
Smart Cards and the

Retail Payments Infrastructure:

Status, Drivers, and Directions

A Smart Card Alliance White Paper

October 2002

Smart Card Alliance 191 Clarksville Road Princeton Junction, NJ 08550 www.smartcardalliance.org Telephone: 1-800-556-6828


Smart Card Alliance © 2002


Executive Summary

Smart Cards Are Finding Wider Acceptance Among Consumers and Issuers

Despite belief to the contrary, smart cards are more and more widely used in the United States. Since the launch of the American Express Blue card and smart Visa card, millions of smart cards have been issued to consumers, with over 21 million cards predicted to be in circulation by the first quarter of 2003.

The pace at which smart card-ready POS devices are being installed is somewhat slower. However, several large retailers have invested in smart card-ready POS hardware. In addition, retailers whose hardware is aging may soon be replacing it with smart card compatible devices.

The issuing and acquiring processing infrastructure is also making progress to support smart cards. The two leading issuing processors have announced smart card support and several acquiring processors have announced that they can support smart card payment transactions. All stakeholders in the financial payments industry are positioning for expanding consumer smart card use.

Implications of Supporting Smart Card Payment Applications

Smart cards can be used to pay for purchases made at physical and Internet retailers. Both payment applications rely on the presence of certain components: smart cards; smart card applications; a smart card reader either at the physical retailer or at a user’s computer; retailer software and host systems supporting smart card applications; acquiring and processing systems capable of supporting smart card transactions; and smart card issuing, life-cycle management and fulfillment systems. Implementing smart card payment applications will require changes on the part of all participants in the transaction: the consumer, the retailer, the card issuer and the acquiring and issuing processors.

Deploying smart cards for payment applications also conveys advantages to each participant. Consumers can use one card for multiple applications. Retailers can leverage additional applications to increase sales and strengthen their customer bases. Issuers can use the availability of smart cards to open up new markets.

Challenges for Smart Cards and Retail Payments

Migration of the U.S. payment infrastructure to the use of smart cards is neither simple nor inexpensive, requiring investment in new technology and development of new processes. Smart card support in the United States is currently impeded by the lack of a compelling business case for implementing smart cards only for payment, when compared to the payments infrastructure already in place. Further growth will be driven by business cases for new smart card markets and applications that provide merchant- and consumer-specific benefits. The combination of the technology benefits and the new markets, applications and partnerships that smart cards can support is expected to further drive the U.S. market for smart card use at the retail point of sale. Both analysts and industry participants are expecting continued solid progress for smart card deployment in the United States.


About This White Paper

This white paper was developed by the Smart Card Alliance to describe the current state of the smart card payments infrastructure in the United States. This paper provides answers to commonly asked questions about the use of smart cards for payment applications, such as:
• What is the current status of the efforts to deploy smart cards for retail payments?
• What are the critical components of the smart card payments infrastructure in the United States?
• How do smart cards work when they are used for payment at a physical or Internet retailer?
• What authentication support is available for Internet smart card use?
• What issues do retailers consider key to decisions about new technology investments?
• What key markets and applications are expected to drive smart card usage and acceptance in the U.S. in the near future?
• What are the critical barriers to smart card acceptance by merchants and what are industry participants doing to remove these barriers?


Current State of the U.S. Smart Card Payments Infrastructure

Smart card technology has realized widespread growth worldwide over the last few years. The proliferation of the technology in North America has been anticipated since the mid-1990s. However, U.S. smart card growth for payments has not emerged, due to the lack of a definitive business case for all industry participants.

In fact, the three major card associations (American Express, MasterCard and Visa) have established smart card programs with significant issuer participation and over 17 million smart cards in circulation as of the end of 2001.¹ The next step is for smart cards to achieve wider acceptance across the merchant population, allowing consumers to realize the benefits of the technology.

This section outlines the current readiness of the payments infrastructure within North America to accept smart cards, including active card programs, POS (point of sale) deployment, processor readiness and issuer/acquirer readiness.

Smart Card Issuance

The launch of the American Express Blue card in 1999 provided the push that the smart card industry needed. American Express was successful in acquiring new customers based on the look-and-feel that smart cards provided. However, consumers had few places to use the smart card (except as a traditional credit card), and minimal application functionality was included on the cards to exploit the chip. Despite this, the American Express Blue card has been very successful and American Express has initiated the development and implementation of value-added services, which is expected to further increase Blue card acceptance and acquisition.

In 2000, Visa U.S.A. launched smart Visa, a comprehensive brand and technology initiative for multi-application smart cards. Addressing long-standing market barriers, cost, time-to-market and implementation complexities, smart Visa incorporates EMV (Europay MasterCard Visa) payment and applications that facilitate Internet access, secure Internet purchases and rewards services. With major issuers such as First USA, Fleet, Providian and Target now participating, smart Visa has helped to create credibility for smart card technology in North America. The smart Visa launch essentially created de facto standards for the U.S. smart card payment industry by requiring that smart Visa issuers use GlobalPlatform technology. This has become a key benefit for issuers, allowing them to expand card services by issuing new applications over the life of the card. In December 2001, Visa released smart Visa Framework to help to accelerate application development among third-party companies. By leveraging the Framework’s common command API and security functionality, developers can quickly establish data storage files on the card and assign access conditions to those files to ensure the data is read and write protected. Visa also announced the smart Rewards Platform in April 2002, with Target as a participating issuer and retailer. A shared-system initiative designed to reduce technical and time-to-market burdens faced by card issuers and merchants, the smart Rewards platform is the engine that manages the interaction between rewards applications (such as electronic coupon and punch card rewards) on smart cards and software and administration rules on POS terminals. It accommodates both Internet and physical POS rewards programs, and allows cardholders to move seamlessly between the two delivery channels. In support of this rewards effort, Visa, Catuity and Welcome Real-time have agreed to collaboratively develop interoperable solutions for smart card-based rewards or incentive services in the United States.

1 Card Marketing, “Chips May Proliferate But Few Will Say When,” March 2002

In 2002, MasterCard launched its own smart card initiative, called “OneSMART.” OneSMART is a smart card delivery program for MasterCard issuers offering consumer research and end-to-end implementation and marketing support. This program provides MasterCard issuers with the ability to offer both basic services and a broad menu of smart card applications, such as chip-based credit and debit, Internet payment, security, loyalty, e-ticketing, e-couponing and stored value. MasterCard has spent most of 2002 establishing partnerships with key issuers, such as Citibank (which launched two smart cards in late 2001) and smart card industry leaders, such as First Data, Welcome Real-time and other service providers, to solidify the required services and infrastructure. MasterCard is leveraging the MULTOS technology to provide its own flavor of a multi-application open environment. MasterCard also announced the publication of the MasterCard Open Data Storage™ (MODS) specification, an application programming interface (API) for storing and retrieving data on a smart card. This specification provides member financial institutions with the ability to offer cardholders more control over personal information and greater privacy.

Smart card issuers are finding that smart cards are attractive to consumers, resulting in more successful new account acquisition, higher customer retention and increased usage. Tower Group has reported that responses to chip card direct mail offers were three times higher than the responses to non-chip card direct mail offers and that activation rates are higher.² American Express has also reported that 67% of their cardholders said that they would charge less to their Blue card if there were no chip.³

Merchant Readiness

Over 21 million smart cards are expected to be deployed by the first quarter of 2003.⁴ However, consumers still have little opportunity to use the technology, due to the lack of smart card acceptance devices at retail and merchant locations. Target, the first major retailer to implement smart card acceptance devices in their stores, has the unique position of being the issuer and retailer. With a reported 7 million cards issued in mid-2002, Target is upgrading 37,000 POS terminals in 1,000 stores to use the smart card chip and plans to offer electronic couponing as its first chip-linked application.⁵ Target terminals are EMV compliant and thus capable of engaging in EMV transactions based upon payment software installed in the device.

2 American Banker, “TowerGroup Offers Rosy Forecast for Chips in U.S.,” Jan. 29, 2002
3 American Banker, “TowerGroup Offers Rosy Forecast for Chips in U.S.,” Jan. 29, 2002
4 Tower Group. “The Prospect for Financial Services Chip Cards in the U.S.,” presentation by Theodore Iacobuzio, Smart Card Alliance Conference, October 7, 2002.
5 CardLine, “Smart Card Lifts Target Card Program,” August, 16, 2002

Smart card-ready POS devices are making their way into additional retail and merchant locations. In 2001, approximately 25% of the over 1.3 million POS devices shipped by the three largest terminal providers in the United States were smart card ready. With the aging of the POS installed base, it is expected that merchants will increasingly upgrade their existing terminals with smart card-ready devices.

Additional retailers have also made recent investments in smart card-ready POS terminals, including:
• CVS, the leading pharmacy and health service retailer, will install smart card readers in 450 of its stores to provide support for credit, debit, electronic benefits transfer (EBT), gift card transactions, and electronic signatures.⁶
• Virgin Megastore, the entertainment retail chain, has installed 320 payment devices with smart card reader attachments at all U.S. Virgin Megastore locations.
• Rite-Aid, one of the nation’s leading drugstore chains, has installed smart card-capable terminals in 4,000 stores to handle the store’s closed system, chip-based gift (stored value) card.⁷
• ShopRite, the largest retailer-owned supermarket cooperative in the United States, is setting up smart card-ready POS terminals at 200 stores to implement a loyalty program.⁸

Some of the deployments described above may not currently support smart card payment. Retailers who are implementing smart card-ready terminals should ensure that terminals are EMV Level 1 approved and capable of EMV Level 2 software updates. EMV approved terminals are currently available from all of the major terminal providers.

6 Chain Store Age, “Contests Brighten the POS,” Feb. 1, 2002
7 Electronic Transactions Association, “An Industry Primer on Smart Cards,” Nov. 2001
8 RIS News, “Smarter Swipers Arrive,” Sept. 2001

Figure 1: Smart Card-Ready POS Terminals Shipped in U.S. in 2001 (VeriFone: 57,200; Ingenico: 52,200; Hypercom: 209,600). Source: Card Technology, July 2002


Processing Infrastructure

A key portion of the infrastructure required by smart card technology is the infrastructure required to issue cards and manage the card lifecycle. The two leading U.S. issuing service providers, First Data and TSYS (Total Systems), have announced smart card support. First Data has implemented a smart card management system within their personalization infrastructure that provides a seamless smart card issuance process. First Data can perform traditional bank card personalization (such as embossing and encoding) and load, maintain and update smart card applications throughout a card’s life cycle. First Data’s vision is that eventually applications will be loaded dynamically to issued smart cards through POS devices or ATMs. However, in the near term, applications are expected to be loaded or updated from the Internet. TSYS is also providing their customers with a similar capability. Both TSYS and First Data are creating the infrastructure to ensure that they are able to support all three major card associations. First Data currently has solutions for GlobalPlatform and MULTOS.

GlobalPlatform represents a set of cross-industry technical specifications that can be used to develop secure and flexible smart card systems. It includes both card and terminal specifications as well as development tools. Together, these components define an easy-to-use smart card platform upon which applications can be added. GlobalPlatform works across different cards and operating systems but standardizes the process for back-end systems such as personalization, key management and application loading. It enables smart card issuers to choose between operating systems and application developers while providing a core security and card management technology. GlobalPlatform specifications are owned and managed by the GlobalPlatform organization.

The processing infrastructure for both issuers and acquirers must also be upgraded to support smart card payment. Both MasterCard and Visa have developed guidelines for upgrades that allow for support of the EMV specifications. First Data, National Processing and Vital Processing have all announced that they can support some level of smart card transaction processing. In fact, Visa U.S.A. reports that acquirers and processors handling approximately 80% of all Visa payment transactions have upgraded their systems to facilitate smart Visa chip transactions between Visa and the processors’ systems. While Visa and MasterCard have mandated EMV support in Europe, Latin America and Asia, no such mandates are planned for North America. Processors determine when to support EMV payment according to their own business priorities.

In summary, the U.S. smart card industry has made significant progress in the past two years, adding issuers, consumer smart card products and smart card-ready POS terminal installations. The migration of the U.S. payments infrastructure to support smart cards is complex and costly, with each participant in the transaction needing to invest in new technology and processes. While the migration is proceeding more slowly in the U.S. than in international markets, the industry expects smart card adoption and acceptance to continue to grow, with implementation driven by business cases for new multi-application smart cards with new services that provide merchant- and consumer-specific benefits.


Physical Retail Payment and Smart Cards

Using smart cards for payment at physical retailers requires changes to processes and infrastructure for all of the transaction participants. This section describes the transaction process for a physical smart card payment transaction and identifies the infrastructure components that are required to support the process.

Physical Retail Payment Smart Card Infrastructure Components

Smart card payment at physical retailers requires the following components:
• Consumer smart cards and smart card applications.
• Retailer POS hardware and software that can accept and process smart cards.
• Acquirer/processor infrastructure to authorize and settle smart card transactions and manage the terminal base, terminal applications and keys.
• Issuer systems that support the transaction process and manage the issued card base.

Smart cards. An estimated 21 million smart cards will be in consumer hands by the first quarter of 2003. The U.S. market is developing based on smart card technology that supports multiple applications and provides both scalability for program expansion and post-issuance capability for future applications.

Smart card applications. Software must reside on the smart card to support the applications of interest to the issuer and physical retailer (such as loyalty, payment, coupons, security). These applications are either loaded when the card is issued or added to the card later (through the smart card terminal, ATM or the Internet).

EMV smart card POS terminals. Retailers require POS hardware that can process smart cards. They can use standalone POS terminals that dial out or are networked for transaction authorization, or smart card readers that are integrated with cash registers (for convenience and tighter integration with retailer POS systems).

Terminal applications. Merchants must have the smart card payment applications loaded on the terminal or other integrated POS device (e.g., a cash register), along with any related keys.

POS terminals that currently support magnetic stripe payment cards wait for the card swipe or key entry. To support smart cards, the POS terminals must wait for card swipe, key entry or card insert. The POS system may also need to support transactions that integrate payment and other value-added applications. Consumers should be able to insert a card once and complete both the payment and the value-added transaction.

Retailer host systems. Retailers must upgrade other host systems to support the additional data from a smart card payment transaction and any other applications that are offered (e.g., loyalty or electronic coupons).

Acquiring/processing systems. The acquiring and processing system infrastructure must receive the smart card data collected by each POS terminal when the terminal goes online. The transaction is then routed through the financial networks for authorization (if required) and/or uploaded to the host system for settlement services for the retailer. Responses from the issuer must be passed back to the terminal.

Issuing, life cycle management and fulfillment systems. Smart cards also necessitate changes to the issuer’s infrastructure and processes. Such changes are required to support smart card life cycle management, fulfillment and online authorizations. Personalization and initialization information that needs to be written onto the smart cards includes security keys and certificates, applications (such as payment and loyalty) and cardholder information. All of this information is formatted to allow the card production machines to write the data to the chip. The smart cards can then be issued and sent to the cardholder.

Life cycle management includes managing card issuance, activation and applications, including possible post-issuance support for updating card data and applications during the POS process. Many smart card life cycle management systems are available in the market today that manage smart cards from creation through post-issuance interaction with the card to termination, including lost/stolen card replacement and customer service interfaces. Smart cards also allow card/data reconstruction for lost, stolen, damaged or reissued replacement cards.

Consider the example of a cardholder losing a card at noon on Wednesday, after a smart card loyalty transaction was executed and batched to the loyalty host on Tuesday. If the card life cycle management system has a batch or real-time interface with the loyalty host, the replacement card can include current loyalty data as of Tuesday’s transactions.

Retailers and issuers can either outsource life cycle management operations to qualified vendors or perform them in house using off-the-shelf products.

Smart card fulfillment services include manufacturing, embossing and issuing plastic cards, activating cards, managing ongoing correspondence with cardholders, reporting to card issuers, providing transaction authorizations, providing fraud and risk management, personalizing cards, and producing and mailing statements.

Terminal, application and key life cycle management systems. As smart card adoption and usage increases, multi-application cards will become more common and merchants will want to implement new applications without purchasing a new terminal. More flexible terminals also offer acquirers the ability to provide new merchant products and services that can be easily and affordably downloaded and implemented. This will require the implementation of new terminal, application and key life cycle management systems. A terminal management system must know and track terminal types, locations, capabilities, platforms, applications and keys used for implementing security functions. Terminal applications must be tracked to ensure terminal compatibility, to allow them to be more easily upgraded, or to allow keys to be rotated or revoked. The keys contained in the terminals (both public and DES keys) also need to be tracked and managed (e.g., location of keys, key size, key expiration date). Knowing and managing a terminal’s configuration, abilities and limitations are important for acquirer support of multi-application smart card implementations.
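The tracking described above can be sketched as a small inventory audit. This is an added example, not code from the white paper or from any terminal management product; the record fields, the policy values and the sample terminals are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    algorithm: str          # "DES" or "RSA": the two key kinds the paper names
    bits: int
    expires: date
    revoked: bool = False

@dataclass(frozen=True)
class Terminal:
    terminal_id: str
    terminal_type: str
    location: str
    platform: str
    capabilities: frozenset
    applications: tuple     # names of installed applications
    keys: tuple             # KeyRecord entries held by this terminal

@dataclass(frozen=True)
class AppRelease:
    name: str
    platforms: frozenset
    needs_capabilities: frozenset
    needs_key_algorithm: str

def _meets_policy(key, min_bits):
    # An algorithm with no policy entry never passes (fail closed).
    return key.bits >= min_bits.get(key.algorithm, float("inf"))

def key_findings(term, min_bits, today, warn_days=90):
    """Return (terminal_id, key_id, issue) for keys that need rotation or removal."""
    findings = []
    for key in term.keys:
        if key.revoked:
            findings.append((term.terminal_id, key.key_id, "revoked key still present"))
            continue
        if not _meets_policy(key, min_bits):
            findings.append((term.terminal_id, key.key_id, "key size below policy"))
        if key.expires < today:
            findings.append((term.terminal_id, key.key_id, "expired"))
        elif key.expires <= today + timedelta(days=warn_days):
            findings.append((term.terminal_id, key.key_id, "expires within warning window"))
    return findings

def deployment_blockers(term, app, min_bits, today):
    """Return the reasons a new application cannot be downloaded to this terminal."""
    blockers = []
    if term.platform not in app.platforms:
        blockers.append("platform not supported")
    missing = app.needs_capabilities - term.capabilities
    if missing:
        blockers.append("missing capabilities: " + ", ".join(sorted(missing)))
    usable = any(
        k.algorithm == app.needs_key_algorithm and not k.revoked
        and k.expires >= today and _meets_policy(k, min_bits)
        for k in term.keys
    )
    if not usable:
        blockers.append("no valid %s key" % app.needs_key_algorithm)
    return blockers

# Constructed sample data (not from the paper).
TODAY = date(2002, 10, 1)
POLICY = {"DES": 112, "RSA": 2048}   # assumed minimum key sizes in bits
T1 = Terminal("T-001", "countertop", "Store 12", "vendorA-os3",
              frozenset({"chip", "magstripe"}), ("payment",),
              (KeyRecord("K1", "DES", 112, date(2003, 6, 30)),
               KeyRecord("K2", "RSA", 1024, date(2004, 1, 1))))
T2 = Terminal("T-002", "countertop", "Store 40", "vendorB-os1",
              frozenset({"magstripe"}), ("payment",),
              (KeyRecord("K3", "DES", 56, date(2002, 9, 1)),
               KeyRecord("K4", "DES", 112, date(2002, 11, 15)),
               KeyRecord("K5", "RSA", 2048, date(2005, 1, 1), revoked=True)))
LOYALTY = AppRelease("loyalty", frozenset({"vendorA-os3"}),
                     frozenset({"chip"}), "RSA")

if __name__ == "__main__":
    for term in (T1, T2):
        for finding in key_findings(term, POLICY, TODAY):
            print(finding)
        print(term.terminal_id, deployment_blockers(term, LOYALTY, POLICY, TODAY))
```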


Figure 2 summarizes the changes to the infrastructure that are required to support smart cards for physical retail payment.

Figure 2: Physical Payment Infrastructure Changes to Support Smart Card Payment

Consumer
• Smart card usage for payment

Physical Retailer
• EMV-approved POS terminals that accept smart cards
• POS terminal-resident software that handles payment and other smart card applications
• Host system upgrades to integrate new data for payment and other applications and to communicate with the acquirer/processor
• Routing of transaction data to payment processor and/or other service providers
• Host Security Modules (HSMs) to perform related cryptographic operations
• Integration with other retailer software systems

Acquiring Processor
• Infrastructure and processing services for smart card payment transactions
• Terminal, applications and key management merchant support
• Host system upgrades

Issuer
• Infrastructure to issue and manage smart cards
• Infrastructure and processing services for smart card application transactions (e.g., payment, loyalty, authentication)
• Card, application and key life cycle management systems
• Secure web site support for application or coupon downloads

Other Service Providers
• Infrastructure and processing services for related smart card application transactions (e.g., loyalty, authentication)
• Personalization bureaus

Using Smart Cards at Physical Retailers

To illustrate how the smart card infrastructure works, consider the following smart card payment transaction process. Other sequences of events can also be used to complete a transaction.

1. After the items purchased by the consumer have been scanned or while scanning is in process, the POS terminal prompts the consumer to insert the smart card.

2. The terminal asks the cardholder to select the account they want to use for payment, “Debit or Credit.” To simplify the payment process, PINs are not required for smart card payment in the U.S.

3. The payment application on the EMV terminal reads the relevant information from the smart card and, based on rules present in both the card and terminal, begins a series of risk checks to see if a transaction can be approved offline or online. If the risk exposure of the transaction is extremely low and all risk checks have been performed and passed, the transaction can be approved offline. If the transaction has more risk exposure than an issuer or acquirer is willing to accept or if an offline risk check fails, the transaction is sent online for authorization. Offline risk checks include transaction type, offline card and cardholder authentication, previous transaction results, random selection and pre-established rules in the card and terminal. Currently, all U.S. smart card issuers are requiring that their transactions be authorized online.

4. The POS informs the consumer that the transaction was accepted or declined and completes the transaction. If the POS is set up to do so, it may also print a receipt.
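The offline/online decision in step 3 and the outcome in step 4 can be modelled as follows. This is an added, simplified example, not code from the white paper or from the EMV specifications; the field names, rule values and the `authorize_online` callback are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

# Unpredictable source for random selection, so online checks cannot be anticipated.
_sysrand = secrets.SystemRandom()

@dataclass(frozen=True)
class Transaction:
    kind: str                    # e.g. "purchase" (constructed label)
    amount_cents: int
    offline_card_auth_ok: bool   # result of offline card authentication
    cardholder_auth_ok: bool     # result of offline cardholder authentication

@dataclass(frozen=True)
class CardHistory:
    issuer_requires_online: bool   # the policy the paper reports for U.S. issuers
    consecutive_offline: int
    last_transaction_failed: bool

@dataclass(frozen=True)
class TerminalRules:
    offline_kinds: frozenset       # transaction types eligible for offline approval
    offline_limit_cents: int       # assumed pre-established amount rule
    max_consecutive_offline: int
    random_online_rate: float      # share of transactions forced online

def risk_decision(tx, card, rules, rng=_sysrand.random):
    """Run the offline risk checks; any failed check sends the transaction online."""
    reasons = []
    if card.issuer_requires_online:
        reasons.append("issuer requires online authorization")
    if tx.kind not in rules.offline_kinds:
        reasons.append("transaction type not eligible offline")
    if not tx.offline_card_auth_ok:
        reasons.append("offline card authentication failed")
    if not tx.cardholder_auth_ok:
        reasons.append("offline cardholder authentication failed")
    if card.last_transaction_failed or card.consecutive_offline >= rules.max_consecutive_offline:
        reasons.append("previous transaction results")
    if tx.amount_cents > rules.offline_limit_cents:
        reasons.append("amount above offline limit")
    if rng() < rules.random_online_rate:
        reasons.append("random selection")
    return ("GO_ONLINE", reasons) if reasons else ("APPROVE_OFFLINE", reasons)

def complete(tx, card, rules, authorize_online, rng=_sysrand.random):
    """Step 4: report ACCEPTED or DECLINED; an unreachable host declines (fail closed)."""
    decision, _ = risk_decision(tx, card, rules, rng)
    if decision == "APPROVE_OFFLINE":
        return "ACCEPTED"
    try:
        return "ACCEPTED" if authorize_online(tx) else "DECLINED"
    except (ConnectionError, TimeoutError):
        return "DECLINED"

# Constructed sample values (not from the paper).
RULES = TerminalRules(frozenset({"purchase"}), 2500, 3, 0.10)
LOW_RISK = Transaction("purchase", 1200, True, True)
OFFLINE_CAPABLE_CARD = CardHistory(False, 1, False)
US_CARD = CardHistory(True, 0, False)

if __name__ == "__main__":
    print(risk_decision(LOW_RISK, OFFLINE_CAPABLE_CARD, RULES))
    print(risk_decision(LOW_RISK, US_CARD, RULES))
    print(complete(LOW_RISK, US_CARD, RULES, authorize_online=lambda tx: True))
```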

Recently, contactless transactions have also been attracting interest as a way to reduce the consumer payment process time at the retailer. When a contactless smart card is presented to the reader, the data transmitted between the card and the reader is encrypted and the transaction process flows as described above.

Figure 3 illustrates the participants and flow of data in the smart card transaction process.

Significant retailer investment is required to accept smart cards. Retailers continue to upgrade their POS systems and a significant fraction of terminals are currently shipped smart card ready. POS software may be able to be upgraded to add smart card payment and other value-added applications over time. In the future, this will allow merchants to more easily take advantage of new applications that exploit smart card technology without new hardware investment.

Figure 3: Physical Retail Smart Card Transaction Process

Participants shown: Consumer, Merchant, Processor, Merchant Acquiring Bank, Financial Networks, Consumer Issuing Bank.

Flows shown:
• Consumer uses smart card. Terminal, card and cardholder interact to verify the consumer is the proper cardholder and to execute issuer risk management policies to determine if the transaction should be authorized online.
• Transactions for authorization and/or settlement
• Card management functions (e.g. update to data)
• Settlement files
• Funds, transaction reports, chargeback reports
• Smart card, billing statements, dispute resolution


Internet Retail Payment and Smart Cards

This section describes the infrastructure components required for an Internet smart card payment transaction. This section assumes that the Internet retailer has a commerce-enabled web site in place and is adding smart card capability to the Internet site.

Security and cardholder authentication for remote channels are critical issues facing issuers and the Internet community today. Unlike the physical world, there is no signed sales receipt associated with today’s ecommerce transactions. Without such evidence, it is very difficult to dispute the cardholder’s claim of not engaging in a given card transaction. As a result, issuer and retailer expenses associated with chargeback processing for Internet transactions are increasing. In fact, chargebacks due to “cardholder non-authorization” represent as much as 84% of all electronic commerce chargebacks.⁹

At the same time, industry data suggests that consumers are holding back on Internet purchases due to lingering security worries. MasterCard research, for example, shows that 90% of Internet non-buyers worry that their personal and financial information may fall into the hands of hackers and 71% are concerned about credit card fraud.¹⁰ This level of reluctance is a very real barrier to building online business. The implementation of smart cards and strong Internet authentication may help to overcome these issues.

Internet Retail Payment Smart Card Infrastructure Components

The Internet retailer smart card infrastructure includes the following components:
• Consumer smart cards and smart card applications.
• A smart card reader for the consumer’s personal computer (PC).
• PC client software to support smart card applications.
• Internet retailer server support for smart card applications.
• Acquirer/processor infrastructure for authorization and settlement of smart card transactions.
• Issuer systems supporting the authentication and transaction process and managing the issuer card base.

Consumer Infrastructure

Smart cards. Smart cards issued by American Express and Visa and MasterCard issuers currently support Internet authentication and payment, with plans to support additional applications in the future.

Smart card applications. As with physical payment, software must reside on the smart card to support the applications of interest to the issuer and retailer (e.g., authentication, payment, loyalty, coupons).

PC-based smart card readers. Consumers must connect EMV Level 1-approved smart card readers to their PCs. Each smart card issuer offers readers with the smart card. Readers are available that operate with serial, USB and PCMCIA interfaces.

[9] Source: MasterCard International.
[10] Source: MasterCard International.

PC client software. Consumers must install client software to support smart card applications. This software can include:
• Graphical user interfaces for e-wallet functions, data storage or PIN management.
• EMV Level 2 software.
• Loyalty application software.
• Middleware to provide the interface between applications such as loyalty, data storage and the smart card reader.
• Drivers for the smart card reader.
• ActiveX or Netscape plug-ins (or both) to provide the interface between the merchant’s web site and the client software.
• Diagnostic tools.
• Documentation and help files.
• Installation wizards.
• Public key signing.

Figure 4 illustrates the architecture of the software on the consumer’s smart card and PC.

Figure 4: Architecture of Smart Card Support for the Internet Consumer

[Figure not reproduced. It shows three layers. Backend: merchant web site, loyalty server and authentication server, reached over the Internet. PC: web browser (Netscape or Internet Explorer) with NS plug-in and IE ActiveX components; loyalty, security, payment (VSDC, M/Chip), convenience and other applications; Microsoft PC/SC; EMV Level 1 smart card reader. Card: loyalty, security, payment (VSDC, M/Chip), convenience and other applications.]


Merchant and Service Provider Infrastructure

Merchant Web Server. Content and web services must change on the merchant web site to support smart cards. These changes include serving HTML pages with embedded tags used by the client application to process payment and authentication information at the consumer’s PC. The web server may require changes to support authentication and payment. For authentication, this may include:
• Routing the HTTP request sent by the client to the authentication server. The authentication server then validates the authentication request.
• Analyzing the response from the authentication server to determine whether authentication is approved and sending it to the client application.

Once authentication is validated, a session is opened between the client and the merchant site. Session management can be performed by the merchant web server in the same way that it is currently handled for non-smart card solutions.

Merchant web servers may already include the functionality to route transactions to the appropriate financial networks for payment. However, the merchant would have to modify or extend this functionality to support smart cards. The acquirer and issuer payment systems must also be modified to process smart card-based transactions (for example, additional data elements and new transaction processes need to be supported). As a result, the current interface between the acquirer/processor and the merchant web server may have to change.

Authentication Server. The authentication server provides the service that allows access to a secure site. It receives requests from the web server, validates these requests using the Host Security Module (HSM), and returns the validation result to the web server. The main services provided by the authentication server are:
• Authentication of requests.
• Card hot-list verification.
• Legacy system integration.
• Key management.

Currently, an authentication server can be part of the web server or can be a separate entity. An existing authentication server would have to be modified to support smart card-based authentication. It is very important to add this functionality without affecting existing support for magnetic stripe cards.

Loyalty Server. If a merchant wants to participate in a smart card-based loyalty program, the web server also needs to interface with a loyalty server. Loyalty servers accumulate and manage loyalty points on each purchase and provide the ability for the consumer to redeem those points during an Internet purchase. The loyalty server can either be located in-house or outsourced. Many providers offer loyalty solutions that can easily be integrated into a merchant’s payment system.

Server Interfaces. As a result of the changes discussed above, the following interfaces may need to be developed or modified:
• PC/client - Merchant web server.
• Merchant web server - Payment system networks.
• Merchant web server - Authentication server.
• Merchant web server - Loyalty server.
• Authentication server - HSM.
• Authentication server - Legacy systems.


24x7 Helpdesk. The Internet retailer needs to train customer support personnel on the smart card process. Consumer smart card issues are different from magnetic stripe card issues. The merchant also needs to be sensitive to the fact that consumers are now expected to install both the client software and the smart card reader.

Figure 5 illustrates one possible system architecture for supporting the Internet smart card payment process.

Figure 5: Smart Card-Enabled Internet System Architecture

[Figure not reproduced. Components shown: consumer PC, consumer wireless device, Internet, firewall, merchant web server, loyalty server, authentication server, legacy systems, HSM, card data, payment networks.]

Using Smart Cards at Internet Retailers

This section describes the Internet smart card payment transaction process. The section assumes that:
• The end user is already connected to the Internet and the browser is started.
• The smart card reader is connected to the user’s computer.
• The necessary smart card client software is installed on the user’s PC.

Authentication Process

1. The user visits the merchant’s home page, by entering the URL manually, by using the browser’s favorites or history function, or by selecting a URL stored on the smart card or computer.

2. The merchant web server determines that the home page is not protected. The web page is sent to the user.

3. The home page includes a link to a protected page (e.g., the user’s account information or a checkout page). When the user selects the link, the merchant web server starts the card reader software.

4. The card reader software prompts the user to insert the smart card into the PC’s smart card reader and enter a password.

5. The smart card validates the password.

6. A unique transaction certificate is routed to the merchant’s authentication server that authenticates the cardholder/smart card combination. The certificate is created by the card, making it unique for each access attempt. If the authentication server approves the transaction, the merchant can assume that this is indeed the correct cardholder. The twofold guarantee offered by the combination of what the user has (a card) and what the user knows (a password) provides the merchant with robust security.

7. When authentication is received, a session is created. The user then can access protected resources or web pages until the user exits or the session times out.
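A simplified model of steps 4 to 6 above and of the authentication server's request validation and hot-list check, added here as an example and not taken from the white paper or from any card scheme. It assumes an HMAC-SHA-256 token over the card number and a per-card counter in place of a real card-generated certificate, and a software master key in place of the HSM; all names and card numbers are hypothetical or constructed.

```python
import hashlib
import hmac
import struct


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Per-card key from the issuer master key (an HSM operation in practice)."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def token_mac(card_key: bytes, pan: str, counter: int) -> bytes:
    """MAC over card number and counter; the counter makes every token unique."""
    msg = pan.encode() + struct.pack(">I", counter)
    return hmac.new(card_key, msg, hashlib.sha256).digest()


class Card:
    """Hypothetical card: validates the password itself, then issues a token."""
    MAX_TRIES = 3

    def __init__(self, pan: str, card_key: bytes, password: str):
        self.pan = pan
        self._key = card_key
        self._password = password.encode()
        self._tries_left = self.MAX_TRIES
        self._counter = 0

    def sign(self, password: str) -> dict:
        if self._tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(password.encode(), self._password):
            self._tries_left -= 1          # wrong guesses eventually block the card
            raise PermissionError("wrong password")
        self._tries_left = self.MAX_TRIES
        self._counter += 1                 # never reused, so no two tokens match
        return {"pan": self.pan, "counter": self._counter,
                "mac": token_mac(self._key, self.pan, self._counter)}


class AuthServer:
    """Hypothetical authentication server: hot-list, MAC and replay checks."""

    def __init__(self, master_key: bytes, hot_list=()):
        self._master = master_key          # would live inside the HSM
        self.hot_list = set(hot_list)
        self._last_counter = {}

    def verify(self, token: dict) -> str:
        pan = token["pan"]
        if pan in self.hot_list:           # reported lost or stolen
            return "hot-listed"
        expected = token_mac(derive_card_key(self._master, pan), pan,
                             token["counter"])
        if not hmac.compare_digest(expected, token["mac"]):
            return "bad-mac"               # forged or altered token
        if token["counter"] <= self._last_counter.get(pan, 0):
            return "replayed"              # a captured token presented again
        self._last_counter[pan] = token["counter"]
        return "approved"


def demo() -> list:
    master = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    pan_ok, pan_lost = "9999000000000001", "9999000000000002"   # constructed PANs
    server = AuthServer(master, hot_list={pan_lost})
    card = Card(pan_ok, derive_card_key(master, pan_ok), "correct horse")
    lost = Card(pan_lost, derive_card_key(master, pan_lost), "1234")

    results = []
    try:
        card.sign("guess")                 # step 5: card rejects the password
    except PermissionError as exc:
        results.append(str(exc))
    first = card.sign("correct horse")
    results.append(server.verify(first))   # step 6: genuine token
    results.append(server.verify(first))   # same token sent a second time
    results.append(server.verify(dict(first, counter=first["counter"] + 1)))
    results.append(server.verify(lost.sign("1234")))
    results.append(server.verify(card.sign("correct horse")))
    return results


if __name__ == "__main__":
    print(demo())
```

The server checks the MAC before it touches the stored counter, so a forged token cannot advance the counter and lock out the genuine card.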

Payment Process

1. The user browses a merchant web site and fills a shopping cart.

2. Once the user decides to check out, the web site order form starts the smart card reader software. If applicable, the user is given a chance to redeem loyalty points before checking out.

3. The software prompts the user to insert the smart card into the smart card reader and enter a password.

4. The smart card validates the password and launches the cardholder’s e-wallet, which stores the cardholder’s credit card information, along with billing and shipping information.

5. The e-wallet fills the order form with the cardholder’s information from the smart card.

6. Once the user confirms the purchase, the transaction is routed to the credit card issuer to authenticate the cardholder/smart card combination. Each card creates a unique digital certificate. This certificate is sent to the issuer via the merchant site. If the issuer approves the transaction, the merchant can assume that this is indeed the correct cardholder. The twofold guarantee offered by the combination of what the user has (a card) and what the user knows (a password) provides the merchant with extra peace of mind. Additional merchant benefits include liability shift for fraudulent transactions and non-repudiation.

7. Once authentication is received from the card issuer, the merchant requests an authorization through the credit card network (if necessary). The transaction then flows like a card-not-present transaction.

8. If the merchant participates in a loyalty program, points are added to the user’s loyalty account (either on the card itself or on a loyalty server).

Other Applications

An Internet merchant’s infrastructure includes multiple subsystems. The most obvious is the payment system, which is also the most important for smart cards. In addition to the payment system, a merchant’s infrastructure may include inventory management, stocking number management, risk management, server-based promotions and other merchandising or management systems. These systems are typically proprietary and therefore different for each retailer. Any changes to these systems that might be required to support added value applications using smart cards may therefore be unique.

Internet Authentication Support from Visa and MasterCard

Both MasterCard and Visa have implemented Internet transaction security programs — MasterCard SecureCode™ and Verified by Visa™ (VbV) — to improve the authentication of Internet consumers. Both services can be used with or without a smart card.


MasterCard SecureCode provides the issuer with a choice of authentication options and includes a PC Authentication Program, Chip Authentication Program, and a MasterCard implementation of 3-D Secure. Each of these solutions converges around the passing of authentication data via MasterCard’s Universal Cardholder Authentication Field (UCAF). The Chip Authentication Program option within MasterCard SecureCode was designed to offer the ease of use and security of an EMV-compliant smart card for authentication through a user’s PC. This solution is designed to interoperate with the UCAF hidden fields and specifications and is supported by both standalone and connected smart card readers. If the cardholder has installed the necessary PC software and reader, the cardholder inserts the smart card into a card reader and enters their PIN during the Internet payment process at participating merchants. The chip then generates a value that the cardholder places into the issuer pop-up window which appears on the order confirmation page. The other MasterCard SecureCode implementation options may also include a smart card component.

Verified by Visa (VbV) uses the 3-D Secure protocol to enhance and validate payments made through the Internet. All smart Visa cards are VbV-ready. If a cardholder has installed a reader and the necessary software to support it, then when that customer shops at a participating merchant location, they will be instructed to insert the smart Visa card into the reader. Cryptographic information on the smart card chip is then interrogated and compared, along with the user-supplied password, by the access control system to information known about the card. This provides the card issuer with two-factor authentication.

The goal is to improve consumer confidence in using credit cards on the Internet and reduce the number of Internet merchant chargebacks. The advantage to the merchant of using these authentication programs is to further reduce chargebacks when consumers use MasterCard SecureCode or Verified by Visa.


Key Drivers for Smart Cards and Retail Payments

Today’s large retailers cannot possibly provide the personalized service their small town counterparts once did. Increased costs, shrinking margins and the increased competition represented by large national chains are causing retailers to look toward technology to provide order-of-magnitude gains in market share and corresponding reductions in infrastructure support costs.

Key Drivers for Retailer Investment

Regardless of the application, product or service, every retailer looks at a certain set of criteria to decide whether an investment is warranted. The criteria applied to an investment decision tend to fall into four major categories.

1. Will the investment result in reduced time in the lane or a decrease in labor costs? Time is money for retailers. One compelling justification in any business case for a technology investment is its ability to shorten customer lines and expedite checkout. The ability to reduce staff costs while at the same time improving the checkout experience and minimizing the frustration associated with long lines is a key driver for adoption of a new retail technology.

2. Will the investment result in increased sales, acquisition of new customers or improved customer loyalty? Retailers face the challenge of determining how to motivate customers to spend more during a shopping experience or encourage them to transfer spending from another retailer. The requirement to know who your competition is crosses market segments. Grocery stores compete with fast-food restaurants by offering hot prepared foods. General merchandisers compete with gas stations by selling gasoline at locations in their parking lots. Competition for the consumer’s wallet is strong and represents a significant driver.

3. Will the investment reduce transaction costs or protect against costs associated with consumer or merchant fraud? Different tender methods have different costs of doing business. Fraudulent coupons, rebate redemptions, credit cards, checks or refunds increase the cost of doing business. Technology investments that reduce the impact of fraud on the bottom line will be looked at favorably.

4. Will the investment affect the customer’s purchase behavior? The ability to influence customer selection is a significant challenge. The customer who makes a large purchase is not always the most profitable customer. This customer may be a selective buyer, choosing to buy only loss-leading items. Retailers are looking for ways to influence customers to buy higher margin goods, increasing customer value and margin per shopping experience.

To be adopted, technology must demonstrate a reasonable return on investment. The basic question usually is “Should I spend money on this technology investment as opposed to building another store at a different location or implementing another retail system enhancement?”

Retailer Challenges

Today’s retailers face some unique challenges. The first challenge is how to find out who the customer is, to allow up-selling or cross-selling. The second challenge is how to improve the quality of the customer’s experience while still allowing the customer to remain anonymous.


The first challenge requires a retailer/issuer agreement to consolidate data about the retailer’s customers and their experiences. The retailer can then compile the data from multiple databases and leverage it across its own retail channels (which might include physical stores, web sites and catalogs). Knowing which products are purchased, how they are purchased and in what combination they are purchased allows retailers to suggest complementary items.

The second challenge requires new capabilities that can create positive customer experiences or avoid negative ones (such as finding that a desired item is out of stock). For the retailer, the challenge becomes how to apply information technology to positively reinforce the shopping experience.

The challenge for the smart card industry as a whole is to offer a cost-effective technology solution that presents the retailer with a sufficiently compelling business case.

Smart Card Applications Addressing Retailer Priorities

Today’s smart cards can support a variety of payment and non-payment applications. Since each retailer has a unique set of requirements and business priorities, the decision process and business case for deploying smart card technology differs from retailer to retailer. This section highlights some of the applications that are expected to drive retailer acceptance of smart cards.

Smart Card Credit and Debit Payment Applications

With over 21 million smart cards expected to be in circulation in the United States by the first quarter of 2003, one might believe that increasing consumer use of smart cards would drive retailers and processors in 2002 and 2003 to upgrade their magnetic stripe-based payment infrastructure to support smart card-based payment. For a pure payment application, however, this is not expected to be the case.

Smart card payment that is based on the EMV specification (and mandated by the card associations) is being deployed in Europe, Latin America and Asia to reduce credit card fraud and telecommunications expenses. The majority of payment transactions in the United States, however, are authorized online, resulting in lower fraud rates than in other parts of the world. In addition, U.S. issuers have developed sophisticated fraud detection tools and neural networks that are very effective in identifying fraud. Those same tools have not been deployed in other parts of the world. As a result, fraud by itself does not provide a sufficient business case for physical payment infrastructure stakeholders to invest in infrastructure upgrades. In addition, the U.S. also enjoys low telecommunications costs.

It is expected that the driving business case for smart card adoption in the United States will be based on revenue generation, new payment types and value-added applications and programs. When added to a payment card, these applications (discussed next) can increase the overall value proposition to the cardholder, retailer and issuer.


Emerging Smart Card Markets and Applications: Keys to Making Smart Card Payment a Reality

Although it is the smart card payment application that attracts media attention in the financial world, emerging non-payment applications are expected to create the business case for issuers to introduce smart card products, retailers to accept them and consumers to demand them. The smart cards currently being issued by American Express and by MasterCard and Visa issuers support multiple applications. Many new POS terminals also have expanded memory and increased power, enabling them to be multifunctional and support multiple applications.

Seven key markets, each with a specific set of application drivers, are adding momentum to the movement toward smart card implementation in the United States today. Each market application is concerned about security, speed, convenience and customer gratification. The markets are:

• Internet commerce
• General retail
• Mobile commerce
• Transit
• Contactless payment
• Campuses
• Government

Internet commerce. It is estimated that the number of users of the Internet in the United States has reached at least 100 million. As important is the ever-growing number of retailer web sites capable of commerce on the Internet. The combination of consumer fears of providing a credit card number on the Internet, a higher fraud rate for Internet transactions, and new Internet payment competitors (e.g., Billpay and PayPal) creates a compelling value proposition for smart cards for Internet commerce. By issuing smart cards that securely carry a consumer’s private keys, issuers can reassure consumers that paying with a credit card is both as safe as and more convenient than using one of the Internet competitors. By accepting smart cards, Internet retailers can reduce their fraud rate and associated costs. Thus, the need for more secure cardholder authentication may boost the use of smart cards on the Internet.

General retail. The ability of smart cards to support programs that drive new customer acquisition, improve customer loyalty and support innovative new merchandising programs addresses a number of retailer priorities. Loyalty programs, electronic coupons, targeted advertising, partner marketing programs and customer profiles are stimulating the interest of retailer marketing groups. The card associations are also developing standard platforms to address these requirements. The ability for smart cards to be used at both Internet and physical stores offers significant benefits for “bricks and clicks” retailers.

Loyalty programs have long been a staple of the retailer market segment. S&H Green Stamps, an early example, allowed customers to purchase products in one store and redeem stamps for merchandise in another, in exchange for information about themselves. This type of program enabled retailers to personalize the shopping experience with targeted content (for example, by offering discounts aimed at getting customers to try a new brand or product). The ability to stimulate customer demand to buy more by understanding purchase history, recommending additional items, alerting customers to new purchasing opportunities and rewarding greater levels of purchasing is a key driver.


The need for better levels of information about customers encourages the implementation of customer profiles. Retailers could benefit from the capture and use of a profile that defines consumer buying habits and history. This information can provide the retailer with data that suggests ways to promote higher margin products, accelerate the checkout process by facilitating self-service check out and encourage customer loyalty through incentive promotions and programs at the store. Smart cards provide significant benefits to both retailers and consumers by being able to securely store data so that no unauthorized entity can view it. Smart cards impose strict security requirements on data access, hiding information stored in one application from others. This ensures that consumer data is private and that retailers can securely access only data that is relevant to them.

The Target smart Visa card is the most notable example of a prominent retailer implementing both payment and non-payment applications on a single smart card and using smart card programs to create strategic competitive advantage. In addition to payment, Target is implementing a loyalty program and electronic coupons in partnership with Procter & Gamble, Unilever, Pepsi-Cola, and Mattel,[11] with deployment to be complete this year.

Mobile commerce. The mobile commerce market has seen high growth throughout the world. In the United States, however, the absence of a telecommunications standard has made implementation a challenge. U.S. carriers use PCS or CDMA technologies, which do not use smart chips. The next few years will see the proliferation of GSM networks in the United States, with AT&T beginning to convert their networks and other carriers following. The SIM card will allow issuers to provide an easier payment mechanism for mobile commerce. Other technologies, such as Bluetooth, are also being investigated to further mobile commerce. Non-payment applications such as identity authentication and information provisioning will be key to driving this market.

Transit. The transportation and transit market is already moving ahead with smart card technology (for example, SmarTrip in Washington, D.C., Amtrak, BART in the San Francisco Bay Area, and the Chicago Transit Authority). These systems use smart card-based electronic tokens for fare collection. Issuers can take advantage of these systems by offering a payment method tied to the transit cards at nearby retailers. For example, the North Dallas Tollway in Texas uses an RFID technology to collect fares. The same system can be used at participating McDonald’s restaurants.

Contactless payment. Contactless technology is particularly well suited to the retail environment. The pass-by method of card presentation is convenient and allows multiple form factors to be used for the payment device. A fast, secure transaction can be accomplished simply by presenting a card, key fob, or other contactless device to the reader. One of the most compelling uses for contactless cards is at drive-through retail establishments, where long read ranges are required for a good user experience. Devices such as the ExxonMobil SpeedPass are usable outdoors, even in inclement weather or a dirty environment. Contactless readers have no slots, switches, or pins, significantly lowering the cost of ownership and maintenance. Finally, contactless systems are specified by ISO international standards, supporting straightforward extensibility and interoperability. Contactless technology can be an excellent complement to contact technology in appropriate situations.

[11] CardLine, “Smart Card Lifts Target Card Program,” August 16, 2002.

Campuses. Both college and business campuses have begun to use smart cards. Major uses have been: asset tracking; meal plans; physical access to labs, dorms, and special events; network logons; and secure data storage, including personnel records, digital certificates and health data. The same card can also have a financial application, allowing purchases on campus and at nearby retailers via stored value or prepaid accounts. Another successful application is the SMARTIX baseball stadium ticketing program, which allows season tickets to be downloaded off the web onto a smart card. The card is then used to enter parking lots and stadiums. Cardholders can also transfer their tickets electronically, with transferred tickets downloaded from the web or picked up at a will-call window. Both the San Diego Padres and the Los Angeles Dodgers are currently using SMARTIX.

Government. The power of the smart card for government health and entitlement programs lies in the card’s ability to hold both payment and non-payment applications. In conjunction with host systems, these applications provide multiple benefits to recipients. Smart card usage in entitlement programs such as the U.S. food stamps program or the Women, Infants and Children (WIC) program is already a reality. Ohio and Wyoming have smart card-based EBT programs in place, with New Mexico, Texas and several New England states also implementing programs. The U.S. government is also using smart cards to control both physical and logical access to facilities and networks and is expanding the number of programs and agencies that are using smart cards for employee identification. The U.S. Navy is moving forward on a smart card implementation that will include an electronic purse application for use on naval bases.

New smart card applications are setting the stage for additional penetration by card issuers, adoption by merchants and usage by consumers. Integrating non-payment applications with new and traditional payment applications creates a compelling business case for implementing smart card technology.


Key Challenges for Smart Cards and Retail Payments

Smart cards have gained momentum in retail payment in the past 18 months. However, the cards still face significant challenges in gaining widespread merchant acceptance and consumer use. This section reviews the barriers to the adoption of smart cards and describes what is being done to overcome these barriers.

Merchant/Retailer Business Case and Profitability

The most compelling barrier to the adoption of smart cards by merchants and retailers is the lack of a clear business case. The POS environment is not in place to support widespread acceptance of smart cards for business reasons rather than technical reasons. While smart cards can now support numerous applications that are of interest to retailers, the business case is still difficult to define, for the following reasons:

• Non-payment applications are not maturing quickly enough to overcome vendor differences and interoperability issues. The development and issuance costs of moving non-payment applications to the smart card also adversely affect the business case.

• There are significant challenges in aligning all stakeholder (issuer, merchant, acquirer, consumer) interests.

• Competing technologies can be used for certain applications.

• Other technology projects have higher priority, due to perceived better return on investment and easier implementation. For example, bar codes, Internet accessed terminals, and consumer-friendly devices such as coupon kiosks tend to generate measurable bottom-line contributions quickly.

In the absence of a compelling business case, large retailers are not venturing into contact smart card programs without a clear justification. Instead, the merchant community is likely to rely on incentives from other stakeholders (such as issuers and card associations) to provide assistance with re-terminalization costs, interchange incentives (e.g., card-present rates and guaranteed payments for Internet purchases) and reduced chargeback costs.

The back office integration cost of implementing smart card applications is also seen as a major hurdle. Retailers must incur the cost of modifying other store and POS systems to accommodate new smart card applications. Like many businesses, retailers have had to make tough budgeting decisions since 2001. Competition for IT dollars has grown significantly, for both card issuers and merchants. Other costs such as project management and in-store training also add to the overall implementation expense.

Compelling smart card business cases are being created in specific retail segments and for new applications.

• Merchants who have already invested in POS hardware upgrades will be able to add new applications (payment or non-payment) to leverage their investment.

• Strong co-branding relationships between retailers and manufacturers or retailers and issuers can be extended to deliver smart card value propositions and leverage common business goals. For example, retailer access to issuer or card association consumer promotion programs can help increase retailer market exposure and attract new customers.


• Retail segments in which speed of payment is essential (e.g., quick service restaurants) are considering contactless/proximity payment solutions to gain a strategic advantage. The success of programs such as ExxonMobil’s SpeedPass has shown that low time-in-field and pass-by convenience have major advantages for volume retailers.

• “Bricks and clicks” retailers can use smart cards as a strategy enabler through Internet programs linked to physical stores (such as coupons downloadable to smart cards).

• Co-marketing arrangements with smart card applications can be implemented through merchant coalitions, formed by assembling non-competing merchants that are complementary based on price, quality or lifestyle.

• Issuer and transit authorities can cooperate to implement a mass transit application on issuer cards (using proximity/contactless technology), providing improved convenience for the consumer and an additional payment type for merchants.

• Retailer implementation of loyalty programs, coupons and rewards can provide a strategic advantage and help retailers deploy creative marketing programs to retain and attract customers.

Internet commerce provides another bright spot for the smart card business case. At the Electronic Transactions Association meeting in April 2002, Barry Davis, senior consultant with First Annapolis Consulting, delivered a presentation that identified the anticipated growth of Internet commerce as an improved business case for smart cards for Internet merchants. Due to higher fraud rates in Internet transactions vs. physical transactions (1.14% [12] vs. .09% in 2001 [13]), Internet retailers who implement smart cards could see significant savings from a reduction in fraud and card-present transaction rates. The increase in Internet purchases as a percentage of overall consumer purchases will help drive consumer use of smart cards, integration of smart card readers with personal computers and complementary “bricks and clicks” programs, providing additional momentum to physical POS smart card implementations.

While the business case for smart card-based payment is challenging, these new applications and business relationships are expected to add drivers for U.S. smart card deployment. Merchants will only implement the smart card infrastructure when they see a positive business case. This business case will be driven by a combination of applications and partnerships that drive revenues, lower costs and increase consumer satisfaction and loyalty.

Standards and Interoperability

Standards-based solutions are critical to fueling adoption of new technologies. Such solutions support compatibility, interoperability and component availability. Standards allow the consumer to use a single card and card reader for multiple applications at multiple retailers. Standards enable the retailer to install the smart card hardware and software infrastructure, knowing that all customer cards will work, a selection of interoperable hardware and software products will be available, and the infrastructure investment will be preserved. Standards help the issuer drive the mass deployment of interoperable cards and readers and enable multi-organization partnerships. The processor can focus efforts on a common standards-based implementation, reducing the cost of infrastructure deployment and maintenance.

[12] Gartner Group, “One Percent of Online Sales Lost to Fraud,” InternetWeek, March 4, 2002.
[13] Tower Group, “Credit Card Skimming: Growing Trend or Media Hype?” Transaction World, Sept. 2001.

Standards for using smart cards for retail payment have been driven by aggressive international implementations of smart card-based debit and credit card transactions. International standards and consortia-led specifications are already in place, with supporting products available from multiple manufacturers. The following are some of the standards and specifications that are relevant to smart card usage for retail payments.

• EMV. First published in 1996, the EMV Level 1 and Level 2 specifications define the physical and electrical characteristics of the smart card, the organization of applications within the card, the set of commands, the transaction flow for the purchase process and the specification for card acceptance terminals. Both MasterCard and Visa require all payment devices to be approved through a certified EMV lab.

• PC/SC. The PC/SC specifications allow PC-based applications to be independent of the smart card reader.

• Open Operating System. The proprietary smart card operating systems of the 1990s are being replaced by common operating systems, such as JavaCard and MULTOS. These open operating systems allow card and application issuers to be more independent of card manufacturers and support faster application development and deployment.

• GlobalPlatform. Comprised of a suite of card, system and device specifications, GlobalPlatform specifications define a standard upon which multiple consumer and business applications can be built, distributed and managed. The specifications standardize back-end systems such as personalization, security, key management and application loading, while streamlining the critical processes in smart card lifecycle management, from issuance to reissuance.

Both credit and debit card payment transactions at a physical point of sale are currently supported by solutions based on the above specifications. However, effort is still required to develop standards that will result in interoperable solutions for some of the newer, highly desirable applications that could drive faster smart card adoption. Such applications include:

• Loyalty applications. Loyalty programs benefit both the consumer and retailer by providing consumers with rewards for shopping at selected retailers and providing retailers with a way to retain and reward loyal customers. Smart card-based loyalty programs allow consumers to receive their rewards faster and at a lower cost to the retailer and are expected to allow rewards programs to span multiple retailers. Standards or industry-driven specifications currently do not exist for loyalty system implementations, so each smart card issuer defines its own unique approach.

Both MasterCard and Visa have recently started to define common approaches for smart card-based loyalty programs. Visa announced an agreement with the two leading loyalty system vendors, Catuity and Welcome Real-time, to define and implement a common approach for supporting multiple card technologies at a single rewards-enabled POS device. Visa also announced the smart Rewards Platform, a shared-system initiative designed to reduce technical and time-to-market burdens faced by card issuers and merchants. MasterCard published specifications for MODS, an API for storing and retrieving data on smart cards.

• Smart card readers and PCs. Using smart cards for Internet purchases and authentication is expected to be a key market driver. The PC/SC specification does not yet address a standard mechanism for launching an application when a smart card is inserted into a PC-based card reader. The PC/SC Workgroup is currently working on this issue, with plans to include this function in Version 2 of the PC/SC specification.

With a compelling business case, few industries wait for final standards. Market leaders drive forward in parallel with standardization and specification efforts, and implementations iterate through several revisions. The financial industry is very active in initiating activities to address issues that are critical barriers to deployment. The industry has a strong history of successfully developing and implementing specifications that benefit all stakeholders.

While the necessary standards and specifications are in place for retailers to be able to invest in smart card based payment today, there are still issues with interoperability and standardization that must be addressed. Industry groups are initiating activities to work on these issues for the newer applications. As with most new technologies, however, it will take time for these efforts to result in specifications, standards and compliant products to use in smart card implementations.


Conclusion

The U.S. smart card industry has made significant progress in the past two years toward supporting smart cards for payment at the retail point of sale, adding issuers, consumer smart card products and smart card-ready POS terminal installations. Momentum is growing, as card associations, issuers, retailers and processors/acquirers all launch programs and deploy new infrastructure to support smart card payment.

The migration of the U.S. payment infrastructure to support smart cards is complex and costly. Each participant in the payment transaction will need to invest in new technology and processes. So far, it has been difficult for retailers and other transaction participants to create a business case for investment in smart card technology. The problem has been exacerbated by the presence of competing technologies in the marketplace and by an economic downturn that has slowed investment in all businesses.

The migration to smart card support is definitely proceeding more slowly in the United States than in international markets. However, the industry expects smart card adoption and acceptance to continue to grow. Multiple key markets, each with specific application requirements, are driving retail smart card implementations.

• Smart cards support programs that can help retailers acquire new customers, improve customer loyalty, and implement new merchandising programs.

• Smart cards offer both Internet commerce and mobile commerce an easy and safe means of payment, reducing risk for both the merchant and the consumer.

• Smart cards are already being used in several large transportation and transit markets.

• Colleges and businesses both are leveraging the ability of smart cards to support multiple related applications on one card, increasing convenience and efficiency.

• Multiple applications on a single card are proving useful to government health and welfare programs.

• Contactless technology is finding increasing acceptance in situations where fast, secure transactions with long read ranges are critical, such as for gasoline purchases or in drive-through retail establishments.

Smart card applications can also encourage new business partnerships that benefit all participants. For example, electronic couponing offers an opportunity for large retailers to partner with manufacturers or service providers, increasing customer bases and strengthening brand loyalty.

The benefits of adopting smart cards for payment are compelling. The ability of a smart card to support multiple applications provides flexibility and a stronger business case for the retailer, who can add applications over time. Smart cards also offer unmatched security functionality, allowing for safer transactions and enhancing cardholder privacy. In addition, because smart cards are subject to active standardization efforts, interoperable solutions are available from multiple vendors.

The combination of the technology benefits and the new markets, applications and partnerships that smart cards can support is expected to further drive the U.S. market for smart card use at the retail point of sale. Both analysts and industry participants are expecting continued solid progress for smart card deployment in the United States.

For more information about smart cards and the role that they play in retail payment and other applications, please visit the Smart Card Alliance web site at www.smartcardalliance.org or contact the Smart Card Alliance directly at 1-800-556-6828.


References

“An Industry Primer on Smart Cards,” Electronic Transactions Association, November 2001.

“Chips May Proliferate But Few Will Say When,” Card Marketing, March 2002.

“Contests Brighten the POS,” Chain Store Age, February 1, 2002.

“Credit Card Skimming: Growing Trend or Media Hype?” Transaction World, September 2001.

“One Percent of Online Sales Lost to Fraud,” InternetWeek, March 4, 2002.

“The Prospect for Financial Services Chip Cards in the U.S.,” presentation by Theodore Iacobuzio, Tower Group, Smart Card Alliance conference, October 7, 2002.

“Smart Card Lifts Target Card Program,” CardLine, August 16, 2002.

“Smart Cards: Seizing Strategic Business Opportunities,” Smart Card Forum, edited by Catherine A. Allen and William J. Barr, McGraw-Hill, 1997.

“Smarter Swipers Arrive,” RIS News, September 2001.

“TowerGroup Offers Rosy Forecast for Chips in U.S.,” American Banker, January 29, 2002.


About the Smart Card Alliance

The Smart Card Alliance is the leading not-for-profit, multi-industry association of member firms working to accelerate the widespread acceptance of multiple applications for smart card technology. The Alliance membership includes leading companies in banking, financial services, computer, telecommunications, technology, healthcare, retail and entertainment industries, as well as a number of government agencies. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. For more information, visit www.smartcardalliance.org.

Publication Acknowledgements

This position paper was developed by the Smart Card Alliance to discuss the implementation and technology issues associated with smart cards and retail payments. Publication of this document by the Smart Card Alliance does not imply the endorsement of any of the member organizations of the Alliance.

The Smart Card Alliance wishes to thank the Terminal and eTransaction Infrastructure Task Force members for their comments and contributions. Task Force members include: ACI Worldwide, ACS, ADB, Bank of America, Citicorp, Crosscom National, Inc., First Data, Gemplus, Hypercom, IBM, Ingenico, MasterCard International, Netlink Transaction Services, New England Bankcard Association, NTRU Cryptosystems, Inc., Ohio University Center for Automatic Identification, Potomac Systems, SchlumbergerSema, SCM Microsystems, Thales, U.S. Office of the Comptroller of the Currency, Visa U.S.A, WMATA.

Special thanks go to the Task Force members who wrote, reviewed and edited this white paper.

Jeff Beulke, ACI Worldwide
Alan Bondzio, ADB
Matthew Byrne, First Data
Amol Deshmukh, SchlumbergerSema
Eric Dumois, Hypercom
Rahul Gadkari, SchlumbergerSema
Tim Held, ACI Worldwide
Greg Jones, Visa U.S.A.
Jasen Judd, NTRU Cryptosystems, Inc.
Diana Knox, Visa U.S.A.
Michael Madden, MasterCard International
Cathy Medich, Consultant and Task Force Co-Chair
Christopher Nardone, MasterCard International
Matt Radcliffe, SchlumbergerSema
Eric Schindewolf, Visa U.S.A.
Randy Vanderhoof, Smart Card Alliance
Cliff Wilke, Office of the Comptroller of the Currency

Copyright Notice

Copyright 2002 Smart Card Alliance, Inc. All rights reserved.

Trademark Notice

All registered trademarks or trademarks are the property of their respective owners.


Appendix A: Relevant Standards – Smart Cards and Retail Payments

The following table summarizes the standards that are relevant to implementing smart cards for retail payment.

| Standard / Specification | Application Area | Reference / Organization Managing Standard |
|---|---|---|
| ISO/IEC 7816 | Interface between the card and the terminal. | ANSI / ISO |
| EMV | Commands and related transaction flow for credit and debit card payment. Hardware specifications for financial smart cards and terminals. Multi-application selection for smart cards. | EMVCO (www.emvco.com) |
| GlobalPlatform | Card application management and issuance in the smart card, acceptance devices and back-end systems. | GlobalPlatform (www.globalplatform.org) |
| PC/SC | Common driver interface for all smart card readers connected to Microsoft Windows. | Microsoft (www.pcscworkgroup.com) |
| MULTOS | Open card operating system providing a turnkey package for card issuers, including certification authority, language, tools and personalization process. | MAOSCO (www.multos.com) |
| JavaCard | Standard, flexible tool box and operating system for smart card application development. Used with GlobalPlatform, provides the specification for interoperable application management and card issuance. | Java Card Forum (www.javacardforum.org) |
| X509 | Format for digital signatures and associated certificates. | ANSI / NIST |
| ISO/IEC 14443 & ISO/IEC 15693 | Standards specifying contactless smart card operation. | ISO / IEC |

Appendix B: Glossary of Acronyms

| Acronym | Meaning |
|---|---|
| AAV | Accountholder Authentication Value |
| ANSI | American National Standards Institute |
| API | Application Programming Interface |
| ATM | Automated Teller Machine |
| CDMA | Code Division Multiple Access |
| DES | Data Encryption Standard |
| EBT | Electronic Benefits Transfer |
| EMV | Europay MasterCard Visa |
| GSM | Global System for Mobile Communications |
| HSM | Hardware Security Module |
| IEC | International Electrotechnical Commission |
| ISO | International Organization for Standardization |
| MODS | MasterCard Open Data Storage |
| NIST | National Institute of Standards and Technology |
| PC | Personal Computer |
| PCMCIA | Personal Computer Memory Card International Association |
| PCS | Personal Communications Service |
| PC/SC | Personal Computer/Smart Card |
| PDA | Personal Data Assistant |
| PIN | Personal Identification Number |
| POS | Point of Sale |
| RFID | Radio Frequency Identification |
| SIM | Subscriber Identity Module |
| SPA | Secure Payment Application |
| UCAF | Universal Cardholder Authentication Field |
| USB | Universal Serial Bus |
| VbV | Verified by Visa |
| WIC | Women, Infants and Children |