The properties and benefits of smartcard technology lend themselves to applications with the following features:
• ‘Offline’ electronic transaction environments where business rules can be enforced by the card without connection to back end systems, for example, daily transaction limits with credit cards, entitlements with social security cards. This eases the burden on the back-end and on the network, and improves flexibility, for example, in retail environments. Note too that PIN match-on-card improves systemic security by reducing the extraneous personal information sent over the network.
• Where identity theft is a significant risk. Well-designed and manufactured smartcards for all intents and purposes cannot be skimmed, cloned from intercepted transaction data or counterfeited (hence the EMV scheme).
• Online transactions with relatively high-risk profiles where active mutual authentication is important to prevent website fraud through man-in-the-middle attack (refer, for example, to authentication Levels 3 and 4 in the National e-Authentication Framework published by AGIMO and Levels 3 and 4 in the United States National Institute of Standards and Technology (NIST) SP800-63: Electronic Authentication Guideline).
• Public key infrastructure (PKI). Smartcards with on-chip key generation and digital signature functions are the ideal key storage medium in a wide range of emerging PKI applications, especially e-health and the professions, e.g. legal, medical, engineering.
• Biometric systems, especially with one-to-one verification and match-on-card.
• Multi-application settings, where it is useful to offer multiple functions through the one card or to upgrade cards over time. The financial sector has, to date, offered most examples in this category, where sophisticated banking products have been launched which can roll together electronic purse and public transport ticketing with debit/credit offerings.
• Smartcards can serve as credit, debit or stored-value payment and/or payment token instruments, and can provide improved online authentication to underpin access to financial accounts, funds transfers, payment instructions and so on.
• Information storage and management tools. Depending on the memory size of the integrated circuit card, smartcards can store and manage data to assist with various applications; for example, summarised medical information stored on a smartcard could, in principle, be made accessible by an authorised medical official in the event of an emergency or on a routine medical visit, subject, of course, to careful privacy design and appropriate consent mechanisms being
The remainder of this section lists major applications seen to date.
10.2 Financial applications
• Credit and/or debit accounts, replicating what is currently on the magnetic stripe bank card, but with greater protection against counterfeiting and skimming; and
• Securing payment across the Internet as part of electronic commerce to potentially reduce fraud in remote transactions.
• Electronic purse/stored-value cards to replace coins for small purchases in vending machines and over-the-counter transactions or even prepaid telephone cards (electronic purses have proven most practicable so far in tightly closed and temporary populations, such as holiday resorts and cruise ships).
10.3 Communications applications
• Mobile telephony – global system for mobile (GSM) communications SIMs are smartcards that identify the subscriber to the telephone system, for billing purposes, to control global roaming, and to manage keys for voice and data encryption. They can also store personal information such as frequently called numbers. SIM cards may be moved from telephone to telephone.
• Subscriber activation of programming on pay television; and
• Cards that allow set-top boxes on televisions to remain secure from piracy.
10.4 Government programs
• Electronic benefits transfer using smartcards.
• Cards may be used for a range of specific public sector applications, such as library cards or learning cards.
• Official documents may be issued in the form of smartcards, as a secure alternative to paper documents, for example, drivers licences, electronic passports.
• Digital credentials or business licences can be carried by smartcard.
• Identification cards may be used to identify either government employees or members of the public and provide access to buildings or computer systems.
For example, the city of Pusan, Republic of Korea, has implemented a multi-application e-currency biometrics smartcard that is used as an e-government ID card, a payment card for mass transportation, as well as for banking transactions, point-of-sale transactions, Internet activity and other financial dealings. Other examples include the Smartcities initiative in the United Kingdom, ConneXions and electronic IDs (eIDs) as implemented on the Belgian eID card.
10.5 Information security
• Employee access card with secured passwords and the potential to employ biometrics to protect access to computer systems.
• An individual or an organisation may use cards to digitally sign electronic messages, thereby providing proof of authenticity and integrity (digital certificate included on chip).
10.6 Physical access
• Employee access card with secured ID and the potential to employ biometrics to protect physical access to facilities
• Drivers licences
• Mass transit fare collection systems
• Electronic toll collection systems
10.8 Retail and loyalty
• Consumer reward/redemption tracking on a smart loyalty card that is marketed to specific consumer profiles and linked to one or more specific retailers serving that profile set.
