments has not marketed FastLane to merchants, though Towner hopes the introduction of the new network at the ETA show will attract ISOs to help sell the system. And, though FastLane is so far certified only on VeriFone terminals, Towner says other POS terminal makes will be added later. Towner and his partner, former transaction-processing executive Burt Walker, have funded the company with their own money, with $2.1 million in development cost incurred so far. “We’re investing heavily and not seeking outside capital,” Towner says.

In November 2004, Towner and other defendants paid almost $1.6 million to the Federal Trade Commission to settle a suit the FTC had filed in January alleging First American Payment Processing and other companies had processed ACH transactions on behalf of fraudulent telemarketers. The defendants also agreed not to process for telemarketers. Towner, who says he settled mainly to avoid further legal costs, says the telemarketing ban will have no effect on FastLane’s prospects, since the product is focusing on point-of-sale merchants. He adds that FAPP had stopped processing for telemarketers nearly a year before the FTC filed its suit, that there had been six of them, and that the average length of time FAPP had processed for any of them was 90 days.

EMVCo launches common card payment application spec

13 January 2006

Intra-industry cards standards body EMVCo has announced a common payment application for debit and credit card processing, which it hopes will reduce the cost and complexity of chip migration for issuers of EMV – Europay/Visa/Mastercard –cards.

The CPA is the outcome of a cooperative effort by Japanese card issuer JCB, MasterCard International, Visa International, card issuers and the users of EMV specifications. EMVCo calls it a 'common core definitions-compliant application', which essentially means that it offers a common platform for EMV-based debit and credit processing. This enables issuers to use a single processing system for all cards, regardless of brand.

"Since EMV implementation began, it became apparent that the smart card industry and issuing banks in particular could benefit from a common payment application that would be able to carry all payment system brands. Such an application could greatly decrease the time, cost and complexity of migrating to EMV by enabling a single host processing system to handle multiple card payment brands," said the EMVCo board of managers at the launch.

Link to EMVco Press Release

Protestors Demonstrate Outside the National Retail Federation's Annual Conference in New York

Smart Multimedia Gallery January 16, 2006

Today in New York, dozens of protestors stood outside the Javits Center during the National Retail Federation's annual conference and expo. The group was demonstrating against the interchange fees that card associations like Visa, MasterCard and American Express charge to retailers every time a consumer uses a credit card. The topic of interchange fees has been a hot button issue for the retail industry, which paid approximately $39 billion in fees to the card associations last year. Ultimately, this cost is passed onto consumers through higher prices. Retailers interested in eliminating their interchange fees were encouraged to sign up at (Photo: Business Wire) --(BUSINESS WIRE)--A photo, taken today outside the Javits Center during the National Retail Federation's annual conference in New York, showing protestors demonstrating against interchange fees associated with major credit card companies is available on Business Wire's Web site, and AP PhotoExpress.

Texas goes live with a smart card-based benefits card

Wednesday, January 25 2006

Speed, convenience and quicker reimbursement all add up to a successful launch of the WIC smart card program in Texas. WIC, a federal program begun in 1974, stands for Women, Infants and Children and provides participants with nutritious foods, counseling, and referrals to health and other social services at no charge. The program serves low-income pregnant, postpartum and breast-feeding women, and infants and children up to age 5 who are at nutrition risk.

In most states, women are given WIC vouchers or checks that they redeem at grocery stores for WIC-eligible foods and beverages, such as milk and infant formula. But in Texas, all that is changing.

After a year-long pilot program in El Paso, the state's Department of State Health Services (DSHS) is expanding the use of an electronic benefits smart card for purchases made by WIC clients, replacing the paper voucher system.

"The pilot went very well," said Hank Lundberg, part of the DSHS Electronic Benefits Transfer Development project. Last October, the state began the gradual implementation of the WIC smart card program, issuing its Lone Star Card to women in the north central Texas area near Dallas. This same card is also used for food stamp and TANF (Temporary Assistance for Needy Families) recipients, he said.

"It will be an incremental expansion," said Mr. Lundberg of the multi-year project. "We had to break this up into manageable pieces so stores can get ready."

The smart card, produced by Gemplus and issued through First Data Government Solutions, contains a chip that stores food benefits data for all members of a household participating in the WIC program. "The card is loaded for each client at a WIC clinic," Mr. Lundberg said.

At the grocery store, the user inserts the card into a device at the register, where the card stays until the purchases are complete. "Computer systems of WIC-authorized grocers read the cards at a checkout terminal and match the information to items as they are scanned," said Mr. Lundberg. Store computers identify WIC-approved items based on scanned product codes. When the WIC client is finished, she is prompted to remove her card.

The items are deducted from the user's card as the items are rung up. When the client comes through the lane, two transactions are actually conducted, one for the store and one for WIC, explained Mr. Lundberg. Those WIC transactions are then bundled "and sent to us electronically."

Each card contains food benefit information covering three months, calculated on a month-by-month basis. As items are purchased, the card is automatically updated with the remaining balance.

Under the old system, WIC-eligible items had to be separated and totaled so the vouchers could be properly redeemed. This process took extra time at the cash register. No more.
"A huge benefit for the client is the ease in using the card," said Mr. Lundberg. "Instead of carrying a big wad of paper (vouchers), they just have this one plastic card. In the past, if the client lost the vouchers, we had no mechanism to replace them, but if they lose the card, we now know what they've used and we are able to easily replace the card."

Supermarkets love it too, not only for the time it saves a cashier, but because it reduces the time it takes for the store to be reimbursed for the WIC items. "With paper, it takes three to four weeks to get reimbursed,” said Mr. Lundberg. “With electronic transactions, redemptions occur in only three to four days."

And the users? "They don't want to go back to paper," he said.

