About Smart Cards : Introduction : Glossary
Edit this Page
Smart Card Industry Glossary
This glossary was developed by the Smart Card Alliance to define commonly used terms related to smart card technology and applications.
Quick Jump: 0-9
See Triple DES
The process of granting or denying specific requests to: 1) obtain and use information and related to information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).
Access control system format
The algorithm that specifies how data transmitted by the system is to be interpreted. The format specifies how many bits make up the data stream and which bits represent different types of information. For example, the first few bits might transmit the facility code, the next few the unique ID number, the next few parity, and so on.
The processes and technologies for controlling and monitoring access privileges to resources, consistent with governing policies. Access management includes authentication, authorization, trust, and security auditing.
The privilege or permission for an individual to access a controlled resource or entity (physical or logical).
Acquirer or acquiring bank
A financial institution that initiates and maintains contractual agreements with merchants for the purpose of accepting and processing credit and debit card transactions.
Advanced Encryption Standard (AES), also known as Rijndael. A block cipher adopted as an encryption standard by the U.S. government.
See application programming interface.
An individual applying for an identity card/credential. In context of the Federal Personal Identity Verification (PIV) card, the applicant may be a current or prospective Federal hire, a Federal employee, or a contractor.
A hardware/software system implemented to satisfy a particular set of requirements. In the context of FIPS 201, an application incorporates a system used to satisfy a subset of requirements related to the verification or identification of an end user’s identity so that the end user’s identifier can be used to facilitate the end user’s interaction with the system.
The entity that defines the rules of the application and attribute disclosure required from a subject to be disclosed in order to provide the service which may be delegated to a service provider.
Application programming interface (API)
A source code interface that a computer system or program library provides in order to support requests for services to be made of it by other computer programs, and/or to allow data to be exchanged.
Cryptography that uses two related operations: a public operation defined by public numbers or by a public key and a private operation defined by private numbers or by a private key (the two operations have the property that, given the public operation, it is computationally infeasible to derive the private operation).
Two related keys, a public key and a private key, that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
The degree of certainty that the user has presented an identifier (e.g., a credential) that refers to his or her identity. In the context of FIPS 201, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.
Techniques implemented to compromise the security of a smart card IC by discovering what information it holds.
A qualification, certification, or skill set associated with a credential holder.
To verify (guarantee) the identity of a person or entity. To ensure that the individual or organization is really who it says it is.
The process of electronically validating the identity and/or attribute of a person or other entity.
Pieces of information used to verify a person’s identity for security purposes. The three most commonly recognized factors are:
The assignment of a privilege or privileges (e.g., access to a building or network) verifying that a known person or entity has the authority to perform a specific operation. Authorization is provided after authentication. In the payments industry, authorization is the approval from the financial institution that issued the cardholder’s card to accept a transaction for a given amount.
A method which automatically loads a contactless smart card electronically with a transit fare product using a process which is usually transparent to the cardholder.
Automatic fare collection system
A fare collection system that provides a method of processing electronic fare media through computational devices to account for a ride or access onto a public transportation system. AFC systems were intended to require little or no operator interaction.
- Something you know, such as a password or personal identification number (PIN)
- Something you have, such as a credential, card or token
- Something you are, such as a fingerprint or other biometric.
A program possible with smart card-based AFC systems that uses an ongoing calculation to ensure that a participating passenger pays the lowest possible fare every time they travel.
A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an individual. Facial images, fingerprints, and iris scan samples are all examples of biometrics.
Data encoding a feature or features used in biometric verification.
The stored electronic information pertaining to a biometric. This information can be in terms of raw or compressed pixels or in terms of some characteristic (e.g., patterns).
Biometric reference data
Data stored on the card for the purpose of comparison with the biometric verification data.
An automated system capable of the following:
The formatted digital record used to store an individual’s biometric attributes. This record typically is a translation of the individual’s biometric attributes and is created using a specific algorithm.
The process of verifying, using a one-to-one comparison, the biometric verification data against biometric reference data.
A document used as an original source of identity to apply for (or breed) other forms of identity credentials.
- Capturing a biometric sample from an end user
- Extracting biometric data from that sample
- Comparing the extracted biometric data with data contained in one or more references
- Deciding how well they match
- Indicating whether or not an identification or verification of identity has been achieved
The method of taking a biometric sample from an end user.
The organization or entity that issues cards.
Card management system (CMS)
A smart card/token and digital credential management solution that is used to issue, manage, personalize and support cryptographic smart cards and PKI certificates for identity-based applications throughout an organization.
Any device that reads encoded information from a card, token, or other identity device and communicates to a host such as a control panel/processor or database for further action.
Card serial number
An identifier which is guaranteed to be unique among all identifiers used for a specific purpose (see unique identifier).
Card Verification Value (CVV)/Card Verification Code (CVC)
Security codes used by the financial payment brands for credit and debit transactions to protect against credit card fraud.
An individual to whom an ID card is issued or assigned.
See digital certificate.
Certificate authority (CA)
A trusted third party that is responsible for issuing and revoking digital certificates within the public key infrastructure.
Certificate revocation list (CRL)
A list of certificates that have been revoked before their expiration by a certificate authority.
The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness.
Chain of trust
An attribute of a secure ID system that encompasses all of the system’s components and processes and assures that the system as a whole is worthy of trust. A chain of trust should guarantee the authenticity of the people, issuing organizations, devices, equipment, networks, and other components of a secure ID system. The chain of trust must also ensure that information within the system is verified, authenticated, protected, and used appropriately.
