Selected Press Releases As Smart Cards Continue to Emerge in September  2006

US Department of State orders 2,000 fingerprint and smart card reader devices from Precise Biometrics

Precise Biometrics AB (publ.) has received a follow-up order from the US Department of State, worth MSEK 2.3 in total. The order is for more than 2,000 units, with a combination of fingerprint and smart card reader devices, Precise 200 MC and Precise 250 MC.

The procurement is the result of the expansion of the Department of State's program aimed at increasing computer network security through the implementation of smart cards and biometrics.

The Precise 200 MC and Precise 250 MC have been designed to meet the demanding requirement of IT and network security and are optimized for the Precise Match-on-Card(TM) technology, which conducts all biometric matching within the secure smart card environment.

Both the Precise 250 MC and Precise 200 MC have been approved for purchase by the US Federal government as a part of the US General Services Administration's (GSA) Approved Products List (APL). The GSA APL is an important requirement in the procurement process for the US Federal government Homeland Security Presidential Directive 12 (HSPD-12) and the closely aligned Federal Information Processing Standards 201 (FIPS 201). By fall this year all US Government agencies must initiate the deployment of smart card based ID cards, the so-called PIV (Personal Identity Verification) Cards.

The program Biometric Logical Access Development and Evaluation or BLADE, has been deployed at the agency's headquarters and in consulates around the world.

The order was purchased through one of Precise Biometrics' US resellers, the Mount Airey Group, who consult the US Federal government in the area of information technology security.

"Precise Biometrics is excited to be a part of a program as forward reaching and innovative as BLADE," states Christer Bergman, President & CEO of Precise Biometrics. "The continued adoption of our Precise Biometrics combination smart card and fingerprint readers is a testament to the quality and reliability of our devices, as well as the dedication to strong smart card and biometric solutions bolstered by our Precise Match-on-Card(TM) technology," continues Bergman.

"Mount Airey Group enjoys a strong and beneficial relationship with Precise Biometrics," states Joe Braceland, President and CEO of Mount Airey Group. "As a part of the support team for Department of State on the BLADE program, we have found the Precise Biometrics products and staff to be stellar assets for US Federal government project focused on IT security," continues Braceland.

Norway: BankID for Mobile Phones

Technologically, banks in Norway are among the world leaders, and the extensive cooperation in the industry has resulted in much simpler banking for customers. Another step in this direction is BankID for mobile phones, with Telenor as partner. The partnership will have enormous consequences for bank customers in the future," says Arne Hyttnes, Managing Director of the Norwegian Savings Banks Association.
The Norwegian banking industry, through the Norwegian Savings Banks Association and the Norwegian Financial Services Association (FNH), is behind the BankID Partnership (BankID Samarbeidet). The BankID Partnership has developed BankID, an electronic proof of identity which can be used for identification and signing agreements on the Internet.

BankID for mobile phones builds on the cooperative model in the BankID Partnership. The agreement between Telenor and the BankID Partnership is unique as there is no equivalent cooperation between the banking industry and the telecommunication sector in other countries.

"With BankID for mobile phones, we are helping simplify our customers' lives, while at the same time participating in a unique and innovative partnership with the banking industry," says Berit Kjoell, Division director in Telenor.

BankID for mobile phones strengthens BankID's position as the most widespread and widely used electronic proof of identity. Telenor is the first operator to enter into an agreement with the BankID Partnership, but this does not exclude other operators from signing a similar agreement.

BankID for mobile phones will be available in 2008 and all banks participating in the BankID Partnership may offer BankID to their customers. When that happens, 2.3 million Internet bank customers and 2.7 million Telenor subscribers will be able to identify themselves and sign agreements using a mobile phone. This means that customers decide the bank's opening times and have access to new services they need -- secure services, anytime and anywhere.

"The financial industry is at the forefront of using modern and cost-effective solutions to the benefit of people in general. BankID for mobile phones can help meet people's expectation of being able to satisfy their banking needs anytime and anywhere. Having to stand in line to pay bills is ancient history," says Arne Skauge, Managing Director of FNH.

Usage of mobile phones has gone beyond speech and SMS to areas such as MMS and the Internet. BankID for mobile phones is a natural part of this development, and will initially be used in four areas: logging on to Internet banks, mobile banking, electronic service for business and the public sector, and account-based payment services for the Internet and mobiles (BankAxess).

The BankID Partnership was set up by the Norwegian Financial Services Association (FNH) and the Norwegian Savings Banks Association to develop and coordinate infrastructure for the entire banking industry. The banks participate directly in the BankID Partnership through projects and involvement in working groups. Each bank issues BankID and supplies the market with accompanying services.

MTA Launches Smart Card Trial Program

July 11, 2006

A six-month trial program began Tuesday that allows riders at some subway stations to use Smart Cards to unlock turnstiles with a simple tap.

New York Giants running back Tiki Barber was on hand at Grand Central Station to demonstrate how it’s done.

The pilot project is only available on the Lexington Avenue line between Borough Hall and 138th Street. The new technology is designed to let riders go through turnstiles with just a tap of their credit card.

"We're going to get something, some way to quickly get through our turnstiles and get on our subways so we don't have to stand in line on hot days like this,” said Barber.

The MTA hopes the Smart Cards will reduce commute time.

"If it works, and we hope it will work, it will be our goal to outfit all of our stations with a system like this,” said MTA Chairman Peter Kalikow.

The Straphangers Campaign is also on board, congratulating the MTA for looking for new ways to make commuting more convenient. But, they also acknowledged concerns from the union that a citywide Smart Card program could mean a loss of jobs.

Only Citibank customers with a PayPass MasterCard or debit card will be able to test the new system.

Baiduri Bank first to introduce EMV Acquiring Service

By Azaraimy HH

Baiduri Bank has marked another milestone for being the first to introduce the "EMV Acquiring Service" in Brunei Darussalam.
The new service was officially launched during a ceremony held at The Rizqun International Hotel yesterday, which was attended by the guest of honour, Minister of Communications Pehin Dato Hj Awang Abu Bakar and some 200 people from the government and private sector including card merchants.

"This official launch marks a very important milestone for Baiduri Bank to be the first in Brunei to introduce the EMV Acquiring Service by installing EMV enabled Point of Sale (POS) terminals at our card merchant locations," Baiduri Bank General Manager Mr Pierre Imhof said during the launching.

