Contactless smart card

Last updated May 02, 2024

A contactless smart card is a contactless credential whose dimensions are credit card size. Its embedded integrated circuits can store (and sometimes process) data and communicate with a terminal via NFC. Commonplace uses include transit tickets, bank cards and passports.

There are two broad categories of contactless smart cards. Memory cards contain non-volatile memory storage components, and perhaps some specific security logic. Contactless smart cards contain read-only RFID called CSN (Card Serial Number) or UID, and a re-writeable smart card microchip that can be transcribed via radio waves.

Overview

A contactless smart card is characterized as follows:

Dimensions are normally credit card size. The ID-1 of ISO/IEC 7810 standard defines them as 85.60 × 53.98 × 0.76 mm (3.370 × 2.125 × 0.030 in).^[1]
Contains a security system with tamper-resistant properties (e.g. a secure cryptoprocessor, secure file system, human-readable features) and is capable of providing security services (e.g. confidentiality of information in the memory).
Assets managed by way of a central administration systems, or applications, which receive or interchange information with the card, such as card hotlisting and updates for application data.
Card data is transferred via radio waves to the central administration system through card read-write devices, such as point of sales devices, doorway access control readers, ticket readers, ATMs, USB-connected desktop readers, etc.

Benefits

Contactless smart cards can be used for identification, authentication, and data storage.^[2] They also provide a means of effecting business transactions in a flexible, secure, standard way with minimal human intervention.

History

Contactless smart cards were first used for electronic ticketing in 1995 in Seoul, South Korea.^[3]^[4]

Since then, smart cards with contactless interfaces have been increasingly popular for payment and ticketing applications such as mass transit. Globally, contactless fare collection is being employed for efficiencies in public transit. The various standards emerging are local in focus and are not compatible, though the MIFARE Classic card from Philips has a large market share in the United States and Europe.

In more recent times, Visa and MasterCard have agreed to standards for general "open loop" payments on their networks, with millions of cards deployed in the U.S.,^[5] in Europe and around the world.

Smart cards are being introduced in personal identification and entitlement schemes at regional, national, and international levels. Citizen cards, drivers’ licenses, and patient card schemes are becoming more prevalent. In Malaysia, the compulsory national ID scheme MyKad includes 8 different applications and is rolled out for 18 million users. Contactless smart cards are being integrated into ICAO biometric passports to enhance security for international travel.

With the COVID-19 pandemic, demand for and usage of contactless credit and debit cards has increased, although coins and banknotes are generally safe and this technology will thus not reduce the spread of the virus.

Readers

Contactless smart card readers use radio waves to communicate with, and both read and write data on a smart card. When used for electronic payment, they are commonly located near PIN pads, cash registers and other places of payment. When the readers are used for public transit they are commonly located on fare boxes, ticket machines, turnstiles, and station platforms as a standalone unit. When used for security, readers are usually located to the side of an entry door.

Novosibirsk (Russia). Transport fare collection terminal CFT
Smart card being used to pay for public transportation in the Helsinki area
An electronic ticket machine used to read prepaid cards and issue tickets in Mumbai

Technology

RF smart card schematic RF-Smartcard.svg — RF smart card schematic

A contactless smart card is a card in which the chip communicates with the card reader through an induction technology similar to that of an RFID (at data rates of 106 to 848 kbit/s). These cards require only close proximity to an antenna to complete a transaction. They are often used when transactions must be processed quickly or hands-free, such as on mass transit systems, where a smart card can be used without even removing it from a wallet.

The standard for contactless smart card communications is ISO/IEC 14443. It defines two types of contactless cards ("A" and "B")^[6] and allows for communications at distances up to 10 cm (3.9 in)^{[ citation needed ]}. There had been proposals for ISO/IEC 14443 types C, D, E, F and G that have been rejected by the International Organization for Standardization. An alternative standard for contactless smart cards is ISO/IEC 15693, which allows communications at distances up to 50 cm (1.6 ft).

