Smart Card Standards Explained
With so many smart card related standards in existence it is important to understand what they mean and how they are relevant. In this article we provide an overview of several key standards and what part they play in the smart card eco-system.
Each standard discussed in this article defines a key aspect of smart card behaviour or functionality. These core standards are at the heart of most major smart cards on the market today.
The standards discussed in this article are:
One of the most important smart card standards, ISO 7816 is a core standard underpinning many smart cards available today. Many other smart card technologies refer back to parts of ISO 7816 for aspects of their functionality.
ISO 7816 consists of 15 parts with each defining a different aspect of card level capability. We won't describe all 15 parts here but two crucial aspects defined by the standard are (1) the electrical interface with the card via contacts and (2) the communication protocol between a smart card reader (called an interface device in the standard) and a smart card.
ISO 7816 was originally written for cards with electrical contacts exposed on the card surface (“contact cards”). The standard describes the signals and transmission protocols at the electrical interface for contact cards. This information is used by hardware manufacturers making card readers who need to know how to communicate with a card at the lowest I/O level. Contactless smart cards are defined by a separate standard, ISO 14443 covered below.
The communication protocol defined by ISO 7816 consists of a set of commands that can be used to control and manage a smart card and also the structure of the command/response payloads exchanged between a smart card reader and a smart card, the Application Protocol Data Unit (APDU).
APDUs come in two forms, command APDUs and response APDUs. Command APDUs are sent from a card reader to a card and they contain the instruction code, parameters and data. Response APDUs are sent from a card back to the card reader and contain the response data and status code.
ISO 14443 defines the operation of contactless smart cards, or proximity cards, meaning cards that have a Radio Frequency (RF) antenna embedded in them. The standard describes the wireless communication protocol used at the link layer between a card and a card reader which operates at 13.56 MHz (RFID HF).
ISO 14443 proximity cards are powered through electromagnetic induction when the card is brought into the RF field generated by a card reader. Compliant cards have an operating range of up to 10cm but this is limited by the size of the antenna in the card and the signal power of the card reader or terminal, so in practice the operating range is often within 1cm.
Importantly, ISO 14443 does not define the higher level communication protocol (the command set) used by applications. Many ISO 14443 compliant cards use the command set defined in ISO 7816-4 but some, like the MiFARE DESFire, use their own.
NFC, meaning Near Field Communication, is a set of wireless close-range communication protocols allowing two devices to communicate with each other and exchange data. NFC incorporates several standards including ISO 14443 (see above).
NFC defines two modes of communication, active and passive. In passive mode a powered device like a smart card reader generates an RF field that powers the target, a smart card for example. Active mode allows two NFC devices to communicate peer-to-peer.
NFC defines three modes of operation as follows:
- Reader/Writer - In this mode the NFC enabled device can act like a traditional hardware interface device that can read from and write to contactless (ISO 14443) smart cards/tags.
- Card Emulation - In this mode an NFC enabled device, such as a smart phone, can act like a smart card or tag, and become a target for another NFC enabled device like a card payment terminal. Mobile payment technology like Apple Pay works with the smart phone operating in this mode.
- Peer-to-Peer - In peer-to-peer mode two NFC devices can participate in a two-way communication to exchange data in a custom manner.
PC/SC is a de facto cross-platform API for integrating smart cards into desktop applications. It was originally defined for Windows by Microsoft in the late 1990s and called the WinSCard API. It has been ported to Linux and Mac by the PCSC Lite project.
The PC/SC API allows an application to discover smart cards readers attached to the host computer and then to connect to and communicate with a smart card that is present in a reader. The API does not distinguish how the card is present in the reader so the card might be a traditional contact card inserted into a reader or it could be a contactless card presented to a contactless card reader.
This standard defines the physical characteristics of identification cards including size, resistance to bending, and durability.
Important sizes defined by this standard include:
- ID-1 - A size of 85.60 × 53.98 mm. This is used for most smart cards including bank cards (credit cards, debit cards etc), travel cards. Also used for driving licences in many countries.
- ID-000 - A size of 25 mm × 15 mm with one corner cut off. This size is used for SIM cards in mobile phones.
Java Card is a technology for smart cards that allows on-card applications to be written in Java. Java Card smart cards (Java Cards) run a minimal Java environment and the on-card applications are written as applets which run upon it. Java Cards are commonly used for e-ID applications (eg, PKI, ID Cards), payment cards (credit/debit cards) and SIM cards for mobile phones.
A Java Card applet will typically handle a custom set of commands and can optionally handle any of the commands defined in ISO 7816-4.
Java Card provides a secure environment for storing sensitive information. Applets are isolated from each other and from the underlying card operating system and hardware. Java Card applets access cryptography features of a card via the Java Card library and runtime.
GlobalPlatform is a standard for securely managing the contents of a smart card, for example the installation and removal of applications to/from the card. Management is performed over cryptographic protocols which authenticates and secures the process.