Just about anything found in a person's wallet has the potential to be stored on a smart card, including a driver's license, insurance information, credit cards, and bank accounts. Some predict that one day all plastic cards will "meld into one universal, multifunctional smart card" [11]. More research on privacy and security is needed before such a card comes into being, since the more personal and varied the information stored on an individual's smart card, the greater the potential for privacy loss when that card is accessed. But even in their current incarnation, smart cards support an impressive variety of applications, and are expected to support more as they become smaller, cheaper and more powerful.
In this article, we discuss types of smart cards as well as current and emerging applications for the cards. We label as smart cards any credit card-sized card with more memory than the traditional magnetic stripe (the common technology of credit cards and debit cards), but technically speaking, the "true" smart card has an on-board embedded processor, or smart chip. (Related technologies that also utilize microprocessor miniaturization include Dallas Semiconductor's iButton and Java Ring; www.ibutton.com.) While our usage of the term is less than precise, this liberty is taken by many authors.
Smart cards appeared on the horizon when two German inventors, Jürgen Dethloff and Helmut Grötrupp, patented the idea of having plastic cards hold microchips in 1968 [6]. The Japanese patented another version of the smart card in 1970 [12] and former French journalist Roland Moreno filed for a patent on the IC card, later dubbed the "smart card," in 1974. Moreno received a first (that is, priority) patent in France in 1975 and a U.S. Patent (number 4,092,524) in 1978 (www.smartcard.co.uk/resources/articles/prop-rights.html; www.uspto.gov). The early smart card research was theoretical, since the technology to support this innovative thinking was not available until 1976 [6]. In 1977, Motorola Semiconductor, in conjunction with Bull, the French computer company, produced the first smart card microchip [5].
France was an early smart card proponent, and its investment in smart card research in the 1970s reflected a national effort to modernize its technological infrastructure. Because the technical infrastructure for the cards was limited, and consumers and retailers were unwilling to adopt the expensive and unreliable technology, France's first test of smart cards in 1980 was unsuccessful. But this early failure did not deter France. Like other European countries, France needed to reduce telecommunications transaction costs, and smart cards showed potential to achieve such a reduction, as most transactions could be processed offline [10].
French companies explored other potential uses of the cards. Cartes Bancaires, the French banking association, attempted to use smart card technology to reduce fraud by individuals who scanned traditional magnetic striped cards, and copied this data to counterfeit credit cards. Its investment proved profitable. Credit card fraud rates in France dropped tenfold once the cards were in service [5]. French financial institutions replaced magnetic stripe cards with smart cards in 1992. This resulted in a 75% reduction in credit card fraud over a five-year period (www.mastercardintl.com/newstechnology/smartcards/articles/article1.html). Table 1 presents a brief outline of the evolution of the smart card. In addition to this timetable, we must note special developments that have occurred post September 11, 2001:
A smart card can be categorized as either a memory card or a processing-enabled card (see Table 2 ). A memory card is the simplest form of a smart card. Such a card provides limited capability to securely store personal information. (According to a smart card manufacturer, the currently available memory for memory cards ranges from eight bytes to 2KB, while traditional magnetic stripe-based cards can store approximately 220 bytes of information.) The storage on a memory card is nonvolatile memory. Such cards are sometimes referred to as "asynchronous cards," since they are used offline and their associated flow of data is essentially one-directional: value on the card is moved to the reader (and/or the vendor's computer system). These are simple prepaid cards, which transfer the electronic equivalent of cash to a vendor's digital cash register. Transactions can then be directed to traditional bank account [3]. Europe's phone card was the predecessor of this type of smart card.
Smart cards support an impressive variety of applications presently, and this variety should expand as the cards become smaller, cheaper, and more powerful.