The new program "virtually eliminates fraud. Also, the cashier doesn't have to think about whether it's a WIC or non-WIC item," he added.

Before the state even began its pilot program, it worked closely with retailers, making sure the system would work with the various cash register systems in use. "Let's say the grocer users NCR or IBM systems. We worked with the grocers to make sure their ECR (electronic cash register) vendors could integrate the electronic benefits transfer (EBT) function into their software," said Mr. Lundberg.

The program will also work for the small grocer who may not have the sophisticated electronic cash register capability of the chains. "We have an EBT-compatible device developed for the small operation," he added. "We have three commercial vendors who have developed solutions for small grocers which does the same thing as the electronic cash register."

That, he added, was one reason Texas' program is more successful than pilots that started, and failed, in other states. "Many states were trying to set up a stand-aside solution where they had two systems running," he said. "Cashiers had to scan twice and in a lot of cases that hasn't worked very well."

Another reason for the state's success is the number of people who participated in the pilot program. "We had more participants covered in our pilot than in all the other states combined," said Mr. Lundberg.

He said the state is "still working on final implementation dates. After we complete Collin County (near Dallas) next month, we'll be expanding to west Texas, Midland-Odessa and just east of El Paso but south of the Panhandle. It's a pretty large area and that expansion will start in June. In September we'll be expanding into the Panhandle, Lubbock and Amarillo."


Is It Time To Say Goodbye to Paper Money?

By Walaika K. Haskins January 30, 2006 7:00AM  Top Tech News

Creating a cashless society in the U.S. with either mobile phones or smart cards would require enormous effort by players in several industries, said the Yankee Group's Joe Levine, including credit-card companies, mobile-phone service providers, manufacturers, and retailers.

Gig-E and Fast Ethernet point-to-point, outdoor wireless bridges from LightPointe. Connect remote facilities. Eliminate monthly charges. Replace low-bandwidth bridges. Optical Wireless and breakthrough fully integrated DualPath outdoor wireless products. Get instant online price estimates.

Since the late 1990s, when the expansion and adoption of the Internet created a bona fide Mecca for retailers and shoppers, people have looked forward to the day when physical cash would no longer be the mainstay of payment transactions. When the Internet boom came to a screeching halt in 2000, some experts believed that it also marked the end of efforts to establish digital currencies.

But the continuing success of the online payment service PayPal, as well as the recent adoption of so-called e-cash by 15 million people in Japan, has bought the electronic-money movement new momentum.

Money from Nothing

The push for electronic money became an integral part of the digital revolution during the mid to late '90s. It was based on the premise that consumers would balk when asked to submit their credit-card numbers when making a purchase.

Giving online customers a way to convert physical cash into digital coin seemed like the solution. This "e-money" would be stored offline on cards embedded with a chip -- smart cards -- or within a computer's hard drive, and it could be used to make any kind of purchase.

A bevy of private digital currency start-ups hit the Web. But these currencies amounted to little more than digital Green Stamps. Designed for use online only, the currencies that were created by companies such as,,, and others were not connected to any government or central bank.

While some promoters and consumers found the lack of government involvement a plus, most shoppers and merchants were hesitant to jump in to these online money schemes. Many companies folded as the dot-com boom began its downturn in 2000.

Konichiwa, E-Money

Today, however, for 15 million Japanese, paper money is a thing of the past, according to the Japan Research Institute. No longer solely used for online purchases, e-money, accessed via a smart card or mobile phone, has become a way of life for many consumers in Japan.

The e-money trend began there roughly four years ago as a service for busy, on-the-go train commuters. Today, specially equipped mobile phones and smart cards are used to purchase items from convenience stores, department stores, restaurants, newsstands, supermarkets, and other retailers. The Japan Research Institute estimated that by 2008 some 40 million Japanese, roughly one-third of the country, will be using electronic money.

Technologies such as FeliCa, from Sony, use integrated chips that enable devices to receive and emit electronic signals. These "contactless" or near-field communication (NFC) devices include mobile phones, transit cards, and prepaid e-money cards.

Japanese Economic Monthly reported last year that NTT DoCoMo, the country's leading mobile-communications company, had sold some 3.34 million handsets equipped with the FeliCa technology through April 2005. In 2005, the number of digital-money transactions more than doubled, averaging around 15.8 million each month, according to statistics from the two largest electronic-money providers in Japan. Some Japanese supermarkets have reported that up to 40 percent of all purchases now are made with e-cash.

Other countries, notably Hong Kong and Canada, also have implemented electronic-cash systems that have seen some adoption. But if you are waiting for similar technology to become the norm in the United States, you might want to hang on to those greenbacks.

Coming to America

Joe Levine, a senior analyst at Yankee Group, is skeptical that U.S. paper money or coins will fall by the wayside anytime soon. Creating a cashless society in the U.S. with either mobile phones or smart cards would require enormous effort by players in several industries, he said, including credit-card companies, mobile-phone service providers, manufacturers, and retailers.

Japan is so far along because companies like DoCoMo are the heavy hitters in their industries, Levine said, and have made significant investments to develop e-cash technologies. DoCoMo, for instance, invested some $900 million to acquire a 34 percent stake in Sumitomo Mitsui Cards, Japan's second-largest credit-card company.

After that deal, announced last April, the credit provider started developing point-of-sale terminals and ATMs for use with DoCoMo's mobile-wallet handsets. Levine said he has not seen anything like that type of commitment in the U.S., as American service providers do not seem as focused on e-money as an opportunity.

"We're more fragmented here [than in Japan], with a larger number of tier one [mobile companies] and a portion of the country that is served by tier-twos," Levine said. "There isn't the same sort of dominant player [like DoCoMo]. There isn't a single wireless company that if they got behind a standard, it would become the standard. And that's a significant difference, that we have a larger, less-consolidated market."