The demand for disclosure of one or more attributes related to a subject made by service authority.
A family of protocols in which one party (e.g., a reader) presents a question (“challenge”) and another party (e.g., a credential) must provide a valid answer (“response”) in order to be authenticated.
A computed value that depends on the contents of a message. The checksum is transmitted with the message. The receiving party can then recompute the checksum to verify that the message was not corrupted during transmission.
Electronic component that performs logic, processing and/or memory functions.
Cardholder Unique Identifier. Part of the standardized data model for cardholder identification data for FIPS 201.
An assertion by a subject about the value of an attribute.
The operating conditions for IC cards with contacts that use a 5 volt supply, as defined in ISO/IEC 7816-3:1997.
The operating conditions for IC cards with contacts that can successfully use either a 3 volt or a 5 volt supply, as defined in ISO/IEC 7816-3:1997.
The operating conditions for IC cards with contacts that use a 3 volt supply, as defined in ISO/IEC 7816-3:1997.
The process of creating an identical copy of something.
Common Access Card (CAC)
The identification card issued by the Department of Defense to all employees and contractors.
Common Criteria (CC)
An internationally approved security evaluation framework that provides a clear and reliable evaluation of the security capabilities of IT products, including secure ICs, smart card operating systems, and application software.
An element of a larger system. In the FIPS 201 context, a component can be an identity card, PIV issuer, PIV registrar, card reader, or identity verification support, within the PIV system.
The degree of likelihood that an identifier refers to a specific individual.
Contact smart card
A smart card that connects to the reading device through direct physical contact between the smart card chip and the smart card reader. (See ISO/IEC 7816.)
Contactless Fare Media System (CFMS) standard
A standard published by APTA that describes the data format on smart cards used for fare payment, as well as the messages used between an agency central computer and a regional computer for processing fare transactions.
Payment transactions that require no physical contact between the consumer payment device and the physical point-of-sale (POS) terminal. In a contactless payment transaction, the consumer holds the contactless card, device or mobile phone in close proximity (less than 2-4 inches) to the merchant POS terminal and the payment account information is communicated wirelessly (via radio frequency (RF)).
Contactless smart card
A smart card that communicates with a reader through a radio frequency interface.
The access control system component that connects to all door readers, door locks and the access control server. The control panel validates the reader and accepts data. Depending on the overall system design, the control panel may next send the data to the access control server or may have enough local intelligence to determine the user’s rights and make the final access authorization. The control panel can be called the controller or panel.
Any device which is controlled by a physical access system (for example, doors, turnstiles, gates, lights, cameras, elevators). There may be multiple control points for a single access requirement.
- A type of physical form factor designed to carry electronic information and/or human readable data.
- Under FIPS 201, a dual interface smart card-based ID badge for both physical and logical access that contains within it an integrated circuit chip.
Cryptographic smart cards
Advanced smart cards that are equipped with specialized cryptographic hardware that lets algorithms such as RSA be used on the card. Today’s cryptographic smart cards are also able to generate key pairs on the card, to avoid the risk of having more than one copy of the key (since by design (usually) there isn’t a way to extract the keys from a smart card). Cryptographic smart cards are often used for digital signatures and secure identification.
- Evidence attesting to one’s rights, privileges or evidence of authority.
- In FIPS 201, the PIV card and data elements associated with an individual that authoritatively binds an identity (and, optionally, additional attributes) to that individual. A smart card can store multiple digital credentials.
The condition in which data is identically maintained during any operation, such as transfer, storage, and retrieval.
Data Encryption Standard. A method for encrypting information. (See related term Triple DES.)
Differential power analysis (DPA)
A class of attacks that extracts secret information from smart cards through power consumption analysis.
Digital certificate (or public key certificate)
Digital documents (e.g., information such as the name of the person or an organization and their address) attesting to the binding of a public key to an individual or other entity. Digital certificates allow verification of the claim that a specific public key does in fact belong to a specific individual.
Digital information used for the purpose of identification of an electronic message or documents. Digital signatures provide a way of authenticating the identity of creators or producers of digital information.
Discretionary access control (DAC)
Access restriction based solely on an individual’s identity.
The device on each door that communicates with a card or credential and sends data from the card to the controller for decision on access rights.
The electronic lock on each door that is connected to the controller.
Digital Signature Algorithm.
Dual interface card
A smart card that has a single smart card chip with two interfaces – a contact and a contactless interface – using shared memory and chip resources.
Dynamic data authentication (DDA)
One technique used by the EMV specification to determine that an EMV credit or debit card is authentic. DDA requires a unique certificate per card. Other authentication options are SDA (static data authentication) which incorporates a single certificate across all cards and CDA (combined data authentication).
The interception of communications between a reader and a credential during transmission by unintended recipients. Messages can be protected against eavesdropping by employing a security service usually implemented by encryption.
Elliptic Curve Cryptography
Electronic fare payment
Systems that allow electronic debit or credit processing of fares.
A payment card that stores prepaid monetary value in an embedded smart card chip.
Emergency Support Function (ESF)
Primary mechanism at the operational level used to organize and provide assistance. Defined by FEMA as part of the National Response Framework (NRF).
Europay MasterCard Visa. Specifications developed by Europay, MasterCard and Visa that define a set of requirements to ensure interoperability between payment chip cards and terminals.
