Home | Subscribe | Contact Us | Advertise Home | Subscribe | Contact Us | Advertise
Two organizations raise the bar for U.S. document security
The United States lags behind its peers when it comes to document security. Industry professionals who work in the security market want that to change. They’ve begun championing tough standards that distinguish best practices from bad habits. They plan to raise the bar on what constitutes true security. “Overseas, it’s hard to find checks that aren’t watermarked. I would guess that in the United States only about 30 percent have them,” says David Badilla, marketing manager at Appleton Security Products, Appleton, Wis. “Americans look more at check cost, perhaps believing they won’t be victims of fraud. It’s a bit like sticking one’s head in the sand.”
Two industry organizations lead the way to higher standards. The North American Security Products Organization (NASPO) and the Document Security Alliance (DSA) consist of suppliers, manufacturers, distributors and end users that have a stake in greater security. Their individual efforts help educate other stakeholders on the risks associated with counterfeit documents and fraud.
By Andy Brown
Founders of the North American Security Products Organization recognized a disparity in how other countries treat document security. “In other parts of the world, there are standards and controls for the production and issuance of security documents. Here in the United States, anyone can print a check,” says Mike O’Neil, chairman of NASPO’s board of directors and COO of manufacturer ProDocument Solutions.
Members of NASPO worked together to develop a compliance standard that has since been recognized by the American National Standards Institute (ANSI). The standards translate to three classes of certifications that NASPO awards. Class I is the toughest to achieve, but most companies should be able to reach a Class III just by conducting best business practices, says O’Neil.
Four Steps Toward Compliance
These procedures help improve security and bring companies closer to NASPO certification:
Participating companies begin the certification process by reviewing a checklist of requirements necessary to achieve compliance with the standard. Depending on the certification class, the list includes items such as using closed-circuit cameras in the facility and performing background checks on potential employees.
The company then submits a survey based on its self-audit, and a NASPO auditor completes an onsite inspection to verify compliance. After any discrepancies are corrected, the auditor recommends to the NASPO board of directors that the company be certified. The company is free to market the certification, but NASPO itself never reveals the results of an audit.
End users often prompt their vendors to achieve certification. “Private industry is starting to say it needs a secure supply chain,” says O’Neil. “If you lose personal information, you can be held liable for those losses, and it can have a significant impact on your financial situation.” To reduce liability, companies demand that their vendors implement security protections. “A huge problem in our industry is credibility,” says O’Neil. “If everyone can hold up their hand and say, ‘I’m a security printer,’ then we have a problem.”
Many distributors offer checks and financial documents to customers the same as they would any other printed product. They take an order and place it with a manufacturer. What they don’t realize is the liability they might be taking on if they don’t handle the product properly and ensure customers know how to minimize their risk. “There are some very good distributors out there who understand the security business and its repercussions, but to others, it’s all about selling products,” says O’Neil. “In my view, distributors struggle in this arena, because they may not understand some of the liability they’re dealing with.”
For one thing, security features inherently are more effective when they’re customized. The more generic a security feature, the less effective it is. “If you have security technologies—holograms, papers, inks—available in the public domain, the value of that security technology is zero,” says O’Neil. “True security is a value added sell. It involves controlling the materials so they have security value and market value.”
One potential benefit of NASPO certification is access to controlled security technologies, including special presses and different grades of paper and ink. “We can create very secure products, but we’re not going to use technology that’s readily available. Because we’re certified, we can talk to suppliers that have that technology,” says O’Neil.
Andy Brown is managing editor of Print Solutions magazine. Email comments to abrown@PSDA.org.
NASPO CERTIFICATIONS
To a greater or lesser degree, all companies certified by NASPO address customer related risks, information risks, security material risks, supply chain risks, physical intrusion risks, personnel risks, disaster recovery risks, breach of security risks and more.
Class I: High Security
“NASPO Class I Certified Organizations will be expected to deliver a very high level of security assurance by anticipating and effectively controlling all credible forms of fraudulent action to the point where attempts are eliminated because the barriers appear insurmountable and the chance of success appears non-existent. In the event that fraudulent acts do occur, organizations in Class I must be prepared to fully mitigate their effects.”
Class II: Medium Security
“NASPO Class II Certified Organizations make security products where the consequences of fraudulent action are less serious, but still must maintain a high level of security assurance. This level of assurance must be satisfactory and sufficient to protect the end-user’s investment in the security product. In the event that fraudulent acts do occur, organizations in Class II must be prepared to substantially mitigate their effects.”
