Market Overview - Smart Cards: Plastic Fantastic
Chris Long charts the evolution of the smart card, from its anti-fraud beginnings to multi-purpose payment card and tool of the state
In George Orwell?s book 1984, the state watched its people 24 hours a day. It?s ironic that after it was published a lot of people thought that simply because it existed, the sort of invasion of privacy it talked about would never happen. It is ironic because you only have to see the closed-circuit TV cameras in your local high street to know that although Orwell didn?t intend 1984 to be a prediction of the future, he was still on the money.
But you don?t have to actually see someone to monitor them. Watching their habits and living patterns can give you as much information about them as you want ? certainly if you are a business and aren?t too bothered about issues of state. Thus a 20-year-old technology is coming to the fore. And, despite the vague aroma of 1984 about it, it is going to be appearing in a wallet or handbag near you ? if it isn?t already there.
It is the smart card ? immediately raising the question what a dumb card is, or an untidy card for that matter. Its smartness is defined by its ability to ?do things?. These things range from doling out telephone units to being able to pay for goods, while storing data about its user and then intelligently controlling access to that data.
It was the banks that started the ball rolling. French banking association Cartes Bancaires started looking for a way to stop the huge losses that the French financial community was suffering from counterfeit magnetic bank cards. The weakness in the system was the traditional magnetic stripe card and the ease with which account information on legal cards was being copied on to counterfeit cards. As ever when money is involved, people immediately started looking for a solution and in 1977 the first smart card project was started. The idea was to put a processor and some Ram on a card instead of the magnetic stripe and use the processor to control access.
French company Bull worked with chip maker Motorola to design a processor for the card and the smart card adventure was off and away. In 1992, the French banks started to replace magnetic stripe cards with smart cards: they have since boasted a tenfold drop in card fraud.
Despite a variety of smart card projects in the 1980s, the industry did not really take off until the mid 1990s. Again it was the money people: in 1994, Visa and Mastercard announced that they planned to replace an estimated 1.5 billion magnetic stripe cards throughout the world with smart cards.
The announcement was just the interest that was needed to turn the smart card industry into overdrive. In the past three years, the number of smart card trials has gone through the roof. As well as the US and the UK, Spain, Germany, Portugal, Japan, Taiwan, South Africa and Russia are all having a go.
Dataquest estimates that the total market in 1996 was 173 million units, and predicts it will rise to 1.32 billion by 2001. Motorola is boasting that it alone will be producing more than 10 million smart card chips a week by 2000. And in terms of market value, Dataquest estimates that the 1996 smart card market was worth $384 million and by 2001 it will be more than $2.5 billion.
The size and shape of smart cards have been standardised for a while, but their electronic capabilities vary greatly. The simplest version is probably a phone card which has a 1Kb EPROM (erasable programmable Rom). At the other extreme, where most of the interesting applications are being developed, the cards contain an eight-bit processor, 256 bytes of Ram, 16Kb of Rom and an 8Kb EEPROM (electronically erasable programmable Rom).
The more advanced smart cards usually use a special processor that can be customised to perform special operations, such as encryption, faster than normal microprocessors. In addition to storing some kind of cash-related value, smart cards can include a digital certificate for identifying the bearer of the card and a private cryptographic key for signing electronic documents.
The smart card industry, presumably in an attempt to impress us, is saying that the processors in the top end smart cards are as powerful as the early PCs. Thus a smart card is capable of holding up to 500 times more data than a magnetic stripe card ? and will hold it more securely.
As you?d expect, the card is read in a card reader system. Traditionally, the transfer has been made via the connections that supply the power, but more and more devices are using miniature wireless modem systems. They still have to be put in a reader, but the problems of bad connectors interfering with the data transfer are eliminated.
According to a Frost & Sullivan report, just one smart card will be enough for us all: ?No more carrying five different types of credit card, three types of video store membership, and a driver?s licence; the smart card would contain all this information.? Idyllic for some and smaller wallets for all, although it also suggests that a fault on your smart card will bring the prospect of no credit cards, no membership to three types of video store and no driving licence.
But smart cards aren?t only for personal use. Given the amount of data a card can carry and its security system, it is ideal as a means of identifying a user to give or deny certain access privileges when hot seating on a company network, for example. A smart card can identify people on a network regardless of where they?re sitting and what computer they?re using.
According to Colin Croft, smart card partners program manager at Bull, a smart card makes the perfect authentication tool.
?It is used in exactly the same way as a Barclaycard or Visa card,? he says. ?It works in the same way in terms of authenticating you, but it does it in a more secure way because fraud is much harder to effect.?
Authentication is the watch word for Croft. ?If you combine your smart card with something that is unique to you ? whether it is a pin number or pass phrase or biometrics ? it is a very secure way of saying you are the person you are supposed to be,? he says.
The trick of the security is to have software on the card itself so that when the card is activated the system opens up a communication with the card when the reader system makes a request for data. And the access control software acts as a buffer between the outside world and the card, monitoring transfer requests and checking the security clearances of the data requests.
