Smart card

The basis for the smart card is thesiliconintegrated circuit(IC) chip.^[4]It was invented byRobert NoyceatFairchild Semiconductorin 1959. The invention of the silicon integrated circuit led to the idea of incorporating it onto a plastic card in the late 1960s.^[4]

The idea of incorporating anintegrated circuitchip onto a plastic card was first introduced by the German engineerHelmut Gröttrup.In February 1967, Gröttrup filed the patents DE1574074^[5]and DE1574075^[6]inWest Germanyfor a tamper-proof identification switch based on asemiconductor deviceand described contactless communication via inductive coupling.^[7]Its primary use was intended to provide individual copy-protected keys for releasing the tapping process at unmanned gas stations. In September 1968, Gröttrup, together withJürgen Dethloffas an investor, filed further patents for this identification switch, first inAustria^[8]and in 1969 as subsequent applications in the United States,^[9][10]Great Britain, West Germany and other countries.^[11]

Independently, Kunitaka Arimura of the Arimura Technology Institute in Japan developed a similar idea of incorporating an integrated circuit onto a plastic card, and filed a smart card patent in March 1970.^[4][12]The following year, Paul Castrucci ofIBMfiled an American patent titled "Information Card" in May 1971.^[12]

In 1974Roland Morenopatented a secured memory card later dubbed the "smart card".^[13][14]In 1976, Jürgen Dethloff introduced the known element (called "the secret" ) to identify gate user as of USP 4105156.^[15]

In 1977, Michel Ugon fromHoneywell Bullinvented the firstmicroprocessorsmart card with twochips:one microprocessor and onememory,and in 1978, he patented the self-programmable one-chip microcomputer (SPOM) that defines the necessary architecture to program the chip. Three years later,Motorolaused this patent in its "CP8". At that time, Bull had 1,200 patents related to smart cards. In 2001, Bull sold its CP8 division together with its patents toSchlumberger,who subsequently combined its own internal smart card department and CP8 to createAxalto.In 2006, Axalto and Gemplus, at the time the world's top two smart-card manufacturers, merged and becameGemalto.In 2008, Dexa Systems spun off from Schlumberger and acquired Enterprise Security Services business, which included the smart-card solutions division responsible for deploying the first large-scale smart-card management systems based onpublic key infrastructure(PKI).

The first mass use of the cards was as atelephone cardfor payment in Frenchpayphones,starting in 1983.^[16]

After the Télécarte, microchips were integrated into all FrenchCarte Bleuedebit cardsin 1992. Customers inserted the card into the merchant'spoint-of-sale(POS) terminal, then typed thepersonal identification number(PIN), before the transaction was accepted. Only very limited transactions (such as paying smallhighway tolls) are processed without a PIN.

Smart-card-based "electronic purse"systems store funds on the card, so that readers do not need network connectivity. They entered European service in the mid-1990s. They have been common in Germany (Geldkarte), Austria (Quick Wertkarte),Belgium(Proton), France (Moneo^[17]), the Netherlands (ChipknipChipper (decommissioned in 2015)), Switzerland ( "Cash" ), Norway ( "Mondex"), Spain (" Monedero 4B "), Sweden (" Cash ", decommissioned in 2004), Finland (" Avant "), UK (" Mondex "), Denmark (" Danmønt ") and Portugal (" Porta-moedas Multibanco "). Private electronic purse systems have also been deployed such as the Marines corps (USMC) at Parris Island allowing small amount payments at the cafeteria.

Since the 1990s, smart cards have been thesubscriber identity modules(SIMs) used inGSMmobile-phone equipment. Mobile phones are widely used across the world, so smart cards have become very common.

Europay MasterCard Visa (EMV)-compliant cards and equipment are widespread with the deployment led by European countries. The United States started later deploying the EMV technology in 2014, with the deployment still in progress in 2019. Typically, a country's national payment association, in coordination withMasterCardInternational,VisaInternational,American ExpressandJapan Credit Bureau(JCB), jointly plan and implement EMV systems.

Historically, in 1993 several international payment companies agreed to develop smart-card specifications fordebitand credit cards. The original brands were MasterCard, Visa, andEuropay.The first version of the EMV system was released in 1994. In 1998 the specifications became stable.

EMVCo maintains these specifications. EMVco's purpose is to assure the various financial institutions and retailers that the specifications retain backward compatibility with the 1998 version. EMVco upgraded the specifications in 2000 and 2004.^[18]

EMV compliant cards were first accepted into Malaysia in 2005^[19]and later into United States in 2014. MasterCard was the first company that was allowed to use the technology in the United States. The United States has felt pushed to use the technology because of the increase inidentity theft.The credit card information stolen from Target in late 2013 was one of the largest indicators that American credit card information is not safe. Target made the decision on 30 April 2014 that it would try to implement the smart chip technology to protect itself from future credit card identity theft.

Before 2014, the consensus in America was that there were enough security measures to avoid credit card theft and that the smart chip was not necessary. The cost of the smart chip technology was significant, which was why most of the corporations did not want to pay for it in the United States. The debate finally ended when Target sent out a notice^[20]stating unauthorized access to magnetic strips^[21]costing Target over 300 million dollars along with the increasing cost of online credit theft was enough for the United States to invest in the technology. The adaptation of EMV's increased significantly in 2015when the liability shifts occurred in October by the credit card companies.^{[clarify][citation needed]}

Contactlesssmart cards do not require physical contact between a card and reader. They are becoming more popular for payment and ticketing. Typical uses include mass transit and motorway tolls. Visa and MasterCard implemented a version deployed in 2004–2006 in the U.S., with Visa's current offering calledVisa Contactless.Most contactless fare collection systems are incompatible, though theMIFAREStandard card fromNXP Semiconductorshas a considerable market share in the US and Europe.

Use of "Contactless" smart cards in transport has also grown through the use of low cost chips NXP Mifare Ultralight and paper/card/PET rather than PVC. This has reduced media cost so it can be used for low cost tickets and short term transport passes (up to 1 year typically). The cost is typically 10% that of a PVC smart card with larger memory. They are distributed through vending machines, ticket offices and agents. Use of paper/PET is less harmful to the environment than traditional PVC cards.

