<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>SWITCH ON</title>
	<atom:link href="http://ogsblog.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://ogsblog.wordpress.com</link>
	<description>Payment Industry...</description>
	<lastBuildDate>Tue, 24 Nov 2009 08:27:10 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='ogsblog.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>SWITCH ON</title>
		<link>http://ogsblog.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://ogsblog.wordpress.com/osd.xml" title="SWITCH ON" />
	<atom:link rel='hub' href='http://ogsblog.wordpress.com/?pushpress=hub'/>
		<item>
		<title>UID From another perspective</title>
		<link>http://ogsblog.wordpress.com/2009/11/24/uid-from-another-perspective/</link>
		<comments>http://ogsblog.wordpress.com/2009/11/24/uid-from-another-perspective/#comments</comments>
		<pubDate>Tue, 24 Nov 2009 08:27:10 +0000</pubDate>
		<dc:creator>ogsblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://ogsblog.wordpress.com/?p=28</guid>
		<description><![CDATA[UID From another perspective To keep things in perspective I am writing this after reading and watching all the press on the proposed UID. Although I laud India for taking such a bold step, with the ensuing huge task of defining and implementing the rollout of a UID to over a billion people, I have asked [...]]]></description>
			<content:encoded><![CDATA[<p><strong>UID From another perspective</strong></p>
<p>To keep things in perspective I am writing this after reading and watching all the press on the proposed UID. Although I laud India for taking such a bold step, with the ensuing huge task of defining and implementing the rollout of a UID to over a billion people, I have asked myself many times how this is going to be done and whether there is a way it can be done to reap the intended benefits.</p>
<p>I have been working on and off in India since 1993 in the financial transaction space. I have been fortunate to see the many changes and the progress that has been made at all levels of infrastructure, education, social and economic fronts. India has proven the capability and capacity to make changes when needed, and the UID, with its potential benefits both socially and economically, is another step in India taking global leadership.</p>
<p>The Unique India ID, as envisaged by the Government of India through Nandan Nilekani, holds huge promise as a revolutionary framework that, if rightly thought out and executed, would create tremendous synergy among key systemic components of overall Indian governance, leading to breakthrough levels of inclusion and nation development.</p>
<p><strong>The unique project with unique questions:</strong></p>
<p>However, looking at the UID in its entirety, I find myself asking some questions which I think need to be answered, and I have not seen either the questions or the answers in any press or other media releases. Questions like: what are the objectives to be achieved socially, economically and politically, and, most important, what do the citizens get out of this initiative? This question of what the citizen gets is paramount to the success of this initiative, as their participation will ultimately determine its success or failure. I would assume that some of the services will become more efficient and therefore faster. I could also assume that the number of paper forms to fill out would go down, making it easier to do transactions with the various agencies.</p>
<p>The answers to these questions define the scope of the project and frame the types of data that need to be captured in a way that they can be mined to produce the desired benefits. There is also much talk about the value of, and links to, other government agencies, some of which have their own form of ID specific to that agency. That leads me to the question: if there are agencies with IDs in existence, which agency has the most penetration into the population and is most frequently used, so as to facilitate building the database of the population? I have read that one of the suggestions is to use the Know Your Customer data used in the banking sector as the basis for this, and I do not see how that facilitates meeting this objective, as the majority of the population does not deal with banks, as evidenced by the growth in the micro-finance industry in India.</p>
<p>Thinking about this question and what the answer could be, I came to the conclusion that the most used ID with the greatest penetration in the population is the ration card. Although the ration card is at the family level, once you have identified the family you can then identify the immediate family hierarchy, the number of people in their household, their gender, age, and other data that might be of value like . A notice can be sent to an individual when he/she is required to get an ID card.</p>
<p><strong>Data security will need the most serious thought</strong></p>
<p>There is another question that I keep asking myself, especially when I see a number of large companies with relevant technologies in managing massive databases, such as Yahoo, interested in the UID initiative. It made me ask the question: is the best approach to build a single massive database to store, authenticate, and mine the data?</p>
