Smart Cards Tutorial

by: Jay Gitomer and Sherry Kercher

Copyright 2001, Faulkner Information Services. All Rights Reserved.

Docid: 00017538

Publication Date: 0111

Publication Type: TUTORIAL

Preview
Smart cards provide several different functions that result in convenience and efficiency. Corporations
looking to implement a smart card strategy must consider both the developers and the users of this
technology.

Report Contents:

● Executive Summary
● Issues to Consider
● Analysis
● Recommendations
● Web Links

Executive Summary
[return to top of this report]

Smart cards are plastic cards embedded with computer chips that can hold a wide variety of data types,
including security access information, applications, and records. They offer several key advantages over
traditional magnetic stripe cards. They are more difficult to clone than traditional cards; the information
they hold can be considerably more complex; and they can be updated.

Interoperability between systems is key to the success of the smart card. The idea is not for businesses to
produce smart cards based on proprietary software as a turnkey product, but to produce applications that
will run on any card. In order for that to happen, technical standards must be in place to ensure
interoperability. Currently, three platforms are dominant -- Microsoft, Java, and MULTOS -- but no single
one of them has the lead. Microsoft is a new entry, but could become the dominant platform. The
company has, however, put further development of its Windows for Smart Cards operating system on
hold, and has decided to license the OS core to third-party developers. It also submitted the code to the
European Telecommunications Standards Institute (ETSI) to help promote an open software standard for
smart card manufacturers, software developers, and customers. This move could weaken the OS's
position as a standard smart-card platform, thereby making Java and MULTOS even stronger systems.

Consumer acceptance has been widespread in Europe, but smart cards have not had that same success
in the United States. Recently, however, leaps and bounds in encryption technology have rendered most
consumer concerns about privacy moot, and the current initiative by the US government to encourage
smart card use among operations groups and military base residents is likely to filter down to the general
public.

To be effective, a smart card must be truly portable and scalable. It is essential that multiple applications
can reside on a single card, and that every card can be read by every reader. Proprietary operating
systems and incompatible standards have hindered the growth of the smart card industry.

Analysts have forecasted that smart card revenue will grow to $3.4 billion by the end of this year. The
application that is most likely to bring smart cards into the public eye is electronic cash. Electronic cash
can be used to make payments online or elsewhere, both to organizations and to individuals. It allows
users to transfer funds directly from their bank accounts or other sources onto a replenishable card. The
key players in this area are the major credit card companies; MasterCard's entry, Mondex, has already
won franchises in 50 countries.

While significant developments in the smart card industry are being made, major players are still
jockeying for position, and to make an investment in a particular solution continues to be risky.
Organizations that see promise in the use of smart cards may be wise to delay investment until
Microsoft's OS has had a chance to penetrate the market. If there is an immediate need to move forward,
Java is a solid choice for a development platform, not only because it is an easily accessible technology,
but also because Microsoft asserts that its platform will integrate with Java applications.

Issues to Consider
[return to top of this report]

Consumers are increasingly aware of the implications that the digital age has brought to bear on personal
privacy. With a single card containing such a vast amount of personal information, it is no surprise that
security is a critical issue in the adaptation of smart cards. Corporations that wish to utilize smart cards,
whether as a product or to manage internal resources, must educate themselves on privacy issues in
order to create confidence among the user base.

Recent technologies such as advanced encryption and biometrics are just beginning to increase the
adoption of smart cards in the US, which lags behind Western Europe in acceptance. Data encryption and
digital signatures are now able to guarantee confidentiality.

Whether recorded on paper, on a mainframe computer, or on a computer network, information must be

protected from the time it collected until it is no longer needed and is securely destroyed. While smart
cards offer security benefits over traditional means of allowing access and storing data, the smart card is
only one piece of the puzzle and cannot ensure complete security through the life of a piece of data.

