CTT April.qxd
15/Apr/02
10:09 AM
Page 12
(Black plate)
feature
Banking
Turning the cutting edge into everyday use

The Advanced Card Awards competition, timed to coincide with the InfoSecurity/SmartSolv exhibition and conference in London this April, has attracted a wide range of entries. Many of them are practical implementations of products that only a few years ago were at the cutting edge of smart card technology. Here is our guide to some of the products and implementations (under sector headings that we think appropriate) that have caught our eye this year.
Access and ID

Competence Management Project

The Competence Management Project is a smart card-based system for controlling contractors’ workforces on construction or maintenance sites, in an effort to reduce accidents. Its introduction has been given added impetus by changes in the UK’s Health and Safety regulations, under which directors of companies are now personally liable for accidents in the workplace where negligence can be proven.

The Competence Management Project has been designed to ensure that only approved contractors are allowed on-site, and that they are qualified to carry out the work. This is made possible by the use of a centrally managed contractor and employee database that can be accessed over the Internet by managers using handheld PCs, and by the distribution to contractors’ staff of smart cards carrying their ‘competence’ data. The cards also act as a secure access control and ID medium.

Major undertakings in the UK with scattered staff working at remote locations, including Railtrack and the Highways Agency, are using Carillion Infrastructure Management, working with Reference Point (systems and database specialists) and Gemplus, to test and install competence management systems. In the current pilot project, Carillion operatives are issued with an identity card that stores a record of competence that fits the authorised Railtrack Worker Requirements. The smart card, supplied by Gemplus, stores an up-to-date record of the individual worker’s ability and training attainments.
Using an Assessor’s Smart Card and PIN, an inspector or site foreman can randomly check the Competence Smart Card of any operative working on a site, via a handheld PC with smart card reading capability. The supervisor can make updates in the field to the individual operative’s card, for later synchronisation with the host system. The technology is now being evaluated for Incident Reporting, Cashless Vending, Reward Schemes, Closed-Site Security, Tool Stores and Hazardous Equipment Issue. Contact: Felicity Best at Gemplus Ltd, Tel: +44 2392 488037, Email:
[email protected]
Suscom Medusa Furniture

The Medusa Smart desking system is supplied by Suscom International. Designed for workplaces such as call-centres, where individual members of staff do not have a dedicated workstation, the Medusa system provides microprocessor-controlled, height-adjustable desks. This allows each worker to have their own individual height and positional settings to provide them with ergonomically correct working arrangements. These data are then recorded on an individual’s Gemplus GFM 2KB memory smart card, at a read-write unit in the desk. The card is now carried by the individual member of staff, and is read at the desk unit when the cardholder arrives to take over the workstation. The system could be expanded so that the cards could carry premises access data, or even e-purse applications. Contact: Ken Grubb at Flint Distribution (systems integrator), Tel: +44 1530 510333, Email:
[email protected]
Banking

The Malswitch Project

Six financial institutions in Malawi, led by the country’s Reserve Bank, have joined forces to launch a national EFTPoS and ATM card, known as Malswitch. The system has been designed and installed by Net1 Applied Technology Holdings, a South African-based company.

The Malswitch system runs on a central computer switch. Bank accounts are opened for would-be cardholders in the field via stand-alone terminals; the enrolment system captures biometric fingerprints, and includes a digital photograph of the new bank customer. A retail EFTPoS infrastructure, using fingerprint recognition, enables merchants to offer the following functions:
• Download funds on to cards from bank accounts;
• Upload funds to bank accounts;
• Purchase goods using pre-loaded value carried on the smart card;
• Purchase electronic value that can be loaded on to the smart card.

The ATM infrastructure enables cardholders to carry out transactions on- and off-line. Instead of entering PIN codes, cardholders are identified by their fingerprints at ATMs. A banking EFT system enables financial institutions to offer their account holders access to the national system.

An initial stock of 200,000 8KB Malswitch cards is now being delivered by Gemplus in phased batches. The POS terminals are being supplied by Ascom Monetel. BP Malawi has signed up as a user of the infrastructure. This enables the company both to accept the Malswitch card for retail petrol sales, and to offer the Net1 fleet fuel service to corporate customers.

