Glossary of smart card terms
The organization (usually a merchant) which accepts a card (e.g. in payment).
ACB (Automated Clearing Bureau)
ACH (Automated Clearing House)
An organization that facilitates the electronic movement of money between parties. ACH is also used as a verb describing the movement of money.
The bank which processes a merchant's transactions and passes them into the clearing system.
A mathematical routine used to perform computations (often used for cryptography).
The program within a smart card which governs its external functions.
A card feature which protects the contents of memory if the card is removed before the end of the transaction.
ATM (Automated Teller Machine)
A device that can be placed in a public place allowing cardholders to conduct basic banking operations including cash withdrawal.
ATR (Answer To Reset)
The data sent by a card to the reader when the card is first powered up.
The process whereby a card, terminal or person proves who they are. A fundamental part of many cryptography systems.
The procedure used to authenticate the external world (e.g. terminal) to the card.
The procedure used to prove that the card is genuine by means of an algorithm, a random value and a secret key.
The authentication process can be further distinguished between passive authentication in which the same values are used each time (e.g. PIN) and active authentication in which an algorithm and variable values are used.
The process of granting permission for some action to be taken. The most common usage is relative to the authorisation of financial transactions. An authorisation service provider determines if a requested transaction may be completed. The process of granting access (read, write, update) to a file on a card as a result of correctly presenting the Secret Code(s).
A financial institution that processes and validates transaction requests for its cardholders.
Authorisation Service Provider
Any entity that is authorises requested monetary transactions, for example, stored value, credit, debit or ATM transactions. This could be a financial network or an individual financial institution.
Authentication techniques based on the physical characteristics of a person such as fingerprints, hand geometry, retina scan or voice print.
A fundamental unit of information having just two possible values, as either of the binary digits 0 or 1.
Used mainly in computer related terms. A blend of b(inary), and (dig)it.
CA (Certificate Authority)
The organization that issues certificates and takes liability associated with the validity of the holder's identity. These are often financial and institutional organizations.
See: Certificate, SSL, PKI, Registration Authority.
Generally the person to whom a nominative card is issued. The cardholder is usually the customer associated with the primary account (notably for bank cards).
CEPS (Common Electronic Purse Standard)
Designed as a standard for the many different e-purse systems worldwide to work together. Interoperability among these systems is vital and critical to the future success of the e-purse system.
A file, digitally signed by a Certification Authority. There are many different types of certificates (the most common being X.509 V3).
A form of authentication in which the system seeking authentication sends out a random "challenge". The object (e.g. the card or terminal) being authenticated performs a calculation on the challenge and responds with a result, from which the challenger can ascertain the authenticity or otherwise of the object. This method of authentication is much more secure than a simple password or other unvarying response.
A card which embodies a "chip" (an integrated circuit). Also commonly known as a smart card, but the term "chip card" is often used to include those types of card which are not really "smart", such as memory cards.
A smart card that combines both contact and contactless technology. This kind of card is great for supporting multiple functionality.
Contact Smart Card
A smart card that requires physical contact with a card reading device to exchange data.
Contactless Smart Card
A smart card that transmits and receives data using radio frequency (RF) technology; does not require physical contact with a card reading device.
Definition 1: The analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext.
Definition 2: Operations performed in converting encrypted messages to plain text without initial knowledge of the crypto-algorithm and/or key employed in the encryption.
Cryptographic Hash Function
See: Hash, SHA-1.
The result of a cryptographic operation.
The science of ensuring that messages are secure. Cryptographic systems are based on the concepts of authentication, integrity, confidentiality and non-repudiation.
See: Public Key, Secret Key, DES, RSA.
See: PKCS #11.
The science of codes and ciphers (used in encryption).
A processor optimized for cryptographic functions (e.g. variable-length arithmetic, modular exponentiation or DES encryption).
DES (Data Encryption Standard)
A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.
This is the most widely used secret key encryption algorithm (56-bit key). A strengthened version of DES called triple DES (or 3DES) is commonly used in bank cards.
See: Secret Key.
A digital signature (not to be confused with a digital certificate) is an electronic rather than a written signature that can be used by someone to authenticate the identity of the sender of a message.
