Smart Cards in E-payment

Dr Wasim Raad Computer Engineering Department King Fahad University Petroleum & Minerals Dhahran-Saudi Arabia

Muhammad Wasim Raad

Entities of the Epayment System

Identification Card Issuer
(Corporate or Service Provider)

Purse Charger
(Bank or third party)

Card Holder
(User)

Access Control/Epayment terminal

.Corporate secure Log in

.Retail POS
collecting Highway tax

Corporate Information Center

(Database) Muhammad Wasim Raad 2

System Requirements Privacy Security Support multiapplication

Muhammad Wasim Raad 3

EMV
Established 1999 by Europay International, Mastercard International & VISA International EMV IC card Spec for payment ensures Cross payment Interoperability between Cards and terminals Latest version:EMV2000 version 4.0(support for lower voltage cards & contactless interface Currently there are greater than 200 million Mastercard, Maestro & Cirrus Chip cards worldwide( more than 80 million of these support EMV)

Muhammad Wasim Raad

Smart Card


Smart Card Market : VISA Smart Credit/Debit (CCCP) Magnetic Credit Authorization Terminal Smart Credit Authorization Terminal

2000. Stop manufacturing easy entry card and terminal as well Differentiate a commission rate for interchange : Chip Card versus M/S card 2002. All the new terminals should work on Visa Smart Credit/Debit card Recommendation of PIN Pad. 2000 2002 2005 2008

2005. All the new cards should be equipped with Visa Smart Credit/Debit card in functions. 2008. All the Card must be issued with functions of Visa Smart Credit/Debit Card. All the terminals must work on Smart Credit/Debit Card
Muhammad Wasim Raad 5

Authentication
Card Data : - SDA Certificate - Issuer Public Key Certificate

Scheme public key

1. Card Sends : - selected card data - card data certificate - issuer public-key certificate

2. Terminal decodes issuer public key using scheme public key. 3. Verifies card certificate using issuer public key 4. Compares with hashed form of the card data

Static Data Authentication

Muhammad Wasim Raad 6

Authentication (contd)
Dynamic Authentication
Challenge-based. The terminal issues a challenge to the card, The card signs the card serial number and this challenge. The terminal verifies this signature. The card must incorporate the public-key encryption functions. The private key is permanently stored in the card and protected by physical security features. Key management issue.
Muhammad Wasim Raad 7

Authentication (contd)
Reset card Answer to reset Select Application Send Application Data Auth. card & terminal Terminal risk management Request cryptogram

EMV Transaction Model

Card risk management Send cryptogram (Perform online Transaction) Send Results (Complete Transaction)

Muhammad Wasim Raad

Electronic Cash
Electronic cash is a general term that describes the attempts of several companies to create a value storage and exchange system that operates online in much the same way that governmentissued currency operates in the physical world. Concerns about electronic payment methods include: Privacy Security Independence Portability Muhammad Wasim Raad Convenience

Electronic Cash Issues

Primary advantage is with purchase of items less than 5
Credit card transaction fees make small purchases unprofitable Facilitates Micropayments eg for items costing less than 1

Must be anonymous, just like regular currency Safeguards must be in place to prevent counterfeiting Must be independent and freely transferable regardless of nationality or storage mechanism
Muhammad Wasim Raad 10

Electronic Cash

Muhammad Wasim Raad

11

Electronic Cash Storage

Two methods
On-line
Individual does not have possession personally of electronic cash Trusted third party, e.g. e-banking, bank holds customers cash accounts

Off-line
Customer holds cash on smart card or electronic wallet Fraud and double spending require tamper-proof encryption
Muhammad Wasim Raad 12

Electronic Cash
Advantages
Electronic cash transactions are more efficient and less costly than other methods. The distance that an electronic transaction must travel does not affect cost. The fixed cost of hardware to handle electronic cash is nearly zero. Electronic cash does not require that one party have any special authorization.

Disadvantages
Electronic cash provides no audit trail. Because true electronic cash is not traceable, money laundering is a problem. Electronic cash is susceptible to forgery. So far, electronic cash is a commercial flop.
Muhammad Wasim Raad 13

Disadvantages of Electronic Cash

Electronic cash provides no audit trail. Because true electronic cash is not traceable, money laundering is a problem. Electronic cash is susceptible to forgery. So far, electronic cash is a commercial flop.
Muhammad Wasim Raad 14

ePayment by Smart Card

Replace cash Cash is expensive to make and use
Printing, replacement Anti-counterfeiting measures Transportation Security

Cash is inconvenient
not machine-readable humans carry limited amount risk of loss, theft

Additional smart card benefits

Muhammad Wasim Raad 15

Electronic Purse
 EFT-POS

Magnetic, Credit/Debit Card EMV Smart Card Electronic Purse : MONDEX, CEPS, KEP, Ministry of Commerce, Industry & Energy 1) KEP (Korean Electronic Purse) Korea Financial Telecommunications & Clearings Institute 2) Mondex Electronic Purse   Cheju Island (Resort) Project ASEM Project
Muhammad Wasim Raad 16

Smart Cards & ecommerce

Multi Channel Access

Muhammad Wasim Raad

17

What Is The Octopus?