More sophisticated cards are the processor-enabled smart cards some refer to as "true" smart cards, which are based on semiconductor technology [4]. These smart chip cards contain a chip with a few hundred bytes of RAM. However, a pilot program in Japan is testing a 1MB flash memory card at this time. These cards may also have special circuitry to perform cryptographic operations such as RSA public key encryption, signatures, and verification [1]. RSA public key encryption is named after its developers, Ronald Rivest, Adi Shamir and Leonard Adelman (www.rsasecurity.com/rsalabs/faq/3-1-1.html). The data stored on a smart card can be protected by active data encryption schemes along with biometric identification (fingerprints, for example), which can be used to uniquely identify the authorized user. Unlike magnetic stripe-based cards, which can be compromised for the purpose of criminal activity, such smart cards are difficult to duplicate. These cards are sometimes referred to as "synchronous cards," as the data flow is bi-directional: data is read from, as well as written to the card [6]. In general, smart cards support the storage of information that can be "read-only," "added-only," "updated-only," or not accessible (www.westcoast.com/ asiapacific/articles/2001_02/testc/testc.html).
To support on-board data processing and sophisticated applications, processor-enabled smart cards carry significantly more memory than their magnetic stripe-based card counterparts [5]. Current processor-enabled cards can hold a maximum of 64KB of user data, with a current capacity of 1MB flash memory. Nippon Telegraph & Telephone (NTT), Sharp, and the French smart card maker Gemplus developed and are currently using a multiapplication smart card with 1MB flash memory and the Nomadic Information sharing Network Architecture (NiNa) for application download/upload post issuance in Yokosuka City, Japan. It is the first 1MB flash memory card. Both Gemplus and Bull report that data contained on a processor-enabled card can be stored reliably for a maximum of 10 years. This beefed-up memory capacity allows a processor-enabled smart card to function as a multiapplication card, combining functions of:
[2]:
Some processor-enabled multiapplication cards can now support electronic downloading of new applications. These newer cards, called "white cards" by some, are more expensive than memory cards [1].
Examples of downloadable applications include:
Processor-enabled smart card software is stored in permanent nonvolatile, read-only memory. Application data stored on the card is kept in EEPROM, or Electronically Erasable Programmable Read-Only Memory. The contents of this memory can be erased and new data can be reloaded electronically (www.gemplus.com/smart/terms.html). Such cards have an embedded silicon-based 8-, 16-, or 32-bit processor, with even the 8-bit microprocessor-based smart card almost as powerful as the desktop PCs of the early 1980s [5]. A cut-away, side view of the component architecture of a processor-enabled smart card includes an electronic module (processor) and a silicon-based integrated circuit, which are set into the surface of the card. The stacking order, from top to bottom, is shown in Figure 1 [9].
Figure 2 [9] presents a breakdown of some of the possible components of an electronic module, which serves as the second (from top) layer of an embedded smart card processor chip (as shown in Figure 1). Depending on their intended capability, some chips may not include every possible type of memory. (For simplicity, an additional memory type, NVM, or nonvolatile memory is not shown in Figure 2.) Security is increased and card size is minimized by combining all the depicted elements into one integrated chip. [9]
Smart cards are generally placed in a special reading device for the duration of the transaction (reading from the card, processing, writing back to the card). While in the reader, the card's electrical contacts make contact with the reader's electric connectors, through which data is read from and written to the card's chip. Standards help ensure smart cards can be read by any retailer equipped with a smart card reader. The reader also serves to provide the power necessary to retrieve, process, and store information on the card.
From a backend transaction processing perspective, purchases or credits made with a credit card are generally handled through an electronic connection between a vendor and a credit card company. Purchases made through a smart card's magnetic stripe (if included) are processed much like a traditional credit card. However, due to the relative sophistication of a smart card's processor and memory chips, monetary value can be stored on, and distributed directly from, the card. There is no need for validation through an online connection to a centralized database. Transaction-related data can either be communicated to a organizational computer or simply gathered by the smart card reader, and later uploaded to a central computer as a batch process.
