Escolar Documentos
Profissional Documentos
Cultura Documentos
Executive Summary
Smart Cards Are Finding Wider Acceptance Among Consumers and
Issuers
Despite belief to the contrary, smart cards are more and more widely used in the
United States. Since the launch of the American Express Blue card and smart
Visa card, millions of smart cards have been issued to consumers, with over 21
million cards predicted to be in circulation by the first quarter of 2003.
The pace at which smart card-ready POS devices are being installed is somewhat slower. However, several large retailers have invested in smart card-ready
POS hardware. In addition, retailers whose hardware is aging may soon be
replacing it with smart card compatible devices.
The issuing and acquiring processing infrastructure is also making progress to
support smart cards. The two leading issuing processors have announced smart
card support and several acquiring processors have announced that they can
support smart card payment transactions. All stakeholders in the financial
payments industry are positioning for expanding consumer smart card use.
Card Marketing, Chips May Proliferate But Few Will Say When, March 2002
Merchant Readiness
Over 21 million smart cards are expected to be deployed by the first quarter of
2003.4 However, consumers still have little opportunity to use the technology,
due to the lack of smart card acceptance devices at retail and merchant locations. Target, the first major retailer to implement smart card acceptance devices
in their stores, has the unique position of being the issuer and retailer. With a
reported 7 million cards issued in mid-2002, Target is upgrading 37,000 POS
terminals in 1,000 stores to use the smart card chip and plans to offer electronic
couponing as its first chip-linked application.5 Target terminals are EMV compliant and thus capable of engaging in EMV transactions based upon payment
software installed in the device.
American Banker, TowerGroup Offers Rosy Forecast for Chips in U.S., Jan. 29, 2002
American Banker, TowerGroup Offers Rosy Forecast for Chips in U.S., Jan. 29, 2002
4
Tower Group. The Prospect for Financial Services Chip Cards in the U.S., presentation by
Theodore Iacobuzio, Smart Card Alliance Conference, October 7, 2002.
5
CardLine, Smart Card Lifts Target Card Program, August, 16, 2002
3
Smart card-ready POS devices are making their way into additional retail and
merchant locations. In 2001, approximately 25% of the over 1.3 million POS
devices shipped by the three largest terminal providers in the United States were
smart card ready. With the aging of the POS installed base, it is expected that
merchants will increasingly upgrade their existing terminals with smart card-ready
devices.
Ingenico 52,200
VeriFone 57,200
Hypercom
209,600
Additional retailers have also made recent investments in smart card-ready POS
terminals, including:
CVS, the leading pharmacy and health service retailer, will install smart card
readers in 450 of its stores to provide support for credit, debit, electronic
benefits transfer (EBT), gift card transactions, and electronic signatures.6
Virgin Megastore, the entertainment retail chain, has installed 320 payment
devices with smart card reader attachments at all U.S. Virgin Megastore
locations.
Rite-Aid, one of the nations leading drugstore chains, has installed smart
card-capable terminals in 4,000 stores to handle the stores closed system,
chip-based gift (stored value) card.7
ShopRite, the largest retailer-owned supermarket cooperative in the United
States, is setting up smart card-ready POS terminals at 200 stores to
implement a loyalty program.8
Some of the deployments described above may not currently support smart card
payment. Retailers who are implementing smart card-ready terminals should
ensure that terminals are EMV Level 1 approved and capable of EMV Level 2
software updates. EMV approved terminals are currently available from all of the
major terminal providers.
Processing Infrastructure
A key portion of the infrastructure required by smart card technology is the
infrastructure required to issue cards and manage the card lifecycle. The two
leading U.S. issuing service providers, First Data and TSYS (Total Systems),
have announced smart card support. First Data has implemented a smart card
management system within their personalization infrastructure that provides a
seamless smart card issuance process. First Data can perform traditional bank
card personalization (such as embossing and encoding) and load, maintain and
update smart card applications throughout a cards life cycle. First Datas vision
is that eventually applications will be loaded dynamically to issued smart cards
through POS devices or ATMs. However, in the near term, applications are
expected to be loaded or updated from the Internet. TSYS is also providing their
customers with a similar capability. Both TSYS and First Data are creating the
infrastructure to ensure that they are able to support all three major card associations. First Data currently has solutions for GlobalPlatform and MULTOS.
