About Smart Cards : Frequently Asked Questions

Smart Card FAQ

What is a smart card?

A smart card is a device that includes an embedded integrated circuit that can be either a secure microcontroller or equivalent intelligence with internal memory or a memory chip alone. The card connects to a reader with direct physical contact or with a remote contactless radio frequency interface. With an embedded microcontroller, smart cards have the unique ability to store large amounts of data, carry out their own on-card functions (e.g., encryption and mutual authentication) and interact intelligently with a smart card reader. Smart card technology conforms to international standards (ISO/IEC 7816 and ISO/IEC 14443) and is available in a variety of form factors, including plastic cards, key fobs, watches, subscriber identification modules used in GSM mobile phones, and USB-based tokens.

For the purposes of this FAQ, “card” is used as the generic term to describe any device in which smart card technology is used.

What are the ISO/IEC 14443 and ISO/IEC 7816 standards?

ISO/IEC 14443 is the international standard for contactless smart chips and cards that operate (i.e., can be read from or written to) at a distance of less than 10 centimeters (4 inches). This standard operates at 13.56 MHz and includes specifications for the physical characteristics, radio frequency power and signal interface, initialization and anticollision protocols and transmission protocol.

ISO/IEC 7816 is the international standard for contact smart cards. ISO/IEC 7816 Parts 4 and above are used by both contact and contactless smart card applications for security operations and commands for interchange.

What is a contactless smart card?

A contactless smart card includes an embedded smart card secure microcontroller or equivalent intelligence, internal memory and a small antenna and communicates with a reader through a contactless radio frequency (RF) interface. Contactless smart card technology is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Example applications using contactless smart card technology include:

Contactless smart cards have the ability to securely manage, store and provide access to data on the card, perform on-card functions (e.g., encryption and mutual authentication) and interact intelligently with a contactless smart card reader. Contactless smart card technology and applications conform to international standards (ISO/IEC 14443 and ISO/IEC 7816). Contactless smart card technology is available in a variety of forms – in plastic cards, watches, key fobs, documents and other handheld devices (e.g., built into mobile phones).

How do contactless smart cards work?

Contactless smart card systems are closely related to contact smart card systems. As in a contact system, information is stored on a chip embedded within the contactless smart card. Unlike a contact smart card, however, the card draws its power and exchanges data with the reader without any physical contacts: the reader's magnetic or electromagnetic field both powers the card and carries the data in each direction.

The contactless smart card contains an antenna embedded within the plastic body of the card (or within a key fob, watch or other document). When the card is brought into the electromagnetic field of the reader, the chip in the card is powered on. Once the chip is powered on, a wireless communication protocol is initiated and established between the card and the reader for data transfer.

The following four functions describe at a high level the sequence of events that happen when a contactless smart card is brought near a card reader:

Hence, once the card is brought within range of an electromagnetic field of the required frequency, the card is powered up and ready to communicate with the reader. Since the contactless smart cards described in this FAQ are based on the ISO/IEC 14443 standard, this frequency is 13.56 MHz, and a reader that complies with the standard has an activation field (range) of about 4 inches (approximately 10 centimeters). In other words, the card needs to be within 10 centimeters of the reader to be powered; the effective range at which the card can actually be read, however, depends on a number of factors, such as the power of the reader, the antenna of the reader and the antenna of the card.
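The initialization and anticollision protocols that ISO/IEC 14443 specifies (mentioned under the standards question above) are what let a reader sort out several cards that are powered up in its field at the same time. The following Python is an added example, not code from this FAQ or from any vendor: it is a simplified simulation of the bit-oriented anticollision loop a Type A reader runs, in which cards answer with their UID bits, the reader detects the first bit position where answers disagree, and it explores both branches until each UID has been singled out and selected. Framing, CRCs, cascade levels, timing and the standard's bit ordering are omitted, the `FieldCard` class and its `halted` flag are modelling conveniences, and the UIDs are constructed sample values.

```python
# Added example, not from the FAQ: simplified ISO/IEC 14443 Type A anticollision.
# Each card answers with its UID bits while the prefix the reader sends matches;
# where two cards disagree the reader sees a collision and walks both branches.
from typing import List, Optional, Set

UID_BITS = 32  # single-size UID, one cascade level (constructed simplification)


def bits_of(uid: int) -> List[int]:
    """UID as a list of bits, most significant first (bit order simplified)."""
    return [(uid >> (UID_BITS - 1 - i)) & 1 for i in range(UID_BITS)]


class FieldCard:
    """A card in the reader's field; it only answers while its UID matches the prefix sent."""

    def __init__(self, uid: int):
        self.uid = uid
        self.halted = False  # set after SELECT + HLTA so the card stays quiet afterwards

    def answer(self, prefix: List[int]) -> Optional[List[int]]:
        if self.halted:
            return None
        mine = bits_of(self.uid)
        if mine[: len(prefix)] != prefix:
            return None
        return mine[len(prefix):]  # remaining UID bits


def field_response(cards: List[FieldCard], prefix: List[int]) -> Optional[List[Set[int]]]:
    """What the reader's receiver sees: for each remaining bit position, the set of
    values transmitted simultaneously. A set of size 2 is a collision."""
    answers = [a for a in (c.answer(prefix) for c in cards) if a is not None]
    if not answers:
        return None
    return [{bits[i] for bits in answers} for i in range(UID_BITS - len(prefix))]


def anticollision(cards: List[FieldCard]) -> List[int]:
    """Reader side: enumerate every UID in the field by walking the collision tree."""
    found: List[int] = []
    pending: List[List[int]] = [[]]  # known-bit prefixes still to resolve
    while pending:
        prefix = pending.pop()
        resp = field_response(cards, prefix)
        if resp is None:
            continue
        collision = next((i for i, seen in enumerate(resp) if len(seen) > 1), None)
        if collision is None:
            # exactly one card answered: its UID is complete, SELECT it and halt it
            uid_bits = prefix + [next(iter(seen)) for seen in resp]
            uid = int("".join(map(str, uid_bits)), 2)
            found.append(uid)
            for card in cards:
                if card.uid == uid:
                    card.halted = True
        else:
            # keep the bits that were unanimous up to the collision, then try both values
            known = prefix + [next(iter(seen)) for seen in resp[:collision]]
            pending.append(known + [0])
            pending.append(known + [1])
    return found


if __name__ == "__main__":
    in_field = [FieldCard(0x04A1B2C3), FieldCard(0x04A1B2C7), FieldCard(0x12345678)]
    for uid in anticollision(in_field):
        print(f"selected UID {uid:08X}")
```

Running the block with the three sample cards resolves all three UIDs after two collisions: one at the bit where 0x04... and 0x12... first differ, and one deep in the UID where the two 0x04A1B2C... cards differ. The number of loop iterations grows with the number of cards and with how many leading bits they share, which is why a reader's anticollision time is noticeably longer with a wallet full of cards than with one.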

What is contactless payment?

Contactless payment changes the way a debit or credit payment is handled at the point of purchase. A contactless payment transaction requires little to no physical connection between the card and the checkout device. Instead of "swiping" or "inserting" a card, the contactless card or fob is tapped on, or held within an inch of, a machine that reads the card, and the payment information is sent to the merchant wirelessly. Contactless credit and debit cards include a smart card chip.

In the U.S., contactless credit or debit cards or small keychain devices are being issued by a number of financial issuers (American Express, Chase, MBNA, Citibank, HSBC Bank, Keybank, Wells Fargo, Citizens Bank). For additional information on contactless payment, see the Smart Card Alliance Contactless Payments Resources.

How do smart cards help to protect privacy?

Smart cards offer a number of features that can be used to provide or enhance privacy protection in systems. The following is a brief description of some of these features and how they can be used to protect privacy.

Why are smart cards better than other ID token technologies?

Smart cards are widely acknowledged as one of the most secure and reliable forms of an electronic identification (ID) token. A smart card includes an embedded integrated circuit chip that can be either a microcontroller chip with internal memory or a secured memory chip alone. The card communicates with a reader either through direct physical contact or with a remote contactless electromagnetic field that energizes the chip and transfers data between the card and the reader. With an embedded microcontroller, smart cards have the unique ability to store large amounts of data, carry out their own on-card functions (e.g., data storage and management, encryption, decryption, and digital signature calculations) and interact intelligently with a smart card reader.

A smart card ID can combine several ID technologies, including the embedded chip, visual security markings, magnetic stripe, barcode and/or an optical stripe. By combining these various technologies into a smart card ID token, the resulting ID can support both future and legacy physical and logical access applications. They can also support other applications that have traditionally required separate ID processes and tokens.

How can smart cards be used to help assure privacy in a biometrics-based system?

Biometrics are used in many new identity management systems to improve the accuracy of identifying individuals.

Smart cards provide a highly effective mechanism to protect the privacy of an individual who is required to use a biometric identity system.

In a non-smart-card-based application, the password or PIN and biometric would be stored in an online database outside the control of the individual and the biometric information would be captured and passed to an application for matching.
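ISO/IEC 7816-4, referred to under the standards question above, defines the command and response APDUs through which a reader talks to the card, and its VERIFY instruction (INS 0x20) is how a PIN presented by the cardholder is checked on the card itself rather than in an online database. The following Python is an added example, not code from this FAQ or from any card vendor: it models short-form command and response APDUs and a simulated card that implements VERIFY. The reference PIN is stored and compared on the card, and only a status word ever leaves the chip (9000 on success, 63Cx with x retries remaining, 6983 once the PIN is blocked); a match-on-card biometric template follows the same pattern. The `SimulatedCard` class, the sample PIN, the retry limit of three and the use of P2 = 00 for the single reference PIN are constructed for the example; real cards also handle extended-length APDUs and many further status words, which are left out.

```python
# Added example, not from the FAQ: short-form ISO/IEC 7816-4 command/response
# APDUs plus a simulated card handling VERIFY (INS 0x20) with a retry counter.
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

INS_VERIFY = 0x20             # ISO/IEC 7816-4 VERIFY instruction
SW_OK = 0x9000                # normal completion
SW_WRONG_LENGTH = 0x6700      # malformed command
SW_BLOCKED = 0x6983           # authentication method blocked
SW_INS_NOT_SUPPORTED = 0x6D00
SW_WRONG_P1P2 = 0x6A86


@dataclass
class CommandAPDU:
    """Header CLA INS P1 P2, optional Lc + data, optional Le (short form only)."""
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None

    def to_bytes(self) -> bytes:
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data  # Lc + data (1..255 bytes)
        if self.le is not None:
            out += bytes([self.le & 0xFF])              # Le (0x00 means 256)
        return out

    @classmethod
    def parse(cls, raw: bytes) -> "CommandAPDU":
        if len(raw) < 4:
            raise ValueError("APDU needs a 4-byte header")
        cla, ins, p1, p2 = raw[:4]
        body = raw[4:]
        if not body:                                    # case 1: header only
            return cls(cla, ins, p1, p2)
        if len(body) == 1:                              # case 2: Le only
            return cls(cla, ins, p1, p2, le=body[0])
        lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
        if lc == 0 or len(data) != lc or len(rest) > 1:
            raise ValueError("Lc/data/Le mismatch")
        return cls(cla, ins, p1, p2, data, le=rest[0] if rest else None)  # case 3 / 4


def encode_response(data: bytes, sw: int) -> bytes:
    """Response APDU = optional data followed by the two status bytes SW1 SW2."""
    return data + bytes([sw >> 8, sw & 0xFF])


def decode_response(raw: bytes) -> Tuple[bytes, int]:
    if len(raw) < 2:
        raise ValueError("response needs SW1 SW2")
    return raw[:-2], (raw[-2] << 8) | raw[-1]


class SimulatedCard:
    """Toy card: the reference PIN never leaves the chip; only a status word does."""
    MAX_TRIES = 3  # constructed retry limit

    def __init__(self, pin: bytes):
        self._pin = pin  # constructed sample secret, stays on-card
        self._tries_left = self.MAX_TRIES
        self.pin_verified = False

    def process(self, raw: bytes) -> bytes:
        try:
            cmd = CommandAPDU.parse(raw)
        except ValueError:
            return encode_response(b"", SW_WRONG_LENGTH)
        if cmd.ins != INS_VERIFY:
            return encode_response(b"", SW_INS_NOT_SUPPORTED)
        if cmd.p1 != 0x00:                              # P1 is 00 for VERIFY
            return encode_response(b"", SW_WRONG_P1P2)
        if self._tries_left == 0:
            return encode_response(b"", SW_BLOCKED)
        if hmac.compare_digest(cmd.data, self._pin):    # constant-time compare
            self._tries_left = self.MAX_TRIES
            self.pin_verified = True
            return encode_response(b"", SW_OK)
        self._tries_left -= 1
        self.pin_verified = False
        return encode_response(b"", 0x63C0 | self._tries_left)  # 63 Cx: x retries left


def verify_pin(card: SimulatedCard, pin: bytes, p2: int = 0x00) -> int:
    """Reader side: build and send VERIFY, return the status word the card answers."""
    cmd = CommandAPDU(cla=0x00, ins=INS_VERIFY, p1=0x00, p2=p2, data=pin)
    _, sw = decode_response(card.process(cmd.to_bytes()))
    return sw


if __name__ == "__main__":
    card = SimulatedCard(b"1234")
    for attempt in (b"0000", b"1234", b"9999", b"9999", b"9999", b"1234"):
        print(attempt.decode(), hex(verify_pin(card, attempt)))
```

The retry counter is what makes on-card verification resistant to guessing: after three wrong PINs the card answers 6983 even to the correct PIN until it is unblocked, and the reader only ever learns the count, never the reference value. A database-side check cannot enforce that limit at the point where the secret is stored.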

What is an RFID tag?

Radio frequency identification (RFID) tags are used in a wide range of applications, such as identifying animals, tracking goods through the supply chain, tracking assets such as gas bottles and beer kegs, and controlling access into buildings. RFID tags include a chip that typically stores a static number (an ID) and an antenna that enables the chip to transmit the stored number to a reader. Some RFID tags contain read/write memory to store dynamic data. When the tag comes within range of the appropriate RF reader, the tag is powered by the reader's RF field and transmits its ID to the reader.

RFID tags are simple, low-cost and commonly disposable, although not always (reusable laundry tags are one exception). There is little to no security on the RFID tag or during communication with the reader. Any reader using the appropriate RF frequency (low frequency: 125/134 kHz; high frequency: 13.56 MHz; ultra-high frequency: 900 MHz) and protocol can get the RFID tag to communicate its contents. (Note that this is not true of car keys, which contain a secure RFID tag.) Passive RFID tags (i.e., those not containing a battery) can be read from distances of several inches (centimeters) to many yards (meters), depending on the frequency and strength of the RF field used with the particular tag. RFID tags have common characteristics, including:

Is contactless smart card technology the same as RFID technology?

No. There is significant confusion in discussions of RF-enabled applications, with contactless smart card technology often incorrectly categorized as "RFID." There is a wide range of RF technologies used for a variety of applications, each with different operational parameters, frequencies, read ranges and capabilities to support security and privacy features. For example, the RFID technologies that are used to add value in manufacturing, shipping and object-related tracking operate over long ranges (e.g., 25 feet), were designed for that purpose alone and have minimal built-in support for security and privacy. Contactless smart cards, on the other hand, use RF technology but, by design, operate at a short range (less than 4 inches) and can support the equivalent security capabilities of a contact smart card chip.

What security capabilities do contactless smart cards support?

Contactless smart cards use RF technology, but, by design, operate at a short range (less than 4 inches) and can support the equivalent security capabilities of a contact smart card chip (see below). Contactless smart cards and readers conform to international standards, ISO/IEC 14443 and ISO/IEC 7816, and can implement a variety of industry-standard cryptographic protocols (e.g., AES, 3DES, RSA, ECC).

The contactless smart chip includes a smart card secure microcontroller and internal memory and has unique attributes RFID tags lack – i.e., the ability to securely manage, store and provide access to data on the card, perform complex functions (for example, encryption and mutual authentication) and interact intelligently via RF with a contactless reader. Applications using contactless smart cards support many security features that ensure the integrity, confidentiality and privacy of information stored or transmitted, including the following:

It is important to note that information privacy and security must be designed into an application at the system level by the organization issuing the contactless device, card or document. It is critical that issuing organizations have the appropriate policies in place to support the security and privacy requirements of the application being deployed and then implement the appropriate technology that delivers those features. The ability of contactless smart card technology to support a wide array of security features provides organizations with the flexibility to implement the level of security that is commensurate with the risk expected in the application.
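The mutual authentication mentioned in the section above is the capability that most clearly separates a contactless smart card from an RFID tag: neither side will talk to the other until each has proved it holds the right key. The exchange below is an added example, not code from this FAQ or from any card vendor. It is a constructed challenge-response protocol in which the card issues a random challenge, the reader answers with a MAC over both nonces, and the card replies with its own MAC only after the reader's proof checks out. Because both sides contribute a fresh nonce, a recorded exchange cannot be replayed, a cloned card that knows the UID but not the key fails, and a reader without the issuer key gets nothing from the card. HMAC-SHA256 from Python's standard library stands in for the AES or 3DES MACs real cards use, and deriving each card's key from an issuer master key and the card UID (key diversification, so that a key extracted from one card does not open the whole fleet) is an added design choice that the FAQ does not describe; the UIDs and keys are sample values.

```python
# Added example, not from the FAQ: constructed challenge-response mutual
# authentication between a reader and a contactless card over a shared per-card key.
import hashlib
import hmac
import os
from typing import Optional, Tuple


def mac(key: bytes, *parts: bytes) -> bytes:
    """16-byte tag over the concatenated parts (truncated HMAC-SHA256; stands in for AES-CMAC)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


def diversify(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key from the issuer master key and the card UID (key diversification)."""
    return hmac.new(master_key, b"DIV" + uid, hashlib.sha256).digest()


class Card:
    """Card side: holds its UID and personalised key; the key never leaves the chip."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key
        self._nonce: Optional[bytes] = None
        self.authenticated = False

    def get_challenge(self) -> Tuple[bytes, bytes]:
        """Step 1: fresh random challenge; any earlier session state is dropped."""
        self._nonce = os.urandom(8)
        self.authenticated = False
        return self.uid, self._nonce

    def external_authenticate(self, reader_nonce: bytes, reader_tag: bytes) -> Optional[bytes]:
        """Step 3: verify the reader's proof; only then answer with the card's own proof."""
        if self._nonce is None:
            return None
        card_nonce, self._nonce = self._nonce, None  # challenge is single-use
        expected = mac(self._key, b"RDR", self.uid, card_nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_tag):
            return None
        self.authenticated = True
        return mac(self._key, b"CRD", self.uid, reader_nonce, card_nonce)


class Reader:
    """Reader side: holds the issuer master key and derives each card's key on the fly."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def authenticate(self, card: Card) -> bool:
        uid, card_nonce = card.get_challenge()                       # step 1
        key = diversify(self._master_key, uid)
        reader_nonce = os.urandom(8)
        reader_tag = mac(key, b"RDR", uid, card_nonce, reader_nonce)  # step 2
        card_tag = card.external_authenticate(reader_nonce, reader_tag)
        if card_tag is None:
            return False
        expected = mac(key, b"CRD", uid, reader_nonce, card_nonce)    # step 4
        return hmac.compare_digest(card_tag, expected)


def issue_card(master_key: bytes, uid: bytes) -> Card:
    """Personalisation: write the diversified key into a card with this UID."""
    return Card(uid, diversify(master_key, uid))


if __name__ == "__main__":
    MASTER = b"constructed-issuer-master-key"  # sample value, not a real key
    reader = Reader(MASTER)
    genuine = issue_card(MASTER, bytes.fromhex("04A1B2C3D4E5F6"))
    clone = Card(genuine.uid, b"wrong-key")  # same UID, no key
    print("genuine card:", reader.authenticate(genuine))
    print("cloned UID:  ", reader.authenticate(clone))
    print("rogue reader:", Reader(b"other-master").authenticate(genuine))
```

The domain separators `RDR` and `CRD` keep the reader's proof and the card's proof from being interchangeable, and the card discards its challenge after one use so a captured reader tag is rejected on the next session. That is the property the section above is pointing at: a plain RFID tag answers any reader that asks, whereas a card running this kind of protocol reveals nothing beyond its UID to a reader that cannot prove it holds the key.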