A smart card is a small computer usually about the size of a business card. While it can come in any number of colors, embedded inside the card is at least one integrated circuit chip with some apps and space for memory. On the front, there is a circular metallic contact point by which it hooks up to a network and gets powered. At the moment, this computer does not include a terminal display, keyboard, or battery – but these details might change in the future. In this blog post we’ll give a detailed explanation on what smart cards are, how they work and what they can be used for.
Table of Contents
Who made the first smart card?
The smart card originated as a marriage of convenience between the popular credit card shape with the vast technical possibilities of an integrated chip.
The magnetic strip verification embedded into earlier credit cards were introduced by IBM in the early 1960s with the silicone chip itself invented in 1959.
A decade later, the rush of patent activity on what would become today’s smart card kicked off. In 1970, Kunitaka Arimura of Japan filed a patent for the concept of integrating a chip into a smart card followed by IBM filing its patent on the “Information Card” in 1971. In 1974, Roland Moreno of France filed a patent for a card with an embedded chip, later called the “Smart Card.” Honeywell Bull developed the first microprocessor card with two chips in 1977. By 1980, this company alone had 1,200 patents related to smart cards.
The first mass use of the new technology was in 1983 as payment cards for a French telephone network.
Standards for SIM cards were developed by the European Telecommunications Standards Institute. The cards were first produced by the Munich Giesecke & Devrient and sold to the Finish Radiolinja network operator in 1991. They are the most common type of smart card in use today.
EMV chips, the first unified technical specifications for smart cards were published by Europay, Mastercard, and Visa in 1995. Barclay and Orange launched the first contactless smart card that enabled users to merely tap the card against a reader in 2010.
How big is the global smart card market?
The total global market for smart cards – as defined by having an embedded chip with apps and memory – was estimated to be about 9.5 billion units in 2021 by EuroSmart, the digital security association.
Just over half of these smart cards, 4.9 billion units, were in Subscriber Identification Modules, better known as the SIM cards used in mobile phones. The second largest segment of smart cards, 34.2%, are used in the financial services sector. These 3.2 billion units go to market as credit, debit, and payment cards.
The public sector – government and health took a smaller – but still significant share – of just over 5% of the total or 490 million units. Smart cards are typically used for eIDs, health cards, and e-passports.
Equipment manufacturers also took a 5% share of smart cards are now directly incorporated into phones and wearable devices without a SIM application. Additional segments using smart cards included transport (2%) for parking and mass transit cards and other uses such as the Internet of Things(1%).
Are there physical size limits for smart cards?
Theoretically no, but practically yes. Smart cards can be made in a wide variety of shapes and sizes given their common elements of a chip, contact point, and often an antenna. However, they are almost exclusively made in two groups of standardized sizes.
SIM cards, which are technically considered smart cards, usually come in one of four standardized sizes. The largest is the full business-card sized SIM (formally called a 1FF), followed by the mini-SIM (2FF), the micro-SIM (3FF), and the nano-SIM (4FF). In addition, SIM cards can now be directly embedded into a device.
Apart from SIM cards, most smart cards come in the ID-1 size. This is defined by the ISO/IEC 7810 standard as being 85.60 mm × 53.98 mm with a thickness of 0.76 mm. This is a familiar size as ID-1 is also the standard used by most countries for driver’s licenses and ID cards.
What are the differences between a traditional payment card and a smart card
Traditional payment cards had raised account numbers on the front of the card and held static account information in an embedded magnetic strip. Unfortunately, this data was vulnerable to being read and copied onto other cards. The computer chip in a smart card, on the other hand, enables it to hold encrypted information and dynamic records of individual account operations – making the card both more useful and more secure. In addition, over two out of three smart cards can now make contactless transactions without having to be physically inserted into a card reader.
What is inside a smart card?
The typical smart card is much more complex than it appears – and can be constructed in multiple ways. Typically, a smart card has three basic physical elements – the chips, the contact point, and the antenna.
What are the differences between chips in a smart card?
