June 2009 Archives

CUPPS: The Platform of the Future (Airline Kiosk)

By Administrator on June 26, 2009 7:04 PM
CUPPS has been architected as the platform of the future, able to accommodate many things even beyond the agent-facing applications that it will initially address. The biggest benefit will be that one air carrier application will be able to run anywhere on any CUPPS providers platform.

While the technical trials are ongoing, the compliance trial parameters are being defined and the technical specification updated with lessons learned. Errors and omissions are being fixed so that the time required to execute the specification update segment can be minimized.

There are currently four active trials in progress - Las Vegas (ARINC), Orlando (SITA), Dublin (Ultra) and Brussels (RESA). "While the actual execution of the trials has changed over time due to the installation and site-specific needs, the overall progress is proceeding as planned," said Samuel Ingalls, Assistant Director of Aviation, Information Systems, Las Vegas McCarran International Airport, who is also Chair of the CUPPS Leadership Team. He continued: "Our original goal was to have the technical trials completed by April 15, 2009, but we learned through the pilot process that the critical milestone in the schedule is the publication of the Technical Specification. Each of the four trials is progressing with different tasks, in different orders, based on the participants' views and needs, and therefore they are completing the trial milestones in different orders. This flexibility has allowed us to learn more in a quicker manner, as well as giving everyone the freedom to complete their tasks in a manner that is comfortable for them."

Once the technical trials are completed, the applications and platforms will be compliance tested and then certified to the specification. The specification will be updated then published by IATA.

The technical trials are scheduled to be complete on 15 July; the certification trials are scheduled to be complete on 8 July for platforms and 15 July for applications. The technical specification is scheduled for completion by 15 September.

There are currently four active trials in progress - Las Vegas (ARINC), Orlando (SITA), Dublin (Ultra) and Brussels (RESA). Once the technical trials are completed, the applications and platforms will be compliance tested and then certified to the specification. The specification will be updated then published by IATA.

There are currently four active trials in progress - Las Vegas (ARINC), Orlando (SITA), Dublin (Ultra) and Brussels (RESA). Once the technical trials are completed, the applications and platforms will be compliance tested and then certified to the specification. The specification will be updated then published by IATA.

Catherine Mayer, SITA's Vice-President for Airport Services, explained that the pilot is critical to ensure that the technical standard works as expected, especially the interoperability of CUPPS applications among the different platform vendors. "The intent is to have vendors test their platform with at least two airline applications and for these same airlines to test their new CUPPS application on at least two vendor's platforms," she said. "If there are technical issues or discrepancies, the Technical Committee can update the technical specification before its final release, again ensuring success and following a logical practice that is new for aviation industry Recommended Practices. This is the first time that the industry has ever ensured such testing and recommended practice development; it is a great showing of the benefits of industry collaboration."

SITA began testing at Orlando in January, with WestJet passengers checked-in and boarded using the CUPPS technology. When testing is fully completed, SITA's AirportConnect Open platform will be considered as CUPPS compliant prior to a general product launch later in the year.

Lufthansa is participating in the pilot trials with SITA at Orlando and RESA at Brussels. "We have been conducting thorough testing of our CUPPS application (CLIP - CUPPS LH Integration Platform) and the platform suppliers' platforms we are doing pilot trials with," said Thomas Jeske, senior manager - IT infrastructure, Lufthansa. "It is of no surprise that while for the first time these new platforms and the LH middleware get integrated an array of issues arise that even a very thorough Technical Specification could not foresee. So we have had several test runs (integration tests) in our labs both with SITA and RESA. We have reached a stage where we feel our code is stable enough to provide it to SITA and RESA to do their own testing/integration testing in their labs."

ARINC's CUPPS platform went live at Las Vegas McCarran in January. ARINC worked with the international IATA/ATA/ACI CUPPS team to develop the CUPPS Technical Specification published in 2008. The company fast-tracked its deployment of the vMUSE CUPPS platform installed for the CUPPS Pilot Project at Las Vegas McCarran. John Belcher, ARINC Chairman & CEO, said: "This is a true breakthrough for the aviation industry. CUPPS represents a major investment by ARINC that will give the industry tremendous savings. ARINC's vMUSE platform is now being enhanced to simultaneously run legacy CUTE applications, newer CUPPS applications, and airlines' native applications - a capability we launched in Singapore in November 2007."

