
Smart Card Applications for Business and Public Service

The fundamental role of a smartcard is to store secret information that allows the card to be used as an authentication token. The card issuer or another party can then challenge the card and, if the card is able to supply the correct response, the card is deemed authentic. Often the card will require the cardholder to supply an enabling code, for example a PIN or password.

The enabling code, such as a PIN, is not the critical information used by the card; it is simply information that enables the card so that it will respond to challenges sent by an Internet network or POS terminal.
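The following sketch is an added example, not code from the original page or from any card vendor. It models the roles described above: the card's secret key answers the issuer's challenge, while the PIN only unlocks the card. The HMAC-SHA256 response, the three-try PIN limit and all names and values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Toy card: the secret key stays inside the object; the PIN only enables it."""

    MAX_PIN_TRIES = 3  # assumed retry limit for this sketch

    def __init__(self, card_id: str, key: bytes, pin: str):
        self.card_id = card_id
        self._key = key                  # the critical secret
        self._pin = pin.encode()         # the enabling code
        self._tries_left = self.MAX_PIN_TRIES
        self._enabled = False

    @property
    def blocked(self) -> bool:
        return self._tries_left == 0

    def verify_pin(self, pin: str) -> bool:
        if self.blocked:
            return False                 # a blocked card refuses even the right PIN
        if hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left = self.MAX_PIN_TRIES
            self._enabled = True
            return True
        self._tries_left -= 1
        self._enabled = False
        return False

    def respond(self, challenge: bytes):
        """Answer a challenge with a MAC over it, but only once enabled by the PIN."""
        if not self._enabled:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Issuer:
    """Challenging party: knows each card's key and issues single-use challenges."""

    def __init__(self):
        self._keys = {}
        self._pending = {}

    def enroll(self, card_id: str, pin: str) -> SmartCard:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        return SmartCard(card_id, key, pin)

    def new_challenge(self, card_id: str) -> bytes:
        challenge = secrets.token_bytes(16)   # fresh random value per attempt
        self._pending[card_id] = challenge
        return challenge

    def check(self, card_id: str, response) -> bool:
        challenge = self._pending.pop(card_id, None)  # each challenge is used once
        key = self._keys.get(card_id)
        if challenge is None or key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    issuer = Issuer()
    card = issuer.enroll("CARD-0001", "4921")   # constructed sample values
    results = {}

    # Card not yet enabled: it stays silent, so authentication fails.
    c = issuer.new_challenge(card.card_id)
    results["no_pin"] = issuer.check(card.card_id, card.respond(c))

    # Cardholder enters the PIN; the card now answers the challenge.
    card.verify_pin("4921")
    c = issuer.new_challenge(card.card_id)
    answer = card.respond(c)
    results["with_pin"] = issuer.check(card.card_id, answer)

    # An old answer does not match a new challenge.
    issuer.new_challenge(card.card_id)
    results["replay"] = issuer.check(card.card_id, answer)

    # Knowing the PIN without the card's key is not enough.
    other = SmartCard("CARD-0001", secrets.token_bytes(32), "4921")
    other.verify_pin("4921")
    c = issuer.new_challenge("CARD-0001")
    results["pin_without_key"] = issuer.check("CARD-0001", other.respond(c))
    return results


if __name__ == "__main__":
    print(demo())
```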

Corporate Identification, corporate ID cards
Mobile Communications - cell phone cards, mobile telephony
Communication - payphone payment cards, electronic value telephone card
Building Access
Computer security, network security, public key infrastructure, wireless LAN security
Biometrics, Secure ID
Loyalty
Student ID, meal programs, campus cards
Patient health cards, government health care cards
Driver's license 
Pharmacy
Retail
Ticketing
Catering and Food Concessions
Vending Machine Purchases
Parking Lot Access
Passports
Copying Machines
Travel
Public transit
Hospitality
Financial payments card
Online payments, e-commerce, Internet smartcard, home microbank secure financial transactions
Pay TV, satellite cards
Safety monitoring
Electronic Voting
Tourism Attraction Day Passes
Training applications. 

The major development in card markets today is the push to replace magnetic stripe cards with smart cards. In the financial world, this development is driven primarily by the EMV mandates from MasterCard and Visa. Smart cards are also being increasingly introduced in other market sectors like government, transportation and healthcare.

Smart cards can be used to carry med-alert information or for health insurance ID, ATM and related bank access, driver's licenses and credit cards. Other potential uses include prescriptions, money for small purchases, medical records, other ID, discount shopping, money for larger purchases, frequent flyer information and other membership cards.

Japanese corporations are developing company cards to serve as identification badges and time-and-attendance records.  Employees use the cards to withdraw cash, reconcile travel expenses, pay for purchases in the company cafeteria and stores, and manage resources like power, light, heat and air conditioning.

Many Japanese already flash their smart cards at station gates to get on commuter trains. New cell-phone models in Japan let people use the cards to buy soda at vending machines, pay restaurant bills and play games at a Tokyo arcade.

NTT, Japan's national telephone company, and Nissan Motors are placing Smartcards in automobiles in order to maintain a birth-to-death record of component part types and serial numbers, warranty conditions and maintenance.

For years people have looked at smart technology and its potential, but have hesitated due to the traditionally high cost. Historically, smart card applications were reserved for industries that had either high-margin businesses, a need for strict security, or products for which a one-time fee could be charged to cover the cost of the chip.

However, the cost of manufacturing smart technology has dropped significantly over the last few years. The reduction in cost has led managers in low-margin businesses to realistically consider the potential and applicability of smart card technology.

The use of smart technology across applications and industries will begin to create familiarity with the technology, not only among managers, but also consumers. This familiarity will come as an epiphany to some as they discover that they have been surrounded by the technology without realizing it.

Among the advanced services First National Bank Omaha will deliver at no extra cost to its customers is fileIt(SM), a "Convenience Storage" application that allows individuals to store personal data -- birthdays, a social security number or frequent flyer details, for example -- securely in the card's memory. In addition, the card can be updated online from First National Bank Omaha's web site, ensuring the customers have the latest, most secure smart card applications without having to receive a new card.

The Convenience Storage application is based upon smart Visa Framework, a comprehensive set of commands, data structures, security protocols and access methods developed by Visa U.S.A. and Oberthur to help manage personal data. The First National Bank Omaha program will be based on Oberthur's advanced CosmopolIC Lite smart card.

Public Transit Transportation Passes

see section on that topic

Mobile Communication Smart Cards - SIM Card

see section on that topic

Parking and Road Toll Collection Cards

Today, we are facing a global trend towards road tolling. The basic concept of all such schemes involves stopping at a toll booth, paying and driving on. More advanced freeflow systems do not require the driver to stop and these are often combined with 'stop and go' lanes in individual schemes.

Identification products which may be used in road tolling applications include smart card ICs and contact controller ICs for e-purse cards and On-Board Units (OBUs) or transponders.

02/05 - Bangkok's notorious traffic problems could be in for some much needed help, with the Bangkok Metropolitan Administration (BMA) planning to introduce a number of projects as part of an intelligent traffic system.

While mass transportation systems such as the BTS and MRT have already made the daily commute easier for some, poor parking facilities are another source of hold-ups and traffic snarls, particularly in areas that were not designed for cars.

As a result, the BMA will introduce two so-called intelligent parking buildings, that will accommodate around 100 cars.

The parking lots will have a computer control system that works in conjunction with smart card technology and does not require the use of security guards acting as parking attendants.

"Once a driver enters the ground floor of the building with their smart card and gets out of the car, the parking system will lift the car automatically and locate an empty parking space," Dr Samart explained.

"When the car owner wants to retrieve the car, they use the smart card again and the car will be brought down by an electro-hydraulic lift system," he added.

While the concept of the BMA's intelligent parking building sounds promising, some have questioned whether an electro-hydraulic lift system is feasible because the machines are expensive and the BMA would have to pass on the cost to drivers in the form of higher parking fees.

Piya Chindapradist, CEO of Smart Traffic, a system integrator of toll collection systems, said that technology for parking systems had two major functions: revenue collection and for safety and traffic management.

Stored Value Reducing Amount Smart Cards

see section on that topic

Access Management - Controlling entry to buildings and facilities

Smart cards protect against unauthorised entry into high security zones, or serve as a spare key for forgetful hotel guests. Cards both with and without contacts can be used to ensure that only people who are positively identified can enter a building or room. When read-only cards are used, it is not even necessary for the user to show his identity card, as long as he is within one metre of the reading device. However, this is when the problem of tailgating can occur. Other badges or cards in the vicinity are not picked up by the reader; therefore, the system doesn't know there are other people entering at the same time, whether or not they actually possess a badge or card.

At the same time, the chips can be used as a reliable way of recording employees' work times. Students or workers can use contact or contactless media to gain access to buildings, facilities, computers and networks. This provides protection against unauthorised access to places and data.

Conventional access point security systems employ high-frequency RFID (Radio Frequency IDentification) badges or smart cards to allow authorized people to open doors and enter secure zones.

Tailgating: denotes a breach by which one individual closely follows another through a door or other access point secured by the use of electronic identification cards.

Access Control Articles

Employee Management

The Accsys Peopleware Time Manager (APTM) solution from South Africa was designed to allow access control and shop floor data collection for employee time and attendance management.

While many companies already have clocking systems in place, biometrics provides a more secure and reliable option because with a normal card or PIN-based option, employees are able to bypass the system by, say, allowing a colleague to clock in for them. With a biometrics solution, there is no way of someone getting around it.

Computer Network Security

The smart card can be used for login, digital signing and decryption of email, digital signing of documents, web authentication, secure login for corporate LANs as well as remote login for branch offices, field service and customers, along with other work flow applications which need secure identification and strong authentication for the protection of network resources.

In the business customer sector there are also solutions which are designed to increase security. The user of a computer keyboard can be identified by means of a chip programmed with a biometric key while he is logging on to the computer or shopping on the Internet. The reading device mounted in or near the keyboard checks the identity of the business partner who is requesting entry into the protected area of the intranet. The user's biometric data, such as his fingerprint, can also be stored on a card, thus preventing its use by any other card holders. This represents a considerable increase in security.

Used for securing the desktop, remote network access and access to web services, via digital signatures stored upon a smartcard or security token.  A network security application that provides strong (two-factor) authentication for remote, VPN and web access.

Potential use of the associated chip cards could range from simple intranet/internet secure login, to a full blown certificate-based enterprise deployment for local and remote access, physical access control and other related applications.

The concept of the Smart Login is simple enough. The user creates one or more aliases, each of which is associated with a specific user name and password to be used to access a service. These user name and password pairs are stored on the chip card accordingly. Smart Login may then be configured to automatically login to the service, to automatically fill in the user name and password in the service login dialog, or revert to a manual drag and drop method of completing the login information.

For corporations whose intranet plays a large part in day-to-day operations, the use of such a token would be very pertinent, as would it be for remote access across VPNs, secure email communications and a host of other situations where personal identity verification and data encryption are considered valuable.

Smartcards offer an alternative to one-time passwords, providing a less bullet-proof but more flexible authentication solution. Using a Java platform, the card can be loaded with multiple identities or custom applications, keyed to specific users and providing strong authentication. The flexibility also extends to physical security, with smartcards well suited for integration into physical access control or ID badges.

Identity Tokens

The big problem with smart cards has been the hassle of installing a reader and related software. Two kinds of hardware tokens that avoid those problems are being used by financial institutions: USB tokens and one-time password generators.

USB tokens are inserted into one of the USB slots now standard on personal computers for authorization along with a logon and password. That requires the user to have a token, as well as knowing the user name and password. RSA Security Inc. and Aladdin Knowledge Systems are among the providers of these tokens.

A security token device combines the functions of a Smart Card and its reader, allowing you to safely generate and store your digital certificates. These certificates, which guarantee the digital identity of users, are extremely secure and portable, provide “double factor” authentication of users within the corporate domain, and support Smart Card Logon by Microsoft or Novell authentication solutions.

The USB Smart key, also known as a key-shaped Token, contains a cryptographic chip for securely storing a user's personal ID. The USB form factor is technologically identical to Smart Cards, with the exception of the interface to the computer. USB Smart Keys are about the size of a house key and are designed to interface with the Universal Serial Bus (USB) ports found on millions of computers and peripheral devices.

USB-based two-factor authentication tokens provide a very cost-effective and easy-to-use control for multiple applications and network services, as in Virtual Private Networks (VPN), and can control Intranet, Extranet, and Internet access. Some variants can also be used in Public Key Infrastructure (PKI) environments.

The Windows 2000 Active Directory supports Public Key Infrastructure using Digital Certificates. Security tokens can store these Certificates which are then used for Secure Windows Logon, Secure Web Authentication/Access and Secure eMail.

Up until the release of Windows 2000, Interactive Logon used Windows Basic, or Windows NT Challenge-Response mechanisms, with Username and Password based authentication. Now with Windows 2000 Active Directory networks, a 'smart-card' logon can be deployed, enabling smart tokens to be used for User certificates and private keys.

In operation, Windows recognizes the insertion of a token into the USB port as an alternative to the standard 'CTRL+ALT+DEL' attention sequence to initiate a Logon. The user is then prompted for the token User PIN code, which controls access to public-private key data stored on the USB token. Because the PKI credentials are stored on the smart token, the user can roam within the network (use any other workstation), providing scope for a very flexible deployment of systems and users.

This allows for deployment of one or more Certificate Authorities (CAs). These may be Microsoft CAs or third-party CAs (e.g. Baltimore or Entrust). These CAs support issuing and revocation of Digital Certificates. The Certificate Service is integrated with Windows Active Directory.

The Windows 2000 integration of PKI does not replace existing Windows Domain trust-authorization mechanisms. However, it does enable the managing of Public Key applications on all Windows workstations and servers connected to a Windows 2000 Active Directory network, including Windows NT and Windows 98 systems used as workstations.

Some handle digital signing features and generation of the public/private keys directly on-board, which ensures the integrity and non-repudiation of information subject to digital signing (single files or e-mail messages).

They allow you to store the encryption keys used to secure the confidential information through file and disk encryption which protect the information from being accessed by unauthorized persons.

You can also secure e-mail exchanges thanks to the encryption functions and digital signing of messages available in the most common applications (Outlook, Lotus Notes and Netscape).

The adoption of an all-in-one device for the secure distribution of digital certificates issued by the PKI provides integration with security applications which support encryption technology based on public/private keys and distribution of digital certificates (Entrust, Baltimore, Microsoft, Cryptomathic, Novell, VeriSign and others).

“Double factor” authentication (something you have + something you know) is extremely secure in comparison to just username & password features.

Organizations implementing security tokens can enable their users to simply plug in the token and enter one password to securely log on to the company network, VPN, or any other application, including customized and home-grown applications. The use of the identity token adds an additional security level to the authentication process – requiring the physical presence of the token device as well as the token password to allow access for strong two-factor authentication.

In a future scenario in which mobility will be an essential component in the information technology users' activities, and where an insufficient spread of readers is still very much the norm, results have demonstrated that Smart Cards prove to be strongly penalized in terms of usability, costs, mobility and usage security, as compared with USB tokens.

Those with built-in storage capabilities appear to be the best device to use to get a back-up of confidential data as they are easy to use and guarantee the reserved nature of confidential information.  They also allow for safe management of encrypted files protected by password as well as the ability to save, archive and transfer data making them perfect for handling accounting data, images, CAD files and other documents.

CryptoIdentity Security Token Demo Kit Order Form

SafeNet iKey was merged with Rainbow Technologies

SafeNet Canada
One Chrysalis Way
Ottawa, ON, CANADA, K2G 6P9
Tel: +1 613 723 5077 FAX: +1 613 723 5078

Aladdin eToken

About the size of an average house key, the award-winning Aladdin eToken is easy to use and highly portable, providing users with powerful authentication by requiring something they have, the tamper-proof eToken, and something they know, a PIN. It is used for secure network logon, secure VPN, Web Sign On, Simple Sign On, secure email, and numerous other applications. eToken is available in smart card and USB form factors featuring proximity capabilities and one-time password technology.

KoolSpan, Inc.

KoolSpan, Inc. (Bethesda, MD) develops easy-to-install and operate network-device independent solutions for user authentication, network security and remote access over wired and wireless networks. KoolSpan's standards-compliant products leverage the tried and true, tamper-resistant Smart Card used in more than half a billion mobile phones worldwide.

Secure Remote Access

Ensuring secure access to enterprise information is essential as companies continue to move their business processes online and extend the enterprise boundary beyond the corporate firewalls.

Unfortunately, many enterprises today still rely on static, reusable passwords, thereby exposing enterprise information to access by unauthorised users. An alternative to these static passwords is a solution that leverages robust multifunction smart cards or USB keys or a combination thereof, depending on specific end user's requirements.

"Two factor" authentication is a method of strong authentication, which requires at least two identifying components from:

1. What you know (such as a PIN),
2. What you have (such as a digital certificate and/or smart card) and
3. What you are (e.g., biometrics, such as a fingerprint or retina pattern). 

Based on two-factor authentication technology, more comprehensive authentication solutions use USB keys and smart card devices to protect your network perimeter and application and information access.

Replacing static passwords with strong two-factor authentication is an essential step for securing corporate networks, applications, and information assets. ActivCard® delivers this capability in the form of easy-to-use tokens.

Computer Network Smartcard / Token Technology Security Product Review

Two Token Evaluation Pack from Activcard

ActivCard Canada
38 Auriga Drive, Suite 210
Nepean, Ontario K2E 8A5
TEL: 613.738.5275
FAX: 613.248.0102

Hotel Electronic Door Locks

According to CISA of Italy, their SmartKeys issued by Hilton hotels are nearly impossible to duplicate, and the technology allows owners to maintain a unique record of anyone who enters a room. Some guests already possess a multifunction Smartcard that will be presented upon check-in for encoding to be used as their guestroom key.

Thousands of travelers are holders of credit and/or affinity cards with Smartcard technology that can be utilized at the Hilton New York Towers. These cards include: the American Express(R) Corporate Card, Hilton Optima(R) Card and Hilton HHonors(R) Worldwide Diamond VIP member cards.

E-Commerce

The Internet and e-commerce are the emerging drivers for smartcard use. What is the logic behind issuance of these cards? Online transactions are perceived as a higher risk than traditional physical transactions.

The smart chip will simplify online shopping, and it can digitally encrypt every transaction for enhanced security. When you use a "regular" credit card, you have to give out your card number every time you place an order online. With a smart chip equipped card, however, each and every transaction is done by transferring a unique code from your smart chip equipped credit card to the merchant. That unique code contains your card information in an encrypted form. One such code is only good for one purchase. So even if someone somehow intercepted the communications between you and the merchant, they cannot re-use this code to make fraudulent purchases. Smart chip assisted shopping is only available at merchants who accept this payment form.
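The single-use property described above can be seen in the following added example, which is not code from the original page and is not the EMV cryptogram or any issuer's scheme. As an assumption, it replaces the encrypted card information with a truncated HMAC-SHA256 tag over a per-card counter, the merchant and the amount; all names and values are constructed.

```python
import hashlib
import hmac
import secrets
import struct


def transaction_tag(key: bytes, counter: int, merchant: str, amount_cents: int) -> bytes:
    """MAC over counter, merchant and amount; fixed-width fields keep the encoding unambiguous."""
    msg = struct.pack(">I", counter) + merchant.encode() + struct.pack(">Q", amount_cents)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Card side: every purchase consumes a new counter value."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key
        self._counter = 0

    def authorize(self, merchant: str, amount_cents: int) -> dict:
        self._counter += 1
        return {
            "card_id": self.card_id,
            "counter": self._counter,
            "tag": transaction_tag(self._key, self._counter, merchant, amount_cents),
        }


class IssuerHost:
    """Issuer side: checks the tag, then refuses any counter it has already seen."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def issue(self, card_id: str) -> ChipCard:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return ChipCard(card_id, key)

    def verify(self, code: dict, merchant: str, amount_cents: int) -> str:
        key = self._keys.get(code["card_id"])
        if key is None:
            return "unknown-card"
        expected = transaction_tag(key, code["counter"], merchant, amount_cents)
        if not hmac.compare_digest(expected, code["tag"]):
            return "bad-code"            # code does not match this merchant/amount
        if code["counter"] <= self._last_counter[code["card_id"]]:
            return "replayed"            # a genuine code, but already spent
        self._last_counter[code["card_id"]] = code["counter"]
        return "approved"


def demo_transactions() -> list:
    host = IssuerHost()
    card = host.issue("CARD-0001")                      # constructed sample values
    first = card.authorize("bookshop.example", 2599)
    outcomes = [
        host.verify(first, "bookshop.example", 2599),   # first use of the code
        host.verify(first, "bookshop.example", 2599),   # same code presented again
        host.verify(first, "other.example", 2599),      # same code at another merchant
    ]
    second = card.authorize("bookshop.example", 1000)
    outcomes.append(host.verify(second, "bookshop.example", 99900))  # amount altered
    outcomes.append(host.verify(second, "bookshop.example", 1000))   # untouched code
    return outcomes


if __name__ == "__main__":
    print(demo_transactions())
```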

The reason that the EMV smart card is not already used within consumer e-transactions is the difficulty in including the card within the transaction process. The solution for this, an unconnected reader, is not new. However, the barrier has always been around cost. In other words, is it more cost effective for the bank to accept low levels of fraud rather than the expense of rolling out millions of unconnected readers to consumers? The continuing rise of CNP fraud is beginning to tilt the argument in favour of the rollout option.

The shift in liability associated with EMV is driving many banks to issue smart cards. Under many EMV rules, liability for fraud that could have been prevented by chip technology will fall on the party that has not made the upgrade. Aside from the threat of increased liability, merchants and banks are being incentivized by lower or higher interchange rates for transactions made with chip cards or POS systems.

The Canadian Bankers Association report that $44-million (U.S.) in unauthorized debit card transactions was reimbursed to consumers in 2003, a mere drop in the ocean to financial institutions, and no incentive for a costly migration to the more secure smartcard (chip and PIN) system up and running in the UK and much of Europe — and not likely to be seen in Canada before 2010 when Visa Canada have committed to rolling it out.

As online revenues become a significant part of overall revenue, concerns about Internet fraud are growing. The accepted wisdom is that simply entering credit or debit card details on a PC in a browser is not sufficiently secure. One solution to securing online transactions is the smartcard.

American Express Blue Card in the USA is a leading example. AMEX introduced the BLUE card primarily as a marketing exercise.

In 1996, Europay, MasterCard and Visa first released flexible specifications for smart card-based debit and credit payments. In 1999, the three card associations founded EMVCo, an independent organization, to manage and enhance EMV specifications as technology advances and the implementation of chip card programs become more prevalent.

Since then, EMVCo has published specification updates that factor in advancements in smart card technology, such as faster chip speeds. EMVCo also established a single approval process for POS terminals and ATMs to ensure cross-payment system interoperability.

Internet fraud rates are very unclear, with statements ranging anywhere from zero to 50%.

The reality is that transactions on the internet are very fast and currently not well secured and, if this situation is not changed, it will definitely be exploited for fraud. Identifying parties and securing the exchange of data and money becomes crucial in the world of e-commerce where there are no physical or traditional means of ensuring the legitimacy of the exchange.

A smartcard strongly authenticates a card holder, as card duplication is not feasible. Internet revenues are still a relatively low proportion of total card revenues.

The majority of consumers are still more than hesitant when it comes to online shopping. Most people are very unsure about passing on credit card details online. The solution is the integration of a smart card plus a reading device, whereby the customer is identified positively at the so called point of entry, with the card reader which is coupled to the computer. Since the encrypted data is stored inside the reading device and the latter is accessed off-line, there is no risk of unauthorised persons coming in contact with the data.

The Smart Card Reader uniquely identifies you as the Card member by connecting to your PC's serial or Universal Serial Bus (USB) port, depending on which Reader you choose. The same Reader will also be able to load new applications to the Smart Chip as technology is developed in the near future.

Readers currently allow you to take advantage of a higher level of security when shopping on the Internet. Using the Smart Chip, you can protect your Card information when shopping online by using a secure, temporary transaction number instead of your actual Card account number. If you choose to have a Smart Card Reader installed on your PC, you can "lock" access to Private Payments, so only you can use it to shop online from your PC. The Smart Chips hold a unique certificate of authenticity that is read by your Smart Card Reader. This certificate identifies you to Private Payments and helps ensure that you and you alone have access on your PC.

Store your Certificates on a physical card or USB token! Smart cards or tokens allow you to take your Verisign certificate with you. As well as being portable, smart cards and tokens enhance security as they, and hence the certificate, can be securely stored (e.g. locked in a safe) rather than just being left installed on an individual PC.

Verisign Australia Gatekeeper Digital Certificate Smartcard USB Token and Reader - purchase

Health Service Cards

see section on that topic

Payment Cards

Smart card based credit cards work along similar lines to the traditional credit cards with magnetic strips. However they possess greatly improved security against credit card fraud. For this reason, smart card based credit cards are set to replace magnetic strip based cards in future, since the former type is technically superior. The USA is the country in which the credit card is the most widespread, however the smart card is virtually unknown.

Smart cards provide banks with very high security; enabling additional services such as e-purse and Internet payment as well as a credit or debit facility, allowing secure access to e-commerce and online transactions.

Ironically, CNP (card not present) fraud is on the increase because of the advent of EMV smart cards – a technology that was introduced to tackle counterfeit fraud. The major advantage of smart cards is the increased security they provide. The chip technology uses sophisticated processing techniques to identify authentic cards and make counterfeiting extremely difficult and expensive. Combining this with a PIN is a proven system for combating fraud as it provides the two-factor authentication of ‘something you have’ (the smart card) and ‘something you know’ (the PIN). This makes the probability of fraudulent transactions taking place in an ordinary retail environment extremely low.

By making cardholder present fraud so difficult through the introduction of smart cards, it is predicted that CNP fraud will increase further, along with other forms of fraud such as advanced internet fraud techniques like phishing. At the same time, levels of e-Commerce and internet banking continue to rise and more and more transactions are performed without the physical presence of the user or card.

Airline Passenger Ticketing

Electronic Ticketing is a radical step towards introducing new processes that will help to relieve airport congestion. However to be successful, these must be aligned with common airport practices and technology. Smart card technology can play a part in this process provided that all parties in the chain are integrated. Contactless smart cards can be used for passenger tracking, boarding passes, access cards, loyalty functions at airports and airlines.

Smartcard Student Campus Cards

see section on that topic

Automobile Vehicle Access

Around the world, more than 100 million transponder-based keys are protecting vehicles against car theft using immobilizer technology. Since they were first introduced to the market, car immobilization systems have helped reduce car theft by more than 90%. 

The transponder is embedded into the car key. It is powered by the RF field generated by the reader in the car, so does not require a battery in the key. The transponder sends an authorization code to the car's RFID reader which will immobilize the car if it does not find or does not accept the transmitted authorization code.

However, the transponder's future is not limited to immobilizer security. In addition to providing authorization for Remote Keyless Entry and Passive Entry/Keyless Go systems, future transponders will hold additional information such as the driver's preferred seat and steering position, in-car temperature and entertainment requirements.

Philips transponder-based immobilizers

Passports and Entry Visas

see section on that topic

ID Cards

see section on that topic

Tourism Attraction Daily Pass Smart Cards

02/05 - Smart Destinations, a provider of all-inclusive unlimited admission attraction passes in top U.S. travel destinations, has announced its newest offering: the Go Chicago Card, available to people interested in Chicago tourism with over 20 top Chicago attractions participating.

The Go Chicago Card will be available for an introductory price starting at $39.00 for a one-day pass. 1, 2, 3, 5 and 7-day passes are available.

It provides visitors with an easy way to explore the city and to move freely from attraction to attraction without worrying about the cost of admission fees. People actually do and see more because it’s easy.

The Go Chicago Card is a single, easy-to-carry smart card used as a ticket for unlimited admissions to Chicago attractions that eliminates paperwork and coupons.

 

 