A contactless version of a smart card presented quite a technical challenge, but was developed in 1998 in response to the need for cards to be read extremely rapidly, such as when paying a highway toll fare. A contactless card contains none of the electrical contacts found on a contact-based card. Instead of being slid through a reader, contactless cards access/transmit information through a transmission, such as a radio frequency, which originates from a special remote reading device. In addition, this transmission supplies the card with the power necessary to run the card's microprocessor [5]. These cards, which contain an internal antenna coil, can be read through an external antenna (part of the remote reader) at a maximum distance of 10 centimeters. According to smart card manufacturer, Gemplus (www.gemplus.com), contactless cards can reduce the necessary transaction processing time by a factor of between 20 and 30, as compared to the contact version, which must be placed in and out of a reader.
The smart card chip is located near the edge of the card, both to protect the chip if the card is twisted or bent, and to accommodate institutions that require a magnetic stripe on the backside of the card for backward compatibility to their credit/debit card systems [4]. The Switzerland-based International Organization For Standardization (ISO; www.iso.ch) defines several specifications for smart card manufacturing, communication protocols and application/backend computer system. [6] Among these are the following:
Incidentally, smart cards are not limited to credit card-sized pieces of plastic, although that form is the focus of this article. According to Gemplus, the two most common materials for manufacturing smart cards are Polyvinyl Chloride (PVC), and Acrylonitrile Butadiene Styrene (ABS), but smart card technology could also be applied to items such as key chains, decorative pins, lockets, or belt buckles. Any such application that includes a smart chip must be integrated with existing readers to be economically feasible. ATMs are not designed to read key tags, for example, but could accept PVC or ABS-based, credit-card sized cards.
While by no means an exhaustive list, we have identified three categories of smart card applications: authentication, authorization, and transaction processing.
Potentially, new traffic offenses could be updated to a person's smart card within minutes of the offense, although such an application could present some interesting legal issues, depending on which country or state issued the license.
Authentication. Smart cards provide ample information to authenticate an individual's claim of personal identification using either token-based or knowledge-based authentication approaches. Token-based systems use an item such as a passport, driver's license, credit card, or key for identification, whereas knowledge-based systems tend to rely on memorized information such as PIN numbers or passwords [7]. High-tech smart card-based drivers' licenses not only serve as a means of identification, but can also contain driving records and unpaid traffic fines. Potentially, new traffic offenses could be updated to a person's smart card within minutes of the offense, although such an application could present some interesting legal issues, depending on which country or state issued the license.
Authorization. As mentioned previously, smart cards offer data encryption and the ability to store biometric information for the purpose of authenicating the cardholder. Smart cards have potential to facilitate storage of demographic information for voting purposes, and they are playing a growing role in healthcare industry, which is experiencing a technological overhaul as electronic data management becomes more widespread and sophisticated. The Smart Card Industry Association (www.scia.org/knowledgebase) reports that over 80 million smart cards are currently used in Germany's healthcare system. France's Sésam-Vitale program includes 10 million cards in its family plan and some 35 million individual cards. Smart cards could help automate and standardize patient demographic information on medical records, including those of insurance carriers. Smart cards with optical storage could store and transfer both text and image-based medical records between patient and healthcare providers. These cards can also assist patients whose care depends on complicated equipment, such as kidney dialysis machines. Configuration for dialysis equipment, as well as medication information, could be stored on smart cards and inserted into a smart card-enabled dialysis machine anywhere in the world. [3]. Of course, privacy, technology, legal, and cost issues must be addressed before such health-related applications become widespread.
Smart cards could also facilitate drug prescription fulfillment. Prescriptions information could be loaded onto a smart card at the physician's office, and read by the pharmacist's reader for patient and physician information, and dosage and refill specifications. With proper encryption, prescriptions could also sent electronically from the physician's office. Again, patients could have their card swept at the pharmacy for fulfillment. Payment terms could also be arranged through the card.