Charles Goldfinger, a consultant who has advised the European Commission on e-finance and smart-card-based financial applications, agreed that DoCoMo's relative dominance in its industry and its base of some 50 million subscribers helped digital money become successful in Japan.

"In the U.S., the telcom situation is very different," Goldfinger said. "The fact that the U.S. has several major mobile services providers as well as several leading financial institutions will hinder the effort to achieve a digital-money standard."

Adapting Dinosaurs

Some technology prognosticators, including Microsoft Chairman Bill Gates in 1994, have gone so far as to say that banks are "dinosaurs." When cash disappears, the argument goes, banks become extinct.

But banks as well as credit-card companies are already involved in developing contactless cards and other electronic-cash technologies. In Japan, for instance, said Goldfinger, the Central Bank in Japan was pushing for e-money, in particular through DoCoMo.

"Banks," said Goldfinger, "are adaptive dinosaurs and anyone who writes them off is crazy. I say that because they will still continue to run the payment business and ultimately [digital money] is a payment business."

According to Levine, the digital-money movement will be driven by credit-card companies, not mobile-service providers, which will have to find a way to work with the credit-card companies that already have hundreds of thousands, if not millions, of merchant relationships in the U.S.

"Credit-card companies are already involved in digital money," said Levine. "Credit-card companies have been pushing hard to increase their share of small-value transactions. It's one of the last areas where credit cards are not used that widely."

Technological Baby Steps

Although Levine and Goldfinger both said that the U.S. is likely to be one of the last countries to make the shift to digital funds, they also said that some change has begun already.

Cingular, for example, is currently conducting a trial e-money system at Phillips Arena in Atlanta, home of that city's Hawks and Thrashers sports teams. The service, which uses Nokia mobile phones equipped with Phillips NFC chips, currently is available only to 250 season-ticket holders who have a Visa account with Chase bank. The fans use the phones to purchase concessions inside the arena.

Credit-card companies also are rolling out contactless credit cards. Blink by Chase, PayPass by Mastercard, Contactless by Visa, and Express Pay by American Express are the newest frontier for credit issuers. The NFC-based cards do away with swiping and signatures. Instead, consumers simply hold their card up to the reader and the transaction is complete.

The push in the last six months to launch the contactless cards is the second such effort by credit-card companies, and should be much more successful, Levine said.

"One of the keys this time around is that [the credit providers] have actually succeeded in getting a few major merchants to sign on," Levine said. "[Contactless cards] are supported more and more by major merchants and that's one of the big keys -- merchant acceptance."

Upgrading the point-of-sale payment system will cost merchants a significant sum, Levine said. It is a chicken-and-egg problem. Merchants are reluctant to make a significant investment in a technology that is not in the hands of consumers, and those same consumers are reticent to use a new technology that is only narrowly accepted.

One selling point of the new contactless cards, however, is that they still have the familiar magnetic stripe, so people can use them at any store.

"You're not going to have a person using something that is not accepted by a number of stores," Levine said. "That advantage here is that [for] the merchants that are enabled to do the contactless payment, you can wave [the card] and for those who are not, you can swipe it."

The Correct Change

So, what would get the U.S. to the day when cash becomes obsolete? According to Levine, we are still far enough away that trying to foresee a turning point is difficult.

In the same way that cash was still on the scene after the introduction of checks, so will it eventually coexist following any adoption of digital money, Goldfinger said. Nor will e-cash eliminate credit cards and debt, he said. People still will be reluctant, he pointed out, to use a prepaid card to buy something like a computer.

The move by wireless-communications companies to deploy third-generation (3G) broadband wireless technology could push the U.S. closer toward digital money, said Goldfinger, because then the country would at least have the necessary infrastructure to support widespread mobile-phone payment transactions.

"There is a lot of talk about digital money, but, in terms of what is actually happening on the ground, the U.S. is way behind," Goldfinger said. "This may change because the U.S. is jumping ahead of the queue with 3G and [other next-generation] technologies."

Another potential catalyst: the behavior of 20-somethings.

For those born after 1985, credit- and debit-card usage is much higher for day-to-day purchases than for older Americans. Many college students, Levine said, lead an essentially cashless lifestyle, carrying very little money and relying heavily on their debit cards in conjunction with a few credit cards.

There is little reason, Levine said, to believe that those college students will shift back to using cash in the same way that their parents' generation uses cash today. These young adults, he said, are the first generation over the last 10 to 15 years that has grown up with easy access to electronic payment.

"It will be interesting to see how those people mature in terms of their payment behavior," Levine said. "It is logical to expect that the people who [use debit and credit cards almost exclusively] today will continue that in their 30s and 40s."

Can contactless payments take hold?

BY James Bickers, editor 16 Jan 2006

When compared to the time it takes to write a check, swiping a traditional credit card is blisteringly fast. Untold hours have been saved for merchant and consumer alike by the gradual shift toward electronic payments at retail.

But in those businesses where every second counts — whether it’s a department store or a quick-serve restaurant or a convenience store — shaving just a few more seconds off a transaction time can snowball into savings of millions of dollars. It is this urge to get customers served and out the door faster that is leading many companies large and small to consider contactless payment systems.

The latest retail giant to take the plunge is the 7-Eleven c-store chain, which operates 5,300 stores in the United States. The chain recently announced that all of its stores would be equipped to accept the "blink" card from Chase Bank. Chase has begun delivering the new cards, which consumers simply hold near or "tap" on a terminal instead of swiping, to 1.3 million users in Texas and Florida.