There are basically two types of integrated chips embedded in a smart card – memory and microcontroller. Memory chips work like a typical USB memory stick. Similar to the chip built into your passport, this can hold data, photos, tokens, and even be used for facial, iris, or fingerprint recognition. Microcontroller chips (MCU) are where the real action is. Powered via the contact point, the MCU functions as a tiny computer with its own operating system, apps, and secure storage systems.
Within these two basic chip categories, there are a number of additional variations – just like there in a home computer. These variable items include memory capacity, type of operating system, and encryption protocols.
Are smart cards more secure than traditional payment cards?
Smart cards are far more secure than traditional magstripe payment cards – and they can do a lot more than just remember your account data.
The computer chip in a smart card enables it to hold encrypted information and and dynamic records of individual transactions or operations. This makes a smart card both more secure and far more useful to both the end user and the organization issuing it.
Payment cards used to have embossed account numbers on the front and fixed data about you in the magnetic strip embedded on the back. These strips are vulnerable to being read by “skimmers” when the card is inserted into a card reader or ATM and the stolen account data used in a variety of criminal schemes
Chips provide the security
The two types of integrated chips embedded into smart cards – memory and microcontroller – provide security far beyond what a historical payment card can provide.
At the basic level, memory chips work like a USB stick with a limited memory capacity. This can be protected by security options such as a password or PIN code. But once this security gateway has been passed, the data can potentially be copied off the card.
Microcontroller chips (MCU) work with your data – not just remember it. The combination of a MCU with the smart card’s contact point creates a small computer with its own operating system, apps, hard disk, and – quite importantly – hard-wired security. MCU applets, essentially small apps, enable the card to authenticate itself to other devices and IT equipment. They generate the private and public keys needed for asymmetric encryption. In addition, the applet contains secure storage from which these newly generated private keys can’t be removed or copied.
Antennas boost your security
Over two thirds of new smart cards now come as contactless or with dual interface technology – and have an antenna integrated into them. The antenna is more than just convenience, this also means greater security as the card does not need to be physically inserted into a reader. This slashes exposure to skimmers, a piece of technology sometimes added by hackers to ATMs and fuel pumps to surreptitiously eavesdrop on account details and PIN codes.
Smart cards do secure PKI
Public key infrastructure or PKI is the basket of hardware, policies, processes, and software needed to work with today’s most secure encryption options. Some of these security elements include digital certificates, authentication, and public and private keys. Smart cards, because of their ability to securely generate keys and provide asymmetric encryption, are an integral part of many PKI packages.
Finance companies prefer smart cards
Finance companies have calculated that the risks from fraud are vastly greater from magnetic cards in comparison to smart cards. In America, payment card companies shifted liability and responsibility for card fraud over to merchants in 2015. If merchants use the older magnetic strip instead of the newly available chip capability, they are now responsible for any potential fraud from the transaction. It’s a strong incentive for merchants to use the most secure smart card option.
What does EMV have to do with smart cards?
EMV is basically a synonym for smart card. EMV stands for a set of payment methodologies and technical standards for smart cards, ATMs, and payment terminals. These standards cover cards that must be inserted into a reader and those using near-field communication technology. EVM payment cards also use several authentication technologies including PIN codes and digital signatures.
The term EMV originated from the first letter of the three companies that developed the original standards – Europay, Mastercard, and Visa – back in 1995. EMV has since developed into EMVCo, a privately held company owned by several major banks that develops and promotes these standards. An incredible 88.55% of all card transactions globally and 66.4% of all issued cards fall under the EMV umbrella.
Are smart cards fully developed and secure?
Standards for smart cards are continuing to be developed – and that is a good thing for your security. EVM’s initial set of standards have been updated several times since 1995 due to new technologies and the discovery of potential vulnerabilities. Some of these major updates have supported advances in contactless cards and Near Field Communication technologies. EMVCo, the company supporting EVM standards, regularly publishes new standards, reports on new technologies, and certifies both hardware and software for conformance to its security and operational standards.