"This puts Brunei amongst several countries in the region to embark on the EMV migration project," he added.

The general manager said that Baiduri Bank has invested time and money to implement this EMV project in the Sultanate.

"We are now rolling out Phase 1, which is the EMV acquiring service for the merchants. (This will be) followed by the second phase of the project - to issue EMV chip cards to cardholders in the next few months," Mr Pierre Imhof said.

"In Phase 1, our merchants will receive EMV ready terminals, which will protect our merchants from potential financial losses," the general manager said, explaining that counterfeit card fraud could migrate from neighbouring countries due to Brunei's open borders and ease of travel nowadays.

"As the largest card merchant acquirer in Brunei, we feel it is our responsibility to take on this initiative," the general manager said.

"At Baiduri Bank, we are deeply committed to support and work with government agencies on various initiatives. Our EMV project provides a secure and efficient payment infrastructure and fully compliments the current government ICT initiative in developing a more advanced and secure payment industry," Mr Pierre Imhof said.

Meanwhile, Mr Kevin Tai, the director of implementation for VISA International, delivered a presentation on the EMV chip technology and its benefits to merchants.

EMV is the industry abbreviation for "Europay International, MasterCard International and Visa International", which represents the global standard for electronic financial transactions covering the operation of SMART card payment cards and terminals.

The business rationale for the introduction of EMV is the high level of security it offers to banks, merchants and cardholders.

EMV compliance in most countries is mandated by the country's central bank, given the recent increases in payment card frauds, and in particular, the rapid growth of counterfeit fraud.

In countries like Malaysia, Thailand and Australia, where payment card frauds are increasingly becoming more sophisticated, the need to protect the borders from fraud migration is necessary.

With the high level of expertise, commitment and support provided by Visa International, MasterCard International and selected vendors, Baiduri is confident that the transaction to EMV readiness will be a smooth and a resounding success.

Smart Cards Get Smarter

Jody Yen, 07.12.06, 8:30 AM ET

Like it or not, smart cards--microprocessor chips embedded in mobile devices and credit-card-sized plastic cards--are embedding themselves in our lives. Governments and businesses issue these cards for identification purposes, while credit-card companies, retailers and transportation agencies use the technology for security and the convenience of "contactless" transactions. The tiny computer chips also provide mobile devices such as cell phones and handheld computers with encryption and memory.

Smart card technology first gained traction in Europe, and companies based on the Continent still dominate this field. The largest public entity (in terms of market share) is Gemalto, formed on June 2, by the merger of Netherlands-based Axalto and Luxembourg's Gemplus (nasdaq: GEMP - news - people ). The merged company is headquartered in Amsterdam, Netherlands.

Meanwhile, investors have had a tepid response to Gemalto. Paris-listed shares of the $2.2 billion (combined sales) company, which holds half the worldwide smart-card market, have fallen 23% since the merger. Likely reasons for the decline: the expected loss of business from overlapping customers prior to the merger and concerns about competition from China.

Even with some initial loss in business, Gemalto's chief executive, Olivier Piou, expects the company to generate 10% annual revenue growth beginning in 2008. Management believes the combined operation can reap annual savings of $100 million. Identity and security, which currently make up 30% of Gemalto's revenue, offer strong growth opportunities. Market research and consulting firm Frost & Sullivan's smart-card analyst Jason Halverson estimates that through 2009 worldwide smart-card shipments will grow at an annual clip of 22% for financial services and 40% for identity and security applications for government. Headquartered in Palo Alto, Calif., Frost & Sullivan advises companies on developing growth strategies.

Gemalto has already supplied the U.S. Department of Defense and Department of Transportation with common access cards to buildings and information systems. In addition, Gemalto has been developing smart cards for e-passports, which can provide contact-free information, such as name, address and nationality, as well as biometric data such as fingerprints.

Citigroup analyst Lyonel Francoy expects 11% and 31% annual revenue growth, respectively, through 2009 in Gemalto's financial services and identity and security businesses. Francoy also thinks that the value of Gemalto is greater than the sum of its parts. "Valuation-wise, we believe the market is not paying the right price for the future champion," comments Francoy. Gemalto trades on the Euronext Paris exchange for only 14 times its Thomson IBES consensus earnings forecast for 2007 of $1.72 per share.

Another key player in smart cards is Oberthur Card Systems, based in Nanterre, France. Slightly more than half of Oberthur's $600 million in revenue comes from payment systems and mobile communications, but the company does have some exposure to the identity market. In March, Oberthur won a contract with the U.S. Department of the Interior to develop smart-card identification systems.

While there are rumors that the Gemalto merger could spark more consolidation in the industry, Citigroup's Francoy believes Oberthur is an unlikely target. He cites the company's limited presence in the telecommunications and identity and security industries and its significant non-chip-based credit-card business.

Shares of Oberthur have also been in a slump this year. Thanks to a 22% decline since the start of the year, Oberthur sells for only 11 times estimated 2007 profit. Francoy cautions that the company faces a strategic challenge of being caught in the middle between Gemalto and a number of smaller aggressive Asian competitors.

Other significant smart-card companies are privately held Giesecke & Devrient, of Germany, and Minnetonka, Minn.-based Datacard Group, which had sales of $400 million last year. Bigger global companies such as IBM (nyse: IBM - news - people ) and Hitachi (nyse: HIT - news - people ) also have a foothold in the industry.

September 12, 2006 09:17 AM Eastern Time

New ATM Study Reveals Evolving Business Model, Diverging Strategies; Analysis of Bank, Credit Union and ISO Deployers Provides the Most Comprehensive Assessment of the State of the U.S. ATM Industry

BOSTON--(BUSINESS WIRE)  As traditional metrics for measuring ATM performance decline, bank, credit union, and independent sales organization (ISO) ATM deployers are redefining how they manage the ATM channel. According to a new survey sponsored by the four leading electronic payments networks -- CO-OP Financial Services(R), NYCE(R), PULSE(R), and STAR(R) -- and conducted by Dove Consulting, a division of Hitachi Consulting, the ATM industry is becoming increasingly stratified.

