A smart card a type of chip card is a plastic card embedded with either a microprocessor
and a memory chip or only a memory chip with non-programmable logic. Smart cards can carry
all necessary functions and information on the card. The card data is transacted via a reader
that is part of a computing system. Smart cards can be used as an access tool, payment tool,
and as a medium for keeping personal records. Smart card-enhanced systems are in use today
throughout several key applications, including healthcare, banking, entertainment and
transportation.. To various degrees, all applications can benefit from the added features
and security that smart cards provide
First introduced in Europe over a decade ago, smart cards debuted as a stored value tool for pay phones to reduce theft. As smart cards and other chip-based cards advanced, people found new ways to use them, including charge cards for credit purchases and for record keeping in place of paper.
In the U.S., consumers have been using chip cards for everything from visiting libraries to buying groceries to attending movies, firmly integrating them into our everyday lives. Several states have chip card programs in progress for government applications ranging from the Department of Motor Vehicles to Electronic Benefit Transfer (EBT). Many industries have implemented the power of smart cards into their products such as the new GSM digital cellular phones to TV-satellite decoders.
WHY SMART CARDS
Smart cards greatly improve the convenience and security of any transaction. They provide
tamper-proof storage of user and account identity. Smart cards also provide vital components
of system security for the exchange of data throughout virtually any type of network. They
protect against a full range of security threats, from careless storage of user passwords
to sophisticated system hacks. Multifunction cards can also serve as network system access
and store value and other data. People worldwide are now using smart cards for a wide
variety of daily tasks, these include:
> Loyalty and Stored Value
A primary use of smart cards is stored value, particularly loyalty programs that track
and incentivize repeat customers. Stored value is more convenient and safer than cash.
For issuers, float is realized on unspent balances and residuals on balances that are
For multi-chain retailers that administer loyalty programs across many different
businesses and Point of sale systems, smart cards can centrally locate and track all
data. The applications are numerous, from parking and laundry to gaming, as well as all
retail and entertainment uses.
> Securing Information and Physical Assets
In addition to information security, smart cards achieve greater physical security of services
and equipment, because the card restricts access to all but the authorized user(s). E-mail and
PCs are being locked-down with smart cards. Information and entertainment is being delivered
via to the home or PC. Home delivery of service is encrypted and decrypted per subscriber
access. Digital video broadcasts accept smart cards as electronic keys for protection.
Smart cards can also act as keys to machine settings for sensitive laboratory equipment and
dispensers for drugs, tools, library cards, health club equipment etc.
Smart cards make it easy for consumers to securely store information and cash for purchasing. The advantages they offer consumers are:
- The card can carry personal account, credit and buying preference information that can be accessed with a mouse click instead of filling out forms.
- Cards can manage and control expenditures with automatic limits and reporting.
- Internet loyalty programs can be deployed across multiple vendors with disparate POS systems and the card acts as a secure central depository for points or rewards.
- Micro Payments” - paying nominal costs without transaction fees associated with credit cards or for amounts too small for cash ,like reprint charges.
> Personal Finance
As banks enter competition in newly opened markets such as investment brokerages, they are securing transactions via smart cards at an increased rate. This means:
- This will improve customer service. Customers can use secure smart cards for fast, 24-hour electronic funds transfers over the Internet.
- Costs are reduced: transactions that normally would require a bank employee's time and paperwork can be managed electronically by the customer with a smart card.
> Health Care
The explosion of health care data brings up new challenges to the efficiency of patient care and privacy safeguards. Smart cards solve both challenges with secure storage and distribution of everything from emergency data to benefits status.
- Rapid identification of patients; improved treatment
- A convenient way to carry data between systems or to sites without systems.
- Reduction of records maintenance costs.
> Telecommuting And Corporate Network Security
Business to business Intranets and Virtual Private Networks (VPNs) are enhanced by the use of smart cards. Users can be authenticated and authorized to have access to specific information based on preset privileges. Additional applications range from secure email to electronic commerce
> Campus Badging and Access
Businesses and universities of all types need simple identity cards for all employees and students. Most of these people are also granted access to certain data, equipment and departments according to their status. Multifunction, microprocessor-based smart cards incorporate identity with access privileges and also store value for use in various locations, such as cafeterias and stores.
TYPES OF SMART CARDS
Smart cards are defined according to the type of chip implanted in the card and its capabilities.
