A number of standards and specifications are relevant for smart card implementations, with some focused on industry-specific applications. A summary of the standards bodies and different smart card standards and specifications is presented below.
ISO/IEC is one of the worldwide standard-setting bodies for technology, including plastic cards. The primary standards for smart cards are ISO/IEC 7816, ISO/IEC 14443, ISO/IEC 15693 and ISO/IEC 7501.
While not a smart card standard, the Near Field Communication (NFC) standard, ISO/IEC 18092, is an important contactless technology standard that is expected to be integrated into mobile phones and other devices.
In addition, ISO/IEC 24727 is a multi-part standard aimed at achieving interoperability among various smart card systems. The goal is to provide the necessary interfaces and services to enable interoperability among divergent systems, with a particular focus on identification, authentication, and signature services, and removing the dependence on vendor specific implementations. ISO/IEC 24727 is a set of programming interfaces for interactions between integrated circuit cards (ICCs) and external applications, including generic services for multi-sector use. The organization and the operation of the ICC conform to ISO/IEC 7816-4.
As a result of Homeland Security Presidential Directive 12 (HSPD-12), issued by President George W. Bush on August 27, 2004, NIST published Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, on February 25, 2005. FIPS 201 provides the specifications for a standard Federal smart ID card, called the PIV card, that must be used for both physical and logical access and can be used for other applications as determined by individual agencies. The PIV card is a smart card with both contact and contactless interfaces. Government agencies are currently implementing FIPS 201-compliant systems.
NIST has also issued a number of Special Publications with additional specifications for PIV card implementations (for example SP 800-73 on the PIV card application and data model, SP 800-76 on biometric data, and SP 800-78 on cryptographic algorithms and key sizes). Published specifications are available at https://csrc.nist.gov/publications/sp.
FIPS standards are developed by the Computer Security Division within NIST and are designed to protect Federal computer and telecommunications systems. The FIPS standards that apply to smart card technology are the Digital Signature Standard (FIPS 186), the Advanced Encryption Standard (FIPS 197), and the Security Requirements for Cryptographic Modules (FIPS 140).
ANSI recommends standards directed to the needs of the U.S. and supervises standards-making activities. It does not write or develop standards itself. Thus, in the U.S., any group that participates in ISO must first participate in ANSI. The International Committee for Information Technology Standards (INCITS) serves as ANSI's Technical Advisory Group (TAG). Working groups within INCITS, such as B10 (Identification Cards and related devices), T6 (Radio Frequency Identification Technology) and M1 (biometrics), contribute directly to ISO groups (for example, the ISO/IEC Joint Technical Committee 1/Subcommittee 17 (JTC 1/SC 17)).
GlobalPlatform (GP) is an international, non-profit association. GlobalPlatform protects digital services by standardizing and certifying a security hardware/firmware combination, known as a secure component, which acts as an on-device trust anchor. This facilitates collaboration between service providers and device manufacturers, empowering them to ensure the right level of security within all devices to protect against threats. GlobalPlatform specifications also standardize the secure management of digital services and devices once deployed in the field.
Common Criteria (CC), published as ISO/IEC 15408, is an internationally approved security evaluation framework providing a clear and reliable evaluation of the security capabilities of IT products, including secure ICs, smart card operating systems, and application software. CC provides an independent assessment of a product's ability to meet security standards, with the goal of giving customers confidence in the security of IT products and leading to better decisions about security. Security-conscious customers, such as national governments, are increasingly requiring CC certification in making purchasing decisions. Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings. CC has been adopted and is recognized by 14 countries.
The International Civil Aviation Organization (ICAO) is responsible for issuing guidance on the standardization and specifications for Machine Readable Travel Documents (MRTD), i.e., passports, visas, and travel documents. ICAO published the specification for electronic passports, which use a contactless smart chip in the passport to securely store the information printed on the passport holder's data page.
The IATA develops standards for recommendation to the airline and transportation industry. IATA has formed a task force to develop interoperability standards for smart card-based ticketless travel. Its mission is to make the use of electronic airline tickets easy and convenient.
The G-8 countries have come together to develop a standard format for populating data on a health card. This standard attempts to create interoperability across health cards from the G-8 countries. It addresses file formats, data placement on the card, and use of digital certificates in health care.
The Health Insurance Portability and Accountability Act (HIPAA) states that the Secretary of Health and Human Services (HHS) is to adopt national standards for implementing a secure electronic health transaction system. Examples of these transactions include: claims, enrollment, eligibility, payment, and coordination of benefits. The goal of HIPAA is to create a secure, cost-effective means for individuals to efficiently accomplish electronic health care transactions. HHS has designated the Centers for Medicare and Medicaid Services as the responsible entity for enforcing HIPAA.
The mobile phone industry has several telecommunication standards, but the predominant one globally is GSM. The GSM standard uses smart cards called Subscriber Identity Modules (SIMs) that are configured with the subscriber identity and the secret key needed to authenticate a GSM-compliant mobile phone to the network, thus allowing a phone to receive service whenever the phone is within coverage of a suitable network. The GSM standard is managed by the European Telecommunications Standards Institute (ETSI).
EMV is an open-standard set of specifications for smart card payments and acceptance devices. EMVCo, owned by American Express, JCB, MasterCard, and Visa, manages, maintains and enhances the EMV specifications, to ensure global interoperability of chip-based payment cards with acceptance devices including point of sale terminals and ATMs. The EMV standard initially started out as a terminal specification but has evolved into a four-book specification: Book 1 (application-independent ICC to terminal interface requirements), Book 2 (security and key management), Book 3 (application specification), and Book 4 (cardholder, attendant, and acquirer interface requirements).
EMVCo is also active in developing specifications, requirements and approval processes for supporting contactless and mobile payments.
The PC/SC Workgroup was formed in 1996 and included Schlumberger Electronic Transactions, Bull CP8, Hewlett-Packard, Microsoft, and other leading vendors. This group has developed open specifications for integrating smart cards with personal computers. The specifications are platform-independent and based on existing industry standards. They are designed to enable application developers to create smart card-based secure network applications for banking, health care, corporate security, and electronic commerce. The specifications include cryptographic functionality and secure storage, programming interfaces for smart card readers and PCs, and a high-level application interface for application development. The specifications are based on the ISO/IEC 7816 standard and support the EMV and GSM application standards; an application talks to the card through a PC/SC reader by exchanging ISO/IEC 7816-4 command and response APDUs.
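Because both the ISO/IEC 24727 material above (which builds on the ISO/IEC 7816-4 card organization) and the PC/SC specifications end up at the same primitive, the command/response APDU, the following added example shows what that primitive looks like in practice. It is not code from the original page or from the PC/SC Workgroup: it encodes short-length ISO/IEC 7816-4 command APDUs (cases 1 to 4), parses response APDUs, interprets the status words a PC/SC client has to handle (including the 61xx "more data" and 6Cxx "wrong Le" cases), and exercises a SELECT by AID against a constructed in-memory mock card so it runs without a reader. The AID, the file-control information and the mock card's behaviour are made-up sample data; with a real reader the `MockCard.transmit` call would be replaced by the PC/SC transmit call of your platform's library.

```python
"""ISO/IEC 7816-4 short APDU encoding/decoding with a constructed mock card.

Added example; not code from the original page. Only short-length APDUs
(Lc/Le <= 255, Le=0 meaning 256) are handled; extended length is out of scope.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# ISO/IEC 7816-4 status words a PC/SC client commonly has to interpret.
STATUS_WORDS = {
    0x9000: "OK",
    0x6A82: "file or application not found",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked",
    0x6A86: "incorrect P1/P2",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
}


@dataclass(frozen=True)
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""            # non-empty -> case 3 or 4 (Lc + data present)
    le: Optional[int] = None     # not None -> case 2 or 4 (Le present)

    def encode(self) -> bytes:
        for name, v in (("CLA", self.cla), ("INS", self.ins), ("P1", self.p1), ("P2", self.p2)):
            if not 0 <= v <= 0xFF:
                raise ValueError(f"{name} out of range")
        if len(self.data) > 255:
            raise ValueError("short APDU carries at most 255 data bytes")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data          # Lc + data
        if self.le is not None:
            if not 0 <= self.le <= 256:
                raise ValueError("Le out of range for short APDU")
            out += bytes([self.le % 256])                        # Le, 0x00 encodes 256
        return out


@dataclass(frozen=True)
class ResponseAPDU:
    data: bytes
    sw1: int
    sw2: int

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2

    def ok(self) -> bool:
        return self.sw == 0x9000

    def describe(self) -> str:
        # Warning-class status words carry a parameter in SW2 and must be
        # handled before any data in the response is trusted.
        if self.sw1 == 0x61:
            return f"{self.sw2} more bytes available via GET RESPONSE"
        if self.sw1 == 0x6C:
            return f"wrong Le, re-issue with Le={self.sw2}"
        if self.sw1 == 0x63 and self.sw2 & 0xF0 == 0xC0:
            return f"verification failed, {self.sw2 & 0x0F} tries left"
        return STATUS_WORDS.get(self.sw, f"unknown status {self.sw:04X}")


def parse_response(raw: bytes) -> ResponseAPDU:
    if len(raw) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    return ResponseAPDU(raw[:-2], raw[-2], raw[-1])


def select_by_aid(aid: bytes) -> CommandAPDU:
    # SELECT (INS A4), P1=04 select by DF name, P2=00 first/only occurrence, Le=0 (256)
    return CommandAPDU(0x00, 0xA4, 0x04, 0x00, aid, le=0)


class MockCard:
    """Constructed stand-in for reader + card so the exchange runs offline."""

    def __init__(self, applications: Dict[bytes, bytes]):
        self.apps = applications      # AID -> file control information (FCI)

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2 = apdu[:4]
        if cla != 0x00:
            return b"\x6E\x00"
        if ins != 0xA4:
            return b"\x6D\x00"
        if (p1, p2) != (0x04, 0x00):
            return b"\x6A\x86"
        lc = apdu[4]
        fci = self.apps.get(apdu[5:5 + lc])
        return b"\x6A\x82" if fci is None else fci + b"\x90\x00"


# Constructed sample: one application under a made-up AID; FCI = 6F { 84 <AID> }.
SAMPLE_AID = bytes.fromhex("A000000001020304")
SAMPLE_FCI = bytes.fromhex("6F0A8408A000000001020304")


def run_select(card: MockCard, aid: bytes) -> ResponseAPDU:
    return parse_response(card.transmit(select_by_aid(aid).encode()))


if __name__ == "__main__":
    card = MockCard({SAMPLE_AID: SAMPLE_FCI})
    for aid in (SAMPLE_AID, bytes.fromhex("A0000000FF")):
        resp = run_select(card, aid)
        print(aid.hex(), f"{resp.sw:04X}", resp.describe(), resp.data.hex())
```

The point a practitioner should take from the `describe` method is that a response is only usable after SW1 SW2 has been checked: a 61xx status means the data must be fetched with GET RESPONSE, a 6Cxx status means the command must be re-sent with the Le the card reports, and a 63Cx status reveals the remaining PIN retry counter, which is the value an attacker probing a card watches.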
The OpenCard Framework is a set of guidelines announced by IBM, Netscape, NCI, and Sun Microsystems for integrating smart cards with network computers. The guidelines are based on open standards and provide an architecture and a set of application program interfaces (APIs) that enable application developers and service providers to build and deploy smart card solutions on any OpenCard-compliant network computer. Through the use of a smart card, an OpenCard-compliant system will enable access to personalized data and services from any network computer and dynamically download from the Internet all device drivers that are necessary to communicate with the smart card. By providing a high-level interface which can support multiple smart card types, the OpenCard Framework is intended to enable vendor-independent card interoperability. The system incorporates Public Key Cryptography Standard (PKCS) – 11 and is expandable to include other public key mechanisms.
The American Public Transportation Association (APTA) is a nonprofit international association of 1,500 public and private sector organizations that establishes standards for the U.S. transit industry. Additional information is available at http://www.aptastandards.com.
Java Card provides a smart card operating system for running multiple applications. The applicable specification is the Java Card 3.0.1 Platform Specification.
MULTOS is a high security, multi-application smart card operating system. It is governed by an open consortium of industry-wide companies, the MULTOS Consortium, who manage and license the MULTOS specifications, which cover all stages of the smart device lifecycle.
The MULTOS Consortium is a group of cross-industry global organizations with the objective of promoting the MULTOS high security multi-application platform as a standard for smart cards across all market segments. The consortium governs the development of the technology in line with customer needs, sets policies for the open licensing of the MULTOS specifications, and ensures the interoperability and interchangeability of platforms from many vendors through the stringent Type Approval and Security Evaluation policies of the MULTOS platform. As of 2014, over 500 million MULTOS cards have been deployed worldwide in sectors including payments, ID and transit.
Many new secure ID system implementations are using both biometrics and smart cards to improve the security and privacy of the ID system.