Smart Card Standards 101


Smart Card

Standards 101

Property of the Smart Card Alliance © 2009, Spring 2007

Agenda

Is your bank account safe?

What is a Smart Card?

Standards for Interoperability

Fraud prevention through Smart Cards

CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009, Spring 2007

Why Are Smart Cards Needed?

Smart cards significantly reduce fraud

Headline:


Fraud growing out of control


How do we fix this? Historically Different Paths

Europe: Network edge using Smart Cards
• User authenticates to card
• Card authenticates to terminal
• Card can make decisions

US: Host based Security
• Neural Network
• Card Present with Static data (CVC)
• LUHN check
• AVS, Zip code

“Intelligence”

Protection


Smart Cards Defined

What is a Smart Card?
• Embedded computer chip that is either a microprocessor with internal memory or memory chip alone
• Contact or contactless designs

Memory Card
• Telephone card
• Stored value
• No RSA Crypto
• Limited memory addresses

Microprocessor Card
• Large EEPROM Memory (up to 128K)
• On-card functions (encryption, digital signatures)
• Multi application
• Open Platform (Java, Multos)

Contact Smart Card


Need for interoperability…

International Organization for Standardization (ISO)
• Worldwide association of over 100 national standards agencies
• From Greek word “ISOS” meaning “equal” or “the same”
• The prefix iso- is commonly used in the three official languages of ISO (English, French and Russian)

International Electrotechnical Commission (IEC)
• Standards organization that covers the areas of electrical technology and electronics
• First to publish card standards
• Collaborates with ISO to ensure alignment


ISO/IEC 7816 defines contact Smart Cards

7816-1: Physical characteristics

7816-2: Cards with contacts

7816-3: Cards with contacts

7816-4: Organization, security and commands for interchange

7816-5: Registration of application providers

7816-6: Inter-industry data elements for interchange

7816-7: Inter-industry commands for Structured Card Query Language (SCQL)

7816-8: Commands for security operations

7816-9: Commands for card management

7816-10: Electronic signals and answer to reset for synchronous cards

7816-11: Personal verification through biometric methods

7816-12: Cards with contacts -- USB electrical interface

7816-13: Commands for application management in multi-application

7816-15: Cryptographic information application


ISO 14443 defines contactless proximity cards

This Standard is described in 4 Parts:
• ISO 14443-1: Physical characteristics (Type A = Type B)
• ISO 14443-2: Radio Frequency power and Signal Interface (13.56 MHz)
• ISO 14443-3: Initialisation and Anti-collision. Type A different from Type B.
• ISO 14443-4: Transmission Protocol. Type A different from Type B.

• Contactless payment
• Mifare cards
• Biometric passports
• Smart Trip cards


Smart Cards Reduce Fraud


Smart cards secure many industries

• Access control / network security
• Health Care
• Mass Transit
• Electronic Commerce
• Pay TV
• Access Control
• Parking
• Credit/Debit
• Payphones
• Digital cellular phones


[Figure: chip block diagram with Clock, Reset and Input/Output lines; CPU; RAM (scratch pad); ROM (operating system); EEPROM (application memory)]

The smart card is the ultimate secure portable computer!!

Microcomputer Chip can be programmed for each application


…and secure

[Figure: chip block diagram. Blocks: CPU 80C51; MMU; interrupt system; RAM; co-processor; EEPROM; Triple-DES co-processor; true random number generator; CRC; UART ISO 7816; timers (16 bit T0, 16 bit T1); user ROM; test ROM; security sensors; power on reset; voltage regulator; clock input filter; reset generator; ISO contacts; IO2; IO3; Public Key]

• Hundreds of secure countermeasures


Payment application

EMV

Mag Stripe transaction

Contactless Transaction

Smart card in payment

How does this secure you?


Terminal Reads MSD and initiates transaction with the host

Terminal can ask the cardholder for verification data (CVC, AVS)

Terminal formats the authorization request and sends it to the Network/Issuer

Issuer verifies and processes authorization

Anatomy of a typical Transaction


• Card updates Application Transaction Counter (ATC)

• Terminal generates an unpredictable number (UN) and asks the card to generate a dCVV or CVC3 and the ATC; the card creates the cryptogram using a secret key

• Card calculates the proper cryptogram and appends the track data

Contactless Transaction adds security
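The contactless flow above, as an added example that is not part of the original slides: a card that advances its ATC and derives a 3-digit dynamic code from the terminal's UN, and an issuer that recomputes the code and rejects a counter that did not advance. HMAC-SHA256 stands in for the scheme-defined dCVV/CVC3 algorithm, and the class names, result strings, key, PAN and UN values are constructed for illustration.

```python
import hashlib
import hmac

def dynamic_cvc(card_key: bytes, pan: str, atc: int, un: bytes) -> str:
    """3-digit code bound to PAN, ATC and UN.

    HMAC-SHA256 is a stand-in (assumption); the real dCVV/CVC3
    algorithms are defined by the payment schemes.
    """
    msg = pan.encode() + atc.to_bytes(2, "big") + un
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

class Card:
    """Holds the secret key and the Application Transaction Counter."""
    def __init__(self, key: bytes, pan: str):
        self.key, self.pan, self.atc = key, pan, 0

    def tap(self, un: bytes) -> dict:
        self.atc += 1  # card updates the ATC on every transaction
        return {"pan": self.pan, "atc": self.atc,
                "cvc": dynamic_cvc(self.key, self.pan, self.atc, un)}

class Issuer:
    """Recomputes the code and tracks the highest ATC seen per card."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, card: Card) -> None:
        self.keys[card.pan], self.last_atc[card.pan] = card.key, 0

    def authorize(self, track: dict, terminal_un: bytes) -> str:
        key = self.keys.get(track["pan"])
        if key is None:
            return "DECLINE_UNKNOWN_CARD"
        expected = dynamic_cvc(key, track["pan"], track["atc"], terminal_un)
        if not hmac.compare_digest(expected, track["cvc"]):
            return "DECLINE_BAD_CVC"      # wrong key, ATC or UN
        if track["atc"] <= self.last_atc[track["pan"]]:
            return "DECLINE_ATC_REPLAY"   # counter did not advance
        self.last_atc[track["pan"]] = track["atc"]
        return "APPROVE"

def demo() -> list:
    # Constructed sample values: fixed key, sample PAN and two terminal UNs.
    card = Card(bytes(range(16)), "1234567890123456")
    issuer = Issuer()
    issuer.enroll(card)
    un1, un2 = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"
    captured = card.tap(un1)
    return [
        issuer.authorize(captured, un1),       # genuine tap
        issuer.authorize(captured, un1),       # same data replayed, same UN
        issuer.authorize(captured, un2),       # replayed against a new UN
        issuer.authorize(card.tap(un2), un2),  # next genuine tap
    ]

if __name__ == "__main__":
    print(demo())
```

A 3-digit code can match a different UN by chance about once in a thousand attempts, which is why the issuer-side ATC check is kept as a second, independent control.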


Payment application

EMV

Mag Stripe transaction

Contactless Transaction

• Europay Mastercard Visa

• EMV® is a global standard for credit and debit payment cards based on chip card technology

• As of Q1 2008, there were more than 730 million EMV compliant chip-based payment cards in use worldwide.

Smart card in payment

How does this secure you?


• Card is programmed to make decisions within the parameters that the bank gives it

– Max offline transaction up to “X” dollars and transactions cumulatively

• Terminal provides information to the card and sets the guidelines for risk management

– Cardholder Verification (PIN)??

– Offline authentication data (SDA/DDA)??

• Card also performs risk management, generates necessary cryptograms, and responds with transaction data and decision:

– Process online

– Offline approve or decline

– Terminate and use other interface

• Terminal sends EMV authorization request and ARQC cryptogram

EMV, the ultimate in transaction security


For additional information

Contact:

Bill Gostkowski

Gemalto


(512) 257-3898

www.smartcardalliance.org


Basic Card Definitions

[Figure: card types shown: Contactless; Two Chips Dual Interface; Single Chip Dual Interface. Labels: antenna, contactless chip module, contact chip module, contact/contactless chip module]


Issuers deploy EMV… for fraud reduction

[Chart: Credit and debit card fraud losses on UK-issued cards, in m£, 2004 to 2007 (axis 0 to 500). Series: UK fraud; Fraud abroad. UK fraud includes: UK retailer (face-to-face transactions); UK cash machine.]

Source: APACS


Expanded view of Smart Card

[Figure labels: card body layers: PVC overlay (thermal printable), polycarbonate (PC), filling layer, inlet (etched antenna); process steps: lamination, module insertion, die probing, sawing and cutting, die bonding; micro module with 8 or 6 contacts; chip with antenna; hologram; brand stamp; magnetic stripe]


ISO 15693 defines contactless vicinity

Standard for "Vicinity Cards", i.e. cards which can be read from a greater distance as compared to Proximity cards.

ISO 15693 systems operate at the 13.56 MHz frequency, and offer maximum read distance of 1 meter.

• >10 cm for ISO 14443
• ~1 m for ISO 15693

iCLASS family of cards and tags by HID Global.

Maximum read range 45 cm / 18 inches.


Payment fraud is a global concern

New EMV mass deployments in all regions (e.g. Spain, Thailand, Brazil, Canada…)

+ 41% volume growth in H1’08 vs H1’07*

+24% volume growth in 2007*

[Chart: Shipments of EMV cards per quarter (in ku). Source: SPA (Smart Payment Association)]

* Source: SPA (Smart Payment Association)


EMV adoption is global

[Map legend: EMV deployed; EMV to be deployed (est. in the next 24 months); No EMV]

Source: Eurosmart, MasterCard, Gemalto


Dual-interface adoption gets global, too

[Map legend: Mass deployment in 2008; Pre-deployment in 2008; At pilot/small program stage in 2008]


Fraud Reduced with EMV


Contactless Cross-Section

[Figure labels: conductive adhesive; antenna (etched copper)]


Smart Card Manufacturing

Manufacturing Process (Simplified)

[Figure: process flow from input (sand, quartz) to output (semiconductor device, microchip). Stages: wafer manufacturing (Si-ingot, Si-wafers, bare wafer); wafer processing (wafer with chips); testing; assembly & packaging. Step labels: dicing, grinding, wet etch, 15-25 cycles, deposition, cleaning, doping, CMP*, stripping, litho, dry etch, decontamination, particle removal, lithography, removal process, automation & process control, probe test, dice bonding, wire bonding, packaging, final test]

* Chemical Mechanical Polishing (CMP)

Source: European Semiconductor Capital Equipment, 1/9/01, Robertson Stephens


Contactless Tech Comparison

| Features | 14443 | 15693 | 125 kHz |
|---|---|---|---|
| Standards | ISO 14443 | ISO 15693 | 125 kHz |
| Frequency | 13.56 MHz | 13.56 MHz | 125 kHz |
| Read Range | ~10 centimeters (~3-4 inches) | ~1 meter (~3.3 feet) | ~1 meter (~3.3 feet) |
| Chip types supported | Memory, Wired Logic, Microcontroller | Memory, Wired Logic | Memory, Wired Logic |
| Encryption and authentication functions | MIFARE, DES/3DES, AES, RSA, ECC | Supplier specific | Supplier specific |
| Memory capacity range | 64 to 72K bytes | 256 and 2K bytes | 8 to 256 bytes |
| Read/write ability | Read/write | Read/write | Read/write |
| Data transfer rate (Kb/sec) | Up to 106 (ISO); up to 848 (available) | Up to 26.6 | Up to 4 |
| Anti-collision | Yes | Yes | Optional |
| Card-to-reader authentication | Challenge/Response | Challenge/Response | Password |
| Hybrid card capability | Yes | Yes | Yes |
| Contact interface support | Yes | No | No |


ISO/IEC 7816

ISO 7816-1: Dimensions and physical constraints (bending, torsion strength)

ISO 7816-2: Contact Locations; Electrical interface

ISO 7816-3: Communication protocol

ISO 7816-4 ...: Memory management and inter industry commands


CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009, 5/12/2009

Micro Module Process

[Figure labels: wafers from the foundry; probing; sawing; die bonding; wire bonding; coating; electrical test; micro-module]