GlobalPlatform represents a set of cross-industry technical specifications that
can be used to develop secure and flexible smart card systems. It includes both
card and terminal specifications as well as development tools. Together, these
components define an easy-to-use smart card platform upon which applications
can be added. GlobalPlatform works across different cards and operating
systems but standardizes the process for back-end systems such as personalization, key management and application loading. It enables smart card issuers to
choose between operating systems and application developers while providing a
core security and card management technology. GlobalPlatform specifications
are owned and managed by the GlobalPlatform organization.
The processing infrastructure for both issuers and acquirers must be also upgraded to support smart card payment. Both MasterCard and Visa have developed guidelines for upgrades that allow for support of the EMV specifications.
First Data, National Processing and Vital Processing have all announced that
they can support some level of smart card transaction processing. In fact, Visa
U.S.A. reports that acquirers and processors handling approximately 80% of all
Visa payment transactions have upgraded their systems to facilitate smart Visa
chip transactions between Visa and the processors systems. While Visa and
MasterCard have mandated EMV support in Europe, Latin America and Asia, no
such mandates are planned for North America. Processors determine when to
support EMV payment according to their own business priorities.
In summary, the U.S. smart card industry has made significant progress in the
past two years, adding issuers, consumer smart card products and smart cardready POS terminal installations. The migration of the U.S. payments infrastructure to support smart cards is complex and costly, with each participant in the
transaction needing to invest in new technology and processes. While the
migration is proceeding more slowly in the U.S. than in international markets, the
industry expects smart card adoption and acceptance to continue to grow, with
implementation driven by business cases for new multi-application smart cards
with new services that provide merchant- and consumer-specific benefits.
networks for authorization (if required) and/or uploaded to the host system for
settlement services for the retailer. Responses from the issuer must be passed
back to the terminal.
Issuing, life cycle management and fulfillment systems. Smart cards also
necessitate changes to the issuers infrastructure and processes. Such changes
are required to support smart card life cycle management, fulfillment and online
authorizations. Personalization and initialization information that needs to be
written onto the smart cards includes security keys and certificates, applications
(such as payment and loyalty) and cardholder information. All of this information
is formatted to allow the card production machines to write the data to the chip.
The smart cards can then be issued and sent to the cardholder.
Life cycle management includes managing card issuance, activation and applications, including possible post-issuance support for updating card data and
applications during the POS process. Many smart card life cycle management
systems are available in the market today that manage smart cards from creation
through post-issuance interaction with the card to termination, including lost/
stolen card replacement and customer service interfaces. Smart cards also allow
card/data reconstruction for lost, stolen, damaged or reissued replacement cards.
Consider the example of a cardholder losing a card at noon on Wednesday, after
a smart card loyalty transaction was executed and batched to the loyalty host on
Tuesday. If the card life cycle management system has a batch or real-time
interface with the loyalty host, the replacement card can include current loyalty
data as of Tuesdays transactions.
Retailers and issuers can either outsource life cycle management operations to
qualified vendors or perform them in house using off-the-shelf products.
Smart card fulfillment services include manufacturing, embossing and issuing
plastic cards, activating cards, managing ongoing correspondence with
cardholders, reporting to card issuers, providing transaction authorizations,
providing fraud and risk management, personalizing cards, and producing and
mailing statements.
Terminal, application and key life cycle management systems. As smart
card adoption and usage increases, multi-application cards will become more
common and merchants will want to implement new applications without purchasing a new terminal. More flexible terminals also offer acquirers the ability to
provide new merchant products and services that can be easily and affordably
downloaded and implemented. This will require the implementation of new
terminal, application and key life cycle management systems. A terminal management system must know and track terminal types, locations, capabilities,
platforms, applications and keys used for implementing security functions.
Terminal applications must be tracked to ensure terminal compatibility, to allow
them to be more easily upgraded, or to allow keys to be rotated or revoked. The
keys contained in the terminals (both public and DES keys) also need to be
tracked and managed (e.g., location of keys, key size, key expiration date).