See: Certificate, RSA.
Digital Signature Standard (DSS)
DSS is based on a type of public-key encryption method that uses the Digital Signature Algorithm (DSA). DSS is the format for digital signatures that has been endorsed by the U.S. government. The DSA algorithm consists of a private key, known only by the originator of the document (the signer), and a public key.
e-Cash (Electronic Cash)
Digital money, typically in the form of downloadable "digital coins" that can be stored in a bank account, on a PC or on a smartcard.
e-Purse (Electronic Purse)
A card which stores value in the form of digital cash. An electronic purse is normally issued by a bank and the value it holds is the strict counterpart of legal tender.
See: Stored Value Card.
e-Wallet (Electronic Wallet)
e-Wallets are generally used for low-value transactions.
EFT (Electronic Funds Transfer)
The electronic exchange of information between financial institutions, resulting in debits and credits.
EMV (Europay - Mastercard - Visa)
The Europay-Mastercard-Visa specifications for chip-based payment cards. Set of specifications defining the main structures for an international debit/credit smartcard. EMV part 1 corresponds with (and generally conforms with) ISO 7816 parts 1-5; the other parts of this specification cover the details of a standard credit/debit application and the requirements for terminals.
A cryptographic procedure whereby a legible message is encrypted and made illegible to all but the holder of the appropriate cryptographic key.
See: Cryptography, Key.
EPOS (Electronic Point Of Sale)
A networked and programmable electronic till (terminal).
Hardware Security Module (HSM)
The system within a smart card infrastructure that securely manages the encryption and transmission of data.
A smart card with both magnetic stripe and smart card technology. This kind of card is really useful for bridging between the two technologies.
Guarantee that a message has not been modified in transit. Integrity is an essential role of cryptography systems.
ISO (International Standards Organization)
The main international standards organization. ISO works to ensure that chip makers, software developers and smartcard companies comply with the same specifications.
Standards for the smartcard industry include:
- ISO/IEC 7816-1:1998 Physical Characteristics of IC cards.
- ISO/IEC 7816-2:1999 Position of Module and Contacts on IC cards.
- ISO/IEC 7816-3:1997 Exchange protocol with IC cards (i.e., communication between readers and cards).
- ISO/IEC 7816-4:1995 Command set for microprocessor cards.
- ISO/IEC 7816-5:1994 Numbering system and registration procedure for application identifiers.
- ISO/IEC 7816-6:1996 Inter-industry data elements.
- ISO/IEC 7816-7:1999 Inter-industry commands for Structured Card Query Language (SCQL).
- ISO/IEC DIS 7816-8 Security related inter-industry commands.
- ISO/IEC DIS 7816-9 Additional inter-industry commands and security attributes.
- ISO/IEC DIS 7816-10 Electronic signals and answer to reset for synchronous cards.
- ISO 14443 Proximity cards (contactless).
ISO 8583 (EMV Additional Fields)
One of the most widely used host protocol to transmit transaction details from a POS terminal to a host authorisation system is the ISO 85. The EMV specifications do not include how to communicate across this critical link. ISO 8583 is a bit map protocol and includes various discretionary fields that can be utilized to carry additional data within a transaction message.
A network-oriented programming language invented by Sun Microsystems. Java was specifically designed so that programs could be safely downloaded to remote devices (e.g. web pages, smartcards, etc.).
See: Java Card, Open OS.
A set of specifications for running a subset of Java on a smartcard.
See: Java, Open OS.
JCF (Java Card Forum)
An industry association devoted to the advancement of the Java Card specifications to serve the markets for Java card.
JCRE (Java Card Runtime Environment)
The runtime environment under which a Java Card executes. The JCRE is in charge of all the management operations, like loading and initializing the applications. It also keeps track of the current state of the card.
A distributed-computing product for the consumer market. The system enables devices that use Java to communicate and work with each other.
JVM (Java Virtual Machine)
An area (or dedicated hardware) on a remote computing device on which Java applets can be run. Most major Internet browsers have a JVM.
A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt, decrypt or sign data. The longer the key, the more secure the encryption.
