EMV cards with additional Functions

1
EMV cards with additional Functions
2
Presentation Objectives

• Orientation
• Who Ecebs are and what we do
• Explore the possibilities of
• Using other functions with EMV
• Orthogonal applications
• Complimentary applications (Payment aware)
• Other Payment
• Using EMV for other functions
• Non Payment I.e. Authentication and PKI
• Payment EMV beyond Credit/Debit

3
Who are Ecebs?

• Based in East Kilbride, Scotland
• Advanced technology company
• Experts in Smartcard based projects
• Dedicated to building long term business
  relationships

4
What is our background ?

• gt 100 person years experience in smartcard and
  related secure IT systems development
• Motorola, Apple, CESG(UK Govt) Oracle,
  MasterCard/MXI, Unisys..
• Engaged with blue chip clients
• I.e.MasterCard Intl, Austria Card (Central Bank
  of Austria), ITSO (UK Govt Dept of Transport),
  Capita (FTSE 100)
• and others..

5
What do we do?

• Provide World Class Software Products and
  Services
• Develop Smartcard Software On and Off card
• Card Operating Systems

6
What are we about ?

• OUR MISSION.. is to enable your Smartcard
  solutions in minimum time, with minimum overhead,
  for maximum return.
• OUR VISION.. think up a Smartcard application in
  the morning, watch it working in the afternoon.
• OUR STRATEGY.. Deliver superior innovative
  technology, products and systems, based on best
  of breed methodologies and architectures.

7
Presentation Objectives

• Orientation
• Who Ecebs are and what we do
• Explore the possibilities of
• Using other functions with EMV
• Orthogonal applications
• Complimentary applications (Payment aware)
• Other Payment
• Using EMV for other functions
• Non Payment I.e. Authentication and PKI
• Payment EMV beyond Credit/Debit

8
What is a SmartCard?

• The crucial, consumer-side component in the
  provision of value-added services via electronic
  infrastructures.

What is a SmartCard System?
The electronic infrastructure used to deliver a
service, valuable enough to require protection
from fraud and misuse. Smartcards and smartcard
systems must be built with security features and
attributes to enable correct service provision
namely Integrity, Authenticity, Confidentiality,
Non Repudiation
9
Applications vs. Functions

• Definition of an Application
• Technologists view - A set of code and data
  running on certain platform(s) designed to behave
  as required.
• Business Analysts view A set of behaviours
  designed to provide a specific service running on
  various platforms(s) using whatever code and/or
  data is required.
• General You dont need necessarily need separate
  code and data to provide separate applications
• Cards You dont need a MAOS to provide multiple
  applications

10
Orthogonal Applications

• Case Study EMV with Health Records
• No interaction between applications beyond common
  data set management
• Cardholder ID
• Common infrastructure opportunity limited to
  Multi-app Terminal platforms
• Display health records at ATM ?

11
EMV Non Payment

• Degree of interaction/interoperability depends on
  commonality of shared data and logic case by
  case
• Payment aware Applications
• Use EMV to pay for application specific services
• Tickets and Tolls
• Govt benefits Managed Payment

12
Payment aware Apps

• Case Study EMV ITSO
• Integrated Transport Smartcard Organisation
• Open Standard for Interoperable Mass Transit
  Ticketing
• Includes Stored Value travel rights purse
• Card must be contactless for ITSO, contact for
  EMV
• Interaction is when paying for a ticket with EMV.
• Terminal manages both apps independent of each
  other, with no interaction required.
• Scheme infrastructures can peacefully
  co-exists I.e. no interdependencies
• Issues relate to Card Issuance and Management
• Who issues card ? Who certifies card?
• Solution based on a co-branding framework

13
EMV Other App
14
EMV Other Payment

• Degree of interaction depends on functionality
  similarities. If Other App is
• Legacy Credit/Debit
• Shared common data and parameters should enable
  close interaction and interoperability
• Legacy E-Purse
• Degree of interaction(shared data) depends on
  compatibility case by case
• Interoperability Opportunities
• Reload e-Purse through EMV Infrastructure
• Spend e-Purse funds with EMV Debit

15
Presentation Objectives

• Orientation
• Who Ecebs are and what we do
• Explore the possibilities of
• Using other functions with EMV
• Orthogonal applications
• Complimentary applications (Payment aware)
• Other Payment
• Using EMV for other functions
• Non Payment I.e. Authentication and PKI
• Payment EMV beyond Credit/Debit

16
Functionality overlap ?

• Card Multi-Functionality
• Commonalities in data management and processing.
• Scheme Architectures
• Commonalities in Customer database(s) Key and App
  Management
• Markets Overlap
• Payment cards
• Ticketing cards
• Club cards
• Medical cards
• Citizen ID Cards
• SIM Cards

17
EMV Sequence Diagram
Time
18
EMV Functional Overview

• Transaction sequence of events
• Card Authentication
• Cardholder Authentication (CVM)
• Terminal Action Analysis
• Card Action Analysis
• Off line/On line
• Script Processing

19
EMV and Authentication

• Card Holder Verification needs two-factor
• CHV is local Person to Card
• What you have
• What you know
• What you are
• PIN is one form of Card Holder Verification
• What you know
• Biometric
• What you are
• Acoustic
• What you have remote over out of band channel

20
EMV based ID Authentication
21
EMV based Authentication

• Advantages
• Technically feasible with lower investment than
  other architectures
• Re-use of EMV based functions
• Re-use/enhancement of Customer Database
• Personal details
• Keys ?
• Disadvantages
• Market confusion with other Digital ID schemes
• PKI, X.509
• Liability?
• More secure with DDA cards

22
Lite with Dual Brand EMV

• Compliant with EMV 96 and 2000
• Specifications reviewed by Visa and EPI.
• Meets EPI/ MCI M/Chip Lite product
  specifications
• Also meets VISA VSDC 1.3.2 product specifications
• Includes Powerful Secure File System
• Personalize-able Security and File Structures
• Penetration Resistant 3DES
• All functions configurable at Personalisation
• Based on low cost Silicon
• ATMEL AT05SC1604R
• Available NOW !

23
Lite with Dual Brand EMV

• Configure at personalisation
• VSDC or MChip Lite
• Protocol
• Terminal Risk Management
• Card Action Analysis

EMV features configured at Personalisation
Security Config at Perso
CONFIGURED AT PERSO
EEPROM
EMV specific Logic
Secure File System Cmds and Logic
SDA, No PSE, Clear PIN, Issuer Auth, Card Risk
Management, Script Processing
Application Layer Fixed in ROM
VSDC
MCHIP Lite
FIXED AT SILICON MANFACTURE
API
Command Parser / Router
Comms T0 T1
EEPROM Driver Module
Crypto Lib DPA/SPA DES 3DES
Life Cycle Manager
HAL Service Layer
ROM
24
EMV based Managed Payment

• Case study Demo Govt benefits
• Stage one Benefits load and management
• Stage two redemption (permitted spend)
• Stage three redemption expired
• Stage four Disallowed merchant

25
Revisit Alternative Authentication

• Acoustic based card demo
• Browser based
• Can also function with telephony

26
Multi Function Open Issues

• Commercial
• Who issues the card, owns the customer
  relationship
• Co-branding
• Liability
• Operational
• Issuance
• Card, App,Key, and Infrastructure Management

27
Conclusion

• Integrating other functionality to EMV cards is
  highly feasible
• Level of interaction of EMV with other functions
  is highly case dependant
• Level of complexity is highly case dependant
• Many opportunities exist to significantly enhance
  the EMV business case by integrating other
  functions

28
Thank You
BarryHochfield_at_Ecebs.com
www.Ecebs.com