Latin America: Opportunities for smart cards in government
Card Technology Today • May 2007
In May 2007, GlobalPlatform and the Smart Card Alliance jointly hosted ‘Smart Cards for Government and Payment’ - a two day smart card business conference and exhibition in Mexico City that focused on the value of smart cards for government and payment programmes. From a public sector perspective, the key focus of the event was smart cards for Government and secure identification. A number of influential business leaders from Latin America, North America and Asia shared their views and experiences relative to smart card trends in regional government sectors, the value of interoperable specifications and successful deployments on a local, regional and global scale, of government smart card programmes for ID, access control and healthcare. By sharing best practice and implementation knowledge, speakers aimed to engage and educate delegates on the value that smart cards can bring when used for government applications. As a review of the event, this article provides an insight into the current status of the Latin American smart card sector, with a particular focus on government. It identifies key market drivers, together with the countries and applications which offer vast potential for growth in the short and medium term. Case studies of regional implementations are referenced and the ability of Latin America’s governments to benefit from the experience and knowledge of markets, industry organizations and technology providers which have already rolled out successful public sector smart card programmes is also explored.
The Latin American market
Industry watchers estimate Latin American countries spent over US$200 million on card technologies in 2006, up 70% from the previous year. The SIM mobile telecommunications sector is by far the largest user of smart cards in Latin America, followed by the payments industry. Government ID applications and public transport initiatives represent a much smaller share of the overall smart card market. Frost and Sullivan predicts that while SIM mobile telecommunications applications will continue to account for the greatest market share within the foreseeable future, this sector will gradually lose ground to the growing payments, government ID and public transit markets. The continued aggressive adoption of EMV throughout Latin America will be the primary driver of smart card growth in the payments sector, while the proliferation of smart transit fare cards and new government secure identification, healthcare and other initiatives will greatly increase the number of public sector smart card deployments. It is estimated that the government ID market will grow to a 16.4% share of the total market by 2011. Interestingly, Central and South America is ranked fourth out of nine regions in the UN’s Global eGovernment Readiness Report 2005, which places North America, Europe and South and East Asia in the top three. The Latin America government smart card market is certainly on the verge of significant expansion. This is reflected in Frost and Sullivan’s predictions that of all smart card markets in Latin America, the government ID sector will grow at the fastest rate over the next four years.
Smart cards for Government
Across the world, smart cards are used in numerous government and public sector smart card initiatives, demonstrating the viability and benefits – such as flexibility and cost-effectiveness – of smart card technology relative to mass, scaleable and highly secure deployments. Latin America has a proven historical track record regarding successful government smart card programmes. Indeed the first smart driving licence in the world was issued in 1995 in Mendoza, a province of Argentina, allowing policemen to access information about the driver, his/her latest offences, licence type and number and a photograph of the holder at the roadside, via hand-held readers. This was over a decade ago. If we look at more recent data from Frost & Sullivan, however, we obtain a picture of application-specific deployments within the Latin American government smart card market in 2006. At this time, the government sector utilising the greatest number of smart cards was health and social services, comprising 48.9% of the total Latin American government smart card market. National ID programmes came in a close second, with 40.5% and applications which accounted for a significantly smaller share of the total government smart card market were driving licences with 8.1%, government employee ID programmes with 2.0% and ePassports with 0.5%.
[Figure: Government Smart Cards Latin America 2006]
So, while there are ePassport pilots underway in Brazil, Mexico and Venezuela and smart driving licences have been deployed in El Salvador, Mexico and Argentina, health and national ID programmes are really the driving forces behind the smart card market at present. Two implementations of particular significance in terms of card volume are the Mexican health care card and the Brazilian Public Key Infrastructure programme.
In the first quarter of 2006, a nationwide initiative in Mexico was launched with the aim of securely storing patient information, ensuring citizens receive correct healthcare benefits and reducing paper based administration. Seguro Popular, a Mexican Government social security organisation, began rolling out 3.7 million smart cards to its members, each containing patient information, prescription details and an ePurse which will be used to load the patient’s health care subsidies. On each visit to the doctor the patient will produce his/her card, which can only be read by authorised healthcare professionals, and patient information can be viewed and updated in real time. It is anticipated that the cards will be successful in reducing administration costs while minimizing the potential for benefit fraud.
