Smart cards

What Are Smart Cards?

Smart cards are pocket-sized plastic cards that contain an embedded integrated circuit capable of storing and processing data. Unlike earlier magnetic stripe cards, which hold a fixed data pattern readable by any compatible reader, a smart card's chip can execute commands, perform cryptographic operations, and selectively reveal information only after verifying that the requester is authorized. The combination of storage, computation, and tamper resistance in a form factor the size of a credit card makes smart cards one of the most widely deployed security tokens in the world, with billions of cards in circulation across banking, government identity, mobile telecommunications, and transit.

The technology emerged in the 1970s from work by French inventors including Roland Moreno, who filed early patents on card-embedded microprocessors. The international standards that now govern the field are consolidated in ISO/IEC 7816 for contact cards and ISO/IEC 14443 for contactless cards operating at 13.56 MHz.

Physical and Communication Interfaces

Smart cards communicate with readers through two principal interface types. Contact cards, defined by ISO/IEC 7816 Parts 1 through 3, expose a set of gold-plated electrical contacts on their surface that carry power, clock, reset, and bidirectional data signals. Contactless cards use radio frequency coupling at 13.56 MHz over distances up to approximately ten centimeters, as specified in ISO/IEC 14443. Dual-interface cards incorporate both contact and contactless interfaces on a single chip, allowing the same card to be used with older contact terminals and modern tap-to-pay readers. The Secure Technology Alliance's introduction to smart card standards provides a reference map of the ISO/IEC standards applicable to each interface type, security layer, and application domain.

Cryptography and Data Security

The security architecture of a smart card rests on its ability to execute cryptographic algorithms internally without exposing secret key material to the outside world. Common algorithms supported include AES (Advanced Encryption Standard, standardized in FIPS 197), RSA, and elliptic curve cryptography for public-key operations. The card's operating system enforces a file access control policy that specifies which commands require PIN verification, mutual authentication with a reader, or a secure messaging session before sensitive data can be read or written. Hardware design features such as metal shielding, memory encryption, and sensors that detect physical probing attacks make extracting key material from a chip without triggering self-destruction mechanisms extremely difficult. The ISO/IEC 7816-8:2021 standard specifies interindustry security commands that span contact and contactless implementations.

Access Control

Smart cards function as portable identity credentials, carrying certificates, biometric reference data, or application-specific authorization tokens that a reader can verify without contacting a central database. In government applications, the U.S. FIPS 201 Personal Identity Verification (PIV) standard defines how federal employees use smart card credentials to authenticate to both physical facilities and information systems. Corporate logical access control systems issue smart cards that carry X.509 certificates, enabling PKI-based login to workstations and VPNs. In mobile networks, the SIM card is a smart card that stores the subscriber's authentication key and network subscription credentials, executing a challenge-response protocol with the network to confirm identity before granting service. The ANSI Blog's analysis of ISO/IEC 7816-4:2020 covers the command set and security architecture that underpins these access control applications.

Applications

Smart cards have applications across a wide range of sectors, including:

  • Financial payment cards following the EMV specification for chip-and-PIN and contactless transactions
  • Government identity documents and electronic passports with ICAO-compliant contactless chips
  • SIM and eSIM cards in mobile telecommunications devices
  • Physical and logical access control in corporate and government facilities
  • Transit fare collection systems in metropolitan rail and bus networks
  • Healthcare credential cards carrying clinical access permissions and patient data
Loading…