Class III: Entry Level Security
“NASPO Class III Certified Organizations (unlike Class I & II organizations) are not focused on, and/or do not exclusively manufacture security products. Those products produced generally suffer only from the threat of minimal economic loss and have limited consequences. As a result, full time security assurance may not be warranted but must be satisfactory and sufficient to protect the end-user’s investment in the security product. Organizations in Class III must have plans in place to mitigate the effects of fraudulent acts should they occur.
Source: Security Risk Management Requirements Definition Document: Overview for Prospective Members, www.naspo.info.
By LaShell Stratton
In the months following the Sept. 11 attacks, law enforcement and intelligence agencies conducted extensive investigations to retrace the steps of the 19 hijackers. How had these terrorists managed to conduct the attacks with such precision? The investigators made a chilling discovery. At least two of the men who boarded the planes that later crashed into the Pentagon and the World Trade Center had used fake IDs and had obtained them easily.
Khalid Almihdhar and Abdulaziz Alomari had purchased their IDs from an Egyptian immigrant, Mohammed El-Atriss, who ran phony document outfits in Paterson, N.J. and Elizabeth, N.J.
With this new information, the federal government and American Association of Motor Vehicle Administrators realized that they desperately needed the printing and security industries’ help. Though states and the federal government could impose laws with harsher penalties for those who manufacture and sell fake IDs (El-Atriss received only five months in jail and five years of probation for his crime), they needed advice from the industry on how to prevent similar forgeries and counterfeit documents from going undetected. The war on terror would involve many fronts and the private sector would have to be included.
“Sept. 11 was the catalyst for the creation of the Document Security Alliance,” says DSA President David Snodgrass. “Our whole organization is dedicated to security. We don’t charge for it. We just want to be patriotic, to do our bit to help.”
Taking Off The Marketing Hat
In December 2001, DSA held its first meeting in Washington, D.C. Forty companies attended along with representatives of the U.S. Secret Service. According to the DSA web site, the purpose of the meeting “was to weigh the interest and commitment of the industry to participate in a series of symposiums that would provide input from industry experts on possible methods to trace identification cards and/or documents to the point of personalization and manufacturing.”
“Sept. 11 was the catalyst for the creation of Document Security Alliance. Our whole organization is dedicated to security. We don’t charge for it. We just want to be patriotic, to do
our bit to help.”
David Snodgrass, President
Document Security Alliance
Washington, D.C.
Since that first meeting, DSA has written six white papers advising how the government can create better security documents and better detect the false ones.
“We never say you need X, Y and Z features,” Snodgrass explains. “We try to take off our marketing hats at the door.”
DSA instead offers helpful hints like, “Layering is important. You don’t have one silver bullet when it comes to document security,” Snodgrass says. “You have to have many security measures.”
DSA further distinguishes itself from other document security organizations in that being a part of the industry is not the only prerequisite for membership. “You have to pass proper security clearance to become a member,” says David Badilla, marketing manager for Appleton Security Products, Appleton, Wis. (Appleton Security Products is a member of DSA.)
Making Documents Better
Snodgrass says that of all the white papers DSA has written, “Probably the most important so far deals with U.S. government IDs.”
Starting next year, the federal government will move toward issuing smart IDs to all of its employees. The smart cards or integrated circuit cards will have memory storage components that include the names of employees, their agencies and even digitized photos and biometric components such as their fingerprints. But DSA warns that there is too much high-technology involved in the smart cards and not enough of the basics of document security.
“There’s been a lot of emphasis on the electronic part of the cards, but the government needs to know that visual security is important too,” Snodgrass says. He argues that overt or easily identifiable mechanisms are particularly important in the case of “airlines that might let federal employees on board when they show the new ID card. But most airlines probably won’t have the electronic scanners necessary to read those smart cards. They need to be able to look at them and see whether or not they’re legitimate IDs.”
Though IDs are a major focus of DSA, Snodgrass says the organization “wants to extend our horizon past drivers’ licenses and IDs to other secure documents such as birth certificates.”
“DSA is working hard to develop a solution to the current birth certificates dilemma,” Badilla explains. “There are hundreds of versions of birth certificates in this country and they vary from state to state, even from hospital to hospital. The record keeping of the documents is pretty loose too. But birth certificates are the breeders of other legal documents like driver’s licenses. With that being the case, we definitely have a problem and it’s a problem we’re trying to solve.”
DSA members have appeared before Congress to testify about document security. “We’ve had a couple of Capitol Hill days that have been quite successful,” Snodgrass says. “We have established a reputation as the go-to people on this issue.”
Only time will tell whether DSA will have a long-term impact on how the government handles document security. “It’s a little bit early to tell whether they’ve used our suggestions,” Snodgrass admits. “We’ve certainly gotten a positive response from them though.”
LaShell Stratton is assistant editor at Print Solutions magazine. Email comments to lstratton@PSDA.org.