Meanwhile in Brazil, the Public Key Infrastructure (PKI) programme led by the National Institute of Information Technology, which is a federal agency linked to the Presidency of the Republic of Brazil, is one of the largest electronic government digital credential programmes using smart cards and tokens in Latin America. Established in 2002 by the Brazilian Government, the PKI – known as ICP Brasil – aims to minimise paper based administration by using Internet services. It provides digital identity credentials to individuals and corporations in order to file electronically signed documents. According to Brazilian law, any electronic document is legally valid if it is certified by ICP Brasil or any other PKI where the concerned parties agree on the validity of the document. Naturally, the scope of this initiative is vast. Its impact on encouraging smart card
deployments in the country has been extremely positive, not only because of the smart card programmes launched in association with ICP Brasil itself, but also because it has raised the profile and acceptance of smart cards as a valid, reliable and secure technology for government and public sector initiatives.
Interoperable smart card standards
Given that a number of smart card deployments are already well progressed in the region and that Latin American governments generally appear to be embracing smart card technology to address eGovernment objectives, reduce costs and improve services to citizens, the future growth of the regional smart card industry looks certain. To ensure that current investment in smart card infrastructure, and the technology itself, is protected for the future, however, it is vital that government decision makers are fully educated on and aware of the benefits and scope of basing smart card solutions on open, interoperable standards, such as the GlobalPlatform specifications. Governments in Latin America may reference many successful smart card implementations by governments worldwide, including Austria, Morocco, Moscow, Poland, Qatar, Saudi Arabia, South Korea, the Sultanate of Oman and the USA, to clearly understand the benefits offered by open standards, regardless of the complexity of the requirement. Using the US Department of Defense (DoD) as a widely recognised successful model, it is clear that open standards provided the solution to a specific issue – being able to use one card, known as the Common Access Card (CAC), across different government agencies and for use in both the physical and logical access context. In 1999, the US DoD began work on a programme to issue a smart, common-access identification card to 4.5 million active duty, Selected Reserve, DoD civilian and eligible contractor personnel with a target completion date of April 2004. The CAC is a smart card standard established by the Government Services Administration (GSA), a key purchasing arm of the US government, in conjunction with various military departments. The CAC card utilises GlobalPlatform technology to simplify the process of multiple government agencies deploying an interoperable smart card.
The ultimate goal is to be able to use a CAC anywhere that the cards are accepted, regardless of which
Government Agency issued it. The CAC is the principal card used to enable physical access to buildings and controlled spaces and is used to gain access to the DoD’s computer network and systems. As of August 2006, over eleven million CAC cards had been issued. The cards have been issued on a decentralised basis at over 1,400 sites in 27 countries and at over 2,000 workstations, clearly illustrating the benefits of interoperable smart card standards. Following the roll out of the CAC, a dedicated GlobalPlatform Government Task Force has worked closely with the US Government to extend GlobalPlatform’s systems technology – specifically its Messaging Specification – to support the unique issuance requirements of the Personal Identity Verification (PIV) card for the US Federal Government. This will naturally benefit governments beyond that of the US and as an extension to this work, GlobalPlatform aims to develop a White Paper in 2007 which states GlobalPlatform’s value proposition in relation to eID initiatives. Another example of a government using open specifications is the Macau Government. In 2003, its Identification Department (DSI) commissioned the distribution of multiapplication smart-card based identity cards to all of Macau’s 460,000 citizens, resident within the Chinese Special Administrative Region (SAR), with a target completion date of 2007. In January 2003, distribution of the 460,000 GlobalPlatform multi-functional cards began. The cards have built-in security features to prevent forgery, such as the use of fingerprint matching for automated identity verification. They also allow the uploading of other applications to realise Macau’s eGovernment goals among others. The ultimate vision for the smart card is for it to serve as an all-in-one card combining, for example, ID card, driving license, student card, medical card, social security card and possibly ePurse functionality for secure electronic transactions. 
While these are just two examples of many government smart card programmes globally which are based on interoperable technology, the numerous gains provided by open standards include greater flexibility, economies of scale, multi-sourcing opportunities, faster time to market and the ability to share card space with strategic partner organizations or other government departments / agencies. Issuers who adopt open standards also stand to benefit from the long term assurance that their current investment in a smart card infrastructure is protected against future changes in their technical or strategic approach. The flexibility offered by an interoperable smart card environment allows the programme to evolve in line with future business decisions and market considerations.