"Because 7-Eleven is synonymous with convenience, anything we can do to improve a customer’s shopping experience at our stores is always under review," said 7-Eleven’s vice president of business development Rick Updyke in a news release. "Chase cards with blink provide customers with a faster, easier transaction. It fits well with 7-Eleven’s strategy of providing consumers quick, convenient service."

Fast food, faster

One of the industry segments that appears most drawn to contactless is foodservice. QSRs in particular seem to have much to gain, given that the average contactless transaction can be 8 to 10 seconds quicker than a swiped transaction.

Pizza Pizza, the largest pizza operation in Toronto with 180 locations, took the contactless plunge in June 2005. Pat Finelli, Pizza Pizza’s vice president of marketing, said the company had been seriously looking at the technology since the year prior.

"We tailored the program to meet the needs of our key consumers — urbanites from 18 to 30," he said. "A multifaceted marketing program supported the launch and helped to get the word out among this demographic."

Finelli said consumers were quick to adopt the new technology, and from anecdotal feedback, "both our consumers and franchise partners appreciate the added convenience, speed and simplicity of the program."

"Contactless payments are about speed and convenience, which benefits consumers and merchants," said Tom O'Donnell, senior vice president, Chase Card Services. "With contactless payments, consumers don’t have to waste time fumbling with change, but can quickly present their card, pay for their goods and be on their way." He said that the average contactless transaction is 10 to 40 percent shorter than a swiped one.

But how do you get customers excited about yet another card, when wallets and keychains are already bulging with plastic? In the case of Chase blink, the contactless hardware is integrated into a traditionally shaped card, which also features a magnetic stripe — so the card can be used at any payment terminal, not just those equipped to read blink.

Small transactions like food or gas seem to be the biggest target for contactless schemes. Catherine Graeber, principal analyst for Forrester Research, said that other ideal uses would be video stores, movie theaters, newsstands and transit ticketing.

As such, she doesn’t worry about security concerns floated during early discussions about the technology — "sky-is-falling" worries about thieves being able to read the card in your pocket by standing next to you with a wireless device in theirs.

"Personally, I feel that because contactless cards are typically authorized for small dollar amounts, it doesn’t seem like fraudsters would find this a highly attractive target," she said.

However, consumers might disagree — Graeber said that of the consumers surveyed who have yet to use a contactless card, 24 percent were worried about fraud, particularly if the card is lost or stolen.

What needs to happen?

So what does need to happen to convince consumers and merchants to add yet another card to their arsenal? Graeber said that contactless payment methods have a great amount of potential, but are by no means a guaranteed "slam-dunk." She said three things need to happen in order for the technology to succeed.

 The cards need to be interoperable.   "MasterCard, Visa and American Express can’t each do their own thing, requiring the merchant to have multiple card readers."

A sufficient number of merchants need to sign up. "The card associations and card issuers need to get a critical mass of merchants in a concentrated geographic area to accept the cards. Smart cards were a dud because there was no place to actually use the cards."

 Security promises must be made. "Card issuers need to offer a security guarantee that offers zero-liability on lost or stolen cards, or unauthorized access to accounts."

E-Passport Testing to Begin at San Francisco International Airport

WASHINGTON, D.C., Jan. 13 /PRNewswire/

A live test of e-Passports, that contain contactless chips with biographic and biometric information and the readers that are capable of reading these e-Passports, begins January 15, 2006 at Terminal G at San Francisco International Airport (SFO).

This test is a collaborative effort between the United States, Australia, New Zealand and Singapore that will run through April 15, 2006. "This test provides an important opportunity to work with our international partners to further the Department of Homeland Security's efforts to put in place an e-Passport reader solution by the fall of this year," said Jim Williams, director of US-VISIT, a Department of Homeland Security (DHS) program.

Participants include citizens of Australia and New Zealand who have been issued the new e-Passports, Singapore Airlines crew and officials holding trial e-Passports and U.S. diplomatic and official e-Passport holders. The test will assess the operational impact of using new equipment and software to read and verify the information embedded in the e-Passports. Participants will present their e-Passports when arriving in the United States at SFO, at Changi Airport in Singapore or at Sydney Airport in Australia.

The e-Passport contains the holder's biographic information and a biometric identifier, in this case a digital photograph, embedded in a contactless chip set in the passport. The inspection process for those participating does not change. The e-Passports being tested are enabled with a security feature known as Basic Access Control (BAC), which helps prevent the unauthorized reading, or "skimming," of information from e-Passports.

This is the second live test conducted between the United States, Australia and New Zealand. The goal of the live test is to gather information that can support countries around the world in their development and implementation of e-Passports that comply with International Civil Aviation Organization (ICAO) standards. It will also provide valuable information on the capability of the reader technology. "The results of the previous test, held at Los Angeles International Airport (LAX) and Sydney Airport, indicated that further testing would be beneficial to our development of a fully operational system," Williams said. "So we will conduct further testing to allow for the evaluation of new technologies." Biometrics included in a contactless chip provides a further means by which the identity of visitors may be verified, thus preventing entry by imposters and the use of fraudulent documents.

Biometrics provide border officials with a critical tool in making admissibility decisions, thus enhancing homeland security. A DHS priority, US-VISIT enhances the security of our citizens and visitors, facilitates legitimate travel and trade, ensures the integrity of our immigration system and protects personal privacy.

To date, more than 46 million visitors to the United States have been processed through US-VISIT without adversely impacting wait times, and more than 990 criminals or immigration violators have been intercepted as a result of the use of biometrics. For more information on US-VISIT, or to learn more about entry procedures, please visit the US-VISIT Web site at

Golf fans to use contactless payments at PGA events

Thursday, January 26 2006

Food and beverage stands at a number of major professional golf events will allow fans to pay for purchases with MasterCard's PayPass contactless cards and tokens.

