muhammad wasim raad1 smart cards in e-payment البطاقات الذكية في أنظمة...
Post on 21-Dec-2015
214 views
TRANSCRIPT
Muhammad Wasim Raad 1
Smart Cards in E-paymentوالبيع الشراء أنظمة في الذكية البطاقات
االلكترونية
Dr Wasim RaadComputer Engineering DepartmentKing Fahad University Petroleum &
MineralsDhahran-Saudi Arabia
Muhammad Wasim Raad 2
Entities of the E-payment System
Purse Charger
(Bank or third party)
Identification Card Issuer
(Corporate or Service Provider)
Card Holder
(User)
Access Control/E-payment terminal•.Corporate secure Log in
•.Retail POS
•collecting Highway tax
Corporate Information Center
(Database)
Muhammad Wasim Raad 5
EMV فيزا ماستر يورو• Established 1999 by Europay International, Mastercard
International & VISA International
• EMV IC card Spec for payment ensures Cross payment Interoperability between Cards and terminals
• Latest version:EMV2000 version 4.0(support for lower voltage cards & contactless interface
• Currently there are greater than 200 million Mastercard, Maestro & Cirrus Chip cards worldwide( more than 80 million of these support EMV)
Muhammad Wasim Raad 6
Smart Card Market : VISA Smart Credit/Debit (CCCP)Smart Card Market : VISA Smart Credit/Debit (CCCP) Magnetic Credit Authorization Terminal Magnetic Credit Authorization Terminal
Smart Credit Authorization TerminalSmart Credit Authorization Terminal
2000. Stop manufacturing easy entry card and terminal as well Differentiate a commission rate for interchange : Chip Card versus M/S card
2002. All the new terminals should work on Visa Smart Credit/Debit card Recommendation of PIN Pad.
2005. All the new cards should be equipped with Visa Smart Credit/Debit card in functions.
2008. All the Card must be issued with functions of Visa Smart Credit/Debit Card. All the terminals must work on Smart Credit/Debit Card
2000 2002 2005 2008
Smart Card
Muhammad Wasim Raad 7
Authentication
Card Data :- SDA Certificate- Issuer Public Key Certificate
1. Card Sends : - selected card data - card data certificate - issuer public-key certificate
2. Terminal decodes issuer public key using scheme public key.3. Verifies card certificate using issuer public key4. Compares with hashed form of the card data
Scheme public key
Static Data Authentication
Muhammad Wasim Raad 8
Authentication (cont’d)• Dynamic Authentication
– Challenge-based.– The terminal issues a challenge to the card,– The card signs the card serial number and this
challenge.– The terminal verifies this signature.– The card must incorporate the public-key
encryption functions.– The private key is permanently stored in the
card and protected by physical security features.– Key management issue.
Muhammad Wasim Raad 9
Authentication (cont’d)Reset card
Answer to reset
Select Application
Send Application Data
Auth. card & terminal
Terminal risk management Request cryptogram
Card risk management Send cryptogram
(Perform online Transaction) Send Results
(Complete Transaction)
EMV Transaction Model
Muhammad Wasim Raad 10
Electronic Cash النقدااللكتروني
• Electronic cash is a general term that describes the attempts of several companies to create a value storage and exchange system that operates online in much the same way that government-issued currency operates in the physical world.
• Concerns about electronic payment methods include:– Privacy– Security– Independence– Portability– Convenience
Muhammad Wasim Raad 11
Electronic Cash Issues• Primary advantage is with purchase of items less
than £5• Credit card transaction fees make small purchases
unprofitable• Facilitates Micropayments – eg for items costing less
than £1
• Must be anonymous, just like regular currency• Safeguards must be in place to prevent
counterfeiting • Must be independent and freely transferable
regardless of nationality or storage mechanism
Muhammad Wasim Raad 13
Electronic Cash Storage
• Two methods– On-line
• Individual does not have possession personally of electronic cash
• Trusted third party, e.g. e-banking, bank holds customers’ cash accounts
– Off-line• Customer holds cash on smart card or electronic
wallet• Fraud and double spending require tamper-proof
encryption
Muhammad Wasim Raad 14
Electronic CashAdvantages• Electronic cash transactions are more efficient and less
costly than other methods.• The distance that an electronic transaction must travel
does not affect cost.• The fixed cost of hardware to handle electronic cash is
nearly zero.• Electronic cash does not require that one party have any
special authorization.
Disadvantages• Electronic cash provides no audit trail.• Because true electronic cash is not traceable, money
laundering is a problem.• Electronic cash is susceptible to forgery.• So far, electronic cash is a commercial flop.
Muhammad Wasim Raad 16
ePayment by Smart Card• Replace cash• Cash is expensive to make and use
– Printing, replacement– Anti-counterfeiting measures– Transportation– Security
• Cash is inconvenient– not machine-readable– humans carry limited amount– risk of loss, theft
• Additional smart card benefits
Muhammad Wasim Raad 17
How does E-Purse How does E-Purse Work?Work?