Responsibility for the safe storage and use of data belongs to the organization that originally requested it
from the individual. The organization must recognize that the users are the owners of the personal data,
which must be protected. In order to help industries of all types adopt smart card technology safely, an
industry consortium called the Smart Card Forum has issued guidelines on data privacy for industry and
government issuers of smart cards. The guidelines include directives to:
● Recognize that consumers are the owners of their personal information.

● Identify how the consumer's information will be used.

● Adopt and utilize privacy protection practices.
● Communicate privacy policies to customers and solicit their feedback.
● Only collect personal information about customers that is necessary and relevant.
● Modify customer's personal information if it is incorrect.
● Do not rent or sell the data that has been collected without explicit consent from the consumer.
● Invest heavily in protecting the security of customers' personal data against loss, unauthorized use,
 alteration, disclosure, or destruction.
● Be careful that sharing information with business partners does not violate your privacy policy, and
that the partners themselves do not violate your policy if you do share information with them.

An organization should be careful to document its adherence to these or other guidelines, in order to
demonstrate that its smart card application (and its whole organization) is capable of protecting the
privacy of consumers.

Growth
Last year, smart-card vendors distributed 628 million cards. Analysts predict that, by 2005, approximately
30 percent of online transactions will be made using smart cards. MasterCard plans to launch several US
smart-card programs by the end of the year, expecting half of its transactions to be made via e-commerce
with smart cards by 2005.

The most rapid growth is in the gaming, identity, and retail/loyalty areas. Transportation, banking, and
vending are also showing high rates of growth, as are entertainment companies, online brokerages, and
dot-coms. Some companies are looking to provide electronic purse services, as well as incentive
programs, to their customers. Online brokerage firms are starting to use smart cards to provide
authorization, time-stamp trades, and set up customer accounts.

Smart cards are beginning to enter into several industries within the US. Through an alliance with Visa,
Target Corp. is now using this technology in its chain of retail stories. The fast-food and gasoline
industries are also adopting smart cards by trying radio-frequency identification (RFID) systems that let
customers wave a wand to pay for food and gas.

While growth rates in these industries are quite high -- as high as 280 percent in gaming -- the fact
remains that 280 percent of 100 corporations, for example, is still only 280 corporations. While the buzz is
growing about smart cards, in the US they remain an advanced technology that exists primarily in labs
and think tanks. While over a billion smart cards are in use in Europe, only about six million are being
used in the US today. This is changing, however, as both Visa and MasterCard heavily advertise their
cards.

Growth in the US will be spurred through several vendor-led initiatives. Compaq, for example, will soon
begin incorporating smart-card readers using Gemplus technology into its consumer PCs, making these
PCs the first ones deemed smart Visa Ready. Microsoft has also encouraged adoption by building smart
card functionality into Windows 2000.

In order to promote full adoption, however, credit card companies will have to pave the way. Visa has
responded to increasing demand for smart cards by launching its Visa Ready program to help meet the
need for standards among smart card hardware, software, and services vendors. Through this program,
vendors can put a Visa Ready logo on their product or product literature after meeting Visa's criteria. This
program is intended to help financial institutions, merchants, and customers more easily identify
compatible products. Visa has the support of three of the top ten card issuers: First USA, Providian
Financial, and Fleet Credit Card Services. Working with these banks, Visa expects that seven million
smart cards will be issued in the US by the end of 2001.

The industry also must find several applications that smart cards will be able to run. To accomplish this,
card companies have hosted several contests, offering programmers monetary rewards for developing
new uses for smart cards. American Express, for example, hosted a contest called Code Blue, offering
programmers $50,000 to come up with new uses for the Blue card. Visa also hosted a contest offering
two winners $75,000 each. In addition to gaining reward incentives, the winners will receive royalties and
see banks actually use their software.