Knowing and managing a terminals configuration, abilities and limitations are
important for acquirer support of multi-application smart card implementations.
Physical
Retailer
EMV-approved POS
terminals that accept
smart cards
POS terminal-resident
software that handles
payment and other
smart card applications
Host system upgrades
to integrate new data
for payment and other
applications and to
communicate with the
acquirer/processor
Routing of transaction
data to payment
processor and/or other
service providers
Acquiring
Processor
Issuer
Other Service
Providers
Infrastructure and
processing services
for smart card
payment transactions
Infrastructure to issue
and manage smart
cards
Infrastructure and
processing services
for related smart
card application
transactions (e.g.,
loyalty, authentication)
Infrastructure and
processing services
for smart card
application transactions (e.g., payment,
loyalty, authentication)
Personalization
bureaus
Transactions for
authorization
and/or settlement
Transactions for
authorization
and/or settlement
Merchant
Processor
Smart card
Billing statements
Dispute resolution
Consumer
Merchant
Acquiring
Bank
Settlement files
Financial
Networks
Consumer
Issuing
Bank
Transactions for
authorization
and/or settlement
Card management functions
(e.g. update to
data)
10
Consumer Infrastructure
Smart cards. Smart cards issued by American Express and Visa and
MasterCard issuers currently support Internet authentication and payment, with
plans to support additional applications in the future.
Smart card applications. As with physical payment, software must reside on
the smart card to support the applications of interest to the issuer and retailer
(e.g., authentication, payment, loyalty, coupons).
PC-based smart card readers. Consumers must connect EMV Level 1-approved smart card readers to their PCs. Each smart card issuer offers readers
with the smart card. Readers are available that operate with serial, USB and
PCMCIA interfaces.
10
11
Merchant
Web Site
Loyalty
Server
Authentication
Server
BACKEND
Internet
PC
NS
Plug-In
IE
ActiveX
Loyalty
Appn
Security
Appn
NS
Plug-In
NS
Plug-In
IE
ActiveX
Convenience
Appn
Other
Appns
IE
ActiveX
Payment Appn
(VSDC, M/Chip)
Microsoft PC/SC
CARD
Loyalty
12
Security
Payment
(VSDC, M/Chip)
Convenience
Other
Appns
13
24x7 Helpdesk. The Internet retailer needs to train customer support personnel
on the smart card process. Consumer smart card issues are different from
magnetic stripe card issues. The merchant also needs to be sensitive to the fact
that consumers are now expected to install both the client software and the smart
card reader.
Figure 5 illustrates one possible system architecture for supporting the Internet
smart card payment process.
Figure 5: Smart Card-Enabled Internet System Architecture
Consumer
PC
Internet
Consumer
Wireless
Device
Firewall
Loyalty
Server
Merchant
Web
Server
Payment
Networks
Authentication
Server
Card
Data
Legacy
Systems
HSM
14
15
16
17
18
Internet commerce
General retail
Mobile commerce
Transit
Contactless payment
Campuses
Government
19
Loyalty programs have long been a staple of the retailer market segment. S&H
Green Stamps, an early example, allowed customers to purchase products in
one store and redeem stamps for merchandise in another, in exchange for
information about themselves. This type of program enabled retailers to personalize the shopping experience with targeted content (for example, by offering
discounts aimed at getting customers to try a new brand or product). The ability
to stimulate customer demand to buy more by understanding purchase history,
recommending additional items, alerting customers to new purchasing opportunities and rewarding greater levels of purchasing is a key driver.
The need for better levels of information about customers encourages the implementation of customer profiles. Retailers could benefit from the capture and use
of a profile that defines consumer buying habits and history. This information can
provide the retailer with data that suggests ways to promote higher margin products, accelerate the checkout process by facilitating self-service check out and
encourage customer loyalty through incentive promotions and programs at the
store. Smart cards provide significant benefits to both retailers and consumers by
being able to securely store data so that no unauthorized entity can view it. Smart
cards impose strict security requirements on data access, hiding information
stored in one application from others. This ensures that consumer data is private
and that retailers can securely access only data that is relevant to them.