• E-purses are usually issued by banks to their customers
• Money is loaded into the e-purse by transfer from cardholder’s bank account using: ATM, or public payphone, or a home smart phone, a mobile phone or through internet
• Once cardholder has chosen goods, he inserts card into POS and money is debited
Muhammad Wasim Raad 19
E-purse benefits• No need to carry loose change to buy
newspaper or use vending machine• more convenient than checks and debit
cards for small transactions• Offer user more privacy and freedom
from recording expenditures in check book
• Attractive to merchants: Saves time
Muhammad Wasim Raad 20
Magnetic, Credit/Debit Card
EMV Smart Card
Electronic Purse : MONDEX, CEPS, KEP,
Ministry of Commerce, Industry & Energy
Electronic Purse
EFT-POS
1) KEP (Korean Electronic Purse)
Korea Financial Telecommunications & Clearings Institute
2) Mondex Electronic Purse
Cheju Island (Resort) Project
ASEM Project
Muhammad Wasim Raad 22
6Smart Cards & ecommerceااللكترونية والتجارة الذكية البطاقات
Multi Channel Access
Muhammad Wasim Raad 24
What Is The Octopus?
• A pre-paid stored value card utilizing contactless smart card technology
• Operates within wallet/purse for up to 10cm
• Less than 1/3 second transaction time
Muhammad Wasim Raad 25
Octopus Applications• Public Transport and related
– 3 railways, 6000 buses, ferries, Peak Tram, Tramways, public light bus
– Car parks
– Parking meters
Muhammad Wasim Raad 27
Octopus Applications• Recreational facilities
– Public swimming pools– Racecourses
• Non-payment service– Access Control for residential estates– School Attendance
Muhammad Wasim Raad 28
Octopus• Transaction time < 300 milliseconds• Transaction fees: HK$0.02 + 0.75%
– $10 transaction costs $0.095 (0.95%)
• Applications– Transit– Telephones– Road tolls– Point-of-sale– Access control
• Anonymous / personalized• How does money get to service providers?
– Net settlement system operated by Creative Star
Muhammad Wasim Raad 29
M(obile)-Payments – the future?
“Analysts believe that easy mobile payment is one of the main prerequisites for the success of m-commerce. When the mobile phone can function as an electronic wallet for mobile payments, including micropayments, application developers will find it attractive to introduce new mobile communication services to the market. Examples include mobile entertainment (downloads of music, mobile gambling, etc.), information services (sports news, horoscopes, location-based services, etc.), and real-world services (paying parking fees, buying train or concert tickets, etc.). Network operators envision micropayments as an attractive business that does not compete with banks or credit card companies. For the end user, PayCircle will make m-commerce easy and secure and thus eliminate the major hurdles to widespread adoption and popularity.”
PayCircle.org Press release Jan 23rd 2002
Muhammad Wasim Raad 30
Payment Cards
• 8-128 Kb• Data rate 115 Kb/sec
• ISO 7816 compliant • Visa-certified• PIN management and verification
• 3DES algorithm for authentication, secure messaging
• Epurse with payment command set (debit,credit, balance, floor limit management)
SOURCE: GEMPLUS
EMV =EUROPAY INT’L,MASTERCARD,VISA
MPCOS =MULTI PAYMENT CHIPOPERATING SYSTEM
Muhammad Wasim Raad 31
Can Smart Cards Support Multi-Applications?
• Capability to download independent Applets, securely Isolated(Java Card)
• Example: A card may contain Individual’s driver’s license, multiple credit card & bank accounts, stored value for company cafeteria, & health records
• A police officer’s card reader can read driver’s license info, but not bank account
Muhammad Wasim Raad 32
The Java Simtoolkit • Since 3KB SIM memory has increased
to 8KB, 32KB and lately to 64KB• SIM Application toolkit explores full
potential smart cards• Spec defines commands and
proceduresfor running handset independent SIMtoolkit applications
• Produces extra revenue through ( mobile banking, stock trading, games, emails,…)
Muhammad Wasim Raad 33
France Telecom first launch of Sim toolkit
developped by Gemplus
• Operators can give end-users access to many on screen services
• Fast user-friendly access to the latest news, weather report or practical details on traffic finance and leasure
• Subscribers can update their selection and gain access to new services
• Java applets can be downloaded using SMS or internet
Muhammad Wasim Raad 35
Providing Value Added services
• GSM Cellnet and Barclaycard developped wireless finantial service smart card
• SIM activates user’s Cellnet GSM phone• Provides a Barclay services menu
Muhammad Wasim Raad 36
Swedish Bank Utility Bill Payment
• SIM card allows users to access service by menu navigation
• Users can pay their utility bills away from home by keying information such as origin and destination bank account numbers
Muhammad Wasim Raad 37
Hong Kong Smart Cards• Octopus
–8 million cards, 9000 readers–7 million transactions/day
• Visacash• ComPass Visa (VME)• Mondex• GSM SIM• ePark
Muhammad Wasim Raad 38
Mondex
