Secure and Practical Smart Card Applications 


Smart card technology is more than 30 years old. Two German inventors originally developed the card in 1967, but the first patent was granted in France in 1974. The first practical use of the card came in 1984 when the French telecom industry piloted a telephone card that was well received.

Today, smart cards are in widespread use in Asia and Europe. In the US, the use is growing, primarily as a prepayment service card. The common perception of a smart card is that it has an embedded chip. This type of card is just one among the three different smart card types. The other two types are memory cards and contactless cards. A discussion of the growth of smart cards and their potential applications in the accounting field, with emphasis on the controls and security aspects in handling the card, follows.

Types of Smart Cards

For a new technology to succeed, there should be a motivating force. In France, the telecom industry was experiencing significant loss of revenue due to fraud caused by lack of secure communications. The smart card provided the solution since it eliminated the need for a central database to do the verification whenever a card access was needed.

The smart card used in this application was the memory card.1 It is worth noting that one of the drawbacks of the familiar magnetic stripe card is that the cost of transaction processing outweighs the cost of goods and services if only a small monetary amount is involved. To overcome this difficulty, a stored-value card is used, since it minimizes the transaction-processing cost by carrying a monetary value directly in the card.

Adding security and reusability aspects to this type of card then leads to the smart card. The type of smart card described in the application above has an embedded memory, not in the magnetic stripe but in the card itself.

The cost of producing a smart card varies from about US $1 to nearly $30, whereas a magnetic stripe card costs as little as US $0.25 to produce.

Security is lax with regard to a magnetic stripe card since the device needed to change the content of the magnetic stripe is inexpensive and easy to obtain. On the other hand, a smart card provides much greater security since the chip embedded in the card is reprogrammable only with special card readers.

Further, the added memory in the smart card could be used to hold added information, such as the date of purchase, merchant ID, item purchased, amount, and an expense code for categories, including travel and supplies. At present there are no standards available for category codes, so this part of the card usage is specific to each organization. This is not a drawback. Since the card is programmable, the organization-specific codes can be stored on the card. The actual use of such codes will be for the organization's internal accounting and audit purposes.

Smart card technology uses the International Organization for Standardization's (ISO) 7816 standard, thus enabling wider acceptance.2 One drawback of smart cards is their dependence on an external power source to utilize the chip on the card. However, smart cards enjoy a lower processing cost than standard credit cards. Another advantage is that they limit the loss liability. It is easy to implement minimal levels of card validation in a smart card, unlike a standard magnetic stripe card. When a smart card is lost or stolen, one does not lose even the face value of the card at that time. This contrasts significantly with the loss of a credit card where the card could be used to charge up to the credit limit of the card. A smart card should be rechargeable to accept additional monetary value. For security purposes, the recharging should be limited to facilities such as banks or ATMs, where additional authentication of the user can be performed.

Three recent applications of this type of card are worth examining for their operational advantage and ease of use. Several US state governments are switching to smart cards for driver's licenses. One primary reason is that driver's licenses are becoming an important form of identification for individuals. Studies have repeatedly shown that lawbreakers possess, on average, two to six driver's licenses from the same state, each using a different identity.3 Using smart cards, governments can store electronic fingerprints, iris scans and the like and compare them every time a new driver's license is issued by any state that participates in the program. This method will help catch people trying to obtain multiple driver's licenses.

Utility companies have a difficult time dealing with delinquent customers. To overcome this problem, some utility commissions have authorized utilities such as gas and electricity to let customers use special meters that use smart cards. These smart cards carry a monetary value that the customer can add at ATM-like special devices.4 The goal of this smart card application is to let the customer control the utility expense, thereby avoiding the delinquency problem.

In addition to the US, several other countries are embracing the use of smart cards. For example, countries such as Canada, Australia, Finland, Saudi Arabia, Malaysia and Pakistan are currently exploring the use of smart cards as a national ID.

A chip card, which is more advanced than a memory card, carries more memory and programming capability.5 Memory capacities in the range of 8K to 64K are common. A single card can be used for multiple purposes. It can be used to interact with special devices in secure environments as a means of security authentication. The card has enough storage capacity to put personal and medical information on it.6 Before the information can be accessed, a sufficient authentication process, such as fingerprint validation, can take place to verify the identity of the person using the information stored within the card. Also, the cardholder may have to provide a four-digit security code, similar to the PINs used with ATM cards, for a two-level authentication. The card may have additional digits added to the security code, thus providing a security code longer than four digits. The idea behind the extra digits built into the card is to protect the card from being counterfeited. The additional digits should be encrypted in the card for added security.

Another security concern is the threat posed by existing employees. Several surveys have shown that one of the common types of fraud occurs from internal sources within an organization.7 Because the extra digits are built into the smart card, the cardholder cannot share the authorized security code with a counterfeited card. Another security aspect worth exploring is that the data captured by the card during any transaction are encrypted. Although the level of encryption can vary, the space limitation on the card allows only a simple encryption. This is preferable to no encryption at all.

It is a reasonable concern for people when they realize that sensitive information such as their health care history is on the smart card. Simple encryption methods available today could be used to encrypt the data so the information is not kept in plaintext form. One such health care application is planned in Germany where each citizen will be provided a chip card embedded with basic medical and insurance information.

From an acceptance perspective for smart cards, Europe and Asia are far ahead of the US. Within the last few years, two major trials were held in the US to see how the public would view smart cards. The Atlanta and New York trials did not show appreciable interest in the cards. Today, however, acceptance seems to be increasing in the US, as can be observed from the spate of advertisements to attract users to smart cards.

The third type of smart card is the contactless card.8 The growth of this card is directly related to improvements in wireless communications. By definition, a contactless card is used without inserting the card into a card reader, as the previous two types of cards require. The principal application planned for the contactless card is in the transportation industry, to collect tolls and fares from daily users of the system.9 Initially the contactless card was designed for use within a short distance from which a scanner could detect the card identity. This technology has improved significantly, whereby commuters can have the card attached to an automobile moving at speeds of around 60 mph and the scanner will be able to detect the card's identity.

Recently such cards were introduced in Japan for use in the railway system. These cards, known as SUICA (super urban intelligent card) cards, have been a tremendous success, with over 5.6 million cards in use today.10 Daily travelers need not scan the card using a card reader; they just pass by the usual gates where the card readers are attached and the readers sense the cards carried by the travelers in their wallets, briefcases or pockets. Monetary value has to be added to the SUICA cards using special ATM-like machines. Sony introduced these cards with a much wider application in mind.

Sony has also introduced a related service known as Edy (euro-dollar-yen) using a similar card. Edy lets the cardholders use the card in many other businesses, such as restaurants, using the same contactless feature. These contactless cards carry a monetary value that can be augmented using a web application without actually inserting the card in a special device. Since the card is issued to an individual, a lost or stolen card can be tracked. The current method of enforcing proper use of contactless cards in fast-moving vehicles is to capture the license plate information of the violators. The same method could be used when a contactless card is reported lost or stolen. Thus, if the card is stolen, it becomes useless since the card can be easily tracked. This provides the necessary security for the safe use of the contactless card.

Tables 1, 2 and 3 summarize the types of smart cards in use, their cost and the cost of smart card readers.

Table 1
Table 2
Table 3

Applications

The most common applications for the memory card concern prepayment services. Since a memory card has limited storage and processing capability and lacks the power source to run the system, it can be used only with devices that supply the necessary power. There are many types of devices that can accept a memory card, including the public telephone, a copier, a printer, a vending machine and a fare-collection machine in a public transportation terminal. When the memory card is used in these machines, no user authentication takes place. The card carries a limited value. Once the card is inserted for a product or service, the device has the capability to rewrite the new monetary value of the card after deducting the cost for the product or service provided. Likewise, the card can be replenished by adding monetary value to the card. No new device is needed for this purpose. This can be accomplished by using any of the aforementioned devices. The advantage of this approach is the ability of this card to limit the loss in the event of a lost or stolen card. No personal information is carried on the card. The biggest advantage for the consumer is the ability to use the same card in a variety of places, just like a credit card. In this context, it is worth noting that there are over five million credit card readers in the US, whereas there are only 13,000 smart card readers in the US.11

The following scenario could serve a dual purpose for added security: the memory card could be incorporated in a magnetic stripe card. This would facilitate funding the memory card by means of the user using the credit card with proper authentication. This can be accomplished at an ATM. In this way, the user would need to carry only one card instead of three.

The chip card provides greater authentication capabilities, but at this time it lacks adequate card readers. A new trend emerging will make it easy to have simple readers attached to personal computers. Microsoft has set the goal of equipping all PCs with card readers by 2005. Once these readers come into widespread use it will significantly enhance e-commerce.

The chip cards are excellent candidates for privacy cards. Personal information such as social security number, medical insurance information, type of coverage, and critical data like blood type and known allergies can all be incorporated in the device. These data can be differentially encrypted so that what a medical facility can view cannot be viewed by others for whom the data are not relevant. At the same time, it can speed up the data capture for medical facilities. The data can be password-protected, so users, at their discretion, can make the information embedded in the card available to potential providers in need of it. Medical providers will be the biggest beneficiaries of chip card technology because it will enable them to capture clean data. The rest of the details on the patient's coverage can be gleaned from his/her records. Both France and Germany have invested heavily in this area, and it is only a matter of time before others see the benefits of such cards and adopt them.

Another use for chip cards is in providing security. Many private sector companies are moving toward the use of smart cards for facility access and other company-related businesses. Multiple applications are possible because the chip cards have enough storage to hold identifying biometrics information like iris scan or fingerprint. In a secure environment, the chip card can then be used as an identity card.12 For example, frequent airline travelers can clear immigration formalities at the airports quickly, with a chip card. The speedy processing comes from the fact that the frequent traveler needs only to scan the chip card and provide a fingerprint or iris scan on the go. The system can match the two pieces of information and clear the traveler quickly. This is a big plus in Europe where there are many countries that need to identify the traveler. In the US, the Transportation Security Administration could use this for better identification, offering an incentive for frequent travelers to acquire a smart card for faster airport clearance.

Accounting Applications

A valuable corporate use for smart cards would involve employee identification and expense control. A card could identify an employee, and hence his/her department, so the card, when used as a credit card, would track expense by functional area. Then, when the card is used, the employee would key in a code indicating the type of expense (e.g., travel, meals, supplies) for tracking by this additional dimension. Each corporation could define its own expense coding system, or a business could adopt the XBRL schema to facilitate compatibility and interoperability. Periodically, the credit card issuer would send a file of charges for billing, and periodically each employee would swipe his/her card through a reader at a corporate office for uploading into the transaction history audit trail. These two data sets would be reconciled to detect any attempts at tampering.
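The reconciliation step described above can be sketched as follows. This is an added example, not code from the article: the record layout, field names and sample charges are constructed for illustration, and the two inputs stand for the issuer's billing file and the history uploaded from the employee's card.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Charge:
    txn_id: str        # hypothetical transaction identifier shared by both sources
    employee: str
    department: str
    expense_code: str  # organization-specific code keyed in by the employee
    amount: Decimal

FIELDS = ("employee", "department", "expense_code", "amount")

def _index(records, source, findings):
    """Key records by txn_id, flagging any id that appears twice in one source."""
    seen = {}
    for r in records:
        if r.txn_id in seen:
            findings.append((r.txn_id, f"duplicate transaction id in {source}"))
        else:
            seen[r.txn_id] = r
    return seen

def reconcile(issuer_file, card_upload):
    """Return sorted (txn_id, finding) pairs where the two data sets disagree."""
    findings = []
    issuer = _index(issuer_file, "issuer file", findings)
    card = _index(card_upload, "card history", findings)
    for txn_id in issuer.keys() | card.keys():
        billed, stored = issuer.get(txn_id), card.get(txn_id)
        if stored is None:
            findings.append((txn_id, "billed by issuer but missing from card history"))
        elif billed is None:
            findings.append((txn_id, "in card history but never billed"))
        else:
            diffs = [f for f in FIELDS if getattr(billed, f) != getattr(stored, f)]
            if diffs:
                findings.append((txn_id, "field mismatch: " + ", ".join(diffs)))
    return sorted(findings)

# Constructed sample data: T2's amount was altered on the card, T3 was erased
# from the card, and T4 exists only on the card.
ISSUER = [
    Charge("T1", "E100", "sales", "travel", Decimal("120.00")),
    Charge("T2", "E100", "sales", "meals", Decimal("35.50")),
    Charge("T3", "E100", "sales", "supplies", Decimal("60.00")),
]
CARD = [
    Charge("T1", "E100", "sales", "travel", Decimal("120.00")),
    Charge("T2", "E100", "sales", "meals", Decimal("25.50")),
    Charge("T4", "E100", "sales", "meals", Decimal("18.00")),
]

if __name__ == "__main__":
    for txn_id, finding in reconcile(ISSUER, CARD):
        print(txn_id, finding)
```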

The opportunities for controls here are abundant, compared with a more traditional memory card. Not only could there be a total limit on spending for each card, but there could be particular limits for each type of expense. Moreover, there could be limits for the total number of charges per time period (e.g., only three meals in a 24-hour period) as well as limits on the time of day (e.g., no use on entertainment between midnight and 6 a.m.) and on certain days of the week (e.g., no weekends). Corporations should find that the benefits of these strengthened controls exceed the cost of the card system. Six percent of revenues were lost in 2002 due to occupational fraud and abuse. This translates to US $600 billion in the US, a 50 percent increase since 1996.13 Making matters more difficult, the typical perpetrator is a first-time offender, and the average scheme lasts 18 months before it is detected.
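The layered limits listed above can be expressed as a single authorization check, shown here as an added example that is not part of the original article. The class names, reason strings and the dollar figures in `sample_policy` are assumptions made for illustration; only the kinds of limit come from the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

@dataclass
class CategoryRule:
    limit: Decimal                             # spending cap for this expense type
    max_count: Optional[int] = None            # max charges inside `window`
    window: timedelta = timedelta(hours=24)
    blocked_hours: Optional[range] = None      # hours of day when use is refused
    blocked_weekdays: frozenset = frozenset()  # Monday=0 ... Sunday=6

@dataclass
class CardPolicy:
    total_limit: Decimal                         # cap across all expense types
    rules: dict                                  # expense code -> CategoryRule
    history: list = field(default_factory=list)  # approved (when, code, amount)

    def authorize(self, when: datetime, code: str, amount: Decimal):
        """Return (approved, reason); approved charges are added to history."""
        rule = self.rules.get(code)
        if rule is None:
            return False, "unknown expense code"
        if amount <= 0:
            return False, "invalid amount"
        if when.weekday() in rule.blocked_weekdays:
            return False, "day of week not allowed"
        if rule.blocked_hours is not None and when.hour in rule.blocked_hours:
            return False, "time of day not allowed"
        same = [(t, a) for t, c, a in self.history if c == code]
        if rule.max_count is not None:
            # Sliding window: count approved charges in the period ending now.
            recent = [t for t, _ in same if when - rule.window < t <= when]
            if len(recent) >= rule.max_count:
                return False, "too many charges in period"
        if sum((a for _, a in same), Decimal(0)) + amount > rule.limit:
            return False, "expense-type limit exceeded"
        spent = sum((a for _, _, a in self.history), Decimal(0))
        if spent + amount > self.total_limit:
            return False, "card total limit exceeded"
        self.history.append((when, code, amount))
        return True, "approved"

def sample_policy():
    """Constructed policy: three meals per 24 hours, no entertainment between
    midnight and 6 a.m. or on weekends, plus assumed dollar caps."""
    return CardPolicy(
        total_limit=Decimal("500"),
        rules={
            "meals": CategoryRule(Decimal("200"), max_count=3),
            "entertainment": CategoryRule(
                Decimal("300"),
                blocked_hours=range(0, 6),
                blocked_weekdays=frozenset({5, 6}),
            ),
            "supplies": CategoryRule(Decimal("400")),
        },
    )

if __name__ == "__main__":
    card = sample_policy()
    print(card.authorize(datetime(2003, 5, 17, 20, 0), "entertainment", Decimal("40")))
```

Declined charges are not written to `history`, so a refused attempt does not count against later limits; a deployment that wants to audit refusals would log them separately.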

The contactless card has seen its applications grow in the transportation industry. An example of this use was described earlier in this paper. Many states in the US are noticing that the contactless cards are not only facilitating rapid movement of traffic, but also helping reduce pollution and gasoline consumption.

Hybrid Cards

The three major types of cards and several applications for these cards have been described. The smart card industry is now looking for ways to combine these different types of cards to develop hybrid cards. Major beneficiaries of hybrid cards could be governments and large companies. The hybrid in this context is the combination of the memory card and the chip card. Authorized purchasers in these organizations could be given a hybrid card. Using the chip card feature, the user could be authenticated. Using the memory card feature, the user could use the card for purchases up to preauthorized limits. Providers of products or services could electronically communicate the information to the organizations that participate in the program, thereby providing speed as well as security. This would eliminate significant processing costs at various levels.

Future of Smart Cards

The US government is also getting into the smart card business. At present, the US federal government uses smart cards as a "common access card" (CAC) in several federal facilities. Thousands of CACs are in use at present, with full implementation planned by 2005.

Further, a database called SmartData has been created by the government to centralize information about all smart card projects and their applications. This US government initiative is spearheaded by the General Services Administration (GSA) office. The goal is to have smart cards used for digital signatures, travel, small purchases and building access.14 The US government uses memory cards to deposit monthly payments, such as veterans' benefits, to members who are homeless. These members, who often distrust bureaucracy, routinely get their cards credited every month at the post offices. The government is also working on providing visas using smart cards, so visitors can be tracked better.

Many organizations and academic institutions are discovering the usefulness of smart cards. Currently, individuals use their ID card for identification within the organization and as an electronic door key. They carry other credit type cards for purchases, phone calls, etc. The smart card can incorporate several applications on one card. Another promising aspect is the involvement of Microsoft in developing open standards for the interoperability of smart cards. Java support is another crucial tool for the development of new applications. A novel feature of smart cards is the ability for individual owners to create their own personalized applications and load them onto the smart card using appropriate devices.

Most contact cards use a single integrated circuit chip. Tests are underway with two integrated circuit chips for enhanced security. Even though smart cards are not in widespread use in the US, the US standard chip is used in these cards because of its wide availability at a lower cost. This enables the card issuers such as Visa to keep the cost of a smart card as low as US $1.

The ability of smart cards to contain differentially encrypted data offers the opportunity for the same card to provide access to multiple applications. A corporate employee could use a card for storing information about a health plan and other benefits, for gaining physical or virtual entry to different rooms or programs, and for controlling expenditures.

A different type of concern is prevalent among national banking authorities. Smart cards introduce a new type of currency that is invisible. However, one need not be overly alarmed since the monetary value carried by the smart card is still a form of the national currency. Smart card issuers and backers will have to set up reliable systems to fund the smart cards, using a national currency such as the US dollar or the euro.15

Conclusion

Smart cards are here to stay. They have found widespread acceptance in Europe and Asia, and they are slowly finding acceptance in the US. While the current significant use has been in the communications and transportation industries, once the card readers become commonplace in personal computers, smart cards will significantly enhance e-commerce.

International standards for smart cards are emerging rapidly. The EMV standard developed by Europay, MasterCard and Visa is a dominant standard. The GSM is another major standard that addresses the wireless aspects of communication with the smart card. Another fast-moving area of development in smart cards is the Java card. These and other applications suggest that there are attractive opportunities for empowering employees while strengthening financial control. The ability to program multiple levels of control into the card, using open as well as proprietary standards, could expand the card's adoption. All these trends point to tremendous possibilities in the future for smart card technology.

Endnotes

1 Cagliostro, C.; Smart Card Primer, Smart Card Industry Association, Princeton, New Jersey, USA, 1999
2 www.smartcardalliance.org (accessed on 14 May 2003)
3 Atick, J.; CNSS Conference, Williamsburg, Virginia, USA, 8-10 April 2003, p.10
4 Courier-Journal, Louisville, Kentucky, USA, 29 March 2003
5 Cagliostro, C.; Smart Card Primer, Smart Card Industry Association, Princeton, New Jersey, USA, 1999
6 Fancher, C. H.; "Smart Cards," Scientific American, August 1996
7 www.gocsi.com (accessed on 14 May 2003)
8 Op. cit. Cagliostro
9 Di Giorgio, R.; "Smart Cards: A Primer," Java World, December 1997; Everett, D. B.; "Introduction to Smart Cards," Smart Card News Ltd., April 1999
10 Op. cit. Courier-Journal, 14 February 2003.
11 http://members.aol.com/pjsmart (accessed on 14 May 2003)
12 SmartGov; http://estrategy.gov/smartgov/smart_card.cfm (accessed on 14 May 2003)
13 "2002 Report to the Nation: Occupational Fraud and Abuse," Association of Certified Fraud Examiners, Austin, Texas, USA, 2002
14 Op. cit. SmartGov
15 Naccache, D., and D. M'Raihi; "Cryptographic Smart Cards," IEEE Micro, 16, #3, 1996, pp. 14-24

S. Srinivasan, Ph.D., is a professor of computer information systems in the College of Business and Public Administration at the University of Louisville (Kentucky, USA). His research interests are in telecommunications security, and he has published several papers on mathematics and computer science. He has performed IT consulting work for major businesses and government. He spent his most recent sabbatical year (2000-2001) at UPS in Louisville, working on a large database project. Currently he concentrates his teaching in telecommunications and databases. He is a senior member of the Institute of Electrical and Electronics Engineers.

Alan S. Levitan, CPA, DBA, is a professor of accountancy at the College of Business and Public Administration at the University of Louisville (Kentucky, USA), where he specializes in accounting information systems. He has published many articles in that area and frequently conducts training sessions and consults. Previously, he worked in the industry for 10 years, first as a consultant with a Big Four CPA firm, and then as corporate controller. He is a member of the American Institute of CPAs, the Institute of Management Accountants, the American Accounting Association and the Kentucky Society of CPAs.