1. Vault Cards
2. RF Cards (Contactless Cards)
3. Combi Cards
4. Contact Cards
Memory cards (Embedded with memory chip with non programmable logic)
Microprocessor card (Embedded with microprocessor and a memory chip with programmable logic)
> Memory Cards
A memory-chip card (for example, pre-paid phone cards) can only undertake a pre-defined operation. Memory cards have no sophisticated
processing power and cannot manage files dynamically. All memories communicate to readers through synchronous protocols. There are three primary
types memory cards:
> - Straight Memory Cards
These cards just store data and have no data processing capabilities. These cards are the lowest cost per bit for user memory. They should be regarded as floppy disks of varying sizes without the lock mechanism. These cards cannot identify themselves to the reader, so your host system has to know what type of card is being inserted into a reader.
> - Protected / Segmented Memory Cards
These cards have built-in logic to control the access to the memory of the card. Sometimes referred to as Intelligent Memory cards these devices can be set to write protect some or all of the memory array . Some of these cards can be configured to restrict access to both reading and writing. This is usually done through a password or system key. Segmented memory cards can be divided into logical sections for planned multi-functionality
> - Stored Value Memory Cards
These cards are designed for the specific purpose of storing value or tokens. The cards are either disposable or rechargeable. Most cards of this type incorporate permanent
security measures at the point of manufacture. These measures can include password keys and logic that are hard-coded into the chip by the manufacturer. The memory arrays on
these devices are set-up as decrements or counters. There is little or no memory left for any other function. For simple applications such as a telephone card the chip has 60 or 12 memory cells, one for each telephone unit. A memory cell is cleared each time a telephone unit is used. Once all the memory units are used, the card becomes useless and is thrown away. This process can be reversed in the case of rechargeable.
>- CPU/MPU Microprocessor Multifunction Cards
The microprocessor card can add, delete, and otherwise manipulate information on the card. These cards have on-card dynamic data processing capabilities. Multifunction smart cards allocate card memory into independent sections assigned to a specific function
or application. Within the card is a microprocessor or microcontroller chip that manages this memory allocation and file access. This type of chip is similar to those found inside all personal computers and when implanted in a smart card,
manages data in organized file structures, via a card operating system (COS). Unlike other operating systems, this software controls access to the on-card user memory. This capability
permits different and multiple functions and/or different applications to reside on the card, allowing businesses to issue and maintain a diversity of ‘products’ through the card. One example of this is a debit card that also enables building access on a college campus. Multifunction cards benefit issuers
by enabling them to market their products and services via state-of-the-art transaction technology. Specifically, the technology permits information updates without replacement of the installed base of cards, greatly simplifying program changes and reducing costs. For the card user, multifunction means greater convenience and security, and ultimately, consolidation of multiple cards down to a select few that serve many purposes.
HARDWARE SOFTWARE CONSIDERATIONS
For the sake of clearly defining all of the different hardware devices that smart cards can be plugged into. The industry has adopted the following definitions.The term "reader" is used to describe a unit that interfaces with a PC for the majority of its processing requirements. In contrast a "terminal" is a self-contained processing device.
Both terminals and readers read and write to smart cards. Readers come in many form factors and in a wide variety of capabilities. The easiest way to describe a reader is by the method of it’s interface to a PC. Smart Card Readers are available that interface to RS232 serial ports, USB ports, PCMCIA slots, floppy disk slots, parallel ports, infrared IRDA
ports and Keyboards and keyboard wedge readers. Another difference in reader types is the on board intelligence and capabilities or lack thereof. Extensive price and performance differences exist between an industrial strength intelligent reader that supports a wide variety of card protocols and a home style win-card reader that only works with microprocessor cards and performs all processing of the data in the PC.
The options in terminal choice are just as wide. Most units have their own operating systems and development tools. They typically support other functions such as magstripe reading, modem functions and transaction printing.
Smart cards provide computing and business systems the enormous benefit of portable and secure storage of data and value. At the same time, the integration of smart cards into your system introduces its own security management issues, as people access card data far and wide in a variety of applications
There are two methods of using cards for data system security, host-based and card-based. The safest systems employ both methodologies.
Host-Based System Security
A host-based system treats a card as a simple data carrier. Because of this, straight memory cards can be used very cost-effectively for many systems. All protection of the data is done from the host computer. The card data may be encrypted but the transmission to the host can be vulnerable to attack.
A common method of increasing the security is to write in the clear (not encrypted) a key that usually contains a date and/or time along with a secret reference to a set of keys on the host. Each time the card is re-written the host can write a reference to the keys. This way each transmission is different.
