Consumer Privacy and Smart Cards — A Challenge and an Opportunity

Prepared by the
Legal & Public Policy Committee — Smart Card Forum

Released May, 1997


Smart Card Forum Inc.
8201 Greensboro Drive
Suite 300
McLean, VA 22102 USA

+1(703) 610-9023
+1(703) 610-9005

http://www.smartcardforum.org

Introduction

The Smart Card Forum was created in 1993 to promote the widespread acceptance of smart card technology in North America. Central to the Forum's mission are: (i) providing education in the marketplace about the benefits of smart card technology, (ii) helping its members identify viable business propositions and (iii) providing policymakers with the information they need to develop sound public policy positions on relevant issues. The issue of consumer privacy brings all of these elements into sharp focus. Indeed, in the arenas of consumer acceptance and policy development, no issue is more visible or perhaps more important than privacy. As a result, smart card business propositions will only be successful if consumers, policymakers and Forum members understand the role this technology can play in protecting privacy while efficiently and securely delivering services and benefits.

I. Privacy In The Consumer Context

While privacy has many meanings, privacy in the consumer context is commonly defined as the consumer's interest in knowing how personal information will be used by a business or government agency, the benefits which will accrue to the consumer for such use and how the consumer can choose to limit or prevent that use. Smart card technology, if properly designed and implemented, can enhance both the fact and the perception of the consumer's ability to exercise a much greater degree of control over personal information than is the case with any comparable delivery system. The Smart Card Forum strongly believes that an understanding of the benefits that can be provided and how privacy can be protected by smart card technology will lead to greater consumer acceptance and a healthier business environment for the development of this technology.

The following discussion of issues, educational opportunities and suggested business practices is intended as a guide for our members. It is based on the simple premise that consumer oriented design and implementation of this technology, coupled with education of consumers and policymakers, make good business sense.

II. Consumer Issues And Educational Opportunities

  • The consumer should be educated about what a smart card is. A brief description of how smart cards work may be helpful in dealing with consumers, and the following general information may be useful for that purpose. There are two basic kinds of smart cards. An "intelligent smart card" contains a microprocessor that actually stores and secures information and "makes decisions" as required by the card issuer's specific application needs. New information can be added to these cards and processed by the microprocessing unit. Monetary value, for example, can be added or debited as required. The second type of card is better described as a memory card. These cards are primarily information storage cards that contain stored value which the consumer can "spend" in a pay phone, retail, vending or related transaction. Many of today's prepaid telephone cards are memory cards. In both types of cards, the integrated circuit chip allows the stored information to be protected from damage or theft. As the storage capacity of cards increases and their costs decline, smart cards will have enhanced processing and other capabilities, making them the equivalent of portable computers, the "computer in the pocket."
  • The smart card can be a consumer empowerment tool. Smart cards in general can provide consumers with a high degree of information control. The smart card microprocessor chip functions much like a miniature computer. To a greater extent than possible through other technologies, the consumer can play a role in determining what information, or value, is placed on that chip and deciding who receives access to it and when. In the future, the microprocessor chip will provide the consumer with a much broader array of choices with respect to applications placed on a card. It is important that consumers understand the large role they can play in choosing applications and managing the disclosure of personal information to issuers of the cards, merchants and other third parties.
  • Smart card technology is not a product but an efficient and secure delivery system for consumer products and services. Smart card technology is an enabling tool which provides access to products, services or value. Current industry regulations and privacy safeguards will continue to apply to the services, products or value being accessed or the business transactions being conducted by use of this technology. However, as this is a new technology for consumers, there is a real need for industry members to ensure that its applications are responsibly implemented.
  • Industry self-regulation and prompt and clear responses to consumer questions will go a long way toward demystifying the technology and ensuring consumer acceptance of its various applications.
  • The security provided by smart card technology is unequaled in the context of broad-based consumer access devices for services, products and value. While security issues will always pose challenges to any technology, it is imperative for the smart card industry to effectively communicate to consumers the very high level of security and protection provided by smart card technology. No broad-based system is ever totally secure. However, successful unauthorized attempts to access or alter data in a smart card system are unlikely because of the prohibitive cost of those efforts. In addition, the technology can support various forms of cardholder identification, including forms (such as PINs and biometrics) that can be verified on the card itself.
  • Smart card technology permits higher levels of protection over consumer information. Not only can smart card technology be designed to allow consumers to determine who receives access to sensitive or confidential data, the technology can also be designed to securely compartmentalize information storage so that access to one application on a multi-application card will not allow access to other applications which may exist on the same card. In fact, the greatly increased levels of security possible in smart card designs should remove consumer concerns that access to a financial function, for example, could provide access to a health care function. This technical capacity to securely segregate functions on the card itself can be supplemented by ensuring that the device which reads the card is programmed only to perform the particular function being used. Depending on the application and the level of privacy protection appropriate for that application, the consumer will be able to further protect data on the card by personal passwords or PINs unique to each compartmentalized application.