Smart cards are also being introduced for identification and entitlement by regional, national, and international organizations. These uses include citizen cards, drivers’ licenses, and patient cards. InMalaysia,the compulsory national IDMyKadenables eight applications and has 18 million users. Contactless smart cards are part ofICAObiometric passportsto enhance security for international travel.

Complex Cards are smart cards that conform to theISO/IEC 7810standard and include components in addition to those found in traditional single chip smart cards. Complex Cards were invented by Cyril Lalo and Philippe Guillaud in 1999 when they designed a chip smart card with additional components, building upon the initial concept consisting of using audio frequencies to transmit data patented by Alain Bernard.^[22]The first Complex Card prototype was developed collaboratively by Cyril Lalo and Philippe Guillaud, who were working at AudioSmartCard^[23]at the time, and Henri Boccia and Philippe Patrice, who were working atGemplus.It was ISO 7810-compliant and included a battery, a piezoelectric buzzer, a button, and delivered audio functions, all within a 0.84mm thickness card.

The Complex Card pilot, developed by AudioSmartCard, was launched in 2002 byCrédit Lyonnais,a French financial institution. This pilot featured acoustic tones as a means of authentication. Although Complex Cards were developed since the inception of the smart card industry, they only reached maturity after 2010.

Complex Cards can accommodate various peripherals including:

• One or more buttons,
• A digital keyboard,
• An alphabetic keyboard,
• A touch keyboard,
• A small display, for a dynamicCard Security Code (CSC)for instance,
• A larger digital display, for OTP or balance, QR code
• An alphanumeric display,
• Afingerprint sensor,
• A LED,
• A buzzer or speaker.

While first generation Complex Cards were battery powered, the second generation is battery-free and receives power through the usual card connector and/or induction.

Sound, generated by a buzzer, was the preferred means of communication for the first projects involving Complex Cards. Later, with the progress of displays, visual communication is now present in almost all Complex Cards.

Complex Cards support all communication protocols present on regular smart cards: contact, thanks to a contact pad as definedISO/IEC 7816standard, contactless following theISO/IEC 14443standard, and magstripe.

Developers of Complex Cards target several needs when developing them:

• One Time Password,
• Provide account information,
• Provide computation capabilities,
• Provide a means of transaction security,
• Provide a means of user authentication.

A Complex Card can be used to compute a cryptographic value, such as aOne-time password.The One-Time Password is generated by acryptoprocessorencapsulated in the card. To implement this function, the crypto processor must be initialized with a seed value, which enables the identification of the OTPs respective of each card. The hash of seed value has to be stored securely within the card to prevent unauthorized prediction of the generated OTPs.

One-Time Passwords generation is based either on incremental values (event based) or on a real time clock (time based). Using clock-based One-Time Password generation requires the Complex Card to be equipped with aReal-time clock.

Complex Cards used to generate One Time Password have been developed for:

• Standard Chartered,^[24]Singapore,
• Bank of America,^[25]USA,
• Erste Bank, Croatia,
• Verisign,^[26]USA,
• RSA Security.^[27]

A Complex Card with buttons can display the balance of one or multiple account(s) linked to the card. Typically, either one button is used to display the balance in the case of a single account card or, in the case of a card linked to multiple accounts, a combination of buttons is used to select a specific account's balance.

For additional security, features such as requiring the user to enter an identification or a security value such as aPINcan be added to a Complex Card.

Complex Cards used to provide account information have been developed for:

• Getin Bank, Poland,^[28]
• TEB, Turkey.

The latest generation of battery free, button free, Complex Cards can display a balance or other kind of information without requiring any input from the card holder. The information is updated during the use of the card. For instance, in a transit card, key information such as the monetary value balance, the number of remaining trips or the expiry date of a transit pass can be displayed.

A Complex Card being deployed as a payment card can be equipped with capability to provide transaction security. Typically,online paymentsare made secure thanks to theCard Security Code (CSC),also known as card verification code (CVC2), or card verification value (CVV2). The card security code (CSC) is a 3 or 4 digits number printed on a credit or debit card, used as a security feature forcard-not-present (CNP)payment card transactions to reduce the incidence of fraud.

The Card Security Code (CSC) is to be given to the merchant by the cardholder to complete a card-not-present transaction. The CSC is transmitted along with other transaction data and verified by the card issuer. ThePayment Card Industry Data Security Standard (PCI DSS)prohibits the storage of the CSC by the merchant or any stakeholder in the payment chain. Although designed to be a security feature, the static CSC is susceptible to fraud as it can easily be memorized by a shop attendant, who could then use it for fraudulent online transactions or sale on the dark web.

This vulnerability has led the industry to develop a Dynamic Card Security Code (DCSC) that can be changed at certain time intervals, or after each contact or contactless EMV transaction. This Dynamic CSC brings significantly better security than a static CSC.

The first generation of Dynamic CSC cards, developed by NagraID Security required a battery, a quartz and Real Time Clock (RTC) embedded within the card to power the computation of a new Dynamic CSC, after expiration of the programmed period.

The second generation of Dynamic CSC cards, developed by Ellipse World, Inc., does not require any battery, quartz, or RTC to compute and display the new dynamic code. Instead, the card obtains its power either through the usual card connector or by induction during every EMV transaction from the Point of Sales (POS) terminal or Automated Teller Machine (ATM) to compute a new DCSC.

The Dynamic CSC, also called dynamic cryptogram, is marketed by several companies, under different brand names:

• MotionCode, first developed by NagraID Security, a company later acquired byIDEMIA,
• DCV, the solution offered byThales,
• EVC (Ellipse Verification Code) by Ellipse, a Los Angeles, USA based company.

The advantage of the Dynamic Card Security Code (DCSC) is that new information is transmitted with the payment transactions, thus making it useless for a potential fraudster to memorize or store it. A transaction with a Dynamic Card Security Code is carried out exactly the same way, with the same processes and use of parameters as a transaction with a static code in a card-not-present transaction. Upgrading to a DCSC allows cardholders and merchants to continue their payment habits and processes undisturbed.