All this built-in security points to an obvious development: the purse card. Just like a phone card, a number of units are programmed into the card ? but this time money. And because it monitors and records its transactions, the purse card is perfectly placed to be used in a shop loyalty scheme, says Croft.
?There is a lot of activity now where you can accumulate points or whatever with your supermarket or club,? he says. ?It works well for organisations that want to market better to their client base.?
That?s assuming, of course, that the client base wants to be better marketed to.
Croft also believes that the smart card will help the burgeoning area of electronic commerce: with a smart card you have the ability to ensure that a person making the purchase is the person that should be making it.
When this finally happens it is likely to cause a revolution in e-commerce over the internet as more powerful processors enable more sophisticated encryption to be performed, making it possible to use digital signatures during transactions. These signatures confirm that a sender is genuine and that data has not been tampered with during a transaction.
?This way the seller can verify that the purchaser is the right person, but also the purchaser can be sure that the seller is who they are supposed to be and isn?t someone spoofing,? says Croft.
Another possible use is as a medical card, containing, say, your blood group plus current prescriptions and prescription history plus allergies. Your GP would have complete access to the card with the facility to add information (and update the prescriptions data). The pharmacist, though, would only have read access to the prescriptions, and the emergency services would have complete access but read only.
Motorola makes many of the processors that go on to smart cards and it is currently working on making them more sophisticated ? and, of course, more powerful. John Letham, worldwide marketing manager for smart cards at Motorola, says that they are now turning into multifunction cards.
?Most smart cards have been single applications card, GSM card, an ID card, an electronic purse, a health card,? he says. ?But now we are seeing a trend to putting more than one application on the card, so perhaps you can have a GSM card that is preloaded with money so you are travelling around the world without the user having to have a credit check.?
Surprisingly, the UK lags behind other countries in the take-up of smart cards and both Germany and France are in front. But Letham doesn?t think that will get in the way of the UK market. ?Once people understand the advantages of security and functionality it will take off, and I think it will probably be introduced by the banks,? he says.
Having said that, Letham is at pains to point out that the UK is by no means at the bottom of the take-up league. ?I should say that the US is even further behind the UK,? he says. He explains that the US banking service is probably more efficient than ours and certainly more efficient than that of France, which started the whole thing to tie up the loose ends in its system. Letham says Europe accounts for 90 per cent of the smart card market.
If all this is to happen then the cost of the card has to come down considerably ? processor prices currently range from $1 to $10. But Letham thinks that isn?t a problem if it is thought through properly.
?Smart cards are more expensive than magnetic stripe cards, so you have to have a business model that works,? he says. ?Do the benefits to the customer justify the expense? You have to put a dollar figure on it, because even though it is unlimited in what it can do, the application has to be of benefit.? Advice which may seem obvious in black and white but isn?t always followed.
Although there are two main processor manufacturers ? Motorola and Siemens Nixdorf ? and their processors are not compatible, Letham insists that compatibility isn?t a problem. ?When companies work on big projects they tend to use more than one supplier,? he says. ?They may go to Siemens and us and port their code to both cards. It only takes a matter of a few weeks. From a business point of view it makes sense, and so far it hasn?t been an issue.?
But software is always an issue, although it looks like Sun is going to attempt to save the day with Java. It has developed the Java Card API which will, with a bit of luck, enable developers to write applications for smart cards. Because Java is meant to be platform independent, it means that it doesn?t matter which card is used. On the Web, small Java applications are called applets; on smart cards, small Java applications are called cardlets ? who?d have guessed.
Rob Bamforth, Java enterprise computing market development manager at Sun, thinks that Java Card is making opportunities for developers. ?The great thing for smart card vendors,? he says, ?is they can sell their card to people who want to implement a service and they can say ?look you can use off-the-shelf Java programmers? and don?t have to write specialised code for the cards.?
And, he says, testing the software is so much easier too. ?When you have written the program in Java you can test it on a desktop computer and then move it across.? Which ? if it works ? will revolutionise software development.
Whatever the technical case there is still the lingering doubt that despite the potential advantages of the cards, there is a good chance that this will be another way for business and the state to gather data about us all. Interestingly, and perhaps not too surprisingly, the smart card industry is taking an ?it?s nothing to do with us, we just make them? approach.
Croft defends the point that these cards are going to be a repository of information that we want to keep to ourselves. ?Only if they are designed for that application,? he says.
But if the industry is developing the system and the system can become a liability to its users, doesn?t the industry have a responsibility to police it? ?I don?t necessarily agree that is what the industry is pushing for, and I would further say that it is once again back to the applications,? says Croft.
Motorola takes a similar approach. Letham says: ?If Access or Visa or Mastercard wanted to look at what you were buying, they could simply look at your statement. The smart cards can do all sorts of things and it really depends on the application.?
Bamforth adds: ?We aren?t limiting what people use the cards for, or even how they should use them. We are just providing an infrastructure for potential use.?
Next time you come across a smart card, listen very carefully ? any hollow laughter you hear is likely to be from George Orwell himself.