Innovative Auto-ID and LBS - Chapter Seven Smart Cards: The Next Generation

Chapter VII: Smart Cards: The Next Generation

 

SMART CARD TECHNOLOGY

Historical Overview

The history of the smart card begins as far back as 1968. By that time magnetic-stripe cards while not widespread, had been introduced into the market (Purdue, 2008). Momentum from these developments, together with advancements in microchip technology made the smart card a logical progression. Two German inventors, Jürgen Dethloff and Helmut Grötrupp applied for a patent to incorporate an integrated circuit into an ID card (Rankl & Effing, 1997, p. 3). This was followed by a similar patent application by Japanese academic, Professor Kunitaka Arimura in 1970. Arimura was interested in incorporating “one or more integrated circuit chips for the generation of distinguishing signals” in a plastic card (Zoreda & Oton, 1994, p. 36). His patent focused on how to embed the actual micro circuitry (Lindley, 1997, p. 13).

 

Smart Cards in the 1970s

In 1971 Ted Hoff from the Intel Corporation also succeeded in assembling a computer on a tiny piece of silicon (Allen & Kutler, 1997, p. 2). McCrindle (1990, p. 9) made the observation that the evolution of the smart card was made possible through two parallel product developments- the microchip and the magnetic-stripe card- that merged into one product. However, it was not until 1974 that previous chip card discoveries were consolidated. Roland Moreno’s smart card patents and vision of an electronic bank manager triggered important advancements, particularly in France. In that year, Moreno successfully demonstrated his electronic payment product by simulating a transaction using an integrated circuit (IC) card. What followed for Moreno, and his company Innovatron, was a batch of patents among which was a stored-value application mounted on a ring which connected to an electronic device.

By the late 1970s the idea of a chip-in-a-card had made a big enough impression that large telecommunications firms were committing research funds towards the development of IC cards. In 1978 Siemens built a memory card around its SIKART chip which could function as an identification and transaction card. Despite early opposition to the new product it did not take long for other big players to make significant contributions to its development. In 1979 Motorola supplied Bull with a microprocessor and memory chip for the CP8 card. In July of that year Bull CP8’s two-chip card was publicly demonstrated in New York at American Express. French banks were convinced that the chip card was the way of the future and called a bid for tender by the seven top manufacturers at the time: CII-HB, Dassault, Flonic-Schlumberger, IBM, Philips, Transac and Thomson. Ten French banks with the support of the Posts Ministry created the Memory Card Group in order to launch a new payment system in France. Such was the publicity generated by the group that more banks began to join in 1981, afraid they would be left behind as the new technology was trialed in Blois, Caen and Lyon. Additionally, the US government awarded a tender to Philips to supply them with IC identification cards.

 

Smart Cards in the 1980s

By 1983 smart cards were being trialed in the health sector to store vaccination records and to grant building access to hemodialysis patients. But it the French who recognized the potential of smart cards in the provision of telephony services. The first card payphones were installed by Flonic Schlumberger for France Telecom and were called Telecarte. By 1984 Norway had launched Telebank, Italy the Tellcard, and Germany the Eurocheque. A number of friendly alliances began between the large manufacturers who realized they could not achieve their goals in isolation. Bull signed an agreement with Motorola and Philips signed and agreement with Thomson. Meanwhile, MasterCard International and Visa International made their own plans for launching experimental applications in the United States. In 1986 Visa published the results of its collaborative trials with the Bank of America, the Royal Bank of Canada and the French CB group. The “...study show[ed] that the memory card [could] increase security and lower the costs of transactions” (Cardshow, 1996, p. 1). Visa quickly decided that the General Instrument Corporation Microelectronics Division would manufacture their smart cards. The two super smart card prototypes were supplied by Smart Card International and named Ulticard. In 1987 MasterCard decided to spend more time reviewing the card’s potential and continued to conduct market research activities. Issues to do with chip card standardization between North America and Europe became increasingly important as more widespread diffusion occurred.

 

Smart Cards in the 1990s

The 1990s was a period characterized by the ‘microprocessor explosion’. Smart cards became a part of that new interest in wearable computing- computer power that was not only cheap and small, but was always with you (Cook, 1997, p. xi). The progress toward the idea of ubiquitous computing is quite difficult to fathom when one considers that the credit-card sized smart card possesses more computing power than the 1945 ENIAC computer which: “...weighed 30 tones, covered 1500 square feet of floor space, used over 17000 vacuum tubes... 70000 resistors, 10000 capacitors, 1500 relays, and 6000 manual switches, consumed 174000 W of power, and cost about $500000” (Martin, 1995, p. 3f). Today’s smart card user is capable of carrying a ‘mental giant’ in the palm of their hand. Smart cards can now be used as payment vehicles, access keys, information managers, marketing tools and customized delivery systems (Allen & Kutler, 1997, pp. 10-11).

Many large multinational companies have supported smart card technology because the benefits are manifold over other technologies. It was projected that by the year 2000, an estimated volume of smart-card related transactions would exceed twenty billion annually (Kaplan, 1996, p. 10). Michael Ugon, a founding father of smart card, said in 1989 that the small piece of plastic with an embedded chip was destined to “...invade our everyday life in the coming years, carrying vast economical stakes” (Ugon, 1989, p. 4). McCrindle (1990, p. ii) likewise commented that the smart card “...ha[d] all the qualities to become one of the biggest commercial products in quantity terms this decade”. And the French in 1997 were still steadily pursuing their dream of a smart city, “...a vision made real by cards that [could] replace cash and hold personal information (Amdur, 1997, p. 3). Currently, while there is a movement by the market to espouse smart card technology, numerous countries and companies continue to use magnetic-stripe cards. However, the vision for smart card now looks achievable, as some countries have vastly upgraded their payment systems (e.g. Singapore and Hong Kong). For a specific history of smart card in Russia see Travin (2008).

 

The Smart Card System

When considering which type of smart card technology to implement for a given service, buyers need to think about their requirements. What is paramount is that there must be a logical fit from the cardholder’s point of view (Hendry, 2007, p. 219). Major issues which need to be resolved include: card type, interface method, storage capacity, card operating functions, standards compliance, compatibility issues and reader interoperability, security features, chip manufacturers, card reliability and life expectancy, card material and quantity and cost.