Complex Cards can be equipped with biometric sensors allowing for stronger user authentication. In the typical use case, fingerprint sensors are integrated into a payment card to bring a higher level of user authentication than a PIN.

To implement user authentication using a fingerprint enabled smart card, the user has to authenticate himself/herself to the card by means of the fingerprint before starting a payment transaction.

Several companies^[29]offer cards with fingerprint sensors, including:

• Thales:Biometric card,
• IDEMIA:F.Code, originally developed by NagraID Security,
• IDEX Biometrics,
• NXP Semiconductors

Complex Cards can incorporate a wide variety of components. The choice of components drives functionality, influences cost, power supply needs, and manufacturing complexity.

Depending on Complex Card types, buttons have been added to allow an easy interaction between the user and the card. Typically, these buttons are used to:

• Select one action, such as which account to obtain the balance, or the unit (e.g.currency or number of trips) in which the information is displayed,
• Enter numeric data via the addition of a digital keypad,
• Enter text data via the addition of an alphanumeric keyboard.

Whileseparate keyshave been used on prototypes in the early days, capacitive keyboards are the most popular solution now, thanks to technology developments by AudioSmartCard International SA.^[30]

The interaction with a capacitive keyboard requires constant power, therefore a battery and a mechanical button are required to activate the card.

The first Complex Cards were equipped with a buzzer that made it possible to broadcast sound. This feature was generally used over the phone to send identification data such as an identifier and one-time passwords (OTPs). Technologies used for sound transmission include DTMF (dual-tone multi-frequency signaling) or FSK (frequency-shift keying).

Companies that offered cards with buzzers include:

• AudioSmartCard,
• nCryptone,^[31]
• Prosodie,
• Société d'exploitation du jeton sécurisé – SEJS.

Displaying data is an essential part of Complex Card functionalities. Depending on the information that needs to be shown, displays can be digital or alphanumeric and of varying lengths. Displays can be located either on the front or back of the card. A front display is the most common solution for showing information such as a One-Time Password or an electronic purse balance. A rear display is more often used for showing a Dynamic Card Security Code (DCSC).

Displays can be made using two technologies:

• Liquid-crystal display(LCD): LCDs are easily available from a wide variety of suppliers, and they are able to display either digits or alphabetical data. However, to be fitted in a complex smart card, LCDs need to have a certain degree of flexibility. Also, LCDs need to be powered to keep information displayed.
• Bistable displays,also known asFerroelectric liquid crystal displays,are increasingly used as they only require power to refresh the displayed information. The displayed data remains visible, without the need for of any power supply. Bistable displays are also available in a variety of specifications, displaying digits or pixels. Bistable displays are available from E Ink Corporation^[32]among others.

If a Complex smart Card is dedicated to making cryptographic computations (such as generating a one-time password) it may require asecure cryptoprocessor.

As Complex Cards contain more components than traditional smart cards, their power consumption must be carefully monitored.

First generation Complex Cards require a power supply even in standby mode. As such, product designers generally included a battery in their design. Incorporating a battery creates an additional burden in terms of complexity, cost, space and flexibility in an already dense design. Including a battery in a Complex Card increases the complexity of the manufacturing process as a battery cannot be hot laminated.

Second generation Complex Cards feature a battery-free design. These cards harvest the necessary power from external sources; for example when the card interacts in a contact orcontactlessfashion with a payment system or an NFC-enabled smartphone. The use of a bistable display in the card design ensures that the screen remains legible even when the Complex Card is unconnected to the power source.

Complex Card manufacturing methods are inherited from the smart card industry and from the electronics mounting industry. As Complex Cards incorporate several components while having to remain within 0.8 mm thickness and be flexible, and to comply with theISO/IEC 7810,ISO/IEC 7811andISO/IEC 7816standards, renders their manufacture more complex than standard smart cards.

One of the most popular manufacturing processes in the smart card industry is lamination. This process involves laminating an inlay between two card faces. The inlay contains the needed electronic components with an antenna printed on an inert support.

Typically battery-powered Complex Cards require a cold lamination manufacturing process. This process impacts the manufacturing lead time and the whole cost of such a Complex Card.

Second generation, battery-free Complex Cards can be manufactured by existing hot lamination process. This automated process, inherited from traditional smart card manufacturing, enables the production of Complex Cards in large quantities while keeping costs under control, a necessity for the evolution from a niche to a mass market.

As with standard smart cards, Complex Cards go through a lifecycle comprising the following steps:

• Manufacturing,
• Personalization,
• User enrollment, if needed by the application,
• Provisioning,
• Active life,
• Cancellation,
• Recycling / destruction.

As Complex Cards bring more functionalities than standard smart cards and, due to their complexity, their personalization can take longer or require more inputs. Having Complex Cards that can be personalized by the same machines and the same processes as regular smart cards allows them to be integrated more easily in existing manufacturing chains and applications.

First generation, battery-operated Complex Cards require specificrecyclingprocesses, mandated by different regulatory bodies. Additionally, keeping battery-operated Complex Cards in inventory for extended periods of time may reduce their performance due tobattery ageing.

Second-generation battery-free technology ensures operation during the entire lifetime of the card and eliminates self-discharge, providingextended shelf life,and is more eco-friendly.

Since the inception of smart cards, innovators have been trying to add extra features. As technologies have matured and have been industrialized, several smart card industry players have been involved in Complex Cards.

The Complex Card concept began in 1999 when Cyril Lalo and Philippe Guillaud, its inventors, first designed a smart card with additional components. The first prototype was developed collaboratively by Cyril Lalo, who was the CEO of AudioSmartCard at the time, and Henri Boccia and Philippe Patrice, from Gemplus. The prototype included a button and audio functions on a 0.84mm thick ISO 7810-compliant card.

Since then, Complex Cards have been mass-deployed primarily by NagraID Security.

AudioSmartCard International SA^[33]was instrumental in developing the first Complex Card that included a battery, a piezoelectric buzzer, a button, and audio functions all on a 0.84mm thick, ISO 7810-compatible card.