SITA began testing at Orlando in January, with WestJet passengers checked-in and boarded using the CUPPS technology.

SITA began testing at Orlando in January, with WestJet passengers checked-in and boarded using the CUPPS technology.


For rest of story click here




EMV takes aim at U.S.

By Administrator on June 18, 2009 10:43 PM
Nice article on SecureIDnews covering EMV. by Andy Williams, Associate Editor, Avisian Publications

Like a massive tidal wave, EMV continues to roll across the world, changing the global payments landscape. Since UK banks first committed to EMV five-years ago, more than 100 countries have taken the plunge in efforts to stem credit card fraud.

But the U.S. has always remained outside the EMV plan. This, however, may be changing as fraud, technology and business is changing the payments landscape.

Brian Byrne, head of product technology for standards and specifications at Visa estimates there are some 730 million EMV cards and 10 million terminals in existence around the world.

Toni Merschen, group head of chip at MasterCard Worldwide, notes that the Single European Payments Area initiative requires 38 countries to complete the migration to EMV by Jan. 1, 2011.

EMV gets its name from the companies which originally created it, Europay, MasterCard and Visa. Seven years ago Europay merged with MasterCard and the new standards body was renamed EMVCo. Its members now include Visa, MasterCard, Japan-based JCB and its newest member, American Express.

EMVCo's primary goal "is to facilitate global interoperability and compatibility of chip-based payment cards and acceptance devices through deployment of relevant EMV Specifications," says an EMVCo spokesperson.

EMV also goes by "chip and PIN," because the card contains a chip and a PIN is required before a transaction is processed. But nowadays, that chip and PIN moniker may be misleading. As Byrne, points out, many countries are foregoing the PIN part of EMV implementation, the predominant reason being that many consumers don't want to remember a PIN.

The country most advanced towards EMV implementation is the UK, the banks their were the first to adopt chip and PIN, says Merschen. Other markets that have reached maturity for EMV migration on either cards, point-of-sales devices and ATMs include France and Turkey in Europe and Malaysia in the Asia-Pacific region, he adds.

The migration isn't easy. Merschen says a number of infrastructure changes are required to handle EMV. "For issuers, there are new data elements that need to be supported by the issuer authorization and clearing host systems. Card data preparation, including key management, and card personalization also require hardware and software upgrades," Merschen says. "On the acquiring side, the impacts are similar. Acquirer host systems must be able to receive new data fields from terminals, which also need to be upgraded from both a hardware and software perspective."

Glitches all but resolved

In the early days of EMV there were issues, Merschen says, such as a shortage of approved products, lack of customer and vendor expertise with EMV and areas where the specifications left implementation options.

That was then. These issues from the early days of EMV have largely been resolved, says Merschen. "Robust migration processes are available to guide the banks, merchant, and consumers in their migration involvement," he adds.

Visa's Byrne describes the early road bumps as minor. "This card issued in country A was having some acceptance problems in country B. In some cases, some of the older terminals wouldn't work properly, but that was usually due to configuration issues, fairly minor stuff."

EMV in the U.S.?

So with the U.S. sandwiched between two EMV countries-Mexico and Canada-most think it's only a matter of time before the U.S. joins the EMV parade.

Paul Beverly, president of Gemalto North America, believes increased fraud will mandate such changes.

In an article in the spring 2009 issue of Regarding ID magazine, Beverly wrote: "The rest of the world is well on the way to EMV implementation. Europe and Asia have long been issuing cards and ... Latin America, faced with exploding credit card skimming fraud, is fully committed to EMV smart cards. .. Yet stakeholders in the United States still find fraud losses and identity theft risks acceptable. It is disappointing that U.S. companies are trailing the rest of the world in this area."

Charles Walton, executive vice president for payments for INSIDE Contactless, believes that the U.S. will ultimately get on board with the secure cards. "We're seeing inherent insecurities in the system, such as the Heartland Payment Systems hack. It's only a matter of time before these types of hacks will become intolerable."

Walton says hackers will look at the weakest point in the payment chain and exploit it. "If you start securing one point in the chain, it begins to expose the other points, the path of least resistance for water, will find the lowest point."