The organization formed in February 1999 by Europay International, MasterCard International, and Visa International to manage, maintain, and enhance the EMV Integrated Circuit Card Specifications for Payment Systems. With the acquisition of Europay by MasterCard in 2002 and with JCB joining the organization in 2004, EMVCo is currently operated by JCB International, MasterCard Worldwide, and Visa, Inc.
The process of translating information into a code that can only be read if the reader has access to the key that was used to encrypt it. There are two main types of encryption – asymmetric (or public key) and symmetric (or secret key).
End point products
As defined in NIST SP 800-73, products that employ a unified card edge interface that is technology independent and compliant with current international standards.
The process of entering the appropriate identity data for an individual into a system and associating the identity with the privileges being granted by the system.
Enterprise single sign-on (ESSO)
A system designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. The E-SSO solution automatically logs users in and acts as a password filler where automatic login is not possible. Each client is typically given a token that handles the authentication; in other E-SSO solutions each client has E-SSO software stored on their computer to handle the authentication. An E-SSO authentication server is also typically implemented into the enterprise network.
A travel document that contains an integrated circuit chip based on international standard ISO/IEC 14443 and that can securely store and communicate the ePassport holder’s personal information to authorized reading devices.
EPC Generation 2 (EPC Gen 2)
The specification developed by EPCglobal for the second-generation RFID air-interface protocol. EPC Gen 2 was developed to support supply chain applications (e.g., tracking inventory). The current ratified standard operates in the ultra-high-frequency (UHF) range (860-960 MHz), supports operation at long distances (e.g., 25-30 feet), and has minimal support for security (e.g., static passwords to access or kill information on the RFID device).
The not-for-profit organization establishing and supporting “the EPCglobal Network™ as the global standard for real-time, automatic identification of information in the supply chain of any company, anywhere in the world” and “leading the development of industry-driven standards for the Electronic Product Code™ (EPC) to support the use of Radio Frequency Identification (RFID) in today’s fast-moving, information rich, trading networks.” Additional information can be found at http://www.epcglobalinc.org.
Erasable programmable read-only memory. A type of memory that can only be changed once.
Electrically erasable programmable read-only memory. A type of memory that can be changed up to 100,000 times.
Evaluation assurance level (EAL)
A measure used with Common Criteria for the depth of engineering review and evaluation of the product lifecycle.
The RF field or electromagnetic field constantly transmitted by a contactless door reader. When a contactless card is within range of the excite field, the internal antenna on the card converts the field energy into electricity that powers the chip. The chip then uses the antenna to transmit data to the reader.
Fair Information Practices
The basis for privacy best practices, both online and offline. The Practices originated in the Privacy Act of 1974, the legislation that protects personal information collected and maintained by the U.S. government. The Fair Information Practices include notice, choice, access, onward transfer, security, data integrity, and remedy.
An enclosure formed by conducting material, or by a mesh of such material, that blocks out external static electrical fields. Any electric field will cause the charges to rearrange so as to completely cancel the field’s (RF signal) effects in the cage’s interior.
Fare media (electronic)
Electronic portable media used to gain access to public transportation system services.
Federal Agency Smart Credential Number. The data element that is the main identifier on the PIV card and that is used by a physical access control system.
An attack that alters the IC’s internal workings to induce an error in the operation of the IC.
Federal Information Processing Standard (FIPS)
A standard for adoption and use by Federal departments and agencies that has been developed within the Information Technology Laboratory and published by NIST, a part of the U.S. Department of Commerce. A FIPS publication covers some topic in information technology to achieve a minimum level of quality or interoperability.
In information technology (IT), federated identity has two general meanings:
Ferroelectric random access memory (FRAM)
A type of fast, low power memory technology that uses the material to hold and change polarity for data storage over 100 trillion times.
A combination of specialized hardware and software designed to keep unauthorized users from accessing information within a networked computer system.
FIPS 140-2 / FIPS 140-3
Security Requirements for Cryptographic Modules. The U.S. government security standard for cryptographic modules.
Federal Information Processing Standard Publication 201, Personal Identity Verification (PIV) of Federal Employees and Contractors. FIPS 201 is the standard that defines the identity vetting, enrollment, and issuance requirements for a common government identity credential and the technical specifications for a U.S. government Executive Branch employee and contractor ID card—the PIV card.
Term describing an entity that meets all of the requirements of the FIPS 201 standards. By definition, only Federal agencies from the Executive Branch of the government to which HSPD-12 applies can issue FIPS 201-compliant credentials.
FRAC (First Responder Authentication Credential)
A smart card-based credential that provides first responders from across the National Capital Region with the ability to quickly and easily access government buildings and reservations in the event of a terrorist attack or other disaster. The FRAC is part of the Office of National Capital Region Coordination’s initiative to develop a smart identity card system for emergency responders.
A type of EEPROM that is erased and programmed in large blocks.
An ID card that is shown (or flashed) to a person who visually verifies that the cardholder is the person who owns the card.
The physical device that contains the smart card chip. Smart chip-based devices can come in a variety of form factors, including plastic cards, key fobs, wristbands, wristwatches, PDAs, and mobile phones.
- The virtual reunion, or assembled identity, of a person’s user information (or principal), stored across multiple distinct identity management systems. Data is joined together by use of the common token, usually the user name.
- The process of a user’s authentication across multiple IT systems or even organizations.
The Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act), enacted to facilitate affiliation among banks, securities firms, and insurance companies. The Act includes provisions to protect consumers’ personal financial information held by financial institutions.
Global System for Mobile Communications
The act of gaining illegal or unauthorized access to a computer system or network.
A software algorithm that computes a value (hash) from a particular data unit in a manner that enables detection of intentional/unauthorized or unintentional/accidental data modification by the recipient of the data.
The physical access control server, software and database(s) used in a physical access control system.
High frequency (HF)
Radio frequencies (RF) in the range of 3 MHz to 30 MHz. When used in an RF-based identification system, the high frequency used is typically 13.56 MHz.
Health Insurance Portability and Accountability Act of 1996. HIPAA was passed to protect health insurance coverage for workers and their families and to encourage the development of a health information system by establishing standards and requirements for the secure electronic transmission of certain health information. HIPAA mandates that the design and implementation of the electronic systems guarantee the privacy and security of patient information gathered as part of providing health care.
Homeland Security Presidential Directive 12. The primary objective of HSPD-12 is the development and deployment of a Federal government-wide common and reliable identification verification system that will be interoperable among all government agencies and serve as the basis for reciprocity among those agencies.
A smart card that contains two smart card chips – both contact and contactless chips – that are not interconnected.
Government Smart Card Interagency Advisory Board.
Integrated circuit card. ICC typically refers to a plastic (or other material) card containing an integrated circuit which is compatible to ISO/IEC 7816.
ID-1 card type
An identification card, usually made of PVC, PVCA or similar material, having the dimensions usually associated with “credit cards,” and having other physical properties conforming to ISO/IEC 7810:1995.
Card identifying its holder and issuer which may carry data required as input for the intended use of the card and for transactions based thereon.
Unique data used to represent a person’s identity and associated attributes. Names and card numbers are examples of identifiers.
The subset of physical and/or behavioral characteristics by which an individual is uniquely recognizable. Identity is information concerning the person, not the actual person.
Identity and access management (IAM)
The combination of processes, technologies, and policies to manage digital identities and specify how digital identities are used to access resources.
The data associated with an individual’s identity within a specific system and used by that system to verify the individual’s identity.
A piece of documentation designed to verify aspects of a person’s identity. (See also breeder document.)
In information systems, the management of the identity life cycle of entities. Identity management is sometimes used in conjunction with authorization in the IT industry. Within the life cycle:
- The process of using claimed or observed attributes of an entity to deduce who the entity is.
- The evidence of identity or fact of proof showing the attributes of the individual presenting the identification.
Identity management system (IDMS)
System composed of one or more computer systems or applications that manage the identity registration, verification, validation, and issuance process, as well as the provisioning and deprovisioning of identity credentials.
The process of providing sufficient information (e.g., breeder documents, identity history, credentials, documents) to establish an identity to an organization that can issue identity credentials.
The process of making a person’s identity known to a system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.
The appropriation of another’s personal information to commit fraud, steal the person’s assets, or pretend to be the person.
The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in an ID card or system and associated with the identity being claimed.
International Electrotechnical Commission
International Civil Aviation Organization (ICAO) MRTD
International Civil Aviation Organization Machine Readable Travel Documents. ICAO establishes international standards for travel documents. An MRTD is an international travel document (e.g., a passport or visa) containing eye- and machine-readable data. ICAO Document 9303 is the international standard for MRTDs.
Electronic component(s) designed to perform processing and/or memory functions. See also chip.
- The identity is established: a name (or number) is connected to the subject.
- The identity is re-established: a new or additional name (or number) is connected to the subject.
- The identity is described: one or more attributes which are applicable to this particular subject may be assigned to the identity.
- The identity is newly described: one or more attributes which are applicable to this particular subject may be changed.
- The identity is destroyed.
Attacks that use intrusive means to access the information on the IC. Also known as hardware attacks.
International Organization for Standardization. An agency of the United Nations concerned with international standardization, including stored value and other bank cards. Some of the pertinent standards for contactless payment cards are ISO/IEC 7810, 7811, 7816, 9992, 10202, and 14443.
Independent sales organizations. Specialist companies that provide payment equipment and services to merchants.
The series of international standards describing the characteristics of identification cards, including physical characteristics, sizes, thickness, dimensions, construction, materials and other requirements.
The governing international standard for magnetic stripe identification cards, such as door entry cards, automated teller machine (ATM) cards, and credit cards.
The international standard for integrated circuit cards (i.e., smart cards) with contacts, as well as the command set for all smart cards.
ISO/IEC standard “Identification Cards - Contactless Integrated Circuit(s) Cards - Proximity Cards.” The international standard for contactless smart chips and cards that operate (i.e., can be read from or written to) at a distance of less than 10 centimeters (4 inches). This standard operates at 13.56 MHz.
ISO/IEC 14443 Type A card
A contactless card compliant with the ISO/IEC 14443 standard that uses 100% ASK modulation of the RF carrier and Miller Pulse Position coding to send data from the reader to the card. For the return link the carrier frequency is loaded to generate an 847 kHz sub-carrier. Type A uses On/Off Keying of the sub carrier with Manchester bit coding.
ISO/IEC 14443 Type B card
A contactless card compliant with the ISO/IEC 14443 standard that uses 10% ASK modulation of the RF carrier and NRZ coding to send data from the coupling device to the card. For the return link the carrier frequency is loaded to generate an 847KHz sub-carrier. Type B uses Binary Phase Shift Keying of the sub-carrier with NRZ bit coding.
