How to boost credit card security? Kantara’s Brennan weighs in
Editor’s Note: This story has been updated to correct Joni Brennan’s name.
With the holiday shopping season in full swing, Americans are pulling out their credit or debit cards to buy gifts for loved ones. However, a slate of recent high-profile cybersecurity breaches at retailers is casting a bit of a dark shadow over the holiday cheer this year. People rightly worry whether using their credit cards in person at stores or when shopping online will expose their personal or financial information to hackers. Nobody wants to have his or her money or identity stolen, yet credit cards are still the most convenient way to pay for goods at stores and one of the only ways to order things online.
To beef up the security of credit cards, President Barack Obama signed an executive order that laid the groundwork for applying new technologies, such as embedding a chip in the cards. One of the nonprofit groups that is currently vetting and setting up those new security standards is the Kantara Initiative. Working as part of the U.S. National Strategy for Trusted Identities in Cyberspace, Kantara’s role is to certify security for the digital network and bring U.S. consumer debit and credit card security more in line with the rest of the world.
We took a few moments to talk with Kantara Executive Director Joni Brennan about working on the front lines of credit card security, and how the government effort is working to improve the safety and reliability of credit and debit card transactions.
John Breeden II: Can you tell us how the Kantara Initiative was formed and where it fits into the government’s attempts to tighten security?
Joni Brennan: The Kantara Initiative was formed in 2009 as a nonprofit 501(c)(6) organization. Key digital identity stakeholders formed it as a vehicle to connect business, government, and research and education communities through more trustworthy identity services. The Kantara Initiative Board of Trustees represents a diverse set of leaders, including ForgeRock, Experian, CA Technologies, the Internet Society, NRI and Radiant Logic.
The Kantara Initiative operates as the premier U.S. government trust framework provider for the Federal Identity and Credential Access Management program of the General Services Administration. A trust framework provider develops rules, tools and technology profiles for adoption by communities as a means to verify trust in identity and service providers. The Kantara Initiative’s program has verified identity services offered by industry leaders, including Experian, Symantec, Verizon and ID.me.
JBII: Does the Kantara Initiative look at all aspects of security or just specific ones?
JB: The Kantara Initiative explicitly focuses on digital identity and its intersection with security and privacy practices. That said, our new areas of focus for innovation are centered around identity relationships between people, entities and things as part of the connected life that the Internet of Things (IoT) will enable.
JBII: Why is the group called the Kantara Initiative?
JB: Kantara has roots in the Arabic word meaning to bridge as well as in the Swahili word meaning harmony. The organization was founded with a vision of bringing together varying stakeholders to work to harmonize approaches to digital identity standardization. The goal was not to create one solution but rather to create bridges that enable connections between partners and markets, businesses and consumers, and governments and citizens.
JBII: Looking at debit and credit cards specifically, what is the presidential initiative that is driving the change and what does it call for?
JB: The executive order discusses debit cards and implementation of chip and PIN technology. Chip and PIN technology is not new. In fact, it is the standard in most parts of the world. The executive order seeks to bring the U.S. consumer debit card experience and security more in line with the rest of the world. While debit cards are one part of a transaction-based ecosystem, digital identity is another part. The executive order also references the National Strategy for Trusted Identities in Cyberspace. The executive order may be responding to the many consumer personal data and monetary breaches that we have seen in the news. These breaches lower user trust in Internet and technology services. The NSTIC aims to help create an ecosystem of trust for digital identity issuance, acceptance and general use that would enable better protection for security and personal privacy, as well as a more intuitive user experience with usernames and passwords than what exists today. The Kantara Initiative programs are aligned not only with the U.S. NSTIC but also with other national strategies from around the world. This is an area where the Kantara Initiative seeks an innovative solution for borderless digital identity experiences.
JBII: Would the addition of the chip to credit cards do anything to protect online purchases?
JB: Potentially. Our digital and physical worlds are more and more connected. Bringing better security practice to any part of the ecosystem will help improve the ecosystem as a whole and raise the collective bar for all participants in the market, creating a more predictable and trustworthy environment. This delicate trust and seamless predictability is the foundation for innovation and consumer engagement.
JBII: What are some of the steps that will drive the digital identity infrastructure to mature more rapidly, with a focus on security and authentication, that can move us beyond the era of user IDs and passwords?
JB: I suggest that the presidential executive order is actually providing a step in this direction. Governments can provide leadership and take initiative to implement the type of solutions that advance the market. The last section of the executive order calls for agencies to develop a plan to be delivered in 90 days to move U.S. government agencies forward, beyond user IDs and passwords. The agencies will have 18 months to implement the order. Raising the bar beyond user IDs and passwords for government-agency-to-citizen interaction will raise the bar for vendors as well. The order will help set a target that can be an incentive and serve as proof of concept well beyond government use cases.
In addition, providing businesses with more incentives to see identity as an opportunity rather than as a technical problem helps to drive innovation. The simple fact is that innovating your identity service and strategy is and will be more and more of a key market differentiator. Businesses that do identity well will have a better and more engaged relationship with their customers, and that leads to better loyalty and more opportunities. Shifting our collective mindsets from challenges to opportunities will bring more partners to the table.