feature
of public sector smart card deployments. It is
Latin America:
Opportunities for
smart cards in
government
In May 2007, GlobalPlatform and the Smart Card Alliance jointly hosted ‘Smart
Cards for Government and Payment’ - a two day smart card business conference Across the world, smart cards are used in
and exhibition in Mexico City that focused on the value of smart cards for numerous government and public sector
government and payment programmes.
From a public sector perspective, the key focus
of the event was smart cards for Government
and secure identification. A number of
influential business leaders from Latin
America, North America and Asia shared
their views and experiences relative to smart
card trends in regional government sectors,
the value of interoperable specifications and
successful deployments on a local, regional
and global scale, of government smart card
programmes for ID, access control and
healthcare. By sharing best practice and
implementation knowledge, speakers aimed
to engage and educate delegates on the value
that smart cards can bring when used for
government applications.
As a review of the event, this article provides
an insight into the current status of the Latin
American smart card sector, with a particular
focus on government. It identifies key
market drivers, together with the countries
and applications which offer vast potential
for growth in the short and medium term.
Case studies of regional implementations are
referenced and the ability of Latin America’s
governments to benefit from the experience and
knowledge of markets, industry organizations
and technology providers which have already
rolled out successful public sector smart card
programmes is also explored.
The Latin American
market
Industry watchers estimate Latin American
countries spent over US$200 million on card
technologies in 2006, up 70% from the previous
year. The SIM mobile telecommunications
10
smart card initiatives, demonstrating the
sector is by far the largest user of smart cards
in Latin America, followed by the payments
industry. Government ID applications and
public transport initiatives represent a much
smaller share of the overall smart card market.
Frost and Sullivan predicts that while SIM
mobile telecommunications applications will
continue to account for the greatest market
share within the foreseeable future, this sector
will gradually lose ground to the growing
payments, government ID and public transit
markets. The continued aggressive adoption
of EMV throughout Latin America will be
the primary driver of smart card growth in
the payments sector, while the proliferation of
smart transit fare cards and new government
secure identification, healthcare and other
initiatives will greatly increase the number
Government Smart Cards Latin America 2006
estimated that the government ID market will
grow to a 16.4% share of the total market by
2011.
Interestingly, Central and South America
is ranked fourth out of nine regions in the
UN’s Global eGovernment Readiness Report
2005, which places North America, Europe
and South and East Asia in the top three.
The Latin America government smart card
market is certainly on the verge of significant
expansion. This is reflected in Frost and
Sullivan’s predictions that of all smart card
markets in Latin America, the government ID
sector will grow at the fastest rate over the next
four years.
Smart cards for
Government
viability and benefits – such as flexibility and
cost-effectiveness – of smart card technology
relative to mass, scaleable and highly secure
deployments.
Latin America has a proven historical track
record regarding successful government smart
card programmes. Indeed the first smart
driving licence in the world was issued in 1995
in Mendoza, a province of Argentina, allowing
policemen to access information about the
driver, his/her latest offences, licence type and
number and a photograph of the holder at the
roadside, via hand-held readers. This was over
a decade ago.
If we look at more recent data from Frost
& Sullivan, however, we obtain a picture
of application-specific deployments within
the Latin American government smart card
market in 2006. At this time, the government
Card Technology Today • May 2007

sector utilising the greatest number of
smart cards was health and social services,
comprising 48.9% of the total Latin American
government smart card market. National ID
programmes came in a close second, with
40.5% and applications which accounted
for a significantly smaller share of the total
government smart card market were driving
licences with 8.1%, government employee ID
programmes with 2.0% and ePassports with
0.5%.
So, while there are ePassport pilots
underway in Brazil, Mexico and Venezuela
and smart driving licences have been deployed
in El Salvador, Mexico and Argentina, health
and national ID programmes are really the
driving forces behind the smart card market
at present. Two implementations of particular
significance in terms of card volume are the
Mexican health care card and the Brazilian
Public Key Infrastructure programme.
In the first quarter of 2006, a nationwide
initiative in Mexico was launched with the
aim of securely storing patient information,
ensuring citizens receive correct healthcare
benefits a n d re d u c i n g p a p e r b a s e d
administration. Seguro Popular, a Mexican
Government social security organisation,
began rolling out 3.7 million smart cards to its
members, each containing patient information,
prescription details and an ePurse which will be
used to load the patient’s health care subsidies.
On each visit to the doctor the patient will
produce his/her card, which can only be read
by authorised healthcare professionals, and
patient information can be viewed and updated
in real time. It is anticipated that the cards will
be successful in reducing administration costs
while minimizing the potential for benefit
fraud.