AudioSmartCard was founded in 1993 and specialized in the development and marketing of acoustic tokens incorporating security features. These acoustic tokens exchanged data in the form of sounds transmitted over a phone line. In 1999, AudioSmartCard transitioned to a new leadership under Cyril Lalo and Philippe Guillaud, who also became major shareholders. They made AudioSmartCard evolve towards the smart card world. In 2003 Prosodie,^[34]a subsidiary ofCapgemini,joined the shareholders of AudioSmartCard.

AudioSmartCard was renamed nCryptone,^[35]in 2004.

CardLab Innovation,^[36]incorporated in 2006 in Herlev, Denmark, specializes in Complex Cards that include a switch, a biometric reader, an RFID jammer, and one or more magstripes. The company works with manufacturing partners in China and Thailand and owns a card lamination factory in Thailand.

Coin was a US-based startup^[37]founded in 2012 by Kanishk Parashar.^[38]It developed a Complex Card capable of storing the data of several credit and debit cards. The card prototype was equipped with a display^{[39][full citation needed]}and a button that enabled the user to switch between different cards. In 2015, the original Coin card concept evolved into Coin 2.0 adding contactless communication to its original magstripe emulation.^[40]

Coin was acquired byFitbitin May 2016^[41]and all Coin activities were discontinued in February 2017.^[42]

Ellipse World, Inc.^[43]was founded in 2017 by Cyril Lalo and Sébastien Pochic, both recognized experts in Complex Card technology. Ellipse World, Inc. specializes in battery-free Complex Card technology.

The Ellipse patented technologies enable smart card manufacturers to use their existing dual interface payment card manufacturing process and supply chain to build battery-free, second generation Complex Cards with display capabilities. Thanks to this ease of integration, smart card vendors are able to address banking, transit and prepaid cards markets.

EMue^[44]Technologies, headquartered in Melbourne, Australia, designed and developed authentication solutions for the financial services industry from 2009 to 2015.^[45]The company's flagship product, developed in collaboration with Cyril Lalo and Philippe Guillaud, was the eMue Card, a Visa CodeSure^[46]credit card with an embedded keypad, a display and a microprocessor.

Feitian Technologies,a China-based company created in 1998, provides cyber security products and solutions. The company offers security solutions based on smart cards as well as other authentication devices. These include Complex Cards, that incorporate a display,^[47]a keypad^[48]or a fingerprint sensor.^[49]

Fingerprint CardsAB (or Fingerprints^[50]) is a Swedish company specializing in biometric solutions. The company sells biometric sensors and has recently introduced payment cards incorporating a fingerprint sensor^[51]such as the Zwipe card,^[52]a biometric dual-interface payment card using an integrated sensor from Fingerprints.

Giesecke & Devrient,also known as G+D,^[53]is a German company headquartered in Munich that provides banknotes, security printing, smart cards and cash handling systems. Its smart card portfolio includes display cards, OTP cards, as well as cards displaying aDynamic CSC.

Gemalto,a division ofThales Group,is a major player in the secure transaction industry. The company's Complex Card portfolio includes cards with a display^[54]or a fingerprint sensor.^[55]These cards may display an OTP^[56]or a Dynamic CSC.^[57]

IDEMIAis the product of the 2017^[58]merger of Oberthur Technologies and Morpho. The combined company has positioned itself as a global provider of financial cards, SIM cards, biometric devices as well as public and private identity solutions. Due to Oberthur's acquisition of NagraID Security in 2014, Idemia's Complex Card offerings include the F.CODE^[59]biometric payment card that includes a fingerprint sensor, and its battery-powered Motion Code^[60]card that displays a Dynamic CSC.

IDEX BiometricsASA, incorporated in Norway, specializes in fingerprint identification technologies for personal authentication. The company offers fingerprint sensors^[61]and modules^[62]that are ready to be embedded into cards.^[63]

Founded in 2002, by Alan Finkelstein, Innovative Card Technologies developed and commercialized enhancements for the smart card market. The company acquired the display card assets of nCryptone^[64]in 2006. Innovative Card Technologies has ceased its activities.

Nagra ID, now known as NID,^[65]was a wholly-owned subsidiary of theKudelski Groupuntil 2014. NID can trace its history with Complex Cards back to 2003 when it collaborated on development with nCryptone. Nagra ID was instrumental in developing the cold lamination process for Complex Cards manufacturing.

Nagra ID manufactures Complex Cards^[66]that can include a battery, buttons, displays or other electronic components.

Nagra ID Security began in 2008 as a spinoff of Nagra ID to focus on Complex Card development and manufacturing. The company was owned byKudelski Group(50%), Cyril Lalo (25%) and Philippe Guillaud (25%).

NagraID Security quickly became a leading player in the adoption of Complex Cards due, in large part, to its development of MotionCode cards that featured a small display to enable aCard Security Code (CVV2).

NagraID Security was the first Complex Cards manufacturer to develop a mass market for payment display cards. Their customers included:

• ABSA,^[67]South Africa,
• Banco Bicentenario, Venezuela,
• Banco MontePaschi, Belgium,
• Erste Bank, Croatia,
• Getin Bank, Poland,
• Standard Chartered Bank, Singapore.

NagraID Security also delivered One-Time Password cards to companies including:

• Bank of America,
• HID Security,
• PayPal,
• RSA Security,
• Verisign.

In 2014, NagraID Security was sold toOberthur Technologies(nowIDEMIA).

nCryptone emerged in 2004 from the renaming of AudioSmartCard. nCryptone was headed by Cyril Lalo and Philippe Guillaud^[68]and developed technologies around authentication servers and devices.

nCryptone display card assets were acquired by Innovative Card Technologies in 2006.^[69]

Oberthur Technologies,nowIDEMIA,is one of the major players in the secure transactions industry. It acquired the business of NagraID Security in 2014. Oberthur then merged with Morpho and the combined entity was renamed Idemia in 2017.

Major references in the Complex Cards business include:

• BPCE Group,^[70]France,
• Orange Bank,^[71]France,
• Société Générale,^[72]France.