 

Memory, Microprocessor Cards and Super Smart Cards

As Lindley (1997, p. 15f) pointed out there is generally a lack of agreement on how to define smart card. This can probably be attributed to the differences not only in functionality but also in the price of various types of smart cards. According to Rankl and Effing (1997, pp. 12-14) smart cards can be divided into two groups: memory cards and microprocessor cards. In a memory card there is a memory chip, and in a microprocessor card there is a microcontroller chip. Processor cards which are more sophisticated can be further classified into processor cards with or without coprocessors for executing asymmetric cryptographic algorithms such as RSA (Rivest, Shamir and Adleman). There are also ‘super smart cards’ which have displays and a keypad directly available to the user, many of which were prototyped to market electronic wallets and purses of the future (Rankl, 2007, p. 2). Ferrari et al. (1998), dedicate a whole chapter to the card selection process in their IBM Redbook (ch. 4).

As described by Allen and Kutler (1997, p. 4) memory cards are: “...primarily information storage cards that contain stored value which the user can “spend” in a pay phone, retail, vending, or related transaction.” Memory cards are less flexible than microprocessor cards because they possess simpler security logic. Only basic coding can be carried out on the more advanced memory cards. However, what makes them particularly attractive is their low cost per unit to manufacture, hence their widespread use in pre-paid telephone and health insurance cards (M'Chirgui, 2005). According to Hendry (2007, p. 17) an external application views a memory card as a data storage device with a limited range of functions. Today, wired-logic cards are much more common in which access is protected via a security protocol, either using encryption or a password. Memory cards are still highly marketable for mass market applications such as in transport applications (Blythe, 2000). For example NXP’s MiFare™ divides memory into sectors and fields, with each sector having separate access permissions (Figure 1).

The other type of smart card, the microprocessor card is defined by the International Standards Organization (ISO) and the International Electronic Commission (IEC), as any card that contains a semiconductor chip and conforms to ISO standards (Hegenbarth, 1990, p. 3). The microprocessor actually contains a central processing unit (CPU) which “...stores and secures information and makes decisions, as required by the card issuer’s specific application needs. Because intelligent cards offer a read/write capability, new information can be added and processed” (Allen & Kutler, 1997, p. 4). The CPU is surrounded by four additional functional blocks: read only memory (ROM), electrical erasable programmable ROM (known as EEPROM), random access memory (RAM) and the input/output (I/O) port. The Smart Card Forum Committee (1997, p. 237) outlines that the card is: “...capable of performing calculations, processing data, executing encryption algorithms, and managing data files. It is really a small computer that requires all aspects of software development. It comes with a Card Operating System (COS) and various card vendors offer Application Programming Interface (API) tools.”

 One further variation to note is that microprocessor cards can be contact, contactless (passive or active) or a combination of both (Petri, 1999). Thus users carrying contactless cards need not insert their card in a reader device but simply carry them in their purse or pocket. While the contactless card is not as established as the contact card it has revolutionized the way users carry out their transactions and perceive the technology. Rankl and Effing (1997, pp. 40-60) provide an exhaustive discussion on different types of microcontroller cards.

 

Card Formats

Smart card dimensions are typically 85.6 mm by 54 mm. The standard format ‘ID-1’ stipulated in ISO 7810 was first created in 1985 for magnetic-stripe cards. As smart cards became more popular, ISO made allowances for the microchip to be included in the standard. The standard size in the magnetic-stripe and smart cards gave way to the possibility of card migration. Smaller smart cards have been designed for special applications such as GSM handsets; these are ID-000 format known as the ‘plug-in’ card and ID-00 known as the ‘mini-card’ (Rankl & Effing, 1997, p. 21). It is important to note, that while smart cards come in numerous formats, the common feature is their thickness which is 0.76 mm. For a discussion on form factors of smart cards see Hendry (2007, pp. 54-56).

More recently mini-cards have been marketed and issued by companies such as VISA. The mini-card is almost half the size of a standard credit card at only 40 mm by 66 mm. It is considered a “companion card” to a normal full sized VISA card. The card contained a perforated hole at the bottom left corner so that it can easily be attached to a key chain, mobile phone, or other carry-along device. When the VISA Mini was launched in Australia during breakfast television programs, it was modeled fastened to a chain around the neck of young adults, who claimed it would increase their mobility. On their web site VISA (2008) have stated: “[w]hether you are going out for lunch with colleagues or friends, shopping at your neighborhood store, clubbing or dancing, on vacation or even when you are out for a jog!  Visa Mini is the answer to your demand for increased convenience and mobility in your everyday life.”

 

Card Elements

Several different types of materials are used to produce smart cards (Haghiri & Tarantino, 2002). The first well-known material (also used for magnetic-stripe cards) is PVC (polyvinyl chloride). PVC smart cards however, were noticeably non-resistant to extreme temperature changes, so ABS (acrylonitrile-butadiene-styrol) material has been used for smart cards for some time. PVC cards have been known to melt in climates that reach consistent temperature of 30 degrees Celsius. For instance, when the ERP system was launched in Singapore in 1998 a lot of people complained that melting smart cards had destroyed their card readers. Among the group who reported the most complaints to local newspapers were taxi drivers, who were driving for long periods of time. Similarly card errors often occur to mobile handsets that have been left in high temperatures. PET (polyethylene terephthalate) and PC (polycarbonate) are other materials also used in the production of smart cards.

The two most common techniques for mounting a chip on the plastic foil is the TAB technique (tape automated bonding) and the wire bond technique. The former is a more expensive technique but is considered to have a stronger chip connection and a flatter finish; the latter is more economical because it uses similar processes to that of the semiconductor industry for packaging strips but is thicker in appearance. New processes were developed in the mid 1990s that allowed a card to be manufactured in a single process. Rankl and Effing (1997, p. 40) explain, “[a] printed foil, the chip module and a label are inserted automatically into a form, and injected in one go”.

 

Multiapplication and Multifunction Cards

Most smart cards have a single function only. They are issued by a company to a customer for a specific purpose. For example, the first smart card payphone cards were used to make phone calls alone. The customer loaded the card up with money, made a telephone call, and the telephone operator charged the usage amount to the card. Multifunctionality should not be confused with multiapplication cards. Several functions on a smart card might include not only say a function to lend books out from a library, but also stored value for photocopying requirements and proof of identification of the person lending the books. The functions can be card-based (i.e. on board) or server-based via host and database.

