Payments Industry To Develop Common Security Guidelines For Smart Cards

Smart Card Security Users Group Created to Ensure Highest Standards of Security

Major payment organizations, including American Express, Europay International, MasterCard International, Mondex International and Visa International, today announced a new initiative to create common security guidelines for the smart card industry.

To this end, the organizations have formed the Smart Card Security Users Group (SCSUG), coordinated by the US National Information Assurance Partnership (NIAP), and with the cooperation of the international Common Criteria Management Committee.

The group will share information on security threats and security requirements, focusing on both chip hardware and smart card operating systems. The combined input from the five organizations will first be employed in the production of a Protection Profile for smart cards. This will address the chip and operating system security requirements for a smart card carrying EMV credit or debit applications as well as other applications requiring high security.

EMV (Europay, MasterCard, Visa) represents an agreed-upon standard within the financial services industry for chip credit and debit applications, developed to ensure interoperability of smart cards and terminals worldwide. An EMV Security Working Group is in the process of defining a Protection Profile for credit and debit applications, based on the SCSUG Protection Profile for the chip and operating software platform.

The Protection Profile will be developed under the Common Criteria for Information Technology Security Evaluation. The Common Criteria has evolved from a number of national and regional criteria, such as ITSEC, as an international standard (also known as "Multipart Standard IS 15408: Evaluation criteria for IT security") and is anticipated to replace these criteria over the next few years.

The Protection Profile defines a process for conducting security evaluations on IT products, such as network firewalls, and provides a basis for smart card security evaluations. Once evaluated and approved, the Smart Card Protection Profile will enable vendors to write Security Targets that show how their products meet the users' requirements. Smart cards manufactured to these requirements can then be tested and evaluated in an accredited, independent laboratory.

Issuers can be confident that if they buy an approved product, then the demands of the Protection Profile have been met.

"The beauty of this system is that it means we will have a shared, internationally recognized and cost effective process for evaluating the security of smart cards," says SCSUG coordinator Eugene Troy. "As more and more smart cards are introduced, such a process will be indispensable in maintaining the integrity of smart card systems and the confidence of issuers and users worldwide. It will help to ensure that there is the same high level of security across all smart card platforms and allow all parties to see how security requirements are met."

The draft SCSUG Protection Profile can be viewed at http://csrc.nist.gov/cc/sc/sclist.htm.

