Still a hard sell
While electronic purse applications make good sense within a micro-retail community like a university, within businesses smart cards are most valuable in their ability to improve information security.
With some modifications, most business applications can be set up to read digital signatures stored on smart cards as an alternative or complement to password-based logons.
By inserting the card into a reader, then entering a PIN or scanning a fingerprint as well, users can provide virtually irrefutable proof of their identity.
Used correctly, this technology can deliver major improvements in security--a worthwhile goal for any company. For example, smart cards can provide strong enough employee authentication that they enable single sign-on to multiple business systems.
Smart cards are also invaluable in tightening up administration of security policies, since cards are centrally managed and can be revoked instantly if necessary.
When linked into a corporate directory service, smart card revocation can be set to happen automatically as part of the procedure followed when an employee is terminated.
They are particularly promising for remote access, which has traditionally been extremely problematic since there's no way to accurately confirm the identity of the person sitting at the other end of the connection.
By issuing those workers with smart card readers, companies can reliably ensure that the authorised cardholder is indeed sitting at the other end of the connection.
This opens up the scope for extending access to sensitive information systems over IPSec-compliant Internet virtual private networks, which have already resolved encryption issues but become far more viable when paired with strong smart card-based authentication.
Using smart cards requires installation of hardware as well as software development to integrate them with existing business systems. Equipment is readily available, but becomes quite expensive when extrapolated across typical corporate installations of hundreds or thousands of computers.
There is also the expense and effort of defining project scope and smart card management plans; redeveloping applications to use smart cards; and, more ominously, the not-insignificant task of installing necessary infrastructure such as directory services.
Aiming to reduce the complexity of smart card solutions, some companies are offering corporate customers managed end-to-end security solutions built around the cards. Optus's OPI Trust service, for one, combines a smart card reader and management software with access to the Optus nationwide network to provide an outsourced, secure remote access solution.
Already being tested by at least three Commonwealth government departments and two Big-Four banks, OPI Trust highlights the growing role that service providers will play in getting smart cards into businesses in large numbers.
"It provides companies with a rapid approach to secure deployments, and is usually operational within weeks instead of months," says Chris Hancock, managing director of Optus Business.
"It's cost-effective, with low upfront costs, a pay-as-you-go charging model, and requires minimal user intervention. And for large businesses, the fact we have a national network guarantees there are no third-party handoffs or reseller agreements where you're not sure who's doing what. Trust and certainty are what customers are after."
It's obvious...isn't it?
Probably 4 or so factors affecting Smartcard deployment in Australia.
1) The cost of outlaying new POS terminals to accept smartcards. There are few initiatives out there. AMEX is a classic example. They deployed their new chip card but where are the readers. ANZ looks the most promising and are in the process of upgrading their ATMS and POS terminals to accept their own branded cards.
2) Magstripe card fraud is relatively low in Australia and banks cover the cost of any fraudulent transactions, so there is no real advantage for customers to transfer over to the new schemes.
3) Apart from Financial, GSM, and some security based applications, there's no real interesting applications for customers.
4) There are no dominating Smart Card standards. Telstra initiative at Adelaide UNI was a disaster. There needs to be an open and free SC standard (without any fine print). There are more smartcard forums and other group bodies, than actual standards.
5) Serious investment no were to be found for smart schemes. Whether this is a failure to deliver affect businesses cases, or no interest is difficult to tell.
Rob