See: Public Key, Secret Key, Cryptography.
Key Escrow (Trusted Third Party)
The system of giving a piece of a key to each of a certain number of trustees such that the key can be recovered with the collaboration of all the trustees, which can be revealed only upon court order.
See: Public Key.
Life Cycle Management
The processes required to update and track multi-application dynamic smart cards after they have been distributed to cardholders. Refers to the management of multi-application cards from issuance through end of service life.
A promotional program in which points are credited to a cardholder's card for various reasons, determined by the vendor or merchant instituting the loyalty program. "Frequent shopper" is one type of loyalty program. The points can then be redeemed by the cardholder at the vendor/merchant for goods or services.
Mobile commerce, the systems that allow people to conduct transactions anywhere, anytime, typically refers to use of mobile phones and other portable devices to conduct a variety of transactions.
Set of data or functions that are permanently loaded into the chip on the smart-card.
A smartcard containing a memory chip with read/write capability only and in some cases hardwired security functions (some people do not consider memory cards as smartcards).
Multi-Application Smart Card
A microprocessor smart card - typically with lots of memory and computing power - with more than one application residing on it.
Multihost Based Auditing
Audit data from multiple hosts may be used to detect intrusions.
Two or more machines interconnected for communications.
Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.. Non-repudiation is an essential role of cryptography systems.
Memory chips that don't lose their data when power is switched off.
OCF (OpenCard Framework)
The framework that provides programmers with an interface for the development of smartcard applications in Java.
Open OS (Open Operating System)
An operating system that is not owned by a single card maker, such as Java Card or Windows Platform for Smart Cards.
A device that is capable of performing transactions (usually only debit or inquiry) locally at the device without any authorisation being required from a processing system, switch or other host. Typically refers to a device that does not support data communications.
A device is on-line when connected to a communications network. A point-of-sale device is an example of an on-line device.
On-line Device Collection
A function that transfers transactions, log files, and other pertinent data directly from on-line devices. It stores the collected data until it can be transferred to the processing system as part of the daily upload process. This function is invoked by either a call from the processing system or an entry in the scheduler.
A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
One or more bits appended to a message in order to ensure that it contains the required number of bits or bytes.
Process by which a smartcard is initialized, almost like a floppy disk, to contain information for a specific person. Graphical personalisation modifies the visual aspect of the card (holder's name, photograph). Digital personalisation modifies the information in the card's chip.
Personalisation Preparation Process (P3)
A software-based system that provides secure key management and data generation for the smart card issuance process.
PIN (Personal Identification Number)
The number or code that a cardholder must type in to confirm that he or she is the genuine cardholder.
PKCS (Public-Key Cryptography Standards)
Informal inter-vendor standards developed in 1991 under the impetus of RSA.
See: Public Key
PKI (Public Key Infrastructure)
The software and/or hardware components necessary to manage and enable the effective use of public key encryption technology, particularly on a large scale.
See: Public Key, Cryptography.
POS (Point Of Sale)
The physical location at which goods are sold to customers.
See: Point Of Sale Device.
Point Of Sale Device (POS Device)
A device used to capture purchase transactions at the point they occur (i.e. at the merchant location). The transaction may be immediately validated via a communications link to a financial institution network or may be recorded against a stored value card.
Post Issuance Management
A software-controlled process that allows the issuer to track cardholder activity such as the adding or deleting of applications from a smart card after it has been issued; also, the process used to replace lost or stolen smart cards.
A card permitting the holder to buy goods or services usually of a particular type up to the pre-paid value. Some pre-paid cards are reloadable, others are not.
Private Key Cryptography
An encryption methodology in which the encryptor and decryptor use the same key, which must be kept secret. This methodology is usually only used by a small group.
Contactless technology operating at a distance of approximately 10 cm.
See: Vicinity, Reading Distance.
A public key encryption algorithm is one in which one key is published and the other kept secret.
Public Key Cryptography
Type of cryptography in which the encryption process is publicly available and unprotected, but in which a part of the decryption key is protected so that only a party with knowledge of both parts of the decryption process can decrypt the cipher text.
The distance between the antenna of a reader and a tag over which the read function can be effectively performed.