Set up in 2009, Plastc announced a single card that could digitally hold the data of up to 20 credit or debit cards. The company succeeded in raising US$9 million through preorders but failed to deliver any product.^[73]Plastc was then acquired^[74]in 2017 by Edge Mobile Payments,^[75]a Santa Cruz-based Fintech company. The Plastc project continues as the Edge card,^[76]a dynamic payment card that consolidates several payment cards in one device. The card is equipped with a battery and an ePaper screen and can store data from up to 50 credit, debit, loyalty and gift cards.

Stratos^[77]was created in 2012 in Ann Arbor, Michigan, USA. In 2015, Stratos developed the Stratos Bluetooth Connected Card,^[78]which was designed to integrate up to three credit and debit card in a single card format and featured a smartphone app used to manage the card. Due to its Lithium ion thin film battery, the Stratos card was equipped with LEDs and communicated in contactless mode and in Bluetooth low Energy.

In 2017 Stratos was acquired^[79]by CardLab Innovation, a company headquartered in Herlev, Denmark.

SWYP^[80]was the brand name of a card developed by Qvivr, a company incorporated in 2014 in Fremont, California. SWYP was introduced in 2015 and dubbed the world's first smart wallet. SWYP was a metal card with the ability to combine over 25 credit, debit, gift and loyalty cards. The card worked in conjunction with a smartphone app used to manage the cards. The Swyp card included a battery, a button and a matrix display that showed which card was in use. The company registered users in its beta testing program, but the product never shipped on a commercial scale.

Qvivr raised US$5 million in January 2017^[81]and went out of business in November 2017.

Complex Cards have been adopted by numerous financial institutions worldwide. They may include different functionalities such as payment cards (credit, debit, prepaid),One-time password,mass-transit, and dynamicCard Security Code (CVV2).

Complex Card technology is used by numerous financial institutions including:

• ABSA,^[82]South Africa,
• Banca MontePaschi Belgio,^[83]
• Bank of America,^[84]USA,
• BPCE Group,^[85]France,
• Carpatica Bank,^[86]Romania,
• Credit Europe Bank,^[87]Romania,
• Erste&Steiermärkische Bank,^[88]Croatia
• Getin Bank,^[89]Poland,
• Newcastle Banking Society,^[90]UK,
• Orange Bank, France,
• PayPal,^[91]USA,
• Sinopac,^[92]Taiwan,
• Société Générale,^[93]France,
• Standard Chartered Bank,^[94][95]Singapore,
• Symantec,^[96]
• TEB,^[97]Turkey.

A smart card may have the following generic characteristics:

• Dimensions similar to those of a credit card. ID-1 of theISO/IEC 7810standard defines cards as nominally 85.60 by 53.98 millimetres (3.37 in × 2.13 in). Another popular size is ID-000, which is nominally 25 by 15 millimetres (0.98 in × 0.59 in) (commonly used in SIM cards). Both are 0.76 millimetres (0.030 in) thick.
• Contains atamper-resistantsecurity system (for example asecure cryptoprocessorand a securefile system) and provides security services (e.g., protects in-memory information).
• Managed by an administration system, which securely interchanges information and configuration settings with the card, controlling cardblacklistingand application-data updates.
• Communicates with external services through card-reading devices, such as ticket readers,ATMs,Dip reader,etc.
• Smart cards are typically made of plastic, generallypolyvinyl chloride,but sometimespolyethylene-terephthalate-basedpolyesters,acrylonitrile butadiene styreneorpolycarbonate.

Since April 2009, a Japanese company has manufactured reusable financial smart cards made from paper.^[98]

As mentioned above, data on a smart card may be stored in afile system(FS). In smart card file systems, the root directory is called the "master file" ( "MF" ), subdirectories are called "dedicated files" ( "DF" ), and ordinary files are called "elementary files" ( "EF" ).^[99]

The file system mentioned above is stored on anEEPROM(storage or memory) within the smartcard.^[99]In addition to the EEPROM, other components may be present, depending upon the kind of smartcard. Most smartcards have one of three logical layouts:

• EEPROMonly.
• EEPROM, ROM, RAM, and microprocessor.
• EEPROM, ROM, RAM, microprocessor, andsecure element.^[99]

In cards with microprocessors, the microprocessor sits inline between the reader and the other components. The operating system that runs on the microprocessor mediates the reader's access to those components to prevent unauthorized access.^[99]

Contact smart cards have a contact area of approximately 1 square centimetre (0.16 sq in), comprising several gold-platedcontact pads.These pads provide electrical connectivity when inserted into areader,^[102]which is used as a communications medium between the smart card and a host (e.g., a computer, a point of sale terminal) or a mobile telephone. Cards do not containbatteries;power is supplied by the card reader.

TheISO/IEC 7810andISO/IEC 7816series of standards define:

• physical shape and characteristics,
• electrical connector positions and shapes,
• electrical characteristics,
• communications protocols,including commands sent to and responses from the card,
• basic functionality.

Because the chips in financial cards are the same as those used insubscriber identity modules(SIMs) in mobile phones, programmed differently and embedded in a different piece ofPVC,chip manufacturers are building to the more demanding GSM/3G standards. So, for example, although the EMV standard allows a chip card to draw 50 mA from its terminal, cards are normally well below the telephone industry's 6 mA limit. This allows smaller and cheaper financial card terminals.

Communication protocols for contact smart cards include T=0 (character-level transmission protocol, defined in ISO/IEC 7816-3) and T=1 (block-level transmission protocol, defined in ISO/IEC 7816-3).

Contactless smart cardscommunicate with readers under protocols defined in theISO/IEC 14443standard. They support data rates of 106–848 kbit/s. These cards require only proximity to an antenna to communicate. Like smart cards with contacts, contactless cards do not have an internal power source. Instead, they use aloop antennacoil to capture some of the incident radio-frequency interrogation signal,rectifyit, and use it to power the card's electronics. Contactless smart media can be made with PVC, paper/card and PET finish to meet different performance, cost and durability requirements.

APDU transmission by a contactless interface is defined inISO/IEC 14443-4.

Hybrid cards implement contactless and contact interfaces on a single card with unconnected chips including dedicated modules/storage and processing.