<p>Or is there an existing infrastructure or protocol, already used by an industry, that can serve as a model to make the task easier and more manageable? Having spent most of my career in the retail and payment industry, I concluded there is. It is the model used by the financial payment industry, as implemented by Visa and MasterCard, which have a global network with the appropriate protocols and processes. I am assuming that these protocols and processes are the same as those required for the UID initiative, namely to identify an individual and to authenticate that this is in fact that individual at any point of transaction. It appears to me that a similar protocol and process fits the UID, like a debit or credit transaction, which is the interaction of the point of transaction with the decision maker of that transaction to authenticate that this is the person authorized to make this transaction and that this is in fact a legitimate transaction. As everyone knows, one of the biggest issues faced by an initiative like this is identity theft, and the potential is the same with the UID initiative, as the ID must be authenticated and the data must be secured. In a financial transaction, authentication takes place in authenticating the requestor and authenticating the merchant. The cardholder data used to complete and settle this transaction must be secured, as is mandated under PCI DSS and the EMV chip card protocol. These protocols and standards are specifically designed to authenticate and transact a financial transaction in a secure manner, as well as to protect the cardholder from having his personal data compromised and used in a fraudulent manner.</p>
<p>I have also seen and heard that the plan to use biometrics such as a thumb print for authentication has a 0.4% failure rate, and given the population this is not an acceptable failure rate. Since this is considered the best technology for authentication available, a solution may be to have 2 levels of authentication, with the second being an encrypted PIN.</p>
<p>It’s not the change per se people resist, but the process by which it is done. To look further at how this infrastructure can be leveraged, assume some type of card will be issued and that the card will be able to be read by some device such as a merchant POS. The question then is: can this be done? The answer is yes, as all merchant terminals are chip card enabled and programmable, and have an application running in them that meets the specific requirements of the merchant and the bank. This means there is a terminal base in existence that can be leveraged, provided the banks, Visa and MasterCard agree. This then makes the only cost at the individual level the cost of issuing the chip card. I am advocating the chip card as it is more secure and less prone to compromise due to its encryption capability.</p>
<p>Keeping in line with the infrastructure as mentioned, does it make sense to do this at the central government level without considering doing it at the state level? It appears to me it will be more politically correct to let each state manage its population, get the benefits and implement programs as the data mining reveals the need. People in India are becoming increasingly mobile, and India already has a method whereby you can identify which state you come from: the car license plate. If you were to have the authentication switch in each state and preceded each ID number with the state, as you do on a car license plate, and a card came into a switch that was from another state, you would simply switch it to that state for authentication. If a card consistently comes from another state, you can then investigate whether this person has relocated and require a new UID to represent the state where they are living, as well as all the other cards such as the ration card.</p>
<p>In conclusion, there is no right or wrong answer; it just turns out to be time and money to implement a project of this magnitude. So in my simplistic view I feel better having given my view and having asked and answered my own questions. Coming from an intense payments background, some could say I am narrow minded, and that might be true, but one thing I am sure of: leveraging something similar is better than reinventing the wheel.</p>
<p>About Monte Harris: <a href="http://ogsblog.files.wordpress.com/2009/11/monte2.jpg"><img class="alignleft size-full wp-image-33" title="Monte" src="http://ogsblog.files.wordpress.com/2009/11/monte2.jpg?w=163&#038;h=179" alt="" width="163" height="179" /></a></p>
<p><strong>Monte Harris</strong>, an American national currently based out of Chennai, India, is the <em>Founder and Managing Director</em> of Owe Global Solutions (p) Ltd (<a href="http://www.owegs.com/">www.owegs.com</a>). Owe Global Solutions (OGS) is a global banking technology company focused on the <strong>business of “Facilitating secured Data transaction processing”</strong>.</p>
<p>Monte also served as Chairman and MD of Verifone India for 6 years, building their software development center from fewer than 100 engineers to over 400 engineers and building the prestigious Verifone technology park, which were part of the early IT revolution in India. Thereafter he was the global Engineering Head for eFunds in Chennai, India (now Fidelity National Information Services) until he founded Owe Global Solutions in early 2008.</p>