A pre-paid stored value card utilizing contactless smart card technology Operates within wallet/purse for up to 10cm Less than 1/3 second transaction time
Muhammad Wasim Raad 18

Octopus Applications
Public Transport and related
3 railways, 6000 buses, ferries, Peak Tram, Tramways, public light bus Car parks Parking meters
Muhammad Wasim Raad 19

Octopus in Off-Street Car Parks

Muhammad Wasim Raad

20

Octopus Applications
Recreational facilities
Public swimming pools Racecourses

Non-payment service
Access Control for residential estates School Attendance
Muhammad Wasim Raad 21

Octopus
Transaction time < 300 milliseconds Transaction fees: HK$0.02 + 0.75%
$10 transaction costs $0.095 (0.95%)

Applications
Transit Telephones Road tolls Point-of-sale Access control

Anonymous / personalized How does money get to service providers?

Muhammad Wasim Raad Net settlement system operated by Creative Star 22

M(obile)-Payments the future?

Analysts believe that easy mobile payment is one of the main prerequisites for the success of m-commerce. When the mobile phone can function as an electronic wallet for mobile payments, including micropayments, application developers will find it attractive to introduce new mobile communication services to the market. Examples include mobile entertainment (downloads of music, mobile gambling, etc.), information services (sports news, horoscopes, location-based services, etc.), and real-world services (paying parking fees, buying train or concert tickets, etc.). Network operators envision micropayments as an attractive business that does not compete with banks or credit card companies. For the end user, PayCircle will make m-commerce easy and secure and thus eliminate the major hurdles to widespread adoption and popularity. PayCircle.org Press release Jan 23rd 2002
Muhammad Wasim Raad 23

Payment Cards
8-128 Kb Data rate 115 Kb/sec ISO 7816 compliant Visa-certified PIN management and verification 3DES algorithm for authentication, secure messaging Epurse with payment command set (debit, SOURCE: credit, balance, floor limit management) GEMPLUS
Muhammad Wasim Raad 24
EMV = EUROPAY INTL, MASTERCARD, VISA MPCOS = MULTI PAYMENT CHIP OPERATING SYSTEM

Can Smart Cards Support Multi-Applications?

Capability to download independent Applets, securely Isolated(Java Card) Example: A card may contain Individuals drivers license, multiple credit card & bank accounts, stored value for company cafeteria, & health records A police officers card reader can read drivers license info, but not bank account
Muhammad Wasim Raad 25

The Java Simtoolkit

Since 3KB SIM memory has increased to 8KB, 32KB and lately to 64KB SIM Application toolkit explores full potential smart cards Spec defines commands and proceduresfor running handset independent SIMtoolkit applications Produces extra revenue through ( mobile banking, stock trading, games, emails,)
Muhammad Wasim Raad 26

France Telecom first launch of Sim toolkit developped by Gemplus

Operators can give end-users access to many on screen services Fast user-friendly access to the latest news, weather report or practical details on traffic finance and leasure Subscribers can update their selection and gain access to new services Java applets can be downloaded using SMS or internet
Muhammad Wasim Raad 27

Muhammad Wasim Raad

28

Providing Value Added services

GSM Cellnet and Barclaycard developped wireless finantial service smart card SIM activates users Cellnet GSM phone Provides a Barclay services menu
Muhammad Wasim Raad 29

Swedish Bank Utility Bill Payment

SIM card allows users to access service by menu navigation Users can pay their utility bills away from home by keying information such as origin and destination bank account numbers
Muhammad Wasim Raad 30

Hong Kong Smart Cards

Octopus
8 million cards, 9000 readers 7 million transactions/day

Visacash ComPass Visa (VME) Mondex GSM SIM ePark

Muhammad Wasim Raad

31

Mondex
Smart-card-based, stored-value card (SVC) Subsidiary of MasterCard NatWest (National Westminister Bank, UK) et al. Secret chip-to-chip transfer protocol Value is not in strings alone; must be on Mondex card Loaded through ATM ATM does not know transfer protocol; connects with secureWasim Raad at bank Muhammad device 32
Spending at merchants having a Mondex value

Mondex
Subsidiary of MasterCard Smart-card-based, stored-value card (SVC) NatWest (National Westminister Bank, UK) et al. Secret chip-to-chip transfer protocol Value is not in strings alone; must be on Mondex card Loaded through ATM ATM does not know transfer protocol; connects with secure device at bank Spending at merchants having a Mondex value transfer terminal Muhammad Wasim Raad