But parts of the keys are in the clear for hackers to analyze. This security can be increased by the use of smart memory cards that employ a password mechanism to prevent unauthorized reading of the data. Unfortunately the passwords can be sniffed in the clear. Access is then possible to the main memory. These methodologies are often used when a network can batch up the data regularly and compare values and card usage and generate a problem card list.
Card-Based System Security
These systems are typically microprocessor card-based. A card, or token-based system treats a card as an active computing device. The Interaction between the host and the card can be a series of steps to determine if the card is authorized to be used in the system. The process also checks if the user can be identified, authenticated and if the card will present the appropriate credentials to conduct a
transaction. The card itself can also demand the same from the host before proceeding with a transaction. The access to specific information in the card is controlled by A) the card’s internal Operating System and B) the preset permissions set by the card issuer regarding the files conditions.
There are predominately two types of card operating systems. One type of card OS is the most cost- effective in many businesses because you only pay for the size and functions that you specify. This Classic approach treats each card as a secure computing and storage device. Files and permissions to these files are all set by the issuer in advance.
The only access to the cards is through the operating system. There are no back doors, no reconfiguration of file structures on the card. Data is read or written to the card through permissions set only by the issuers. The operating system performs a set of “applications” such as authentication and encryption as requested through commands sent to the card. The CardLogix M.O.S.T. OS is one example of this type.
The second methodology is the Disk Drive approach to card operating systems. The card is a computing device with an active
memory manager this allows you to load onto the card specific applications and files. The card operating
system allows for active file allocation and management. It is designed for card programs that have a long expected user life (4 years +). Java Cards and the Microsoft Windows
Card OS are examples of this approach. These cards have a much higher risk of tampering
due to the ability to introduce active applets and or viruses into the card. You could conceivably replace a purse or file with a low value with a new purse that has the same name with a higher value.
Initial issuance of these cards is costly, due to the sophistication of the OS. The advantage of this approach is that card replacement costs can possibly go
down through the use of in field upgrades. These card architectures need a larger memory for future unplanned upgrades and a larger program memory to upload applets. This translates to larger semiconductors at a higher cost. These approaches also come with a licensing burden that is ultimately paid by the card issuer. Also, the security infrastructure costs are much higher to manage due to the
multiple points of entry to card system functions,
Primarily, smart card standards govern physical properties and communication characteristics of the embedded chip and are covered through the ISO 7816-1,2,3.
Application-specific proprieties are being debated with many large organizations and groups proposing their standards. Open system card interoperability should apply at several levels -1) to the card itself, it’s access terminals (readers), the networks and the card issuers’ own systems. This will only be achieved by conformance to international standards. This Site's sponsors are committed to
compliance with ISO and CEN standards as well as industry initiatives such as EMV, the Open Card Framework and PC/SC specifications.
These organizations are active in smart card standardization:
The International Standards Organization (ISO) facilitates the creation of voluntary standards through a process that is open to all parties. ISO 7816 is the international standard for integrated-circuit cards (commonly known as smart cards) that use electrical contacts. Anyone interested in obtaining a technical understanding of smart cards needs to become familiar with what ISO 7816 does NOT cover as
well as what it does. Copies of these documents can be purchased through ANSI American National Standards Institute. ANSI’s address and phone is: 11 West 42nd Street, New York, NY 10036 - (212) 642-4900.
National Institute of Standards and Technology (NIST) publishes a document known as FIPS 140-1, "Security Requirements for Cryptographic Modules". This concerns physical security of a smart card chip, defined as a type of cryptographic module.
Europay, MasterCard and Visa have created their "Integrated Circuit Card Specifications for Payment Systems". The specification is intended to create common technical basis for card and system implementation of a stored value system. Integrated Circuit Card Specifications for Payment Systems can be obtained from a Visa, MasterCard or Europay member bank. It may also be posted on the VISA web site.
Microsoft has proposed a standard for cards and readers, called the PC/SC specification. This proposal only applies to CPU cards.
CEN or the (Comite’ Europe’en de Normalisation) and ETSI (European Telecommunications Standards Institute is focused on telecommunications, as with the GSM SIM for cellular telephones. GSM 11.11 and ETSI300045. CEN can be contacted at Rue de Stassart,36 B-1050 Brussels, Belgium, attention to the Central Secretariat.
ISO 7816 Summary This is a quick overview of what the 7816 specifications cover. Some of these are frozen and some are in revision; please check with ANSI for the most current revision. ISO 7816 has six parts. Some have been completed; others are currently in draft stage.