Stratification of the ATM Industry

In 2004, findings from the ATM Deployer Study showed an industry at a cross roads. Deployment growth was outpacing transaction growth, resulting in declining per-ATM transaction levels -- particularly foreign acquired transactions (i.e., revenue-producing transactions performed by another deployer's cardholders). Declining revenues, coupled with fixed or increasing costs driven by regulatory requirements (e.g., Triple DES) and increased rent and cost of funds, were putting increasing pressure on ATM deployers' profitability. As a result, the ATM industry was in search of a new model.

Over the last two years, the search for a new model has prompted many deployers, particularly financial institutions, to re-evaluate the role of the ATM: is the ATM purely a cash dispenser, or is it a strategic customer delivery channel?

How deployers answer that question underpins their ATM strategy, and determines how they manage their ATMs -- from how many they deploy and where they deploy them, to what functionality they support and what software they run. As a result, we are now entering a third phase in the evolution of the ATM industry, one that is characterized by the stratification of deployers' ATM strategies: the search for a new model has resulted not in one new model, but many new models, with deployers bifurcating along two dimensions: ATM access (proprietary vs. shared) and user experience (differentiated vs. undifferentiated).

The 2006 ATM Deployer Study provides an in-depth look at the industry's key performance metrics (including transaction volumes, surcharge rates, and operating expenses), recent industry trends and developments (check imaging, ATM branding), and deployers' strategies and priorities. It also presents an outlook for the ATM industry over the next few years, as the industry's business model(s) evolve and deployers' strategies diverge.

Some of the key findings from the study include:

1. ATMs and Transaction Volumes

The average number of monthly transactions per ATM, a key industry metric, varies significantly depending on the type of ATM deployer and the location in which an ATM is placed. Financial institutions' on-premise ATMs currently average 3,651 transactions per ATM per month, compared to 1,807 for their off-premise ATMs and 329 for ISO ATMs.

Per-ATM Transaction Profiles

FI On-Premise FI Off-Premise ISO
------------------------ ---------------- --------------- ------------
Average Txns/ATM/month 3,651 1,807 329
% Foreign Acquired 20% 49% 100%
------------------------ ---------------- --------------- ------------

Based on transaction data provided by deployers and estimated segment shares, the study estimates that U.S. ATMs currently perform 8 billion transactions per year -- representing $600 billion in dispensed cash.

Total U.S. ATM Transactions

Average
Transactions/ Total Annual
Segment Total ATMs ATM/month Transactions
----------------- ------------------ ----------------- ---------------
On-Premise 130,000 3,651 5.7 Bn
Off-Premise 71,000 1,807 1.5 Bn
ISO 195,000 329 0.8 Bn
----------------- ------------------ ----------------- ---------------
Total 396,000 8.0 Bn
----------------- ------------------ ----------------- ---------------

Of note, while ISOs account for almost half of all ATM placements, they account for only 10 percent of the industry's total ATM transaction volume.

2. ATM Functionality - Customer Relationship Management (CRM) & Check Imaging

Most of the advanced features currently offered by deployers are banking functions, with shared deposits, domestic account-to-account transfers and mini statements topping the list. Going forward, however, most deployers are focusing on advanced marketing and CRM functionality that will enable them to tailor the user experience to individual cardholders and strengthen their customer relationships and cross-selling capabilities. Deployers' top three areas of interest for future advanced functionality are targeted marketing campaigns, product offers (e.g., credit card solicitations), and cardholder preferences.

One of the industry's hottest topics is check imaging and ATM deposit automation. After three years of testing and pilots, it appears as though imaging ATMs are ready to hit the mainstream.

Image-enabled ATMs currently represent a very small portion of deployers' ATMs, but this dynamic is set to change. Large banks that already have image-enabled ATMs project that, by 2008, imaging ATMs will make up 31 percent of their ATM networks; for large credit unions, imaging ATMs are projected to constitute 45 percent of their ATM mix by 2008.

3. Migration to Windows and Advanced Software

Although no longer sold, OS/2 continues to dominate the ATM landscape, with the majority of ATMs -- 58 percent -- currently running on OS/2. The pervasiveness of OS/2 will not last much longer, however: 63 percent of ATMs in the U.S. are projected to be running on Windows by 2008.

ATM Operating System Mix, 2006 vs. 2008

Operating System 2006 2008
--------------------- --------------- -----------------
DOS 1% 1%
OS/2 58% 22%
Windows 26% 63%
Other 15% 14%
--------------------- --------------- -----------------

ATM technology is poised to change significantly as deployers migrate from OS/2 to Windows and from proprietary software to open standards. For much of their thirty-year life, ATMs have been vertically integrated devices, combining hardware and software from one provider. As hardware and software become 'decoupled', deployers are no longer locked into the proprietary software that accompanies a terminal; as a result, selecting ATM software is becoming a strategic decision in its own right -- and one that has significant implications for deployers' future ATM capabilities.

4. ATM Surcharge Rates

Deployers continue to increase the surcharge fees they charge to non-customers, currently averaging $1.74 at an on-premise ATM and $1.79 at an off-premise ATM.

Average Surcharge Rates, 2001 - 2006

2001 2003 2006
------------------------ ----------- ----------- -------------
On-Premise ATMs $1.45 $1.57 $1.74
Off-Premise ATMs $1.48 $1.65 $1.79
------------------------ ----------- ----------- -------------

Combined with an average foreign fee of $1.27, consumers currently can pay more than $3.00 every time they use an ATM that is not deployed by their own FI. As the cost of using a foreign ATM increases, the value consumers place on having access to a large network of free ATMs increases -- which means, from a competitive perspective, that a deployer's ability to provide convenient fee-free access to ATMs is becoming an increasingly important part of their value proposition. To this end, many deployers are pursuing one or more of the following strategies to increase ATM access: participating in selective surcharge alliances, introducing surcharge reimbursement programs, and negotiating ATM branding agreements.

5. ATM Economics

Deployers continue to face challenging ATM economics, as measured on a direct basis. Deployers currently earn an average of $1,104 per month at their on-premise ATMs, and $1,013 at their off-premise ATMs.

On the expense side, deployers incur average monthly expenses of $1,444 per on-premise ATM, and $1,450 per off-premise ATM, although there is significant variation between deployer segments.