Can a smart card be cloned?
In almost all most circumstances, a smart card cannot be copied or cloned like its magnetic card predecessor. There are some card formats such as an older type of MIFARE cards which have a UID or card serial number (CSN) which can be read and copied to another device such as a card or phone. Just remember, the secure storage part of a modern smart card with an MCU, the place where your private keys are kept, cannot be copied.
There are variations between chips – and differences in how they are wired
Just like computers vary in regards to their computing capacity, memory, and operating systems, so do the microcontroller chips embedded in smart cards. In addition, there are variations in cards are internally wired as dual interface/usage smart cards are set up for insertion in a contact card reader or with a contactless NFC reader. Hybrid smart cards have two chips, but interconnected wiring.
The contact pad
The gold-colored oval on the front of a smart card is the contact pad. It connects the embedded chip to the card reader, enabling the smart card to connect with a network and, also quite important, receive electrical power. The design of the contact pad is set out in the ISO/IEC 7810 and 7816 sets of standards which cover the pad’s shape, basic functionality, and communication protocols.
Thanks to the increasing popularity of contactless or dual interface smart cards, an antenna is now integrated into the majority of new cards. As part of Near Field Communication standards, the antenna enables the card to communicate when placed within 10 centimeters of a reader. Precise placement of the antenna and chips within the card can vary, making it important to not to punch holes through the card.
What are MIFARE cards
MIFARE is a trademark for a basket of contactless chips and smart card solutions owned by NXP Semiconductors. Within this basket, there are the basic memory-only cards and also smart cards with much more advanced encryption capabilities. MIFARE originated as a system for travel cards and was spun off from Philips Electronics in 2006. The older type of MIFARE cards have a UID or card serial number (CSN) which can be read and copied to another device such as a card or phone.
What are the main differences between card readers?
The two primary distinctions between card readers are whether they require the smart card to be physically inserted into the provided slot or if they are equipped for NFC where the smart card just needs to be within 10 cm of the reader. This is not an either/or distinction as many readers combine both NFC with a physical contact reader. A hybrid capability is important because NFC transactions do not require a PIN code so often the size or frequency of transactions is limited. For larger transactions – or when the weekly threshold has been crossed – a PIN or a direct insertion is needed.
All card readers – regardless of whether they are contactless or require the card be physically inserted – have two essential functions. First, the card reader enables the card to connect to a network in order to make the transaction – whether this is a financial purchase or simply allowing entry into a secured building. Second, the card reader supplies the 3V or 1.8 volts of energy needed to power the computer chip built into the card.
Card readers can be as small as a SIM card
Some card readers are designed to take a smaller version of a smart card about the size of the classic phone SIM card. The card is inserted into the device and plugged it into the USB C port on a computer or laptop or even a lightning connector for use with mobile phones.
Card readers can be super secure – and convenient
Card readers can also be part of a secure authentication system. For example, the Yubikey, is a USB-connected device that generates a unique pass code every time the button is pressed. While a Yubikey is often seen as synonymous with the FIDO set of 2FA standards, this model also actually holds a chip for users with a smart card and works as a combined smart card reader as well as a smart card. The same goes with a Gemalto token– it is a physical USB token with room for a chip.
Card readers can go in your pocket
Card readers are also quite convenient like the butterfly reader which you can just close and carry it around with you, open and connect it to your machine via the USB.
Some readers go wireless with Bluetooth
Some readers use the Bluetooth wireless standard, freeing the user from directly connecting the device to their phone or computer. They can require the card be physically inserted, NFC only, or have both options together. The Certgate card reader, as an example, looks like a car key fob but uses Bluetooth with an encrypted channel communication where the chip is inside. It communicates with a PC or any other Bluetooth capable device.
Readers can be built into other technology
Card readers can also be built directly into components like a keyboard or laptop body. The Lenevo ThinkPad laptop, as an example, contains the TPM chip – trusted platform module – which means there is combined chip reader capacity built into the machine.