Examples of widely used contactless smart cards are Seoul's Upass (1996), Malaysia Touch 'n Go card (1997), Hong Kong's Octopus card, Shanghai's Public Transportation Card (1999), Paris's Navigo card, Japan Rail's Suica Card (2001), Singapore's EZ-Link, Taiwan's EasyCard, San Francisco Bay Area's Clipper Card (2002), London's Oyster card, Beijing's Municipal Administration and Communications Card (2003), South Korea's T-money, Southern Ontario's Presto card, India's More Card, Israel's Rav-Kav Card (2008), Melbourne's Myki card and Sydney's Opal card which predate the ISO/IEC 14443 standard. The following tables list smart cards used for public transportation and other electronic purse applications.

A related contactless technology is RFID (radio frequency identification). In certain cases, it can be used for applications similar to those of contactless smart cards, such as for electronic toll collection. RFID devices usually do not include writeable memory or microcontroller processing capability as contactless smart cards often do.^{[ dubious – discuss ]}

There are dual-interface cards that implement contactless and contact interfaces on a single card with some shared storage and processing. An example is Porto's multi-application transport card, called Andante, that uses a chip in contact and contactless (ISO/IEC 14443 type B) mode.

Like smart cards with contacts, contactless cards do not have a battery. Instead, they use a built-in inductor, using the principle of resonant inductive coupling, to capture some of the incident electromagnetic signal, rectify it, and use it to power the card's electronics.

Communication protocols

Communication protocols
Name	Description
ISO/IEC 14443	APDU transmission via the protocol defined in ISO/IEC 14443-4^[7]

Applications

Transportation

Since the start of using the Seoul Transportation Card, numerous cities have moved to the introduction of contactless smart cards as the fare media in an automated fare collection system.^{[ citation needed ]}

In a number of cases these cards carry an electronic wallet as well as fare products, and can be used for low-value payments.

Contactless bank cards

Starting around 2005, a major application of the technology has been contactless payment credit and debit cards. Some major examples include:

ExpressPay – American Express
MasterCard Contactless (formerly PayPass) – MasterCard
Visa Contactless (formerly payWave) – Visa
QuickPass – UnionPay
JCB Contactless (formerly J/Speedy), QUICPay (not compatible with EMV Contactless/ISO/IEC 14443) – JCB
RuPay Contactless - RuPay
Zip – Discover

Roll-outs started in 2005 in the United States, and in 2006 in some parts of Europe and Asia (Singapore).^[9] In the U.S., contactless (non PIN) transactions cover a payment range of ~$5–$100.

In general there are two classes of contactless bank cards: magnetic stripe data (MSD) and contactless EMV.

Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only distributed in the U.S. Payment occurs in a similar fashion to mag-stripe, without a PIN and often in off-line mode (depending on parameters of the terminal). The security level of such a transaction is better than a mag-stripe card, as the chip cryptographically generates a code which can be verified by the card issuer's systems.

Contactless EMV cards have two interfaces (contact and contactless) and work as a normal EMV card via their contact interface. The contactless interface provides similar data to a contact EMV transaction, but usually a subset of the capabilities (e.g. usually issuers will not allow balances to be increased via the contactless interface, instead requiring the card to be inserted into a device which uses the contact interface). EMV cards may carry an "offline balance" stored in their chip, similar to the electronic wallet or "purse" that users of transit smart cards are used to.

Identification

A quickly growing application is in digital identification cards. In this application, the cards are used for authentication of identity. The most common example is in conjunction with a PKI. The smart card will store an encrypted digital certificate issued from the PKI along with any other relevant or needed information about the card holder. Examples include the U.S. Department of Defense (DoD) Common Access Card (CAC), and the use of various smart cards by many governments as identification cards for their citizens. When combined with biometrics, smart cards can provide two- or three-factor authentication. Smart cards are not always a privacy-enhancing technology, for the subject carries possibly incriminating information about him all the time. By employing contactless smart cards, that can be read without having to remove the card from the wallet or even the garment it is in, one can add even more authentication value to the human carrier of the cards.

Other

The Malaysian government uses smart card technology in the identity cards carried by all Malaysian citizens and resident non-citizens. The personal information inside the smart card (called MyKad) can be read using special APDU commands.^[10]

Security

Smart cards have been advertised as suitable for personal identification tasks, because they are engineered to be tamper resistant. The embedded chip of a smart card usually implements some cryptographic algorithm. However, there are several methods of recovering some of the algorithm's internal state.