Monthly Per-ATM Expense by Deployer Segment

On-Premise ATMs Off-Premise ATMs
--------------- ------------------------ -------------------------
Large Bank $1,131 $1,736
Other Bank $1,313 $1,256
Large CU $1,976 $2,549
Other CU $1,912 $2,578
Large ISO N/A $680
Other ISO N/A $522
Overall $1,444 $1,450
--------------- ------------------------ -------------------------

Most segments, on average, lose money on their ATMs. As their profit margins deteriorate, many financial institutions are recalibrating their ATM strategies, shifting away from revenue generation and refocusing on meeting the needs of their customers.

About the 2006 ATM Deployer Study

The 2006 ATM Deployer Study is the fourth in a series of bi-annual studies sponsored by the leading EFT networks as part of their ongoing commitment to industry research. Conducted in the spring of 2006, this study tracks the ongoing evolution of the U.S. ATM industry and provides an in-depth look at current ATM performance metrics, recent industry trends and developments, and deployers' strategies.

The findings presented in the 2006 ATM Deployer Study are based on survey responses from a nationally representative sample of 161 bank, credit union, and ISO deployers. Study participants include 26 of the top 50 retail banks (and 8 of the top 10), 12 of the top 25 credit unions, and 3 of the top 10 ISO ATM owners. As of March 2006, study participants had deployed 134,110 ATMs, representing 34 percent of ATMs deployed in the U.S.

On card displays become reality, making cards more secure

Saturday, September 16 2006
Are displays for smart cards finally more than just talk?

Marisa Torrieri, Contributing Editor

It’s your credit card … spiked with something extra … a thin, flexible display with a readout similar to that of a calculator. But you don’t just make transactions with this card. With this baby you make them two-factor style, fusing something you know (your card number), with something you definitely have in your possession (your card).

Why would a cardholder care?

Here’s one reason: in growing digital-transaction real-world scenario, where more and more purchases are made online, the party on the other end receives your card number and security code, but there’s no way of knowing that you actually are the one holding the card. No biggie … until some ID-stealing thief’s trying to purchase a dozen iPods online using your number.

Fortunately, this new kind of card is on the horizon, and will allow consumers to conduct secure transactions with two-factor authentication with ease. A growing number of companies are developing thin, password-generating card displays that can be incorporated into your trusty cards. Equipped with displays, that can now be mass-produced at rapid speed, these new powerful cards generate single, numeric pass codes that change at the push of a button, transaction to transaction. In the future, people will be able to
view things such as recent bank transactions and credit card balances – on the cards themselves.

Because U.S. consumers and the financial institutions that serve them continue to resist technologies such as One-Time-Password tokens, that make consumers do more work to secure their transactions, display-equipped cards are generating a great deal of interest as an alternative for secure two-factor authentication.

In the next six months, a number of companies working with electronic displays, like Aveso Inc., SmartDisplayer, and InCard Technologies, are hoping to see their slender, powerful, high-tech wares bear fruit.

Financial applications are, arguably, the hottest and most promising markets for display technology cards, thanks to nearly one-year-old Federal Financial Institutions Examination Council (FFIEC) guidelines, recommending that institutions to bear the burden of incorporating two-factor authentication methodologies into their offerings to enhance security.

“This is another hardware or token format,” says Emily de Rotstein, executive vice president of marketing for Aveso Inc., a company that develops printed electronic displays. “If you’re a bank in America, you can brand the card, personalize the card, and add OTP functionality to the card itself. It’s the logical next step in the evolution of a payment card for secure online authentication.”

According to Ms. de Rotstein, technology such as Aveso’s allows for easy integration of electronic displays into high-volume printed products such as credit cards and packaging labels. Because displays are produced using existing print-manufacturing techniques, display devices can be scaled cost-effectively in the hundreds of millions of units, volumes required to support a global industry standard for the electronic display card.

How the technology works, why it makes transactions better

Sure, the form factor – a slender, powered card that give you a one-time-password, and may even be able to display credit card balances – is a sexy proposition. Especially in light of the FFIEC guidelines. But what about the technology?

To get an idea of how a thin electronic display works, one must first understand that it is just one of three critical components of a display card: the other two are the battery (the power source, which allows for a number to be generated), and the microprocessor (the chip that runs algorithmic applications to generate numbers).

Display technology allows for a one time passcode to be generated and show up, on a card’s surface, within seconds. So a person holding the card possesses two-factor authentication – something they know (secret password), and something they have (the card itself). The combination lessens the likelihood of identity theft.

And that’s just for starters.

The display card will potentially be able to display all sorts of information to its users; numeric, electronic displays give numeric information, for example.

“Thin and flexible electronic displays enable new applications that have not been possible displays that have not been possible in the past due to the limitations of the traditional, glass-based displays,” says Ms. de Rotstein, referring to glass-based, liquid crystal displays found in such applications as watches and phones. “Traditional displays are often too thick or too fragile for integration into the standard credit card. By overcoming these hurdles, plastic, flexible displays will transform the payment card and deliver benefits to consumers and card issuers alike.”

It’s those applications Innovative Card Technologies (InCard) is banking on in a series of pilots set to begin in the fourth quarter of 2006, says CEO/Founder Alan Finkelstein.

“The world is becoming aware that a random generator is the fastest, most cost effective way to get secure technology to the mass market,” says Mr. Finkelstein.

InCard is the exclusive provider of a flexible display technology called SmartDisplayer, developed by the Taiwanese company of the same name, as it relates to displays placed in a card form factor.

InCard Technologies recently created its DisplayCard with OTP and it plans to pilot the card later this summer. The card, via an embedded chip and an display, generates an OTP at the push of a button. Then, the card is authenticated by a secure server to confirm that the genuine cardholder is the one making the transaction.

So, by the time cold snow has replaced this slip-and-slide summer, will interest in these cards generate a new kind of heat? InCard, for one, is crossing its fingers. “When we started to look into this three or four years ago, we met with everybody who was trying to develop technology and components like these,” says Mr. Finkelstein. “From the time they showed us a display that was working, it still took three years of R&D and many millions of dollars.”

Still, the bottom line comes down to consumer behavior, the perceived
necessity of two-factor security, and, according to Mr. Finkelstein, the question: “Do you want to carry two or three of those tokens or would you rather put a card (with a flexible display) in your wallet?”