Part 1: Physical characteristics-ISO 7816-1:1987 defines the physical dimensions of contact smart cards and their resistance to static electricity, electromagnetic radiation and mechanical stress. It also describes the physical location of an IC card’s magnetic stripe and embossing area.
Part 2: Dimensions and Location of Contacts- ISO7816-2:1988 Defines the location, purpose and electrical characteristics of the card’s metallic contacts (see above illustration).
Part 3: Electronic Signals and Transmission Protocols- ISO 7816-3:1989 defines the voltage and current requirements for the electrical contacts as defined in Part 2 and asynchronous half-duplex character transmission protocol (T=0). Amendment 1:1992 Protocol type T=1, asynchronous half duplex block transmission protocol. Smart cards that use a proprietary transmission protocol carry the designation, T=14. Amendment 2:1994 Revision of protocol type selection.
Part 4: Inter-industry Commands for Interchange- ISO 7816-4Establishes a set of commands for CPU cards across all industries to provide access, security and transmission of card data. Within this basic kernel, for example, are commands to read, write and update records.
Part 5: Numbering System and Registration Procedure for Application Identifiers- ISO 7816-5:1994 establishes standards for Application Identifiers (AIDs). An AID has two parts. The first is a Registered Application Provider Identifier (RID) of five bytes that is unique to the vendor. The second part is a variable length field of up to 11 bytes that RIDs can use to identify specific applications.
Part 6: Inter-industry data elements- ISO 7816-6 Details the physical transportation of device and transaction data, answer to reset and transmission protocols. The specifications permit two transmission protocols: character protocol (T=0) or block protocol (T=1). A card may support either but not both. (Note: Some card manufacturers adhere to neither of these protocols. The transmission protocols for such cards are described as T=14).
NOTABLE INTERNATIONAL PROJECTS
- Three Los Angeles bus operators have awarded contracts worth nearly $6.3 million to San Diego-based Cubic Transportation Systems to equip more than 400 buses to accept smart cards.
- US General Service Administration (GSA) for a government-wide Smart Access Common ID project valued at over $1.5 billion over ten years.
- Jordan began rolling-out a Smart Card-based medical records project that automates patients' medical and insurance information. The scheme, by the National Health Insurance Administration Company of Jordan, launched in the capital of Amman with M.O.S.T Smart Cards from CardLogix, PC Pay readers from Innovonics, and eClaim software from IdealSoft.
- Smart Cards are being used by US soldiers with the NATO peacekeeping mission in Bosnia-Herzegovina for personal purchases from a haircut to a burger.
- Gemplus, Sun Microsystems and Visa International announced a three dollar Open Platform multi- application Smart Card called GemXpresso Lite, which is compliant with Open Platform 2.0 and Java Card 2.1 specifications, for Visa member banks. Gemplus said it had been able to reduce the price of the card by changing the chip memory. Java Cards would normally have 32K EEPROM and 32K ROM. GemXpresso Lite is based on a 16K EEPROM/48K ROM chip.
- France Telecom Mobiles (FTM) commercially introduced the world's first high-volume debit / credit mobile commerce service called Paiment "CB" sur mobile. The service combined Oberthur Card Systems' SIMphonIC card, Carte Bancaire cards and dual slot mobile phones to enable users to purchase and pay for goods and services, including their France Telecom, electricity and gas accounts.
- The Waldorf Astoria, one of the world's top hotels, chose TESA Entry Systems' HT28 Smart Card electronic locking system to secure the hotel's 1,750 rooms.
- UK company easi Solutions began equipping Hilton hotel rooms with unique desks incorporating the latest computer technology to assist business travellers send and receive e-mails, shop, listen to music and surf the net. A Smart Card is used for access to the desk which contains a PC, Smart Card reader, CD and floppy drive, printer and scanner all in the comfort of the hotel room.
9Other interesting projects included a world first with Globalstar do Brasil installing mobile satellite telephones on Itapemirim's 43 inter-city buses in Brazil enabling passengers to make calls using pre-paid Smart Cards while travelling.
SMARTCARDS IN INDIA
- In Asia, India represents a great deal of potential and a very strong market is developing here after China and Japan.
- Presently India has got approximately 50 million smart cards users with around 30% usage in Cell phone SIM cards.
- Indian smart card industry is growing @ 45% per annum.
- The smart card business potential of India is expected to reach US $ 6 billion by the year 2010.