Hendry (2007, p. 13) makes the distinction that a multiapplication card is one where several programs have been placed in the card’s memory. These applications can share data within the card, although this is not what usually occurs in practice. Often, a specific application is owned by separate entities, and cardholders need to select which application they wish to use during a given transaction, if it is not readily apparent to the terminal. 

 

Operating Systems

Smart card operating systems can be classified into native operating systems (e.g. using machine language) and interpreter-based operating systems (e.g. Java) (Hansmann et al., 2002). The principal task of operating systems is managing files (Rankl, 2007, p. 11). Where there is more than one application present on the smart card, a multi-application operating system is also present. According to Hendry (2007), such an operating system has to perform application protection, memory management, application downloading and updating. Well-known operating systems include Multos (originally developed by Mondex International), IBM’s MFC, Advantis (which follows GlobalPlatform’s JAVA architecture) and SECCOS (Secure Chip Card Operating System).

 

Interface, Readers and Terminals

Contact versus Contactless Cards

In contact smart cards, a power supply requires to have physical contact for data transfer. The tiny gold-plated 6-8 contacts are defined in ISO 7816-2. As a rule, if a contact smart card contains a magnetic-stripe, the contacts and the stripe must never appear on the same side. Each contact plays an important role. Two of the eight contacts have been reserved (C4 and C8) for future functions but the rest serve purposes such as supply voltage (C1), reset (C2), clock (C3), mass (C5), external voltage for programming (C6), and I/O (C7). Contactless smart cards on the other hand work on the same technical principles that animal transponder implants do. For simple solutions the card only needs to be read so that transmission can be carried out by frequency modulation.

Contactless solutions are becoming increasingly popular for ticketing applications due to the convenience factor. Commuters do not have to stop and queue to wait for “contacts” to read the card, they just go about their normal business and payment takes care of itself, after initialization of the ticket type (e.g. one journey, weekly or monthly). The International Standards Organization (ISO) has standardized the technologies used in contactless smart cards. The relevant standards are ISO14443 for proximity cards and ISO15693 for vicinity cards. ISO14443 is divided into four parts defining different aspects of the interface including physical characteristics, radio-frequency power and signal interface, initialization and anticollision, and transmission protocol. In simple terms, the microchip on a contactless card communicates with the card reader through RFID induction technology. Typically the read range needs to be not more than 10 cm to avoid charging other commuters accidentally. They are often used when transactions must be processed quickly or hands-free, such as on mass transit systems, where smart cards can be used without even removing them from a wallet (Trapanier, Tranchant & Chapleau, 2007).

 

Readers

A device that reads a smart card is known as a card accepting device (CAD) as it does not only read information from the card but also can write to it. Most smart card readers are embedded in larger terminal devices and usually follow application standards such as EMV (JCB Co, MasterCard and VISA), GSM or Calypso (Hendry, 2007, p. 22). Readers can either be insertion readers or motorized readers, the difference being how cardholders interact with the reader and the cost. Insertion readers are more privy to damage while motorized readers usually incorporate a shutter so they cannot be tampered with. Motorized readers slowly draw the card into the reader device, whereas insertion readers expect the cardholder to swipe the card through the contact points manually. This might lead to several read attempts if the cardholder does not know which way to face the card to be read properly etc.

 

Terminals

Terminals can take on various forms depending on where they are being utilized and for what purpose. For example, you can find smart card terminals at the point of sale (POS), in vending machines, kiosks, PC-connected readers, even personal smart-card readers. In the retail sector, the same terminal can be used to read multiple smart card applications. For example the same device can allow a consumer to purchase goods at the checkout, for an employee to log on to a cash register, even to grant customers loyalty points. The trend increasingly is toward self-service devices that cater for the needs of the individual, such as in the case of home banking applications.

 

Standards and Security

Similarly to magnetic-stripe technology, the most common method of user identification in smart cards is the personal identification number (PIN). The PIN is usually four digits in length (even though ISO 9564-1 recommends up to twelve characters), and is compared with the reference number in the card. The result of the comparison is then sent to the terminal which triggers a transaction- accept or reject. Additional to the PIN is a password which is stored in a file on the card and is transparently verified by the terminal. While the magnetic-stripe card relies solely on the PIN, smart card security is implemented at numerous hierarchical levels (Ferrari et al., 1998, pp. 11f).

There are technical options for chip hardware (passive and active protective mechanisms), and software and application-specific protective mechanisms. With all these types of protection against a breach of security, logical and physical attacks are said to be almost impossible (Rankl & Effing, 1997, pp. 261-272). The encryption in smart cards is so much more sophisticated than that of the magnetic-stripe. Crypto-algorithms can be built into smart cards that ensure both secrecy of information and authenticity. However, contactless cards are considered more susceptible to the breakage of keys than contact-only cards. External security features that can be added to the card include: signature strip, embossing, watermarks, holograms, biometrics, microscript, multiple laser image (MLI) and lasergravure (Figure 2). While the smart card is a secure auto-ID technology it has been proven in some instances that the device is still susceptible to damage, loss and theft without the reliance on expensive equipment. This has led to biometrics being stored on the smart card for additional security purposes. Thus we can say that while smart-card security is steadily advancing, at the same time “the range of attacks available to the determined attacker grows continuously wider” (Hendry, 2007, p. 230). What seems to be the consensus view is that even if a card is actually penetrated by an attacker, the wider systems the card is used to link to must remain secure.

 

THE SMART CARD INNOVATION SYSTEM

Social Specialization of Labor

The fundamental difference between the smart card and magnetic-stripe card is the on-board intelligence. Yet while the smart card is a far more sophisticated technology it does not mean it should be considered superior per se. Chadwick (1999, pp. 142-143) for instance, asserts that smart cards are not always the smart choice. Since the smart card’s invention, the microchip has acted to boost the profile of the device. The ultimate vision for the card has been that of a ‘PC in your pocket’, i.e., a mobile PC. Shogase (1988) coined the term ‘plastic pocket bank’. He worked for the Toshiba Corporation while they were developing the VISA SuperSmart Card. Although the card did not achieve expected diffusion rates in places like North America in the mid 1980s, entrepreneurs did not abandon it (especially in Europe). In the late 1980s, Bright (1988, ch. 8) wrote that France and Japan were leading the way followed by the U.S. Today, this geographic concentration still exists but other markets, particularly in Asia are starting to make an impact on the smart card industry, such as Hong Kong, Taiwan, Singapore, and China (McKenna & Ayer, 1997, ch. 3).

