In Part III of our series on Standards and Specification Bodies, we will share an overview of the FIDO Alliance and EMVCo. Please be sure to view Parts I and II of this series, which discussed ISO and X9 in Part I and PCI and W3C in Part II.
What is it and what does it do? FIDO, which is by far the acronym you can have the most fun with, stands for Fast IDentity Online. The organization’s name is actually the FIDO Alliance. Strangely, at least in my opinion, their logo doesn’t include a dog. The FIDO Alliance “is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. The FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation.”1 FIDO currently maintains three sets of authentication specifications:
- FIDO Universal Second Factor (FIDO U2F),
- FIDO Universal Authentication Framework (FIDO UAF) and
- FIDO2, the Alliance’s newest set of specifications, which includes W3C’s Web Authentication (WebAuthn) specification and the FIDO Client to Authenticator Protocol (CTAP).
FIDO’s specifications are open and free for use globally.
Who is it? FIDO membership is open to any organization that is interested in helping create a more secure online ecosystem. FIDO is primarily a consensus-driven organization, and members contribute by influencing the development of the FIDO specifications, establishing best practices for deployment, and driving awareness of the Alliance. A Board of Directors has fiduciary oversight of the Alliance. In addition to board members, entities may join as Sponsor Members, Associate Members and Government Members. The membership level an entity joins at determines the benefits available to that entity. Only Board Members are “Voting Members.” A delegate from each board member is designated to vote on any matter brought before the board. The Government Member level is, not surprisingly, limited to government agencies, departments, etc., and these must be at the national or federal level. The FIDO staff is led by an Executive Director and manages the day-to-day activities of the Alliance. FIDO also has a liaison program for other associations. The MAG is a FIDO Liaison Partner.
How does it work? FIDO Working Groups develop all deliverables of the Alliance. Technical Working Groups have charters that specifically include the ability to develop specifications. Board and Sponsor Members have full participation rights in Working Groups. Government and Associate Members can participate fully in Working Groups except they do not have voting rights. In addition, Associate Members must be invited to participate in Working Groups. Only Board Members may serve as Working Group Chairs and vote on chartering Working Groups. Various Committees provide oversight for specific functions such as certification programs, technical working groups, marketing, and public policy. Participation in the committees is based on subject matter expertise in the area and requires approval from the Board or President.
Why do we care? The authentication standards developed by FIDO can have a significant impact on the customer experience on a merchant’s eCommerce site by eliminating the reliance on passwords for user authentication.
What is it and what does it do? EMVCo is sort of an acronym of an acronym. EMV® stands for Europay, Mastercard, Visa, the three card brands involved in the development of the original contact chip specification that we all know and love. EMVCo “manages and evolves EMV Specifications and supporting testing programmes that enable card-based payments products to work together seamlessly and securely worldwide.”6 Interestingly, EMVCo is technically not a standards body and refers to itself as “a global technical body…managing and evolving the EMV Specifications and related testing processes.”6 However, there are those who might disagree with this characterization.2 EMVCo refers collectively to all the specifications it manages as “EMV specifications,” which include not only the contact chip specification but also the specifications for EMV Payment Tokenization, EMV 3-D Secure (3DS), and EMV Secure Remote Commerce (SRC, otherwise known as click-to-pay). You might note that contactless is not included in this list. While EMVCo manages a few books of the contactless specification, each card brand manages the book for its respective contactless kernel, so only partial credit for contactless. However, as of this writing, EMVCo is actively working on a single contactless kernel specification that is intended to replace all of the card brands’ proprietary specifications over the course of time. What EMVCo does not do is as important to merchants as what it does do. EMVCo does not define, guide, or weigh in on implementations of the specifications. There will be more on that in a bit.
Who is it? EMVCo is now owned by the six global card brands, known as Members: American Express, Discover, JCB, Mastercard, UnionPay, and Visa (Europay merged with Mastercard). The work of EMVCo is overseen by these six Members. An Executive Committee, comprised of Members, guides the long-term strategy. Work activities are managed by the Board of Managers, which is made up of two representatives from, once again, each of the Members.
How does it work? The EMVCo Working Groups, staffed by card brand personnel, develop and maintain the specifications and the testing structure. Through the Associates program, other industry stakeholders can interact with the technical Working Groups and provide input and comments during the development and enhancement of the specifications. The MAG is an EMVCo Associate. Through participation in the Board of Advisors, Associates can vote on specification publication, but it is important to remember that each brand holds ultimate control over how it chooses to operationalize the standard. Recently, EMVCo opened a future draft specification to public comment, which has not historically been an EMVCo practice.
Why do we care? The EMVCo specifications form the foundation of many card brand products and programs. While the implementation of the specifications (which EMVCo won’t engage on) plays a large role in the ultimate impact on merchants, how the specifications are written can limit the implementation options. One example of this is how the Card List in SRC is built. EMVCo’s specification called for cards to be ordered in the card list based on when the card was last used or last added. This could prevent a merchant’s co-branded or private label card from being displayed at the top of the list. How the card brands choose to implement these specifications also has a significant impact on merchant operations, costs, and decision-making. Let’s return to the contactless kernel specifications and EMVCo’s silence on implementations, mentioned earlier, as an example. While EMVCo is developing a specification for a single contactless kernel, it has no power to enforce adoption of this specification by the card brands, which could theoretically continue to support their own kernel specifications indefinitely. It is critical for merchants to understand the specifications and the resulting implementation options.
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.
We hope that, after learning more about the organizations that set the standards and write the specifications shaping so much of how the payments industry operates, your organization will consider getting involved in one or more of them, if it is not already, so that the merchant voice is heard on topics that affect all our businesses every day.