Dual-interface

Dual-interface cards implement contactless and contact interfaces on a single chip with some shared storage and processing. An example isPorto's multi-application transport card, calledAndante,which uses a chip with both contact andcontactless(ISO/IEC 14443 Type B) interfaces. Numerous payment cards worldwide are based on hybrid card technology allowing them to communicate in contactless as well as contact modes.

TheCCID(Chip Card Interface Device) is a USB protocol that allows a smart card to be interfaced to a computer using a card reader which has a standard USB interface. This allows the smart card to be used as a security token for authentication and data encryption such asBitlocker.A typical CCID is a USB dongle and may contain a SIM.

Different smart cards implement one or more reader-side protocols. Common protocols here include CT-API andPC/SC.^[99]

Smartcard operating systems may provide application programming interfaces (APIs) so that developers can write programs ( "applications" ) to run on the smartcard. Some such APIs, such asJava Card,allow programs to be uploaded to the card without replacing the card's entire operating system.^[99]

Smart cards serve as credit orATM cards,fuel cards,mobile phoneSIMs,authorization cards for pay television, household utility pre-payment cards, high-security identification andaccess badges,and public transport and public phone payment cards.

Smart cards may also be used aselectronic wallets.The smart card chip can be "loaded" with funds to pay parking meters, vending machines or merchants.Cryptographic protocolsprotect the exchange of money between the smart card and the machine. No connection to a bank is needed. The holder of the card may use it even if not the owner. Examples areProton,Geldkarte,ChipknipandMoneo.The German Geldkarte is also used to validate customer age atvending machinesfor cigarettes.

These are the best known payment cards (classic plastic card):

• Visa: Visa Contactless, Quick VSDC, "qVSDC", Visa Wave, MSD, payWave
• Mastercard: PayPass Magstripe, PayPass MChip
• American Express: ExpressPay
• Discover: Zip
• Unionpay: QuickPass

Roll-outs started in 2005 in the U.S. Asia and Europe followed in 2006. Contactless (non-PIN) transactions cover a payment range of ~$5–50. There is anISO/IEC 14443PayPass implementation. Some, but not all, PayPass implementations conform to EMV.

Non-EMV cards work likemagnetic stripe cards.This is common in the U.S. (PayPass Magstripe and Visa MSD). The cards do not hold or maintain the account balance. All payment passes without a PIN, usually in off-line mode. The security of such a transaction is no greater than with a magnetic stripe card transaction.^{[citation needed]}

EMV cards can have either contact or contactless interfaces. They work as if they were a normal EMV card with a contact interface. Via the contactless interface they work somewhat differently, in that the card commands enabled improved features such as lower power and shorter transaction times. EMV standards include provisions for contact and contactless communications. Typically modern payment cards are based on hybrid card technology and support both contact and contactless communication modes.

Thesubscriber identity modulesused in mobile-phone systems are reduced-size smart cards, using otherwise identical technologies.

Smart-cards canauthenticateidentity. Sometimes they employ apublic key infrastructure(PKI). The card stores an encrypted digital certificate issued from the PKI provider along with other relevant information. Examples include theU.S. Department of Defense(DoD)Common Access Card(CAC), and other cards used by other governments for their citizens. If they include biometric identification data, cards can provide superior two- or three-factor authentication.

Smart cards are not always privacy-enhancing, because the subject may carry incriminating information on the card. Contactless smart cards that can be read from within a wallet or even a garment simplify authentication; however, criminals may access data from these cards.

Cryptographic smart cards are often used forsingle sign-on.Most advanced smart cards include specialized cryptographic hardware that uses algorithms such asRSAandDigital Signature Algorithm(DSA). Today's cryptographic smart cards generate key pairs on board, to avoid the risk from having more than one copy of the key (since by design there usually isn't a way to extract private keys from a smart card). Such smart cards are mainly used fordigital signaturesand secure identification.

The most common way to access cryptographic smart card functions on a computer is to use a vendor-providedPKCS#11library.^{[citation needed]}OnMicrosoft WindowstheCryptographic Service Provider(CSP) API is also supported.

The most widely used cryptographic algorithms in smart cards (excluding the GSM so-called "crypto algorithm" ) areTriple DESandRSA.The key set is usually loaded (DES) or generated (RSA) on the card at the personalization stage.

Some of these smart cards are also made to support theNational Institute of Standards and Technology(NIST) standard forPersonal Identity Verification,FIPS 201.

Turkey implemented the first smart card driver's license system in 1987. Turkey had a high level of road accidents and decided to develop and use digital tachograph devices on heavy vehicles, instead of the existing mechanical ones, to reduce speed violations. Since 1987, the professional driver's licenses in Turkey have been issued as smart cards. A professional driver is required to insert his driver's license into a digital tachograph before starting to drive. The tachograph unit records speed violations for each driver and gives a printed report. The driving hours for each driver are also being monitored and reported. In 1990 the European Union conducted a feasibility study through BEVAC Consulting Engineers, titled "Feasibility study with respect to a European electronic drivers license (based on a smart-card) on behalf of Directorate General VII". In this study, chapter seven describes Turkey's experience.

Argentina's Mendoza province began using smart card driver's licenses in 1995. Mendoza also had a high level of road accidents, driving offenses, and a poor record of recovering fines.^{[citation needed]}Smart licenses hold up-to-date records of driving offenses and unpaid fines. They also store personal information, license type and number, and a photograph. Emergency medical information such as blood type, allergies, and biometrics (fingerprints) can be stored on the chip if the card holder wishes. The Argentina government anticipates that this system will help to collect more than $10 million per year in fines.

In 1999Gujaratwas the first Indian state to introduce a smart card license system.^[103]As of 2005, it has issued 5 million smart card driving licenses to its people.^[104]

In 2002, the Estonian government started to issue smart cards namedID Kaartas primary identification for citizens to replace the usual passport in domestic and EU use. As of 2010 about 1 million smart cards have been issued (total population is about 1.3 million) and they are widely used in internet banking, buying public transport tickets, authorization on various websites etc.

