MasterCard International is troubleshooting its smart card operations before a wide-scale rollout in the United States.
MasterCard has hired Cigital, a Dulles, Va.-based provider of software risk analysis for financial institutions, to ensure that its chip-powered cards perform the way MasterCard and its member banks intend them to. Software risk management is the practice of applying proven methodologies and technologies throughout the entire software development lifecycle to ensure that software behaves the way it's supposed to.
The goal is to be sure chip cards are as secure as their magnetic-stripe predecessors. Because the chip is the common platform for various bank applications, Cigital is examining the software controlling those applications for security vulnerabilities.
MasterCard elected to proactively identify and mitigate its software business risks, instead of trying to correct a problem after it surfaces. "Ensuring that MasterCard's smart cards are initially designed and architected for maximum cardholder protection is a large part of managing our smart card technology," according to Terry Stanley, vice president of chip card security at MasterCard.
MasterCard, which has issued some 100 million chip cards, has spent five years building the infrastructure for U.S. smart card use, said Beth Horowitz, vice president of e-business services at MasterCard.
Smart cards are far more common abroad, especially in Europe, but the company is ready to issue smart cards whenever U.S. banks are ready, Horowitz said. While some banks are testing the cards, none have rolled them out to the mass market. Horowitz wouldn't predict when that's likely to occur.
Earlier this year, MasterCard took over operating control of Mondex, the London-based smart card firm that provides the stored value functionality on the MasterCard chip.
MasterCard uses various consultants worldwide for its smart cards. It began working with Cigital last spring, focusing on the U.S. market. "We chose Cigital for their expertise in managing and mitigating potential security and reliability risks associated with software-driven programs," Stanley said.
Cigital is examining the platforms and applications involved, and may also examine lines of software code. It will examine MasterCard's entire system: the cards themselves, applications, Web servers, security and more.
Cigital is assessing every aspect of the chip cards' performance, especially debit/credit and other application software. "You want to step out of the gate and get it right," said Mark McGovern, director of technology at Cigital. "We help them understand capabilities, inabilities and vulnerabilities."
Cigital must certify that MasterCard's chip cards are compatible with the MULTOS, JavaCard and Windows smart card operating platforms, plus whatever applications banks decide to load onto the cards. Some banks may limit smart card use to credit and debit transactions; others may build loyalty programs onto the cards or offer them as a log-on tool for online banking.
Cigital must also certify that the cards can interface with retailers' point-of-sale systems and the Internet.
While Cigital uses some automated tools, much of the work depends on human expertise. "We know aspects that have caused problems in the past for other clients," McGovern said.
Security lapses tend to occur when a flaw crops up in an application, or the application is put to uses it wasn't intended for, McGovern said, citing bad phone lines as an example.
After talking to MasterCard and bank executives about their goals, Cigital analysts began working down to the technical details of how a system is built and deployed. Discrepancies between what the business or marketing staffs intend and what the technical department can provide are a common source of trouble, McGovern said.
Another potential source of problems is the speed with which software is developed, said MasterCard's Stanley. The rush to get technology to market makes it vulnerable to flaws, because software developers may not be well versed in smart cards. Because of their size, the cards have limited processing power, he added.
Neither Cigital nor MasterCard officials would indicate what flaws, if any, Cigital has already discovered or identify specific areas of concern. "MasterCard has been very diligent," McGovern said.
More than 1.7 billion MasterCard, Cirrus and other branded cards are in use worldwide. In the first half of 2001, the cards were used for $459 billion worth of transactions.
HQ: Purchase, N.Y.