The international standard, “Identification Cards - Contactless Integrated Circuit(s) Cards - Vicinity Cards,” for cards operating at the 13.56 MHz frequency which can be read from a greater distance as compared to proximity cards. (See ISO/IEC 14443.)
A set of programming interfaces for interactions between integrated circuit cards and external applications to include generic services for multi-sector use.
Issuer (or issuing authority)
The organization that issues an identity card to an individual after identity proofing, background checks and related approvals have been completed. Typically this is an organization for which the individual is working.
The bank that provides the credit card to the cardholder.
- The ability of two or more systems or components to exchange information and to use the information that has been exchanged.
- For the purposes of FIPS 201, the ability for any government facility or information system, regardless of the PIV issuer, to verify a cardholder’s identity using the credentials on the PIV card.
In encryption and digital signatures, a value used in combination with a cryptographic algorithm to encrypt or decrypt data.
Access to online resources (e.g., networks, files, computers, databases).
Low frequency (LF)
Radio frequencies (RF) in the range of 30 to 300 kHz. When used in an RF-based identification system, the low frequency is typically 125 kHz.
Promotional programs in which value is credited to a cardholder’s card for various reasons, determined by the vendor or merchant instituting the program. The accumulated awards can then be redeemed by the cardholder by purchasing products and services at the participating providers.
Machine readable travel documents
ICAO establishes international standards for travel documents. An MRTD is an international travel document (e.g., a passport or visa) containing eye- and machine-readable data. ICAO Document 9303 is the international standard for MRTDs.
An attack on an authentication protocol in which the attacker is positioned between the individual seeking authentication and the system verifying the authentication. In this attack, the attacker attempts to intercept and alter data traveling between the parties.
Mandatory access control (MAC)
An access control technique that assigns a security level to all resources (e.g., information, parts of a building), assigns a clearance level to all potential users requiring access, and ensures that only users with the appropriate clearance level can access a requested resource.
The process of comparing biometric information against previously stored biometric data and scoring the level of similarity.
One of the most popular hashing algorithms, developed by Professor Ronald L. Rivest of MIT, which produces a 128-bit hash from any input.
Typically a smart card or any pocket-sized card with an embedded integrated circuit or circuits containing non-volatile memory storage components and perhaps some specific security logic.
Message authentication code (MAC)
A short piece of information used to support authentication of a message. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag or checksum). The MAC value protects both a message’s integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content. MACs are computed and verified with the same key, unlike digital signatures.
A highly integrated computer chip that contains all of the components comprising a controller. Typically this includes a CPU, RAM, some form of ROM, I/O ports, and timers. Unlike a general purpose computer used in IT, a microcontroller is designed to operate in a restricted environment.
Typically a smart card or any pocket-sized card with an embedded integrated circuit or circuits containing memory and microprocessor components.
A proprietary contactless card, developed by Philips Semiconductor (now NXP), that has been widely deployed in transportation. The technology meets ISO/IEC standards 14443, Type A for contactless smart cards.
Use of mobile device to connect to a financial institution to conduct customer self-service (CSS) financial business, including but not limited to, viewing account balances, transferring funds between accounts, paying bills or receiving account alerts.
The mobile telecommunications company that has the relationship with the end user.
Use of a mobile device to make a purchase or other payment-related transaction. Such payments can be initiated in the physical or virtual worlds, and can be conducted in a variety of ways including SMS/MMS, mobile Internet, downloaded application and contactless chip (e.g., NFC technology). Examples of mobile payments include ring tone downloads billed to the mobile phone bill, purchases/payments via the mobile Internet, tap-n-go purchases using a contactless chip embedded in the mobile device, and person-to-person transfers. Mobile payments may also include the use of many other novel methods under development.
A software application that is loaded onto a mobile phone for the purpose of managing payments made from the mobile phone. A mobile wallet application can also be used to hold and control a number of other applications (for example, payment and loyalty), in much the same way as a physical wallet holds a collection of physical cards.
A detailed description or scaled representation of one component of a larger system that can be created, operated, and analyzed to predict actual operational characteristics of the final produced component.
Mobile network operator. The mobile telecommunications company that has the relationship with the end user.
A payment initiated from a mobile phone.
A smart card that runs multiple applications – for example, physical access, logical access, data storage and electronic purse – using a single card.
The use of multiple techniques to authenticate an individual’s identity. This usually involves combining two or more of the following: something the individual has (e.g., a card or token); something the individual knows (e.g., a password or personal identification number); something the individual is (e.g., a fingerprint or other biometric measurement).
A smart card reader that includes a PIN pad, biometric reader, or both to allow multi-factor authentication.
An ID card that has two or more ID technologies that are independent and that don’t interact or interfere with one another. An example is a card that contains a smart card chip and a magnetic stripe.
A card reader/writer that can accommodate more than one card technology in the same reader (e.g., both ISO/IEC 14443 and ISO/IEC 15693 contactless smart card technologies or both 13.56 MHz and 125 kHz contactless technologies).
For applications requiring secure access, the process that is used for the smart card-based device to verify that the reader is authentic and to prove its own authenticity to the reader before starting a secure transaction.
National Infrastructure Protection Plan (NIPP)
A coordinated approach to critical infrastructure and key resources (CIKR) protection roles and responsibilities for federal, state, local, tribal, and private sector security partners. Defined by DHS, the NIPP sets national priorities, goals, and requirements for effective distribution of funding and resources which will help ensure that our government, economy, and public services continue in the event of a terrorist attack or other disaster.