MasterCard's Merschen says that these fraud migration and data compromise incidents, plus the possibility of government regulation will lead several U.S. banks to consider EMV.

The handwriting is on the wall, so to speak. "It's inevitable that the U.S. migrate to EMV, primarily because fraud is escalating," adds Randy Vanderhoof, executive director of the Smart Card Alliance. "Major financial institutions in the U.S. are also international so it will not be a big step for them to issue these cards in the U.S."

Contactless and EMV

At first blush it would seem that contactless and EMV would be working toward opposite purposes, but Walton says EMV can run on top of contactless. "I would think of EMV as a security protocol that works with contactless as well as contact chips."

Visa is using EMV specs in its contactless payWave technology, Byrne says. "The way we're deploying contactless in the U.S. is using EMV specs," says Byrne. "It's based on EMV technology making use of strong security elements baked into EMV. These new cards will not only be accepted in readers in the U.S. but also in the UK."

The next generation of contactless cards will be a step toward EMV, says Vanderhoof. For example, MasterCard terminals certified for contactless also carry elemental portions of EMV. "We're seeing these gradual upgrades of the infrastructure to support it," he says.

Vanderhoof says these new rules for EMV contactless are different than those for EMV contact cards. Purchases under about $25 can be a contactless transaction in the UK, just like in the U.S. "Just tap it and go, no PIN or signature. After a certain number of transactions you might be required to enter your PIN."

Rest of story

Tokenization and Enterprise Security

By Administrator on June 7, 2009 5:14 PM
Nice article on tokenization which also highlights lack of formal standards for tokenization at this time. 

Credit Card Tokenization: Put All Your Data Eggs in One Basket--and Watch That Basket

I was on a call recently with Gartner, Inc., analyst John Pescatore to learn about credit card tokenization. Pescatore, who specializes in Payment Card Industry Data Security Standard (PCI DSS), encryption related to PCI DSS, and overall security of Internet systems for Gartner, explained that tokenization can reduce a company's odds of a data breach as well as reduce the cost and complexity of PCI DSS compliance and auditing. A couple of other Penton Media editors, including System iNEWS technical editor Mel Beckman, were also on the call, and I present our questions and Pescatore's answers here for your edification. [Editor's note: nuBridges Inc., a software company that recently released a tokenization product, arranged our discussion with Pescatore but did not attend the call or have any control over what was discussed.]

Pescatore: The basic issue we've seen from enterprises is that the PCI mandate says that certain types of data have to be masked or encrypted. However, encryption does carry costs and complexity, plus the real issue is that what businesses really need to do is minimize the number of places where they store the credit card data--because in order to encrypt card data, you need encryption keys. If you're storing this data in more places than you need, the odds get higher that your keys will get compromised. So in the past couple of years, we've seen a lot of movement away from blind encrypting.

Here's an example: A lot of pretty big companies don't have credit card payment as a big part of their business, but they have the PCI security requirement even for the small amount of payment processing they do. And they thought encrypting and other PCI security requirements were too complicated, so they outsourced the payment processing so they'd never store the card data, just a token. These companies could get full access to the transaction data, but the outsourced payment processor sends it to them without the card data. This idea of tokenization and masking started with these outsourcers. nuBridges is one of the first to work tokenization into a key management product. Now enterprises who either can't or don't want to outsource payment processing can do it themselves with tokenization. However, outsourced payment processors do have to get certified as PCI compliant.

rest of article

http://www.gokiosk.net/kiosk/tokenization-in-depth.pdf


« May 2009 | Main Index | Archives | July 2009 »


Related Ring Sites:
  GoKIS  |   ThinClient.org  |   keefner.com  |   Visi Kiosk site  |   KIOSK  |   Kis-kiosk.com  |
Resource Sites:
  Elo TouchSystems  |   Acire Inc.  |   Nextep  |   TIO Networks  |   Olea  |   Self-Service Networks  |   Meridian Kiosks  |   Provisio  |   Kioware  |
  Selling Machine Partners  |   Source Technologies  |   Seepoint  |   5Point  |   Nanonation  |   Netkey  |   KioskCom  |   Summit Research  |   NCR  |