 

The Smart Card Stakeholders

Throughout the 1990s smart card gave rise to a new breed of start-up companies that were eager to exploit opportunities as they arose. The excitement even attracted some traditional magnetic-stripe card manufacturers. This was especially true of the system integration specialists who now had the job to build systems that could “talk” to each other (Ferrari, 1998, ch. 13). Not all auto-ID system integration companies were up to the task however, acquiring smart card knowledge required employee retooling and training (Keenan, 1997, p. 35f). With these new start-up companies came new knowledge and also the delineation of niche areas of expertise. Hendry (1997, p. 250) suggests a T-shaped knowledge base in a smart card organization where there are many people who have a top-level understanding of the technology while a few people need to develop detailed knowledge. These companies included: integrated circuit (IC) manufacturers, smart card manufacturers, terminal manufacturers, smart card integrators, smart card software specialists (operating systems, applications and access) and numerous other third parties.

 

Gathering Project Requirements

Smart card product development was unlike traditional technologies. Part of the difficulties with smart card, besides the fact that it was a relatively new high-technology is that most often project requirements were ill-defined, and they kept shifting throughout the lifetime of the project. Timeframes for each phase of development were hard to estimate along with costs and exactly what resources were required and when. Coordinating efforts between various suppliers was also problematic. In addition smart cards were privy to high rates of technical change and higher levels of uncertainty than other technologies (Fruin, 1998, pp. 241-249).

With so many individual stakeholders, many of whom were extremely specialized, designing an end-to-end smart card solution was a complicated task (Slawsky & Zahar, 2005; Davis & Mitchell, 1996). Some of the more complex issues are: “[h]ow can smart cards include multiple brand logos without confusing the consumer? Who is liable for lost and/or stolen cards and how are they replaced? Who provides customer service and how is it made seamless to the consumer? How are applications developed, certified, installed, and upgraded? How are privacy, accuracy, and security insured? How are revenues shared?” (Allen & Kutler, 1997, p. 12f; Ferrari et al., 1998, ch. 12; Barr et al., 1997, pp. 64-68). Fruin (1998, p. 248) summarizes developing smart card technology as “[h]ighly problematic, fraught with technical, organizational, managerial, and human resource difficulties”. Hendry (2007, p. 219) describes the difficulties associated with the implementation of smart card and emphasizes the importance of using a roadmap to help answer questions at each stage.

 

Utilizing Limited Human Resources

Apart from the few large smart card manufacturers, the other technology providers were usually small in size and had limited resources (Dreifus & Monk, 1998, pp. 305-314). Departments within the company had to be agile and customer-oriented but also forward-looking in terms of building generic hardware and reusable software. It is not always easy to mobilize resources in companies whose core products are applicable to more than just one high technology. For instance, in the case of integrated circuit suppliers, smart cards are only one technology among many that they are supplying. It is the same in the case of ISVs (Independent Software Vendors) who may be developing software for not only smart card players but also Internet-centric applications etc. It can be a dangerous proposition to freeze resources on a product-by-product basis but a fine balance needs to be struck between the two possible extremes.

 

Partnering

At the same time smart card component suppliers were also dependent on one another, particularly because no one vendor could provide the whole solution without relying on contributions from smaller players (Lindley, 1998, p. 87). In the VISA SuperSmart card development, Fruin (1998, p. 243) observed that “[n]either Toshiba nor Yanagicho boasted the complex and precise component-design, system-development, and product/process capabilities required for the project. A need for these forced Yanagicho to forge alliances with other Toshiba units and outside vendors.” In addition, one company may have the capabilities to do a particular part of the design process but the sheer magnitude of the project may not afford the time to complete tasks in-house, or there are other firms that have certain core competencies that would do that particular phase more economically.

When several organizations are working together to ensure that a service is available to a customer, it is important that the organizations are working to a common schedule. So many times the media has reported vendors of technology have let down their customers. Multiple vendors working together may have had four-fifths of a given solution ready but missing a vital component that ensures the ability to ‘go-live’ on a project. According to Hendry (2007, p. 220) priorities and decision-making processes need to be aligned and the choice of partners should not limiting in any way.

 

Firm-to-Firm Collaboration

Firm-to-firm collaboration between smart card companies continued to proliferate particularly in Europe (Allen & Kutler, 1997, p. 20; Cagliostro, 1999), even though the North American market was still struggling. Cortese (1997) also reported how the smart card market was poised to grow in the U.S. The establishment of the Smart Card Forum (SCF, 2002) in 1993 was an attempt to bring stakeholders even closer together. Citicorp, Bellcore, and the U.S Treasury Financial Management Services Division were integral to the formation of the Forum attracting business leaders from the public and private sector to share a common smart card vision. By the end of 1997, the Forum boasted 230 corporate and government international entities (Allen & Barr, 1997, pp. 268-273). The common goals of SCF included the:

“- promotion of the interoperability of cards, devices, and systems to assure an open market capable of rapid growth

- facilitation of information exchange, communications, and relationship development across industries in order to stimulate market trials

- service as a resource to policy makers, regulatory bodies, and consumer groups on issues impacting smart cards, especially in the areas of social responsibility and privacy” (Allen & Barr, 1997, p. 266).

Working groups and cross-industry committees were subsequently set up to brainstorm on issues specific to applications. The results of the studies are routinely published in white papers, standards and delivered at industry presentations. Similar forums have begun to sprout throughout the globe. For example, the Asia Pacific Smart Card Forum (APSCF) based in Australia was established in 1995 and had over fifty members in 2001. APSCF not only brought firms with common interests together but also promoted the interests of members to key policy makers at both the political and bureaucratic level of government (APSCF, 2000). The Forum does not exist in its original form, although there are now a number of smart-card related e-governance forums online. There is also the Asia Pacific Smart Card Association (APSCA, 2008) which is active in China, Singapore, Hong Kong, Taiwan, Japan, Korea, Malaysia and Thailand who may not have a large count of members, but boast memberships from the larger organizations such as Chunghwa Telecom Laboratories, Gemalto, IBM, Sony, Unisys, and Zebra.