The Target smart Visa card is the most notable example of a prominent retailer
implementing both payment and non-payment applications on a single smart card
and using smart card programs to create strategic competitive advantage. In
addition to payment, Target is implementing a loyalty program and electronic
coupons in partnership with Procter & Gamble, Unilever, Pepsi-Cola, and Mattel,11
with deployment to be complete this year.
Mobile commerce. The mobile commerce market has seen high growth throughout the world. In the United States, however, the absence of a telecommunications standard has made implementation a challenge. U.S. carriers use PCS or
CDMA technologies, which do not use smart chips. The next few years will see
the proliferation of GSM networks in the United States, with AT&T beginning to
convert their networks and other carriers following. The SIM card will allow issuers
to provide an easier payment mechanism for mobile commerce. Other technologies, such as Bluetooth, are also being investigated to further mobile commerce.
Non-payment applications such as identity authentication and information provisioning will be key to driving this market.
Transit. The transportation and transit market is already moving ahead with smart
card technology (for example, SmarTrip in Washington, D.C., Amtrak, BART in the
San Francisco Bay Area, and the Chicago Transit Authority). These systems use
smart card-based electronic tokens for fare collection. Issuers can take advantage
of these systems by offering a payment method tied to the transit cards at nearby
retailers. For example, the North Dallas Tollway in Texas uses an RFID technology to collect fares. The same system can be used at participating McDonalds
restaurants.
Contactless payment. Contactless technology is particularly well suited to the
retail environment. The pass-by method of card presentation is convenient and
allows multiple form factors to be used for the payment device. A fast, secure
transaction can be accomplished simply by presenting a card, key fob, or other
contactless device to the reader. One of the most compelling uses for contactless
cards is at drive-through retail establishments, where long read ranges are required for a good user experience. Devices such as the ExxonMobil SpeedPass
are useable outdoors, even in inclement weather or a dirty environment.
Contactless readers have no slots, switches, or pins, significantly lowering the cost
of ownership and maintenance. Finally, contactless systems are specified by ISO
international standards, supporting straightforward extensibility and
interoperability. Contactless technology can be an excellent complement to
contact technology in appropriate situations.
11
20
CardLine, Smart Card Lifts Target Card Program, August, 16, 2002
Campuses. Both college and business campuses have begun to use smart
cards. Major uses have been: asset tracking; meal plans; physical access to labs,
dorms, and special events; network logons; and secure data storage, including
personnel records, digital certificates and health data. The same card can also
have a financial application, allowing purchases on campus and at nearby retailers via stored value or prepaid accounts. Another successful application is the
SMARTIX baseball stadium ticketing program, which allows season tickets to be
downloaded off the web onto a smart card. The card is then used to enter parking
lots and stadiums. Cardholders can also transfer their tickets electronically, with
transferred tickets downloaded from the web or picked up at a will-call window.
Both the San Diego Padres and the Los Angeles Dodgers are currently using
SMARTIX.
Government. The power of the smart card for government health and entitlement
programs lies in the cards ability to hold both payment and non-payment applications. In conjunction with host systems, these applications provide multiple
benefits to recipients. Smart card usage in entitlement programs such as the U.S.
food stamps program or the Women, Infants and Children (WIC) program is
already a reality. Ohio and Wyoming have smart card-based EBT programs in
place, with New Mexico, Texas and several New England states also implementing programs. The U.S. government is also using smart cards to control both
physical and logical access to facilities and networks and is expanding the
number of programs and agencies that are using smart cards for employee
identification. The U.S. Navy is moving forward on a smart card implementation
that will include an electronic purse application for use on naval bases.
New smart card applications are setting the stage for additional penetration by
card issuers, adoption by merchants and usage by consumers. Integrating nonpayment applications with new and traditional payment applications creates a
compelling business case for implementing smart card technology.
21
In the absence of a compelling business case, large retailers are not venturing
into contact smart card programs without a clear justification. Instead, the
merchant community is likely to rely on incentives from other stakeholders (such
as issuers and card associations) to provide assistance with re-terminalization
costs, interchange incentives (e.g., card-present rates and guaranteed payments
for Internet purchases) and reduced chargeback costs.