A list of issued cards that are to be prevented from normal use if presented to any applicable card reader in a system. (See also hot list.)
NFC – Near Field Communication
A standards-based wireless communication technology that allows data to be exchanged between devices that are in close proximity (less than 2-4 inches). NFC-enabled mobile phones incorporate smart chips that allow them to be used for payment. NFC payment transactions between a mobile phone and a POS terminal use the same standard contactless communication protocol used by contactless credit and debit cards (ISO/IEC 14443).
National Institute of Standards and Technology
The ability to ensure and have evidence that a specific action occurred in an electronic transaction (e.g., that a message originator cannot deny sending a message or that a party in a transaction cannot deny the authenticity of their signature).
Memory that holds data even after its power source is removed.
Online Certificate Status Protocol. An online protocol used to determine the status of a public key certificate.
Refers to data that is not stored on the ID card or to a computation that is not performed by the integrated circuit on the ID card.
Not connected to a communications network; an environment in which events are not processed in real time, but rather in batch mode.
Refers to data that is stored on the ID card or to a computation that is performed by the integrated circuit chip on the ID card.
Connected to a communications network.
Passwords that are used once and then discarded. Each time the user authenticates to a system, a different password is used, after which that password is no longer valid. The password is computed either by software on the logon computer or by OTP hardware tokens in the user’s possession that are coordinated through a trusted system.
A decentralized digital identity system, in which any user’s online identity is given by, for example, a URL (such as for a blog or a home page) and can be verified by any server running the protocol. Users are able to clearly control what pieces of information can be shared such as their name, address, or phone number.
The maximum distance between a contactless smart card reader and a contactless smart card.
See physical access control system.
Physical Access Interagency Interoperability Working Group
A form of secret authentication data that is used to control access to a resource. The password is kept secret from those not allowed access, and those wishing to gain access are tested on whether or not they know the password and are granted or denied access accordingly. Typically referred to as “something you know” for single factor authentication.
Personal Computer/Smart Card. The PC/SC specification defines how to integrate smart card readers and smart cards with the computing environment and how to allow multiple applications to share smart card devices.
Personal Computer/Smart Card Lite. PCSC Lite is open source software that implements the PC/SC specification for Linux.
Personal identification number (PIN)
A secret that an individual memorizes and uses to authenticate his or her identity or to unlock certain information stored on an ID card (e.g., the biometric information). PINs are generally only decimal digits.
Personally identifiable information (PII)
In information security and privacy, any piece of information which can potentially be used to uniquely identify, locate, or contact a person or steal the identity of a person.
A cyber attack that directs people to a fraudulent website by poisoning the domain name system server.
A cyber attack that directs people to a fraudulent website to collect personal information for identity theft.
Access to facilities (e.g., buildings, rooms, airports, warehouses).
Physical access control system (PACS)
A system composed of hardware and software components that control access to physical facilities (e.g., buildings, rooms, airports, warehouses).
Personal identification number. A numeric code that is associated with an ID card and that adds a second factor of authentication to the identity verification process.
PIV card(Personal identity verification card)
The dual-interface smart card that is being issued to all Executive Branch Federal employees and contractors and that will be used for both physical and logical access.
A card that meets the FIPS 201 technical specifications. PIV infrastructure elements such as card readers are capable of working with such cards, but the credential itself has not been issued in a way that assures it is trustworthy by Federal relying parties.
A card that meets the FIPS 201 technical standards and is issued in a way that allows Federal relying parties to trust the credentials.
Public Key Cryptography Standard #11. This standard defines the interface for cryptography operations with hardware tokens.
Public key infrastructure. See public key infrastructure.
The set of users for an application.
Point of sale.
Point-of-sale (POS) device or terminal
A device used to capture purchase transactions at the point they occur (i.e., at the merchant location). The transaction may be immediately validated via a communications link to a financial institution network or may be recorded against a stored value card.
A payment card that provides access to a prepaid value, rather than a line of credit. The card is used until the value is gone and the card is discarded or reloaded.
The ability of an individual or group to keep their lives and personal affairs out of public view, or to control the flow of information about themselves.
The secret part of an asymmetric key pair that is used to create digital signatures and, depending upon the algorithm, to decrypt messages, files or other information encrypted (for confidentiality) with the corresponding public key.
Authorization or access granted to credential holders based on the authentication of their identity and attributes.
A standard set of security requirements for a specific type of product that is used for the CC evaluation.
A generic name for contactless integrated circuit devices typically used for security access or payment systems. It can refer to 125 kHz RFID devices or 13.56 MHz contactless smart cards. (See ISO/IEC 14443.)
Proximity mobile payments
A payment to a physical merchant that is initiated from an NFC-enabled mobile phone held in close proximity (less than 2-4 inches) to the rmerchant’s point-of-sale equipment.
The public part of an asymmetric key pair that is used to verify signatures created with its corresponding private key. Depending on the algorithm, public keys are also used to encrypt messages, files, or other information that can then be decrypted with the corresponding private key. The user releases this key to the public who can use it to encrypt messages to be sent to the user and to verify the user’s digital signature. Compare with private key.
Public key certificate
A digital document that is issued and digitally signed by the private key of a certificate authority (CA) and that binds an attribute of a subject to a public key.
