Smart Card
Standards 101
Property of the Smart Card Alliance © 2009 – Spring 2007
Agenda
Is your bank account safe?
What is a Smart Card?
Standards for Interoperability
Fraud prevention through Smart Cards
CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009
Why Are Smart Cards Needed?
Smart cards significantly reduce fraud
Headline: Fraud growing out of control
Historically Different Paths
How do we fix this?

Europe: network edge using Smart Cards ("Protection")
• User authenticates to card
• Card authenticates to terminal
• Card can make decisions

US: host-based security ("Intelligence")
• Neural network
• Card present with static data (CVC)
• LUHN check
• AVS, Zip code
Smart Cards Defined
What is a Smart Card?
• Embedded computer chip that is either a microprocessor with internal memory or a memory chip alone
• Contact or contactless designs

Memory Card
• Telephone card
• Stored value
• No RSA crypto
• Limited memory addresses

Microprocessor Card
• Large EEPROM memory (up to 128K)
• On-card functions (encryption, digital signatures)
• Multi-application
• Open platform (Java, Multos)
Contact Smart Card
Need for interoperability…
International Organization for Standardization (ISO): worldwide association of over 100 national standards agencies. The name comes from the Greek word "isos" meaning "equal" or "the same"; the prefix iso- is commonly used in the three official languages of ISO (English, French and Russian).
International Electrotechnical Commission (IEC): standards organization that covers the areas of electrical technology and electronics. First to publish card standards; collaborates with ISO to ensure alignment.
ISO/IEC 7816 defines contact Smart Cards
7816-1: Physical characteristics
7816-2: Cards with contacts -- Dimensions and location of the contacts
7816-3: Cards with contacts -- Electrical interface and transmission protocols
7816-4: Organization, security and commands for interchange
7816-5: Registration of application providers
7816-6: Inter-industry data elements for interchange
7816-7: Inter-industry commands for Structured Card Query Language (SCQL)
7816-8: Commands for security operations
7816-9: Commands for card management
7816-10: Electronic signals and answer to reset for synchronous cards
7816-11: Personal verification through biometric methods
7816-12: Cards with contacts -- USB electrical interface
7816-13: Commands for application management in a multi-application environment
7816-15: Cryptographic information application
ISO 14443 defines contactless proximity cards
This standard is described in 4 parts:
ISO 14443-1: Physical characteristics (Type A = Type B)
ISO 14443-2: Radio frequency power and signal interface (13.56 MHz)
ISO 14443-3: Initialisation and anti-collision (Type A different from Type B)
ISO 14443-4: Transmission protocol (Type A different from Type B)
Examples: contactless payment, Mifare cards, biometric passports, SmarTrip cards
Smart Cards Reduce Fraud
Smart cards secure many industries
• Access control / network security
• Health care
• Mass transit
• Electronic commerce
• Pay TV
• Access control
• Parking
• Credit/Debit (figure: sample payment card)
• Payphones
• Digital cellular phones
Microcomputer chip can be programmed for each application
Chip block diagram: Clock, Reset, Input/Output, CPU; RAM (scratch pad); ROM (operating system); EEPROM (application memory)
The smart card is the ultimate secure portable computer!!
…and secure
• Hundreds of secure countermeasures
Secure microcontroller block diagram: CPU 80C51, MMU, interrupt system, RAM, EEPROM, public-key co-processor, Triple-DES co-processor, true random number generator, CRC, UART (ISO 7816), 16-bit timers T0 and T1, user ROM, test ROM, security sensors, power-on reset, voltage regulator, clock input filter, reset generator, ISO contacts, IO2/IO3
Smart card in payment
Payment application: EMV, mag stripe transaction, contactless transaction
How does this secure you?
Anatomy of a typical Transaction
1. Terminal reads MSD and initiates the transaction with the host
2. Terminal can ask the cardholder for verification data (CVC, AVS)
3. Terminal formats the authorization request and sends it to the network/issuer
4. Issuer verifies and processes the authorization
Contactless Transaction adds security
• Card updates the Application Transaction Counter (ATC)
• Terminal generates a UN (unpredictable number) and asks the card to generate the dCVV or CVC3 and ATC; the card creates the cryptogram using a secret key
• Card calculates the proper cryptogram and appends it to the track data
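A toy model of the ATC/UN/dCVV flow described above, added here as an example and not part of the original slides: the card MACs its counter and the terminal's unpredictable number, and the issuer rejects both a bad cryptogram and replayed track data whose ATC has not advanced. HMAC-SHA256 stands in for the card's real 3DES-based CVC3 MAC, and the PAN, key and message layout are constructed.

```python
import hmac
import hashlib

# Constructed sample values: a fake PAN and card key for the simulation.
PAN = "4000000000000002"
CARD_KEY = b"constructed-card-key-0001"

def cryptogram(key: bytes, pan: str, atc: int, un: int) -> int:
    """Stand-in for the card's CVC3 MAC: HMAC over PAN, ATC and the terminal's UN,
    reduced to a 3-digit dynamic CVV (real cards use a 3DES-based MAC)."""
    msg = f"{pan}|{atc:05d}|{un:08d}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 1000

class Card:
    """Simulated contactless card: secret key plus Application Transaction Counter."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def transact(self, un: int) -> dict:
        self.atc += 1                      # ATC moves forward on every transaction
        dcvv = cryptogram(self.key, self.pan, self.atc, un)
        return {"pan": self.pan, "atc": self.atc, "un": un, "dcvv": dcvv}  # "track data"

class Issuer:
    """Issuer host: knows each card's key and the last ATC it accepted."""
    def __init__(self, keys: dict):
        self.keys, self.last_atc = keys, {pan: 0 for pan in keys}

    def authorize(self, track: dict) -> str:
        key = self.keys.get(track["pan"])
        if key is None:
            return "DECLINE: unknown card"
        # A copy of earlier track data carries an ATC the issuer has already seen.
        if track["atc"] <= self.last_atc[track["pan"]]:
            return "DECLINE: ATC not increasing (replayed data)"
        expected = cryptogram(key, track["pan"], track["atc"], track["un"])
        if not hmac.compare_digest(f"{expected:03d}", f"{track['dcvv']:03d}"):
            return "DECLINE: bad cryptogram"
        self.last_atc[track["pan"]] = track["atc"]
        return "APPROVE"

def demo() -> tuple:
    """Fresh transaction approved; a copy of its data replayed is declined;
    a later transaction with a new UN is approved again."""
    card, issuer = Card(PAN, CARD_KEY), Issuer({PAN: CARD_KEY})
    first = card.transact(un=12345678)
    return (issuer.authorize(first), issuer.authorize(dict(first)),
            issuer.authorize(card.transact(un=87654321)))
```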
EMV
• Europay, MasterCard, Visa
• EMV® is a global standard for credit and debit payment cards based on chip card technology
• As of Q1 2008, there were more than 730 million EMV-compliant chip-based payment cards in use worldwide.
EMV, the ultimate in transaction security
• Card is programmed to make decisions within the parameters that the bank gives it
  – Max offline transaction up to "X" dollars, and transactions cumulatively
• Terminal provides information to the card and sets the guidelines for risk management
  – Cardholder verification (PIN)
  – Offline authentication data (SDA/DDA)
• Card also performs risk management, generates necessary cryptograms, and responds with transaction data and decision:
  – Process online
  – Offline approve or decline
  – Terminate and use other interface
• Terminal sends EMV authorization request and ARQC cryptogram
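A toy model of the card-side risk management just described, added here as an example and not part of the original slides: the bank's offline limits are personalised into the card, the terminal reports the amount, PIN and SDA/DDA results, and the card answers with a cryptogram type that encodes its decision. The limit values, terminal fields and decision rules are constructed; ARQC (go online), TC (offline approve) and AAC (decline) are the standard EMV cryptogram types.

```python
from dataclasses import dataclass

@dataclass
class IssuerParams:
    """Parameters the bank personalises into the card (constructed values)."""
    max_offline_amount: int        # single offline transaction ceiling ("X" dollars)
    max_cumulative_offline: int    # cumulative offline spend allowed before going online

@dataclass
class TerminalData:
    """What the terminal tells the card about this transaction."""
    amount: int
    online_capable: bool           # terminal can reach the issuer
    cvm_pin_ok: bool               # cardholder verification (PIN) succeeded
    offline_auth_ok: bool          # SDA/DDA offline data authentication result

class EmvCard:
    def __init__(self, params: IssuerParams):
        self.params = params
        self.cumulative_offline = 0
        self.atc = 0

    def generate_ac(self, t: TerminalData) -> str:
        """Card risk management: return the cryptogram type carrying the decision
        (TC = offline approve, AAC = decline, ARQC = process online)."""
        self.atc += 1                        # every attempt consumes an ATC value
        if not t.cvm_pin_ok:
            return "AAC"                     # failed cardholder verification: decline
        needs_online = (
            t.amount > self.params.max_offline_amount
            or self.cumulative_offline + t.amount > self.params.max_cumulative_offline
            or not t.offline_auth_ok         # cannot trust the card offline: ask the issuer
        )
        if needs_online:
            if t.online_capable:
                return "ARQC"                # terminal forwards the ARQC to the issuer
            return "AAC"                     # outside offline limits and no online path
        self.cumulative_offline += t.amount  # within limits: approve offline
        return "TC"

    def online_response(self, approved: bool) -> None:
        """Issuer answered the ARQC; an approval resets the offline accumulator."""
        if approved:
            self.cumulative_offline = 0
```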
For additional information
Contact:
Bill Gostkowski
Gemalto
(512) 257-3898
www.smartcardalliance.org
Basic Card Definitions
Two chips, dual interface (figure): antenna; contactless chip module; contact chip module
Single chip, dual interface (figure): antenna; contact/contactless chip module
Issuers deploy EMV… for fraud reduction
Chart: credit and debit card fraud losses on UK-issued cards, in m£, 2004 to 2007 (axis 0 to 500). UK fraud includes: fraud abroad, UK retailer (face-to-face transactions), UK cash machine. Source: APACS
Expanded view of Smart Card
Card body layers: PVC overlay (thermal printable), polycarbonate (PC), filling layer, inlet (etched antenna), polycarbonate (PC), PVC overlay (thermal printable)
Process steps: die probing, sawing and cutting, die bonding, module insertion, lamination, card body
Card features: micro-module (8 or 6 contacts), chip with antenna, hologram, brand stamp, magnetic stripe
ISO 15693 defines contactless vicinity cards
Standard for "Vicinity Cards", i.e. cards which can be read from a greater distance compared to proximity cards.
ISO 15693 systems operate at the 13.56 MHz frequency and offer a maximum read distance of 1 meter.
~10 cm for ISO 14443
~1 m for ISO 15693
iCLASS family of cards and tags by HID Global: maximum read range 45 cm / 18 inches.
Payment fraud is a global concern
New EMV mass deployments in all regions (e.g. Spain, Thailand, Brazil, Canada…)
+24% volume growth in 2007*
+41% volume growth in H1'08 vs H1'07*
Chart: shipments of EMV cards per quarter (in ku). Source: SPA (Smart Payment Association)
* Source: SPA (Smart Payment Association)
EMV adoption is global
Map legend: EMV deployed / EMV to be deployed (est. in the next 24 months) / No EMV. Source: Eurosmart, MasterCard, Gemalto
Dual-interface adoption gets global, too
Map legend: mass deployment in 2008 / pre-deployment in 2008 / at pilot/small program stage in 2008
Fraud Reduced with EMV
Contactless Cross-Section (figure): antenna (etched copper), conductive adhesive
Smart Card Manufacturing
Manufacturing process (simplified). Input: sand (quartz). Output: semiconductor device (microchip).
Wafer manufacturing: Si-ingot → Si-wafers (dicing) → grinding → wet etch → bare wafer
Wafer processing (15-25 cycles): deposition, cleaning, doping, CMP*, stripping, litho, dry etch, wet etch, decontamination, particle removal, automation & process control → wafer with chips
Testing, assembly & packaging: probe test → dicing → dice bonding → wire bonding → packaging → final test
* Chemical Mechanical Polishing (CMP). Source: European Semiconductor Capital Equipment, 1/9/01, Robertson Stephens
Contactless Tech Comparison
Feature                                  | ISO 14443                               | ISO 15693            | 125 kHz
Standards                                | ISO 14443                               | ISO 15693            | 125 kHz
Frequency                                | 13.56 MHz                               | 13.56 MHz            | 125 kHz
Read range                               | ~10 centimeters (~3-4 inches)           | ~1 meter (~3.3 feet) | ~1 meter (~3.3 feet)
Chip types supported                     | Memory, wired logic, microcontroller    | Memory, wired logic  | Memory, wired logic
Encryption and authentication functions  | MIFARE, DES/3DES, AES, RSA, ECC         | Supplier specific    | Supplier specific
Memory capacity range                    | 64 to 72K bytes                         | 256 and 2K bytes     | 8 to 256 bytes
Read/write ability                       | Read/write                              | Read/write           | Read/write
Data transfer rate (Kb/sec)              | Up to 106 (ISO), up to 848 (available)  | Up to 26.6           | Up to 4
Anti-collision                           | Yes                                     | Yes                  | Optional
Card-to-reader authentication            | Challenge/response                      | Challenge/response   | Password
Hybrid card capability                   | Yes                                     | Yes                  | Yes
Contact interface support                | Yes                                     | No                   | No
ISO/IEC 7816
ISO 7816-1: Dimensions and physical constraints (bending, torsion strength)
ISO 7816-2: Contact locations, electrical interface
ISO 7816-3: Communication protocol
ISO 7816-4 ...: Memory management and inter-industry commands
Micro Module Process
Wafers from the foundry → probing → sawing → die bonding → wire bonding → coating → electrical test → micro-module