Meanwhile in Brazil, the Public Key
Infrastructure (PKI) programme led by the
National Institute of Information Technology,
which is a federal agency linked to the
Presidency of the Republic of Brazil, is one
of the largest electronic government digital
credential programmes using smart cards
and tokens in Latin America. Established in
2002 by the Brazilian Government, the PKI
– known as ICP Brasil – aims to minimise
paper based administration by using Internet
services. It provides digital identity credentials
to individuals and corporations in order to file
electronically signed documents. According
to Brazilian law, any electronic document is
legally valid if it is certified by ICP Brasil or
any other PKI where the concerned parties
agree on the validity of the document.
Naturally, the scope of this initiative is
vast. Its impact on encouraging smart card
Card Technology Today • May 2007
deployments in the country has been extremely
positive, not only because of the smart card
programmes launched in association with ICP
Brasil itself, but also because it has raised the
profile and acceptance of smart cards as a valid,
reliable and secure technology for government
and public sector initiatives.
Interoperable smart card
standards
Given that a number of smart card deployments
are already well progressed in the region and
that Latin American governments generally
appear to be embracing smart card technology
to address eGovernment objectives, reduce
costs and improve services to citizens, the
future growth of the regional smart card
industry looks certain.
To ensure that current investment in smart
card infrastructure, and the technology
itself, is protected for the future, however, it
is vital that government decision makers are
fully educated on and aware of the benefits
and scope of basing smart card solutions on
open, interoperable standards, such as the
GlobalPlatform specifications.
Governments in Latin America may
reference many successful smart card
implementations by governments world-
wide, including Austria, Morocco, Moscow,
Poland, Qatar, Saudi Arabia, South Korea,
the Sultanate of Oman and the USA, to
clearly understand the benefits offered by
open standards, regardless of the complexity
of the requirement.
Using the US Department of Defense
(DoD) as a widely recognised successful
model, it is clear that open standards provided
the solution to a specific issue – being able to
use one card, known as the Common Access
Card (CAC), across different government
agencies and for use in both the physical and
logical access context.
In 1999, the US DoD began work on a
programme to issue a smart, common-access
identification card to 4.5 million active
duty, Selected Reserve, DoD civilian and
eligible contractor personnel with a target
completion date of April 2004. The CAC
is a smart card standard established by the
Government Services Administration (GSA), a
key purchasing arm of the US government, in
conjunction with various military departments.
The CAC card utilises GlobalPlatform
technology to simplify the process of
multiple government agencies deploying an
interoperable smart card. The ultimate goal
is to be able to use a CAC anywhere that
the cards are accepted, regardless of which
feature
Government Agency issued it. The CAC is the
principal card used to enable physical access
to buildings and controlled spaces and is used
to gain access to the DoD’s computer network
and systems.
As of August 2006, over eleven million
CAC cards had been issued. The cards have
been issued on a decentralised basis at over
1,400 sites in 27 countries and at over 2,000
workstations, clearly illustrating the benefits
of interoperable smart card standards.
Following the roll out of the CAC, a dedicated
GlobalPlatform Government Task Force has
worked closely with the US Government to
extend GlobalPlatform’s systems technology
– specifically its Messaging Specification – to
support the unique issuance requirements of
the Personal Identity Verification (PIV) card
for the US Federal Government. This will
naturally benefit governments beyond that
of the US and as an extension to this work,
GlobalPlatform aims to develop a White Paper
in 2007 which states GlobalPlatform’s value
proposition in relation to eID initiatives.
Another example of a government using
open specifications is the Macau Government.
In 2003, its Identification Department (DSI)
commissioned the distribution of multi-
application smart-card based identity cards
to all of Macau’s 460,000 citizens, resident
within the Chinese Special Administrative
Region (SAR), with a target completion date
of 2007.
In January 2003, distribution of the 460,000
GlobalPlatform multi-functional cards began.
The cards have built-in security features to
prevent forgery, such as the use of fingerprint
matching for automated identity verification.
They also allow the uploading of other
applications to realise Macau’s eGovernment
goals among others. The ultimate vision for
the smart card is for it to serve as an all-in-one
card combining, for example, ID card, driving
license, student card, medical card, social
security card and possibly ePurse functionality
for secure electronic transactions.
While these are just two examples of many
government smart card programmes globally
which are based on interoperable technology,
the numerous gains provided by open standards
include greater flexibility, economies of scale,
multi-sourcing opportunities, faster time to
market and the ability to share card space
with strategic partner organizations or other
government departments / agencies. Issuers
who adopt open standards also stand to benefit
from the long term assurance that their current
investment in a smart card infrastructure
is protected against future changes in their
technical or strategic approach. The flexibility
11
 feature
offered by an interoperable smart card
environment allows the programme to evolve
in line with future business decisions and
market considerations.