 

Geographic Clustering

A pattern soon began to emerge linking the success of the smart card technology provider to its physical proximity to the customer. Lindley (1997, p. 88) also noted this stating that there was globally “…a strong correlation between the incidence of local suppliers and smart card application users.” In an effort to increase their revenues, European and Asian suppliers entered the US market, establishing a local presence in the hope that this would result in sales. Some of these smart card suppliers in the US believe that a smart card manufacturing group should be established in Silicon Valley: “[a] group such as this is needed to provide a road map, if you like, and a vision for the industry over the next decade.” Townend believed that the full spectrum of industry should participate in the group (McIntosh, 1997, p. 45) in order for greater collaboration to take place between firms and also as a central location to be able to demonstrate the full potential of smart card to prospective customers.

 

Private Enterprise and University: Forging New Links

As a result of geographic clustering very useful relationships began to form between private enterprise and local university research institutes. Not only was this a mechanism to perform useful collaborative research and development but it was also a way to attract skilled talent into the industry. Big smart card players like Schlumberger continued to fund and support initiatives particularly during the 1990s. The University of Michigan’s Centre for Information Technology Integration (CITI) is just one example. In late 1999 it formed a partnership with Schlumberger to develop the world’s smallest web server to run on a smart card (Media, 1999; University of Michigan, 1999). Prior to that CITI was investigating the future possibilities of the U-M card, the university’s campus smart card, supplied by Schlumberger. Both groups believed that the partnership would be mutually beneficial in the long term. At the University of Malaga the GISUM group was also researching smart card in 2002 (GISUM). The work was being supported by the European Union (EU) and the Spanish Ministry of Science. Two projects are of interest here- the eTicket project and the electronic forms framework for citizen-to-government (C2G) Internet-based transactions. Some collaboration between universities and enterprises, have resulted in university campus space being dedicated to technology parks/centers. For instance, the Smart Card Design Centre (SMDC, 2002) was operated as a business unit, housed within the City University of Hong Kong. The Smart Card Design Centre was funded by the Innovation and Technology Commission and the Hong Kong Government.

 

Consortiums and Alliances

The late 1990s saw a trend towards the formation of consortia and strategic alliances. Consortiums in high-tech typically pool together specialist resources from private enterprise, universities and other institutes, usually in anticipation of a new opportunity. As opposed to collaborative research on a specific topic that seeks to satisfy particular outcomes, a consortium’s scope is broader and usually more exploratory in response to a government or prospective large customer initiative. An example of this is the VerifiCard project in Europe which had six partners from four different countries, though it is not unusual to find consortiums with twenty partners containing mostly private companies. The VerifiCard project included: the University of Nijmegen (Netherlands), INRIA (France), Technical University of Munich (Germany), University of Kaiserslautern (Germany), Swedish Institute of Computer Science (Sweden) and SchlumbergerSema (France) (Partners, 2002). Most consortia usually have at least one or two big players that influence the direction of the rest of the group. It is also not unusual to find fierce competitors come together in consortiums, although typically this is avoided in overly competitive scenarios whereby separate consortia form.

Traditional players in auto-ID applications have especially sought to form alliances with providers of infrastructure, including banks, financial services, and telecommunications companies (Allen & Kutler, 1997, p. 16; Keenan, 1997, p. 37; Tam & Ho, 2007). Smart card business developers have identified new creative possibilities, piggybacking on the success of existing applications but in many cases the market response from users and merchants has been uncertain. For instance, there is the possibility for telecommunications operators to be earning revenues from public payphones capable of acting as cashless de facto ATMs or consumers being able to add vending machine purchase charges to their mobile phone bill or even CATV companies making use of set-top boxes to give subscribers online services on-demand. All these ideas sound very useful but in addition to the possibility of very slow take-up rates, deployment can be very tricky as well.

Independent software vendors (ISVs) specializing in smart card can build what look to be cutting-edge applications but without the access infrastructure (fixed or wireless), it is impossible to proceed. Hendry (1997, p. 250) makes the important observation that while individual applications can be built in a very short time frame (especially for closed systems), it can take two to three years for a national infrastructure to support the application to emerge and even five to ten years for a global one. Hendry’s analysis is precise: “[g]etting the infrastructure right, and making it easy to upgrade and add applications, should… be a top priority for any scheme.” In the same way telecommunication operators may wish to deploy state-of-the-art applications but how to collect revenues from subscribers (i.e. billing issues) and how to share profits between the players in the value chain may be fuzzy.

Alliances also act to curb the threats from non-traditional new entrants that may know little about the smart card business but have the venture capital to invest. With the rise of the dot.coms, non-traditional players especially entered the banking and telecommunication sectors hoping to make a lot of money from online applications. Many of these companies were attracted by the inflated revenue forecasts that were being predicted by analysts so the whole business case was built on shaky foundations from the outset. There was little in the form of user surveys granting valuable feedback, and unfortunately millions of dollars have been wasted during this time on ‘get rich quick’ schemes. Kaplan (1996, ch. 4) has identified successes and failures in the smart card industry pre-1996. He provides a good example in the Smart Card International experience (Kaplan, 1996, p. 22). The company assembled worldwide licensing rights but it was unable to distribute its product because it had no strategic alliances with other companies to assist with reselling locally, e.g. the Global Chipcard Alliance.

 

Communicating Information

With smart card development innately encouraging so many interactions between stakeholders it is no surprise that so much literature has been published on the topic. The distribution of information has acted to continually educate all the various stakeholders, including users, about smart cards and their applications. Today users are a lot more technically astute than they used to be. The PC, cable television, game play-stations, Internet and mobile phone, and more recently the personal digital assistant (PDA) and internet POD (iPOD) have all contributed to a more technology-savvy society. In some ways the permeation of so much information may have been one reason why some users have resisted the change (Lindley, 1998, pp. 144-145; Keenan, 1997, pp. 26-34). The Internet has played an important role in granting people access to information that was otherwise in hard-copy form in limited locations, such as public libraries.