Public (asymmetric) key cryptography
A type of cryptography that uses a pair of mathematically related cryptographic keys. The public key can be made available to anyone and can encrypt information or verify a digital signature. The private key is kept secret by its holder and can decrypt information or generate a digital signature.
Public key infrastructure (PKI)
The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. There are four basic components to the PKI: the certificate authority (CA) responsible for issuing and verifying digital certificates, the registration authority (RA) which provides verification to the CA prior to issuance of digital certificates, one or multiple directories to hold certificates (with public keys), and a system for managing the certificates. Also included in a PKI are the certificate policies and agreements among parties that document the operating rules, procedural policies, and liabilities of the parties operating within the PKI.
Radio frequency (RF)
Any frequency within the electromagnetic spectrum associated with radio wave propagation. Many wireless communications technologies are based on RF, including radio, television, mobile phones, wireless networks and contactless payment cards and devices.
Radio frequency identification (RFID)
Technology that is used to transmit information about objects wirelessly, using radio waves. RFID technology is composed of 2 main pieces: the device that contains the data and the reader that captures such data. The device has a silicon chip and an antenna and the reader also has an antenna. The device is activated when put within range of the reader. The term RFID has been most commonly associated with tags used in supply chain applications in the manufacturing and retail industries.
Random access memory. Computer memory that can be read from and written to in arbitrary sequence and that requires power to retain its data.
Any device that communicates information or assists in communications from a card, token or other identity document and transmits the information to a host system, such as a control panel/processor or database for further action.
REAL ID Act
The REAL ID Act of 2005. Legislation intended to deter terrorism by establishing national standards for state-issued driver’s licenses and non-driver’s identification cards in addition to other key executables.
See identity registration.
A body given the responsibility of maintaining lists of codes under international standards and issuing new codes to those wishing to register them.
A smart card that is capable of being loaded with value multiple times during the life of the card.
Remote mobile payments
A payment initiated from a mobile phone to a recipient (person or device) where the recipient is not in the immediate vicinity.
A message returned by the integrated circuit chip to the terminal after the processing of a command message received by the chip.
RFID tag (labels)
Simple, low-cost and disposable electronic devices that are used to identify animals, track goods logistically and replace printed bar codes at retailers. RFID tags include an integrated circuit that typically stores a static number (an ID) and an antenna that enables the chip to transmit the stored number to a reader. When the tag comes within range of the appropriate RF reader, the tag is powered by the reader’s RF field and transmits its ID to the reader. There is little to no security on the RFID tag or during communication with the reader. Typical RFID tags can be easily read from distances of several inches (centimeters) to several yards (meters) to allow easy tracking of goods.
The actions and activities assigned to or required or expected of a person or group.
Role-based access control (RBAC)
Access to resources based on a user’s assigned role. Access permissions, which determine which resources can be accessed and the privileges in the context of that resource, are administratively associated with roles, and users are administratively assigned appropriate roles. Roles can be granted new permissions as new resources are incorporated, permissions can be revoked from roles as needed, and role assignments for users can be modified or removed as needed. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning the appropriate roles to the user, which simplifies common operations such as adding a user, or changing a user’s department.
Public/private key encryption technology that uses an algorithm developed by Ron Rivest, Adi Shamir and Leonard Adleman and that is owned and licensed by RSA Security.
The Sarbanes-Oxley Act of 2002, which introduced changes to regulations that apply to financial practice and corporate governance for public companies. The Act introduced new rules that were intended “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.”
Easily expanded to suit future requirements. Applies to hardware or software.
A key used with symmetric cryptographic techniques by a set of specified entities.
The location of the security components within the mobile phone. This can be the SIM, a separate secure chip in the phone, or an external plug-in card.
Secure hash algorithm (SHA)
One of the most popular hashing algorithms, designed for use with the Digital Signature Standard by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). SHA-1 produces a 160-bit hash.
The verifiable and exclusive right to use the identity information being presented by an individual to access a set of privileges.
Condition of use of objects in the ID card including stored data and data processing functions, expressed as a data element containing one or more access rules.
A random sequence of bits that is used in a cryptographic algorithm as the input to generate other, longer pseudo-random bit sequences.
A host computer that stores information (e.g., Web sites) and responds to requests for information (e.g., links to another Web page).
Attacks based on information gained from the physical implementation of a cryptosystem.
Subscriber Identity Module. A SIM is the smart card that is included in GSM (Global System for Mobile Communications) mobile phones. SIMs are configured with information essential to authenticating a GSM mobile phone, thus allowing a phone to receive service whenever the phone is within coverage of a suitable network.
Simple power analysis (SPA)
A class of attacks that extracts secret information from smart cards through power consumption analysis.
The practice of obtaining information from a data storage device without the owner’s knowledge. Skimming is typically associated with magnetic stripe-based credit cards.
A device that includes an embedded secure integrated circuit that can be either a secure microcontroller or equivalent intelligence with internal memory or a secure memory chip alone. The card connects to a reader with direct physical contact or with a remote contactless radio frequency interface. With an embedded microcontroller, smart cards have the unique ability to securely store large amounts of data, carry out their own on-card functions (e.g., encryption and mutual authentication) and interact intelligently with a smart card reader. Smart card technology conforms to international standards (ISO/IEC 7816 and ISO/IEC 14443) and is available in a variety of form factors, including plastic cards, subscriber identification modules (SIMs) used in GSM mobile phones, and USB-based tokens.