A synergistic relationship
Current trends and future forecasts show that
the government smart card market in Latin
America is growing at a significant and rapid
rate. Smart card technology is fast becoming
a cost-effective, safe and proven facilitator of
eGovernment services and the roll out is set to
continue for the foreseeable future.
Flexibility, fraud
and two-factor
authentication
Forrester Research forecasts that, in Europe alone, over 130 million people will be
using remote banking services by 2007, up 75 million compared to 2005. This trend
has been welcomed by banks and financial service providers, who can keep branch
costs low, while increasing transaction frequency. At the front end, customers are
afforded greater freedom and more immediate control over their finances.
However, a less welcome trend accompanying
this development is that of fraudulent
transactions, notably card-not-present (CNP)
fraud. Historically, banks have relied on the
use of static passwords to enable remote access
to banking applications. However, highly
sophisticated fraudulent techniques are fast
rendering this one-factor authentication system
obsolete. Statistics released by APACS in March
2007, reveal that online banking fraud in the
UK increased from £23.2 million in 2005 to
£33.5 million in 2006, whilst card-not-present
(CNP) fraud grew by 16% to £212.6 million
in 2006 from £183.2 million in 2005. These
losses are being compounded by the increasing
customer reluctance to use online financial
services which they deem to be insecure
One particularly ubiquitous security issue
has been the emergence of phishing as the
foremost weapon in the criminals’ arsenal. In
very basic terms, phishing involves a fraudster
masquerading as a financial institution in order
to steal a customer’s account information.
12
At this stage in the market’s lifecycle,
governments throughout Latin America can
clearly benefit from the experience, knowledge and
decision-making processes of other governments
which have already deployed successful smart
card solutions world-wide. GlobalPlatform and
the Smart Card Alliance hosted the Smart Cards
for Government and Payment in Mexico in May
to address this clear need for regional industry
discussion and education around the benefits
of smart cards, best practice implementations
and the advantages of deploying products and
infrastructure based on interoperable standards.
More recently, criminals have been using
increasingly sophisticated spy-ware including
trojan horses, key logging and screen scrapper
programmes, which capture screen shots to
obtain end-user credentials.
To minimise the financial impact of this
type of fraud, and bolster customer confidence,
banks and other financial institutions have
begun to upgrade their current password-
based authentication solutions to stronger,
two-factor authentication.
Common implementations of two-factor
authentication (2FA) use ‘something you know’
as one of the two factors, and either ‘something
you have’ or ‘something you are’ as the other
factor. A common example of 2FA is a bank
card (credit card, debit card); the card itself
is the physical ‘something you have’ item, and
the personal identification number (PIN) is the
‘something you know’ password that goes with
it. The use of a remote card authentication device
to enter the PIN code that is not connected to
the PC leaves no room for online fraud.
As leading industry bodies, with synergistic
goals across diverse smart cards sectors,
including government, financial, mobile
telecommunications, healthcare, transit and
retail, and many geographies world-wide, it is
hoped that this event will be the first of many
collaborations and joint initiatives between
the two organisations.
This feature was provided by Kevin Gillick,
executive director, GlobalPlatform and Randy
Vanderhoof, executive director, Smart Card
Alliance. They can be contacted at: kevin_
gillick@globalplatform.org or rvanderhoof@smart
cardalliance.org
The EMV factor
A key driver behind the implementation of
2FA is migration towards EMV payment
cards. EMV migration continues to drive
authentication technology, since banks can re-
leverage their considerable investment in the
technology and use it for security purposes.
Europe is ahead of other regions in this respect
with forecasts from MasterCard predicting
the percentage of EMV-enabled cards in
Europe at 67% this year. The banking and
financial services industry is starting to wake
up to the need for greater security for online
transactions. With Gartner warning that static
passwords will become obsolete in two years,
the industry is moving towards wide-spread
implementation of two-factor authentication.
In the US, federal regulators went as far as
to state that banks must have two-factor
authentication on their websites by the end of
2006.
Current authentication
solutions
A range of security solutions is currently
available including tokens, smart card readers
and devices that generate one-time passwords
(OTP). Pocket-sized EMV-compliant smart
card readers incorporating a challenge/response
capability appear to offer the most promising
long-term answer to online authentication
problems - at least in European and Middle
Eastern markets. Not only do the readers
leverage the considerable investment by the
banking industry in EMV chip card migration,
but they can also be extended in scope to cover
other forms of CNP fraud.
As for the process itself, banks provide
their customers with a hand-held card reader,
which does not require a direct connection to
a personal computer, and often incorporates a
user familiar PIN pad. The customer inserts
Card Technology Today • May 2007