Prom Catering to Accept MasterCard® PayPass™ at PGA TOUR Events in 2006

PGA TOUR Spectators to Speed through Lines with the Convenience of ‘Tap & Go™’ Contactless Payment Technology at Food and Beverage Stands

Purchase, New York, January 26, 2005 – MasterCard International today announced that Prom Catering – a leading caterer for local and national PGA TOUR (TOUR) tournaments – will accept MasterCard® PayPass™-enabled cards and devices at its food and beverage stands at select events during the 2006 season. The stands will accept the new contactless payment option at the point-of-sale for 14 TOUR events this year, beginning with the FBR Open in Scottsdale, AZ, February 2-5, 2006.

Using MasterCard PayPass, spectators will see more drives, chips and putts instead of standing in concession lines and fumbling for cash. Spectators simply tap their PayPass-enabled MasterCard cards or devices on a specially-equipped terminal that utilizes a radio frequency (RF) chip to complete the transaction. Prom Catering will have terminals that accept MasterCard PayPass at stands in high traffic areas on the first, ninth, tenth, and eighteenth hole locations.

“Prom Catering is thrilled to offer spectators a convenient, easy-to-use, contactless payment system at several TOUR events this year,” said Bill Given, vice president of Prom Catering. “When we unveiled the terminals at the Tour Championship last season, not only did our credit card sales go up about 20%, but the line sped up as well, allowing us to serve more customers. We look forward to providing the same kind of expedited service in 2006.”

“We’re pleased that our spectators can spend less time in line and more time watching the terrific golf on the course,” said Mike Bodney, Senior Vice President of Championship Management, PGA TOUR. “We welcome MasterCard PayPass to the TOUR with Prom Catering and look forward to the enhancements it will bring to the overall spectator experience at our tournaments.”

MasterCard PayPass transactions are completed quickly, securely and easily, without fumbling for cash and coins, swiping a card or signing a receipt. Moments after the cardholder taps his or her PayPass-enabled MasterCard card or device, account details are communicated to the terminal and then processed through the MasterCard secure network for clearing and settlement.

“Golf tournaments are an ideal location for MasterCard PayPass because golf spectators are there to watch their favorite players, not to wait in line,” said T.J. Sharkey, vice president of business development for the U.S. Acceptance Group at MasterCard International. “With PayPass on the course, consumers purchasing food and beverages can pay more quickly and conveniently,” he continued. “The lines will move faster and fans won’t miss the action they came to see.”

MasterCard PayPass will be accepted at the following PGA TOUR Events in 2006: The FBR Open (Scottsdale, AZ, February 2-5), THE PLAYERS Championship (Ponte Vedra, FL, March 23-26), Barclay’s Classic (Westchester, NY, June 8-11), The U.S. Open (Westchester, NY, June 15-18), and the TOUR Championship (Atlanta, GA, November 2-5). In addition, MasterCard PayPass will be accepted at the following Champions TOUR events: The ACE Group Classic (Naples, FL, February 17-19), Liberty Mutual Legends of Golf (Savannah, GA, April 21-23), FedEx Kinko’s Classic (Austin, TX, April 28-30), Allianz Championship (Des Moines, IA, June 2-4), Bank of America Championship (Concord, MA, June 9-11), Greater Kansas City Golf Classic (Overland Park, KS, June 30-July 2), Ford Senior Players Championship (Dearborn, MI, July 14-16), 3M Championship (Blaine, MN, August 4-6), and Administaff Small Business Classic (Spring, TX, October 13-15).

MasterCard PayPass acceptance is ideal for sports venues and other cash-dominant environments, such as convenience stores, quick serve restaurants, drug stores, and movie theaters, where speed and ease of use are essential. PayPass-enabled cards, like other traditional MasterCard cards, also include magnetic stripe technology, so cardholders can use the cards anywhere MasterCard is accepted around the world. PayPass technology can also be used in a number of devices, such as a convenient fob that fits on a key chain for easy access. Users simply tap their PayPass-enabled key fob on the PayPass reader at participating merchants and they are on their way.

The following merchants have announced that they will accept MasterCard PayPass: participating McDonald’s, 7-Eleven stores, Ritz Camera Centers, Boater’s World Marine Centers, Sheetz, Regal Entertainment Group theatres (Regal Cinemas, United Artists Theatres and Edwards Theatres), Duane Reade, CVS, Quick Chek, Wawa and Meijer Stores. PayPass is also accepted at QWEST Field, M&T Bank Stadium, Lincoln Financial Field, FedExField, Giants Stadium, Arrowhead Stadium and Ford Field homes of the Seattle Seahawks, Baltimore Ravens, Philadelphia Eagles, Washington Redskins, New York Giants/New York Jets, Kansas City Chiefs and Detroit Lions respectively, and at Citizens Park, home to the Major League Baseball Philadelphia Phillies. For more information about MasterCard PayPass, visit

NEW RFID Blocking Wallet Protect your money and privacy!

With the proliferation of RFID devices and related privacy concerns, it seemed due time to create the RFID Blocking Duct Tape Wallet. There are many ways to prevent Radio Frequency ID tags from being transmitted from devices. I often use my work badge and school ID which both contain RFID tags. With drivers licenses, credit cards, and cash now beginning to contain RFID tags, why not create a protective wallet.

RFID chips now exist in: Chase's Blink Credit Card Mastercard PayPass Credit Card United States Passport · Euro Bank Notes etc...

There are two materials which disseminate Radio Signals with incredible success... Water & Metal. Although you could fill a bag full of water and place your money, wallet, or whatever else in it, let's continue with the metal route. A single layer of aluminum foil of only 27 microns thick is often enough to block the RFID signals of most readers or 1mm of dilute salt water. A quick test at my work place using my badge confirmed the effectiveness of a layer of aluminum foil. (insert obligatory aluminum foil hat joke) So... the next step was to design a wallet with aluminum foil embedded inside. Using the plans to make Duct Tape Wallets I created previously, it was simple to modify them to include the aluminum foil.