- Presently, India has got around 3 million mobile phone users and it is expected to reach 8 million users by year 2003.
- The requirement of smart cards as identity cards, the combined municipal card and the welfare sector is expected to be 600 million by the year 2005.
- The demand for smart cards in Health care & Transportation sectors is expected to reach 350 million by the year 2005.
- 10 Member consortium consisting of Compaq, ProtonWorld, ACI, Gemplus, Schlumberger, Infineon, Datacard, Alittleworld, CMS, FSS, Mixtorf are planning to launch a multi-application smart card based payment infrastructure project in India.
- Orga is planning to provide 50 million cards (GSM Phone Cards and Banking Cards ) in the Indian market by the year 2005.
- Intel is introducing research in chip development designing in India after Japan.
Notable Smart Card Projects in Indian
- Asia's first Smart Cards Driving Licence system launched in Gujarat - To be implemented by the Delhi-based Smart Chip Limited, with equipment imported from Orga Kartensysteme GmbH of Germany, the Rs 60 crore project promises to vastly improve traffic systems , without increasing the cost of individual licences.
- Employee's Provident Fund to issue smart cards soon for its 2.6 crore subscribers which would be accessed through its 267 offices.
- Smart Cards for Government employees & Labour in Goa will be issued soon.
- ICICI Bank plans to launch smart cards with real time online integration for facilitating transactions, payments to utilities and services etc.
- Gujarat State Smart Card Driving licence - the biggest project of its kind in World.
- Delhi's traffic police is planning to introduce smart card driving licence.
- Rajasthan milk card project - the world's first milk collection point based on smart card technology in India run exclusively by women.
- Indian government & UNICEF have launched the village Watsan information system, which ensures the construction and maintenance of the wells..
- Metro railway, Kolkota is going to issue smart season tickets instead of magnetic strip cards shortly.
- Petro cards - BPCL
- Prepaid cards used in cyber cafes of HPCL and many more
- Smart Loyalty Programme as in the case of Snowhite Apparels,HomeSaaz etc
- Smart dealership loyalty programme in the case of Hewlett-Packard India Ltd
- Smart Employee Management as in the case of LML Ltd, TVS Electronics, TVS Suzuki etc.
- Another important project is the Reserve Bank of India (RBI) sponsored SMARS (Smart Rupee) project. The project was launched in 1997 at the Indian Institute of Technology; the consortium includes banks such as the State Bank of India, Canara Bank and Citi Bank, terminal manufacturers like VeriFone India Pvt Ltd, systems integrators like, Aplab Limited, Ascom India Pvt Ltd, CMS Computers Ltd, and card manufacturers like Gemplus and Schlumberger.
- Mumbai Campus Scheme…… the SMARS (smart rupees) project involves the issue of smart cards to students and staff for use in around 150 on-campus merchants and retailers.
- Smart Health Management as in the case of Wockhardt Hospitals, Bhopal Gas Relief Project etc.
- Brihanmumbai Electric Supply and Transport (BEST) has now decided to introduce contactless cards for ticketing across its entire network.etc.
FUTURE PROSPECTS FOR SMART CARDS
The global smart card market is growing at 11% per year and will reach $8 billion in sales by 2006, according to a study released today by U.S.-based research firm The Freedonia Group Inc. That’s an increase from $4.7 billion spent in 2001 on
smart cards and related readers, software and services. Unit growth will double to nearly 4 billion smart cards by 2006, fueled in part by the gradual migration of debit and credit cards from magnetic stripe to chip technology. Worldwide, bank-issued smart cards will grow form 85
million units n 2001 to 300 million in 2006. Smart cards that identify customers to their mobile phone carriers, called SIM or UIM cards, will grow from 375 million units shipped in 2001 to 950 million units, Freedonia predicts. Hester says the growth will come from non-GSM carriers incorporating SIM cards into their handsets; deepening penetration of GSM,
especially in Asia; and third-generation GSM phones that will generate demand for replacement SIM cards in Europe and other established GSM markets. China is the fastest-growing market, with smart card revenues projected
to grow from $825 million in 2001 to $1.75 billion by 2006, and units from 325 million to 950 million units. The U.S. smart card market will grow from $150 million in sales in 2001 to $475 million in 2006, with shipments growing from 30 million to 200 million units, Hester days. He says half of the 2006 shipments, or 100 million cards, will be bankcards, but that
will still represent a small portion of the U.S. credit and debit card market. ( 2003-03-27 )