Today there are daily reports on worldwide smart card activities. Apart from the numerous web sites like SCN (1999) there are a number of industry magazines dedicated to smart cards is indicative of the general growth of the auto-ID industry over the years. Some of the more prominent journals include: Card Technology, Cards&Payments, Card Technology Today (now CTT), Report on Smart Cards, Smart Card and Systems Weekly, Smart Card Monthly, Smart Card News and Smart Cards and Comments. There is an explicit knowledge infrastructure that has grown with the industry.

Industry associations are also contributing to smart card growth, like the Smart Card Industry Association (SCIA) that was established in 1989. SCIA acts as a resource centre and is also involved in organizing conferences and other industry events. SCIA’s primary purpose is educational in nature. SCIA represents smart card technology providers. Other institutions include the SmartCard Developers Association, the International Card Manufacturers Association (ICMA) and the Smart Card Club, Card Europe. The latter association which tries to promote user confidence in smart cards believe (Kaplan, 1996, p. 318): “...that only by achieving consensus across both industry and country borders, [they]… will be able to achieve a true representative set of products and standards leading to full interoperability with a multi-service capability...”

     

The Importance of ISO

According to ISO, “[s]tandards are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose” (Dreifus & Monk, 1998, p. 29). It is not difficult to see why standards play such an important role in smart card development. Without them there would be no common point of reference for any of the stakeholders to follow. ISO is a worldwide federation of national standards bodies which has worked towards ways of making cards and equipment interoperable (ISO, 2008). Adherence to ISO standards is not compulsory but it is advisable.

Unlike magnetic-stripe cards where proprietary schemes could possibly increase the security of applications in particular scenarios, smart cards have in-built security features and standardization is almost always desirable (Mayes & Markantonakis, 2008). In the case of magnetic-stripe card technology, it was no coincidence that ISO 7810 was composed, “rather [it was] the close cooperation among major providers that established global standards and specifications” (Kaplan, 1996, p. 210). Early smart card developers adopted existing magnetic-stripe standards initially in order to allow a smooth migration from magnetic-stripe. Today all three technologies can be utilized on the same card- “the information... can be accessed by reading the chip, swiping the magnetic stripe, or making an imprint from the embossing” (Dreifus & Monk, 1998, p. 31).

Other important ISO standards that influenced the rise of smart cards were ISO 7816 which defines ICCs (Integrated Circuit Cards) with contacts and ISO 10536 which defines contactless ICCs (Jacquinot Consulting, 2008). ISO 7816 contains seven parts stipulating guides to physical characteristics, dimensions and locations of the contacts, electrical signals and transmission protocols, inter-industry commands, application identifiers and data elements for interchange. Suppliers should be ISO 7816 or ISO 10536 compliant even though adhering to ISO standards does not ensure that interoperability is achieved between cards and terminal equipment. ISO leaves room for industry-level specifications but when none exist mismatches can happen (McKenna & Ayer, 1997, p. 48). Hendry (1997, pp. 253-258) provides a complete list and description of ISO standards as related to smart cards. Ferrari et al. (1998, ch. 3) also discusses standards and specifications, especially ISO 7816, CEN726 (the ETSI version), GSM, EMV (MULTOS), PC/SC, the OpenCard framework, IATA Resolution 791, SEIS (Secured Electronic Information in Society), Cryptoki, CDSA (Common Data Security Architecture), PC/SC Workgroup, and MASSC a generic architecture for multiapplication smart cards.

 

Specifications

As has already been mentioned ISO ICC standards are not so constraining that there is no room for industry-specific standards. Thus in some cases additional specifications need to be drawn. In late 1993, Europay, MasterCard and Visa took the initiative to join forces as EMV to formulate ICC Specifications for Payment Services. As Kaplan (1996, p. 214) explains, the EMV cooperation was the pooling of expertise for a common goal. The objective was, “to eventually permit interoperability among chip-based payment cards for credit and debit applications [figure 3]. Without common technical standards, an array of incompatible systems would proliferate- building serious barriers to both consumer and merchant acceptance” (Allen & Kutler, 1997, p. 8). Dreifus and Monk (1998, p. 42) notice that the development of the EMV specification followed a series of evolutionary steps. The EMV specifications were delivered in three parts each focusing on a different set of issues. EMV-1 described the smart card and its environment, EMV-2 described the terminal environment and EMV-3 described how data would be exchanged between the card and the terminal.

EMVCo was established by the EMV alliance in 1999 to administer EMV standards for debit/credit cards. The newer CEC (Chip Electronic Commerce) and the existing SET (Secure Electronic Transaction) was combined in the EMV specification (Jones, 2000; EMVCo, 2003; SET, 2000). It also should be noted that e-purse standards emerged (not in competition to EMV but at another layer of detail) called CEPS (Common Electronic Purse Specifications) and TAPA (Terminal Architecture for PSAM Applications), i.e. PSAM standing for Purchase Secure Application Modules. “The PSAM is a device that performs security functions during an electronic purse purchase transaction. TAPA provides a structure for terminals that can process single or multiple applications” (Jones, 2000). In 2002, MasterCard acquired Europay and in 2004, JCB International joined EMVCo alongside MasterCard and VISA. An important lesson learnt from the development of the EMV specification is (Allen & Kutler, 1997, p. 12): “that progress… requires collective discussion, and action. No one company can optimize smart cards unilaterally, and even industry-wide coordination through, say, a banking or retailing association, will fall short of the mark.”

Just like EMV, ETSI (European Telecommunications Standard Institute) decided to formulate an industry specification in the 1980s for its proposed Global Systems for Mobile (GSM) network. The specification, known as SIM (Subscriber Identity Module) is predominantly used in Europe and Asia. The SIM has the functionality to perform authentication and offer a personalized service to subscribers. GSM offers international compatibility and allows for the subscriber to roam in any country where there is GSM coverage. GSM specifications include: security aspects (02.09), SIM (02.17), network functions (03.20) and SIM interface (11.11). When designing smart card solutions different levels of standards need to be adhered to dependent on the application. These levels may pertain to the physical card itself, the contact pads, the card reader, the interface, the Application Programming Interface (API), the application itself, even card management. Standards and specifications can change and/ or evolve. According to Dreifus and Monk (1998, p. 46) changes in standards are “…a result of the natural evolution and the maturation of the technology”.

