Smart Card Standards 101 Agenda Is your bank account safe? What is a Smart Card? Standards for Interoperability Fraud prevention through Smart Cards Spring 2007 Property of the Smart Card Alliance © 2009 2 Why Are Smart Cards Needed? Smart cards significantly reduce fraud Headline: Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 3 Fraud growing out of control Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 4 How do we fix this? Historically Different Paths “Intelligence” Protection Europe US Host based Security •Neural Network •Card Present with Static data (CVC) •LUHN check •AVS, Zip code Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 Network edge using Smart Cards •User Authenticates to card •Card Authenticates to terminal •Card can make decisions 5 Smart Cards Defined What is a Smart Card? • • Embedded computer chip that is either a microprocessor with internal memory or memory chip alone Contact or contactless designs Memory Card • • • • Telephone card Stored value No RSA Crypto Limited memory addresses Contact Smart Card Microprocessor Card • • • • Large EEPROM Memory (up to 128K) On-card functions (encryption, digital signatures) Multi application Open Platform (Java, Multos) CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 6 Need for interoperability… International Organization for Standardization (ISO) Worldwide association of over 100 national standards agencies From Greek word “ISOS” meaning “equal” or “the same” The prefix iso-, is commonly used in the three official languages of ISO (English, French and Russian) International Electro technical Commission (IEC) Standards organization that cover the areas of electrical technology and electronics First to publish card standards Collaborates with ISO to insure alignment Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 7 ISO/IEC 7816 defines contact Smart Cards Spring 2007 7816-1: Physical characteristics 7816-2: Cards with contacts 7816-3: Cards with contacts 7816-4: Organization, security and commands for interchange 7816-5: Registration of application providers 7816-6: Inter-industry data elements for interchange 7816-7: Inter-industry commands for Structured Card Query Language (SCQL) 7816-8: Commands for security operations 7816-9: Commands for card management 7816-10: Electronic signals and answer to reset for synchronous cards 7816-11 Personal verification through biometric methods 7816-12 Cards with contacts -- USB electrical interface 7816-13: Commands for application management in multiapplication CTST2009 – Smart Card Technology and application 7816-15: Cryptographic information Payments Applications Workshop © 2009 8 ISO 14443 defines contactless proximity cards This Standard is described in 4 Parts: ISO 14443-1: Physical characteristics (Type A =Type B) ISO 14443-2: Radio Frequency power and Signal Interface (13,56 MHz) ISO 14443-3: Initialisation and Anti-collision Type A different from Type B. ISO 14443-4: Transmission Protocol Type A different from Type B. Contactless payment Mifare cards Biometric passports Smart Trip cards Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 9 Smart Cards Reduce Fraud Spring 2007 10 Smart cards secure many industries The Very Big Bank 1234 5678 9012 3456 NET Electronic Commerce Rich Wealthy Credit/ Debit Pay TV Health Care Access control network security Payphones Access Control 11 Parking Digital cellular phones Mass Transit CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 Microcomputer Chip can be programmed for each application Reset EEPROM, Application Memory ROM, Operating system ROM : Operating System EEPROM : Application Memory Input / Output CP U Cloc k RAM : Scratch Pad the smart card is the ultimate secure portable computer !! CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 …and secure •Hundreds of secure countermeasures RAM Public Key EEPROM CO-PROCESSOR TRIPLE-DES CO-PROCESSOR SECURITY SENSORS POWER ON RESET CRC IO2 IO3 MMU VOLTAGE REGULATOR CLOCK INPUT FILTER ISO Contacts Spring 2007 INTERRUPT SYSTEM CPU 80C51 RESET GENERATOR UART ISO 7816 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 USER ROM TIMERS 16 BIT 16 BIT TEST ROM T0 T1 TRUE RANDOM NUMBER GENERATOR 13 Smart card in payment How does this secure you? Mag Stripe transaction Payment application Contactless Transaction EMV Spring 2007 14 Anatomy of a typical Transaction Terminal Reads MSD and initiates transaction with the host Terminal can ask the cardholder for verification data (CVC, AVS) Terminal formats the authorization request and sends it to the Network/Issuer Issuer verifies and processes authorization Spring 2007 15 Smart card in payment How does this secure you? Mag Stripe transaction Payment application Contactless Transaction EMV Contactless Transaction adds security • Card updates Application Transaction Counter (ATC) • Terminal generates UN (unpredictable number) and asks card to generate dCVV or CVC3 and ATC and creates cryptogram using a secret key • Card calculates the proper cryptogram and appends the track data Spring 2007 17 Smart card in payment How does this secure you? Mag Stripe transaction Payment application Contactless Transaction EMV • Europay Mastercard Visa • EMV® is a global standard for credit and debit payment cards based on chip card technology • As of Q1 2008, there were more than 730 million EMV