]]></content:encoded>
			<wfw:commentRss>http://ogsblog.wordpress.com/2009/11/24/uid-from-another-perspective/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2d5b02b8d47cbdc50b6025a0ce3602d5?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ogsblog</media:title>
		</media:content>

		<media:content url="http://ogsblog.files.wordpress.com/2009/11/monte2.jpg" medium="image">
			<media:title type="html">Monte</media:title>
		</media:content>
	</item>
		<item>
		<title>10 ways to work more securely</title>
		<link>http://ogsblog.wordpress.com/2009/11/18/10-ways-to-work-more-securely/</link>
		<comments>http://ogsblog.wordpress.com/2009/11/18/10-ways-to-work-more-securely/#comments</comments>
		<pubDate>Wed, 18 Nov 2009 09:58:24 +0000</pubDate>
		<dc:creator>ogsblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://ogsblog.wordpress.com/?p=20</guid>
		<description><![CDATA[10 ways to work more securely The security of your computer and data is crucial for you and the success of your company. Lost or stolen information can reveal company secrets, or expose your confidential or personal information. The more you do to keep your computer secure, the safer your information will be. Use these [...]]]></description>
			<content:encoded><![CDATA[<p><strong>10 ways to work more securely</strong></p>
<p>The security of your computer and data is crucial for you and the success of your company. Lost or stolen information can reveal company secrets, or expose your confidential or personal information. The more you do to keep your computer secure, the safer your information will be. Use these 10 tips to learn ways you can help protect your computer, your data, and your company&#8217;s network.</p>
<p><strong>1. Work with your IT department</strong></p>
<p>Make sure that you install all of the patches and updates that your IT department recommends. In addition to installing Windows and Office updates, your IT department might require you to install additional security software, such as a firewall or custom software to help you connect from remote locations. Making these regular installations will keep your computer and your company&#8217;s network as secure as possible.</p>
<p><strong>2. Use strong passwords</strong></p>
<p>Passwords provide the first line of defense against unauthorized access to your computer, and a good password is often underestimated. Weak passwords provide attackers with easy access to your computer and network. Strong passwords are considerably harder to crack, even with the latest password-cracking software.</p>
<p>A strong password:</p>
<ul>
<li>Is at least eight characters long.</li>
<li>Does not contain your user name, real name, or company name.</li>
<li>Does not contain a complete dictionary word.</li>
<li>Is significantly different from previous passwords. Passwords that change just slightly—such as <em>Password1</em>, <em>Password2</em>, <em>Password3</em>—are not strong.</li>
<li>Contains characters from each of the following groups:
<ul>
<li>Uppercase and/or lowercase letters.</li>
<li>Numbers.</li>
<li>Symbols (!, @, #, $, %, etc.).</li>
</ul>
</li>
</ul>
<p><strong>3. Don&#8217;t enable the Save Password option</strong></p>
<p>Make it mandatory for you—or someone else trying to access your computer—to enter your password on all operating system or application settings. If a dialog box prompts you about remembering the password, rather than requiring you to enter it, just choose no. Allowing the password to be saved negates having the password at all.</p>
<p><strong>4. Use network file shares instead of local file shares</strong></p>
<p>Rather than opening up your computer to co-workers, use network file shares to collaborate on documents. And restrict access to the network file share to only those who need it. If you&#8217;re working on a team, you have lots of other options—such as using <a href="http://office.microsoft.com/en-us/groove/default.aspx" target="_self">Microsoft Office Groove 2007</a> or <a href="http://www.microsoft.com/sharepoint/default.mspx" target="_self">Microsoft Office SharePoint 2007</a>.</p>
<p><strong>5. Lock your computer when you leave your desk</strong></p>
<p>If you&#8217;re going to be away from your desk for a while, make sure your computer is locked.</p>
<p><strong>6. Use password protection on your screensaver</strong></p>
<p>Sometimes you&#8217;re away from your desk for longer than you expected. Plan for those situations by setting up your computer so that it locks itself after a specified amount of time.</p>
<p><strong>7. Encrypt files containing confidential or business-critical information</strong></p>
<p>You keep valuable and sensitive data on your computer. You might have sensitive information about your company or clients, or your personal bank statements on a laptop you use at home and work. Encrypting your data keeps it as secure as possible. To help keep unauthorized people from accessing your data—even if your computer is lost or stolen—you should encrypt all sensitive data. In the Enterprise and Ultimate editions of Windows Vista, you can use BitLocker™ Drive Encryption to encrypt the entire volume. In Windows XP and all editions of Windows Vista, you can use the Encrypting File System (EFS) to protect important files. We highly recommend that you learn how to encrypt a file or folder to keep it safe.</p>