Differential power analysis

Differential power analysis^[11] involves measuring the precise time and electric current ^{[ dubious – discuss ]} required for certain encryption or decryption operations. This is most often used against public key algorithms such as RSA in order to deduce the on-chip private key, although some implementations of symmetric ciphers can be vulnerable to timing or power attacks as well.

Physical disassembly

Smart cards can be physically disassembled by using acid, abrasives, or some other technique to obtain direct, unrestricted access to the on-board microprocessor. Although such techniques obviously involve a fairly high risk of permanent damage to the chip, they permit much more detailed information (e.g. photomicrographs of encryption hardware) to be extracted.

Eavesdrop on NFC communication

Short distance (≈10 cm. or 4″) is required for supplying power. The radio frequency, however, can be eavesdropped within several meters once powered-up.^[12]

Concerns

Failure rate: The plastic card in which the chip is embedded is fairly flexible, and the larger the chip, the higher the probability of breaking. Smart cards are often carried in wallets or pockets — a fairly harsh environment for a chip. However, for large banking systems, the failure-management cost can be more than offset by the fraud reduction. A card enclosure may be used as an alternative to help prevent the smart card from failing.
Privacy: Using a smart card for mass transit presents a risk for privacy, because such a system enables the mass transit operator, the banks, and the authorities, to track the movement of individuals. The same argument can be made for banks tracking retail payments. Such information was used in the investigation of the Myyrmanni bombing.
Theft and fraud: Contactless technology does not necessarily prevent use of a PIN for authentication of the user, but it is common for low value transactions (bank credit or debit card purchase, or public transport fare payment) not to require a PIN. This may make such cards more likely to be stolen, or used fraudulently by the finder of someone else's lost card.
Use abroad: Inland data networks quickly convey information between terminals and central banking systems, such that contactless payment limits may be monitored and managed. This may not be possible with use of such cards when abroad.^{[ citation needed ]}
Multiple cards detection: When two or more contactless cards are in close proximity the system may have difficulty determining which card is intended to be used. The card-reader may charge the incorrect card or reject both.^[13] This is generally only an issue where a service provider uses a payment card to facilitate access - eg a wallet containing a parking lot access card, an apartment building entry card and various contactless payment cards can usually be used on entry to a car park or whatever - the car park entry system can detect its own card in the wallet and open the barrier. In a retail shop, however, it is advisable to remove the individual contactless card from the wallet when making a payment. At the very least this gives the cardholder the opportunity to communicate which card they intend to be used to make payment. It is an issue of the card identifying a subscription -v- payment by transaction.^{[ clarification needed ]}

Notes

↑ "ISO/IEC 7810:2003 Identification cards — Physical characteristics". Archived from the original on 2012-05-24. Retrieved 2012-11-03.
↑ Multi-application Smart Cards. Cambridge University Press.
↑ Ugo, Chirico (2014-05-21). Smart card programming : a comprehensive guide to smart card programming in C/C++, Java, C#, VB.NET (Second ed.). [Place of publication not identified]. ISBN 978-1291610505. OCLC 922633321.{{cite book}}: CS1 maint: location missing publisher (link)
↑ "4th Asian Transport Revenue Collection Forum". Asia Pacific Smart Card Association. 2010. Archived from the original on 2018-07-23. Retrieved 2013-04-10.
↑ "Smartcard Alliance FAQ on contactless bank cards". Archived from the original on 2013-02-02. Retrieved 2011-11-14.
↑ "ISO/IEC 14443-2:2001 Identification cards – Contactless integrated circuit(s) cards – Proximity cards – Part 2: Radio frequency power and signal interface". Archived from the original on 2016-08-17. Retrieved 2012-11-03.
↑ "ISO/IEC 14443-4:2008 Identification cards – Contactless integrated circuit cards – Proximity cards – Part 4: Transmission protocol". Archived from the original on 2016-10-14. Retrieved 2012-11-03.
↑ Zankl, Andreas (March 2014). Security and Privacy in an RFID-based Electronic Payment System. Graz University of Technology. Archived from the original on 2 January 2020. Retrieved 16 September 2019.
↑ "ComfortDelgro introduces contactless credit card payment". contactless credit card payment. Archived from the original on 2011-06-28. Retrieved 2011-08-18.
↑ "MyKad website". Archived from the original on 2019-07-12. Retrieved 2011-03-17.
↑ Power Analysis Attacks. Springer.
↑ Werner Koch (13 December 2018). "Smart cards". gnupg-users (Mailing list). Archived from the original on 15 December 2018. Retrieved 13 December 2018.
↑ "Watch out for card clash". Transport for London . Mayor of London. Archived from the original on 6 July 2017. Retrieved 18 July 2014.