Malswitch expects to have one million smart cards in circulation by the end of 2002. By this time there should be: a dozen ATMs accepting the Malswitch card; 120,000 salaries paid through the system; and 150,000 EFTPoS devices installed in merchant locations. Contact: Brenda Stewart at Net1, Tel: +27 11 343 2000, Email:
[email protected]
Card Technology Today April 2002

Digital identity authentication for corporate customers of Zagrebacka Bank

Zagrebacka Bank, a market-leading Croatian bank, has recently launched its e-zaba Internet-based banking service for corporate customers. To enable corporate customers to enjoy secure authentication when they embark on e-transactions with the bank, corporate finance officers are being issued with smart cards that carry a PKI solution. The package will enable corporates to process their financial operations securely, using the e-zaba smart card’s digital signature and encryption functions.

At the back-end, the bank’s server handles two-factor authentication – the customer knows something (a PIN) and possesses something (a smart card). At the customer’s end of the transaction, the client is using a smart card supplied by SchlumbergerSema, on which ActivCard Gold software is managing Baltimore’s Unicert PKI package. Private keys are generated on the card and the card remains with the user. Contact: Slavenka Dosen at Zagrebacka Banka, Tel: +385 1 4808 235, Email:
[email protected]
Postbank’s WAP-based banking for consumers

Postbank in the Netherlands and Dutch telecoms operator Telfort have launched a WAP-based mobile banking service for half a million consumers. Security is provided by Simera e-motion smart cards from SchlumbergerSema. The Simera cards combine SIM and WAP identity module functions; the cards also provide encryption for data privacy and for a digital signature. As a result, the identity of the user is confirmed and the transaction is non-repudiable. All the user needs to do to access the service is to enter their PIN code when requested by the on-screen menu. Contact: Emmanuelle Saby at SchlumbergerSema, Tel: +33 1 46 00 71 04, Email:
[email protected]
Health

NHS Occupational Health Smart Card

The Occupational Health Smart Card (OHSC) scheme has been developed to authenticate the pre-employment status of doctors in the NHS in the UK. Doctors, particularly those in training, often move between hospital trusts. Before a doctor is allowed to work in a hospital, the trust must satisfy itself of the doctor’s suitability, in terms of vaccination status and pre-employment screening. The manual search of paper records (held centrally by the ‘deanery’ at the doctor’s training institution) is expensive to perform, and can delay the availability of the doctor for work.
TSSI (part of the UK’s Scipher group) came up with a smart card-based system for its client, the Department of Health. The card selected is a Gemplus MPCOS-EMV 32KB; this currently offers data security and will provide a migration path to PKI security when the network infrastructure is available.

An Issuing Station is installed at each postgraduate deanery. This comprises a PC and a Gemplus PC410 smart card reader, a camera and a smart card. Authorised members of the deanery staff can personalise cards and enter appropriate data. Updating Stations are installed within hospital Occupational Health and Human Resources departments. These stations also comprise a PC and a Gemplus PC410 smart card reader.

A Regional Database resides on a server with a permanent connection to the NHSNet. Whenever data are entered into the OHSC card, an update log is sent back to a central location, for incorporation in the Regional Database. The database receives this information on a daily basis, and transmits details of lost or stolen cards to the issuing and updating stations.

Data held on the OHSC card can only be accessed by a user who has been issued with a smart card and a PIN. Before the user can view or modify any data, their card and PIN must be entered at the terminal, and details of their viewing privileges read from their card. Data can then only be added or amended when both the user and the doctor have each input their card and PIN. At regular intervals, data are automatically transferred via the NHSNet to the central database server, to provide a secure data back-up, in case a card needs to be re-issued.

The programme involves issuing smart cards to more than 30,000 doctors in training at 400 sites; in all there are 600 issuing or reading locations spread across every hospital trust in England. The first cards were issued to trainees in the London area beginning in late 2001. Other areas will be covered during the next two years.
The NHS believes that providing OHSC cards to an average of 50 new doctors a month will save £550,000 a year in administration. Contact: Ed White at TSSI, Tel: +44 1793 747750, Email:
[email protected]
Blatchford Adaptive Limb

Chas A. Blatchford & Sons, a UK-based manufacturer of prosthetic hardware, needed a means of providing users of its Adaptive artificial leg with electronic back-up for patient-specific settings. In addition, they needed to provide patients with instructions for safe use of the limb. Blatchford chose to use Gemplus memory-only chip cards with a 256-byte data capacity. The card fits into a connector that is integral to the programmer unit for the limb.