<p><strong>8. Don&#8217;t open questionable e-mails</strong></p>
<p>If an e-mail message just doesn&#8217;t look right, it probably isn&#8217;t. Forward the e-mail message to your IT administrator to verify before you open it.</p>
<p><strong>9. Encrypt e-mail messages when appropriate</strong></p>
<p>If you&#8217;re sending confidential or business-critical information, encrypt the e-mail and any files attached to it. Only recipients who have the private key that matches the public key you used to encrypt the message can read it.</p>
<p><strong>10. Use the Junk E-mail Filter in Outlook</strong></p>
<p>Receiving spam, or junk e-mail messages, isn&#8217;t just annoying. Some spam can include potentially harmful viruses that can cause damage to your computer and your company&#8217;s network. The Junk E-mail Filter reduces the amount of junk e-mail messages, or spam, you receive in your Inbox. Good news—if your junk mail filter is already active. But you can always change the settings.</p>
]]></content:encoded>
			<wfw:commentRss>http://ogsblog.wordpress.com/2009/11/18/10-ways-to-work-more-securely/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2d5b02b8d47cbdc50b6025a0ce3602d5?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ogsblog</media:title>
		</media:content>
	</item>
		<item>
		<title>Relationship between PCI-DSS and PA-DSS</title>
		<link>http://ogsblog.wordpress.com/2009/11/12/relationship-between-pci-dss-and-pa-dss/</link>
		<comments>http://ogsblog.wordpress.com/2009/11/12/relationship-between-pci-dss-and-pa-dss/#comments</comments>
		<pubDate>Thu, 12 Nov 2009 06:40:04 +0000</pubDate>
		<dc:creator>ogsblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://ogsblog.wordpress.com/2009/11/12/relationship-between-pci-dss-and-pa-dss/</guid>
		<description><![CDATA[Relationship between PCI DSS and PA-DSS The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures. Traditional PCI Data Security Standard compliance may not apply directly to payment application vendors since most vendors do not store,  process, or transmit [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Relationship between PCI DSS and PA-DSS</strong></p>
<p>The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures.</p>
<p>Traditional PCI Data Security Standard compliance may not apply directly to payment application vendors since most vendors do not store,  process, or transmit cardholder data. However, since these payment applications are used by customers to store, process, and transmit cardholder data, and customers are required to be PCI Data Security Standard compliant, payment applications should facilitate, and not prevent, the customers’ PCI Data Security Standard compliance. Just a few of the ways payment applications can prevent compliance follow.</p>
<p>1. Storage of magnetic stripe data in the customer’s network after authorization;</p>
<p>2. Applications that require customers to disable other features required by the PCI Data Security Standard, like anti-virus software or firewalls, in order to get the payment application to work properly; and</p>
<p>3. Vendor’s use of unsecured methods to connect to the application to provide support to the customer.</p>
<p>Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches.</p>
]]></content:encoded>
			<wfw:commentRss>http://ogsblog.wordpress.com/2009/11/12/relationship-between-pci-dss-and-pa-dss/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2d5b02b8d47cbdc50b6025a0ce3602d5?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ogsblog</media:title>
		</media:content>
	</item>
		<item>
		<title>Moving from Magnetic Stripe to Chip Technology</title>
		<link>http://ogsblog.wordpress.com/2009/11/12/moving-from-magnetic-stripe-to-chip-technology/</link>
		<comments>http://ogsblog.wordpress.com/2009/11/12/moving-from-magnetic-stripe-to-chip-technology/#comments</comments>
		<pubDate>Thu, 12 Nov 2009 06:38:38 +0000</pubDate>
		<dc:creator>ogsblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://ogsblog.wordpress.com/2009/11/12/moving-from-magnetic-stripe-to-chip-technology/</guid>
		<description><![CDATA[Is chip technology good for business? Yes, because chip technology means greater security and more streamlined processing, especially when combined with PIN authentication, which can reduce fraud. Merchants will no longer have to store vouchers for these types of transaction. Chip technology will also bring increased opportunities for self-service POS stations. How will chip technology [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Is chip technology good for business?</strong></p>
<p>Yes, because chip technology means greater security and more streamlined processing, especially when combined with PIN authentication, which can reduce fraud. Merchants will no longer have to store vouchers for these types of transaction. Chip technology will also bring increased opportunities for self-service POS stations.</p>