33

Mondex Smart Card

Holds and dispenses electronic cash Developed by MasterCard International Requires specific card reader for merchant or customer to use card over Internet Supports micropayments as small as 2p and works both online and off-line at stores or over the telephone
Muhammad Wasim Raad 34

Mondex Smart Card

Muhammad Wasim Raad

35

Mondex Overview

SOURCES: OKI, MONDEX USA

Muhammad Wasim Raad

36

Mondex Security
Active and dormant security software
Security methods constantly changing ITSEC E6 level (military)

VTP (Value Transfer Protocol)

Globally unique card numbers Globally unique transaction numbers Challenge-response user identification Digital signatures

MULTOS operating system

firewalls on the chip
Muhammad Wasim Raad 37

Mondex Smart Card

Disadvantages
Card carries real cash in electronic form, creating the possibility of theft No deferred payment as with credit cards -cash is dispensed immediately Trialled in Swindon but not taken up

Muhammad Wasim Raad

38

Mondex Components (Hitachi)

Cashless ATM

PCMCIA Reader/Writer

Electronic Cash Register

Electronic Wallet

Key Fob Balance Reader

SOURCE: HITACHI

Muhammad Wasim Raad

39

E-payment smart cards

Muhammad Wasim Raad

40

E-payment smart cards continued

Muhammad Wasim Raad

41

Muhammad Wasim Raad

42

Muhammad Wasim Raad

43

Smart cards in ecommerce

Amex Blue

13

Muhammad Wasim Raad

44

Muhammad Wasim Raad

45

Proximity Solutions for MULTOS

2 types of MULTOS Dual-Interface cards supporting communication with the chip via both the contact plate and the contactless interface based on Proximity Standard - ISO 14443 Hitachi/DNP Contactless MULTOS: 36K EEPROM, Type B contactless interface, Available now
 

Supports both versions of Paypass transaction 250K issued for 250K (contactless M/Chip 4, or Contactless Track 2 Japan Residential data) and in fact can execute ANY existing ID card MULTOS application over the contactless interface.

Keycorp / Philips Contactless MULTOS, 16K EEPROM, MIFARE Type A contactless interface, Prototypes available now


Supports Mifare ticketing only. Full contactless Muhammad Wasim MULTOS application execution planned for Q3 Raad 2004

46

Visa Wave
First Commercial Visa contact less card Global Platform EMV Visa debit/credit for more than 2000 consumer

Muhammad Wasim Raad

47

Electronic Payment Evolution in the U.S.

Contactless payment solution was introduced in 2002 Magnetic Stripe card was Introduced

First plastic credit card was introduced

Online credit & debit Speed, convenience, & reward to drive cash replacement faster Differentiating payment services Online Authorization Draft capture Electronic settlement Online credit & debit Enriched consumer shopping experience Possible Objective by 2010: Electronic Payment 70% Cash & Checks 30%

Credit card acceptance by retailers Zip zap machine Negative card list

2004 Results: Electronic Payment 36% Cash & Checks 64%

Muhammad Wasim Raad

48

ViVOpay Contactless Readers for POS

ViVOpay 3000

ViVOpay 4000

ViVOpay Drive Thru

ViVOtech has shipped 100,000 contactless readers in last 18 months. Mostly in the U.S.

Muhammad Wasim Raad

Box Office Window

49

ViVOwallet Software for NFC Phone

ViVOwallet is a Software Utility that turns an NFC-enabled Mobile Phone into a Payment Device
Supports a standard credit card in form of a soft card. Provisioning via OTA (Over The Air) transmission Makes it work with 10s of thousands of contactless readers being deployed

Muhammad Wasim Raad

50

Wireless Card Authorization

SOURCE: SAMSUNG

Muhammad Wasim Raad

51

Multi-application smart card example

Muhammad Wasim Raad

52

Case Studies

Muhammad Wasim Raad

53

 Provide a secure storage for digital certificates and personal identification Convenience-Multifunction Card like the JAVA Card and very portable Log recent activities Can Provide automatic Logins to designated websites without having to remember passwords and login Muhammad Wasim Raad procedures

Smart Cards Will Play an Important Role In Ecommerce:

54

Conclusion
With EMV expected to move to Smart Cards by 2007, huge boom expected. Cards will become truly multifunctional. Application Downloading. Interoperability issue solved

Muhammad Wasim Raad

55

References
www.smartcardbasics.com www.gemplus.com http://www.acs.com.hk/ http://www.smartcardcentral.com/ http://www.cardtechnology.com/

Muhammad Wasim Raad

56