Title: EMV cards with additional Functions
1 EMV cards with additional Functions
2 Presentation Objectives
- Orientation
  - Who Ecebs are and what we do
- Explore the possibilities of
  - Using other functions with EMV
    - Orthogonal applications
    - Complementary applications (Payment aware)
    - Other Payment
  - Using EMV for other functions
    - Non Payment, i.e. Authentication and PKI
    - Payment: EMV beyond Credit/Debit
3 Who are Ecebs?
- Based in East Kilbride, Scotland
- Advanced technology company
- Experts in Smartcard based projects
- Dedicated to building long term business relationships
4 What is our background?
- > 100 person years experience in smartcard and related secure IT systems development
- Motorola, Apple, CESG (UK Govt), Oracle, MasterCard/MXI, Unisys..
- Engaged with blue chip clients
- i.e. MasterCard Intl, Austria Card (Central Bank of Austria), ITSO (UK Govt Dept of Transport), Capita (FTSE 100)
- and others..
5 What do we do?
- Provide World Class Software Products and Services
- Develop Smartcard Software On and Off card
- Card Operating Systems
6 What are we about?
- OUR MISSION.. is to enable your Smartcard solutions in minimum time, with minimum overhead, for maximum return.
- OUR VISION.. think up a Smartcard application in the morning, watch it working in the afternoon.
- OUR STRATEGY.. Deliver superior innovative technology, products and systems, based on best of breed methodologies and architectures.
7 Presentation Objectives
- Orientation
  - Who Ecebs are and what we do
- Explore the possibilities of
  - Using other functions with EMV
    - Orthogonal applications
    - Complementary applications (Payment aware)
    - Other Payment
  - Using EMV for other functions
    - Non Payment, i.e. Authentication and PKI
    - Payment: EMV beyond Credit/Debit
8 What is a SmartCard?
- The crucial, consumer-side component in the provision of value-added services via electronic infrastructures.
What is a SmartCard System?
The electronic infrastructure used to deliver a service, valuable enough to require protection from fraud and misuse. Smartcards and smartcard systems must be built with security features and attributes to enable correct service provision, namely Integrity, Authenticity, Confidentiality, Non Repudiation.
9 Applications vs. Functions
- Definition of an Application
- Technologist's view: A set of code and data running on certain platform(s) designed to behave as required.
- Business Analyst's view: A set of behaviours designed to provide a specific service running on various platform(s) using whatever code and/or data is required.
- General: You don't necessarily need separate code and data to provide separate applications
- Cards: You don't need a MAOS to provide multiple applications
10 Orthogonal Applications
- Case Study: EMV with Health Records
- No interaction between applications beyond common data set management
- Cardholder ID
- Common infrastructure opportunity limited to Multi-app Terminal platforms
- Display health records at ATM?
11 EMV Non Payment
- Degree of interaction/interoperability depends on commonality of shared data and logic, case by case
- Payment aware Applications
- Use EMV to pay for application specific services
- Tickets and Tolls
- Govt benefits Managed Payment
12 Payment aware Apps
- Case Study: EMV ITSO
- Integrated Transport Smartcard Organisation
- Open Standard for Interoperable Mass Transit Ticketing
- Includes Stored Value travel rights purse
- Card must be contactless for ITSO, contact for EMV
- Interaction is when paying for a ticket with EMV.
- Terminal manages both apps independent of each other, with no interaction required.
- Scheme infrastructures can peacefully co-exist, i.e. no interdependencies
- Issues relate to Card Issuance and Management
- Who issues card? Who certifies card?
- Solution based on a co-branding framework
13 EMV Other App
14 EMV Other Payment
- Degree of interaction depends on functionality similarities. If Other App is
- Legacy Credit/Debit
- Shared common data and parameters should enable close interaction and interoperability
- Legacy E-Purse
- Degree of interaction (shared data) depends on compatibility, case by case
- Interoperability Opportunities
- Reload e-Purse through EMV Infrastructure
- Spend e-Purse funds with EMV Debit
15 Presentation Objectives
- Orientation
  - Who Ecebs are and what we do
- Explore the possibilities of
  - Using other functions with EMV
    - Orthogonal applications
    - Complementary applications (Payment aware)
    - Other Payment
  - Using EMV for other functions
    - Non Payment, i.e. Authentication and PKI
    - Payment: EMV beyond Credit/Debit
16 Functionality overlap?
- Card Multi-Functionality
- Commonalities in data management and processing.
- Scheme Architectures
- Commonalities in Customer database(s), Key and App Management
- Markets Overlap
- Payment cards
- Ticketing cards
- Club cards
- Medical cards
- Citizen ID Cards
- SIM Cards
17 EMV Sequence Diagram
[Figure: EMV sequence diagram; axis label: Time]
18 EMV Functional Overview
- Transaction sequence of events
- Card Authentication
- Cardholder Authentication (CVM)
- Terminal Action Analysis
- Card Action Analysis
- Off line/On line
- Script Processing
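The Terminal Action Analysis step in the sequence above, as an added example that is not part of the original slides: the terminal compares its Terminal Verification Results (TVR) with the Issuer and Terminal Action Codes (IAC/TAC) to decide which cryptogram to request from the card. It follows the general EMV procedure rather than anything specific to this deck; the function names and every byte value are constructed for illustration.

```python
# Added example: simplified EMV Terminal Action Analysis (terminal side).
# All action-code and TVR byte values are constructed sample data.
from enum import Enum

class Request(Enum):
    AAC = "decline offline"
    ARQC = "go online for authorisation"
    TC = "approve offline"

def _hit(tvr: bytes, iac: bytes, tac: bytes) -> bool:
    """True if any bit set in the TVR is also set in the issuer or terminal action code."""
    if not len(tvr) == len(iac) == len(tac) == 5:
        raise ValueError("TVR, IAC and TAC must be 5 bytes each")
    return any(t & (i | a) for t, i, a in zip(tvr, iac, tac))

def terminal_action_analysis(tvr, iac, tac, online_capable=True):
    """Pick the cryptogram type the terminal requests in the first GENERATE AC.

    iac and tac are dicts with 'denial', 'online' and 'default' entries.
    """
    if _hit(tvr, iac["denial"], tac["denial"]):
        return Request.AAC
    if online_capable:
        if _hit(tvr, iac["online"], tac["online"]):
            return Request.ARQC
        return Request.TC
    # Offline-only terminal, or online processing is not possible.
    if _hit(tvr, iac["default"], tac["default"]):
        return Request.AAC
    return Request.TC

# Constructed action codes: decline if SDA failed; go online if cardholder
# verification failed or the floor limit was exceeded.
SAMPLE_IAC = {"denial": bytes.fromhex("4000000000"),
              "online": bytes.fromhex("0000808000"),
              "default": bytes.fromhex("8000808000")}
SAMPLE_TAC = {"denial": bytes(5),
              "online": bytes.fromhex("0000008000"),
              "default": bytes.fromhex("0000008000")}

if __name__ == "__main__":
    for label, tvr in [("clean", "0000000000"), ("floor limit exceeded", "0000008000"),
                       ("SDA failed", "4000000000")]:
        result = terminal_action_analysis(bytes.fromhex(tvr), SAMPLE_IAC, SAMPLE_TAC)
        print(label, "->", result.name)
```

The terminal's choice is only a request: in Card Action Analysis the card can still answer with a more conservative cryptogram than the one asked for.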
19 EMV and Authentication
- Card Holder Verification needs two-factor
- CHV is local Person to Card
- What you have
- What you know
- What you are
- PIN is one form of Card Holder Verification
- What you know
- Biometric
- What you are
- Acoustic
- What you have remote over out of band channel
20 EMV based ID Authentication
21 EMV based Authentication
- Advantages
- Technically feasible with lower investment than other architectures
- Re-use of EMV based functions
- Re-use/enhancement of Customer Database
- Personal details
- Keys ?
- Disadvantages
- Market confusion with other Digital ID schemes
- PKI, X.509
- Liability?
- More secure with DDA cards
22 Lite with Dual Brand EMV
- Compliant with EMV 96 and 2000
- Specifications reviewed by Visa and EPI.
- Meets EPI/MCI M/Chip Lite product specifications
- Also meets VISA VSDC 1.3.2 product specifications
- Includes Powerful Secure File System
- Personalize-able Security and File Structures
- Penetration Resistant 3DES
- All functions configurable at Personalisation
- Based on low cost Silicon
- ATMEL AT05SC1604R
- Available NOW !
23 Lite with Dual Brand EMV
- Configure at personalisation
- VSDC or MChip Lite
- Protocol
- Terminal Risk Management
- Card Action Analysis
[Diagram: card software architecture, EMV features configured at Personalisation]
Security Config at Perso
CONFIGURED AT PERSO (EEPROM)
- EMV specific Logic
- Secure File System Cmds and Logic
- SDA, No PSE, Clear PIN, Issuer Auth, Card Risk Management, Script Processing
Application Layer Fixed in ROM
- VSDC
- MCHIP Lite
FIXED AT SILICON MANUFACTURE (ROM)
- API
- Command Parser / Router
- Comms T=0 T=1
- EEPROM Driver Module
- Crypto Lib DPA/SPA DES 3DES
- Life Cycle Manager
- HAL Service Layer
24 EMV based Managed Payment
- Case study Demo Govt benefits
- Stage one Benefits load and management
- Stage two redemption (permitted spend)
- Stage three redemption expired
- Stage four Disallowed merchant
25 Revisit Alternative Authentication
- Acoustic based card demo
- Browser based
- Can also function with telephony
26 Multi Function Open Issues
- Commercial
- Who issues the card, owns the customer relationship
- Co-branding
- Liability
- Operational
- Issuance
- Card, App, Key, and Infrastructure Management
27 Conclusion
- Integrating other functionality to EMV cards is highly feasible
- Level of interaction of EMV with other functions is highly case dependent
- Level of complexity is highly case dependent
- Many opportunities exist to significantly enhance the EMV business case by integrating other functions
28 Thank You
BarryHochfield_at_Ecebs.com
www.Ecebs.com