A synergistic relationship
Current trends and future forecasts show that the government smart card market in Latin America is growing at a significant and rapid rate. Smart card technology is fast becoming a cost-effective, safe and proven facilitator of eGovernment services and the roll out is set to continue for the foreseeable future.
At this stage in the market’s lifecycle, governments throughout Latin America can clearly benefit from the experience, knowledge and decision-making processes of other governments which have already deployed successful smart card solutions world-wide. GlobalPlatform and the Smart Card Alliance hosted the Smart Cards for Government and Payment event in Mexico in May to address this clear need for regional industry discussion and education around the benefits of smart cards, best practice implementations and the advantages of deploying products and infrastructure based on interoperable standards.
As leading industry bodies, with synergistic goals across diverse smart cards sectors, including government, financial, mobile telecommunications, healthcare, transit and retail, and many geographies world-wide, it is hoped that this event will be the first of many collaborations and joint initiatives between the two organisations.
This feature was provided by Kevin Gillick, executive director, GlobalPlatform and Randy Vanderhoof, executive director, Smart Card Alliance.
The EMV factor
Flexibility, fraud and two-factor authentication
Forrester Research forecasts that, in Europe alone, over 130 million people will be using remote banking services by 2007, up 75 million compared to 2005. This trend has been welcomed by banks and financial service providers, who can keep branch costs low, while increasing transaction frequency. At the front end, customers are afforded greater freedom and more immediate control over their finances. However, a less welcome trend accompanying this development is that of fraudulent transactions, notably card-not-present (CNP) fraud. Historically, banks have relied on the use of static passwords to enable remote access to banking applications. However, highly sophisticated fraudulent techniques are fast rendering this one-factor authentication system obsolete. Statistics released by APACS in March 2007 reveal that online banking fraud in the UK increased from £23.2 million in 2005 to £33.5 million in 2006, whilst card-not-present (CNP) fraud grew by 16% to £212.6 million in 2006 from £183.2 million in 2005. These losses are being compounded by the increasing customer reluctance to use online financial services which they deem to be insecure. One particularly ubiquitous security issue has been the emergence of phishing as the foremost weapon in the criminals’ arsenal. In very basic terms, phishing involves a fraudster masquerading as a financial institution in order to steal a customer’s account information.
More recently, criminals have been using increasingly sophisticated spyware, including trojan horses, key logging and screen scraper programmes, which capture screen shots to obtain end-user credentials. To minimise the financial impact of this type of fraud, and bolster customer confidence, banks and other financial institutions have begun to upgrade their current password-based authentication solutions to stronger, two-factor authentication. Common implementations of two-factor authentication (2FA) use ‘something you know’ as one of the two factors, and either ‘something you have’ or ‘something you are’ as the other factor. A common example of 2FA is a bank card (credit card, debit card); the card itself is the physical ‘something you have’ item, and the personal identification number (PIN) is the ‘something you know’ password that goes with it. Entering the PIN code on a remote card authentication device that is not connected to the PC leaves no room for online fraud.
A key driver behind the implementation of 2FA is migration towards EMV payment cards. EMV migration continues to drive authentication technology, since banks can re-leverage their considerable investment in the technology and use it for security purposes. Europe is ahead of other regions in this respect with forecasts from MasterCard predicting the percentage of EMV-enabled cards in Europe at 67% this year. The banking and financial services industry is starting to wake up to the need for greater security for online transactions. With Gartner warning that static passwords will become obsolete in two years, the industry is moving towards widespread implementation of two-factor authentication. In the US, federal regulators went as far as to state that banks must have two-factor authentication on their websites by the end of 2006.
Current authentication solutions
A range of security solutions is currently available including tokens, smart card readers and devices that generate one-time passwords (OTP). Pocket-sized EMV-compliant smart card readers incorporating a challenge/response capability appear to offer the most promising long-term answer to online authentication problems - at least in European and Middle Eastern markets. Not only do the readers leverage the considerable investment by the banking industry in EMV chip card migration, but they can also be extended in scope to cover other forms of CNP fraud. As for the process itself, banks provide their customers with a hand-held card reader, which does not require a direct connection to a personal computer, and often incorporates a user-familiar PIN pad. The customer inserts