Smart Card Standards

Smart cards have the further advantage over magnetic stripe cards of being reloadable, and allowing advanced features like phone banking, automatic memory dialing and on-line services. Smart cards are used as identification device for GSM digital mobile phonesPrimarily, smart card standards govern physical properties, communication characteristics, and application identifiers of the embedded chip and data. Almost all standards refer to the ISO 7816-1,2 & 3 as a base reference.

International Organization for Standardization (ISO)

The ISO facilitates the creation of voluntary standards through a process that is open to all parties. ISO 7816 is the international standard for integrated-circuit cards (commonly known as smart cards) that use electrical contacts on the card, as well as cards that communicate with readers and terminals without contacts, as with radio frequency (RF/Contactless) technology. Anyone interested in obtaining a technical understanding of smart cards needs to become familiar with what ISO 7816 and 14443 does NOT cover as well as what it does. Copies of these standards can be purchased through the American National Standards Institute (ANSI). Copies of ISO standards are for sale on the ISO website.

Application-specific properties are being debated with many large organizations and groups proposing their standards. Open system card interoperability should apply at several levels:

1). To the card itself,

2). The card's access terminals (readers),

3). The networks and

4). The card issuers' own systems. Open system card interoperability will only be achieved by conformance to international standards.

This site's sponsors are committed to compliance with ISO and ITSEC security standards as well as industry initiatives such as EMV, MULTOS, the Open Card Framework and PC/SC specifications.

This site's sponsors are committed to compliance with ISO and ITSEC security standards as well as industry initiatives such as EMV, the Global Platform and PC/SC specifications.

These organizations are active in smart card standardization: The following standards and the organizations that maintain them are the most prevalent in the smart card industry:

ISO/IEC is one of the worldwide standard-setting bodies for technology, including plastic cards. The primary standards for smart cards are ISO/IEC 7816, ISO/IEC 14443, ISO/IEC 15693 and ISO/IEC 7501.

ISO/IEC 7816

ISO/IEC 7816 is a multi-part international standard broken into fourteen parts. ISO/IEC 7816 Parts 1, 2 and 3 deal only with contact smart cards and define the various aspects of the card and its interfaces, including the card’s physical dimensions, the electrical interface and the communications protocols. ISO/IEC 7816 Parts 4, 5, 6, 8, 9, 11, 13 and 15 are relevant to all types of smart cards (contact as well as contactless). They define the card logical structure (files and data elements), various commands used by the application programming interface for basic use, application management, biometric verification, cryptographic services and application naming. ISO/IEC 7816 Part 10 is used by memory cards for applications such as pre-paid telephone cards or vending machines. ISO/IEC 7816 Part 7 defines a secure relational database approach for smart cards based on the SQL interfaces (SCQL).

ISO/IEC 14443

ISO/IEC 14443 is an international standard that defines the interfaces to a "close proximity" contactless smart card, including the radio frequency (RF) interface, the electrical interface, and the communications and anti-collision protocols. ISO/IEC 14443 compliant cards operate at 13.56 MHz and have an operational range of up to 10 centimeters (3.94 inches). ISO/IEC 14443 is the primary contactless smart card standard being used for transit, financial, and access control applications. It is also used in electronic passports and in the FIPS 201 PIV card.

ISO/IEC 15693

ISO/IEC 15693 describes standards for "vicinity" cards. Specifically, it establishes standards for the physical characteristics, radio frequency power and signal interface, and anti-collision and transmission protocol for vicinity cards that operate to a maximum of 1 meter (approximately 3.3 feet).

ISO/IEC 7501 describes standards for machine-readable travel documents and has made a clear recommendation on smart card topology.

International Civil Aviation Organization (ICAO)

ICAO issues guidance on the standardization and specifications for Machine Readable Travel Documents (MRTD) such as passports, visas, and travel documents. ICAO has published the specification for electronic passports using a contactless smart chip to securely store traveler data.