<p><strong>How will chip technology work?</strong></p>
<p>The cardholder inserts the chip card into a card reader and leaves it in the terminal until the transaction is complete. The card reader identifies whether a card is PIN-enabled. If so, the customer will be prompted to enter their PIN rather than sign a receipt. Chip transactions will be similar to magnetic stripe transactions in most other respects.</p>
<p><strong>Are there any changes to settlement procedures?</strong></p>
<p>While chip technology eliminates the need for paper vouchers and streamlines reconciliation, it normally will not negatively affect back-end processes.</p>
<p><strong>What are the fallback procedures if the POS terminal fails to read the chip?</strong></p>
<p>If the chip fails, the magnetic stripe and signature can usually be used instead. Or, in chip and PIN countries, if the cardholder forgets their PIN, they may be allowed to use a signature. However, these options may be discontinued once migration to chip is sufficiently advanced within a particular country. This is one more reason why it is important to encourage customers to use chip technology now.</p>
]]></content:encoded>
			<wfw:commentRss>http://ogsblog.wordpress.com/2009/11/12/moving-from-magnetic-stripe-to-chip-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2d5b02b8d47cbdc50b6025a0ce3602d5?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ogsblog</media:title>
		</media:content>
	</item>
		<item>
		<title>Payment Card Industry – Data Security Standard</title>
		<link>http://ogsblog.wordpress.com/2009/11/12/payment-card-industry-%e2%80%93-data-security-standard/</link>
		<comments>http://ogsblog.wordpress.com/2009/11/12/payment-card-industry-%e2%80%93-data-security-standard/#comments</comments>
		<pubDate>Thu, 12 Nov 2009 06:24:14 +0000</pubDate>
		<dc:creator>ogsblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://ogsblog.wordpress.com/?p=8</guid>
		<description><![CDATA[Payment Card Industry (PCI) – Data Security Standard is standard set based on a consensus based process led by 5 major credit card companies. It is not a government enforced standard and compliance is enforced by the credit companies. Non-compliance results in higher fees and severe fines in the event of breach. All merchants and service [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=ogsblog.wordpress.com&amp;blog=10448290&amp;post=8&amp;subd=ogsblog&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>The Payment Card Industry (PCI) – Data Security Standard is a standard set through a consensus-based process led by 5 major credit card companies. It is not a government-enforced standard; compliance is enforced by the credit card companies.</p>
<p>Non-compliance results in higher fees and severe fines in the event of a breach. All merchants and service providers collecting and processing credit card transactions are required to comply with the PCI-DSS.</p>
<p>The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:</p>
<p><strong>Build and Maintain a Secure Network</strong></p>
<p><em>Requirement 1:</em> Install and maintain a firewall configuration to protect cardholder data<br />
<em>Requirement 2:</em> Do not use vendor-supplied defaults for system passwords and other security parameters</p>
<p><strong>Protect Cardholder Data</strong></p>
<p><em>Requirement 3:</em> Protect stored cardholder data<br />
<em>Requirement 4:</em> Encrypt transmission of cardholder data across open, public networks</p>
<p><strong>Maintain a Vulnerability Management Program</strong></p>
<p><em>Requirement 5:</em> Use and regularly update anti-virus software<br />
<em>Requirement 6:</em> Develop and maintain secure systems and applications</p>
<p><strong>Implement Strong Access Control Measures</strong></p>
<p><em>Requirement 7:</em> Restrict access to cardholder data by business need-to-know<br />
<em>Requirement 8:</em> Assign a unique ID to each person with computer access<br />
<em>Requirement 9:</em> Restrict physical access to cardholder data</p>
<p><strong>Regularly Monitor and Test Networks</strong></p>
<p><em>Requirement 10:</em> Track and monitor all access to network resources and cardholder data<br />
<em>Requirement 11:</em> Regularly test security systems and processes</p>
<p><strong>Maintain an Information Security Policy</strong></p>
<p><em>Requirement 12:</em> Maintain a policy that addresses information security.</p>
<p>Benefits of Implementing PCI-DSS (based on www.visaeurope.com)</p>
<p>In today’s environment, security has become a consideration for every type of business.</p>
<p>By following the standardised, industry-wide procedures of PCI DSS, organisations can:</p>
<ul>
<li>Protect their customers’ personal data</li>
<li>Boost customer confidence through a higher level of data security</li>
<li>Insulate themselves from financial losses and remediation costs</li>
<li>Maintain customer trust, and safeguard the reputation of their brand</li>
<li>Provide a complete ‘health check’ for any business that stores or transmits customer information</li>
</ul>
<p>As the technology used by merchants and their partners has evolved, card fraud has become more sophisticated. Any business that stores or transmits cardholder account data is a potential target.</p>
