- Email: [email protected]
Viewpoint
FEATURE / VIEWPOINT lifecycles to be held on the same credential. Additionally, ANDiS4FIPS201 supports open source interfacing, which allows swift and seamless integration with other components of the PIV card-issuing infrastructure.
Healthcare The healthcare sector is also embracing smart card technology, a move that is being driven by the private sector and involves many stakeholders with different business interests. LifeNexus is deploying its smart card-based Personal Health Card with Inland Northwest Health Services (INHS), a member of the Northwest Regional Health Information Organization (RHIO) connecting 38 hospitals in north-west Washington and Idaho. The RHIO aims to facilitate the sharing of electronic medical records between doctors, laboratories and hospitals across large geographic areas. Speaking at the Smart Card Alliance/CardTech SecurTech conference in May, Christopher Maus said: “The LifeNexus Personal Health Card will act as a personal key people use to unlock access to their medical information.” He identifies two key benefits of using smart card technology for storing personal health and insurance information – security and portability. The LifeNexus card will store personal, insurance and medical information that people normally provide when they fill out forms at a doctor’s surgery or hospital. It will also store the details of any allergies, medicine restrictions, health conditions and recent medical results and lab tests. The information is protected by a PIN, so consumers have control over who can access it. Initially the firm will focus on equipping emergency departments to accept the card, speeding up admission and providing vital medical information. There are a number of other schemes throughout the US, which were also discussed at the Smart Card Alliance CardTech/ SecureTech show. For example, New York city’s Mount Sinai Medical Center is issuing its patients with smart card-based Personal Health Cards (PHCs) with the aim of ensuring they are accurately linked with their personal medical information. Language barriers, common names or even common addresses can lead to errors and result in combined or duplicate patient records. Correcting those records is a big expense for hospitals; Mount Sinai has initiated two major database cleanups in the past three years, each costing more than US$2 million. It has now joined with nine other institutions in the greater New York city area to create a regional HealthSmart Network that accepts a common PHC. 16
Card Technology Today
Viewpoint Some consequences of the credit crunch As everyone knows, the revelation this autumn that the banking industry’s loan books are stuffed with bad debt has caused a collapse of confidence among US and UK bankers, the smart card industry’s major customers. For the credit card industry an immediate consequence has been that the market for credit card receivables – which (like car loans and student loans) can be packaged up into bonds or securities – has seized up, depriving the institutions that provide these loans of a significant part of their funding. Meanwhile day-to-day business has to go on. Credit card applications are being vetted more carefully than ever, with wouldbe customers under 35 being targeted for extra scrutiny. Not surprisingly, free balance transfer offers are becoming rarer, and introductory rates for new cardholders now last for shorter periods. Next, and somewhat at odds with this tougher attitude towards new customers, at least one UK card issuer has been cutting back the credit limits of existing customers who pay off their bills every month (and are therefore considered to be ‘unprofitable’); the result of this is that these customers’ cards become largely useless as payment instruments. With cash tighter than ever, the threat of loss through fraud looms large. Use of a cardholder’s PIN code is in effect compulsory for face-to-face card transactions within the UK; and ‘chip and PIN’ has become part of the fabric of everyday shopping. It is true that card fraud losses continue to rise, but about 40 per cent of losses now consist of fraud abroad; this typically involves criminals using stolen UK card details at cash machines and retailer outlets in countries that have yet to upgrade to chip and PIN. This has to be a major concern; and in the present climate must surely induce a sense of urgency in countries where chip and PIN has yet to be rolled out. An even bigger worry now is online fraud, which accounts for more than half of card fraud losses. It is true that these losses need to be seen in the context of increasing numbers of online retailers and ever-growing numbers of online transactions. Nevertheless the pressure is on the card industry to take action against online fraudsters. The password-based Verified by Visa and MasterCard’s equivalent SecureCode service are now being marketed as extra security checks for online purchases. However some consumers are reluctant to sign up for the technology, on two grounds. First, the CVV number (which
is generated when the card is issued, by hashing the printed card information under a key known only to the issuing bank) is widely used in online transactions. It proves that the online customer has seen the card (or has seen a record made by somebody who has seen the card). If this is not robust enough, will the addition of a password add a great deal of security? Secondly, if the password does fall into criminal hands (through a successful phishing attack, for instance) and is used for an online transaction, it will be more difficult than ever for the genuine cardholder to refute the charge that he or she carried out the transaction. To add more muscle to the fight against online card fraud an old idea, which was first floated more than 20 years ago, has been resurrected. This is the smart card which carries a built-in one-time code generator: a numeric keypad on the reverse (with a minute display panel) is activated by entry of the holder’s PIN. The new code is then used to authenticate online purchases. Barclays’ PINsentry scheme, not yet fully rolled out, adopts a similar approach for making online payments from a current bank account, but uses a separate card reader as the one-time code generator. But to my mind the most significant consequence of the credit crunch is the widespread questioning of the belief that the private sector is necessarily best equipped to manage the basic functions of banking – taking deposits, making loans and transmitting funds. So it is not surprising that the UK government has taken advantage of the recent upheavals in the banking world to reconsider its plans (unpopular with many consumers and quite a few politicians) for putting out to tender the Post Office Card Account: the account is to remain in the hands of the state-owned Post Office. This decision should save thousands of post offices from being closed, and maintain a valuable service for several million pensioners and other customers, particularly in rural areas. There is even talk of a People’s Bank being created on the foundation of the existing Post Office network, to provide consumers and small businesses with the basic functions of banking outlined above. (The irony is that such a bank did once exist, not so very long ago, in the shape of the Girobank.) The scheme might be taken a step further: a rejuvenated and fully digitised Post Office could provide a network of local hubs where citizens could deal directly with local and national government. This would indeed be a welcome outcome of the credit crunch. David Jones
