Alliance Activities : Publications : Smart Card Security
What Makes a Smart Card Secure?
Smart card-enabled applications are becoming more prevalent in many of today’s businesses. The financial payments industry has moved to smart cards. The majority of the regional financial organizations worldwide have mandated that financial credit and debit cards must be smart card-enabled by a specified date. Plus, there has been rapid acceptance of contactless smart card technology for fast, convenient and secure credit and debit payment. The United States Federal government has adopted smart card technology for its major credentialing initiatives. The Department of Defense Common Access Card uses smart card technology for the credentialing of all military and civilian personnel. The Department of State uses contactless smart card technology for the electronic passport. Smart card-based identity credentials are now being issued to all Federal government employees to meet Homeland Security Presidential Directive 12. Enterprises are issuing smart ID badges to employees to secure physical and logical access. Plus, many government identity programs around the world are issuing smart card-based identity credentials to citizens.
All of these deployments see the use of smart card technology as an essential element for the integrity of their credentialing schemes. Smart cards are portable, personal security devices that can securely carry sensitive information, enable secure transactions, validate an individual’s identity within a secure system, and verify that an information requestor is authorized to access the information carried on the card. Smart cards not only maintain the integrity of the information stored on the card, but also make it available for secure interactions with the overall system.
A smart card includes an embedded secure integrated circuit (IC) that can be either a secure microcontroller with internal memory or a secure memory IC alone. The card connects to a reader with direct physical contact or with a remote contactless radio frequency (RF) interface. With an embedded microcontroller, smart cards have built-in tamper resistance and have the unique ability to securely store large amounts of data, carry out their own on-card functions (e.g., encryption and digital signatures), and interact intelligently with a smart card reader.
The smart card itself is only one component in a smart card-based system implementation. Security mechanisms are typically implemented in the card and at the operating system (OS), software, and system levels, providing layers of security to protect the system and information within the system from unauthorized access. In any smart card system implementation, the issuer needs to determine the risks that the system will be exposed to and implement the security measures necessary throughout the system to address those risks.
The government and financial payments industries have also led the way in establishing security evaluation and certification programs for the various layers of smart card security. Standardized evaluations and certifications use trusted third party labs to empirically verify that specific threats are prevented to a defined level of effectiveness, providing issuers with the confidence that certified products meet specified security requirements.
By placing a secure smart card in the hands of the user, organizations can implement a layered security architecture that addresses the expected risk of security breaches and implements an end-to-end chain of trust.
This white paper was developed by the Smart Card Alliance Payments Council Security Work Group to provide an educational overview of the security measures designed into the smart card secure IC and of the use of these features and other system-level security measures to enhance the integrity of the overall system that is being deployed. It is intended to provide a basis of information on security considerations in smart card-based systems for those organizations that are intending to deploy smart card technology for payment, security or identity applications. The white paper answers the following questions:
- What is a secure IC and what types of secure ICs are used in smart cards?
- What security features are designed into secure memory ICs and secure microcontrollers that protect data and thwart attempted attacks?
- What is the impact of contact and contactless interfaces on security?
- What are the advantages of hardware vs. software in implementing cryptography on smart cards? How do the operating system and IC hardware countermeasures function together to enhance the overall security of the smart card IC? What levels of cryptographic algorithms are currently used in smart card deployments?
- How do smart cards fit into overall system security? How is the financial industry using smart cards to improve the security of credit and debit payments?
- What industry certifications and evaluations are available that organizations can use to gain confidence in the security implemented in various smart card products and in the interoperability of the technology among various component suppliers?
While the white paper focuses on the financial payments industry when discussing overall system security, the discussion of secure ICs, interfaces and cryptography applies to all industries and applications. Examples from other industries are included, with references provided for additional detail.
About the Payments Council
The Payments Council is one of several Smart Card Alliance technology and industry councils. The Council was formed to focus on facilitating the adoption of chip-enabled payments and payment applications in the U.S. through education programs for consumers, merchants, issuers, acquirers/processors, government regulators, mobile telecommunications providers and payments service providers. The group is bringing together payments industry stakeholders, including payments industry leaders, merchants and suppliers, and is working on projects related to implementing EMV, contactless payments, NFC-enabled payments and applications, mobile payments, and chip-enabled e-commerce. The Council’s primary goal is to inform and educate the market about the value of chip-enabled payments in improving the security of the payments infrastructure and in enhancing the value of payments and payment-related applications for industry stakeholders. Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.