Smart Cards: Visa Submits Card Security To 'Common Criteria' Test

Visa International has taken steps to measure its smart card security against a widely recognized international benchmark.

The bank card association last week published a Smart Card Protection Profile, which delineates the technology's security vulnerabilities and steps that can be taken to counteract them.

A protection profile is an element in winning certification under the Common Criteria for Information Technology Security Evaluation. Visa posted its document for comment at the www.visa.com Internet site and is encouraging the entire chip card industry to go the Common Criteria route.

Certifications under Common Criteria and under its older European predecessor, the Information Technology Security Evaluation Criteria, or ITSEC, are increasingly being sought by smart card, cryptographic system, and other data protection vendors as neutral, third-party endorsements of their products' security claims.

Vendors will be able to take the Visa protection profile's description of smart card security requirements and write a "security target" for their own product: a document that claims conformance to the profile and shows, requirement by requirement, how the product meets it. Those security targets, together with the products themselves, would then be submitted for evaluation to independent laboratories accredited by a national certification body.

Products that pass lab evaluation are certified at an Evaluation Assurance Level, as defined by the Common Criteria, ranging from EAL1 through EAL7. A higher number denotes a more rigorous evaluation: more design documentation examined, more testing, and, at the top levels, formal modeling of the security design. The level measures the depth of the evaluation and the confidence it yields, not the strength of the product in any absolute sense.

Mondex International Ltd., the chip card venture begun in the early 1990s by National Westminster Bank of London and now controlled by MasterCard International Inc., is pursuing ITSEC E6, the highest level of assurance under that older methodology.

Outside the card industry, Microsoft Corp. said April 28 that its Windows NT 4.0 technology received an ITSEC E3 certification from a United Kingdom agency. NT's next version, Windows 2000, is to be submitted under Common Criteria, Microsoft said.

Common Criteria, derived in part from ITSEC and from the earlier U.S. and Canadian criteria, is becoming an international standard, published by the International Organization for Standardization as ISO/IEC 15408. Visa said that by next year this standard will provide the basis for all of its smart card security evaluations.

Lance Johnson, senior vice president of risk management at San Francisco-based Visa International, said its protection profile "is the culmination of everything we have learned" on every application and function relating to smart cards.

Visa, Mondex, and others dealing with electronic forms of money and highly valued information commodities have commissioned laboratories and consultants to perform sophisticated analyses and attacks, and to help build safeguards against observed threats.

The resulting protection profile "adds to the significant knowledge already demonstrated by the vendor community, and clearly specifies the threats smart cards face," Mr. Johnson said. "It provides vendors with a statement of security requirements and ensures, through validation by independent certified labs, that card security continues to meet our stringent, high standards."

Visa is offering its documentation as a basis for multiple-application cards, which carry services provided by companies in more than one industry, as well as for the more straightforward electronic purse or stored-value programs that proliferated in the early days of smart cards.

Mr. Johnson pointed out that another Visa standardization proposal, the Common Electronic Purse Specifications, has won widespread support. "The Visa Smart Card Protection Profile will allow CEPS issuers to systematically compare the security of products built to those specifications," he said.

He pledged that Visa will "continue to work with vendors to ensure that their efforts complement our own."