compliant chip-based payment cards in use worldwide. EMV, the ultimate in transaction security • Card is programmed to make decisions within the parameters that the bank gives it – Max offline transaction up to “X” dollars and transactions cumulatively • Terminal provides information to the card and sets the guidelines for risk management – Cardholder Verification (pin)?? – Offline authentication data (SDA/DDA)?? • Card also performs risk management, generates necessary cryptograms, and responds with transaction data and decision: • Process online • Offline approve or decline • Terminate and use other interface • Terminal sends EMV authorization request and ARQC cryptogram Spring 2007 19 For additional information Contact: Bill Gostkowski Gemalto [email protected] (512) 257-3898 www.smartcardalliance.org 20 Basic Card Definitions Contactless Single Chip Dual Interface Antenna Contactless chip module Contact/contactless chip module Two Chips Dual Interface Antenna Contactless chip module Contact chip module Spring 2007 21 Issuers deploy EMV… for fraud reduction Credit and debit card fraud losses on UK-issued cards in m£ 500 Source: APACS 400 UK fraud Fraud abroad 300 UK retailer (face-to-face transactions) UK cash machine 200 UK fraud includes: 100 0 2004 2005 2006 2007 22 Expanded view of Smart Card PVC Overlay (thermal printable) Polycarbonate (PC) Filling layer Inlet (etched antenna) Polycarbonate (PC) PVC Overlay (thermal printable) DIE PROBING SAWING AND CUTTING Chip with antenna Micro Module CARD BODY LAMINATION 8 or 6 Contacts Hologram Brand Stamp Magnetic Stripe CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 MODULE INSERTION DIE BONDING ISO 15693 defines contactless vicinity Standard for "Vicinity Cards", i.e. cards which can be read from a greater distance as compared to Proximity cards. ISO 15693 systems operate at the 13.56 MHz frequency, and offer maximum read distance of 1 meters. >10 cm for ISO 14443 ~ 1m for ISO 15695 iCLASS family of cards and tags by HID Global. Maximum read range 45 cm / 18 inches. Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 24 Payment fraud is a global concern SPA Shipments of EMV cards Per Quarter (in ku) Source: SPA (Smart Payment Association) New EMV mass deployments in all regions (e.g. Spain, Thailand, Brazil, Canada…) + 41% volume growth in H1’08 vs H1’07* * Source: SPA (Smart Payment +24% volume growth in 2007* Association) 25 EMV adoption is global EMV deployed EMV to be deployed (est. in the next 24 months) Source: Eurosmart, MasterCard, Gemalto No EMV 26 Dual-interface adoption gets global, too Mass deployment in 2008 Pre-deployment in 2008 At pilot/small program stage in 2008 Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 28 Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 29 Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 30 Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 31 Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 32 Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 33 Fraud Reduced with EMV Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 34 Contactless Cross-Section Antenna (etched copper) Conductive adhesive) Spring 2007 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 35 Smart Card Manufacturing Wafer Manufacturing Manufacturing Process (Simplified) Input Wafer Manufacturi ng Sand (quartz) Si-Ingot Si-Wafers (dicing) Doping Deposition Automation & Control Lithography Testing Removal Process Assembly & Bare Wafer Packaging Grinding Output Wet Etch Automation & Process Control Particle Removal Bare Wafer Deposition Cleaning Doping Wafer Processing Wafer with Chips Wet Etch Wet Etch 15-25 Cycles CMP* Stripping Decontamination Litho Dry Etch Wafer with Chips Testing Probe Test Dic ing Dice Bon ding Wir e Bon ding Pac kagin g Fina l Test Semiconductor Device (microchip) Assembly & Packaging * Chemical Mechanical Polishing (CMP) Source: European Semiconductor Capital Equipment, 1/9/01, Robertson Stephens Spring 2007 36 Contactless Tech Comparison Features 14443 15693 125 kHz Standards ISO 14443 ISO 15693 125 kHz Frequency 13.56 MHz 13.56 MHz 125 kHz ~10 centimeters (~3-4 inches) ~1 meter (~3.3 feet) ~1 meter (~3.3 feet) Memory, Wired Logic, Microcontroller Memory, Wired Logic, Memory, Wired Logic, Encryption and authentication functions MIFARE, DES/3DES, AES, RSA, ECC Supplier specific Supplier specific Memory capacity range 64 to 72K bytes 256 and 2K bytes 8 to 256 bytes Read/write ability Read/write Read/write Read/write Data transfer rate (Kb/sec) Up to 106 (ISO) Up to 848 (available) Up to 26.6 Up to 4 Yes Yes Optional Challenge/Response Challenge/Response Password Hybrid card capability Yes Yes Yes Contact interface support Yes No No Read Range Chip types supported Anti-collision Card-to-reader authentication Spring 2007 37 ISO/IEC 7816 ISO 7816-1 Dimensions and physical constraints (bending, torsion strength) ISO 7816-2 Contact Locations Electrical interface ISO 7816-3 Communication protocol ISO 7816-4 ... Memory management and inter industry commands CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 Micro Module Process Probing Sawing Die bonding Wafers from the Foundry Electrical Test Wire bonding Coating Micro-module 5/12/2009 CTST2009 – Smart Card Technology and Payments Applications Workshop © 2009 39
© Copyright 2025 Paperzz