4b106083ad4f0a3b549beaec9500c714.ppt
- Number of slides: 61
Smart Cards in E-payment (Smart Cards in Electronic Buying and Selling Systems)
Dr Wasim Raad
Computer Engineering Department
King Fahad University of Petroleum & Minerals
Dhahran-Saudi Arabia
Muhammad Wasim Raad

Entities of the Epayment System
• Identification Card Issuer (Corporate or Service Provider)
• Purse Charger (Bank or third party)
• Card Holder (User)
• Access Control/Epayment terminal
  – Corporate secure log in
  – Retail POS
  – Collecting highway tax
• Corporate Information Center (Database)

System Requirements
• Privacy
• Security
• Support multi-application

EMV (Euro, Master, Visa)
• Established 1999 by Europay International, Mastercard International & VISA International
• EMV IC card spec for payment ensures cross-payment interoperability between cards and terminals
• Latest version: EMV 2000 version 4.0 (support for lower voltage cards & contactless interface)
• Currently there are greater than 200 million Mastercard, Maestro & Cirrus chip cards worldwide (more than 80 million of these support EMV)

Smart Card
• Smart Card Market: VISA Smart Credit/Debit (CCCP)
• Magnetic Credit Authorization Terminal; Smart Credit Authorization Terminal
• 2000: Stop manufacturing easy entry card and terminal as well. Differentiate a commission rate for interchange: chip card versus M/S card.
• 2002: All the card terminals should work on Visa Smart Credit/Debit. New recommendation of PIN pad.
• 2005: All the new cards should be equipped with Visa Smart Credit/Debit card functions.
• 2008: All the cards must be issued with functions of Visa Smart Credit/Debit Card. All the terminals must work on Smart Credit/Debit Card.

Authentication: Static Data Authentication
Scheme public key
Card Data:
  - SDA Certificate
  - Issuer Public Key Certificate
1. Card sends:
  - selected card data
  - card data certificate
  - issuer public-key certificate
2. Terminal decodes issuer public key using scheme public key.
3. Verifies card certificate using issuer public key.
4. Compares with hashed form of the card data.

Authentication (cont’d)
• Dynamic Authentication
  – Challenge-based.
  – The terminal issues a challenge to the card.
  – The card signs the card serial number and this challenge.
  – The terminal verifies this signature.
  – The card must incorporate the public-key encryption functions.
  – The private key is permanently stored in the card and protected by physical security features.
  – Key management issue.

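
Added example (not part of the original slides): a toy Python model of the static and dynamic authentication steps listed on the two slides above. Textbook RSA with small constructed keys stands in for the real EMV certificate formats; every name, key, the card-key certificate and the sample card data are assumptions made for illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys (assumption)

def make_key(p, q):
    """Textbook RSA key from two primes: toy sizes, no padding, illustration only."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def h(data, n):
    """SHA-256 of data, reduced so that it fits under the toy modulus n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, value):      # private-key operation
    return pow(value, key["d"], key["n"])

def recover(n, sig):       # public-key operation
    return pow(sig, E, n)

# Constructed keys (Mersenne primes), sized so each modulus fits inside its signer's.
SCHEME = make_key(2**89 - 1, 2**107 - 1)  # public half is loaded in every terminal
ISSUER = make_key(2**31 - 1, 2**61 - 1)
CARD = make_key(2**17 - 1, 2**19 - 1)     # private half never leaves the card

CARD_DATA = b"PAN=0000000000000000;EXP=0000"  # constructed sample
SERIAL = b"SERIAL-0001"                        # constructed sample

# Values the issuer writes to the card at personalisation time.
ISSUER_CERT = sign(SCHEME, ISSUER["n"])             # issuer public-key certificate
SDA_CERT = sign(ISSUER, h(CARD_DATA, ISSUER["n"]))  # card data certificate
CARD_KEY_CERT = sign(ISSUER, CARD["n"])             # assumed: certifies the card's own key

def terminal_sda(card_data, sda_cert, issuer_cert):
    issuer_n = recover(SCHEME["n"], issuer_cert)    # step 2: decode issuer public key
    signed_hash = recover(issuer_n, sda_cert)       # step 3: open the card certificate
    return signed_hash == h(card_data, issuer_n)    # step 4: compare with hashed data

def fresh_challenge():
    return secrets.token_bytes(8)                   # terminal picks a new value each time

def card_dda(challenge):
    # The card signs its serial number together with the terminal's challenge.
    return sign(CARD, h(SERIAL + challenge, CARD["n"]))

def terminal_dda(challenge, signature, card_key_cert, issuer_cert):
    issuer_n = recover(SCHEME["n"], issuer_cert)
    card_n = recover(issuer_n, card_key_cert)
    return recover(card_n, signature) == h(SERIAL + challenge, card_n)
```

The static certificate is the same on every transaction, while the dynamic signature only verifies against the challenge it was produced for.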
Authentication (cont’d): EMV Transaction Model
• Reset card
• Answer to reset
• Select Application
• Send Application Data
• Auth. card & terminal
• Terminal risk management
• Request cryptogram
• Card risk management
• Send cryptogram
• (Perform online Transaction)
• Send Results
• (Complete Transaction)

Electronic Cash
• Electronic cash is a general term that describes the attempts of several companies to create a value storage and exchange system that operates online in much the same way that government-issued currency operates in the physical world.
• Concerns about electronic payment methods include:
  – Privacy
  – Security
  – Independence
  – Portability
  – Convenience

Electronic Cash Issues
• Primary advantage is with purchase of items less than £5
• Credit card transaction fees make small purchases unprofitable
• Facilitates micropayments, e.g. for items costing less than £1
• Must be anonymous, just like regular currency
• Safeguards must be in place to prevent counterfeiting
• Must be independent and freely transferable regardless of nationality or storage mechanism

Electronic Cash

Electronic Cash Storage
• Two methods
  – On-line
    • Individual does not have possession personally of electronic cash
    • Trusted third party, e.g. e-banking, bank holds customers’ cash accounts
  – Off-line
    • Customer holds cash on smart card or electronic wallet
    • Fraud and double spending require tamper-proof encryption

Electronic Cash
Advantages
• Electronic cash transactions are more efficient and less costly than other methods.
• The distance that an electronic transaction must travel does not affect cost.
• The fixed cost of hardware to handle electronic cash is nearly zero.
• Electronic cash does not require that one party have any special authorization.
Disadvantages
• Electronic cash provides no audit trail.
• Because true electronic cash is not traceable, money laundering is a problem.
• Electronic cash is susceptible to forgery.
• So far, electronic cash is a commercial flop.

ePayment by Smart Card
• Replace cash
• Cash is expensive to make and use
  – Printing, replacement
  – Anti-counterfeiting measures
  – Transportation
  – Security
• Cash is inconvenient
  – not machine-readable
  – humans carry limited amount
  – risk of loss, theft
• Additional smart card benefits

How does E-Purse Work?
• E-purses are usually issued by banks to their customers
• Money is loaded into the e-purse by transfer from the cardholder’s bank account using an ATM, a public payphone, a home smart phone, a mobile phone or the internet
• Once the cardholder has chosen goods, he inserts the card into the POS and money is debited

Examples Of E-Purse
• Mondex
• Visa Cash
• Digi Cash
• Cyber Coin

E-purse benefits
• No need to carry loose change to buy a newspaper or use a vending machine
• More convenient than checks and debit cards for small transactions
• Offers the user more privacy and freedom from recording expenditures in a check book
• Attractive to merchants: saves time

Electronic Purse
• EFT-POS
  – Magnetic, Credit/Debit Card
  – EMV Smart Card
  – Electronic Purse: MONDEX, CEPS, KEP
• Ministry of Commerce, Industry & Energy
  1) KEP (Korean Electronic Purse): Korea Financial Telecommunications & Clearings Institute
  2) Mondex Electronic Purse
    – Cheju Island (Resort) Project
    – ASEM Project

Smart Cards & ecommerce
Multi Channel Access

Smart cards in ecommerce
Amex Blue

What Is The Octopus?
• A pre-paid stored value card utilizing contactless smart card technology
• Operates within wallet/purse for up to 10 cm
• Less than 1/3 second transaction time

Octopus Applications
• Public Transport and related
  – 3 railways, 6000 buses, ferries, Peak Tram, Tramways, public light bus
  – Car parks
  – Parking meters

Octopus in Off-Street Car Parks

Octopus Applications
• Recreational facilities
  – Public swimming pools
  – Racecourses
• Non-payment service
  – Access Control for residential estates
  – School Attendance

Octopus
• Transaction time < 300 milliseconds
• Transaction fees: HK$0.02 + 0.75%
  – $10 transaction costs $0.095 (0.95%)
• Applications
  – Transit
  – Telephones
  – Road tolls
  – Point-of-sale
  – Access control
• Anonymous / personalized
• How does money get to service providers?
  – Net settlement system operated by Creative

M(obile)-Payments – the future?
“Analysts believe that easy mobile payment is one of the main prerequisites for the success of m-commerce. When the mobile phone can function as an electronic wallet for mobile payments, including micropayments, application developers will find it attractive to introduce new mobile communication services to the market. Examples include mobile entertainment (downloads of music, mobile gambling, etc.), information services (sports news, horoscopes, location-based services, etc.), and real-world services (paying parking fees, buying train or concert tickets, etc.). Network operators envision micropayments as an attractive business that does not compete with banks or credit card companies. For the end user, PayCircle will make m-commerce easy and secure and thus eliminate the major hurdles to widespread adoption and popularity.”
PayCircle.org press release, Jan 23rd 2002

Payment Cards
• 8-128 Kb
• Data rate 115 Kb/sec
• ISO 7816 compliant
• Visa-certified
• PIN management and verification
• 3DES algorithm for authentication, secure messaging
• Epurse with payment command set (debit, credit, balance, floor limit management)
EMV = EUROPAY INT’L, MASTERCARD, VISA
MPCOS = MULTI PAYMENT CHIP OPERATING SYSTEM
SOURCE: GEMPLUS

Can Smart Cards Support Multi-Applications?
• Capability to download independent applets, securely isolated (Java Card)
• Example: a card may contain an individual’s driver’s license, multiple credit card & bank accounts, stored value for company cafeteria, & health records
• A police officer’s card reader can read driver’s license info, but not bank account

The Java Simtoolkit
• Since 3 KB, SIM memory has increased to 8 KB, 32 KB and lately to 64 KB
• SIM Application Toolkit explores the full potential of smart cards
• Spec defines commands and procedures for running handset-independent SIM toolkit applications
• Produces extra revenue through mobile banking, stock trading, games, emails, …

France Telecom: first launch of SIM toolkit developed by Gemplus
• Operators can give end-users access to many on-screen services
• Fast, user-friendly access to the latest news, weather report or practical details on traffic, finance and leisure
• Subscribers can update their selection and gain access to new services
• Java applets can be downloaded using SMS or internet

Providing Value Added services
• GSM Cellnet and Barclaycard developed a wireless financial service smart card
• SIM activates user’s Cellnet GSM phone
• Provides a Barclay services menu

Swedish Bank Utility Bill Payment
• SIM card allows users to access the service by menu navigation
• Users can pay their utility bills away from home by keying in information such as origin and destination bank account numbers

Hong Kong Smart Cards
• Octopus
  – 8 million cards, 9000 readers
  – 7 million transactions/day
• Visacash
• ComPass Visa (VME)
• Mondex
• GSM SIM
• ePark

Mondex
• Subsidiary of MasterCard
• Smart-card-based, stored-value card (SVC)
• NatWest (National Westminster Bank, UK) et al.
• Secret chip-to-chip transfer protocol
• Value is not in strings alone; must be on Mondex card
• Loaded through ATM
  – ATM does not know transfer protocol; connects with secure device at bank
• Spending at merchants having a Mondex value transfer terminal

Mondex Smart Card
• Holds and dispenses electronic cash
• Developed by MasterCard International
• Requires specific card reader for merchant or customer to use card over Internet
• Supports micropayments as small as 2p and works both online and off-line at stores or over the telephone

Mondex Smart Card

Mondex Overview
SOURCES: OKI, MONDEX USA

Mondex Security
• Active and dormant security software
  – Security methods constantly changing
  – ITSEC E6 level (military)
• VTP (Value Transfer Protocol)
  – Globally unique card numbers
  – Globally unique transaction numbers
  – Challenge-response user identification
  – Digital signatures
• MULTOS operating system
  – Firewalls on the chip

Mondex Smart Card
• Disadvantages
  – Card carries real cash in electronic form, creating the possibility of theft
  – No deferred payment as with credit cards: cash is dispensed immediately
  – Trialled in Swindon but not taken up

Mondex Components (Hitachi)
• Cashless ATM
• PCMCIA Reader/Writer
• Electronic Cash Register
• Key Fob Balance Reader
• Electronic Wallet
SOURCE: HITACHI

E-payment smart cards

E-payment smart cards continued

Proximity Solutions for MULTOS
2 types of MULTOS “Dual-Interface” cards, supporting communication with the chip via both the contact plate and the contactless interface based on Proximity Standard ISO 14443
• Hitachi/DNP Contactless MULTOS: 36 K EEPROM, Type B contactless interface. Available now
  – 250 K issued for Japan Residential ID card
  – Supports both versions of Paypass transaction (contactless M/Chip 4, or Contactless Track 2 data) and in fact can execute ANY existing MULTOS application over the contactless interface.
• Keycorp / Philips Contactless MULTOS: 16 K EEPROM, MIFARE Type A contactless interface. Prototypes available now
  – Supports Mifare ticketing only. Full contactless MULTOS application execution planned for Q3

Visa Wave
• First commercial Visa contactless card, Global Platform, EMV
• Visa debit/credit for more than 2000 consumers

Electronic Payment Evolution in the U.S.
• Contactless payment solution was introduced in 2002
• Magnetic stripe card was introduced
• First plastic credit card was introduced
• Online credit & debit
• Speed, convenience, & reward to drive cash replacement faster
• Differentiating payment services
• Online authorization
• Draft capture
• Electronic settlement
• Credit card acceptance by retailers
• Zip zap machine
• Negative card list
• Enriched consumer shopping experience
2004 Results: Electronic Payment – 36%, Cash & Checks – 64%
Possible Objective by 2010: Electronic Payment – 70%, Cash & Checks – 30%

ViVOpay Contactless Readers for POS
ViVOpay 3000, ViVOpay 4000, ViVOpay Drive Thru, Box Office Window
• ViVOtech has shipped 100,000 contactless readers in last 18 months. Mostly in the U.S.

ViVOwallet Software for NFC Phone
ViVOwallet is a software utility that turns an NFC-enabled mobile phone into a payment device
• Supports a standard credit card in form of a “soft card”.
• Provisioning via OTA (Over The Air) transmission
• Makes it work with 10’s of thousands of contactless readers being deployed

Wireless Card Authorization
SOURCE: SAMSUNG

Multi-application smart card example

Case Studies

Smart Cards Will Play an Important Role In Ecommerce:
• Provide a secure storage for digital certificates and personal identification
• Convenience: multifunction card like the JAVA Card and very portable
• Log recent activities
• Can provide automatic logins to designated websites without having to remember passwords and login

Conclusion
– With EMV expected to move to Smart Cards by 2007, huge boom expected.
– Cards will become truly multifunctional.
– Application downloading.
– Interoperability issue solved