10.9 Health card
The limited memory capacity of even the most sophisticated smartcards means they are not able to store a great deal of healthcare related information. In any case, the dynamic and decentralised nature of longitudinal personal health information means most shared electronic health record architectures today do not envisage using smartcards as more than security keys to access data.
• Consumer health card containing insurance eligibility and other entitlements.
• A patient’s smartcard can act as a key which healthcare professionals can use to access electronic health records, with the patient’s consent.
• Emergency medical data (medic alerts, allergies, drug reactions).
• Electronic prescriptions may be issued by doctors to a patient’s smartcard (though probably in summary form rather than in their entirety) and thus conveyed to dispensaries [7].
10.10 Campus cards
• All-purpose multi-function student ID card, containing a variety of applications such as electronic purse (for vending and laundry machines), library card, record attendance at classes, concession card and logical access control for network logon
• Similar multi-function cards have been deployed for employees at large commercial businesses, for access control and cafeteria use
11 Developing the business case for smartcard deployments
This section summarises issues an agency should address and/or consider when developing a business case for a smartcard deployment. The Project Design Guide will assist agencies with many of the issues that will arise when designing and implementing a smartcard deployment.
Agencies should bear in mind that before starting to develop a smartcard business case, a detailed risk analysis, based on the NeAF, should be undertaken to determine whether a smartcard is the appropriate technology for the proposed applications.
Each Australian jurisdiction should develop its own business case methodology to use when developing smartcard deployments.
11.1 What is a business case?
A business case provides the basis for taking an informed decision on whether to proceed with a new initiative or proposal. It defines the scope of the project, outlines the costs, benefits, budget and timeframes for delivery.
A business case should provide:
• an outline of the business requirements
• a concise statement of the benefits of implementing a smartcard program for service delivery for government, business, the community and individuals
• an outline of important background issues that contextualise the investment
• an outline of how the investment aligns with whole-of-government and/or agency policy
• an evaluation of viable alternative options for delivering the desired outcome
• a robust estimate of whole-of-life costs of the investment
• a robust estimate of financial benefits of the investment
• an estimate of non-financial benefits of the investment
• a rigorous assessment of inherent risks, including how they are likely to impact on the investment and strategies for mitigating them
• an evaluation of the likely extent and cost of business process changes needed to realise the full benefits of introducing smartcards (and indeed to avoid project disappointments) including:
- designing, planning and introducing new positions, policies and processes required for issuing and managing smartcard and any associated applications; and
- eliminating old positions, policies and processes rendered unnecessary by smartcard
• migration processes required from legacy applications; and
• an indicative implementation schedule, timeframe and resourcing plan.
12 When should agencies consider implementing smartcards?
The salient characteristics of a smartcard deployment that can help evaluate the practicality and potential business benefits of this new technology for agencies are discussed below.
12.1 Specific capability required
Smartcards have specific unique capabilities that other technologies do not provide, including security features that help to thwart identity theft and card fraud.
One of the most fundamental smartcard characteristics is data portability. By adopting smartcards, an agency can maintain data in a form that can be transported to any physical location. Smartcard portability allows data to move with the client between providers. Data on the card can be accessed wherever and whenever it is needed. Privacy can be an important consideration; it can be enhanced in some cases when smartcards are used to convey sensitive data, removing that data from exposure in back-end systems.
Having said that, a major constraint is imposed by the limited EEPROM capacity of smartcards today. While the EEPROM capacity is continually improving, it comes at a significant price premium. This memory needs to be shared amongst card applications and application data. Furthermore, some important card applications which might not be apparent to the end user (or even the card issuer) can be required to meet underlying technical requirements of standards such as ISO/IEC 24727-3 and FIPS 201, or FIPS 140 Level 3 where applicable. Digital certificates, too, typically require 2 KB or more each. The net result is that the memory remaining available for use by user applications can turn out to be only a very few kilobytes.
Smartcards can provide various levels of security to ensure data integrity. When considering the portability of data, also consider how the data is going to be protected from illicit interception, modification or substitution. Smartcards are designed to address all these concerns.
12.3 Identity authentication/information security
It is becoming increasingly important to verify the identity of the transaction originator and receiver in today’s environment of increased agency use of electronic commerce and/or electronic service delivery, growing use of web-based applications, and the ongoing problem of identity theft.
By providing a mechanism for secure identity authentication (through a variety of means, including symmetric cryptography, digital certificate and/or biometric), the smartcard provides a means for cardholders to identify themselves in cyberspace [8].