Federal Information Processing Standards (FIPS)

FIPS, developed by the Computer Security Division within the National Institute of Standards and Technology (NIST). FIPS standards are designed to protect federal assets, including computer and telecommunications systems. The following FIPS standards apply to smart card technology and pertain to digital signature standards, advanced encryption standards, and security requirements for cryptographic modules.

FIPS 140 (1-3)

The security requirements contained in FIPS 140 (1-3) pertain to areas related to the secure design and implementation of a cryptographic module, specifically: cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.

FIPS 201

This specification covers all aspects of multifunction cards used in identity management systems throughout the U.S. government.

Europay, MasterCard, and Visa (EMV)

Europay, MasterCard, and Visa formed EMV Company, LLC and created the "Integrated Circuit Card Specifications for Payment Systems". These specifications are related to ISO7816 and create a common technical basis for card and system implementation of a stored value system. Integrated Circuit Card Specifications for Payment Systems can be obtained from a Visa, MasterCard or Europay member bank.

PC/SC

A globally implemented standard for cards and readers, called the PC/SC specification. This standard only applies to CPU contact cards. Version 2.0 also dictates PIN pad to card communications. Apple, Oracle-Sun, Linux and Microsoft all support this standard.

Microsoft has built PC/SC into their smart card services as a framework that supports many security mechanisms for cards and systems. PC/SC is now a fairly common middleware interface for PC logon applications. The standard is a highly abstracted set of middleware components that allow for the most common reader card interactions.

Comité Européen de Normalisation (CEN) and European Telecommunications Standards Institute (ETSI)

CEN and ETSI focus on telecommunications, as with the GSM SIM for cellular telephones. GSM 11.11 and ETSI300045. CEN can be contacted at Rue de Stassart, 36 B-1050 Brussels, Belgium, attention to the Central Secretariat.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA adopts national standards for implementing a secure electronic health transaction system in the U.S. Example transactions affected by this include claims, enrollment, eligibility, payment and coordination of benefits. Smart cards are governed by the requirements of HIPAA pertaining to data security and patient privacy.

IC Communications Standards

The IC Communications Standards existed for non-volatile memories before the chips were adopted for smart card use. This specifically applies to the I2C and SPI EEPROM interfaces.

Global System for Mobile Communication (GSM)

The GSM standard is dominant in the cell phone industry and uses smart cards called Subscriber Identification Modules (SIMs) that are configured with information essential to authenticating a GSM-compliant mobile phone, thus allowing a phone to receive service whenever the phone is within coverage of a suitable network. This standard is managed by the European Telecommunication Standards Institute. The two most common standards for cards are 11.11 and 11.14.

OpenCardT Framework

The OpenCardT framework is an obsolete standard. The following data is for informative purposes only.

The OpenCard framework was a set of guidelines announced by IBM, Netscape, NCI, and Sun Microsystems for integrating smart cards with network computers. The guidelines were based on open standards and provided an architecture and a set of application program interfaces (APIs) that enable application developers and service providers to build and deploy smart card solutions on any OpenCard-compliant network computer. Through the use of a smart card, an OpenCard-compliant system should have enabled access to personalized data and services from any network computer and dynamically download from the Internet all device drivers that are necessary to communicate with the smart card. By providing a high-level interface which can support multiple smart card types, the OpenCard Framework was intended to enable vendor-independent card interoperability. The system incorporated Public Key Cryptography Standard (PKCS) - 11 and was supposed to be expandable to include other public key mechanisms.

GlobalPlatform (GP)

GlobalPlatform is an international, non-profit association. Its mission is to establish, maintain and drive adoption of standards to enable an open and interoperable infrastructure for smart cards, devices and systems that simplifies and accelerates development, deployment and management of applications across industries. The GP standard has been adopted by virtually all the banks worldwide for JavaCard®-based loading of cryptographic data. The standard establishes mechanisms and policies that enable secure channel communications with a credential.