Europeans have been using smart cards for over a decade to access health programs and perform
banking functions. Several other global regions have adopted the technology as well. HSBC Hong Kong &
Shanghai Banking, in collaboration with Cable & Wireless HK Telecom and SecureNet in Melbourne,
Australia, introduced the i.Life card. It is based on a 16K-byte MULTOS platform and contains SecureNet
digital ID technology and Mondex e-cash services. In Canada, G&D Security Card Systems launched
i.banking, an online banking service based on a smart card powered by PKI. It was developed to improve
the processing of online banking transactions made via mobile and Internet-enabled computing devices.

Americans have been less accepting than these countries, possibly due to concerns about privacy and
security, or possibly due to an older technical structure that has been in place from earlier advancements
in the computing industry, and has not been compatible with smart card technology. Currently, analysts
report that US banks are looking to model their future smart card offerings on American Express's Blue
Card, which has been marketed with several successful incentive programs. Visa is now starting to
heavily advertise its Visa Smart Card in both print and television spots.

Because smart cards can offer more security than magnetic stripe cards for online transactions and
remote access to bank accounts, analysts are strongly encouraging widespread US adoption of the
technology. The smart card movement received a significant boost in August 2000 when MasterCard
formed a coalition of smart card developers, terminal vendors, and security providers to create standard
procedures for establishing, issuing, and revoking digital user identification. The group is working to
migrate its member banks, which total over 22,000, to digital ID-based smart cards designed to include
identifying codes, personal identification numbers, or biometrics data for security and authorization. One
very large organization that has adopted the use of smart cards is the US government. Today it is the
leader in technology development of smart cards.

Currently, the military is the largest user of smart cards. It uses them as portable devices that allow
people to securely logon to networks, to log on to secure sites from any computer, and to carry security
applications such as digital signatures. The Navy was designated as the lead agency for the Department
of Defense's smart card program, and received $30 million for technology development. This year the
Navy is planning to issue more than 100,000 cards among its operational groups.

While security needs have caused the government to adopt smart cards early, it is electronic commerce
that will propel the technology into use by the general public. With a population already accustomed to
using debit cards and magnetic access cards, through which a visit to the cash register of a major grocery
chain may begin with the swipe of a loyalty card, unfamiliarity with the concept will not be a barrier to
entry. The primary barrier to entry is concern over smart card security, concerns that have been largely
neutralized by the development done by the government. Smart cards are being positioned as a more
secure tool than traditional means of commerce, allowing people to make secure electronic commerce
purchases around the world. What this means is that a smart card will actually carry electronic proof of its
owner's identity, in contrast to online transactions, in which the hard drive holds proof of identity that is
validated by a bank at the time of purchase.

Electronic Cash
The application that is likely to bring smart cards into the consciousness of consumers in the US is called
electronic cash, which is in the early stages of introduction.

MasterCard, for instance, is offering a product called Mondex, which is a payment system that offers an
alternative to paying cash for goods and services. A Mondex smart card can store and dispense cash
electronically, making bills and coins less necessary. It can transfer funds over phone lines, replenishing
the card on demand. Versions of Mondex will allow person-to-person payments and can link to
telephones or the Internet to make such payments anywhere in the world. Mondex franchises have been
sold in more than 50 countries on five continents, with a potential cardbase of three billion people.

MasterCard's second chip application is MasterCard Chip Payment Application (MCPA), a chip-based
payment application that supports MasterCard-, Maestro-, and Cirrus-branded transactions. MCPA is
designed to further MasterCard's plans for developing specifications to deploy chip-based payment cards
and terminals that are globally interoperable and support EMV standards.
Visa offers a product similar to Mondex, as well as disposable cash cards that can be purchased in the
same manner as today's pre-paid long distance cards.

Analysis
[return to top of this report]

Similar to a credit card, a smart card is a plastic card with an embedded computer chip instead of a
magnetic stripe. The chip can contain varying levels of information that can be accessed by different
applications, enabling a single card to serve multiple purposes. Most cards are capable of allowing new
information and applications to be added on demand. Smart cards are more secure, flexible, and reliable
than traditional cards, and can hold a large amount of personal information.