Related Research Articles

A smart card (SC), chip card, or integrated circuit card, is a card used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations.

ISO/IEC 7816 is an international standard related to electronic identification cards with contacts, especially smart cards, and more recently, contactless mobile devices, managed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC 14443Identification cards -- Contactless integrated circuit cards -- Proximity cards is an international standard that defines proximity cards used for identification, and the transmission protocols for communicating with it.

A proximity card or prox card also known as a key card or keycard is a contactless smart card which can be read without inserting it into a reader device, as required by earlier magnetic stripe cards such as credit cards and contact type smart cards. The proximity cards are part of the contactless card technologies. Held near an electronic reader for a moment they enable the identification of an encoded number. The reader usually produces a beep or other sound to indicate the card has been read.

Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of 4 centimetres (1.6 in) or less. NFC offers a low-speed connection through a simple setup that can be used for the bootstrapping of capable wireless connections. Like other proximity card technologies, NFC is based on inductive coupling between two electromagnetic coils present on a NFC-enabled device such as a smartphone. NFC communicating in one or both directions uses a frequency of 13.56 MHz in the globally available unlicensed radio frequency ISM band, compliant with the ISO/IEC 18000-3 air interface standard at data rates ranging from 106 to 848 kbit/s.

EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.

MIFARE is a series of integrated circuit (IC) chips used in contactless smart cards and proximity cards.

FeliCa is a contactless RFID smart card system from Sony in Japan, primarily used in electronic money cards. The name stands for Felicity Card. First utilized in the Octopus card system in Hong Kong, the technology is used in a variety of cards also in countries such as Singapore, Japan, Indonesia, Macau, the Philippines and the United States.

Payment cards are part of a payment system issued by financial institutions, such as a bank, to a customer that enables its owner to access the funds in the customer's designated bank accounts, or through a credit account and make payments by electronic transfer with a payment terminal and access automated teller machines (ATMs). Such cards are known by a variety of names, including bank cards, ATM cards, client cards, key cards or cash cards.

A card reader is a data input device that reads data from a card-shaped storage medium and provides the data to a computer. Card readers can acquire data from a card via a number of methods, including: optical scanning of printed text or barcodes or holes on punched cards, electrical signals from connections made or interrupted by a card's punched holes or embedded circuitry, or electronic devices that can read plastic cards embedded with either a magnetic strip, computer chip, RFID chip, or another storage medium.

CEPAS, the Specification for Contactless e-Purse Application, is a Singaporean specification for an electronic money smart card. The specification was prepared by the Cards and Personnel Identification Technical Committee (CPITC), under the purview of the IT Standard Committee of Singapore (ITSCS). It has been gazetted as Singapore Standard SS 518 by Enterprise Singapore. CEPAS has been deployed island-wide, replacing the previous original EZ-Link card effective 1 October 2009.

Contactless payment systems are credit cards and debit cards, key fobs, smart cards, or other devices, including smartphones and other mobile devices, that use radio-frequency identification (RFID) or near-field communication (NFC) for making secure payments. The embedded integrated circuit chip and antenna enable consumers to wave their card, fob, or handheld device over a reader at the Point-of-sale terminal. Contactless payments are made in close physical proximity, unlike other types of mobile payments which use broad-area cellular or Wi-Fi networks and do not involve close physical proximity.

A datacard is an electronic card for data operations.

Calypso is an international electronic ticketing standard for microprocessor contactless smart cards, originally designed by a group of transit operators from 11 countries including Belgium, Canada, France, Germany, Italy, Latvia, México, Portugal and others. It ensures multi-sources of compatible products, and allows for interoperability between several transport operators in the same area.