III. Suggested Business Practices

  • Members of the Smart Card Forum are encouraged to adopt consumer privacy principles and make them known to their customers. The strength of the Smart Card Forum is the diversity and breadth of its membership. Some of its members are in regulated industries, others are not. Some of its members have adopted a code of responsible information practices, consumer privacy principles or similar guidelines, others have not. THE SMART CARD FORUM STRONGLY ENCOURAGES RESPONSIBLE CONSUMER PRACTICES BY SMART CARD APPLICATION PROVIDERS AND ENDORSES INDUSTRY SELF-REGULATION. THE FORUM ENCOURAGES ITS MEMBERS TO INCORPORATE INTO SMART CARD APPLICATION DESIGNS THE CONSUMER PRIVACY PROTECTIONS AND CHOICES THIS TECHNOLOGY PERMITS AND TO ADOPT A CODE OF RESPONSIBLE INFORMATION PRACTICES OR SIMILAR POLICIES COVERING THE USE OF CONSUMER DATA THAT MAY BE OBTAINED THROUGH THESE APPLICATIONS. Because of the diverse membership of the Smart Card Forum, it is not possible for the Forum to provide a guide for all represented industries. However, the Forum has attached a Guide to Responsible Consumer Information Practices as a suggested framework around which each member should develop a policy which takes into account the realities of the industry that member represents. The guiding principle should be to give the consumer a comfortable and reasonable level of knowledge and control over personal information used to achieve the economic or other benefit the member provides.
  • The Smart Card Forum has established a Privacy Task Force to assist its members, consumers and policymakers in understanding consumer and policy concerns relating to smart card technology. The Smart Card Forum Privacy Task Force will support Forum members in developing policies which educate consumers and policymakers about the technology. In particular, its ongoing role will be to educate members about which types of information and value can be stored on smart cards, how access to that information or value is achieved and protected, and how consumers can make informed decisions regarding disclosure of personal information in exchange for the benefits offered.

Summary

For smart card technology to be successful, it must be embraced by consumers and it must not be unnecessarily or unwisely regulated by policymakers. In some ways, the very designation of this technology as "smart" has become a barrier to acceptance. The industry and its members must forcefully make the point that the technology does nothing by itself. What makes this technology "smart" is the empowerment it provides to the consumer to access benefits, services or information in a highly personalized, efficient and secure environment. It is the intention of the Smart Card Forum to continue to work closely with other industry groups, governmental agencies and consumer groups to assist consumers in achieving the levels of disclosure and information necessary to use this technology effectively with maximum privacy protection.

Guide To Responsible Consumer Information Practices

  • Identify, recognize and respect the privacy expectations of consumers and make applicable privacy guidelines available to them.
  • Establish procedures to ensure that consumer data -- information directly related to the consumer's use of the card -- is as accurate, up to date and complete as possible. Promptly honor requests from consumers for information the company has about them as a result of the consumers’ use of their cards and provide a procedure for them to correct inaccurate personally identifiable information.
  • Limit the use, collection and retention of information about consumers to what is necessary to administer their accounts, provide superior service and offer consumers new opportunities.
  • If personally identifiable consumer information is to be provided to unaffiliated third parties for marketing or similar purposes, inform the consumer of that purpose and provide the consumer the opportunity to decline (i.e. "opt out"). If personally identifiable consumer information is provided to a third party, require the third party to adhere to equivalent privacy standards with respect to that information. This would not apply to situations where information is disclosed in order to complete a transaction or pursuant to legal process, including the investigation of fraud or criminal activity.
  • Provide a means for consumers to remove their names from the company's telemarketing, online, mailing and other solicitation lists.
  • Maintain appropriate security standards and procedures regarding access to personally identifiable consumer information.
  • Implement policies and procedures to limit employee access to personally identifiable consumer information to a need-to-know basis. Educate employees about privacy standards and employees’ responsibilities to protect consumer privacy and monitor employee compliance, and take appropriate disciplinary measures with employees who fail to adhere to such standards.