A Capability Maturity Model for Data Carriers and Digital Wallets
Over time, payment cards, driver licences and now Germany’s national eID have all climbed up a technological ladder to provide better security, usability and mobility. These are exemplars of a large set of ubiquitous, almost mundane credential tokens—often dubbed “IDs”—including student cards, membership cards, employee badges, tickets, passes, professional licences and passports. Most of these items were first rolled out as pieces of paper or cardboard, and later took the form of more robust plastic cards with electronic means for presenting credential information. Where fraud is a problem, credentials adopt a range of security features, both physical and increasingly digital. Smartcards with embedded reprogrammable microprocessors can prove the originality of a cardholder’s details and transactions, and smart phones add further layers of automation and extended anti-fraud features.
Fundamentally, all these identification tokens act as personal data carriers to help people prove their credentials in different contexts. Over time, data carriers have evolved into powerful digital wallets. This paper maps the progression of data wallets in respect of automation, security and privacy protection onto the five stage Capability Maturity Model.
News: German National ID goes Mobile
German citizens will soon be able to carry their national electronic ID (eID) on certain smart phones thanks to work being done by the German government’s Office for Information Security, Deutsche Telekom and Samsung [1]. The solution involves cloning the eID smartcard ― which is NFC-enabled ― onto the phone’s secure element.
This development is simply the latest in a steady progression of digitisation of the German national identity system.
The same evolutionary path is evident across many different types of credential, classically starting with paper cards and progressing in stages through passive data carriers and “smart” cards to arrive at smart phones. This pattern has repeated in near-identical fashion (albeit at different rates) with credit cards and driver licences, seeing them become powerful digital wallets.
The capabilities of data carriers
This evolution of data carrier and digital wallet technologies can be mapped onto the familiar five stage Capability Maturity Model (CMM). Demonstrating vividly that the pattern is repeatable might help to accelerate the modernisation of other credentials, so that the benefits of usability and fraud resistance are enjoyed more widely.
We first described the evolution of data carriers as a tool for identity and attributes management [2]. To recap briefly, steady improvements ― firstly in data storage and then around cryptography ― have seen active or “smart” devices emerge with the ability to present verified data about their respective holders.
In retail payments, smartcards now dominate. What makes a smartcard “smart” is its ability to prove cryptographically that the cardholder was in control of a transaction. The user’s knowledge of a PIN or their possession of a biometric can be verified (matched) on the card itself, to prove (to a high level of confidence) that the card is in the right hands at the time it is used. Not only that but each separate transaction is digitally signed by a private key within the chip which is unique to the cardholder, thus cryptographically marking the transaction as original. And furthermore, the cardholder data carried by the chip can be digitally signed (that is, certified) by the card issuer, in effect branding the account details and showing their provenance.
The cryptographically bound bundle of transaction and cardholder details produced each time a chip card is used carries forward the imprimatur of the issuer and cannot feasibly be counterfeited. The sophistication provided by smartcards has been replicated in the Secure Elements of smart phones and the Trusted Platform Modules of many personal computers.
Five levels of Maturity
The increasing power and sophistication of data wallets, from passive read-only paper cards through smartcards to smart phones, can be characterised in levels as follows.
- Human Readable. Plain text account holder details carried in a convenient form for human consumption; historically printed on paper, perhaps with a watermark, the issuer’s autograph and/or an official seal; data is transcribed by the receiver by hand.
- Machine Readable. Data carried in some sort of memory ― magnetic stripe, bar code or PROM ― so it can be automatically transferred to a terminal; data transfer is passive, reading from the card and writing to the terminal. The ISO 7816 plastic card specification and the magnetic stripe customer data coding standards of the American Bankers Association have dominated at this level and are widely used across many industries.
- Signs of Origin. The data carrier now has provenance features such as holograms and optically variable printing, to frustrate illicit copying or counterfeiting. A prototypical digital provenance feature was the CVV (Card Verification Value) printed on the back of a credit card, which was originally used to evince originality when account details were read out by the cardholder over the phone; the CVV was not left behind on the carbon copies resulting from normal manual card processing and was therefore less accessible to the early “dumpster diving” ID thieves.
- Cryptographically Verified. A range of digital techniques dramatically strengthen the originality of the device and its actions. When a PIN or biometric must be matched to activate a card or some such, it proves that the customer was in control. Digital signatures also prove originality in two respects: firstly, cardholder data is signed (i.e. certified) by the device issuer, and secondly, each transaction is also signed in the chip to prevent transaction replay or counterfeiting. A smartcard can be aware of the setting in which it is being used; for example, it will not talk to unapproved terminals, which prevents card skimming and cloning.