If your simply looking for a bit of casual protection, simply stacking your cards next to each other will assist in reducing their strength.

Technical details on RFID (.pdf) Please see the original construction plans at this point...

In creating a RFID Blocking Duct Tape Wallet, the only step that needs to be modified is the first one. To create a sheet of RFID Blocking tape, simply place a sheet of foil on the table, and place strips of Duct Tape overlapping on top. Once created, the sheet can be cut with scissors to the sizes needed to continue making the wallet.

I chose to make one more addition to my RFID Protective Wallet. A simple flap on the left hand side prevents cards inside the wallet from broadcasting even while the wallet is open half way. If there are cards you wish to broadcast at will, consider creating a pocket of only tape on the outside of the wallet for you to slip the card into.

Visa, MasterCard want banks to pursue EMV technology

Vidyalaxmi & Preeti R Iyer / Mumbai January 17, 2006

Visa and MasterCard, the global payment service providers, are pushing banks to adopt a new technology standard through a differential fee structure.

Both have announced an interchange fee that seeks to incentivise installation of point of sale (PoS) terminals and issue of cards that comply with EMV (Europay MasterCard Visa) standards. EMV is a technology where chip-based cards can be used.

According to the new fee regime, the bank which owns the PoS terminal (called the acquirer bank) will pay 120 basis points of the billed value to the bank which issued the card (called the issuing bank) if the card is EMV-compliant and the PoS terminal is non-EMV compliant. The normal fee paid to the issuing bank is 110 basis points.

To incentives banks, which have installed EMV-compliant PoS terminals, the fee paid to the card-issuing bank will be 100 basis points if the card swiped is non-EMV compliant.

“The commercials between the issuing and acquirer banks have been sorted out by the new interchange fee structure introduced by Visa and MasterCard to ensure that most banks become EMV-compliant,” said B Madhivanan, joint general manager, ICICI Bank.

The fee paid to the issuing bank would be 95 basis points if the EMV-compliant PoS provides the facility of keying in PIN by the card user. The interchange fee would remain unchanged at 110 bps if both the PoS terminal and the card are EMV-compliant, said a banking source.

Merchant establishments, where the PoS terminals are installed, pay up to 2 per cent interchange fees to the acquiring bank. Of this, 30 basis points is paid to Visa or MasterCard, the interchange fee to the card-issuing bank and the balance is retained by the acquirer bank.

Riding high on the late-mover advantage, ICICI Bank’s 97 per cent of the 85,000 POS terminals are EMV-complaint. Nearly 85 per cent of Citibank’s 27,000 POS terminals are also EMV-compliant. Now only about 40,000 more POS terminals installed by various banks need to be replaced by EMV-compliant ones.

T R Ramachandran, business manager-cards, Citibank, said “Migration from a magnetic strip to a chip-based technology is desirable, yet it is not an immediate need. Fraud, however, remains the fundamental driver necessitating the migration.”

However fraud rates in India aren’t as high as those prevalent in Europe and South Asia, said sources. ICICI’s Madhivanan said, “EMV standards have gained significance as most global banks have the practice of issuing smart cards. When foreign tourists come in they need to have an option to use their smart cards on our PoS terminals.”

The cost per EMV-compliant PoS terminal is Rs 9,000 to Rs 10,000 if a bulk order of 20,000 to 40,000 such terminals is placed.

US Army Standardizing on Tumbleweed PKI Validation Solution for Secure Messaging and Cryptographic Log-on REDWOOD CITY, Calif.--

(BUSINESS WIRE)--Jan. 30, 2006--

Army Accelerating PKI Implementation to Meet New DoD-Wide Mandate Requiring 100 Percent Smart Card Log-On Authentication by July 31, 2006

Tumbleweed(R) Communications Corp. (NASDAQ:TMWD), a leading provider of email security, managed file transfer, and identity validation appliance and software products, today announced that the United States Army has contracted with TKCIS, an Alaskan Native 8(a) corporation, to procure the Tumbleweed Validation Authority(TM) (VA) in support of the Army's efforts to achieve enterprise-wide public key infrastructure (PKI) validation for smart card log-on and secure messaging. Tumbleweed VA is based on the open standard Online Certificate Status Protocol (OCSP, RFC 2560), and is already the most widely deployed PKI validation solution in the U.S. Department of Defense (DoD). Designed to validate the status of digital certificates in real time, Tumbleweed VA ensures that revoked credentials cannot be used for secure email, smart card login, web access, wireless, VPN, or other electronic transactions.

The Army began accelerating deployment of Tumbleweed VA earlier this month in response to a new DoD-wide mandate requiring all military services and agencies to implement PKI and 100 percent use of smart card cryptographic log-on to the Non-Classified IP Router Network by July 31, 2006. The mandate also requires implementation of public key enabling for user authentication, digital signatures, and encryption on all desktops, servers, and laptops. The Joint Task Force-Global Network Operations (JTF-GNO) accelerated the PKI implementation schedule in response to an increasing number of attacks and attempts to steal U.S. military secrets and slow network operations. The use of VA for enabling smart card cryptographic log-on also meets other directives on identity protection, including Homeland Security Presidential Directive 12 (HSPD 12).

"This award supports the Army's goal to leverage the existing investment in its public key infrastructure, and to realize the Tumbleweed VA's potential as an enabling technology for protecting critical information infrastructures and assuring the integrity of communications," said Ann Smith, Tumbleweed's Vice President, Federal Sales. "Once VA is fully deployed, more than 800,000 Army personnel will be able to use their Common Access Cards (CAC) in compliance with the new DoD mandate to access department networks, communicate via e-mail, and conduct other transactions with a substantially greater level of assurance."

