Smart card groups welcome common security standard

Card issuers have welcomed financial industry agreement on a common model to evaluate the security of smart cards using internationally accepted standards.

The model, called the Smart Card Protection Profile, has been developed by the Smart Card Security User Group (SCSUG). It is based on the Common Criteria for Information Technology Security Evaluation, and marks the first time the criteria have been applied across a single industry segment.

Members of the SCSUG, which include American Express, Europay International, JCB, MasterCard International, the National Institute of Standards and Technology, and Visa International, worked with major governmental bodies to develop the Protection Profile.

Sponsors of the Common Criteria include government agencies in Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, Netherlands, New Zealand, Norway, Spain, the United Kingdom, and the United States.

The Common Criteria, also known as ISO 15408, defines a process for conducting security evaluations. The Protection Profile specifies the security requirements that smart cards should meet to address the needs of the financial services industry, and identifies the framework for verifying compliance with those requirements.

The Protection Profile will influence future smart card product development efforts. Smart cards will be evaluated in accredited laboratories that determine whether or not the design specifications and implementation meet the security requirements. Card issuers will no longer have to deal with two or more different security standards and developers can manufacture products to one standard, reducing their costs.

"This is a significant development in the use of smart cards by the financial services industry," says Kenneth Ayer, chair of the SCSUG. "For the first time we have industry-wide agreement on security standards for smart cards, which will lower costs for banks, make market introductions faster, and simplify the evaluation process for financial institutions and the vendors who supply them."