Smart cards can be used for many purposes. Health cards holding a user's medical records allow instant
access to patient history in case of an emergency. As parking cards, they ensure that users are only
charged for time actually used. Social services organizations will appreciate the fact that smart cards are
more difficult to counterfeit than food stamps. Smart cards can control building access on an as-needed
basis throughout an entire organization, eliminating the need to issue and track keys and codes.

The development of the smart card industry in the US has closely mirrored that of the PC industry. In the
early days of PCs, a wide variety of proprietary operating systems, which only ran proprietary software,
prevented the sharing of applications between computing environments. Compounding (and in turn, being
compounded by) the problem was the cost of hardware.

The breakthrough operating systems that could run third-party software easily and inexpensively opened
the possibilities of computing to non-technical businesses and consumers. In the same way, operating
systems that run on smart card chips and allow diverse applications from unlimited sources have led to a
growing acceptance of the technology in the US.

The breakthrough operating systems that could run third-party software easily and inexpensively opened
the possibilities of computing to non-technical businesses and consumers. In the same way, operating
systems that run on smart card chips and allow diverse applications from unlimited sources have led to a
growing acceptance of the technology in the US.

Smart Card Technology

Smart cards can be read either by direct contact, such as being inserted into a reader, or by being placed
in close proximity to a card reader, similar to the bar code readers used in groceries or at tollbooths.
Contact cards contain embedded microprocessors with gold contacts and offer better security, while
contactless cards contain antennae and reduce transaction time. Most cards feature a blend of the
technologies and can be read in either manner, regardless of whether they contain one of each type of
chip or a combination chip that fulfills both functions.

Cards can also be offline, online, or hybrid. Offline cards hold data physically with no computer backup.
Online cards allow access to external data bases rather than holding data themselves. Most cards are a
combination of both types.

Platform-independent operating systems are becoming the standard for smart cards. To date, the
skirmish for market share has been dominated by Java and MULTOS, both of which enable developers to
write applications founded on a common base of code. Microsoft's entry into the market, Windows Card,
however, threatens to overtake both Java and MULTOS to become the primary provider of smart card
operating systems.

Microsoft Windows Card. Microsoft's platform is well-positioned to become the dominant language due
to a number of factors. Strengths include:
 ● Microsoft has numerous ISV partners who can distribute the product.
● The dominance of the Windows platform, which will support smart cards, is likely to accelerate the
acceptance of the Microsoft platform.
● Microsoft is able to leverage the existing base of C++ , Visual Basic, and other object-oriented
developers to create an immediate demand for its platform.
● The Microsoft platform will be tightly integrated with other Microsoft architectures, such as
Windows NT and Internet Explorer.
● Microsoft has already included a smart card reader as a recommended component in the PC99
specification.
● Microsoft has demonstrated a commitment to smart card technology, which indicates that they are
likely to improve the platform through multiple revisions.

The value to Microsoft in making this commitment to a new market is two-fold. First, the need for secure
digital signatures is increasing as the demand for network access identification and electronic commerce
solutions grows. Second, participation is justified in order to stake a claim in an industry that is predicted
to reach $700 million by the year 2003.

The entry is, however, not without risks. Two older platforms exist which have already been adopted by
the main card associations, such as MasterCard and Visa; they are Java and MULTOS. These platforms
have been the focus of important developments in technical standards for smart cards, which are crucial
to widespread acceptance.

Java. Java-based smart cards are capable of running multiple applications and are considered secure. As
a widely used programming language, Java is accessible to a large pool of developers. While Java has
simplified the development of card applets, secure distribution of those applets has not been tested on a
diverse network of cards issued by multiple providers. The fact that Java allows users to download
executable code onto the card means that the contents of a card can be modified after issuance,
increasing flexibility but also increasing the likelihood that a virus or hostile applet might be loaded. This
risk can be mitigated if certain precautions are taken when downloading.