 

Legal, Regulatory and Policy Issues

Regulation E and Stored Value Cards (SVCs)

In 1987 Svigals (p. xviii) noticed that the national governments of Japan and France were beginning to implement government policies and actions relating to smart cards. Twenty years later the rise of smart card schemes in operation has brought the question of regulation into the spotlight. This is not necessarily a bad thing for the industry; some experts see it as an evolutionary step in the life-cycle of smart cards. Barr et al. (1997, p. 69) believe that a technology such as smart card is becoming commercially significant when lawyers and regulators begin to study the legal, regulatory and policy implications. From about the late 1990s discussion about Regulation E has increased. “Regulation E was promulgated by the Federal Reserve Board as the implementing regulation for the Electronic Fund Transfer Act of 1978. It is designed to protect consumers and defines the right and obligations of consumers and ‘financial institutions’ with respect to electronic transaction affecting consumer accounts” (Barr et al., 1997, p. 70). In the past it has been easier to identify smart card applications that require financial transactions to be performed and need appropriate regulations, but with the introduction of multiapplication smart cards this defining line has blurred. According to Barr et al. (1997, p. 78), the following issues need to be considered: “is the issuer of a SVC going to be treated as a bank for federal or state purposes; will there be export control restrictions because of the encryption used in the smart cards; and how will general commercial law principles which have evolved in connection with old-style payment systems apply to smart card.”

Financial institutions are no longer banks, building societies and credit unions; they can be anything from telecommunications companies to airlines, it all depends on the services being offered. The Federal Reserve board believes “that if cards are used to access an account” they are subject to Regulation E (Noe, 1995, p. 44). Thus, the Board has issued proposed changes to Regulation E and how it should be applied to stored value cards (SVCs). Owens and Onyshko (1996) provide a comprehensive discussion on regulations, legal and privacy issues as they relate to credit cards, debit cards and SVCs. One industry spokesman, the president of Cash Station Incorporated, James Hayes, does not think that Regulation E should be imposed on SVCs. Hayes rather compares SVCs to cash equivalents rather than customer transaction accounts. He believes that smart card “development will be impeded by regulation imposed before the purpose, risks and benefits can be clearly assessed... [he] cautioned that smart card regulation is in its infancy and that it will continue to evolve” (Noe, 1995, p. 45).

In 1997, the US Federal Reserve issued a clarification and simplification of Regulation E, finally providing protection to credit cardholders (Grupe, Kuechler & Sweeney, 2003). “Maintaining consumer confidence, managing technology and preventing fraud are among the most often cited reasons for applying regulation E to smart card transactions” (Puri, 1997, p. 138). One of the biggest problems of Regulation E is that it requires a receipt to be kept for every transaction, and in the case of smart cards, this is very difficult given the breadth of applications a single card could support (e.g. parking meters, vending machines etc) (Figure 4). In 1998 O’Connor wrote about the de minimis exemption for stored value cards in proposed changes to Regulation E. He pointed out that removing SVC protections would make cardholders easy targets for either unscrupulous vendors or fraudulent issuers who disburse defective cards. He called this an “open invitation to fraud”. To make things even more complicated it is no longer the point of sale (POS) in which companies focus on but the point of interaction. Furletti (2004b) believes the whole area of payment cards and Regulation E is very “unsettled” which has led to a great deal of consumer confusion. There has been a clear call for uniform standards to be introduced (Furletti, 2004a).

 

Who Has Access to Information and Where?

In 1997, Puri (p. 134) stated that on average 80 more times of data can be stored on a smart card than a magnetic-stripe card; today about 10 megabytes of data can be stored on a smart card. No matter how one looks at future possibilities, the smart card is set to play a major role in remote banking services. Tarbox (1997, p. 262) believes that smart card issuers must therefore disclose to application developers and consumers, how and who will have access to information, and how it will be distributed. For a thorough discussion on privacy see Branscomb (1994). On the topic of smart cards (p. 70) she provocatively questions: “[b]ut are we willing to have so much medical information about ourselves contained in so little electronic space, with possible access not only to us and the doctors treating us, but as well to our insurance companies, our employers, and the FBI, not to mention that bizarre world of computers voyeurs?” Cuddy (1999), Brin (1998), and Davies (1996, ch. 7; 1992, ch. 4) offer groundbreaking insights into this area. When considering the rise of multiapplication cards, the problem of ‘who owns information’ is even more complex. At least a single application card can undergo some sort of assessment with visible limits.

Another question mark that surrounds world-wide interoperability of smart cards is how they will be regulated when they are used in different countries. For example, does a regulation applied in the U.S. have any legal bearing in Australia or Japan? Some have suggested the enactment of a number of privacy torts related to smart card, others are encouraging the use of electronic contracts between issuers and consumers since new laws are not about to appear overnight. The contract should give the consumer confidence that they will have full control of personal information on the card (i.e., in case of error); why this personal information is required, who will use it and for how long; how the consumer’s privacy is protected to ensure non-disclosure and if a particular application is covered by existing statutes; and reference to the issuer’s privacy policy (Cavazos & Morin, 1995, pp. 34-45; Barr et al., 1997, p. 76).

 

Sources on Consumer Acceptance of Smart Card

Svigals (1987, ch. 16) was one of the first authors to discuss the potential societal impacts of smart card as was C. P. Smith (1990, ch. 9). For key strategies and considerations for user acceptance of smart cards refer to Lindley (1994) and Cooper, Gencturk & Lindley (1996). Consumer acceptance of the smart card in some geographic regions is very low, even in some cases where adoption of other high-technologies such as mobile phones has been high (Bright, 1988, pp. 145-149; Card World, 1990, pp. 42-45; Radigan, 1995; Smart Card Alliance, 2006). Specifically it was user privacy concerns that initially hampered smart card diffusion in many parts of the world (Lindley, 1997, pp. 132-142; Barr et al., 1997, pp. 73-78; Vincent, 1995). A number of links can be found on Ontario’s Smart Card Project created by the Information Policy Research Program (2002). The site contains useful press clippings and articles on public policy and smart card. Included in this site are links to Roger Clarke’s articles on public policy issues related to identification (Clarke, 1997). Other useful reports include: Privacy Committee of NSW (1995) and the Privacy Commissioner (1995).