• Smart-card-based, stored-value card (SVC)• Subsidiary of MasterCard• NatWest (National Westminister Bank, UK) et al.• Secret chip-to-chip transfer protocol• Value is not in strings alone; must be on Mondex
card• Loaded through ATM
– ATM does not know transfer protocol; connects with secure device at bank
• Spending at merchants having a Mondex value transfer terminal
Muhammad Wasim Raad 39
Mondex
• Subsidiary of MasterCard• Smart-card-based, stored-value card (SVC)• NatWest (National Westminister Bank, UK) et al.• Secret chip-to-chip transfer protocol• Value is not in strings alone; must be on Mondex
card• Loaded through ATM
–ATM does not know transfer protocol; connects with secure device at bank
• Spending at merchants having a Mondex value transfer terminal
Muhammad Wasim Raad 40
Mondex Smart Card• Holds and dispenses electronic cash• Developed by MasterCard International• Requires specific card reader for
merchant or customer to use card over Internet
• Supports micropayments as small as 2p and works both online and off-line at stores or over the telephone
Muhammad Wasim Raad 43
Mondex Security• Active and dormant security software
–Security methods constantly changing–ITSEC E6 level (military)
• VTP (Value Transfer Protocol)–Globally unique card numbers–Globally unique transaction numbers–Challenge-response user identification–Digital signatures
• MULTOS operating system–firewalls on the chip
Muhammad Wasim Raad 44
Mondex Smart Card• Disadvantages
– Card carries real cash in electronic form, creating the possibility of theft
– No deferred payment as with credit cards -cash is dispensed immediately
– Trialled in Swindon but not taken up
Muhammad Wasim Raad 45
Mondex Components (Hitachi)
Cashless ATM Electronic Cash RegisterPCMCIA Reader/Writer
ElectronicWallet
Key FobBalanceReader
SOURCE: HITACHI
Muhammad Wasim Raad 52
Proximity Solutions for MULTOS
2 types of MULTOS “Dual-Interface” cards – supporting communication with the chip via both the contact plate and the contactless interface based on Proximity Standard - ISO 14443
Hitachi/DNP Contactless MULTOS: 36K EEPROM, Type B contactless interface, Available now
Supports both versions of Paypass transaction (contactless M/Chip 4, or Contactless Track 2 data) and in fact can execute ANY existing MULTOS application over the contactless interface.
Keycorp / Philips Contactless MULTOS, 16K EEPROM, MIFARE Type A contactless interface, Prototypes available now
Supports Mifare ticketing only. Full contactless MULTOS application execution planned for Q3 2004
250K issued for 250K issued for Japan Residential Japan Residential
ID cardID card
Muhammad Wasim Raad 53
Visa Wave• First Commercial
Visa contact less card Global Platform EMV
• Visa debit/credit for more than 2000 consumer
Muhammad Wasim Raad 54
Electronic Payment Evolution in the U.S.
Credit card acceptance by retailers
Zip zap machine
Negative card list
First plastic First plastic credit card was credit card was
introducedintroduced
Online Authorization
Draft capture
Electronic settlement
Online credit & debit
2004 Results:
Electronic Payment – 36%
Cash & Checks – 64%
Magnetic Stripe Magnetic Stripe card was card was
IntroducedIntroduced
Online credit & debit
Speed, convenience, & reward to drive cash replacement faster
Differentiating payment services
Enriched consumer shopping experience
Possible Objective by 2010:
Electronic Payment – 70%
Cash & Checks – 30%
Contactless payment solution Contactless payment solution was introduced in 2002was introduced in 2002
Muhammad Wasim Raad 55
Electronic Payment Evolution in the U.S.
Credit card acceptance by retailers
Zip zap machine
Negative card list
First plastic First plastic credit card was credit card was
introducedintroduced
Online Authorization
Draft capture
Electronic settlement
Online credit & debit
2004 Results:
Electronic Payment – 36%
Cash & Checks – 64%
Magnetic Stripe Magnetic Stripe card was card was
IntroducedIntroduced
Online credit & debit
Speed, convenience, & reward to drive cash replacement faster
Differentiating payment services
Enriched consumer shopping experience
Possible Objective by 2010:
Electronic Payment – 70%
Cash & Checks – 30%
Contactless payment solution Contactless payment solution was introduced in 2002was introduced in 2002
Muhammad Wasim Raad 56
ViVOpay Contactless Readers for POS
• ViVOtech has shipped 100,000 contactless readers in last 18 months. Mostly in the U.S.
ViVOpay 3000 ViVOpay Drive ThruViVOpay 4000
Box Office Window
Muhammad Wasim Raad 57
ViVOwallet Software for NFC Phone
ViVOwallet is a Software Utility that turns an NFC-enabled Mobile Phone into a Payment Device
Supports a standard credit card in form of a “soft card”.
Provisioning via OTA (Over The Air) transmission
Makes it work with 10’s of thousands of contactless readers being deployed
Muhammad Wasim Raad 61
Smart Cards Will Play an Important Role In
Ecommerce:• Provide a secure storage for digital
certificates and personal identification• Convenience-Multifunction Card like the JAVA
Card and very portable• Log recent activities• Can Provide automatic Logins to designated
websites without having to remember passwords and login procedures
• Suitable for payment over the internet