During a fitting session, the patient walks with the limb; the settings are made and finely tuned using a short-range radio link between the programmer and the limb. Once the optimum settings have been determined, the programmer stores them in the unit and also in the smart card; the card can now act as a back-up copy for the patient to keep. If the limb is damaged, or the settings are accidentally altered, then the original setting can be restored, using the data stored on the smart card. Contact: Ken Grubb at Flint Distribution (systems integrator), Tel: +44 1530 510333, Email:
[email protected]
Loyalty

Shetland SmartCard

This is a smart card-based loyalty system. It has been introduced to help the Shetland Islands’ retailers combat the threats to their livelihood posed by islanders making shopping trips to the mainland, by mail-order trading and by the growth of shopping over the Internet.

In the scheme, members of the public acquire a Shetland SmartCard (supplied by Gemplus) from a participating retailer, and complete a registration form. Retailers are issued with a transaction terminal for a monthly rental fee. Points are awarded in proportion to the purchases made, and the value of the award is entered on the card. Points can then be redeemed later as a discount on other purchases, or as part of associated incentives for further transactions.

The Shetland SmartCard terminal transmits all the transactions daily to a management system, from which multiple reports and statements can be produced. These reports show expenditure by individuals, by visitors, and by location. Advertising and promotional messages can be downloaded daily to the terminals, and will then be printed on shoppers’ receipts.

Retailers buy points from the Shetland Retailers Association (SRA) for 1.5p and receive a credit of 1p for each point redeemed. The SRA says that since the cost of running each retailer’s data management and retrieval requirements is proportional to the number of transactions, this is a fair way of distributing costs. The central
computer system is run by Scotcomms. At the latest count, there was one card in every household on the Islands. Contact: Felicity Best at Gemplus Limited, Tel: +44 2392 488037, Email:
[email protected]
The Avacon Card

The Avacon Card is issued by a German energy utility, to gain and maintain the loyalty of consumers in a market that is being opened up to intensive competition by deregulation. The idea is that the power supplier issues a point – a so-called ‘Watt’ – that is equal to a percentage of each euro on the consumer’s power bill. These points can then be redeemed at a range of retail outlets belonging to ‘partners’; points are downloaded, rather like Air Miles, from the power company to the consumer’s card, at the POS terminals belonging to these partner companies, and can then be either stored or spent.

In the pilot scheme in Lüneburg, 10,000 households were issued with Avacon cards. Rolled out before the advent of the euro, each card contained DM25 as an initial credit; this amounted to approximately 3% of customer spending with Avacon for gas and electricity over a period of four months. Systems house Syrcon operates the clearing system; the cards are supplied by ORGA. Contact: Graham Carson at ORGA, Tel: +44 118 377 6000, Email:
[email protected]
Portable Card Application

This is a card-based loyalty system that cardholders carry with them. The cardholder can use the card to download any loyalty application that they would like to use, from a website, a loading device, or an ATM. The idea is that the cardholder who has downloaded a favourite loyalty application can then approach particular retailers to see if they will make the loyalty programme available. The retailer, in turn, would need to be running their EFTPoS system on a C-ZAM/SMASH terminal (developed by Banksys, the IT subsidiary of the Belgian banks). The requested application could then be downloaded from the card to the memory of the terminal.

Alternatively, a retailer could take the initiative. Banksys says that whenever a new loyalty programme becomes popular, merchants can download the relevant application from the Internet on to a card of their own, and then upload it into their terminal.
The system would allow marketing programmes to be offered to a wide range of customers, with flexible time spans and different partners. Merchants, for their part, can also offer various loyalty programmes and thus develop their customer base. Users need not carry numerous cards, and merchants need not install several terminals.

The card used in the Portable Card Application is the CosmopolIC multi-application Java card from Oberthur, which can hold up to five applications and ten files for carrying loyalty points. When the Proton PRISMA multi-application card (incorporating the EMV debit-credit payment function) is rolled out, one CosmopolIC card will be able to offer payment functions as well as loyalty applications on a single card, at any C-ZAM/SMASH terminal. Contact: Caroline Duterme at Banksys, Tel: +32 2 727 65 21, Email:
[email protected]
Xi-Max terminal from Xiring

The Xi-Max terminal is a hand-held device that can be used to transfer data from one smart card to another. It can also be used to transfer to terminals (PCs or phones). (The device is reminiscent of the Mondex wallet that pioneered this technology a few years ago.)