November/December 2008
Healthcare The healthcare sector is also embracing smart card technology, a move that is being driven by the private sector and involves many stakeholders with different business interests. LifeNexus is deploying its smart card-based Personal Health Card with Inland Northwest Health Services (INHS), a member of the Northwest Regional Health Information Organization (RHIO) connecting 38 hospitals in north-west Washington and Idaho. The RHIO aims to facilitate the sharing of electronic medical records between doctors, laboratories and hospitals across large geographic areas. Speaking at the Smart Card Alliance/CardTech SecurTech conference in May, Christopher Maus said: “The LifeNexus Personal Health Card will act as a personal key people use to unlock access to their medical information.” He identifies two key benefits of using smart card technology for storing personal health and insurance information – security and portability. The LifeNexus card will store personal, insurance and medical information that people normally provide when they fill out forms at a doctor’s surgery or hospital. It will also store the details of any allergies, medicine restrictions, health conditions and recent medical results and lab tests. The information is protected by a PIN, so consumers have control over who can access it. Initially the firm will focus on equipping emergency departments to accept the card, speeding up admission and providing vital medical information. There are a number of other schemes throughout the US, which were also discussed at the Smart Card Alliance CardTech/ SecureTech show. For example, New York city’s Mount Sinai Medical Center is issuing its patients with smart card-based Personal Health Cards (PHCs) with the aim of ensuring they are accurately linked with their personal medical information. Language barriers, common names or even common addresses can lead to errors and result in combined or duplicate patient records. Correcting those records is a big expense for hospitals; Mount Sinai has initiated two major database cleanups in the past three years, each costing more than US$2 million. It has now joined with nine other institutions in the greater New York city area to create a regional HealthSmart Network that accepts a common PHC. 16
Card Technology Today
Viewpoint Some consequences of the credit crunch As everyone knows, the revelation this autumn that the banking industry’s loan books are stuffed with bad debt has caused a collapse of confidence among US and UK bankers, the smart card industry’s major customers. For the credit card industry an immediate consequence has been that the market for credit card receivables – which (like car loans and student loans) can be packaged up into bonds or securities – has seized up, depriving the institutions that provide these loans of a significant part of their funding. Meanwhile day-to-day business has to go on. Credit card applications are being vetted more carefully than ever, with wouldbe customers under 35 being targeted for extra scrutiny. Not surprisingly, free balance transfer offers are becoming rarer, and introductory rates for new cardholders now last for shorter periods. Next, and somewhat at odds with this tougher attitude towards new customers, at least one UK card issuer has been cutting back the credit limits of existing customers who pay off their bills every month (and are therefore considered to be ‘unprofitable’); the result of this is that these customers’ cards become largely useless as payment instruments. With cash tighter than ever, the threat of loss through fraud looms large. Use of a cardholder’s PIN code is in effect compulsory for face-to-face card transactions within the UK; and ‘chip and PIN’ has become part of the fabric of everyday shopping. It is true that card fraud losses continue to rise, but about 40 per cent of losses now consist of fraud abroad; this typically involves criminals using stolen UK card details at cash machines and retailer outlets in countries that have yet to upgrade to chip and PIN. This has to be a major concern; and in the present climate must surely induce a sense of urgency in countries where chip and PIN has yet to be rolled out. An even bigger worry now is online fraud, which accounts for more than half of card fraud losses. It is true that these losses need to be seen in the context of increasing numbers of online retailers and ever-growing numbers of online transactions. Nevertheless the pressure is on the card industry to take action against online fraudsters. The password-based Verified by Visa and MasterCard’s equivalent SecureCode service are now being marketed as extra security checks for online purchases. However some consumers are reluctant to sign up for the technology, on two grounds. First, the CVV number (which
is generated when the card is issued, by hashing the printed card information under a key known only to the issuing bank) is widely used in online transactions. It proves that the online customer has seen the card (or has seen a record made by somebody who has seen the card). If this is not robust enough, will the addition of a password add a great deal of security? Secondly, if the password does fall into criminal hands (through a successful phishing attack, for instance) and is used for an online transaction, it will be more difficult than ever for the genuine cardholder to refute the charge that he or she carried out the transaction. To add more muscle to the fight against online card fraud an old idea, which was first floated more than 20 years ago, has been resurrected. This is the smart card which carries a built-in one-time code generator: a numeric keypad on the reverse (with a minute display panel) is activated by entry of the holder’s PIN. The new code is then used to authenticate online purchases. Barclays’ PINsentry scheme, not yet fully rolled out, adopts a similar approach for making online payments from a current bank account, but uses a separate card reader as the one-time code generator. But to my mind the most significant consequence of the credit crunch is the widespread questioning of the belief that the private sector is necessarily best equipped to manage the basic functions of banking – taking deposits, making loans and transmitting funds. So it is not surprising that the UK government has taken advantage of the recent upheavals in the banking world to reconsider its plans (unpopular with many consumers and quite a few politicians) for putting out to tender the Post Office Card Account: the account is to remain in the hands of the state-owned Post Office. This decision should save thousands of post offices from being closed, and maintain a valuable service for several million pensioners and other customers, particularly in rural areas. There is even talk of a People’s Bank being created on the foundation of the existing Post Office network, to provide consumers and small businesses with the basic functions of banking outlined above. (The irony is that such a bank did once exist, not so very long ago, in the shape of the Girobank.) The scheme might be taken a step further: a rejuvenated and fully digitised Post Office could provide a network of local hubs where citizens could deal directly with local and national government. This would indeed be a welcome outcome of the credit crunch. David Jones
November/December 2008