Under its PKI initiative, the DoD has issued almost five million digital certificates to military personnel and civilian contractors. This digital certificate, stored on a CAC or "smart" card, includes the user's name, organization, and other identification information. The smart card is used to secure mission-critical applications such as email, web server access, network access, and system login.

As part of the DoD's "Defense In Depth" strategy, all DoD senders must digitally sign email messages using their smart card. Like any physical credential, however, digital certificates must be validated at time of use to ensure the certificate is not revoked or expired. In particular, DoD organizations must validate the status of the digital certificate stored on the smart card when used to sign an email message or perform any trusted transaction.

To align operations with the DoD's PKI and Defense In Depth initiatives, the Army decided to standardize on Tumbleweed VA, concluding that the product satisfies its requirements for a cost-effective solution that provides capabilities to speed the real-time validation of digital certificates, ensure secure communications, and to support the system-wide use of smart cards for cryptographic access to desktop, server, and network resources. Performing cryptographic logon via smart card will eliminate the need for individuals to use multiple passwords for accessing network systems.

In addition to supporting the Army's PKI initiatives, the contract award to TKCIS will help the Army expand its efforts to increase the percentage of government contracts awarded to Native American and tribally-owned small businesses. Partnering with Tumbleweed will enable TKCIS to expand the depth and breadth of the solutions and expertise the company can offer.

TKCIS' Senior Vice President, GSA & Systems Integration Division, Joel Lipkin, notes that "as an IT solutions and services provider, you must have the ability to offer industry-leading components to drive real growth and satisfy customer requirements. Partnering on this contract with Tumbleweed, clearly a market leader in email security, file transfer security, and identity validation solutions, provides us with a greater business development platform for driving growth in the solutions as well as the services components of our operations."

SwipeLess Burgers (1/19/2006)

Mickey Dees is expanding the availability of contactless payments in 12,000 U.S. locations. McDonald's USA is the latest national merchant partner to accept contactless "ExpressPay" from American Express. AmEx has been working with contactless payments since 2002. It is also the first issuer to launch contactless cards nationally with the rollout of "Blue from American Express" with the "ExpressPay" feature in June 2005. "ExpressPay" is also embedded in the "Clear from American Express Card" and available via a key fob that can be linked to any AmEx card. "ExpressPay" will be available at more than 12,000 McDonald's restaurants nationwide. Merchants now accepting "ExpressPay" also include: AMC Theatres, Boater's World, CVS/pharmacy, Duane Reade, Loews Cineplex Entertainment, Meijer retail supercenters, Regal Entertainment Group, Ritz Camera and Sheetz.


Swapping ‘swiping’ for the convenience of Prox-Cards

Published On Tuesday, January 10, 2006 11:21 PM

By JOSHUA P. ROGERS Crimson Staff Writer

My wallet is frayed, and I’m not alone; I find that this is a common affliction among Harvard students. It’s frayed from pulling out my ID card several times a day in order to swipe it through machines that serve various purposes all over campus. I do this not once but twice, for example, during the jaunt from courtyard to bedroom.

After five semesters of such swipery, my wallet is on the verge of a nervous collapse; it just wasn’t meant for this kind of extreme use. I estimate that I remove my ID card from my wallet more than twenty times a day.

Yet this mass murder of wallets is totally avoidable on campus. Many other schools use ID cards with proximity antennae. Yale is one such school.

My envy of Yale’s ID cards dates back to my experience at 2003’s Harvard-Yale game. I was staying in Branford, one of Yale’s residential colleges, with a friend from high school. Returning from some late-night revelry, it so happened that my host was already asleep. And so it was that I found myself locked out of the entryway. I patiently waited for an Eli to come by so that I could be swiped in. Several crimson-colored sweatshirts passed me by before I found a gentleman wearing a white t-shirt with a picture of a bulldog copulating, “doggie style,” with a somewhat distressed-looking pilgrim in crimson. I knew I was in luck. After a polite request, he walked up to the door and positioned his posterior in front of the card reader. Magically, the door clicked open.

I was amazed, and inquired how such a feat could be accomplished.

“I don’t know,” he said, “some kind of chip or something.”

These sophisticated IDs are called Prox-Cards, and it isn’t unreasonable to ask Harvard to install them in residential dorms on campus. This year, University President Lawrence H. Summers allocated over $6 million to fund student space. In previous years, the College allocated $20,000 to each House for gym renovations from the discretionary budget. Why don’t we use a little bit of next year’s discretionary budget to install this convenient technology?

In Lowell House there are about 18 entryways. For good measure, let’s say that with the library, dining hall, and basement entrances, there are 30 “swipe-points” currently in Lowell. At $175 per reader it would still only cost $5,250 to buy proximity card readers for all of Lowell. And Lowell is one of the biggest Houses; the costs would be much lower for Houses like Currier with fewer points of entry.

I know I’m neglecting the costs of installation and printing the new cards, but it seems unlikely that the cost would approach $20,000 per House, which was the cost of the gym upgrades a few years ago. I’d even be willing to pay a higher penalty for lost ID cards if I could remove the act of swiping from my daily repertoire.

Like most amenities, Prox-Cards would be taken for granted after a few years like they are at other schools, but they would continue to make a difference in the lives of students. In this case then, the convenience outweighs the costs

Monday, January 9 2006 - Understanding DPA attacks and the countermeasures available to protect smart cards

By Ken Warren, Smart Card Business Manager Europe, Cryptography Research

The primary reason for smart card technologies growing success in the marketplace is simple – security. Smart cards are self-contained security units that can provide unparalleled barriers to fraud and piracy. But what if they were actually discovered to be insecure? Even worse, what if attackers could unobtrusively defeat a smart card’s security using inexpensive equipment? Would governments, businesses, and consumers continue to rely on them for critical transactions?