See: Proximity, Vicinity.
The organization that receives individual users to verify their credentials prior to emission of a certificate.
See: CA, Public Key.
RFID (Radio Frequency Identification)
Automatic identification and data capture system comprising readers and tags. Data is transferred using modulated inductive or radiating electromagnetic carriers.
See: Tag, Reading Distance, Contactless Smart Card.
The most widely used public key encryption algorithm, named after its creators.
See: Public Key.
SAM (Security Access Module)
A dedicated microprocessor unit that conducts active authentication with a memory or microprocessor card.
Security modules are smart cards which provide cryptographic services at various points in a stored value network. They are designed to facilitate the secure distribution of secret keys and security-related functionality. Security modules are used to control the execution of transactions, create cryptographic signatures, generate authorisation certificates, and other security related requirements. The security functions are loaded as filters on security modules. Every device in the network requires a security module to enforce the security.
A cryptographic system that uses a single key for encrypting and signing data.
See: Public Key, DES.
A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon which performs a service for the requester, which often runs on a computer other than the one which the server runs.
Period of time between two card resets, or between power up and a power down.
SET (Secure Electronic Transaction)
MasterCard and Visa's protocol for sending encrypted credit card numbers over the Internet. The merchant never gets to know the customer's card number, thus limiting fraud.
SHA-1 (Secure Hash Algorithm Revsion 1)
A hash algorithm developed by the National Institute of Standards and Technology and the National Security Agency.
See: Certificate, Digital Signature.
A technique of adding a digital signature to an applet to prove that it came from a particular trusted author.
SIM (Subscriber Identification Module)
A smartcard for GSM systems holding the subscriber's ID number, security information and memory for a personal directory of numbers thus allowing him to call from any GSM device.
Single-Application Smart Card
A smart card issued by a single organization for a singular purpose.
Also called IC card, chip card or memory card (for certain types). A plastic card the size of a standard credit card with a chip (or module) embedded in a special cavity.
Smart Card Operating System
The software on a smart card that controls the operation of a card; manages the applications and provides services, such as secure segregation, memory management, input/output and access to cryptographic primitives.
See: SCW, Java Card.
SSL (Secure Sockets Layer)
A protocol designed by Netscape Communications to enable encrypted, authenticated communications across the Internet (e.g., sites beginning with https://).
See: Certificate, Cryptography.
A standard is a set of specifications defining the physical, electrical or logical properties of a device.
Stored Value Card
A card which is used to store value such as loyalty points or credit for canteen meals. In Europe, the term is used to denote a card which is issued and redeemed within a closed circuit, in contrast with an electronic purse, which can be used to buy goods and services in the open market. In the USA, the term "stored value card" is used more widely, and can denote an electronic purse.
Television-based commerce; systems that allow people to conduct business securely through Internet-enabled television.
See: e-Commerce, m-Commerce.
Term for a transponder commonly used by AIM. A contactless electronic device that can communicate with a reader by means of a radio frequency signal. A tag is not really a smartcard but rather a "smart device".
Any device that can communicate with a smartcard (e.g., reader, coupler). Certain terminals can operate in standalone mode, while others must be connected to a central information system to access an application.
TLS (Transport Layer Security)
The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. It is an extension of SSL.
An electronic transmitter/responder, commonly referred to as a Tag.
TTP (Trusted Third Party)
See: Key Escrow.
Contactless technology operating at a distance of approximately 50 cm.
See: Proximity, Reading Distance.
Visa Open Platform
A comprehensive system architecture allowing fast development of globally interoperable smartcard systems. (Open Platform is a variant of this architecture that is not restricted to the banking industry).
VLT (Value Load Terminal)
A kiosk-type device, at which a cardholder can transfer value to their smart card from their bank account.
WAN (Wide Area Network)
A physical or logical network that provides capabilities for a number of independent devices to communicate with each other over a common transmission-interconnected topology in geographic areas larger than those served by local area networks.
WPfSC (Windows Platform for Smart Cards)
Microsoft's operating system for smart cards.
See: Open OS.
The XOR algorithm is a very simple form of encryption that offers little protection against intrusion.