Another downside to Java is its vague specification, which has allowed proprietary implementations by
manufacturers. Proprietary implementations do not necessarily communicate with each other, so a Java
platform is not guaranteed interoperable.

MULTOS. MULTOS was the first platform-independent operating system for smart cards. As the most
mature technology, it has an infrastructure in place to guarantee interoperability. While it is supported by
the financial industry, MULTOS has not been well-received by other types of industries. It also is limited
by the use of a low-level programming language called MEL, which does not have a large base of
developers programming in it. MasterCard reports that Mondex has been sold in over 50 countries on five
continents, with implementations in Canada, Hong Kong, New Zealand, the US, and Australia.

Smart Card Strategy

A successful smart card strategy must allow smart cards to function as an extension of the PC
environment, not only for users, but also for developers. Developers need access to widely available
software development tools with which they have some familiarity. And consumers want the ability to
select which applications are loaded onto their cards. While the technology is not at the stage to allow a la
carte applications, it logically could move in that direction.

As electronic commerce becomes an increasingly integral part of daily life in the US, the desire of
consumers to easily perform secure transactions will outweigh concerns that have held back smart card
technology in previous years. As indicated by acceptance of electronic commerce, magnetic stripe cards,
and Internet data-gathering technologies such as cookies, it seems that the US public is ready to embrace
smart cards for the convenience and security they offer.
While it is likely that Java will continue to hold a market share as a platform provider due to its widespread
base of development expertise, Microsoft can be expected to ascend based on multiple strengths,
including its strong positioning, powerful distribution model, and large slice of mindshare. MULTOS had a
headstart and has been accepted by some major card issuers, but because it unfamiliar to most
developers, it is likely to become the platform that supports the narrowest variety of applications --
perhaps rendering it only of interest to large institutions that can afford to develop proprietary software.

It seems certain that, within a few years, smart cards will be as common as are credit cards today.
Corporations wishing to save money on internal expenses, maintain reliable security, or simplify
purchasing by consumers should expect to be part of the smart card wave.

Recommendations
[return to top of this report]

For organizations that are concerned with complex security or information management, smart cards can
offer a comprehensive solution. The choices are to throw in with a large provider, like Schlumberger or
Gemplus, and hope that the technology employed today will not be obsolete before it has achieved a cost
benefit, or to roll out a phase-one implementation with limited functionality at a lower level of investment. If
the latter option is taken, then another decision must be made -- whether to outsource the solution or
develop it in-house on an accessible platform such as Java.

Depending on the technology and level of security employed, smart cards cost between $0.80 and $15
dollars each. A large user base requiring complex functions can be a costly investment, so in order to gain
maximum return on investment, it is wise to plan out all the potential uses for smart cards in an enterprise
and then build a scalable solution.

It is almost guaranteed that a solution rolled out now will soon be outmoded by more elegant, and
perhaps less costly, methods. Internet applications exploded once the technology became pervasive
enough to capture the imagination of developers from many industries and skill levels. Smart cards likely
will follow a similar path.
About the Author

Jay Gitomer is Senior Editor on the Web site of a large Application Service Provider, managing all content
on the site. Previously, she was on the marketing staff of Silicon Graphics, where she was responsible for
creating an online presence for the Silicon Graphics Federal Marketing Division. Ms. Gitomer has a B.A.
from Sarah Lawrence College and an M.A. from New York University, and is a regular contributor to
Faulkner Information Services.

Sherry Kercher, a graduate of Gettysburg College in Gettysburg, PA, is a regular contributor to Faulkner
Information Services, covering key issues in data networking, telecom, and Internet-related
developments.

Web Links
[return to top of this report]

Compaq: http://www.compaq.com/
Gemplus: http://www.gemplus.com/
JavaSoft: http://www.javasoft.com/
MasterCard: http://www.mastercard.com/
Microsoft: http://www.microsoft.com/
Schlumberger: http://www.schlumberger.com/
Sun Microsystems: http://www.sun.com/
Visa: http://www.visa.com/

[return to top of this report]