Common Criteria (CC)

Common Criteria is an internationally approved security evaluation framework providing a clear and reliable evaluation of the security capabilities of IT products, including secure ICs, smart card operating systems, and application software. CC provides an independent assessment of a product's ability to meet security standards. Security-conscious customers, such as national governments, are increasingly requiring CC certification in making purchasing decisions. Since the requirements for certification are clearly established, vendors can target very specific security needs while providing broad product offerings.

Smart Card Links

ACT Canada – Advanced Card Technology Association of Canada.
EuroSmart – European Smart Card Association. Great resource.
JavaCard Forum – Promotes Java for multiple-application smart cards. 
MULTOS – First open, Multiple-application OS for highest security. 
MUSCLE – Smart cards in a Linux environment. PCSC lite.
HID Global– OMNIKEY Smart card reader and chipset manufacturer, maker of HID Prox and iCLASS cards 
PACSprobe – Software to read PACS data (card number, facility code ..)
PCSC Workgroup – Standard for integrating smart cards and smart card readers.
Smart Card Alliance – Promotes smart card technology.

Biometric Standards

Many new secure ID system implementations are using both biometrics and smart cards to improve the security and privacy of an ID system.

ANSI-INCITS 358-2002

ANSI-INCITS 358-2002, BioAPI Specification - (ISO/IEC 19784-1). BioAPI is intended to provide a high-level generic biometric authentication model-one suited for any form of biometric technology. It covers the basic functions of enrollment, verification, and identification, and includes a database interface to allow a biometric service provider (BSP) to manage the technology device and identification population for optimum performance. It also provides primitives that allow the application to separately manage the capture of samples on a client workstation, and the enrollment, verification, and identification functions on a server. The BioAPI framework has been ported to Win32, Linux, UNIX, and WinCE. Note that BioAPI is not optimum for a microcontroller environment such as might be embedded within a door access control reader unit or within a smart card processor. BioAPI is more suitable when there is a general-purpose computer available.

ANSI-INCITS 398

ANSI-INCITS 398, Common Biometric Exchange Formats Framework (CBEFF) - (ISO/IEC 19785-1). The Common Biometric Exchange Formats Framework (CBEFF) describes a set of data elements necessary to support biometric technologies and exchange data in a common way. These data can be placed in a single file used to exchange biometric information between different system components or between systems. The result promotes interoperability of biometric-based application programs and systems developed by different vendors by allowing biometric data interchange. This specification is a revised (and augmented) version of the original CBEFF, the Common Biometric Exchange File Format, originally published as NISTIR 6529.

ANSI-INCITS

ANSI-INCITS Biometric Data Format Interchange Standards. ANSI-INCITS has created a series of standards specifying the interchange format for the exchange of biometric data. These standards specify a data record interchange format for storing, recording, and transmitting the information from a biometric sample within a CBEFF data structure. The ANSI-INCITS published data interchange standards are shown below. There are ISO equivalents to each standard listed here.

ANSI-INCITS 377-2004

Finger Pattern Based Interchange Format

ANSI-INCITS 378-2004

Finger Minutiae Format for Data Interchange

ANSI-INCITS 379-2004

Iris Interchange Format

ANSI-INCITS 381-2004

Finger Image Based Interchange Format

ANSI-INCITS 385-2004

Face Recognition Format for Data Interchange

ANSI-INCITS 395-2005

Signature/Sign Image Based Interchange Format

ANSI-INCITS 396-2004

Hand Geometry Interchange Format

ISO/IEC 19794

ISO/IEC 19794 series on biometric data interchange formats. Part 1 is the framework, Part 2 defines the finger minutiae data, Part 3 defines the finger pattern spectral data, Part 4 defines the finger image data, Part 5 defines the face image data, Part 6 defines the iris image data, and still in development, Part 7 will define the signature/sign time series data, Part 8 will define the finger pattern skeletal data and Part 8 will define the vascular image data.