To whom it may concern:

EMVCo is pleased to announce the following documents are now available at http://www.emvco.com:

1. EMV CPS v1.1 Draft specification available for public review and comment:

This document has been made available for download in order to solicit public comments. Please note that EMVCo expects all comments by November 15, 2006. Comments accepted by EMVCo will be included in the document prior to its final release. Please provide your comments to the specification by completing the comment form also included at the bottom of this email and send to secretariat@emvco.com.

This specification standardizes EMV card personalization leading to faster, more efficient and more economical solutions. It offers benefits which include: lower set up costs, faster time to market, greater choice of supplier (card and personalization bureau) and an enhanced ability to switch suppliers.

Card personalization is one of the major cost components in the production of EMV cards. This specification standardizes the EMV card personalization process with the objective of reducing the cost of personalization thus facilitating the migration to chip.

The main purpose of this new version is the introduction of a new feature presented as personalization Direct method. It also introduces several clarifications as well as other new optional features.

Thanks in advance to all of you to take the time to review this draft specification. It is important for recommended changes to be as detailed as possible in order to receive proper consideration from EMVCo. This includes technical issues, identifying where clarification could be provided, editorial etc.

2. The official Card Type Approval Process documentation for both CCD and CPA cards is now available for download on the EMVCo.com website.

Card Type Approval is verification by EMVCo that a specific card product has demonstrated sufficient conformance to the EMV specifications. The Card Type Approval Process includes both functional and security evaluations. These two documents describe EMVCo's processes for functional evaluation of card products to be followed by chip providers, card product providers, test laboratories, and auditors. Limited information regarding security evaluation is included for completeness.

The CCD version addresses Card Type Approval for card products implementing theCommon Core Definitions specifications and the CPA version addresses Card Type Approval for card products implementing the Common Payment Application specifications.

Regards,

The EMVCo Communication Secretariat


Attached files:

One-touch shopping
Consumers increasingly accepting of technology that uses fingerprints to buy groceries

By PAUL GORES pgores@journalsentinel.com

Posted: Sept. 9, 2006
 

When Katy Weber goes shopping at Roundy's Metro Market in Milwaukee, she doesn't bring a purse, credit card, debit card, check or cash.

The Pay By Touch system uses 40 data points on the finger to scan a print, says a company spokeswoman. She says privacy is protected under the system.

All she needs to pay for her groceries is her index finger.

A sensor pad at the checkout counter scans her finger, automatically registers any discounts and then debits her bank account.

For Weber, 28, using the Pay By Touch pad is a matter of convenience.

"I don't have to dig around in my purse," she said.

The idea of shopping without bringing a purse or wallet might take some time to catch on, but companies using the finger-scan system say that, store by store, it is gaining acceptance.

Jewel-Osco is the biggest user in the Milwaukee area of the Pay By Touch system, which is the industry leader in the touch-system payment technology. It rolled out the system last spring, and the system is available in all 15 Jewel-Osco stores in Wisconsin.

In Jewel-Osco's four-state area, about 56,000 customers are signed up for it, said Juanita Kocanda, Jewel-Osco's manager of public affairs.

"It's very well received," Kocanda said. "We get positive feedback, especially from the people who write checks, because it comes right out of your checking account and you don't have to write a check."

Nationally, the Pay By Touch system is used at more than 2,000 retail locations, said Shannon Riordan, spokeswoman for the 4-year-old San Francisco firm. She said that, combined with a check-cashing system the company sells, it has signed up 2.5 million consumers.

System is secure, company says
The finger system is more secure than using a credit or debit card or writing a check, because there are no numbers on a card or check that an identity thief could steal, Riordan said. Pay By Touch users are required to punch in a search code to start the transaction - usually easy-to-remember digits like a telephone number - but without the finger scan, no one else can gain access to the account.

"Overall, for merchants and shoppers alike, it greatly reduces the chances of fraud at the point of sale," Riordan said.

Riordan stressed that the finger image used to authenticate a transaction is not an actual full fingerprint.

"It uses 40 data points from your finger," she said. "That is the amount of data that gets encrypted right then and there."

But surveys show some consumers, as much as they like the sureness of biometric identifiers, still find something Big Brotherish about letting anyone scan the print side of a finger, said Avivah Litan, a financial technology consultant with the firm Gartner Inc. in Stamford, Conn.

"Some people like the convenience, other people think it's a big privacy imposition," Litan said.

Riordan said there is nothing to worry about, even though she understands why it's a concern.

"If we don't respect people's privacy - if we aren't dedicated to that - we are going to fail as a business," she said. "So we are motivated. This is a very, very important promise that we make and keep with our Pay By Touch members."

At Roundy's Metro Market, which has used the system for two years in a pilot program, fear of having a fingerprint in a database doesn't seem to be an issue, said customer service manager Robin Moga. She said that might be because of the store's clientele, which includes many young adults.

"They love the new technology. They are all about it," Moga said.

Looking for new markets
Customers sign up for Pay By Touch at no charge at kiosks in stores where it's used. A scanner at the kiosk records the finger data needed. The sign-up process requires a driver's license, a voided check and, if desired, a preferred shopper card for discounts.

Although retail stores such as supermarkets are the "early adopters" of the finger-scan payment technology, other types of retailers are showing an interest, Riordan said.

"People, as time progresses, will see it in more and more places, and it will become commonplace," she said.

Banks invest in better security online
Fraud spurs tougher access to accounts

By Laura Smitherman Sun reporter

Originally published September 10, 2006

Online banking, a service that has spared consumers a trip to the branch and given them access to accounts with a few keystrokes, is about to become more complicated.

Banks are rolling out security programs to better identify online customers after federal regulators, alarmed by the rising incidence and sophistication of identity theft, imposed a year-end deadline. Many banks are trying to balance security with convenience, while grappling with costs and technological challenges.

For most consumers, the changes mean that a user name and password won't be enough anymore.

Users could be prompted to provide their dog's name or high school mascot when logging on to an account, or they could be required to enter the correct coordinates from a table on a card like those used in bingo or the childhood game Battleship. If they are a commercial client moving large amounts of cash, a fingerprint scan might be in order.

Some banks also are "deputizing" customers by enabling them to prohibit or limit certain kinds of transactions on their accounts, or by alerting them to suspicious account activity.

