07 June 2010

Old, meet New: PCITF - the Payment Card System as Trust Framework




Contrary to what the proponents of "unfettered capitalism" say, business requires rules, regulations, and laws.  Alan Greenspan, for example, points out that at a minimum, all capitalism requires the concept of private property, embodied in law.
Building a public identity system that is also a business requires a framework, too. In March 2010, at RSA Conference 2010, a basis for such frameworks, the Open Identity Exchange, was announced:
"Industry leaders Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton today announced the formation of the Open Identity Exchange (OIX), a non-profit organization dedicated to building trust in the exchange of online identity credentials across public and private sectors. OIX also received initial grants from the OpenID Foundation (OIDF) and Information Card Foundation (ICF) to advance assurance for open identity technologies."

The key concept of the OIX is the trust framework.  In the words of OIX, "In digital identity systems, a trust framework is a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider) and vice versa."
The payment card industry (PCI) has just such a trust framework in its operating rules, which map perfectly onto the OIX trust framework concept. Since the PCI (Visa, MasterCard, American Express, Discover, JCB) is one of the most financially successful systems in the world, this validates the value of the OIX trust framework idea.

At IIW 10, I hosted a session on this. I put the slides on slideshare.net. They include some background on the payment card system in case you are new to it, and I included a few slides on the EMV smartcard. EMV is important because it provides a tamper-resistant security module in the smartcard that holds secrets. EMV could be the basis for strong authentication that will help us finally build trustworthy identities on the Internet.