By the start of 2009, the entire population ofBelgiumwas issued eID cards that are used for identification. These cards contain two certificates: one for authentication and one for signature. This signature is legally enforceable. More and more services in Belgium use eID forauthorization.^[105]

Spain started issuing national ID cards (DNI) in the form of smart cards in 2006 and gradually replaced all the older ones with smart cards. The idea was that many or most bureaucratic acts could be done online but it was a failure because the Administration did not adapt and still mostly requires paper documents and personal presence.^{[106][107][108][109]}

On 14 August 2012, the ID cards inPakistanwere replaced. The Smart Card is a third generation chip-basedidentity documentthat is produced according to international standards and requirements. The card has over 36 physical security features and has the latest^{[clarification needed]}encryption codes. This smart card replaced the NICOP (the ID card foroverseas Pakistani).

Smart cards may identify emergency responders and their skills. Cards like these allow first responders to bypass organizational paperwork and focus more time on the emergency resolution. In 2004, TheSmart Card Allianceexpressed the needs: "to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification".^[110]emergency responsepersonnel can carry these cards to be positively identified in emergency situations.WidePoint Corporation,a smart card provider toFEMA,produces cards that contain additional personal information, such as medical records and skill sets.

In 2007, theOpen Mobile Alliance(OMA) proposed a new standard defining V1.0 of the Smart Card Web Server (SCWS), anHTTP serverembedded in a SIM card intended for asmartphoneuser.^[111]The non-profit trade associationSIMalliancehas been promoting the development and adoption of SCWS. SIMalliance states that SCWS offers end-users a familiar,OS-independent, browser-based interface to secure, personal SIM data. As of mid-2010, SIMalliance had not reported widespread industry acceptance of SCWS.^[112]The OMA has been maintaining the standard, approving V1.1 of the standard in May 2009, and V1.2 was expected to be approved in October 2012.^[113]

Smart cards are also used to identify user accounts on arcade machines.^[114]

Smart cards, used astransit passes,andintegrated ticketingare used by many public transit operators. Card users may also make small purchases using the cards. Some operators offer points for usage, exchanged at retailers or for other benefits.^[115]Examples include Singapore'sCEPAS,Malaysia'sTouch n Go,Ontario'sPresto card,Hong Kong'sOctopus card,Tokyo'sSuicaandPASMOcards, London'sOyster card,Ireland'sLeap Card,Brussels'MoBIB,Québec'sOPUS card,Boston'sCharlieCard,San Francisco'sClipper card,Washington, D.C.'sSmarTrip,Auckland'sAT Hop,Brisbane'sgo card,Perth'sSmartRider,Sydney'sOpal cardand Victoria'smyki.However, these present aprivacyrisk because they allow the mass transit operator (and the government) to track an individual's movement. In Finland, for example, the Data ProtectionOmbudsmanprohibited the transport operatorHelsinki Metropolitan Area Council(YTV) from collecting such information, despite YTV's argument that the card owner has the right to a list of trips paid with the card. Earlier, such information was used in the investigation of theMyyrmanni bombing.^{[citation needed]}

The UK'sDepartment for Transportmandated smart cards to administer travel entitlements for elderly and disabled residents. These schemes let residents use the cards for more than just bus passes. They can also be used for taxi and other concessionary transport. One example is the "Smartcare go" scheme provided by Ecebs.^[116]The UK systems use theITSO Ltdspecification. Other schemes in the UK include period travel passes, carnets of tickets or day passes and stored value which can be used to pay for journeys. Other concessions for school pupils, students and job seekers are also supported. These are mostly based on theITSO Ltdspecification.

Many smart transport schemes include the use of low cost smart tickets for simple journeys, day passes and visitor passes. Examples include GlasgowSPT subway.These smart tickets are made of paper or PET which is thinner than a PVC smart card e.g. Confidex smart media.^[117]The smart tickets can be supplied pre-printed and over-printed or printed on demand.

In Sweden, as of 2018–19, the old SL Access smart card system has started to be phased out and replaced by smartphone apps.The phone apps have less cost, at least for the transit operators who don't need any electronic equipment (the riders provide that). The riders are able buy tickets anywhere and don't need to load money onto smart cards. New NFC smart cards are still in use for foreseeable future (as of 2024).

In Japaneseamusement arcades,contactless smart cards(usually referred to as "IC cards" ) are used by game manufacturers as a method for players to access in-game features (both online likeKonamiE-AmusementandSegaALL.Netand offline) and as a memory support to save game progress. Depending on a case by case scenario, the machines can use a game-specific card or a "universal" one usable on multiple machines from the same manufacturer/publisher. Amongst the most widely used there areBanapassportbyBandai Namco,E-amusement passbyKonami,AimebySegaandNesicabyTaito.

In 2018, in an effort to make arcade game IC cards more user friendly,^[118]Konami, Bandai Namco and Sega have agreed on a unified system of cards namedAmusement IC.Thanks to this agreement, the three companies are now using a unified card reader in their arcade cabinets, so that players are able to use their card, no matter if a Banapassport, an e-Amusement Pass or an Aime, with hardware and ID services of all three manufacturers. A common logo forAmusement ICcards has been created, and this is now displayed on compatible cards from all three companies. In January 2019, Taito announced^[119]that their Nesica card was also joining theAmusement ICagreement with the other three companies.

Smart cards can be used as asecurity token.

Mozilla'sFirefoxweb browsercan use smart cards to storecertificatesfor use in secure web browsing.^[120]

Somedisk encryption systems,such asVeraCryptand Microsoft'sBitLocker,can use smart cards to securely hold encryption keys, and also to add another layer of encryption to critical parts of the secured disk.

GnuPG,the well known encryption suite, also supports storing keys in a smart card.^[121]

Smart cards are also used forsingle sign-ontolog onto computers.