This is the threat the industry has faced since the late 90’s when scientists at Cryptography Research Inc., discovered a vulnerability called Differential Power Analysis (DPA). DPA is an attack that attempts to compromise data on a device by monitoring the electrical activity of the chip.

Realizing the impact that these fraudulent attacks could have on the industry, smart card vendors and issuers were informed of the vulnerability and were provided with patent-pending countermeasure techniques to help ensure subsequent smart cards would be secure. Today, most smart card standards mandate DPA resistance as an important component of the system’s overall security requirements. DPA resistant techniques are available to smart card manufacturers and silicon providers under a DPA Countermeasure Licensing program represented by a “lock” logo.

What is DPA?

At the fundamental level DPA is a power analysis attack which attempt to compromise data on a device by measuring the electrical activity of the chip. All device operations and programming activity involves specific electrical activity at the transistor level, which can be accurately monitored as power consumption. The power trace, or ‘signature’, is a direct function of the particular operation being performed and data that is being processed.

SPA - Simple Power Analysis

The least complex technique is known as Simple Power Analysis (SPA). An SPA attack directly observes a device’s power consumption – a process which has been likened to monitoring a patient’s heart beat on an EKG. Analysis of the resulting power traces on a smart card can reveal information about which computational process are being employed, distinguish non-volatile memory programming, or identify cryptographic routines as they execute. By studying detailed features of a power trace, individual device instructions can be distinguished, and data dependant variations in program flow can be observed. In particular, key-dependant power variations during cryptographic processing can reveal secret key values.

Sound complicated? Unfortunately, it’s not complicated enough. A device that is vulnerable to SPA can be compromised by the analysis of a single power trace captured during a normal transaction. What’s worse, the attack can be automated and completed in seconds by even relatively unsophisticated fraudsters. The good news is that effective countermeasures against SPA are relatively straightforward.

DPA – Differential Power Analysis

DPA is a more complex and more powerful variation of SPA. With DPA many power traces are gathered, and statistical analysis and error correction techniques are used to extract information leaked across multiple operations. The robustness of these techniques allows very small differences in power consumption to be isolated, even when the signal level is a good deal smaller than the ‘noise’ from other processes, measurement errors and even deliberate attempts to obscure the signal.

In a typical DPA attack the smart card is monitored whilst performing a number of cryptographic operations, and power traces are recorded for each operation (typically this information is stored on a computer hard drive). After suitable signal processing the attacker uses the collection of sampled traces to test ‘guesses’ about the key or other secret information. If the attacker makes a correct ‘guess’ there will be statistically significant correlation in the set of power traces, resulting in an identifiable DPA signal. If the guess is incorrect or if suitable countermeasures are present, than there will be no correlation of the traces and no DPA signal will be observed.

The attack is completed by making multiple guesses about the key information and using the DPA process to verify or refute successive guesses.

DPA attacks can be automated and usually take between several minutes and several hours to conduct. DPA countermeasures are described in further detail below, and can involve a combination of hardware, software, protocol, and crypto designs.

What are the implications of a DPA attack?

At a fundamental level all smart cards aim to ensure that a particular ‘asset’ is used or accessed in an ‘authorised’ or permitted manner. Software and cryptographic keys on the smart card are used to protect these assets.

A successful SPA or DPA attack on the smart card provides an attacker with means to access, bypass, or clone, the authorisation criteria for the assets protected by the card.

In any applications this has a significant business impact, as fraudulent misuse of mobile phones, transportation services and pay TV signals result in lost provider revenue. In applications such as banking and digital identity the consequences can be catastrophic. Copying or cloning of banking cards enables fraudulent credit and debit card transactions to be conducted; criminals possessing keys for prepaid cards or e-purse applications can create electronic money. But perhaps the most worrying scenarios involve the cloning or forgery of Smart Card used for government-issued ID credentials.

In contrast to most other attacks on smart cards, SPA and DPA are non invasive and inexpensive to repeat, and in many situations the cardholder would have no idea that a successful attack has taken place. Since smart cards are nearly always relied upon for their security merits, resistance to SPA and DPA attacks is essential for nearly all smart card applications.

DPA Countermeasures

The fundamental countermeasures to DPA and other power analysis attacks are patented. Effective deployment of DPA countermeasures requires careful design and implementation. Although many smart card products in the market today include DPA defenses, some are considerably more effective than others.

As previously stated successful DPA countermeasures generally involve a combination of hardware, software, protocol and crypto design. Some of the common types of DPA countermeasures are:

  • Noise generation – increase the amount of noise detected by an attacker

  • leakage reduction – reduce the amount of detectable key related signal

  • leak resistance – design protocols which maintain security even when information does leak

Smart card customers need to know that the products they are purchasing are secure against DPA attacks. A DPA Countermeasure Licensing Program has been designed to assist vendors in ensuring that countermeasures in their products are effectively implemented. Vendors which have successfully implemented and tested licensed countermeasures in their devices will be able to display the ‘DPA Lock’ logo on their products and in marketing literature.

Going forward the smart card industry will continue to evolve, building upon its outstanding growth in recent years. Smart cards offer a highly cost effective and flexible solution for a range of applications benefiting commerce, governments and consumers. But above all else smart cards offer security, and an essential component security are robust defenses against would be attackers. Effective DPA countermeasures are a vital component in protecting the smart card, and its future success.

The security promise of smart cards still exists, though it is worth being sure the cards you are issuing are properly protected.