<p>PCI DSS protects cardholders and minimises the risk to your business.</p>
<p>Implementation of technological solutions that reduce the amount of card data handled by an organisation may also help considerably as they may:</p>
<ul>
<li>Reduce the amount of data at risk of compromise</li>
<li>Reduce the scope of PCI DSS compliance and other security and audit projects</li>
<li>Simplify an organisation’s security needs and plans</li>
</ul>
<p>Examples of technologies that may help increase your security and reduce the risk of compromises are the use of a PCI DSS compliant service provider, the use of a secure payment application, the implementation of EMV Chip and PIN, data encryption, and tokenisation.</p>
]]></content:encoded>
			<wfw:commentRss>http://ogsblog.wordpress.com/2009/11/12/payment-card-industry-%e2%80%93-data-security-standard/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2d5b02b8d47cbdc50b6025a0ce3602d5?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ogsblog</media:title>
		</media:content>
	</item>
		<item>
		<title>Process Flow of Credit Card Authorisation</title>
		<link>http://ogsblog.wordpress.com/2009/11/12/process-flow-of-credit-card-authorisation/</link>
		<comments>http://ogsblog.wordpress.com/2009/11/12/process-flow-of-credit-card-authorisation/#comments</comments>
		<pubDate>Thu, 12 Nov 2009 06:17:59 +0000</pubDate>
		<dc:creator>ogsblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://ogsblog.wordpress.com/2009/11/12/process-flow-of-credit-card-authorisation/</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><img title="Process Flow" src="http://owegs.files.wordpress.com/2009/10/process-flow.jpg?w=400&#038;h=225&#038;h=225" alt="Process Flow" width="400" height="225" /></p>
]]></content:encoded>
			<wfw:commentRss>http://ogsblog.wordpress.com/2009/11/12/process-flow-of-credit-card-authorisation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2d5b02b8d47cbdc50b6025a0ce3602d5?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ogsblog</media:title>
		</media:content>

		<media:content url="http://owegs.files.wordpress.com/2009/10/process-flow.jpg?w=400&#38;h=225" medium="image">
			<media:title type="html">Process Flow</media:title>
		</media:content>
	</item>
		<item>
		<title>Dynamic Key Exchange</title>
		<link>http://ogsblog.wordpress.com/2009/11/12/4/</link>
		<comments>http://ogsblog.wordpress.com/2009/11/12/4/#comments</comments>
		<pubDate>Thu, 12 Nov 2009 06:13:01 +0000</pubDate>
		<dc:creator>ogsblog</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://ogsblog.wordpress.com/2009/11/12/4/</guid>
		<description><![CDATA[Dynamic Key Exchange Some networks and institutions increase their security level by regularly exchanging the working key in use. EFT SWITCH may be configured to allow dynamic key changes between itself and networks or devices. When exchanging a working key, it is necessary to store the new key in a “spare” location until the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Dynamic Key Exchange</strong></p>
<p>Some networks and institutions increase their security level by regularly exchanging the working key in use. <em>EFT SWITCH </em>may be configured to allow dynamic key changes between itself and networks or devices. When exchanging a working key, it is necessary to store the new key in a “spare” location until the key exchange has been confirmed.</p>
<p>This is generally done by having two fields for storing key cryptograms, with a flag to indicate which cryptogram is active. Thus, during an exchange, the new key is written to the inactive field. Once the exchange has completed, the inactive and active fields have their roles switched.</p>
<p>The process of key exchange (where the remote system initiates a key exchange) is as follows:</p>
<p>1. The other system encrypts the new working key under the Key Encryption Key (KEK) and transmits it to <em>EFT SWITCH</em>.</p>
<p>2. <em>EFT SWITCH </em>collects the encrypted KEK and sends it, and the encrypted working key, to the Hardware Security Module (HSM) for processing.</p>
<p>3. The HSM processes the new key by:</p>
<p>3.1 decrypting the KEK cryptogram under its MFK</p>
<p>3.2 decrypting the new working key cryptogram under the KEK</p>
<p>3.3 encrypting the clear working key under its MFK</p>
<p>4. The HSM returns the new working key cryptogram to <em>EFT SWITCH </em>where it is written to the appropriate database table.</p>
<p>Only one key exchange message is processed at any given time.</p>
<p>For financial messages, the dynamic key exchange is triggered under different conditions, e.g.</p>
<ul>
<li>After the KPE, the KMAC or the KME keys have been used a given number of times,</li>
<li>Whenever a synchronization error occurs between these keys,</li>
<li>After an invalid PIN block error has occurred a given number of times.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://ogsblog.wordpress.com/2009/11/12/4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/2d5b02b8d47cbdc50b6025a0ce3602d5?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ogsblog</media:title>
		</media:content>
	</item>
	</channel>
</rss>
