
Smart Cards and the Retail Payments Infrastructure: Status, Drivers, and Directions
A Smart Card Alliance White Paper
October 2002

Smart Card Alliance


191 Clarksville Road
Princeton Junction, NJ 08550
www.smartcardalliance.org
Telephone: 1-800-556-6828

Executive Summary
Smart Cards Are Finding Wider Acceptance Among Consumers and Issuers
Despite belief to the contrary, smart cards are more and more widely used in the
United States. Since the launch of the American Express Blue card and smart
Visa card, millions of smart cards have been issued to consumers, with over 21
million cards predicted to be in circulation by the first quarter of 2003.
The pace at which smart card-ready POS devices are being installed is somewhat slower. However, several large retailers have invested in smart card-ready
POS hardware. In addition, retailers whose hardware is aging may soon be
replacing it with smart card compatible devices.
The issuing and acquiring processing infrastructure is also making progress to
support smart cards. The two leading issuing processors have announced smart
card support and several acquiring processors have announced that they can
support smart card payment transactions. All stakeholders in the financial
payments industry are positioning for expanding consumer smart card use.

Implications of Supporting Smart Card Payment Applications


Smart cards can be used to pay for purchases made at physical and Internet
retailers. Both payment applications rely on the presence of certain components:
smart cards; smart card applications; a smart card reader either at the physical
retailer or at a user's computer; retailer software and host systems supporting
smart card applications; acquiring and processing systems capable of supporting
smart card transactions; and smart card issuing, life-cycle management and
fulfillment systems. Implementing smart card payment applications will require
changes on the part of all participants in the transaction: the consumer, the
retailer, the card issuer and the acquiring and issuing processors.
Deploying smart cards for payment applications also conveys advantages to
each participant. Consumers can use one card for multiple applications. Retailers can leverage additional applications to increase sales and strengthen their
customer bases. Issuers can use the availability of smart cards to open up new
markets.

Challenges for Smart Cards and Retail Payments


Migration of the U.S. payment infrastructure to the use of smart cards is neither
simple nor inexpensive, requiring investment in new technology and development
of new processes. Smart card support in the United States is currently impeded
by the lack of a compelling business case for implementing smart cards only for
payment, when compared to the payments infrastructure already in place.
Further growth will be driven by business cases for new smart card markets and
applications that provide merchant- and consumer-specific benefits. The combination of the technology benefits and the new markets, applications and partnerships that smart cards can support is expected to further drive the U.S. market
for smart card use at the retail point of sale. Both analysts and industry participants are expecting continued solid progress for smart card deployment in the
United States.
Smart Card Alliance 2002

About This White Paper


This white paper was developed by the Smart Card Alliance to describe the
current state of the smart card payments infrastructure in the United States. This
paper provides answers to commonly asked questions about the use of smart
cards for payment applications, such as:
- What is the current status of the efforts to deploy smart cards for retail payments?
- What are the critical components of the smart card payments infrastructure in the United States?
- How do smart cards work when they are used for payment at a physical or Internet retailer?
- What authentication support is available for Internet smart card use?
- What issues do retailers consider key to decisions about new technology investments?
- What key markets and applications are expected to drive smart card usage and acceptance in the U.S. in the near future?
- What are the critical barriers to smart card acceptance by merchants and what are industry participants doing to remove these barriers?


Current State of the U.S. Smart Card Payments Infrastructure


Smart card technology has realized widespread growth worldwide over the last
few years. The proliferation of the technology in North America has been anticipated since the mid-1990s. However, U.S. smart card growth for payments has
not emerged, due to the lack of a definitive business case for all industry participants.
In fact, the three major card associations (American Express, MasterCard and
Visa) have established smart card programs with significant issuer participation
and over 17 million smart cards in circulation as of the end of 2001.[1] The next
step is for smart cards to achieve wider acceptance across the merchant population, allowing consumers to realize the benefits of the technology.
This section outlines the current readiness of the payments infrastructure within
North America to accept smart cards, including active card programs, POS (point
of sale) deployment, processor readiness and issuer/acquirer readiness.

Smart Card Issuance


The launch of the American Express Blue card in 1999 provided the push that the
smart card industry needed. American Express was successful in acquiring new
customers based on the look-and-feel that smart cards provided. However,
consumers had few places to use the smart card (except as a traditional credit
card), and minimal application functionality was included on the cards to exploit
the chip. Despite this, the American Express Blue card has been very successful
and American Express has initiated the development and implementation of
value-added services, which is expected to further increase Blue card acceptance and acquisition.
In 2000, Visa U.S.A. launched smart Visa, a comprehensive brand and technology initiative for multi-application smart cards. Addressing long-standing market
barriers, cost, time-to-market and implementation complexities, smart Visa
incorporates EMV (Europay MasterCard Visa) payment and applications that
facilitate Internet access, secure Internet purchases and rewards services. With
major issuers such as First USA, Fleet, Providian and Target now participating,
smart Visa has helped to create credibility for smart card technology in North
America. The smart Visa launch essentially created de facto standards for the
U.S. smart card payment industry by requiring that smart Visa issuers use
GlobalPlatform technology. This has become a key benefit for issuers, allowing
them to expand card services by issuing new applications over the life of the
card. In December 2001, Visa released smart Visa Framework to help to accelerate application development among third-party companies. By leveraging the
Framework's common command API and security functionality, developers can
quickly establish data storage files on the card and assign access conditions to
those files to ensure the data is read and write protected. Visa also announced
the smart Rewards Platform in April 2002, with Target as a participating issuer
and retailer. A shared-system initiative designed to reduce technical and time-to-market burdens faced by card issuers and merchants, the smart Rewards
platform is the engine that manages the interaction between rewards applications
(such as electronic coupon and punch card rewards) on smart cards and software
and administration rules on POS terminals. It accommodates both Internet
and physical POS rewards programs, and allows cardholders to move
seamlessly between the two delivery channels. In support of this rewards effort,
Visa, Catuity and Welcome Real-time have agreed to collaboratively develop
interoperable solutions for smart card-based rewards or incentive services in the
United States.

[1] Card Marketing, Chips May Proliferate But Few Will Say When, March 2002

In 2002, MasterCard launched its own smart card initiative, called OneSMART.
OneSMART is a smart card delivery program for MasterCard issuers offering
consumer research and end-to-end implementation and marketing support. This
program provides MasterCard issuers with the ability to offer both basic services
and a broad menu of smart card applications, such as chip-based credit and
debit, Internet payment, security, loyalty, e-ticketing, e-couponing and stored
value. MasterCard has spent most of 2002 establishing partnerships with key
issuers, such as Citibank (which launched two smart cards in late 2001) and
smart card industry leaders, such as First Data, Welcome Real-time and other
service providers, to solidify the required services and infrastructure. MasterCard
is leveraging the MULTOS technology to provide its own flavor of a multi-application open environment. MasterCard also announced the publication of the
MasterCard Open Data Storage (MODS) specification, an application programming interface (API) for storing and retrieving data on a smart card. This specification provides member financial institutions with the ability to offer cardholders
more control over personal information and greater privacy.
Smart card issuers are finding that smart cards are attractive to consumers,
resulting in more successful new account acquisition, higher customer retention
and increased usage. Tower Group has reported that responses to chip card
direct mail offers were three times higher than the responses to non-chip card
direct mail offers and that activation rates are higher.[2] American Express has
also reported that 67% of their cardholders said that they would charge less to
their Blue card if there were no chip.[3]

Merchant Readiness
Over 21 million smart cards are expected to be deployed by the first quarter of
2003.[4] However, consumers still have little opportunity to use the technology,
due to the lack of smart card acceptance devices at retail and merchant locations. Target, the first major retailer to implement smart card acceptance devices
in their stores, has the unique position of being the issuer and retailer. With a
reported 7 million cards issued in mid-2002, Target is upgrading 37,000 POS
terminals in 1,000 stores to use the smart card chip and plans to offer electronic
couponing as its first chip-linked application.[5] Target terminals are EMV compliant and thus capable of engaging in EMV transactions based upon payment
software installed in the device.

[2] American Banker, TowerGroup Offers Rosy Forecast for Chips in U.S., Jan. 29, 2002
[3] American Banker, TowerGroup Offers Rosy Forecast for Chips in U.S., Jan. 29, 2002
[4] Tower Group. The Prospect for Financial Services Chip Cards in the U.S., presentation by Theodore Iacobuzio, Smart Card Alliance Conference, October 7, 2002.
[5] CardLine, Smart Card Lifts Target Card Program, August 16, 2002


Smart card-ready POS devices are making their way into additional retail and
merchant locations. In 2001, approximately 25% of the over 1.3 million POS
devices shipped by the three largest terminal providers in the United States were
smart card ready. With the aging of the POS installed base, it is expected that
merchants will increasingly upgrade their existing terminals with smart card-ready
devices.

Figure 1: Smart Card-Ready POS Terminals Shipped in U.S. in 2001

Ingenico: 52,200
VeriFone: 57,200
Hypercom: 209,600

Source: Card Technology, July 2002

Additional retailers have also made recent investments in smart card-ready POS
terminals, including:
- CVS, the leading pharmacy and health service retailer, will install smart card readers in 450 of its stores to provide support for credit, debit, electronic benefits transfer (EBT), gift card transactions, and electronic signatures.[6]
- Virgin Megastore, the entertainment retail chain, has installed 320 payment devices with smart card reader attachments at all U.S. Virgin Megastore locations.
- Rite-Aid, one of the nation's leading drugstore chains, has installed smart card-capable terminals in 4,000 stores to handle the store's closed system, chip-based gift (stored value) card.[7]
- ShopRite, the largest retailer-owned supermarket cooperative in the United States, is setting up smart card-ready POS terminals at 200 stores to implement a loyalty program.[8]
Some of the deployments described above may not currently support smart card
payment. Retailers who are implementing smart card-ready terminals should
ensure that terminals are EMV Level 1 approved and capable of EMV Level 2
software updates. EMV approved terminals are currently available from all of the
major terminal providers.

[6] Chain Store Age, Contests Brighten the POS, Feb. 1, 2002
[7] Electronic Transactions Association, An Industry Primer on Smart Cards, Nov. 2001
[8] RIS News, Smarter Swipers Arrive, Sept. 2001


Processing Infrastructure
A key portion of the infrastructure required by smart card technology is the
infrastructure required to issue cards and manage the card lifecycle. The two
leading U.S. issuing service providers, First Data and TSYS (Total Systems),
have announced smart card support. First Data has implemented a smart card
management system within their personalization infrastructure that provides a
seamless smart card issuance process. First Data can perform traditional bank
card personalization (such as embossing and encoding) and load, maintain and
update smart card applications throughout a card's life cycle. First Data's vision
is that eventually applications will be loaded dynamically to issued smart cards
through POS devices or ATMs. However, in the near term, applications are
expected to be loaded or updated from the Internet. TSYS is also providing their
customers with a similar capability. Both TSYS and First Data are creating the
infrastructure to ensure that they are able to support all three major card associations. First Data currently has solutions for GlobalPlatform and MULTOS.
GlobalPlatform represents a set of cross-industry technical specifications that
can be used to develop secure and flexible smart card systems. It includes both
card and terminal specifications as well as development tools. Together, these
components define an easy-to-use smart card platform upon which applications
can be added. GlobalPlatform works across different cards and operating
systems but standardizes the process for back-end systems such as personalization, key management and application loading. It enables smart card issuers to
choose between operating systems and application developers while providing a
core security and card management technology. GlobalPlatform specifications
are owned and managed by the GlobalPlatform organization.
The processing infrastructure for both issuers and acquirers must also be upgraded to support smart card payment. Both MasterCard and Visa have developed guidelines for upgrades that allow for support of the EMV specifications.
First Data, National Processing and Vital Processing have all announced that
they can support some level of smart card transaction processing. In fact, Visa
U.S.A. reports that acquirers and processors handling approximately 80% of all
Visa payment transactions have upgraded their systems to facilitate smart Visa
chip transactions between Visa and the processors' systems. While Visa and
MasterCard have mandated EMV support in Europe, Latin America and Asia, no
such mandates are planned for North America. Processors determine when to
support EMV payment according to their own business priorities.
In summary, the U.S. smart card industry has made significant progress in the
past two years, adding issuers, consumer smart card products and smart card-ready POS terminal installations. The migration of the U.S. payments infrastructure to support smart cards is complex and costly, with each participant in the
transaction needing to invest in new technology and processes. While the
migration is proceeding more slowly in the U.S. than in international markets, the
industry expects smart card adoption and acceptance to continue to grow, with
implementation driven by business cases for new multi-application smart cards
with new services that provide merchant- and consumer-specific benefits.


Physical Retail Payment and Smart Cards


Using smart cards for payment at physical retailers requires changes to processes and infrastructure for all of the transaction participants. This section
describes the transaction process for a physical smart card payment transaction
and identifies the infrastructure components that are required to support the
process.

Physical Retail Payment Smart Card Infrastructure Components


Smart card payment at physical retailers requires the following components:
- Consumer smart cards and smart card applications.
- Retailer POS hardware and software that can accept and process smart cards.
- Acquirer/processor infrastructure to authorize and settle smart card transactions and manage the terminal base, terminal applications and keys.
- Issuer systems that support the transaction process and manage the issued card base.
Smart cards. An estimated 21 million smart cards will be in consumer hands by
the first quarter of 2003. The U.S. market is developing based on smart card
technology that supports multiple applications and provides both scalability for
program expansion and post-issuance capability for future applications.
Smart card applications. Software must reside on the smart card to support
the applications of interest to the issuer and physical retailer (such as loyalty,
payment, coupons, security). These applications are either loaded when the
card is issued or added to the card later (through the smart card terminal, ATM or
the Internet).
EMV smart card POS terminals. Retailers require POS hardware that can
process smart cards. They can use standalone POS terminals that dial out or
are networked for transaction authorization, or smart card readers that are
integrated with cash registers (for convenience and tighter integration with
retailer POS systems).
Terminal applications. Merchants must have the smart card payment applications loaded on the terminal or other integrated POS device (e.g., a cash register), along with any related keys.
POS terminals that currently support magnetic stripe payment cards wait for the
card swipe or key entry. To support smart cards, the POS terminals must wait for
card swipe, key entry or card insert. The POS system may also need to support
transactions that integrate payment and other value-added applications. Consumers should be able to insert a card once and complete both the payment and
the value-added transaction.
Retailer host systems. Retailers must upgrade other host systems to support
the additional data from a smart card payment transaction and any other applications that are offered (e.g., loyalty or electronic coupons).
Acquiring/processing systems. The acquiring and processing system infrastructure must receive the smart card data collected by each POS terminal when
the terminal goes online. The transaction is then routed through the financial
networks for authorization (if required) and/or uploaded to the host system for
settlement services for the retailer. Responses from the issuer must be passed
back to the terminal.
Issuing, life cycle management and fulfillment systems. Smart cards also
necessitate changes to the issuer's infrastructure and processes. Such changes
are required to support smart card life cycle management, fulfillment and online
authorizations. Personalization and initialization information that needs to be
written onto the smart cards includes security keys and certificates, applications
(such as payment and loyalty) and cardholder information. All of this information
is formatted to allow the card production machines to write the data to the chip.
The smart cards can then be issued and sent to the cardholder.
Life cycle management includes managing card issuance, activation and applications, including possible post-issuance support for updating card data and
applications during the POS process. Many smart card life cycle management
systems are available in the market today that manage smart cards from creation
through post-issuance interaction with the card to termination, including lost/
stolen card replacement and customer service interfaces. Smart cards also allow
card/data reconstruction for lost, stolen, damaged or reissued replacement cards.
Consider the example of a cardholder losing a card at noon on Wednesday, after
a smart card loyalty transaction was executed and batched to the loyalty host on
Tuesday. If the card life cycle management system has a batch or real-time
interface with the loyalty host, the replacement card can include current loyalty
data as of Tuesday's transactions.
Retailers and issuers can either outsource life cycle management operations to
qualified vendors or perform them in house using off-the-shelf products.
Smart card fulfillment services include manufacturing, embossing and issuing
plastic cards, activating cards, managing ongoing correspondence with
cardholders, reporting to card issuers, providing transaction authorizations,
providing fraud and risk management, personalizing cards, and producing and
mailing statements.
Terminal, application and key life cycle management systems. As smart
card adoption and usage increases, multi-application cards will become more
common and merchants will want to implement new applications without purchasing a new terminal. More flexible terminals also offer acquirers the ability to
provide new merchant products and services that can be easily and affordably
downloaded and implemented. This will require the implementation of new
terminal, application and key life cycle management systems. A terminal management system must know and track terminal types, locations, capabilities,
platforms, applications and keys used for implementing security functions.
Terminal applications must be tracked to ensure terminal compatibility, to allow
them to be more easily upgraded, or to allow keys to be rotated or revoked. The
keys contained in the terminals (both public and DES keys) also need to be
tracked and managed (e.g., location of keys, key size, key expiration date).
Knowing and managing a terminal's configuration, abilities and limitations are
important for acquirer support of multi-application smart card implementations.
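
The key tracking described above (location of keys, key size, key expiration date) can be pictured as an audit over a terminal key inventory. The following is an added example, not part of the original white paper; the record fields, the minimum-size policy values, the 90-day warning window and the sample inventory are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values for this example; a real program sets its own.
MIN_BITS = {"public": 1024, "des": 112}
WARN_WINDOW = timedelta(days=90)


@dataclass(frozen=True)
class TerminalKey:
    terminal_id: str   # which terminal holds the key
    location: str      # where that terminal is installed
    application: str   # terminal application that uses the key
    key_type: str      # "public" or "des"
    bits: int          # key size
    expires: date      # key expiration date
    revoked: bool = False


def audit_keys(inventory, today):
    """Return (terminal_id, application, issue) for every key needing action."""
    findings = []
    for key in inventory:
        issues = []
        if key.key_type not in MIN_BITS:
            issues.append("unknown key type")
        elif key.bits < MIN_BITS[key.key_type]:
            issues.append("key size below policy minimum")
        if key.revoked:
            issues.append("revoked key still deployed")
        if key.expires < today:
            issues.append("expired")
        elif key.expires - today <= WARN_WINDOW:
            issues.append("expires within warning window")
        findings.extend((key.terminal_id, key.application, i) for i in issues)
    return findings


def rotation_plan(findings):
    """Group findings by terminal so one download can fix all of them."""
    plan = defaultdict(list)
    for terminal_id, application, issue in findings:
        plan[terminal_id].append(f"{application}: {issue}")
    return dict(sorted(plan.items()))


# Constructed sample inventory (not real terminals or keys).
SAMPLE_INVENTORY = [
    TerminalKey("T-0001", "Store 12, lane 3", "payment", "public", 1024,
                date(2003, 12, 31)),
    TerminalKey("T-0001", "Store 12, lane 3", "loyalty", "des", 112,
                date(2002, 11, 15)),
    TerminalKey("T-0002", "Store 40, lane 1", "payment", "des", 56,
                date(2004, 1, 1)),
    TerminalKey("T-0003", "Store 40, lane 2", "payment", "public", 896,
                date(2002, 6, 30), revoked=True),
]

if __name__ == "__main__":
    report = rotation_plan(audit_keys(SAMPLE_INVENTORY, date(2002, 10, 1)))
    for terminal, issues in report.items():
        print(terminal, issues)
```
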


Figure 2 summarizes the changes to the infrastructure that are required to
support smart cards for physical retail payment.
Figure 2: Physical Payment Infrastructure Changes to Support Smart Card Payment

Consumer
- Smart card usage for payment

Physical Retailer
- EMV-approved POS terminals that accept smart cards
- POS terminal-resident software that handles payment and other smart card applications
- Host system upgrades to integrate new data for payment and other applications and to communicate with the acquirer/processor
- Routing of transaction data to payment processor and/or other service providers

Acquiring Processor, Issuer, Other Service Providers
- Infrastructure and processing services for smart card payment transactions
- Infrastructure to issue and manage smart cards
- Infrastructure and processing services for related smart card application transactions (e.g., loyalty, authentication)
- Terminal, applications and key management
- merchant support
- Host system upgrades
- Infrastructure and processing services for smart card application transactions (e.g., payment, loyalty, authentication)
- Personalization bureaus
- Card, application and key life cycle management systems
- Secure web site support for application or coupon downloads
- Host Security Modules (HSMs) to perform related cryptographic operations
- Integration with other retailer software systems

Using Smart Cards at Physical Retailers


To illustrate how the smart card infrastructure works, consider the following smart
card payment transaction process. Other sequences of events can also be used
to complete a transaction.
1. After the items purchased by the consumer have been scanned or while
scanning is in process, the POS terminal prompts the consumer to insert the
smart card.
2. The terminal asks the cardholder to select the account they want to use for
payment, Debit or Credit. To simplify the payment process, PINs are not
required for smart card payment in the U.S.
3. The payment application on the EMV terminal reads the relevant information
from the smart card and, based on rules present in both the card and
terminal, begins a series of risk checks to see if a transaction can be
approved offline or online. If the risk exposure of the transaction is extremely
low and all risk checks have been performed and passed, the transaction can
be approved offline. If the transaction has more risk exposure than an issuer
or acquirer is willing to accept or if an offline risk check fails, the transaction
is sent online for authorization. Offline risk checks include transaction type,
offline card and cardholder authentication, previous transaction results,
random selection and pre-established rules in the card and terminal.
Currently, all U.S. smart card issuers are requiring that their transactions be
authorized online.
4. The POS informs the consumer that the transaction was accepted or
declined and completes the transaction. If the POS is set up to do so, it may
also print a receipt.
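
The offline/online decision in step 3 can be sketched as a small rule engine. This is an added example, not part of the original white paper and not the EMV specification's algorithm; the class names, thresholds and the amount-based exposure limit are assumptions, and a failed offline check sends the transaction online as the text above describes.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class TerminalRules:
    """Terminal-side rules (all values are assumptions for this example)."""
    offline_limit_cents: int = 5000       # exposure accepted without going online
    random_online_percent: float = 10.0   # share of low-risk transactions sent online anyway
    online_only_types: frozenset = frozenset({"cash_advance"})
    issuer_requires_online: bool = False  # True models the current U.S. issuer policy


@dataclass(frozen=True)
class CardData:
    """What the terminal learns from the card during the transaction."""
    card_authenticated: bool           # offline card authentication result
    cardholder_verified: bool          # offline cardholder authentication result
    previous_txn_ok: bool              # outcome recorded for the previous transaction
    consecutive_offline: int           # offline approvals since the last online one
    max_consecutive_offline: int = 3   # card-side rule


def risk_checks(amount_cents, txn_type, card, rules, rng=random.random):
    """Return the reasons this transaction must go online (empty list = none)."""
    reasons = []
    if rules.issuer_requires_online:
        reasons.append("issuer requires online authorization")
    if txn_type in rules.online_only_types:
        reasons.append("transaction type not allowed offline")
    if not card.card_authenticated:
        reasons.append("offline card authentication failed")
    if not card.cardholder_verified:
        reasons.append("cardholder verification failed")
    if not card.previous_txn_ok:
        reasons.append("previous transaction result")
    if card.consecutive_offline >= card.max_consecutive_offline:
        reasons.append("card offline counter exceeded")
    if amount_cents > rules.offline_limit_cents:
        reasons.append("amount above offline limit")
    # Random selection applies only to transactions that passed every other check.
    if not reasons and rng() * 100 < rules.random_online_percent:
        reasons.append("random selection")
    return reasons


def decide(amount_cents, txn_type, card, rules, rng=random.random):
    """Return ("APPROVE_OFFLINE", []) or ("GO_ONLINE", [reasons])."""
    reasons = risk_checks(amount_cents, txn_type, card, rules, rng)
    return ("GO_ONLINE", reasons) if reasons else ("APPROVE_OFFLINE", [])


if __name__ == "__main__":
    card = CardData(card_authenticated=True, cardholder_verified=True,
                    previous_txn_ok=True, consecutive_offline=0)
    print(decide(1200, "purchase", card, TerminalRules()))
    print(decide(1200, "purchase", card, TerminalRules(issuer_requires_online=True)))
```
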
Recently, contactless transactions have also been attracting interest as a way to
reduce the consumer payment process time at the retailer. When a contactless
smart card is presented to the reader, the data transmitted between the card and
the reader is encrypted and the transaction process flows as described above.
Figure 3 illustrates the participants and flow of data in the smart card transaction
process.
Figure 3: Physical Retail Smart Card Transaction Process

[Figure: flow diagram. Participants: Consumer, Merchant, Processor, Merchant Acquiring Bank, Financial Networks, Consumer Issuing Bank. Labeled flows: Smart card; Transactions for authorization and/or settlement; Settlement files; Funds, Transaction reports, Chargeback reports; Billing statements, Dispute resolution; Card management functions (e.g. update to data).]

Consumer uses smart card. Terminal, card and cardholder interact to:
- Verify the consumer is the proper cardholder.
- Execute issuer risk management policies to determine if the transaction should be authorized online.

Significant retailer investment is required to accept smart cards. Retailers
continue to upgrade their POS systems and a significant fraction of terminals are
currently shipped smart card ready. POS software may be able to be upgraded
to add smart card payment and other value-added applications over time. In the
future, this will allow merchants to more easily take advantage of new applications that exploit smart card technology without new hardware investment.

Internet Retail Payment and Smart Cards


This section describes the infrastructure components required for an Internet
smart card payment transaction. This section assumes that the Internet retailer
has a commerce-enabled web site in place and is adding smart card capability to
the Internet site.
Security and cardholder authentication for remote channels are critical issues
facing issuers and the Internet community today. Unlike the physical world, there
is no signed sales receipt associated with today's ecommerce transactions.
Without such evidence, it is very difficult to dispute the cardholder's claim of not
engaging in a given card transaction. As a result, issuer and retailer expenses
associated with chargeback processing for Internet transactions are increasing.
In fact, chargebacks due to cardholder non-authorization represent as much as
84% of all electronic commerce chargebacks.[9]
At the same time, industry data suggests that consumers are holding back on
Internet purchases due to lingering security worries. MasterCard research, for
example, shows that 90% of Internet non-buyers worry that their personal and
financial information may fall into the hands of hackers and 71% are concerned
about credit card fraud.[10] This level of reluctance is a very real barrier to building
online business. The implementation of smart cards and strong Internet authentication may help to overcome these issues.

Internet Retail Payment Smart Card Infrastructure Components


The Internet retailer smart card infrastructure includes the following components:
- Consumer smart cards and smart card applications.
- A smart card reader for the consumer's personal computer (PC).
- PC client software to support smart card applications.
- Internet retailer server support for smart card applications.
- Acquirer/processor infrastructure for authorization and settlement of smart card transactions.
- Issuer systems supporting the authentication and transaction process and managing the issuer card base.

Consumer Infrastructure
Smart cards. Smart cards issued by American Express and Visa and
MasterCard issuers currently support Internet authentication and payment, with
plans to support additional applications in the future.
Smart card applications. As with physical payment, software must reside on
the smart card to support the applications of interest to the issuer and retailer
(e.g., authentication, payment, loyalty, coupons).
PC-based smart card readers. Consumers must connect EMV Level 1-approved smart card readers to their PCs. Each smart card issuer offers readers
with the smart card. Readers are available that operate with serial, USB and
PCMCIA interfaces.

[9] Source: MasterCard International.
[10] Source: MasterCard International.


PC client software. Consumers must install client software to support smart
card applications. This software can include:
- Graphical user interfaces for e-wallet functions, data storage or PIN management.
- EMV Level 2 software.
- Loyalty application software.
- Middleware to provide the interface between applications such as loyalty, data storage and the smart card reader.
- Drivers for the smart card reader.
- ActiveX or Netscape plug-ins (or both) to provide the interface between the merchant's web site and the client software.
- Diagnostic tools.
- Documentation and help files.
- Installation wizards.
- Public key signing.
Figure 4 illustrates the architecture of the software on the consumer's smart card
and PC.
Figure 4: Architecture of Smart Card Support for the Internet Consumer

[Figure: layered architecture diagram. BACKEND: Merchant Web Site, Loyalty Server, Authentication Server. Internet. PC: Web Browser (Netscape or Internet Explorer); NS Plug-In and IE ActiveX components; Loyalty, Security, Convenience, Payment (VSDC, M/Chip) and other applications; Microsoft PC/SC; EMV Level 1 Smart Card Reader. CARD: Loyalty, Security, Payment (VSDC, M/Chip), Convenience and other applications.]

Merchant and Service Provider Infrastructure


Merchant Web Server. Content and web services must change on the merchant web site to support smart cards. These changes include serving HTML
pages with embedded tags used by the client application to process payment
and authentication information at the consumer's PC. The web server may
require changes to support authentication and payment. For authentication, this
may include:
- Routing the HTTP request sent by the client to the authentication server. The authentication server then validates the authentication request.
- Analyzing the response from the authentication server to determine whether authentication is approved and sending it to the client application. Once authentication is validated, a session is opened between the client and the merchant site. Session management can be performed by the merchant web server in the same way that it is currently handled for non-smart card solutions.
Merchant web servers may already include the functionality to route transactions
to the appropriate financial networks for payment. However, the merchant would
have to modify or extend this functionality to support smart cards. The acquirer
and issuer payment systems must also be modified to process smart card-based
transactions (for example, additional data elements and new transaction processes need to be supported). As a result, the current interface between the
acquirer/processor and the merchant web server may have to change.
Authentication Server. The authentication server provides the service that
allows access to a secure site. It receives requests from the web server, validates these requests using the Host Security Module (HSM), and returns the
validation result to the web server. The main services provided by the authentication server are:
- Authentication of requests.
- Card hot-list verification.
- Legacy system integration.
- Key management.
Currently, an authentication server can be part of the web server or can be a
separate entity. An existing authentication server would have to be modified to
support smart card-based authentication. It is very important to add this functionality without affecting existing support for magnetic stripe cards.
Loyalty Server. If a merchant wants to participate in a smart card-based loyalty
program, the web server also needs to interface with a loyalty server. Loyalty
servers accumulate and manage loyalty points on each purchase and provide the
ability for the consumer to redeem those points during an Internet purchase. The
loyalty server can either be located in-house or outsourced. Many providers offer
loyalty solutions that can easily be integrated into a merchant's payment system.
Server Interfaces. As a result of the changes discussed above, the following
interfaces may need to be developed or modified:
- PC/client - Merchant web server.
- Merchant web server - Payment system networks.
- Merchant web server - Authentication server.
- Merchant web server - Loyalty server.
- Authentication server - HSM.
- Authentication server - Legacy systems.

24x7 Helpdesk. The Internet retailer needs to train customer support personnel
on the smart card process. Consumer smart card issues are different from
magnetic stripe card issues. The merchant also needs to be sensitive to the fact
that consumers are now expected to install both the client software and the smart
card reader.
Figure 5 illustrates one possible system architecture for supporting the Internet
smart card payment process.
Figure 5: Smart Card-Enabled Internet System Architecture
[Diagram components: Consumer PC, Consumer Wireless Device, Internet, Firewall, Merchant Web Server, Loyalty Server, Payment Networks, Authentication Server, Card Data, Legacy Systems, HSM.]

Using Smart Cards at Internet Retailers


This section describes the Internet smart card payment transaction process. The
section assumes that:
- The end user is already connected to the Internet and the browser is started.
- The smart card reader is connected to the user's computer.
- The necessary smart card client software is installed on the user's PC.
Authentication Process
1. The user visits the merchant's home page, by entering the URL manually, by
using the browser's favorites or history function, or by selecting a URL stored
on the smart card or computer.
2. The merchant web server determines that the home page is not protected.
The web page is sent to the user.
3. The home page includes a link to a protected page (e.g., the user's account
information or a checkout page). When the user selects the link, the
merchant web server starts the card reader software.
4. The card reader software prompts the user to insert the smart card into the
PC's smart card reader and enter a password.
5. The smart card validates the password.
6. A unique transaction certificate is routed to the merchant's authentication
server that authenticates the cardholder/smart card combination. The
certificate is created by the card, making it unique for each access attempt.
If the authentication server approves the transaction, the merchant can
assume that this is indeed the correct cardholder. The twofold guarantee
offered by the combination of what the user has (a card) and what the user
knows (a password) provides the merchant with robust security.
7. When authentication is received, a session is created. The user then can
access protected resources or web pages until the user exits or the session
times out.
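The authentication server services listed earlier (authentication of requests, card hot-list verification, key management) and the per-attempt certificate of steps 4 to 6, sketched as an added example that is not part of the original white paper or of any card scheme's code. It assumes an HMAC-SHA256 value in place of the card-generated certificate, a server challenge plus a card counter as the source of uniqueness, and a software function standing in for the HSM; all names, keys and card numbers are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key. In a real deployment the master key stays inside the HSM.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)


def derive_card_key(master_key: bytes, card_id: str) -> bytes:
    """Stand-in for the HSM call that derives a per-card key from the master key."""
    return hmac.new(master_key, b"card-key" + card_id.encode(), hashlib.sha256).digest()


def certificate_mac(key: bytes, card_id: str, counter: int, challenge: bytes) -> str:
    """MAC over card id, card counter and server challenge (length-prefixed id)."""
    cid = card_id.encode()
    msg = bytes([len(cid)]) + cid + counter.to_bytes(4, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DemoCard:
    """Card side: checks the password on-card, then issues a per-attempt certificate."""

    def __init__(self, card_id: str, key: bytes, password: str, counter: int = 0):
        self.card_id, self._key, self._password = card_id, key, password
        self.counter = counter
        self.tries_left = 3

    def certify(self, password: str, challenge: bytes) -> Optional[dict]:
        if self.tries_left == 0:
            return None  # card is blocked after three wrong passwords
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = 3
        self.counter += 1  # makes every certificate different
        mac = certificate_mac(self._key, self.card_id, self.counter, challenge)
        return {"card_id": self.card_id, "counter": self.counter, "mac": mac}


class AuthenticationServer:
    """Server side: request authentication, hot-list check, key derivation."""

    def __init__(self, master_key: bytes, hot_list: set):
        self._master_key = master_key
        self._hot_list = set(hot_list)
        self._pending = set()     # challenges issued and not yet consumed
        self._last_counter = {}   # card_id -> highest counter accepted so far

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def validate(self, cert: dict, challenge: bytes) -> str:
        if challenge not in self._pending:
            return "REJECT_UNKNOWN_CHALLENGE"
        self._pending.discard(challenge)  # a challenge is good for one attempt
        card_id, counter = cert["card_id"], cert["counter"]
        if card_id in self._hot_list:
            return "REJECT_HOT_LISTED"
        key = derive_card_key(self._master_key, card_id)
        expected = certificate_mac(key, card_id, counter, challenge)
        if not hmac.compare_digest(expected, cert["mac"]):
            return "REJECT_BAD_CERTIFICATE"
        if counter <= self._last_counter.get(card_id, 0):
            return "REJECT_STALE_COUNTER"
        self._last_counter[card_id] = counter
        return "APPROVED"


def run_demo() -> list:
    server = AuthenticationServer(MASTER_KEY, hot_list={"CARD-0002"})
    card = DemoCard("CARD-0001", derive_card_key(MASTER_KEY, "CARD-0001"), "4821")
    lost = DemoCard("CARD-0002", derive_card_key(MASTER_KEY, "CARD-0002"), "1357")
    results = []

    ch = server.new_challenge()
    cert = card.certify("4821", ch)
    results.append(server.validate(cert, ch))                      # genuine attempt
    results.append(server.validate(cert, ch))                      # same message resent
    results.append(server.validate(cert, server.new_challenge()))  # old cert, new challenge

    ch = server.new_challenge()
    results.append(server.validate(lost.certify("1357", ch), ch))  # card on the hot list

    # A copy whose counter restarted at zero yields a valid MAC but an old counter.
    copy = DemoCard("CARD-0001", derive_card_key(MASTER_KEY, "CARD-0001"), "4821")
    ch = server.new_challenge()
    results.append(server.validate(copy.certify("4821", ch), ch))

    results.append(card.certify("0000", server.new_challenge()))   # wrong password
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Only the first attempt is approved; the merchant web server would open a session on that result and on nothing else.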
Payment Process
1. The user browses a merchant web site and fills a shopping cart.
2. Once the user decides to check out, the web site order form starts the smart
card reader software. If applicable, the user is given a chance to redeem
loyalty points before checking out.
3. The software prompts the user to insert the smart card into the smart card
reader and enter a password.
4. The smart card validates the password and launches the cardholder's e-wallet, which stores the cardholder's credit card information, along with billing
and shipping information.
5. The e-wallet fills the order form with the cardholder's information from the
smart card.
6. Once the user confirms the purchase, the transaction is routed to the credit
card issuer to authenticate the cardholder/smart card combination. Each
card creates a unique digital certificate. This certificate is sent to the issuer
via the merchant site. If the issuer approves the transaction, the merchant
can assume that this is indeed the correct cardholder. The twofold guarantee
offered by the combination of what the user has (a card) and what the user
knows (a password) provides the merchant with extra peace of mind.
Additional merchant benefits include liability shift for fraudulent transactions
and non-repudiation.
7. Once authentication is received from the card issuer, the merchant requests
an authorization through the credit card network (if necessary). The
transaction then flows like a card-not-present transaction.
8. If the merchant participates in a loyalty program, points are added to the
user's loyalty account (either on the card itself or on a loyalty server).
Other Applications
An Internet merchant's infrastructure includes multiple subsystems. The most
obvious is the payment system, which is also the most important for smart cards.
In addition to the payment system, a merchant's infrastructure may include
inventory management, stocking number management, risk management,
server-based promotions and other merchandising or management systems.
These systems are typically proprietary and therefore different for each retailer.
Any changes to these systems that might be required to support added value
applications using smart cards may therefore be unique.

Internet Authentication Support from Visa and MasterCard


Both MasterCard and Visa have implemented Internet transaction security
programs, MasterCard SecureCode and Verified by Visa (VbV), to
improve the authentication of Internet consumers. Both services can be used
with or without a smart card.

MasterCard SecureCode provides the issuer with a choice of authentication
options and includes a PC Authentication Program, Chip Authentication Program,
and a MasterCard implementation of 3-D Secure. Each of these solutions
converges around the passing of authentication data via MasterCard's Universal
Cardholder Authentication Field (UCAF). The Chip Authentication Program
option within MasterCard SecureCode was designed to offer the ease of use and
security of an EMV-compliant smart card for authentication through a user's PC.
This solution is designed to interoperate with the UCAF hidden fields and specifications and is supported by both standalone and connected smart card readers.
If the cardholder has installed the necessary PC software and reader, the
cardholder inserts the smart card into a card reader and enters their PIN during
the Internet payment process at participating merchants. The chip then generates a value that the cardholder places into the issuer pop-up window which
appears on the order confirmation page. The other MasterCard SecureCode
implementation options may also include a smart card component.
Verified by Visa (VbV) uses the 3-D Secure protocol to enhance and validate
payments made through the Internet. All smart Visa cards are VbV-ready. If a
cardholder has installed a reader and the necessary software to support it, then
when that customer shops at a participating merchant location, they will be
instructed to insert the smart Visa card into the reader. Cryptographic information
on the smart card chip is then interrogated and compared, along with the user-supplied password, by the access control system to information known about the
card. This provides the card issuer with two-factor authentication.
The goal is to improve consumer confidence in using credit cards on the Internet
and reduce the number of Internet merchant chargebacks. The advantage to the
merchant of using these authentication programs is to further reduce
chargebacks when consumers use MasterCard SecureCode or Verified by Visa.


Key Drivers for Smart Cards and Retail Payments


Today's large retailers cannot possibly provide the personalized service their
small town counterparts once did. Increased costs, shrinking margins and the
increased competition represented by large national chains are causing retailers
to look toward technology to provide order-of-magnitude gains in market share
and corresponding reductions in infrastructure support costs.

Key Drivers for Retailer Investment


Regardless of the application, product or service, every retailer looks at a certain
set of criteria to decide whether an investment is warranted. The criteria applied
to an investment decision tend to fall into four major categories.
1. Will the investment result in reduced time in the lane or a decrease in
labor costs? Time is money for retailers. One compelling justification in any
business case for a technology investment is its ability to shorten customer
lines and expedite checkout. The ability to reduce staff costs while at the
same time improving the checkout experience and minimizing the frustration
associated with long lines is a key driver for adoption of a new retail
technology.
2. Will the investment result in increased sales, acquisition of new
customers or improved customer loyalty? Retailers face the challenge of
determining how to motivate customers to spend more during a shopping
experience or encourage them to transfer spending from another retailer.
The requirement to know who your competition is crosses market segments.
Grocery stores compete with fast-food restaurants by offering hot prepared
foods. General merchandisers compete with gas stations by selling gasoline
at locations in their parking lots. Competition for the consumer's wallet is
strong and represents a significant driver.
3. Will the investment reduce transaction costs or protect against costs
associated with consumer or merchant fraud? Different tender methods
have different costs of doing business. Fraudulent coupons, rebate
redemptions, credit cards, checks or refunds increase the cost of doing
business. Technology investments that reduce the impact of fraud on the
bottom line will be looked at favorably.
4. Will the investment affect the customer's purchase behavior? The ability
to influence customer selection is a significant challenge. The customer who
makes a large purchase is not always the most profitable customer. This
customer may be a selective buyer, choosing to buy only loss-leading items.
Retailers are looking for ways to influence customers to buy higher margin
goods, increasing customer value and margin per shopping experience.
To be adopted, technology must demonstrate a reasonable return on investment.
The basic question usually is "Should I spend money on this technology investment as opposed to building another store at a different location or implementing
another retail system enhancement?"
Retailer Challenges
Today's retailers face some unique challenges. The first challenge is how to find
out who the customer is, to allow up-selling or cross-selling. The second challenge is how to improve the quality of the customer's experience while still
allowing the customer to remain anonymous.
The first challenge requires a retailer/issuer agreement to consolidate data about
the retailer's customers and their experiences. The retailer can then compile the
data from multiple databases and leverage it across its own retail channels
(which might include physical stores, web sites and catalogs). Knowing which
products are purchased, how they are purchased and in what combination they
are purchased allows retailers to suggest complementary items.
The second challenge requires new capabilities that can create positive customer
experiences or avoid negative ones (such as finding that a desired item is out of
stock). For the retailer, the challenge becomes how to apply information technology to positively reinforce the shopping experience.
The challenge for the smart card industry as a whole is to offer a cost-effective
technology solution that presents the retailer with a sufficiently compelling
business case.

Smart Card Applications Addressing Retailer Priorities


Today's smart cards can support a variety of payment and non-payment applications. Since each retailer has a unique set of requirements and business priorities, the decision process and business case for deploying smart card technology
differs from retailer to retailer. This section highlights some of the applications
that are expected to drive retailer acceptance of smart cards.
Smart Card Credit and Debit Payment Applications
With over 21 million smart cards expected to be in circulation in the United States
by the first quarter of 2003, one might believe that increasing consumer use of
smart cards would drive retailers and processors in 2002 and 2003 to upgrade
their magnetic stripe-based payment infrastructure to support smart card-based
payment. For a pure payment application, however, this is not expected to be
the case.
Smart card payment that is based on the EMV specification (and mandated by
the card associations) is being deployed in Europe, Latin America and Asia to
reduce credit card fraud and telecommunications expenses. The majority of
payment transactions in the United States, however, are authorized online,
resulting in lower fraud rates than in other parts of the world. In addition, U.S.
issuers have developed sophisticated fraud detection tools and neural networks
that are very effective in identifying fraud. Those same tools have not been
deployed in other parts of the world. As a result, fraud by itself does not provide
a sufficient business case for physical payment infrastructure stakeholders to
invest in infrastructure upgrades. In addition, the U.S. also enjoys low telecommunications costs.
It is expected that the driving business case for smart card adoption in the United
States will be based on revenue generation, new payment types and value-added applications and programs. When added to a payment card, these
applications (discussed next) can increase the overall value proposition to the
cardholder, retailer and issuer.

Emerging Smart Card Markets and Applications: Keys to Making Smart Card Payment a Reality
Although it is the smart card payment application that attracts media attention in
the financial world, emerging non-payment applications are expected to create
the business case for issuers to introduce smart card products, retailers to accept
them and consumers to demand them. The smart cards currently being issued
by American Express and by MasterCard and Visa issuers support multiple
applications. Many new POS terminals also have expanded memory and
increased power, enabling them to be multifunctional and support multiple
applications.
Seven key markets, each with a specific set of application drivers, are adding
momentum to the movement toward smart card implementation in the United
States today. Each market application is concerned about security, speed,
convenience and customer gratification. The markets are:

- Internet commerce
- General retail
- Mobile commerce
- Transit
- Contactless payment
- Campuses
- Government

Internet commerce. It is estimated that the number of users of the Internet in
the United States has reached at least 100 million. As important is the ever-growing number of retailer web sites capable of commerce on the Internet. The
combination of consumer fears of providing a credit card number on the Internet,
a higher fraud rate for Internet transactions, and new Internet payment competitors (e.g., Billpay and PayPal) creates a compelling value proposition for smart
cards for Internet commerce. By issuing smart cards that securely carry a
consumer's private keys, issuers can reassure consumers that paying with a
credit card is both as safe as and more convenient than using one of the Internet
competitors. By accepting smart cards, Internet retailers can reduce their fraud
rate and associated costs. Thus, the need for more secure cardholder authentication may boost the use of smart cards on the Internet.
General retail. The ability of smart cards to support programs that drive new
customer acquisition, improve customer loyalty and support innovative new
merchandising programs addresses a number of retailer priorities. Loyalty
programs, electronic coupons, targeted advertising, partner marketing programs
and customer profiles are stimulating the interest of retailer marketing groups.
The card associations are also developing standard platforms to address these
requirements. The ability for smart cards to be used at both Internet and physical
stores offers significant benefits for "bricks and clicks" retailers.


Loyalty programs have long been a staple of the retailer market segment. S&H
Green Stamps, an early example, allowed customers to purchase products in
one store and redeem stamps for merchandise in another, in exchange for
information about themselves. This type of program enabled retailers to personalize the shopping experience with targeted content (for example, by offering
discounts aimed at getting customers to try a new brand or product). The ability
to stimulate customer demand to buy more by understanding purchase history,
recommending additional items, alerting customers to new purchasing opportunities and rewarding greater levels of purchasing is a key driver.

The need for better levels of information about customers encourages the implementation of customer profiles. Retailers could benefit from the capture and use
of a profile that defines consumer buying habits and history. This information can
provide the retailer with data that suggests ways to promote higher margin products, accelerate the checkout process by facilitating self-service check out and
encourage customer loyalty through incentive promotions and programs at the
store. Smart cards provide significant benefits to both retailers and consumers by
being able to securely store data so that no unauthorized entity can view it. Smart
cards impose strict security requirements on data access, hiding information
stored in one application from others. This ensures that consumer data is private
and that retailers can securely access only data that is relevant to them.
The Target smart Visa card is the most notable example of a prominent retailer
implementing both payment and non-payment applications on a single smart card
and using smart card programs to create strategic competitive advantage. In
addition to payment, Target is implementing a loyalty program and electronic
coupons in partnership with Procter & Gamble, Unilever, Pepsi-Cola, and Mattel,[11]
with deployment to be complete this year.
Mobile commerce. The mobile commerce market has seen high growth throughout the world. In the United States, however, the absence of a telecommunications standard has made implementation a challenge. U.S. carriers use PCS or
CDMA technologies, which do not use smart chips. The next few years will see
the proliferation of GSM networks in the United States, with AT&T beginning to
convert their networks and other carriers following. The SIM card will allow issuers
to provide an easier payment mechanism for mobile commerce. Other technologies, such as Bluetooth, are also being investigated to further mobile commerce.
Non-payment applications such as identity authentication and information provisioning will be key to driving this market.
Transit. The transportation and transit market is already moving ahead with smart
card technology (for example, SmarTrip in Washington, D.C., Amtrak, BART in the
San Francisco Bay Area, and the Chicago Transit Authority). These systems use
smart card-based electronic tokens for fare collection. Issuers can take advantage
of these systems by offering a payment method tied to the transit cards at nearby
retailers. For example, the North Dallas Tollway in Texas uses an RFID technology to collect fares. The same system can be used at participating McDonald's
restaurants.
Contactless payment. Contactless technology is particularly well suited to the
retail environment. The pass-by method of card presentation is convenient and
allows multiple form factors to be used for the payment device. A fast, secure
transaction can be accomplished simply by presenting a card, key fob, or other
contactless device to the reader. One of the most compelling uses for contactless
cards is at drive-through retail establishments, where long read ranges are required for a good user experience. Devices such as the ExxonMobil SpeedPass
are useable outdoors, even in inclement weather or a dirty environment.
Contactless readers have no slots, switches, or pins, significantly lowering the cost
of ownership and maintenance. Finally, contactless systems are specified by ISO
international standards, supporting straightforward extensibility and
interoperability. Contactless technology can be an excellent complement to
contact technology in appropriate situations.

[11] CardLine, "Smart Card Lifts Target Card Program," August 16, 2002.

Campuses. Both college and business campuses have begun to use smart
cards. Major uses have been: asset tracking; meal plans; physical access to labs,
dorms, and special events; network logons; and secure data storage, including
personnel records, digital certificates and health data. The same card can also
have a financial application, allowing purchases on campus and at nearby retailers via stored value or prepaid accounts. Another successful application is the
SMARTIX baseball stadium ticketing program, which allows season tickets to be
downloaded off the web onto a smart card. The card is then used to enter parking
lots and stadiums. Cardholders can also transfer their tickets electronically, with
transferred tickets downloaded from the web or picked up at a will-call window.
Both the San Diego Padres and the Los Angeles Dodgers are currently using
SMARTIX.
Government. The power of the smart card for government health and entitlement
programs lies in the card's ability to hold both payment and non-payment applications. In conjunction with host systems, these applications provide multiple
benefits to recipients. Smart card usage in entitlement programs such as the U.S.
food stamps program or the Women, Infants and Children (WIC) program is
already a reality. Ohio and Wyoming have smart card-based EBT programs in
place, with New Mexico, Texas and several New England states also implementing programs. The U.S. government is also using smart cards to control both
physical and logical access to facilities and networks and is expanding the
number of programs and agencies that are using smart cards for employee
identification. The U.S. Navy is moving forward on a smart card implementation
that will include an electronic purse application for use on naval bases.
New smart card applications are setting the stage for additional penetration by
card issuers, adoption by merchants and usage by consumers. Integrating non-payment applications with new and traditional payment applications creates a
compelling business case for implementing smart card technology.


Key Challenges for Smart Cards and Retail Payments


Smart cards have gained momentum in retail payment in the past 18 months.
However, the cards still face significant challenges in gaining widespread merchant acceptance and consumer use. This section reviews the barriers to the
adoption of smart cards and describes what is being done to overcome these
barriers.

Merchant/Retailer Business Case and Profitability


The most compelling barrier to the adoption of smart cards by merchants and
retailers is the lack of a clear business case. The POS environment is not in
place to support widespread acceptance of smart cards for business reasons
rather than technical reasons. While smart cards can now support numerous
applications that are of interest to retailers, the business case is still difficult to
define, for the following reasons:

- Non-payment applications are not maturing quickly enough to overcome
  vendor differences and interoperability issues. The development and
  issuance costs of moving non-payment applications to the smart card also
  adversely affect the business case.
- There are significant challenges in aligning all stakeholder (issuer, merchant,
  acquirer, consumer) interests.
- Competing technologies can be used for certain applications.
- Other technology projects have higher priority, due to perceived better return
  on investment and easier implementation. For example, bar codes, Internet
  accessed terminals, and consumer-friendly devices such as coupon kiosks
  tend to generate measurable bottom-line contributions quickly.

In the absence of a compelling business case, large retailers are not venturing
into contact smart card programs without a clear justification. Instead, the
merchant community is likely to rely on incentives from other stakeholders (such
as issuers and card associations) to provide assistance with re-terminalization
costs, interchange incentives (e.g., card-present rates and guaranteed payments
for Internet purchases) and reduced chargeback costs.
The back office integration cost of implementing smart card applications is also
seen as a major hurdle. Retailers must incur the cost of modifying other store
and POS systems to accommodate new smart card applications. Like many
businesses, retailers have had to make tough budgeting decisions since 2001.
Competition for IT dollars has grown significantly, for both card issuers and
merchants. Other costs such as project management and in-store training also
add to the overall implementation expense.
Compelling smart card business cases are being created in specific retail segments and for new applications.

- Merchants who have already invested in POS hardware upgrades will be
  able to add new applications (payment or non-payment) to leverage their
  investment.
- Strong co-branding relationships between retailers and manufacturers or
  retailers and issuers can be extended to deliver smart card value
  propositions and leverage common business goals. For example, retailer
  access to issuer or card association consumer promotion programs can help
  increase retailer market exposure and attract new customers.
- Retail segments in which speed of payment is essential (e.g., quick service
  restaurants) are considering contactless/proximity payment solutions to gain
  a strategic advantage. The success of programs such as ExxonMobil's
  SpeedPass has shown that low time-in-field and pass-by convenience have
  major advantages for volume retailers.
- "Bricks and clicks" retailers can use smart cards as a strategy enabler
  through Internet programs linked to physical stores (such as coupons
  downloadable to smart cards).
- Co-marketing arrangements with smart card applications can be
  implemented through merchant coalitions, formed by assembling non-competing merchants that are complementary based on price, quality or
  lifestyle.
- Issuer and transit authorities can cooperate to implement a mass transit
  application on issuer cards (using proximity/contactless technology),
  providing improved convenience for the consumer and an additional payment
  type for merchants.
- Retailer implementation of loyalty programs, coupons and rewards can
  provide a strategic advantage and help retailers deploy creative marketing
  programs to retain and attract customers.

Internet commerce provides another bright spot for the smart card business
case. At the Electronic Transactions Association meeting in April 2002, Barry
Davis, senior consultant with First Annapolis Consulting, delivered a presentation
that identified the anticipated growth of Internet commerce as an improved
business case for smart cards for Internet merchants. Due to higher fraud rates
in Internet transactions vs. physical transactions (1.14%[12] vs .09% in 2001[13]),
Internet retailers who implement smart cards could see significant savings from a
reduction in fraud and card-present transaction rates. The increase in Internet
purchases as a percentage of overall consumer purchases will help drive consumer use of smart cards, integration of smart card readers with personal
computers and complementary "bricks and clicks" programs, providing additional
momentum to physical POS smart card implementations.
While the business case for smart card-based payment is challenging, these new
applications and business relationships are expected to add drivers for U.S.
smart card deployment. Merchants will only implement the smart card infrastructure when they see a positive business case. This business case will be driven
by a combination of applications and partnerships that drive revenues, lower
costs and increase consumer satisfaction and loyalty.

Standards and Interoperability


Standards-based solutions are critical to fueling adoption of new technologies.
Such solutions support compatibility, interoperability and component availability.
Standards allow the consumer to use a single card and card reader for multiple
applications at multiple retailers. Standards enable the retailer to install the
smart card hardware and software infrastructure, knowing that all customer cards
will work, a selection of interoperable hardware and software products will be
available, and the infrastructure investment will be preserved. Standards help
the issuer drive the mass deployment of interoperable cards and readers and
enable multi-organization partnerships. The processor can focus efforts on a
common standards-based implementation, reducing the cost of infrastructure
deployment and maintenance.

[12] Gartner Group, "One Percent of Online Sales Lost to Fraud," InternetWeek, March 4, 2002.
[13] Tower Group, "Credit Card Skimming: Growing Trend or Media Hype?" Transaction World, Sept. 2001.

Standards for using smart cards for retail payment have been driven by aggressive international implementations of smart card-based debit and credit card
transactions. International standards and consortia-led specifications are already
in place, with supporting products available from multiple manufacturers. The
following are some of the standards and specifications that are relevant to smart
card usage for retail payments.
- EMV. First published in 1996, the EMV Level 1 and Level 2 specifications
  define the physical and electrical characteristics of the smart card, the
  organization of applications within the card, the set of commands, the
  transaction flow for the purchase process and the specification for card
  acceptance terminals. Both MasterCard and Visa require all payment
  devices to be approved through a certified EMV lab.
- PC/SC. The PC/SC specifications allow PC-based applications to be
  independent of the smart card reader.
- Open Operating System. The proprietary smart card operating systems of
  the 1990s are being replaced by common operating systems, such as
  JavaCard and MULTOS. These open operating systems allow card and
  application issuers to be more independent of card manufacturers and
  support faster application development and deployment.
- GlobalPlatform. Comprised of a suite of card, system and device
  specifications, GlobalPlatform specifications define a standard upon which
  multiple consumer and business applications can be built, distributed and
  managed. The specifications standardize back-end systems such as
  personalization, security, key management and application loading, while
  streamlining the critical processes in smart card lifecycle management, from
  issuance to reissuance.
Both credit and debit card payment transactions at a physical point of sale are
currently supported by solutions based on the above specifications. However,
effort is still required to develop standards that will result in interoperable solutions for some of the newer, highly desirable applications that could drive faster
smart card adoption. Such applications include:

Loyalty applications. Loyalty programs benefit both the consumer and
retailer by providing consumers with rewards for shopping at selected
retailers and providing retailers with a way to retain and reward loyal
customers. Smart card-based loyalty programs allow consumers to receive
their rewards faster and at a lower cost to the retailer and are expected to
allow rewards programs to span multiple retailers. Standards or industry-driven
specifications currently do not exist for loyalty system
implementations, so each smart card issuer defines its own unique approach.
Both MasterCard and Visa have recently started to define common
approaches for smart card-based loyalty programs. Visa announced an
agreement with the two leading loyalty system vendors, Catuity and
Welcome Real-time, to define and implement a common approach for
supporting multiple card technologies at a single rewards-enabled POS
device. Visa also announced the smart Rewards Platform, a shared-system
initiative designed to reduce technical and time-to-market burdens faced by
card issuers and merchants. MasterCard published specifications for MODS,
an API for storing and retrieving data on smart cards.

Smart card readers and PCs. Using smart cards for Internet purchases
and authentication is expected to be a key market driver. The PC/SC
specification does not yet address a standard mechanism for launching an
application when a smart card is inserted into a PC-based card reader. The
PC/SC Workgroup is currently working on this issue, with plans to include
this function in Version 2 of the PC/SC specification.

With a compelling business case, few industries wait for final standards. Market
leaders drive forward in parallel with standardization and specification efforts and
implementations iterate through several revisions. The financial industry is very
active in initiating activities to address issues that are critical barriers to deployment. The industry has a strong history of successfully developing and implementing specifications that benefit all stakeholders.
While the necessary standards and specifications are in place for retailers to be
able to invest in smart card based payment today, there are still issues with
interoperability and standardization that must be addressed. Industry groups are
initiating activities to work on these issues for the newer applications. As with most
new technologies, however, it will take time for these efforts to result in specifications, standards and compliant products to use in smart card implementations.

Conclusion
The U.S. smart card industry has made significant progress in the past two years
toward supporting smart cards for payment at the retail point of sale, adding
issuers, consumer smart card products and smart card-ready POS terminal
installations. Momentum is growing, as card associations, issuers, retailers and
processors/acquirers all launch programs and deploy new infrastructure to
support smart card payment.
The migration of the U.S. payment infrastructure to support smart cards is
complex and costly. Each participant in the payment transaction will need to
invest in new technology and processes. So far, it has been difficult for retailers
and other transaction participants to create a business case for investment in
smart card technology. The problem has been exacerbated by the presence of
competing technologies in the marketplace and by an economic downturn that
has slowed investment in all businesses.
The migration to smart card support is definitely proceeding more slowly in the
United States than in international markets. However, the industry expects smart
card adoption and acceptance to continue to grow. Multiple key markets, each
with specific application requirements, are driving retail smart card implementations.

Smart cards support programs that can help retailers acquire new customers,
improve customer loyalty, and implement new merchandising programs.

Smart cards offer both Internet commerce and mobile commerce an easy
and safe means of payment, reducing risk for both the merchant and the
consumer.

Smart cards are already being used in several large transportation and
transit markets.

Colleges and businesses both are leveraging the ability of smart cards to
support multiple related applications on one card, increasing convenience
and efficiency.

Multiple applications on a single card are proving useful to government
health and welfare programs.

Contactless technology is finding increasing acceptance in situations where
fast, secure transactions with long read ranges are critical, such as for
gasoline purchases or in drive-through retail establishments.

Smart card applications can also encourage new business partnerships that
benefit all participants. For example, electronic couponing offers an opportunity
for large retailers to partner with manufacturers or service providers, increasing
customer bases and strengthening brand loyalty.
The benefits of adopting smart cards for payment are compelling. The ability of a
smart card to support multiple applications provides flexibility and a stronger
business case for the retailer, who can add applications over time. Smart cards
also offer unmatched security functionality, allowing for safer transactions and
enhancing cardholder privacy. In addition, because smart cards are subject to
active standardization efforts, interoperable solutions are available from multiple
vendors.
The combination of the technology benefits and the new markets, applications
and partnerships that smart cards can support is expected to further drive the
U.S. market for smart card use at the retail point of sale. Both analysts and
industry participants are expecting continued solid progress for smart card
deployment in the United States.
For more information about smart cards and the role that they play in retail
payment and other applications, please visit the Smart Card Alliance web site at
www.smartcardalliance.org or contact the Smart Card Alliance directly at 1-800-556-6828.

References
An Industry Primer on Smart Cards, Electronic Transactions Association, November 2001.
Chips May Proliferate But Few Will Say When, Card Marketing, March 2002.
Contests Brighten the POS, Chain Store Age, February 1, 2002.
Credit Card Skimming: Growing Trend or Media Hype? Transaction World, September 2001.
One Percent of Online Sales Lost to Fraud, InternetWeek, March 4, 2002.
The Prospect for Financial Services Chip Cards in the U.S., presentation by Theodore Iacobuzio, Tower Group, Smart Card Alliance conference, October 7, 2002.
Smart Card Lifts Target Card Program, CardLine, August 16, 2002.
Smart Cards: Seizing Strategic Business Opportunities, Smart Card Forum, edited by Catherine A. Allen and William J. Barr, McGraw-Hill, 1997.
Smarter Swipers Arrive, RIS News, September 2001.
TowerGroup Offers Rosy Forecast for Chips in U.S., American Banker, January 29, 2002.

About the Smart Card Alliance


The Smart Card Alliance is the leading not-for-profit, multi-industry association of
member firms working to accelerate the widespread acceptance of multiple
applications for smart card technology. The Alliance membership includes
leading companies in banking, financial services, computer, telecommunications,
technology, healthcare, retail and entertainment industries, as well as a number
of government agencies. Through specific projects such as education programs,
market research, advocacy, industry relations and open forums, the Alliance
keeps its members connected to industry leaders and innovative thought. The
Alliance is the single industry voice for smart cards, leading industry discussion
on the impact and value of smart cards in the U.S. For more information, visit
www.smartcardalliance.org.

Publication Acknowledgements
This position paper was developed by the Smart Card Alliance to discuss the
implementation and technology issues associated with smart cards and retail
payments. Publication of this document by the Smart Card Alliance does not
imply the endorsement of any of the member organizations of the Alliance.
The Smart Card Alliance wishes to thank the Terminal and eTransaction Infrastructure Task Force members for their comments and contributions. Task Force
members include: ACI Worldwide, ACS, ADB, Bank of America, Citicorp,
Crosscom National, Inc., First Data, Gemplus, Hypercom, IBM, Ingenico,
MasterCard International, Netlink Transaction Services, New England Bankcard
Association, NTRU Cryptosystems, Inc., Ohio University Center for Automatic
Identification, Potomac Systems, SchlumbergerSema, SCM Microsystems,
Thales, U.S. Office of the Comptroller of the Currency, Visa U.S.A, WMATA.
Special thanks go to the Task Force members who wrote, reviewed and edited
this white paper.
Jeff Beulke, ACI Worldwide
Alan Bondzio, ADB
Matthew Byrne, First Data
Amol Deshmukh, SchlumbergerSema
Eric Dumois, Hypercom
Rahul Gadkari, SchlumbergerSema
Tim Held, ACI Worldwide
Greg Jones, Visa U.S.A.
Jasen Judd, NTRU Cryptosystems, Inc.
Diana Knox, Visa U.S.A.

Michael Madden, MasterCard International
Cathy Medich, Consultant and Task Force Co-Chair
Christopher Nardone, MasterCard International
Matt Radcliffe, SchlumbergerSema
Eric Schindewolf, Visa U.S.A.
Randy Vanderhoof, Smart Card Alliance
Cliff Wilke, Office of the Comptroller of the Currency

Copyright Notice
Copyright 2002 Smart Card Alliance, Inc. All rights reserved.

Trademark Notice
All registered trademarks or trademarks are the property of their respective
owners.

Appendix A: Relevant Standards - Smart Cards and Retail Payments


The following table summarizes the standards that are relevant to implementing
smart cards for retail payment.

| Standard / Specification | Application Area | Reference / Organization Managing Standard |
|---|---|---|
| ISO/IEC 7816 | Interface between the card and the terminal. | ANSI / ISO |
| EMV | Commands and related transaction flow for credit and debit card payment. Hardware specifications for financial smart cards and terminals. Multi-application selection for smart cards. | EMVCO (www.emvco.com) |
| GlobalPlatform | Card application management and issuance in the smart card, acceptance devices and back-end systems. | GlobalPlatform (www.globalplatform.org) |
| PC/SC | Common driver interface for all smart card readers connected to Microsoft Windows. | Microsoft (www.pcscworkgroup.com) |
| MULTOS | Open card operating system providing a turnkey package for card issuers, including certification authority, language, tools and personalization process. | MAOSCO (www.multos.com) |
| JavaCard | Standard, flexible tool box and operating system for smart card application development. Used with GlobalPlatform, provides the specification for interoperable application management and card issuance. | Java Card Forum (www.javacardforum.org) |
| X509 | Format for digital signatures and associated certificates. | ANSI / NIST |
| ISO/IEC 14443 & ISO/IEC 15693 | Standards specifying contactless smart card operation. | ISO / IEC |


Appendix B: Glossary of Acronyms


| Acronym | Meaning |
|---|---|
| AAV | Accountholder Authentication Value |
| ANSI | American National Standards Institute |
| API | Application Programming Interface |
| ATM | Automated Teller Machine |
| CDMA | Code Division Multiple Access |
| DES | Data Encryption Standard |
| EBT | Electronic Benefits Transfer |
| EMV | Europay MasterCard Visa |
| GSM | Global System for Mobile Communications |
| HSM | Hardware Security Module |
| IEC | International Electrotechnical Commission |
| ISO | International Organization for Standardization |
| MODS | MasterCard Open Data Storage |
| NIST | National Institute of Standards and Technology |
| PC | Personal Computer |
| PCMCIA | Personal Computer Memory Card International Association |
| PCS | Personal Communications Service |
| PC/SC | Personal Computer/Smart Card |
| PDA | Personal Data Assistant |
| PIN | Personal Identification Number |
| POS | Point of Sale |
| RFID | Radio Frequency Identification |
| SIM | Subscriber Identity Module |
| SPA | Secure Payment Application |
| UCAF | Universal Cardholder Authentication Field |
| USB | Universal Serial Bus |
| VbV | Verified by Visa |
| WIC | Women, Infants and Children |
