
 Plastic with Brain: Smartcard
This article was the front page story for the May 1994 issue of CMA. CMA is a national magazine that addresses the needs and interests of the management accounting profession and fosters the development of Certified Management Accountants in management.

Prepared By Dr. Mir F. Ali

The plastic card has entered a new era. With a powerful combination of on-board intelligence and increased memory capacity, the Smartcard has arrived. Its potential is unbounded. It can help businesses generate more revenue, including financial institutions that can market it as a sophisticated payment instrument. Better equipped than plastic cards to control data integrity, the Smartcard can improve control through fewer losses and greater security. And because it can handle multi-applications without jeopardizing data integrity, it can improve productivity and functionality.

The Smartcard looks like a common credit card, but the resemblance ends there. Hidden in the thickness of the plastic, a powerful brain controls the card's functions and opens access to networks and computers. It allows the card to capture, verify, store and transmit information (transactions) in a way that can be directed to mainframe computers for further processing. It can also validate the identity of the cardholder through network access. In effect, the Smartcard is a portable data storage device. It can process information to authenticate the card, identify the cardholder, encrypt and decrypt messages, and generate electronic signatures. Thus, it provides an automated form of user accountability, as it maintains a log that keeps track of such things as who used the card, when the transaction took place, and what merchandise was bought. The magnetic strip card lacks this capability.

Contemporary contact, or passive, Smartcards have undergone a number of changes resulting in better performance at lower cost. These cards all lacked the benefit of a self-authenticating feature: the ability to independently accept a PIN (personal identification number) plus associated data. Cards now incorporating this feature are called active or “Contactless” Smartcards. Unlike a passive card, which required a card-reader as an interface between the card and the merchant's terminal, the Contactless Smartcard works without an independent, physically separate card-reader.

Cards of all kinds:
The Smartcard is also known as an integrated circuit (IC) card. It can be categorized into three groups by interface type:
  • Contactless: The interfaces for this type communicate through radio frequency, inductive or infrared methods. They are particularly useful in rapid transit systems and for goods distribution when a physical contact device might be too slow or cumbersome. “Super Smartcards” can be included within this group. Rather than use an external device, a super Smartcard has a display embedded into it. Super Smartcards are used for high-security applications or for applications in which the card reader does not or cannot support a keypad and display;
  • Non-ISO Contact: Interfaces include cards developed either for a specific purpose or before the ISO (International Standards Organization) 7816 standards were established. These standards redefine the Identification Physical Characteristics, and define a number of physical, mechanical, electrical and other properties of the contact and chip; and
  • ISO Contact: The interface is defined in the ISO 7816 standard, which describes the position, dimension and function of the contacts embedded on the card's face. (There are eight such contacts on the card, six of which are presently utilized.) ISO contact is the most common interface method for smart financial transaction cards. These cards include both memory-only and microprocessor cards.

    Memory-only cards store programs or data. They replace transaction vouchers, magnetic media or currency. As they contain no processing capabilities or significant security, they are often used as a stored-value card or “electronic purse” for relatively inexpensive transactions like telephone tolls, rapid-transit fares, and road tolls. Microprocessor cards, by contrast, can process data. They often replace magnetic-stripe cards, transaction vouchers, identity cards and currency. This card processes data based on procedures stored within it, including cryptographic procedures for security purposes.

    Microprocessor cards themselves come in two kinds, distinguished by their memory. Information in EPROM (erasable programmable read only memory) can be erased, and the memory can be reused, without complex processes. Once EEPROM (electrically erasable programmable read only memory) has been used, it cannot be reused without going through a process to erase the information utilizing an electronic tool. Choosing between the two kinds for use in a Smartcard comes down to economics. The EPROM card is more expensive. But the EEPROM card must be reissued once its memory has been used up.

    Besides EPROM and EEPROM, a basic Smartcard contains RAM (random access memory) and ROM (read only memory). RAM stores data temporarily during Smartcard operation; ROM contains the procedures and data required for the Smartcard to work.

    What a Smartcard can do:
    The Smartcard's generic functions include the following:
    • Data protection: Data protected against unauthorized access code;
    • Identification of the cardholder or device: Capable of validating the PIN and storing the card-reader identification in the log file;
    • Mutual authentication: Both parties - merchant and buyer - will attest to the transaction;
    • Secure writing: A log keeps track of background information on each transaction;
    • Certification or signature: PIN will serve as proof of certification or signature; and
    • Encryption: Will allow validation of PIN and identification for card-reader.

    Smartcards can be used in a number of services, including financial services; medical profile and services; government licensees; travel services; employment access and reporting; military skills and training; electronic diagnosis; automobile routing; workstation personalization; and software loading and protection.

    Among the applications for the Smartcard, the three most common kinds are the following:

    • Data carrier: The card is a convenient, portable and secure way to store data;
    • Conditional access for security: The card ensures that only authorized people enter or use a site, computer, software package or service; and
    • Financial: The card replaces credit cards, cheque books or money.

    A card is not restricted to one application, and might accommodate several functions across all three kinds of applications. Smartcard systems are either private or public. A closed user group, such as an organization's employees, uses private systems. The public uses public systems like banks or pay phones.

    A single Smartcard can support multiple functions and multiple issuers. For example, the card might be issued by a financial institution for use as a credit card, a debit card, and a means to enter an account through a home banking terminal. The financial institution might also sell the use of the card to various groups, including:

    • A retailer to support private label and frequent buyer services;
    • A rapid transit authority as a stored-value card to pay for transit fares;
    • A telecommunications supplier for phone access and charging purposes; and
    • An employer to permit employee access to secure areas.

    Using a personal identification number (PIN) along with the Smartcard means that other people might gain access through guesswork or theft. One way to prevent such unauthorized access is by using “biometrics” techniques. Here, a measurement is made of a personal trait of the authorized cardholder, and then compared with an authenticated card-stored reference. It's like making an eyeball comparison of a customer's signature and the master signature on a conventional credit card. A number of physical characteristics are being investigated for automatic personal identification (API), including: facial features; full face and profile; fingerprints; palm prints; footprints; hand geometry (shape); ear (pinna) shape; retinal blood vessels; striation of the iris; surface blood vessels (in the wrist); and electrocardiac waveforms.

    Looking to the future:
    Japanese corporations are developing company cards to serve as identification badges and time-and-attendance records. Employees use the cards to withdraw cash, reconcile travel expenses, pay for purchases in the company cafeteria and stores, and manage resources like power, light, heat and air conditioning. NTT, Japan's national telephone company, and Nissan Motors are placing Smartcards in automobiles in order to maintain a birth-to-death record of component part types and serial numbers, warranty conditions and maintenance.

    Canada and the United States have been slower to adopt Smartcards. Canada attempted to use the cards to pay unemployment insurance benefits. Instead of completing weekly reports and receiving cheques in the mail, UI recipients might have used a Smartcard in an automated teller machine that would have dispensed amounts onto the card for use in stores. Authorities also considered using Smartcards to allow consumers to pay for entry, camping and use of other facilities in Canada's national parks. Both of these potential applications failed. But one successful implementation was a pilot project in northwestern Ontario, in which the provincial health ministry tested the Smartcard for storing medical history, diagnosis and prescription information. In the United States, Smartcard applications will likely develop slowly; more education and a major corporate advocate for Smartcards are the primary requirements there.

    How will Smartcards evolve in the future? What Smartcards will not do is improve ill-conceived business procedures or fix poorly designed systems. Organizations need to fix these problems before implementing the cards. At the same time, managers must recognize that Smartcards hold the promise of raising productivity and proficiency.

    Copyright 2003 - Automated Information Management Corporation