Interactive Multitask smartcard



INTERACTIVE MULTITASK CREDIT CARD TECHNOLOGY

Marc Rippen, Harry Braunstein, Craig Nelson, Carl Schuck, Concurrent Technologies Corporation, Largo, Florida

Philippe Guillaud, Innovative Card Technologies, Los Angeles, California

Philippe Blott, nCryptone, Boulogne, France

Abstract: The convergence of several technologies has allowed the electronics industry to introduce the next generation of interactive multi-tasking financial transaction cards, with embedded power and processing capabilities. The credit card started as a magnetized data plate carrying the owner’s name, the account number, and the store(s) where it could be used. Several generations of credit cards have come and gone since then. The next generation of credit card, the smart card, incorporates micro-processing and data storage capability and provides enhanced security for financial transactions. Smart cards have not yet gained significant market share in the United States (U.S.). This lack of market penetration is due, in part, to the need to provide power and communications from the card reader to access the smart chip, as well as the perceived lack of apparent value added, given the cost to upgrade an extensive network of card readers to facilitate that functionality. This paper will deal with the next generation credit card. Advances in robust micro-circuitry, nanotechnology, displays, speakers, switches, and battery technology have led to the development of credit/debit cards with significantly enhanced capabilities. By introducing an embedded power source, a credit card can be used to provide novel modes of communication, such as the ability to play audio files or produce complex audio encrypted data and validate the authenticity of the transaction.

I. INTRODUCTION

A convergence of technologies has allowed the electronics industry to introduce the next generation of interactive, multi-tasking, financial transaction cards, with embedded power and processing capabilities. The credit card began as a magnetized data plate carrying the owner’s name, the account number, and the store(s) where it could be used. The next generation of credit card, smart cards, incorporated micro-processing and data storage capability and provided enhanced security for financial transactions. It has not been able to gain significant market share in the United States (U.S.). This lack of market penetration stems from the need for the card reader to provide power to the card. The lack of apparent value added, given the cost to upgrade an extensive network to facilitate the new functionalities, has also contributed to the card’s lack of acceptance. This paper will deal with the next generation credit card. Advances in robust micro-circuitry, nanotechnology, displays, speakers, switches, and battery technology have led to the development of credit/debit cards with significantly enhanced capabilities. By introducing an embedded power source, a credit card can be used to provide novel modes of communication, such as the ability to play audio files, display information, produce complex audio encrypted data, and validate the authenticity of the transaction. The card can be used to provide a light source for examining a bill in a dimly lit environment.

Credit/debit card security controls have not kept pace with the cards’ increased monetary limits and frequency of use. This gap has made these types of transactions a prime target for criminal activity and has provided a market opportunity for self-powered, interactive multi-tasking card technology. The factors that improve fiscal protection are faster data access and processing, and the ability to use additional means to confirm the identity of the card bearer prior to transaction completion. The next generation of credit card offers this capability at the point of sale, improving security for all. Data processing and other functionalities designed into the card will allow for encrypted sales and financial transactions both online and through voice media, so that only the legitimate card holder will be able to conduct these activities.

This paper will discuss the evolution of embedded power technology, micro-circuitry, micro-passive displays, micro-speakers, membrane switches, and micro-light emitting diodes (LEDs) and how these technologies create value to the card issuer, the user, and the merchant.

II. TECHNICAL CONCEPT

A new generation of smart card is based on an embedded electronics platform containing a battery, a secure microcircuit, a display for visual output, one or more buttons for input, a speaker for output, biometrics sensors and LEDs; all completely integrated in a credit card form factor capable of meeting ISO standards. The integrated security chip can be used to execute an algorithm that sends a unique one-time security pass code to the display, or for audio output to the handset microphone for telephone-based audio confirmed transactions. The choice to use this multifunctional platform approach is driven by the following factors:


Portability: the credit card, which can be carried in the user’s wallet or pocket, is always within reach.

The development of technology to allow the introduction of advanced capabilities on a credit card platform using smartcard chip-enabled functions such as biometric authentication, unique one-time password (OTP) generation, magnetic strip read/write, wireless communications, visual display, and audio broadcast.

The development of commercial sources for low power displays, batteries, and other components in suitable form factors.

Recommendations to the U.S. financial industry by the Office of the Comptroller of the Currency (OCC) and Federal Financial Institutions Examination Council (FFIEC) to use multiple means of authentication in all electronic-based financial transactions.

III. DESIGN ISSUES

The first major design challenge to be overcome was to find or develop a battery and other components that would work within a credit card form factor. The typical ISO standard credit card is less than 1 mm thick by 86 mm wide by 54 mm high. The footprint required for the smart chip, display, controls and, perhaps, embossed characters leaves very little space available for the battery. The components need to be very energy efficient, so as not to drain the battery prematurely. A target life of two years is typical for a credit card. Along with power and size constraints, the card must also be capable of surviving exposure to the environmental conditions to which a typical user would subject it. It must be capable of being flexed and must be temperature tolerant. When carried in a purse, for example, it can see summer temperatures of up to 50°C in the U.S. (60°C in other parts of the world) and winter temperatures of below -20°C. It must be water resistant. The relative humidity to which a card is exposed can vary from near zero to 100%; the card may even be subjected to total immersion in water. The battery must not leak. All of the components used must present no safety or health issues and must be as environmentally benign as possible at disposal.

IV. PACKAGING

In the manufacturing of self-powered smart card devices, it is necessary to consider the existing manufacturing infrastructure which supports the present credit card manufacturing industry. The credit card industry is very price driven. Hot lamination processing is used in this industry to make the cards, as it is the most cost effective method using white and clear polyvinyl chloride (PVC) sheet materials. To reduce manufacturing infrastructure entry barriers to powered card applications, the existing card manufacturing equipment must be used for the packaging process. In this packaging process, the components of the cards are subjected to temperatures of up to 150°C and pressures of up to 2100 kPa.

Batteries and components were selected on the basis of their ability to survive this process. As this limited some of the components that could be used, another method of packaging was developed, referred to as “Cold Lamination.” Several companies have developed proprietary polymer materials that can flow at room temperature or slightly higher, and embed all the components with low pressure. This alternative method of packaging the card components has opened the door to the use of passive visual displays and rechargeable battery chemistry. Figures 1 and 2 illustrate the smart card assembly.

Figure 1. Card Assembly.

Figure 2. Explosion of Card Assembly.

V. POWER SOURCE

Since credit cards are disposable and current user behavior and infrastructure would not motivate or allow users to recharge their cards, a primary battery approach was initially taken. With the given design and packaging requirements, the optimum battery was found to be a primary Lithium polymer battery (LPB). The LPB uses a solid state electrolyte, is flexible, environmentally benign, and available in the needed form factor. Also, it can survive the hot lamination processing and user environments. The polymer electrolyte approach eliminates the leaking problem, but because of the slower ionic transfer in solid state electrolytes compared to liquid electrolytes, the internal impedance of the batteries is greater than that of liquid-based cells. LPB energy density (milli-ampere-hours (mAh) per cubic millimeter (mm³)) is lower than for liquid electrolyte batteries. For example, 3 mAh/mm³ is typical of LPBs, which is less than 10% of the energy density for a typical AAA dry cell. The smart card Lithium polymer batteries, 25 mm x 30 mm x 0.3 mm, deliver 10-20 mAh at 3 V. These performance limitations increased the technical challenges in the design. A key challenge was finding a low power display technology. Micro flexible passive display technology was selected, as it only requires power when setting the image on the display. Once set, the display requires no power to maintain the image. Figure 3 illustrates a card incorporating a display for OTP.

Figure 3. Smart card with OTP Display.

The next generation of interactive credit cards will require a rechargeable battery if additional useful functions are to be realized. For card users, it is believed that in order to gain market acceptance, the recharging process must be independent of the user. The smart cards being used in Europe today, and the smart ID cards used by the U.S. Department of Defense (DOD), are not self-powered. The readers provide power to these cards at the point of use. These readers could be used to recharge a battery while the card is inserted for a transaction, without affecting the transaction time.

VI. SOFTWARE

The smart card platform provides for a readily programmable, software driven device in which components are integrated, as needed, to support the card’s required functionalities. The interaction and control of the components within the platform, and to systems with which the platform communicates, are programmable at the factory and could be further programmed by the issuer and user to brand or personalize its functionality. The systems architecture is defined by the platform application and the client. Security programming and software is driven by platform applications and by validation to National Institute of Standards and Testing (NIST), General Services Administration (GSA), and/or banking standards. On-card memory and processing ability allow for real time tracking of account balances, loyalty rewards, and other utilization data by the user and issuer. The details of the software and the algorithms are not discussed in this paper for security reasons.

VII. FINANCIAL TRANSACTIONS

A smart card platform can be used to hold and transmit data via magnetic stripe or smartcard chip to allow for the continued use of existing reader infrastructure in the U.S. For prevention of electronic identity theft and fraud, additional functionalities allow the card to provide authentication security for card-reader-not-present transactions. This can be done using OTP security and applies to online and telephone banking, and to retail transactions. Because transactions in these formats are most vulnerable to fraud, the OTP function, combined with a biometric on-card authentication function, could provide a significant security and cost savings advantage for issuers, as well as identity fraud protection for the users. For an online transaction, the user experience would appear much like a standard login. For example:

1. User accesses his/her bank Web site

2. User uses biometric authentication and/or enters login ID and static password or Personal Identification Number (PIN)

3. An OTP is generated and displayed on the card

4. User enters OTP onto Web interface

5. Web server contacts authentication server for verification

6. Authentication server validates OTP with Application Program Interface (API) middleware

7. User gains access to bank account and completes transaction.

An OTP can also be supplied to electronic retailers to verify card ownership during an e-commerce transaction and to telesales agents during a phone transaction. Data access security works in a similar way. When coupled with a static PIN code and/or on-card biometric authentication, OTP provides multi-factor authentication, such as that recommended to financial institutions by the Office of the Comptroller of the Currency (OCC) in its advisory letter AL 2001-8, which introduced the document generated by FFIEC, entitled: “Authentication in an Internet Banking Environment,” October 12, 2005. A PIN can be used with the OTP and biometric authentication in several different ways. The first method is through a Web or phone interface, with on-card biometric authentication and/or a PIN, in conjunction with an OTP entered separately (as is described above). Another option is entering a concatenated code (the PIN and OTP combined into one string). Thirdly, the PIN can be entered into the card in order to receive an OTP. Fourthly, the PIN entered is used in a calculation of the OTP (thus a wrong PIN would generate an invalid OTP).


One desired functionality for financial cards is wireless financial transaction capability. Non-self-powered cards have been used for the last decade but are limited, as they use very short range radio frequency identification (RFID)-based transactions. Other wireless technologies exist that can be integrated into a card platform to provide for contact-free use of the device. One such technology utilizes Zigbee communications protocols, providing a 20 to 30 meter range with very low power consumption at a low bandwidth. This would be ideal, because bandwidth is not a critical factor with typical card applications.

VIII. SECURITY

On-card biometric fingerprint authentication is a very desirable functionality that is presently available and enabled in a powered smart card platform. It can be used to allow the generation of an OTP so that existing financial exchange infrastructure can be used without costly upgrades.

The OTP is the result of a one-way cryptographic calculation. The algorithm, which defaults to Open Authorization (OATH) event-based, can also be changed upon request. For this reason, a provision was made regarding the capacity of the chip used. The OATH algorithm is a good choice because it is becoming an industry standard, backed by a global consortium of more than 60 authentication companies. Thus, the adoption of this standard throughout the entire security marketplace will make it possible for the OTP card to be compatible with the necessary middleware. The OATH cryptographic calculation uses a starting seed of 20 bytes. This seed is hashed through the algorithm, and the result is the seed of the subsequent calculation. Thus, the starting seed is no longer present in the card once the first calculation has been carried out. This characteristic guarantees that the seed which allows the authentication of the card is no longer in the hands of the user but only on the side of the protected server.
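The following is an added example, not code from the paper (which withholds its algorithms): an event-based OATH OTP as standardized in RFC 4226, combined with the one-way seed update described above and the fourth PIN method from Section VII, with the authentication server's check from steps 5 and 6. The SHA-1 seed update, the way the PIN is folded into the key, the 6-digit length, the look-ahead window and the `Card` / `AuthServer` names are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6       # assumed code length; the paper does not state one
LOOK_AHEAD = 5   # assumed number of unsubmitted button presses the server tolerates


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """OATH event-based OTP (RFC 4226): HMAC-SHA-1 plus dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def next_seed(seed: bytes) -> bytes:
    """One-way seed update; SHA-1 is an assumption, chosen to keep 20 bytes."""
    return hashlib.sha1(b"seed-update" + seed).digest()


def pin_key(seed: bytes, pin: str) -> bytes:
    """Fold the PIN into the OTP key so a wrong PIN yields a useless code."""
    return hmac.new(seed, pin.encode(), hashlib.sha1).digest()


class Card:
    """Hypothetical card: holds only the current seed, never an earlier one."""

    def __init__(self, seed: bytes):
        self._seed, self._counter = seed, 0

    def press(self, pin: str) -> str:
        code = hotp(pin_key(self._seed, pin), self._counter)
        self._seed, self._counter = next_seed(self._seed), self._counter + 1
        return code


class AuthServer:
    """Hypothetical authentication server tracking one card's state."""

    def __init__(self, seed: bytes, pin: str):
        self._seed, self._counter, self._pin = seed, 0, pin

    def verify(self, submitted: str) -> bool:
        seed, counter = self._seed, self._counter
        for _ in range(LOOK_AHEAD + 1):
            expected = hotp(pin_key(seed, self._pin), counter)
            seed, counter = next_seed(seed), counter + 1
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                # Accept, then move past this code so it cannot be replayed.
                self._seed, self._counter = seed, counter
                return True
        return False  # wrong PIN, replayed code, or card too far ahead


def demo() -> dict:
    seed = bytes(range(20))  # constructed 20-byte seed, for illustration only
    card, server = Card(seed), AuthServer(seed, "4821")
    first = card.press("4821")
    results = {"fresh": server.verify(first), "replay": server.verify(first)}
    results["wrong_pin"] = server.verify(card.press("0000"))
    card.press("4821")                      # pressed but never submitted
    results["after_skips"] = server.verify(card.press("4821"))
    for _ in range(LOOK_AHEAD + 1):         # card runs beyond the window
        card.press("4821")
    results["out_of_window"] = server.verify(card.press("4821"))
    return results


if __name__ == "__main__":
    print(demo())
```

A wider look-ahead window tolerates more stray button presses but also raises the chance that a guessed code is accepted, so the window size and a lockout after repeated failures are server-side policy decisions.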

It is important to take additional measures to secure the information inside the card. A fraud attempt may include opening the card to collect information (tampering method). In order to avoid this kind of attack, all the sensitive components are put together in the same chip and a chip bit lock is activated which allows no one, not even the manufacturer, access to the sensitive areas of programming that could be manipulated to gain access to sensitive information. Thus, the attack becomes much more difficult, and even impossible, without implementing considerable technological means. Moreover, all sensitive information is stored in the volatile memory of the chip in random access memory (RAM) and only exists as long as the chip is electrically powered. Any attempt to open the card, if it succeeds, would cause a simultaneous rupture in the electrical supply, and would erase the contents of the memory along with the sensitive data. In the long term, the chip currently used may be replaced by a Europay, MasterCard and Visa (EMV) chip. As this type of protected chip was not initially designed to function from an embedded power source, adaptations are being developed to take this characteristic into account and to guarantee a 2-year lifespan to meet ISO standards.

IX. CUSTOMER BENEFITS

The smart card platform provides many benefits to both the customer and the user. On-card biometric authentication embedded directly into a card platform makes it impossible to use a stolen card. It provides financial service providers a means for product differentiation and a major decrease in fraud liability costs for card-not-present transactions. The smart card platform can also be used to track loyalty programs on a transaction basis and to redeem points for goods or services. In addition, the card could provide positive identification of the bearer for other applications.

X. ADVERTISING AND PROMOTIONS

Given the functionality of wireless communications, on-card displays and audio, and on-card processing and memory, the smart card platform can also be used to communicate with or reward a user on a real time basis at the point of sale. Other in-store devices can trigger personalized displays based upon wireless communications with the user’s cards.

XI. NEXT STEP

Driven by identity theft, globalization, and the global war on terrorism, many western countries are in the first stages of developing identification cards, many of which will include some biometric authentication capability. In theory one card could function for many applications. This card could act as a driver’s license, passport, employee ID, automated teller machine (ATM), locator and communications device.

Smart cards have been very successful in reducing fraudulent use of credit cards in Europe to near negligible levels. They have not been used by the U.S. credit card industry because of high per card costs and the high cost of replacing the existing magnetic card reader infrastructure. The development of a powered smart card platform which can operate with any existing reader and incorporate biometric authentication is a very technically viable option. The process to introduce this technology to the marketplace will be driven by the cost to manufacture these cards, which is, in turn, a function of volume and the maturity of critical technologies.


CONCLUSIONS

The use of interactive multitask credit card technology (Smart Cards) is expected to grow quickly because:

1. It is a great technology to reduce fraud and identity theft

2. The technology’s market share will grow with time and cost savings

3. The technology enables the increased mobility of the users

4. The technology facilitates financial transactions

5. The technology opens the financial market to a new set of business opportunities.

ACKNOWLEDGEMENTS

Figures 1 and 2 are from nCryptone’s Web site: http://www.ncryptone.com. Figure 3 is from Innovative Card Technologies.