"They have really knuckled down, and you feel more secure when you log on," said Kat Hudson, 37, of Fells Point. She said she does most of her banking online after a thief stole her paper checks and tried to cash one. "I wouldn't say it's entirely foolproof, but I would say it's safer."

More than 35 million American households bank online, though the growth rate slowed to about 10 percent last year from more than 300 percent a decade ago, according to Online Banking Report, an industry newsletter. Financial institutions expect the added security will reassure current customers and draw technophobic consumers to the Internet, which is cheaper for banks to maintain compared with brick-and-mortar branches.

A poll by the American Bankers Association shows that one-fourth of customers go to the Internet most often for their banking needs, as opposed to branches or automated teller machines. Online transactions are projected to account for 44 percent of all self-service banking including ATMs and touch-tone phone systems by 2010, compared with 10 percent at the beginning of the decade, according to Tower Group Inc., a financial services advisory firm.

Several national banks have unveiled new anti-fraud protections. Bank of America Corp., the largest online banker and biggest in Maryland by market share, finished a national rollout of its program this summer and has begun airing television advertisements promoting it.

But many midsize banks and community thrifts have yet to implement the extra security, crunched between regulators who are refusing to move back the deadline and a dizzying array of security vendors, including startup companies, some hawking unproven products.

"Many institutions have failed to act, hoping against hope for a last-minute reprieve," analysts Susan Feinberg and George Tubin of Tower Group said in a recent report. "The regulators are serious. They are not kidding. Banks must stop stalling."

Federal regulators instructed banks late last year to assess risks associated with Internet banking applications and to implement the necessary security measures to ensure that an online customer is indeed who they say they are. The regulators gave banks until Dec. 31 to do so or face increased scrutiny from examiners.

Jason Herzberger, a 26-year-old Lutherville resident and victim of identity theft -- someone opened a cell phone account in his name -- said he also does most of his banking online and welcomes the security changes.

"It's a terrific concept," he said.

Internet banking was born a decade ago when banks such as Wells Fargo & Co., based in the technology hub of San Francisco, began allowing customers to view account statements online. At first such access required special software, but banks soon set up sites on the Internet. Since then, Internet use has exploded -- and so has online fraud.

Identity fraud cost industry and consumers $57 billion in 2005. While the number of victims has shrunk slightly, the crimes are scoring bigger payoffs that have grown 20 percent in two years to an average of $6,383. Nearly 10 percent of victims who knew how their personal information was stolen said it happened online, according to Javelin Strategy & Research, a consulting firm.

Still, security experts say few banks had employed what is known in the business as "multifactor authentication" to verify a retail customer's identity online, until regulators stepped in. Banking officials said fraud losses were small and didn't warrant the cost and customer confusion that comes with the extra security.

Some experts say consumers are more at risk of identity fraud from throwing a paper account statement in the trash than from banking on the Internet.

Baltimore-based Mercantile Bankshares Corp. plans to launch a system in the coming weeks that uses "cookies," or information that a Web site puts on users' hard drives so it can remember them. If customers log on from a computer they don't normally use, they are posed a "challenge question" that asks for information not typically kept in a wallet, such as their mother's maiden name or city of birth.

First Mariner Bancorp, another Baltimore bank, plans to implement a similar system as soon as next month. The bank also will use a program that prompts customers to choose a picture from an online gallery. The picture, perhaps a fish or flower, appears at the site to signal it's legitimate.
First Mariner's customers were targeted in a so-called "phishing" scheme last year in which hackers sent them e-mails and directed them to Web pages that looked nearly identical to the company's official site. Such traps are intended to dupe consumers into divulging account information and passwords. Bank officials say they are not aware of any losses stemming from the scheme.

"We've had a couple of incidents like most of our competitors; you can't be on the Internet anymore without something happening," said Kevin Lynch, head of electronic banking at First Mariner.

But, he added, "there's a fairly significant group of customers who are not using online banking because they are scared."

Mercantile also has experienced phishing attacks, but Larry Bloom, a vice president in charge of online banking products, said the bank has been able to shut down schemes "rather quickly." Earlier this year, the bank's security service provider helped squash a scheme aimed at a Midwest bank with a similar name.

At M&T Bank, based in Buffalo, N.Y., with a large presence in Maryland, commercial customers were given hand-held electronic devices last year that periodically generate random numbers to be used as passwords for online transactions. Earlier this year, the bank put in another system that tracks the online behavior of customers, such as routine log-on times, to better spot imposters.

And in December, M&T will offer customers the ability to receive alerts when unusual activity happens on their accounts. For example, customers could ask that they be called for additional authorization over the phone any time a bill of more than $1,000 is paid from their account online. Or they could ask that they get a text message any time more than $150 is withdrawn using their ATM card.

Regulators took pains not to endorse one security technology over another. That didn't stop a number of vendors from promoting themselves as "approved providers" of online security products. Many of the products were so new that banking officials worried about choosing a solution that could be ineffective or become outmoded quickly, industry observers said.

"There has absolutely been some concern," said Bruce Cundiff, research analyst at Javelin Strategy. "But there is enough brain trust at financial institutions to really understand the difference between these fly-by-night organizations and providers with solid products."

At Owings Mills-based K Bank, Vice President Denise Wiggins said the company considered a number of options but settled on a matrix, or a card with a series of columns and rows of numbers and letters. Beginning this summer, when customers log on, they are asked to provide a particular combination of coordinates in addition to their user name and password.

"Identity theft has become a part of our lives, and we felt this gave our customers the flexibility and security they needed," Wiggins said.

She added that customers immediately warmed to the idea.

"One person e-mailed me the morning we launched the system to say, 'You sank my battleship.'"

laura.smitherman@baltsun.com

The Sunday Times September 10, 2006

Online shoppers may get own card terminals to beat fraud


HIGH street banks are to introduce new anti-fraud systems to stem the growing tide of internet crime sparked by the introduction of chip-and-pin technology, writes Yuba Bessaoud.

Under a scheme being developed by the Apacs payment network, bank customers using the internet will be given hand-held terminals that generate a different eight-digit code for each transaction. Customers can only gain access to their online account with this code.

Although the technology will initially be used by online (and phone) bank customers, Apacs hopes it can later be extended to purchases on retail websites.

Figures from Apacs, which groups together banks and card firms, show 26.6m people made at least one internet purchase last year, spending £22 billion. In addition, 15m customers regularly carry out banking transactions online.