Smart cards are being provided to students at some schools and colleges.^{[122][123][124]}Uses include:

• Tracking student attendance
• As anelectronic purse,to pay for items at canteens, vending machines, laundry facilities, etc.
• Tracking and monitoring food choices at the canteen, to help the student maintain a healthy diet
• Tracking loans from the school library
• Access controlfor admittance to restricted buildings,dormitories,and other facilities. This requirement may be enforced at all times (such as for a laboratory containing valuable equipment), or just during after-hours periods (such as for an academic building that is open during class times, but restricted to authorized personnel at night), depending on security needs.
• Access to transportation services

Smart health cards can improve thesecurityandprivacyof patient information, provide a secure carrier for portablemedical records,reducehealth care fraud,support new processes for portable medical records, provide secure access to emergency medical information, enable compliance with government initiatives (e.g.,organ donation) and mandates, and provide the platform to implement other applications as needed by thehealth care organization.^[125][126]

Smart cards are widely used toencryptdigital television streams.VideoGuardis a specific example of how smart card security worked.

The Malaysian government promotesMyKadas a single system for all smart-card applications. MyKad started as identity cards carried by all citizens and resident non-citizens. Available applications now include identity, travel documents, drivers license, health information, an electronic wallet, ATM bank-card, public toll-road and transit payments, and public key encryption infrastructure. The personal information inside the MYKAD card can be read using special APDU commands.^[127]

Smart cards have been advertised as suitable for personal identification tasks, because they areengineeredto betamper resistant.The chip usually implements somecryptographicalgorithm. There are, however, several methods for recovering some of the algorithm's internal state.

Differential power analysisinvolves measuring the precise time andelectric currentrequired for certain encryption or decryption operations. This can deduce the on-chip private key used by public key algorithms such asRSA.Some implementations ofsymmetric cipherscan be vulnerable to timing orpower attacksas well.

Smart cards can be physically disassembled by using acid, abrasives, solvents, or some other technique to obtain unrestricted access to the on-board microprocessor. Although such techniques may involve a risk of permanent damage to the chip, they permit much more detailed information (e.g.,photomicrographsof encryption hardware) to be extracted.

The benefits of smart cards are directly related to the volume of information and applications that are programmed for use on a card. A single contact/contactless smart card can be programmed with multiple banking credentials, medical entitlement, driver's license/public transport entitlement, loyalty programs and club memberships to name just a few. Multi-factor and proximity authentication can and has been embedded into smart cards to increase the security of all services on the card. For example, a smart card can be programmed to only allow a contactless transaction if it is also within range of another device like a uniquely paired mobile phone. This can significantly increase the security of the smart card.

Governments and regional authorities save money because of improved security, better data and reduced processing costs. These savings help reduce public budgets or enhance public services. There are many examples in the UK, many using a common openLASSeOspecification.

Individuals have better security and more convenience with using smart cards that perform multiple services. For example, they only need to replace one card if their wallet is lost or stolen. The data storage on a card can reduce duplication, and even provide emergency medical information.

The first main advantage of smart cards is their flexibility. Smart cards have multiple functions which simultaneously can be an ID, a credit card, a stored-value cash card, and a repository of personal information such as telephone numbers or medical history. The card can be easily replaced if lost, and, the requirement for aPIN(or other form of security) provides additional security from unauthorised access to information by others. At the first attempt to use it illegally, the card would be deactivated by the card reader itself.

The second main advantage is security. Smart cards can be electronic key rings, giving the bearer ability to access information and physical places without need for online connections. They are encryption devices, so that the user can encrypt and decrypt information without relying on unknown, and therefore potentially untrustworthy, appliances such as ATMs. Smart cards are very flexible in providing authentication at different level of the bearer and the counterpart. Finally, with the information about the user that smart cards can provide to the other parties, they are useful devices for customizing products and services.

Other general benefits of smart cards are:

• Portability
• Increasingdata storagecapacity
• Reliability that is virtually unaffected by electrical and magnetic fields.

Smart cards can be used inelectronic commerce,over the Internet, though the business model used in current electronic commerce applications still cannot use the full feature set of the electronic medium. An advantage of smart cards for electronic commerce is their use customize services. For example, for the service supplier to deliver the customized service, the user may need to provide each supplier with their profile, a boring and time-consuming activity. A smart card can contain a non-encrypted profile of the bearer, so that the user can get customized services even without previous contacts with the supplier.

The plastic or paper card in which the chip is embedded is fairly flexible. The larger the chip, the higher the probability that normal use could damage it. Cards are often carried in wallets or pockets, a harsh environment for a chip and antenna in contactless cards. PVC cards can crack or break if bent/flexed excessively. However, for large banking systems, failure-management costs can be more than offset by fraud reduction.^{[citation needed]}

The production, use and disposal of PVC plastic is known to be more harmful to the environment than other plastics.^[128]Alternative materials including chlorine free plastics and paper are available for some smart applications.

If the account holder's computer hostsmalware,the smart card security model may be broken. Malware can override the communication (both input via keyboard and output via application screen) between the user and the application.Man-in-the-browsermalware (e.g., the TrojanSilentbanker) could modify a transaction, unnoticed by the user. Banks likeFortisandBelfiusin Belgium andRabobank( "random reader") in the Netherlands combine a smart card with an unconnected card reader to avoid this problem. The customer enters a challenge received from the bank's website, a PIN and the transaction amount into the reader. The reader returns an 8-digit signature. This signature is manually entered into the personal computer and verified by the bank, preventingpoint-of-sale-malwarefrom changing the transaction amount.

Smart cards have also been the targets of security attacks. These attacks range from physical invasion of the card's electronics, to non-invasive attacks that exploit weaknesses in the card's software or hardware. The usual goal is to expose private encryption keys and then read and manipulate secure data such as funds. Once an attacker develops a non-invasive attack for a particular smart card model, he or she is typically able to perform the attack on other cards of that model in seconds, often using equipment that can be disguised as a normal smart card reader.^[129]While manufacturers may develop new card models with additionalinformation security,it may be costly or inconvenient for users to upgrade vulnerable systems.Tamper-evidentand audit features in a smart card system help manage the risks of compromised cards.

Another problem is the lack of standards for functionality and security. To address this problem, the Berlin Group launched the ERIDANE Project to propose "a new functional and security framework for smart-card based Point of Interaction (POI) equipment".^[130]

• Smart cardatCurlie