The back office integration cost of implementing smart card applications is also
seen as a major hurdle. Retailers must incur the cost of modifying other store
and POS systems to accommodate new smart card applications. Like many
businesses, retailers have had to make tough budgeting decisions since 2001.
Competition for IT dollars has grown significantly, for both card issuers and
merchants. Other costs such as project management and in-store training also
add to the overall implementation expense.
Compelling smart card business cases are being created in specific retail segments and for new applications.
22
Internet commerce provides another bright spot for the smart card business
case. At the Electronic Transactions Association meeting in April 2002, Barry
Davis, senior consultant with First Annapolis Consulting, delivered a presentation
that identified the anticipated growth of Internet commerce as an improved
business case for smart cards for Internet merchants. Due to higher fraud rates
in Internet transactions vs. physical transactions (1.14%12 vs .09% in 200113),
Internet retailers who implement smart cards could see significant savings from a
reduction in fraud and card-present transaction rates. The increase in Internet
purchases as a percentage of overall consumer purchases will help drive consumer use of smart cards, integration of smart card readers with personal
computers and complementary bricks and clicks programs, providing additional
momentum to physical POS smart card implementations.
While the business case for smart card-based payment is challenging, these new
applications and business relationships are expected to add drivers for U.S.
smart card deployment. Merchants will only implement the smart card infrastructure when they see a positive business case. This business case will be driven
by a combination of applications and partnerships that drive revenues, lower
costs and increase consumer satisfaction and loyalty.
12
13
23
Gartner Group, One Percent of Online Sales Lost to Fraud, InternetWeek, March 4, 2002.
Tower Group, Credit Card Skimming: Growing Trend or Media Hype? Transaction World, Sept.
2001
24
With a compelling business case, few industries wait for final standards. Market
leaders drive forward in parallel with standardization and specification efforts and
implementations iterate through several revisions. The financial industry is very
active in initiating activities to address issues that are critical barriers to deployment. The industry has a strong history of successfully developing and implementing specifications that benefit all stakeholders.
While the necessary standards and specifications are in place for retailers to be
able to invest in smart card based payment today, there are still issues with
interoperability and standardization that must be addressed. Industry groups are
initiating activities to work on these issues for the newer applications. As with most
new technologies, however, it will take time for these efforts to result in specifications, standards and compliant products to use in smart card implementations.
25
Conclusion
The U.S. smart card industry has made significant progress in the past two years
toward supporting smart cards for payment at the retail point of sale, adding
issuers, consumer smart card products and smart card-ready POS terminal
installations. Momentum is growing, as card associations, issuers, retailers and
processors/acquirers all launch programs and deploy new infrastructure to
support smart card payment.
The migration of the U.S. payment infrastructure to support smart cards is
complex and costly. Each participant in the payment transaction will need to
invest in new technology and processes. So far, it has been difficult for retailers
and other transaction participants to create a business case for investment in
smart card technology. The problem has been exacerbated by the presence of
competing technologies in the marketplace and by an economic downturn that
has slowed investment in all businesses.
The migration to smart card support is definitely proceeding more slowly in the
United States than in international markets. However, the industry expects smart
card adoption and acceptance to continue to grow. Multiple key markets, each
with specific application requirements, are driving retail smart card implementations.
Smart cards support programs that can help retailers acquire new customers,
improve customer loyalty, and implement new merchandising programs.
Smart cards offer both Internet commerce and mobile commerce an easy
and safe means of payment, reducing risk for both the merchant and the
consumer.
Smart cards are already being used in several large transportation and
transit markets.
Colleges and businesses both are leveraging the ability of smart cards to
support multiple related applications on one card, increasing convenience
and efficiency.
Multiple applications on a single card are proving useful to government
health and welfare programs.
Contactless technology is finding increasing acceptance in situations where
fast, secure transactions with long read ranges are critical, such as for
gasoline purchases or in drive-through retail establishments.