Chip and pin helped cut card fraud by 13% to £439m last year from a 2004 high of £504m. Now, however, so-called “card not present” fraud, which consists mainly of internet scams, has risen 21% to £183m.

The urgency of curbing internet fraud was highlighted last week when The Sunday Times reported how Russian gangsters are selling credit card details, pin numbers and personal information of British customers over the internet for just £1 a time.

“Chip and pin was brought in to deal with counterfeit and lost and stolen card fraud, it wasn’t introduced to tackle card-not-present fraud. What the industry is doing now is looking at ways to utilise chip and pin technology in an online environment,” said a spokesman for Apacs.

The new system, called two-factor authentication, involves each customer being given a hand-held chip-and-pin terminal. Each time they carry out a transaction, they slot their card into the machine and enter their pin number.

The device then produces an eight-digit number that must be entered into the website before any financial transaction can be carried out. The code is matched against a constantly changing bank database after which it becomes defunct, meaning any fraudster intercepting the transaction would find only a meaningless number.

Any potential cost to customers would be decided by the individual banks, depending on overheads, take-up rates and inter-bank competition.

The scheme, which it is hoped will become an industry standard, is based on trials carried out by individual banks such as Lloyds TSB and Barclays. Lloyds TSB issued 23,500 customers with an “access code device” in 2005. During the trial, none of the customers reported fraud on their account, the bank says.

Some critics have expressed concern the system may not be completely fraud-proof — for example, skilled hackers may be able to intercept the code and link it to a card in the short time before it is discarded.

If it works for online banking, Apacs will begin negotiating with retail websites to adopt it.

Credit card companies form security council

By Erica Ogg Staff Writer, CNET News.com

September 7, 2006

The five major credit card companies have teamed up in the interest of better security.

American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International announced Thursday the creation of an organization to develop and maintain security standards for credit and debit card payments. It's the first time the five brands have agreed on a single, common framework.

The newly formed Payment Card International (PCI) Security Standards Council will manage the PCI Data Security Standard, first established in January 2005 with the intention of making its implementation more efficient for all parties involved in a payment card transaction. That includes merchants, payment processors, point-of-sale vendors, financial institutions and more than a billion card holders worldwide.

The companies have come together despite being in competition with each other because they say ensuring better security will benefit everyone.

"First of all, it's to protect the information of our mutual customers and to make the process of data security compliance easier," said Rob Tourt, vice president of network services for Discover.

Having a single data security standard is a critical issue for the entire industry and will simplify the process, said Brian Buckley, Visa's senior vice president of international risk management.

"Our view is that this is first and foremost an important initiative to get data security in place for payment cards," he said.

Having the common accepted set of rules should foster broader compliance, said Bruce Rutherford, MasterCard's vice president of payments. Those rules include instructions on proper data encryption, common technical standards and security audit procedures.

The first action of the new council was to update the PCI security standard, which was promised in May. The revision gives instructions for how to implement the new standards and clarifies language that was previously considered vague. For example, terms such as "periodically" and "regularly" were swapped for definite deadlines like "annually" or "quarterly" where appropriate. A statement released by the newly formed council said the revisions were the result of feedback from vendors,  merchants and payment processors.

 

White House Seeks Fresh Info on Smart-Card Efforts

Top IT exec calls for updates on plans for complying with security directive

Jaikumar Vijayan  
 

September 04, 2006 (Computerworld) --

Federal agencies last week were told to provide the White House with an update by this Friday on their readiness to comply with a presidential directive requiring them to start issuing smart identity cards to all government employees and contractors by Oct. 27.

The updates were requested in a memo sent by the White House Office of Management and Budget (OMB) to agency CIOs. The memo included a template for agencies to use to update information on their strategies for implementing the requirements of the smart-card directive and on the status of their efforts to do so.

The smart-card mandate, officially known as Homeland Security Presidential Directive 12, was issued in August 2004. HSPD-12 requires all federal agencies to use a common ID credential â?� so-called personal identity verification (PIV) cards â?� to authenticate workers and control access to buildings and IT systems.

Last week's memo from de facto federal CIO Karen Evans came at a time when many agencies are scrambling to meet what is widely viewed as an extremely aggressive deadline, said Greg Kriezman, an analyst at Gartner Inc.

"OMB is in the habit of setting the bar high in terms of getting things done," Kriezman said. He added that the level of preparedness among agencies is "a real mixed bag" at this point.

In February, the Government Accountability Office released a report listing several challenges that agencies faced in meeting HSPD-12. Among them was too little time to test and acquire the needed IT equipment, as well as the budgetary risks involved in implementing biometric security tools built around technology standards that had yet to be finalized.

Linda Koontz, director of information management issues at the GAO, said last week that some of the problems cited in the report are on their way to being resolved. For instance, products that comply with the technology standards set by the government for HSPD-12 have started to become available, Koontz said.

Koontz added, though, that agencies still face hurdles. "I think the OMB is being aggressive on this, and they are trying to move the government," she said. "But budgetary concerns and the time frame still remain a challenge."

On the technology front, all of the major standards related to the deployment of the new cards have been published, said William MacGregor, manager of the PIV program at the National Institute of Standards and Technology. NIST was responsible for drafting the standards on which the PIV cards are based.

"Many policies and operating procedures need to be established for card issuers, of course," MacGregor said. But those "are not technology standards per se, and generally they are the responsibility of the agency and the PIV [card] issuer," he added.

In her memo, Evans noted that only changes to previously stated implementation plans need to be submitted to the OMB this week. OMB officials will provide agencies with written evaluations of their updated plans, she wrote.

September 06,2006

Hearing aids that work through bone could revolutionize listening

A Halifax researcher has developed a hearing aid that works through a bone behind the ear, predicting the technology will also change the way people listen to music and use cellphones as well as military communications.  Dr. Manohar Bance, a surgeon at Dalhousie University, said his team has created next-generation hearing aids that are placed without surgery on the bone behind the ear and can be taken on and off. The devices transmit vibrations from a tiny electronic box through the bone into the inner ear, Bance said.  "Our research has shown there are some special spots you can put these things without much pressure. There are sweet spots on the head that we can access that allow us to put sound into the inner ear at a much more efficient way than we used to.  "Bance said the technology developed in his Bone Conduction Hearing Technologies Project could revolutionize the way people listen. For example, users could attach the device and pick up music transmissions without earphones,  he said. The technology also improves the sound quality on cell phones, reducing distracting background noise, he said. Bance also said police and soldiers could use the devices to conduct private security communications. In fact, the research arm of the Department of National Defense - Defense Research and Development Canada - is working on the project, along the Halifax region's Capital Health Authority, the University of New Brunswick. The devices will likely be available as hearing aids within three years, Bance said. After that, the researcher aims to roll out the technology with consumer applications.