<span class="mw-page-title-main">OPUS card</span>

OPUS is a rechargeable, dual interface (contact/contactless) stored-value smart card using the Calypso Standard and is used by major public transit operators in Greater Montreal and Quebec City, Quebec, Canada. It complies with the ISO/IEC 14443 standard for smartcards and can be read by smartphones with an NFC antenna.

CIPURSE is an open security standard for transit fare collection systems. It makes use of smart card technologies and additional security measures.

Istanbulkart is a contactless smart card for fare payment on public transport in Istanbul, Turkey. It was introduced on March 23, 2009 in addition to the Akbil, an integrated electronic ticket system which was eventually phased out in 2015. The card was developed and put into practice by the information technology company Belbim of the Metropolitan Municipality.

The term digital card can refer to a physical item, such as a memory card on a camera, or, increasingly since 2017, to the digital content hosted as a virtual card or cloud card, as a digital virtual representation of a physical card. They share a common purpose: Identity Management, Credit card, Debit card or driver license. A non-physical digital card, unlike a Magnetic stripe card can emulate (imitate) any kind of card.

Hop Fastpass is a contactless smart card for public transit fare payment on most transit modes in the Portland, Oregon, metropolitan area including MAX Light Rail, WES commuter rail, Portland Streetcar, The Vine, and all TriMet and C-TRAN buses. An initial release to the general public began on July 5, 2017, with the official launch on July 17. The program is managed by TriMet.

On Track Innovations Ltd. (OTI) founded in 1990, is a global company that focuses on creating contactless payment solutions. OTI does this through the use of NFC technologies.

References

Rankl, W.; W. Effing (1997). Smart Card Handbook. John Wiley & Sons. ISBN 0-471-96720-3.
Guthery, Scott B.; Timothy M. Jurgensen (1998). SmartCard Developer's Kit . Macmillan Technical Publishing. ISBN 1-57870-027-2.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "ISO/IEC 7810:2003 Identification cards — Physical characteristics". Archived from the original on 2012-05-24. Retrieved 2012-11-03.

[2] Multi-application Smart Cards. Cambridge University Press.

[3] Ugo, Chirico (2014-05-21). Smart card programming : a comprehensive guide to smart card programming in C/C++, Java, C#, VB.NET (Second ed.). [Place of publication not identified]. ISBN 978-1291610505. OCLC 922633321.{{cite book}}: CS1 maint: location missing publisher (link)

[4] "4th Asian Transport Revenue Collection Forum". Asia Pacific Smart Card Association. 2010. Archived from the original on 2018-07-23. Retrieved 2013-04-10.

[5] "Smartcard Alliance FAQ on contactless bank cards". Archived from the original on 2013-02-02. Retrieved 2011-11-14.

[14443-2-6] "ISO/IEC 14443-2:2001 Identification cards – Contactless integrated circuit(s) cards – Proximity cards – Part 2: Radio frequency power and signal interface". Archived from the original on 2016-08-17. Retrieved 2012-11-03.

[14443-4-7] "ISO/IEC 14443-4:2008 Identification cards – Contactless integrated circuit cards – Proximity cards – Part 4: Transmission protocol". Archived from the original on 2016-10-14. Retrieved 2012-11-03.

[8] Zankl, Andreas (March 2014). Security and Privacy in an RFID-based Electronic Payment System. Graz University of Technology. Archived from the original on 2 January 2020. Retrieved 16 September 2019.

[9] "ComfortDelgro introduces contactless credit card payment". contactless credit card payment. Archived from the original on 2011-06-28. Retrieved 2011-08-18.

[10] "MyKad website". Archived from the original on 2019-07-12. Retrieved 2011-03-17.

[11] Power Analysis Attacks. Springer.

[12] Werner Koch (13 December 2018). "Smart cards". gnupg-users (Mailing list). Archived from the original on 15 December 2018. Retrieved 13 December 2018.

[TFL-13] "Watch out for card clash". Transport for London . Mayor of London. Archived from the original on 6 July 2017. Retrieved 18 July 2014.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[9]

[10]

[11]

[12]

[13]