- Intelligent / Adaptive. Smart phones have the processing power and diverse sensors to capture a rich array of signals about the device in use, such as the user’s behaviour, their recent transaction history, time of day and geolocation. The device software can apply complex permissions management to control what the user can do and can look for anomalies indicative of misuse or abuse.
The Capability Maturity Model is illustrated in the following table using examples from selected industries. A more detailed discussion follows.
The credit card industry over a period of sixty years has been the prime mover of data wallet evolution, from Maturity Levels 1 through 5.
The American Bankers Association standardised exactly how cardholder data is encoded in different tracks of the magnetic stripe. The same standard was widely adopted across many other industries for employee IDs, student cards, driver licences, mass transit tickets, healthcare, club membership cards, library cards, loyalty and government ID. Mag stripe coding, plus the ISO 7816 card specifications, created a universal plastic card UX, and Data Wallet Maturity Levels 2 & 3 became globally ubiquitous.
It seems digitisation in retail payments has been the main motivation for smartphone wallets like Apple Pay and Samsung Pay and thus the attainment of Data Wallet Maturity Level 5.
Driver licences have advanced from fragile pieces of paper to plastic cards in most parts of the world. As licences morphed into broadly-accepted de facto identity documents, they became prime targets for counterfeiting by organised crime, and so anti-fraud features have become commonplace, including holograms, optically variable printing and guilloche engraving.
In Australia, the state of Queensland introduced a chip in their driver licence over ten years ago, reaching Maturity Level 3 for perhaps the first time in the world. Many licensing authorities are now moving to mobile phone-based driver licences, often with bespoke QR code data carriage. The International Organisation for Standardisation is drafting a Mobile Driver Licence (mDL) standard ISO 18013-3 with NFC technology for secure and rapid data presentation from one mobile device to another.
Government entitlements in Australia and the U.S.A.
Australia’s universal public health insurance scheme Medicare has used a plastic card with magnetic stripe for decades. Over 2004-06 a small smartcard pilot was undertaken in the state of Tasmania. At first the objectives were simply to upgrade the mag stripe to make the card more difficult to clone or counterfeit. That initiative was then subsumed into a larger Access Card proposal with a broader mission to rationalise a number of social security accounts and reorganise them within a new national Human Services administration.
The chip-based Access Card attracted widespread protests for its resemblance to a national identity card, something most Australians have long resented. In 2007 a change of federal government saw the smartcard abandoned (at around the same time as the British government cancelled its national ID card project over similar civil concerns).
No administration in Australia has ever returned to the worthwhile idea of simply upgrading the Medicare card to chip for fraud resistance, and the card remains at Data Wallet Maturity Level 2. Multiple proposals to adopt Common Access Card technology (the defence force smartcard) in the U.S. Medicare system have come and gone over the years.
Notoriously, the U.S. Social Security card has yet to advance past Data Wallet Maturity Level 1.
Conclusion: Smart data wallets and data quality
Chip cards (at Maturity Level 4, especially when NFC contactless connectivity is built in) and the secure elements of smart phones (at Level 5) are increasingly important, with data wallets being used more and more in the digital domain. These technologies fundamentally protect the quality and reliability of the data they carry and present on behalf of their holders, as follows:
- Provenance: the holder’s details are certified by the issuing authority through a digital certificate bound to the chip
- Consent: each fresh transaction is digitally signed ― automatically and seamlessly ― on behalf of the holder with a private key in the chip
- Possession: the fact that the device was unlocked by a PIN or biometric proves (to a reasonable degree of confidence) that the rightful user was in control of the transaction
- Privacy: the superior accuracy and provenance of user data presented from a cryptographic chip makes transactions reliable without further identification and exposure of personal data
- Originality: provenance and proof of possession allow a relying party to tell the difference between original Personal Data and counterfeited or stolen data.
This basket of security mechanisms has come to characterise what are now often called Verifiable Credentials. If these mechanisms define the technology, then the original verifiable credential can be recognised in the Chip-and-PIN payment card (circa 2000) or indeed the mobile phone SIM card from the early 1990s.
With Data Wallet Maturity Level 5 now established in banking and driver licensing, this benchmark can be taken up in all sectors where mission-critical identifiers are an integral part of the system. Healthcare and social security are overdue for better ID protection. While privacy anxieties have dominated in these fields, the Data Wallet Maturity Model shows how IDs and personal details can remain separate and secure when upgrading to superior technologies. And the uniform user experience of mobile credentials ― cryptographically verified by sophisticated algorithms now standard under the covers ― can be naturally extended to all walks of life.
References
1. Germany to begin rollout of open national digital identity service ‘later this year’, Sarah Clark, NFC World, July 29, 2020
2. Reframing Digital Identity as Data Protection, Steve Wilson, Constellation Research, Nov 25, 2019
This article can be downloaded as a white paper: Lockstep WP – Data Wallet CMM (1.2)