Smart card applications can also encourage new business partnerships that
benefit all participants. For example, electronic couponing offers an opportunity
for large retailers to partner with manufacturers or service providers, increasing
customer bases and strengthening brand loyalty.
The benefits of adopting smart cards for payment are compelling. The ability of a
smart card to support multiple applications provides flexibility and a stronger
business case for the retailer, who can add applications over time. Smart cards
also offer unmatched security functionality, allowing for safer transactions and
enhancing cardholder privacy. In addition, because smart cards are subject to
active standardization efforts, interoperable solutions are available from multiple
vendors.
The combination of the technology benefits and the new markets, applications
and partnerships that smart cards can support is expected to further drive the
Smart Card Alliance 2002
26
U.S. market for smart card use at the retail point of sale. Both analysts and
industry participants are expecting continued solid progress for smart card
deployment in the United States.
For more information about smart cards and the role that they play in retail
payment and other applications, please visit the Smart Card Alliance web site at
www.smartcardalliance.org or contact the Smart Card Alliance directly at 1-800556-6828.
27
References
An Industry Primer on Smart Cards, Electronic Transactions Association,
November 2001.
Chips May Proliferate But Few Will Say When, Card Marketing, March 2002.
Contests Brighten the POS, Chain Store Age, February 1, 2002.
Credit Card Skimming: Growing Trend or Media Hype? Transaction World,
September 2001.
One Percent of Online Sales Lost to Fraud, InternetWeek, March 4, 2002.
The Prospect for Financial Services Chip Cards in the U.S., presentation by
Theordore Iacobuzio, Tower Group, Smart Card Alliance conference, October 7,
2002.
Smart Card Lifts Target Card Program, CardLine, August, 16, 2002.
Smart Cards: Seizing Strategic Business Opportunities, Smart Card Forum,
edited by Catherine A. Allen and William J. Barr, McGraw-Hill, 1997.
Smarter Swipers Arrive, RIS News, September 2001.
TowerGroup Offers Rosy Forecast for Chips in U.S., American Banker, January
29, 2002.
28
Publication Acknowledgements
This position paper was developed by the Smart Card Alliance to discuss the
implementation and technology issues associated with smart cards and retail
payments. Publication of this document by the Smart Card Alliance does not
imply the endorsement of any of the member organizations of the Alliance.
The Smart Card Alliance wishes to thank the Terminal and eTransaction Infrastructure Task Force members for their comments and contributions. Task Force
members include: ACI Worldwide, ACS, ADB, Bank of America, Citicorp,
Crosscom National, Inc., First Data, Gemplus, Hypercom, IBM, Ingenico,
MasterCard International, Netlink Transaction Services, New England Bankcard
Association, NTRU Cryptosystems, Inc., Ohio University Center for Automatic
Identification, Potomac Systems, SchlumbergerSema, SCM Microsystems,
Thales, U.S. Office of the Comptroller of the Currency, Visa U.S.A, WMATA.
Special thanks go to the Task Force members who wrote, reviewed and edited
this white paper.
Jeff Beulke, ACI Worldwide
Alan Bondzio, ADB
Matthew Byrne, First Data
Amol Deshmukh, SchlumbergerSema
Eric Dumois, Hypercom
Rahul Gadkari, SchlumbergerSema
Tim Held, ACI Worldwide
Greg Jones, Visa U.S.A.
Jasen Judd, NTRU Cryptosystems, Inc.
Diana Knox, Visa U.S.A.
Copyright Notice
Copyright 2002 Smart Card Alliance, Inc. All rights reserved.
Trademark Notice
All registered trademarks or trademarks are the property of their respective
owners.
Smart Card Alliance 2002
29
Application Area
Reference / Organization
Managing Standard
ISO/IEC 7816
ANSI / ISO
EMV
EMVCO
(www.emvco.com)
GlobalPlatform
GlobalPlatform
(www.globalplatform.org)
PC/SC
Microsoft
(www.pcscworkgroup.com)
MULTOS
MAOSCO
(www.multos.com)
JavaCard
X509
ANSI / NIST
ISO/IEC 14443
& ISO/IEC 15693
ISO / IEC
30
31