Transaction processing. There are also numerous ways smart cards have potential to assist in goods and service transactions, both in Web-based and traditional "bricks and mortar" establishments. The cards could be reloaded with cash value in ATM machines and used as a credit card [11]. The currency carried on a smart card could be utilized in different countries, as an electronic, multinational traveler's check. Smart card technology also provides a secure Internet-based payment mechanism through data encryption. The contactless version of a smart card is now used in situations requiring short transaction times, including issuing driving tickets and paying toll fares (www1.slb.com/smartcards/ news/02/sct_trends1803.html).
We believe smart card technological advances are likely to outpace legal and ethical concerns, although more research on privacy and security is needed before universal cards come into use.
Smart cards are helping to expand the application of Global System For Mobile Communications (GSM) phones in regions such as Asia, Europe, and South America. Using a smart card equipped with a Subscriber Identity Modules (SIM) chip, an individual subscriber can be identified and charged for services by his or her telecommunication system. The card can facilitate this identification through any GSM phone. (The SIM chip can also store a subscriber's personalized electronic phonebook.) Such an application represents a rapidly expanding segment of the smart card industry [8]. Some GSM phones have two smart card slots, with the second slot allocated for an electronic wallet, thereby permitting the mobile terminal to also serve as a "pocket ATM machine" [4].
Voting is another type of transaction, but instead of having a basis in commerce, it is based in authorization (as previously mentioned) and information exchange. Smart cards have the capability of biometric-based voter registration, using fingerprints, for example, which can help prevent voter fraud [7].
Smart cards have to the potential to contribute greatly to the "integration of commercial transactions, data warehousing and data mining" [12]. These cards support an impressive variety of applications presently, and this variety should expand as the cards become smaller, cheaper, and more powerful. At least for the foreseeable future, we believe smart card technological advances are likely to outpace legal and ethical concerns, although more research on privacy and security is needed before universal cards come into use. (We know of one senior scientist with extensive expertise in smart card technology who has indicated his serious reservations about combining varied information, such as financial, health, and employment information on a single card.) As with other technologies that facilitate electronic information exchange, including the Web, email, and organizational network-based communications, issues involving privacy, legality, and ethics must be fully addressed before smart cards can truly take off.
1. Berinato, S. Smart cards: The intelligent way to security. Network Computing 9, 9 (May 15, 1998), 168.
2. Cross, R. Smart cards for the intelligent shopper. Direct Marketing 58, 12 (Apr. 1996), 3034.
3. Fancher, C. Smart cards. Scientific American [online]. (August 1996); www.sciam.com/0896issue/0896fancher.html.
4. Fletcher, P. Europe holds a winning hand with smart cards. Electronic Design 47, 1 (Jan. 11, 1999), 106.
5. Flohr, U. The smart card invasion. Byte 23, 1 (Jan. 1998) 76.
6. Husemann, D. The smart card: don't leave home without it. IEEE Concurrency 7, 2 (AprilJune 1999), 2427.
7. Jain, A., Hong, L. and Pankanti, S. Biometric identification. Commun. ACM 43, 2 (Feb. 2000), 9098.
8. Kutler, J. Java gets pats on back from card businesses in Belgium and France. American Banker 164, 61 (Mar. 31, 1999), 16.
9. Leung, A. Smart cards seem a sure bet. InfoWorld.com [online]. (March 8, 1999); unix.idg.net/crd_smart_69240.html.
10. Priisalu, J. Frequently Asked Questions List. Estonian Institute of Cybernetics [online]. (July 4, 1995); www.ioc.ee/atsc/faq.html.
11. Schacklett, M. These business trends will shape the future of e-commerce. Union Magazine (Jan. 2000), 1415.
12. Shelfer, K. The Intersection of Knowledge Management and Competitive Intelligence: Smart Cards and Electronic Commerce. Knowledge Management For The Information Professional. Information Today, Inc. Medford, New Jersey. 1999.
©2002 ACM 0002-0782/02/0700 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2002 ACM, Inc.
No entries found