Xiring has won a contract to supply the Xi-Max reader to the UK’s Department for Education and Skills (DfES) for use with the Connexions Card. The Connexions Card is being issued to students between 16 and 19 years, as a combined attendance and loyalty card. Students are issued with a smart card carrying their ID details. Each teacher is issued with a smart card that has a large storage capacity, and with a Xi-Max reader.

The teacher initialises the reader and their card at the beginning of each class. Each student is then required to sign in. As the attendance recording process takes place, the student data are entered on the teacher’s Xi-Max reader. At the end of the day, the lists of student attendees in all the teacher’s classes are downloaded from the teacher’s card to a central workstation at the school.

The Connexions Card project has been running on a pilot basis in the North-East of England since November 2001. It is envisaged that the scheme will be deployed over the whole of England in 2002/3. On a national scale, this could mean Connexions cards being issued to possibly two million students and 70,000 teachers. Xiring’s shareholders include SchlumbergerSema, HSBC and Pechel Industries.
Contact: Jocelyne da Costa at Xiring, Email:
[email protected]
Mobile commerce

Emome SIM card

Taiwanese mobile telecom operator Chunghwa Telecom is using SIM Toolkit technology to offer its customers the Mobile Financial Service Center. This is a mobile commerce package that provides broking, banking and payment services running on one SIM card, the Emome card, developed by Wayia.com. Some 50,000 cards had been issued by the end of 2001; some 600,000 cards are scheduled for issue during 2002. At the time of writing, ten brokers, ten banks and six e-commerce shopping malls had enrolled in the Mobile Financial Service Center.

Users of the broking service can buy and sell stocks and shares on-line; obtain latest prices and be alerted to price changes; place orders for offline buying and selling; and obtain a daily record of their transactions. Users of the mobile bank can use money-transfer services and can check balances, while users of the payment service can pay bills drawing on bank and on credit card accounts.

Transactions across the Mobile Financial Service Center are protected by triple DES cryptography; Message Authentication Codes are also attached to transmissions. Contact: Francis Wong at Wayia.com, Tel: +886 2 8780 1122, Email:
[email protected]
Security/biometrics

Common Access Card, US Department of Defense (DoD)

The conception, commissioning and roll-out of the Common Access Card (CAC) has frequently been discussed in CTT, but the ActivCard submission for the Advanced Card Awards this year brings the industry up to date on the CAC’s actual worldwide implementation. As of February 2002, 270,000 cards have been deployed, and 5000 cards are being issued per day. The plan is to issue smart cards to 4.3 million personnel by October 2002. These cardholders include members of the Uniformed Services and Selected Reserves, DoD civilian employees and DoD contractors who work inside the DoD’s ‘firewall’.

The DoD is now looking at managing digital identity biometric credentials on the card. “Biometrics are already incorporated in the current issuing system; but biometric on the card offers
additional security that DoD thinks is very worthwhile,” said Robert Brandewie, deputy director of DoD’s Defense Manpower Data Center. “Before we issue or re-issue a DoD card, we actually check the biometrics. We check the fingerprints to make sure that we are re-issuing the card to the same individual again. [But additionally] the high authentication aspect of it would pay off in situations like those we are facing now. What we are concerned about is who is getting on a plane with us, or who is entering our buildings.” ActivCard is the leading provider of smart card and digital identity software for the CAC programme. To integrate biometrics as a third authentication factor [in addition to something that the holder knows (password or PIN) and something that they possess (card or token)] on the CAC, ActivCard has entered into partnership with Sweden-based Precise Biometrics. The aim is to enable Precise Biometrics’ Match-on-Card technology for Java cards to be managed with ActivCard Gold identity management software. Not only will the fingerprint template be stored in the secure environment of a smart card, but the fingerprint image will also be matched and verified on the smart card itself. Contact: Isabelle Joulot at ActivCard, Tel: +33 1 42 04 84 00, Email:
[email protected]
Transit

MV5100 Manchester ticketing card

Travellers in the Greater Manchester area of the UK should soon be able to use a smart card for daily transport ticketing. The Greater Manchester Passenger Transport Executive (GMPTE) currently issues concessionary tickets to 600,000 travellers, mainly children and senior citizens. The first wave of smart cards is to be issued to these travellers, who will be able to use them at card-readers on 3000 buses. The cards will carry period travel concessions, stored value and stored rides. They will be available at point-of-sale terminals in post offices and at GMPTE Travelshops.

