develop security guidelines for smart cards.
American Express Co., MasterCard International, the MasterCard affiliates Europay and Mondex, Visa International, and JCB of Japan said they have formed the Smart Card Security Users Group, SCSUG. The group will share information on security threats and requirements and will pursue standards that adhere to an international evaluation system known as Common Criteria, according to a joint statement.
Also participating in the announcement last week was the National Institute of Standards and Technology, which, with the National Security Agency, makes up the National Information Assurance Partnership, the U.S. validation body for Common Criteria.
The end result, scheduled to be in place by June, will be "a shared, internationally recognized, and cost-effective process for evaluating the security of smart cards," said Eugene Troy of the National Institute of Standards and Technology, who is the SCSUG coordinator.
The Mondex smart card program this year attained the highest achievable level under an older methodology, the Information Technology Security Evaluation Criteria, which is one of the bases for Common Criteria. Visa had concurrently been circulating a "Smart Card Protection Profile" geared toward Common Criteria requirements. A working group of EMV, the Europay-MasterCard-Visa chip card standardization initiative, has been defining a protection profile for credit and debit applications.
The profile to emerge from the joint effort, building on Visa's proposal, "will enable vendors to write 'security targets' that show how their products meet users' requirements," the sponsors said. "Smart cards manufactured to these requirements can then be tested and evaluated in an accredited, independent laboratory. Issuers can be confident that if they buy an approved product, then the demands of the protection profile have been met."
Mr. Troy said the process "will help to ensure that there is the same high level of security across all smart card platforms and allow all parties to see how security requirements are met."
SCSUG has posted a draft profile at http://csrc. nist. gov/cc /sc/sclist.htm.
-- Jeffrey Kutler