In addition, the smartcard’s on-board computing power plus commonplace cryptographic processing allows users to perform active verification of websites to be sure of the identity of the receiver of sensitive transaction data before it is sent.
12.4 Automatic forms population
Most government agencies spend substantial amounts of time processing an abundance of paper forms. Moving to electronic form submission could save significant staff time. The smartcard provides the capability to populate forms with agreed data carried on the card, with privacy parameters reducing the redundant capture of data for government and individuals.
12.5 Multi-application enabler
Because of their basic technical limitations, plastic card platforms have traditionally supported single applications. By leveraging the intelligence associated with smartcards, more than one application can reside on the card platform.
12.6 Updatable applications
Other card technologies entail static applications. Once a card is issued, any changes require traditional plastic cards to be re-issued. Smartcards on the other hand, built on an openly programmable platform, are dynamic and can accept new applications and data structures even after the card has been issued.
12.7 Hybridising card technologies
Smartcard technology need not be implemented in a chip-only device, especially over transitional periods where interim support for legacy card systems might be important; multiple technologies can be hybridised on the one piece of plastic. Hybrid cards are inevitably more expensive on an item-cost basis, but total cost of ownership and deployment may be lower with a hybrid card if back-end and card reader sub-systems can be phased in more gradually, or if a more highly functional single device can take the place of two or more cards. Without trying to be exhaustive, there are two major scenarios that can be worth considering when developing a smartcard concept and business case:
• Chip plus magnetic stripe - deploying a card with both conventional (or legacy) magnetic stripe and a new chip is attractive in such settings as banking and health cards, where not all retail terminal equipment can be swapped over at once (or at a reasonable cost).
• Contact plus contactless interfaces - especially where both physical and logical accesses are desired to be controlled with maximum convenience, a smartcard with two interfaces can deliver net benefits. Elsewhere in the Framework, alternative implementation strategies are discussed, including the hybrid card where two independent chip sub-systems are packaged in the one card, and the more sophisticated ‘dual interface’ card where the same core processor supports both contact and contactless channels.
12.8 Cost sharing
Agencies have the potential to experience substantial economies of scale when implementing multi-programmable cards. Rather than have each program pay for card issuance, management and customer service, multiple programs can share these fixed costs. The cost of the applications residing on the chip card platform can also be shared among the programs using the application. Although smartcards themselves are more expensive than other types of cards, the total implementation cost can potentially be reduced through multiple applications or shared services.
1 Recall that the scope of this Framework is multi-programmable smartcards. Other types of cards, such as memory-only devices, are not so smart in the sense meant here.
2 The head of cryptography at NIST has stated that, for Level 4 authentication in the PIV (that is, the highest level, where resistance to man-in-the-middle attack is required), the ‘only practical solution today uses PKI [and hard tokens]’, viz smartcards. Ref: Electronic Authentication in the US Federal Government, Bill Burr, Asia PKI Forum Tokyo, February 2005.
3 One particular scenario of concern for denial of service is where an attacker with a relatively high-powered transmitter might be able to send repeated bogus PIN entry attempts to all contactless chips within range, causing the chips to block themselves and, in effect, shut down.
4 Any government smartcard deployment that incorporates digital certificates must ensure it uses digital certificates issued by a Gatekeeper accredited or recognised service provider.
5 For more information see Java Card Forum at www.javacardforum.org and MAOSCO at www.multos.com
6 For more information see www.globalplatform.org
7 It is noteworthy that smartcards can support several different e-prescription architectures. One option is for a script to be written to the smartcard more or less in its entirety, and carried in that form to the dispensary. In this case, the smartcard acts as a direct replacement for the paper script. For disaster recovery and usability reasons, a copy of the script would typically be saved in the back-end somewhere. Given that reality, alternative e-prescription architectures save relatively little data on the smartcard and instead use the card as a key to access the script from a repository, and to prove the cardholder’s legitimacy and entitlements. Various e-prescription implementations are now using smartcards in Austria, Germany and Taiwan.
8 There are different identification and access control design requirements that can be supported with assistance from smartcards, such as one-to-one, one-to-few and one-to-many. Business rules that pre-determine the appropriate access control checks must be developed at the time the smartcard system is designed, and care taken to analyse the infrastructure that supports access control, including key management rules and the most appropriate form of cryptography to deploy.