Secure Multipurpose Internet Mail Extensions. A protocol for exchanging digitally signed and/or encrypted mail.
The act of auditing or watching computer network traffic. Hackers may use sniffing programs to capture data that is being communicated on a network (e.g., usernames and passwords).
A set of documentation that reflects agreements on products, practices, or operations produced by one or more organizations (or groups of cooperating entities), some for internal usage only, others for use by groups of people, groups of companies, or an entire industry.
Secure Sockets Layer. SSL is a protocol used to transmit information on the Internet in encrypted form. SSL also ensures that the transmitted information is only accessible by the server that was intended to receive the information.
Specifications produced by accredited associations, such as ANSI, ISO, SIA, ETSI or NIST. In the United States the use of standards is typically optional and multiple standards can be developed on the same subject. In some countries, the use of existing standards may be required by law and the development of multiple standards on the same subject may be restricted.
Static data authentication (SDA)
One technique used by the EMV specifications to determine that an EMV credit or debit card is authentic.
Stored value card
A smart card containing one or more purses which can be loaded and reloaded with value and used to make purchases.
The use of two or more factors of authentication to prove an individual’s identity. Factors would include some combination of something you know (a password or personal identification number that only you know), something you have (a physical item or token in your possession) and something you are (a unique physical quality or behavior that differentiates you from all other individuals).
A person, system or object with associated attributes.
Cryptography using the same secret key for both the originator’s and the recipient’s operation. (Without the secret key, it is computationally infeasible to compute either operation.)
Keys that are used for symmetric (secret) key cryptography. In a symmetric cryptographic system, the same secret key is used to perform both the cryptographic operation and its inverse (for example to encrypt and decrypt, or to create a message authentication code and to verify the code).
Biometric data after it has been processed from its original representation (using a biometric feature extraction algorithm) into a form that can be used for automated matching purposes (using a biometric matching algorithm). Biometric data stored in a template format cannot be reconstructed into the original output image.
A physical device that carries an individual’s credentials. The device is typically small (for easy transport) and usually employs a variety of physical and/or logical mechanisms to protect against modifying legitimate credentials or producing fraudulent credentials. Examples of tokens include picture ID cards (e.g., state driver’s licenses), smart cards, and USB devices.
Information on a payment card that usually contains all of the information on Track 2 plus the name of the person to whom the card was issued. It may also contain other discretionary data.
Information on a payment card that contains the Primary Account Number (PAN) of the card, its expiration date, and other discretionary data (sometimes used for PIN verification). The first 2 to 8 digits of the PAN usually identify the issuing institution for settlement and authorization processing.
One of the tracks on a debit or credit card’s magnetic stripe that contains information defined by ANSI and ISO/IEC standards. It can be written to (updated) by devices such as ATMs and airline reservation terminals.
As defined in NIST SP 800-73, products that meet the “Transitional” interface specification. Transitional products can be used as part of a migration strategy by Federal agencies that have already initiated a large-scale deployment of smart cards as identity badges.
A wireless communications device that detects and responds to an RF signal.
A block cipher formed from the Data Encryption Standard (DES) cipher by using it three times.
Trusted service manager (TSM)
A neutral third party service provider that provides a single integration point to all mobile operators for financial institutions, transit authorities and retailers that want to provide a payment, ticketing or loyalty application to their customers with NFC-enabled mobile phones. The TSM provides services to manage the secure download and life-cycle management of the mobile NFC applications on behalf of the financial institutions, transit authorities and retailers. The TSM does not participate in the transaction stage of the service, allowing existing business models to be implemented.
TWIC (Transportation Worker Identification Credential)
A common smart card-based identification credential for all personnel requiring unescorted access to secure areas of Maritime Transportation Security Act-regulated facilities and vessels, and all mariners holding Coast Guard-issued credentials.
Ultra-high frequency (UHF)
Radio frequencies (RF) between 300 MHz and 3 GHz. When used in an RF-based identification system, the UHF frequency range is typically from 860 to 960 MHz.
Any element or value which is guaranteed to be unique among a given group.
Universal Serial Bus. A serial bus standard to interface devices.
The process of demonstrating that the system under consideration meets in all respects the specification of that system.
A count (or amount) that is retained for a card or account by a switch, processing system or other host in order to limit the amount of activity in a given period of time. It is a way of limiting the effects of possible fraud.
The process by which the question “is this person who the person claims to be?” is answered. This function requires a one-to-one match between presented identity information and identity information that is known to a system. See identity verification.
The process of inspection, evaluation and adjudication of claims ensuring that people are who they claim to be before giving them authorization or rights to do something.
See ISO/IEC 15693.
Web access management (WAM)
Systems that replace the sign-on process on various web applications, typically using a plug-in on a front-end web server. The systems authenticate users once, and maintain that user’s authentication state even as the user navigates between applications. These systems normally also define user groups and attach users to privileges on the managed systems. These systems provide effective access management and single sign-on to web applications. They do not, in general, support effective (or any) management of ‘legacy’ systems such as network operating systems, mainframes, client/server applications, and e-mail systems.
Technology widely used for physical access applications. The technology includes an interface, a signal, a 26-bit format, an electromagnetic effect, and a card technology. A Wiegand strip is the implementation of Wiegand technology on an ID credential.
A contactless card that has an electronic circuit that is designed for a specific function (e.g., security, authentication) without an embedded MCU.