U.S. Banks Are Slow to Embrace Mobile Commerce
Regulations, costs keep most on the sidelines for now
Eric Lai Today’s Top Stories or Other Mobile/Wireless Stories

Mobilizing Enterprise Applications: Strategies for Wireless and Remote Success

September 04, 2006 (Computerworld)

 -- Imagine waving your New York subway pass in front of the cash register at a 7-Eleven convenience store to buy a sandwich. Or paying for items you found while surfing the Web on your cell phone by sending a text message.

Such futuristic exercises in the U.S. are already a reality in many Asian and European countries.

For example, Hong Kong residents can use the local subway pass, called an Octopus card, to pay for purchases at fast-food restaurants, convenience stores and vending machines. And Tokyo-based phone operator NTT DoCoMo Inc. offers mobile phones with embedded chips that can serve as either a rechargeable repository of stored money or as a credit card.

In the U.S., meanwhile, there have been only sporadic experiments in the use of next-generation payment schemes. Experts blame the slow U.S. adoption on the tentativeness of banks.

"Banks have given up ownership of some of this space and allowed third parties to proliferate," despite apparent interest from consumers, said Ray Mulhern, president of M-Consulting Group in Charlotte, N.C.

Indeed, technology vendors are beginning to roll out such services to a few U.S. users.

The developers include start-ups such as iBreva Corp., which is piloting a mobile-phone payments service in several small Silicon Valley stores, and larger companies such as PayPal Inc., a division of eBay Inc. In April, it unveiled PayPal Mobile, a phone-to-phone payments service that allows users to pay for merchandise via text messaging. Neither service uses a bank to clear payments.

Waiting for Customers

Some bank executives say they are waiting for customers to become more comfortable with the concept before offering such services.

"You have to understand the comfort level of the average American," said Judd Hol­royde, a senior vice president for global product management at Wells Fargo & Co. "He or she is still writing a tremendous amount of checks. I can't imagine a baby boomer being comfortable paying by phone."

Wells Fargo does not yet offer e-payment or mobile payment services.

Mulhern, a former senior executive for payments at Charlotte, N.C.-based Wachovia Corp., noted that banks are also held back by strict government regulations.

"Banks are looked at as keepers of safety and soundness in the payments world," Mulhern observed. "They are much more constrained. As a result, they are not going to move fast."

"Innovation is not a bank's strong suit," added Clayton Giordano, CEO of Palo Alto, Calif.-based iBreva. "They are highly motivated and interested, but they also realize it's a high-stakes game."

Other observers noted that the back-end IT architecture at many banks is siloed and inflexible.

"Most banks still have dedicated, hard-wired payment systems that they bought 10 to 15 years ago," said Matt Ellis, U.S. president for Clear2Pay NV/SA, a Brussels-based provider of back-end payments software to banks.

Some banks, such as Sioux Falls, S.D.-based First Premier Bank, have inched into mobile payment services. It offers a MasterCard-branded prepaid debit card linked to a cell phone payment service that was launched in March by Redwood City, Calif.-based Obopay Inc.

Banks spend a fortune to combat ‘card skimming’

03 September 2006

By Nic Cicutti Sunday Herald

High street and large supermarket banks are to spend hundreds of thousands of pounds on added security measures in an attempt to stem a growing wave of “card skimming” crime at cash machines across Scotland.
The move comes as figures show that the value of ATM fraud reached £21.4 million in the first three months of 2006, up 54% compared with the same period last year.

Levels of ATM fraud have grown by more than 250% in the past five years. Experts now say skimming accounts for the greatest proportion of cash machine fraud in the UK.

Skimming involves attaching a small electronic device to the card entry slot of a cash machine to record a card’s details without the cardholder’s knowledge. Criminals are then able to produce a counterfeit card and use it to withdraw money from a cash machine.

Last week, Sainsbury’s Bank was the latest to announce it will be spending £3.5m on security around its 885 cash machines across the UK, including dozens in Scotland. The measures include more CCTV cameras and new anti-skimming devices.

Last month, Tesco announced similar plans for its 1900 cash machines, at a cost of £3m. Duncan McKinnell, director of operations at Tesco Personal Finance, says: “ATM networks across the country are being increasingly targeted by fraudsters, so £3m is a worthwhile investment to protect our customers’ hard-earned cash.”

Lloyds TSB is also installing anti-skimming devices at all its cash machines around Scotland. The device, fitted to the machine itself, aims to thwarts fraudsters’ attempts to capture customers’ card details using sophisticated technology.

Matthew Timms, internet and ATM director at Lloyds TSB, says the bank’s move is only one of a number of measures it is taking to help stamp out fraud: “We are doing everything we can to ensure that our cash machines are safe to use.”

A spokesman at Bank of Scotland says that while card skimming is currently on the rise, in the longer term it should start to fall in the wake of the introduction last year of a new “chip and PIN” security system for debit and credit cards.

He says: “What makes skimming possible is the ease with which it is possible to copy the magnetic strips on the back of customers’ cards. It is currently possible to buy machines through the internet that allow skimming.

“But cards with magnetic strips are gradually being phased out and we expect that the growing use of chip-only cards will ensure that copying chips is not possible, because they are encrypted.”

Meanwhile, all the banks are urging customers who want to withdraw cash at their machines to be vigilant and help reduce the chance of fraudsters getting hold of their pin details.

TransLink studies 'smart card' fare systems

Transit riders could use transit credit cards to pay their fares by 2010 as TransLink studies options to eliminate the use of paper tickets and passes.

Registered 6-day subscribers to the The Vancouver Sun newspaper or electronic edition enjoy full access to The Vancouver Sun Online.

Plus as an added value, you will also have full access to the subscriber exclusive content at all of our newspaper websites. For a complete listing see "Newspapers" below.