Smart card-enabled applications are becoming more prevalent in many of today’s businesses. The financial payments industry has moved to smart cards. The majority of the regional financial organizations worldwide have mandated that financial credit and debit cards must be smart card-enabled by a specified date. Plus, there has been rapid acceptance of contactless smart card technology for fast, convenient and secure credit and debit payment.
The United States Federal government has adopted smart card technology for its major credentialing initiatives. The Department of Defense Common Access Card uses smart card technology for the credentialing of all military and civilian personnel. The Department of State uses contactless smart card technology for the electronic passport. Smart card-based identity credentials are now being issued to all Federal government employees to meet Homeland Security Presidential Directive 12. Enterprises are issuing smart ID badges to employees to secure physical and logical access. Plus, many government identity programs around the world are issuing smart card-based identity credentials to citizens.
All of these deployments see the use of smart card technology as an essential element for the integrity of their credentialing schemes. Smart cards are portable, personal security devices that can securely carry sensitive information, enable secure transactions, validate an individual’s identity within a secure system, and verify that an information requestor is authorized to access the information carried on the card. Smart cards not only maintain the integrity of the information stored on the card, but also make it available for secure interactions with the overall system.
A smart card includes an embedded secure integrated circuit (IC) that can be either a secure microcontroller with internal memory or a secure memory IC alone. The card connects to a reader with direct physical contact or with a remote contactless radio frequency (RF) interface. With an embedded microcontroller, smart cards have built-in tamper resistance and have the unique ability to securely store large amounts of data, carry out their own on-card functions (e.g., encryption and digital signatures), and interact intelligently with a smart card reader.
The smart card itself is only one component in a smart card-based system implementation. Security mechanisms are typically implemented in the card and at the operating system (OS), software, and system levels, providing layers of security to protect the system and information within the system from unauthorized access. In any smart card system implementation, the issuer needs to determine the risks that the system will be exposed to and implement the security measures necessary throughout the system to address those risks.
The government and financial payments industries have also led the way in establishing security evaluation and certification programs for the various layers of smart card security. Standardized evaluations and certifications use trusted third party labs to empirically verify that specific threats are prevented to a defined level of effectiveness, providing issuers with the confidence that certified products meet specified security requirements.
By placing a secure smart card in the hands of the user, organizations can implement a layered security architecture that addresses the expected risk of security breaches and implements an end-to-end chain of trust.
This white paper was developed by the Smart Card Alliance Contactless and Mobile Payment Council Security Work Group to provide an educational overview of the security measures designed into the smart card secure IC and of the use of these features and other system-level security measures to enhance the integrity of the overall system that is being deployed. It is intended to provide a basis of information on security considerations in smart card-based systems for those organizations that are intending to deploy smart card technology for payment, security or identity applications. The white paper answers the following questions:
- What is a secure IC and what types of secure ICs are used in smart cards?
- What security features are designed into secure memory ICs and secure microcontrollers that protect data and thwart attempted attacks?
- What is the impact of contact and contactless interfaces on security?
- What are the advantages of hardware vs. software in implementing cryptography on smart cards? How do the operating system and IC hardware countermeasures function together to enhance the overall security of the smart card IC? What levels of cryptographic algorithms are currently used in smart card deployments?
- How do smart cards fit into overall system security? How is the financial industry using smart cards to improve the security of credit and debit payments?
- What industry certifications and evaluations are available that organizations can use to gain confidence in the security implemented in various smart card products and in the interoperability of the technology among various component suppliers?
While the white paper focuses on the financial payments industry when discussing overall system security, the discussion of secure ICs, interfaces and cryptography applies to all industries and applications. Examples from other industries are included, with references provided for additional detail.
About the Contactless and Mobile Payments Council
The Contactless and Mobile Payments Council is one of several Smart Card Alliance technology and industry councils. The Council was formed to focus on facilitating the adoption of contactless and mobile payments in the U.S. through education programs for consumers, merchants and issuers. The group is bringing together financial payments industry leaders, merchants and suppliers. The Council’s primary goal is to inform and educate the market about the value of contactless and mobile payment and work to address misconceptions about the capabilities and security of contactless technology. Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.