Smart Card Standards 101

Agenda
• Is your bank account safe?
• What is a Smart Card?
• Standards for Interoperability
• Fraud prevention through Smart Cards

Spring 2007
Property of the Smart Card Alliance © 2009

Why Are Smart Cards Needed?
• Smart cards significantly reduce fraud
• Headline:

CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009

Fraud growing out of control

How do we fix this? Historically Different Paths
“Intelligence” Protection
Europe, US

Host based Security
• Neural Network
• Card Present with Static data (CVC)
• LUHN check
• AVS, Zip code

Network edge using Smart Cards
• User Authenticates to card
• Card Authenticates to terminal
• Card can make decisions

Smart Cards Defined
What is a Smart Card?
• Embedded computer chip that is either a microprocessor with internal memory or memory chip alone
• Contact or contactless designs

Memory Card
• Telephone card
• Stored value
• No RSA Crypto
• Limited memory addresses

Contact Smart Card

Microprocessor Card
• Large EEPROM Memory (up to 128K)
• On-card functions (encryption, digital signatures)
• Multi application
• Open Platform (Java, Multos)

Need for interoperability…
International Organization for Standardization (ISO)
• Worldwide association of over 100 national standards agencies
• From Greek word “ISOS” meaning “equal” or “the same”
• The prefix iso- is commonly used in the three official languages of ISO (English, French and Russian)
International Electrotechnical Commission (IEC)
• Standards organization that covers the areas of electrical technology and electronics
• First to publish card standards
• Collaborates with ISO to ensure alignment

ISO/IEC 7816 defines contact Smart Cards
• 7816-1: Physical characteristics
• 7816-2: Cards with contacts
• 7816-3: Cards with contacts
• 7816-4: Organization, security and commands for interchange
• 7816-5: Registration of application providers
• 7816-6: Inter-industry data elements for interchange
• 7816-7: Inter-industry commands for Structured Card Query Language (SCQL)
• 7816-8: Commands for security operations
• 7816-9: Commands for card management
• 7816-10: Electronic signals and answer to reset for synchronous cards
• 7816-11: Personal verification through biometric methods
• 7816-12: Cards with contacts -- USB electrical interface
• 7816-13: Commands for application management in multiapplication
• 7816-15: Cryptographic information application

ISO 14443 defines contactless proximity cards
This Standard is described in 4 Parts:
• ISO 14443-1: Physical characteristics (Type A = Type B)
• ISO 14443-2: Radio Frequency power and Signal Interface (13,56 MHz)
• ISO 14443-3: Initialisation and Anti-collision. Type A different from Type B.
• ISO 14443-4: Transmission Protocol. Type A different from Type B.
Examples:
• Contactless payment
• Mifare cards
• Biometric passports
• Smart Trip cards

Smart Cards Reduce Fraud

Smart cards secure many industries
• Electronic Commerce
• Credit/Debit
• Pay TV
• Health Care
• Access control network security
• Payphones
• Access Control
• Parking
• Digital cellular phones
• Mass Transit

Microcomputer Chip can be programmed for each application
Chip diagram labels:
• Reset
• Clock
• Input / Output
• CPU
• ROM: Operating System
• EEPROM: Application Memory
• RAM: Scratch Pad
The smart card is the ultimate secure portable computer!!

…and secure
• Hundreds of secure countermeasures
Chip block diagram labels: RAM; EEPROM; User ROM; Test ROM; Public Key co-processor; Triple-DES co-processor; Security sensors; Power on reset; Reset generator; CRC; IO2, IO3; MMU; Voltage regulator; Clock input filter; ISO contacts; Interrupt system; CPU 80C51; UART ISO 7816; Timers 16 bit (T0, T1); True random number generator

Smart card in payment
How does this secure you?
• Mag Stripe transaction
• Payment application
• Contactless Transaction
• EMV

Anatomy of a typical Transaction
• Terminal Reads MSD and initiates transaction with the host
• Terminal can ask the cardholder for verification data (CVC, AVS)
• Terminal formats the authorization request and sends it to the Network/Issuer
• Issuer verifies and processes authorization

Contactless Transaction adds security
• Card updates Application Transaction Counter (ATC)
• Terminal generates UN (unpredictable number) and asks card to generate dCVV or CVC3 and ATC and creates cryptogram using a secret key
• Card calculates the proper cryptogram and appends the track data

EMV
• Europay Mastercard Visa
• EMV® is a global standard for credit and debit payment cards based on chip card technology
• As of Q1 2008, there were more than 730 million EMV compliant chip-based payment cards in use worldwide.
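
The contactless flow described above (card-side ATC, terminal-generated UN, cryptogram computed with a secret key) can be sketched as follows. This is an added example, not part of the original slides: it uses truncated HMAC-SHA256 as a stand-in for the real dCVV/CVC3 algorithms, and the class names, key and track data are constructed for illustration.

```python
import hashlib
import hmac

def cryptogram(key: bytes, track: str, atc: int, un: bytes) -> str:
    """Stand-in MAC over track data, ATC and UN (real dCVV/CVC3 differ)."""
    msg = track.encode() + atc.to_bytes(2, "big") + un
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Card:
    def __init__(self, key: bytes, track: str):
        self.key, self.track, self.atc = key, track, 0

    def respond(self, un: bytes) -> dict:
        self.atc += 1  # card updates the ATC on every transaction
        return {"track": self.track, "atc": self.atc,
                "cg": cryptogram(self.key, self.track, self.atc, un)}

class Issuer:
    def __init__(self, key: bytes):
        self.key, self.last_atc = key, 0

    def authorize(self, resp: dict, terminal_un: bytes) -> str:
        # Recompute with the UN reported by the terminal for this transaction.
        want = cryptogram(self.key, resp["track"], resp["atc"], terminal_un)
        if not hmac.compare_digest(want, resp["cg"]):
            return "decline: cryptogram mismatch"
        if resp["atc"] <= self.last_atc:  # counter must always move forward
            return "decline: stale ATC"
        self.last_atc = resp["atc"]
        return "approve"

def demo() -> list:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    track = "9999000011112222=0000"                          # constructed track data
    card, issuer = Card(key, track), Issuer(key)
    un1, un2 = b"\x00\x00\x12\x34", b"\x00\x00\x56\x78"       # terminal UNs
    first = card.respond(un1)
    return [
        issuer.authorize(first, un1),  # genuine transaction
        issuer.authorize(first, un2),  # same data seen again under a fresh UN
        issuer.authorize(first, un1),  # same data, same UN: ATC check applies
    ]

if __name__ == "__main__":
    print(demo())
```

Static magnetic-stripe data would pass all three checks unchanged; here only the first presentation is approved because the cryptogram is bound to both the terminal's UN and the card's counter.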

EMV, the ultimate in transaction security
• Card is programmed to make decisions within the parameters that the bank gives it
  – Max offline transaction up to “X” dollars and transactions cumulatively
• Terminal provides information to the card and sets the guidelines for risk management
  – Cardholder Verification (PIN)??
  – Offline authentication data (SDA/DDA)??
• Card also performs risk management, generates necessary cryptograms, and responds with transaction data and decision:
  – Process online
  – Offline approve or decline
  – Terminate and use other interface
• Terminal sends EMV authorization request and ARQC cryptogram

For additional information
Contact: Bill Gostkowski, Gemalto
William.gostkowski@gemalto.com
(512) 257-3898
www.smartcardalliance.org

Basic Card Definitions
Card types shown: Contactless; Single Chip Dual Interface; Two Chips Dual Interface
Figure labels: Antenna; Contactless chip module; Contact/contactless chip module; Contact chip module

Issuers deploy EMV… for fraud reduction
Chart: Credit and debit card fraud losses on UK-issued cards in m£, 2004 to 2007 (Source: APACS)
Series: UK fraud; Fraud abroad
UK fraud includes: UK retailer (face-to-face transactions); UK cash machine

Expanded view of Smart Card
Card body layers: PVC Overlay (thermal printable); Polycarbonate (PC); Filling layer; Inlet (etched antenna); Polycarbonate (PC); PVC Overlay (thermal printable)
Process labels: Die probing; Sawing and cutting; Die bonding; Module insertion; Card body lamination
Other labels: Chip with antenna; Micro Module; 8 or 6 Contacts; Hologram; Brand Stamp; Magnetic Stripe

ISO 15693 defines contactless vicinity
• Standard for "Vicinity Cards", i.e. cards which can be read from a greater distance as compared to Proximity cards.
• ISO 15693 systems operate at the 13.56 MHz frequency, and offer a maximum read distance of 1 meter.
• >10 cm for ISO 14443
• ~1 m for ISO 15693
• iCLASS family of cards and tags by HID Global. Maximum read range 45 cm / 18 inches.

Payment fraud is a global concern
Chart: SPA Shipments of EMV cards Per Quarter (in ku). Source: SPA (Smart Payment Association)
• New EMV mass deployments in all regions (e.g. Spain, Thailand, Brazil, Canada…)
• +41% volume growth in H1’08 vs H1’07*
• +24% volume growth in 2007*
* Source: SPA (Smart Payment Association)

EMV adoption is global
Map legend: EMV deployed; EMV to be deployed (est. in the next 24 months); No EMV
Source: Eurosmart, MasterCard, Gemalto

Dual-interface adoption gets global, too
Map legend: Mass deployment in 2008; Pre-deployment in 2008; At pilot/small program stage in 2008

Fraud Reduced with EMV

Contactless Cross-Section
Figure labels: Antenna (etched copper); Conductive adhesive

Smart Card Manufacturing
Wafer Manufacturing
Manufacturing Process (Simplified)
• Wafer Manufacturing: Sand (quartz), Si-Ingot, Si-Wafers (dicing), Grinding, Bare Wafer
• Wafer Processing (15-25 cycles): Deposition, Doping, Litho, Dry Etch, Wet Etch, CMP*, Stripping, Cleaning, Particle Removal, Decontamination, Wafer with Chips
• Assembly & Packaging: Testing, Probe Test, Dicing, Dice Bonding, Wire Bonding, Packaging, Final Test, Semiconductor Device (microchip)
• Automation & Process Control
* Chemical Mechanical Polishing (CMP)
Source: European Semiconductor Capital Equipment, 1/9/01, Robertson Stephens

Contactless Tech Comparison
Features | 14443 | 15693 | 125 kHz
Standards | ISO 14443 | ISO 15693 | 125 kHz
Frequency | 13.56 MHz | 13.56 MHz | 125 kHz
Read Range | ~10 centimeters (~3-4 inches) | ~1 meter (~3.3 feet) | ~1 meter (~3.3 feet)
Chip types supported | Memory, Wired Logic, Microcontroller | Memory, Wired Logic | Memory, Wired Logic
Encryption and authentication functions | MIFARE, DES/3DES, AES, RSA, ECC | Supplier specific | Supplier specific
Memory capacity range | 64 to 72K bytes | 256 and 2K bytes | 8 to 256 bytes
Read/write ability | Read/write | Read/write | Read/write
Data transfer rate (Kb/sec) | Up to 106 (ISO), Up to 848 (available) | Up to 26.6 | Up to 4
Anti-collision | Yes | Yes | Optional
Card-to-reader authentication | Challenge/Response | Challenge/Response | Password
Hybrid card capability | Yes | Yes | Yes
Contact interface support | Yes | No | No

ISO/IEC 7816
• ISO 7816-1: Dimensions and physical constraints (bending, torsion strength)
• ISO 7816-2: Contact Locations
• ISO 7816-3: Electrical interface, Communication protocol
• ISO 7816-4 ...: Memory management and inter industry commands

Micro Module Process
Steps shown: Wafers from the Foundry; Probing; Electrical Test; Sawing; Die bonding; Wire bonding; Coating; Micro-module
5/12/2009