Smart Cards in E-payment (Smart Cards in Electronic Buying and Selling Systems)

Dr Wasim Raad, Computer Engineering Department, King Fahd University of Petroleum & Minerals, Dhahran, Saudi Arabia

Post on 21-Dec-2015



Entities of the E-payment System

• Purse Charger (Bank or third party)
• Identification Card Issuer (Corporate or Service Provider)
• Card Holder (User)
• Access Control/E-payment terminal
  – Corporate secure log in
  – Retail POS
  – Collecting highway tax
• Corporate Information Center (Database)

System Requirements

• Privacy
• Security
• Support multi-application

EMV (Europay, Mastercard, Visa)

• Established 1999 by Europay International, Mastercard International & VISA International
• EMV IC card spec for payment ensures cross payment interoperability between cards and terminals
• Latest version: EMV2000 version 4.0 (support for lower voltage cards & contactless interface)
• Currently there are greater than 200 million Mastercard, Maestro & Cirrus chip cards worldwide (more than 80 million of these support EMV)

Smart Card Market: VISA Smart Credit/Debit (CCCP)

Magnetic Credit Authorization Terminal
Smart Credit Authorization Terminal

• 2000: Stop manufacturing easy entry cards and terminals as well. Differentiate the commission rate for interchange: chip card versus M/S card.
• 2002: All new terminals should work with the Visa Smart Credit/Debit card. Recommendation of PIN pad.
• 2005: All new cards should be equipped with Visa Smart Credit/Debit card functions.
• 2008: All cards must be issued with the functions of the Visa Smart Credit/Debit card. All terminals must work with the Smart Credit/Debit card.

Authentication: Static Data Authentication

Card data:
– SDA certificate
– Issuer public key certificate

Scheme public key

1. Card sends:
   – selected card data
   – card data certificate
   – issuer public-key certificate
2. Terminal decodes issuer public key using scheme public key.
3. Verifies card certificate using issuer public key.
4. Compares with hashed form of the card data.

Authentication (cont’d)

• Dynamic Authentication
  – Challenge-based.
  – The terminal issues a challenge to the card.
  – The card signs the card serial number and this challenge.
  – The terminal verifies this signature.
  – The card must incorporate the public-key encryption functions.
  – The private key is permanently stored in the card and protected by physical security features.
  – Key management issue.
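The static and dynamic authentication steps listed above, carried through in code as an added example that is not part of the original slides. Assumptions: toy RSA keys built from Mersenne primes, SHA-256, a simplified recoverable certificate in place of EMV's ISO/IEC 9796-2 format, the card's public modulus carried inside the issuer-signed static data, and all function and constant names, which are hypothetical.

```python
import hashlib, secrets
E = 65537  # public exponent shared by all toy keys

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2^a-1 and 2^b-1 (constructed, NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

SCHEME_N, SCHEME_D = keypair(1279, 2203)  # scheme key; terminals hold SCHEME_N
ISSUER_N, ISSUER_D = keypair(521, 607)    # issuer key, certified by the scheme
CARD_N, CARD_D = keypair(107, 127)        # card key; CARD_D never leaves the chip

def certify(value, d, n):
    """Recoverable certificate: RSA-sign value || SHA-256(value)."""
    return pow((value << 256) | h(str(value).encode()), d, n)

def recover(cert, n):
    """Decode a certificate with the signer's public key; None if the check fails."""
    block = pow(cert, E, n)
    value, digest = block >> 256, block & (2**256 - 1)
    return value if h(str(value).encode()) == digest else None

# Personalisation with constructed sample data. Assumption: the card's public
# modulus is part of the issuer-signed static data, so SDA also vouches for it.
SERIAL = b"CARD-0001"
CARD_DATA = SERIAL + b"|" + str(CARD_N).encode()
ISSUER_CERT = certify(ISSUER_N, SCHEME_D, SCHEME_N)
SDA_CERT = pow(h(CARD_DATA), ISSUER_D, ISSUER_N)

def sda_verify(card_data, sda_cert, issuer_cert):
    issuer_n = recover(issuer_cert, SCHEME_N)  # step 2: decode issuer key
    # steps 3 and 4: open the card certificate, compare with the data hash
    return issuer_n is not None and pow(sda_cert, E, issuer_n) == h(card_data)

def card_sign(challenge):  # runs inside the card: signs serial + challenge
    return pow(h(SERIAL + challenge) % CARD_N, CARD_D, CARD_N)

def dda_verify(serial, challenge, sig, card_n):
    return pow(sig, E, card_n) == h(serial + challenge) % card_n

def terminal_session():
    """SDA, then DDA with a fresh challenge against the SDA-authenticated card key."""
    serial, card_n = CARD_DATA.split(b"|")
    challenge = secrets.token_bytes(8)
    return (sda_verify(CARD_DATA, SDA_CERT, ISSUER_CERT)
            and dda_verify(serial, challenge, card_sign(challenge), int(card_n)))
```

Altered card data or an altered issuer certificate fails the static check, and a signature produced for one challenge does not verify against a different one.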

Authentication (cont’d): EMV Transaction Model

1. Reset card
2. Answer to reset
3. Select application
4. Send application data
5. Auth. card & terminal
6. Terminal risk management; request cryptogram
7. Card risk management; send cryptogram
8. (Perform online transaction) Send results
9. (Complete transaction)

Electronic Cash

• Electronic cash is a general term that describes the attempts of several companies to create a value storage and exchange system that operates online in much the same way that government-issued currency operates in the physical world.
• Concerns about electronic payment methods include:
  – Privacy
  – Security
  – Independence
  – Portability
  – Convenience

Electronic Cash Issues

• Primary advantage is with purchase of items less than £5
• Credit card transaction fees make small purchases unprofitable
• Facilitates micropayments, e.g. for items costing less than £1
• Must be anonymous, just like regular currency
• Safeguards must be in place to prevent counterfeiting
• Must be independent and freely transferable regardless of nationality or storage mechanism


Electronic Cash Storage

• Two methods
  – On-line
    • Individual does not have possession personally of electronic cash
    • Trusted third party, e.g. e-banking, bank holds customers’ cash accounts
  – Off-line
    • Customer holds cash on smart card or electronic wallet
    • Fraud and double spending require tamper-proof encryption

Electronic Cash

Advantages
• Electronic cash transactions are more efficient and less costly than other methods.
• The distance that an electronic transaction must travel does not affect cost.
• The fixed cost of hardware to handle electronic cash is nearly zero.
• Electronic cash does not require that one party have any special authorization.

Disadvantages
• Electronic cash provides no audit trail.
• Because true electronic cash is not traceable, money laundering is a problem.
• Electronic cash is susceptible to forgery.
• So far, electronic cash is a commercial flop.

ePayment by Smart Card

• Replace cash
• Cash is expensive to make and use
  – Printing, replacement
  – Anti-counterfeiting measures
  – Transportation
  – Security
• Cash is inconvenient
  – not machine-readable
  – humans carry limited amount
  – risk of loss, theft
• Additional smart card benefits

How does E-Purse Work?

• E-purses are usually issued by banks to their customers

• Money is loaded into the e-purse by transfer from cardholder’s bank account using: ATM, or public payphone, or a home smart phone, a mobile phone or through internet

• Once cardholder has chosen goods, he inserts card into POS and money is debited

Examples Of E-Purse

• Mondex
• Visa Cash
• Digi Cash
• Cyber Coin

E-purse benefits

• No need to carry loose change to buy newspaper or use vending machine
• More convenient than checks and debit cards for small transactions
• Offer user more privacy and freedom from recording expenditures in check book
• Attractive to merchants: saves time

Magnetic, Credit/Debit Card

EMV Smart Card

Electronic Purse : MONDEX, CEPS, KEP,

Ministry of Commerce, Industry & Energy

Electronic Purse

EFT-POS

1) KEP (Korean Electronic Purse)

Korea Financial Telecommunications & Clearings Institute

2) Mondex Electronic Purse

Cheju Island (Resort) Project

ASEM Project

Smart Cards & ecommerce

Multi Channel Access

Smart cards in ecommerce

Amex Blue

What Is The Octopus?

• A pre-paid stored value card utilizing contactless smart card technology

• Operates within wallet/purse for up to 10cm

• Less than 1/3 second transaction time

Octopus Applications

• Public Transport and related
  – 3 railways, 6000 buses, ferries, Peak Tram, Tramways, public light bus
  – Car parks
  – Parking meters

Octopus in Off-Street Car Parks

Octopus Applications

• Recreational facilities
  – Public swimming pools
  – Racecourses
• Non-payment service
  – Access Control for residential estates
  – School Attendance

Octopus

• Transaction time < 300 milliseconds
• Transaction fees: HK$0.02 + 0.75%
  – $10 transaction costs $0.095 (0.95%)
• Applications
  – Transit
  – Telephones
  – Road tolls
  – Point-of-sale
  – Access control
• Anonymous / personalized
• How does money get to service providers?
  – Net settlement system operated by Creative Star

M(obile)-Payments – the future?

“Analysts believe that easy mobile payment is one of the main prerequisites for the success of m-commerce. When the mobile phone can function as an electronic wallet for mobile payments, including micropayments, application developers will find it attractive to introduce new mobile communication services to the market. Examples include mobile entertainment (downloads of music, mobile gambling, etc.), information services (sports news, horoscopes, location-based services, etc.), and real-world services (paying parking fees, buying train or concert tickets, etc.). Network operators envision micropayments as an attractive business that does not compete with banks or credit card companies. For the end user, PayCircle will make m-commerce easy and secure and thus eliminate the major hurdles to widespread adoption and popularity.”

PayCircle.org Press release Jan 23rd 2002

Payment Cards

• 8-128 Kb
• Data rate 115 Kb/sec
• ISO 7816 compliant
• Visa-certified
• PIN management and verification
• 3DES algorithm for authentication, secure messaging
• Epurse with payment command set (debit, credit, balance, floor limit management)

SOURCE: GEMPLUS

EMV = EUROPAY INT’L, MASTERCARD, VISA
MPCOS = MULTI PAYMENT CHIP OPERATING SYSTEM

Can Smart Cards Support Multi-Applications?

• Capability to download independent applets, securely isolated (Java Card)

• Example: A card may contain Individual’s driver’s license, multiple credit card & bank accounts, stored value for company cafeteria, & health records

• A police officer’s card reader can read driver’s license info, but not bank account

The Java SIM Toolkit

• SIM memory has increased from 3KB to 8KB, 32KB and lately to 64KB
• SIM Application Toolkit explores the full potential of smart cards
• Spec defines commands and procedures for running handset-independent SIM Toolkit applications
• Produces extra revenue through mobile banking, stock trading, games, emails, …

France Telecom: first launch of SIM Toolkit, developed by Gemplus

• Operators can give end-users access to many on-screen services
• Fast, user-friendly access to the latest news, weather report or practical details on traffic, finance and leisure
• Subscribers can update their selection and gain access to new services
• Java applets can be downloaded using SMS or internet

Providing Value Added Services

• GSM Cellnet and Barclaycard developed a wireless financial service smart card
• SIM activates user’s Cellnet GSM phone
• Provides a Barclay services menu

Swedish Bank Utility Bill Payment

• SIM card allows users to access service by menu navigation

• Users can pay their utility bills away from home by keying information such as origin and destination bank account numbers

Hong Kong Smart Cards

• Octopus
  – 8 million cards, 9000 readers
  – 7 million transactions/day
• Visacash
• ComPass Visa (VME)
• Mondex
• GSM SIM
• ePark

Mondex

• Smart-card-based, stored-value card (SVC)
• Subsidiary of MasterCard
• NatWest (National Westminster Bank, UK) et al.
• Secret chip-to-chip transfer protocol
• Value is not in strings alone; must be on Mondex card
• Loaded through ATM
  – ATM does not know transfer protocol; connects with secure device at bank
• Spending at merchants having a Mondex value transfer terminal

Mondex Smart Card

• Holds and dispenses electronic cash
• Developed by MasterCard International
• Requires specific card reader for merchant or customer to use card over Internet
• Supports micropayments as small as 2p and works both online and off-line at stores or over the telephone

Mondex Overview

SOURCES: OKI, MONDEX USA

Mondex Security

• Active and dormant security software
  – Security methods constantly changing
  – ITSEC E6 level (military)
• VTP (Value Transfer Protocol)
  – Globally unique card numbers
  – Globally unique transaction numbers
  – Challenge-response user identification
  – Digital signatures
• MULTOS operating system
  – firewalls on the chip

Mondex Smart Card

• Disadvantages
  – Card carries real cash in electronic form, creating the possibility of theft
  – No deferred payment as with credit cards: cash is dispensed immediately
  – Trialled in Swindon but not taken up

Mondex Components (Hitachi)

• Cashless ATM
• Electronic Cash Register
• PCMCIA Reader/Writer
• Electronic Wallet
• Key Fob Balance Reader

SOURCE: HITACHI

Proximity Solutions for MULTOS

2 types of MULTOS “Dual-Interface” cards – supporting communication with the chip via both the contact plate and the contactless interface based on Proximity Standard - ISO 14443

Hitachi/DNP Contactless MULTOS: 36K EEPROM, Type B contactless interface, Available now

Supports both versions of Paypass transaction (contactless M/Chip 4, or Contactless Track 2 data) and in fact can execute ANY existing MULTOS application over the contactless interface.

Keycorp / Philips Contactless MULTOS, 16K EEPROM, MIFARE Type A contactless interface, Prototypes available now

Supports Mifare ticketing only. Full contactless MULTOS application execution planned for Q3 2004

250K issued for Japan Residential ID card

Visa Wave

• First commercial Visa contactless card; Global Platform, EMV
• Visa debit/credit for more than 2000 consumers

Electronic Payment Evolution in the U.S.

Credit card acceptance by retailers

Zip zap machine

Negative card list

First plastic credit card was introduced

Online Authorization

Draft capture

Electronic settlement

Online credit & debit

2004 Results:

Electronic Payment – 36%

Cash & Checks – 64%

Magnetic Stripe card was introduced

Online credit & debit

Speed, convenience, & reward to drive cash replacement faster

Differentiating payment services

Enriched consumer shopping experience

Possible Objective by 2010:

Electronic Payment – 70%

Cash & Checks – 30%

Contactless payment solution was introduced in 2002

ViVOpay Contactless Readers for POS

• ViVOtech has shipped 100,000 contactless readers in last 18 months. Mostly in the U.S.

ViVOpay 3000, ViVOpay Drive Thru, ViVOpay 4000, Box Office Window

ViVOwallet Software for NFC Phone

ViVOwallet is a Software Utility that turns an NFC-enabled Mobile Phone into a Payment Device

Supports a standard credit card in form of a “soft card”.

Provisioning via OTA (Over The Air) transmission

Makes it work with 10’s of thousands of contactless readers being deployed

Wireless Card Authorization

SOURCE: SAMSUNG

Multi-application smart card example

Case Studies

Smart Cards Will Play an Important Role in Ecommerce:

• Provide a secure storage for digital certificates and personal identification
• Convenience: multifunction card like the Java Card, and very portable
• Log recent activities
• Can provide automatic logins to designated websites without having to remember passwords and login procedures
• Suitable for payment over the internet

Conclusion

– With EMV expected to move to Smart Cards by 2007, huge boom expected.
– Cards will become truly multifunctional.
– Application downloading.
– Interoperability issue solved.