The MV5100 card will have a dual (contactless/contact) interface. The contactless interface (which is compliant with the ISO 14443 standard) is for public transport use, where a high transaction speed is required; the contact interface is for retail and banking transactions. The cards are to be manufactured by ASK, a French smart card producer based in Sophia Antipolis. They will be compliant with the ITSO (Integrated Transport Smart card Organisation) standard.
ASK says that the proposed system will:
• Allocate with accuracy each transit operator’s share of the pooled income from the sale of pre-paid travel products;
• Provide a platform for an electronic purse;
• Provide a platform for loyalty and reward schemes;
• Be capable of multiple uses, including payment for parking and road use;
• Be capable of carrying City Card applications.

In November 2001, ASK acquired the manufacturing assets for the Venus contactless smart cards developed by Motorola, along with an unrestricted production license, in a three-way transaction between ERG (which is managing the Manchester project), Motorola and ASK. Contact: Xavier Bon at ASK, Tel: +33 4 97 21 40 13, Email:
[email protected]
Transit/citizen’s card

JCOP30 Dual-Interface card

The first use of the JCOP30 dual-interface (contactless/contact) card from ORGA is in the Cornish Key Card scheme, where some 50,000 cards are being supplied to residents of Cornwall (see News Section, page 4). Cornish residents involved in Phase One of the Cornish Key Card scheme will use their cards for a number of functions, including: concessionary bus fares; car parking payments; library book borrowing; school registration and access control. Further applications will be added, making use of the card’s JavaCard post-issuance functionality.

The JCOP30 is a dual-interface card in which both the contactless (antenna) and contact (chip) connect in such a way as to operate as a single chip. This means that card applications on either interface can communicate with each other. The card uses the Global Platform open standard with the JavaCard operating system. The contactless interface uses the Philips Mifare ProX chip, and so is compatible with existing Mifare cards in use worldwide in mass transit schemes.

In addition to the security features provided by the JavaCard operating system, the JCOP30 card carries a triple DES co-processor. This enables the user to encrypt data and send an electronic signature. The Mifare ProX contactless interface meets both EMV and CEPS (the European purse) standards. It operates at a range of 10 cm. Contact: Graham Carson at ORGA UK, Tel: +44 118 377 6000, Email:
[email protected]
In brief

TIM Brasil has ordered SIM cards from SchlumbergerSema for the roll-out of its Brazilian GSM service. TIM, a major mobile phone service provider in Italy, hopes to attract 5m Brazilian subscribers in two years.

Mobile telephone subscribers can now convert local currency into euros (and vice versa), without having to navigate through complex menus, with the release of a new Java Card-based SIM card application from ORGA Card Systems. A user of the EuroClick converter simply types in the amount to be converted, and the local currency at the user’s current location is identified automatically. USSD (unstructured supplementary services data) and SMS (short message service) ‘bearers’ can be used to submit conversion requests and return the results. The application runs on ORGA’s service platform wIQ.

Payment-processing specialist ACI Worldwide has joined forces with Giesecke & Devrient to provide financial institutions (and other businesses) with end-to-end systems for launching and managing smart card programmes. G&D smart payment cards operate on several platforms, including its proprietary STARCOS system and the multi-function MULTOS and Java systems. ACI will contribute the Smart Chip Manager, a software application that controls the life-cycle of smart cards and the residing applications – including issuance and post-issuance application reloads ‘in the field’.

Employees and customers of Swiss Life/Rentenanstalt are to use VASCO’s Digipass 300 keypad to provide secure access and authentication to its ‘remote’ workers. The staff will initially utilise the Digipass worldwide to access the company’s internal network. Later Swiss Life/Rentenanstalt will offer the Digipass to its brokers to allow them to conduct transactions using dial-up, VPN (Virtual Private Network) and Internet connections with the Swiss Life broker portal. Swiss Life’s Belgian and German subsidiaries are already using VASCO products. The Digipass 300 keypad acts as an online terminal where users can enter PIN codes to gain online access.

SCM Microsystems has launched a smart card reader packaged with both USB and serial removable cables. The SCM SCR531 provides a flexible device for PC OEM suppliers who wish to deploy high volumes of readers to end-users with unknown computer configurations. The SCR531 is based on the STC II single chip. It features on-board flash technology and is upgradable, to support future enhancements.