 

The Social Implications of Mass Market Chip Cards

Many citizens across the globe have vehemently protested the use of smart cards for citizen identification. However in some countries citizens are powerless to voice their concerns, while in other countries governments have already introduced unique lifetime identifiers (ULI) linked to an ‘everything’ card (Drudge, 1998) without much public discourse or consultation. It is not the technology itself that most people fear but what it represents and how the capability of unique ID can be used by anyone who has access to the information, particularly potential totalitarian governments or regimes. For a comparison between Australian and UK national ID proposals, see Jackson and Ligertwood (2006, pp. 45-55) and for an indepth review of Australia’s identity card proposals see Jordan (2008).

While there are many advantages gained by the use of multiapplication smart cards for government and non-government applications, more research needs to go into what these advantages mean in real terms. Almost always, the economics behind large schemes such as national ID cards are unjustified, costing the taxpayer more in the long-term (M.G. Michael & K. Michael, 2006, pp. 359-364). The notion of many ‘little brothers’ versus one Big Brother has been put forward in opposition to multiapplication cards. While the intent of the issuer may be noble, i.e. to offer a better service to its customers, no one can guarantee that the information will not be used ‘against’ an individual. These are not conspiracy theories but lessons from history (K. Michael & M.G. Michael, 2006).

One of the most infamous uses of dossiers against a people was that of the Nazis against the Jews (Black, 2001). Evans (1987) writes with reference to the proposition of an ID card in Australia: “I can understand why many people- particularly those who have lived under totalitarian regimes or fled from Nazism- oppose the Australia card”. In 2006, the Australian government proposed the Human Services Access Card which was to replace 17 different cards issued by 4 government agencies (Australian Privacy Foundation, 2007; Greenleaf, 2007). In the end the proposal did not gain support (Clark, 2008, pp. 156-166). This is contrast to country-specific mass market cards in Hong Kong (Octopus, 2008) and Britain (e.g. Oyster Card). There seem to be cultural differences in the adoption of new mass technologies. Due to their multiapplication capabilities, smart cards are renowned for function creep.

Function creep is defined by Clarke (1996) as “the commencement of a scheme with a small number of uses, but with accretion of additional uses (and often intrinsically more invasive ones) at a later stage.” For example, the Octopus Card was never meant to be a government ID card, but specific applications were deployed after the card was introduced as a solution for transit (Figure 5). Observers suspect that the British Oyster Card may be going down the same roadmap. Each Oyster smart card has a unique ID number which is linked to the registered owner’s name. Every time the card is used a transaction is recorded of where and when it occurred. Commuters have been told that the data is retained for planning purposes to help in the provisioning of services, but it is well-known that the data could also be released to law enforcement agencies (Turban & Brahm, 2000; Mustafa, Giannopoulos & Pitsiava-Latinopoulou, 1995; Teal, 1994). Mark Littlewood of the civil rights group Liberty in the UK reflects: “[a]ll too often we have seen data collected for one apparent purpose, only for it to end up being used for something entirely different” (Scullion, 2003).

 

SMART CARDS APPLICATIONS

Overview

Like the magnetic-stripe card and bar code card before it, the smart card can be applied to many different applications (Datamonitor, 1996, ch. 3). The question is whether or not the smart card is the best-fit solution to the problem at hand (Carr, 2002). For example, “[i]n France, virtually all bank cards have been converted from magnetic stripe technology to chip technology to cut down on fraud” (Lever, 1997, p. 18); yet the same level of migration cannot be assumed in all parts of the world. It is therefore not surprising that it was also in France that one of the first multiapplication city smart cards was trialed in Vitrolles in 1990 (Sola, 1990). The UK also announced a similar CityCard project in 1998. Smart cards are also being used more and more for travel and to reduce traffic congestion. The Electronic Road Pricing (ERP) system in Singapore, officially launched in March of 1998, collects two forms of road revenue: using a particular stretch of road and for entering the CBD (Central Business District) during designated busy hour traffic periods. Inserted in the reader of each vehicle is a Cash Card which is debited each time the vehicle crosses an ERP area. Parking is yet another application for smart cards used for charging drivers for the time they occupy a space and/or given access to a car park (Figure 6). Prepaid smart cards have even been used for consumer electricity payment (Raad, Sheltami & Sallout, 2007).

Health cards using smart card technology have also become common. The main motivators for the use of smart cards in health care from the patient, service provider and payer perspectives can be found in Brainerd and Tarbox (1997, p. 155). Smart cards can store patient information making the processing of transactions particularly in hospitals easier. In some countries like Germany, the health care smart card has been implemented successfully but for the greater part controversy surrounds privacy aspects of the card. There is a fear that if health data is stored centrally then it may be at risk of being misused by independent entities. Errors in patient records can also be damaging to an individual if they go unnoticed. However fully networked and integrated health care systems that incorporate end-to-end health provision are still lacking. It is envisaged that in the future, a patient will be able to visit his/her doctor, receive a diagnosis from the doctor and store this information on the smart card. If the patient requires drugs, prescriptions could be made electronically to ensure non-conflicting medications were given. Visits to specialists and test results could also be stored on the card.

The largest application of smart cards however is for public telephones. Figures released by Datamonitor indicated that in 1996 around 66 countries had adopted smart card payphones and smart cards for payphones accounted for approximately 75% of all smart cards sold globally. While the benefits offered by smart payphone cards over magnetic-stripe payphone cards are negligible, telephone operators are strategically positioning themselves for tomorrow’s mass market consumer mobile payment applications. If the smart card infrastructure in payphones is ready to be used, it is only a matter of additional software to be written for other applications such as banking. Imagine using a payphone or a mobile device that could act as an ATM (Figure 7). The development of the Global Standard for Mobile Telecommunications (GSM) required a subscriber identity module (SIM) to be inserted into the mobile handset. The SIM is the mechanism that allows a subscriber to connect to the network and is essentially a smart card made to ISO specifications (Moorhead, 1994). Smart cards are also being used for satellite and cable television (CATV) to prevent unauthorized viewing of programs and for metering of household energy use. Security algorithms decode the signal via a set-top box. Monnin (1992, pp. 418-421) writes of the exclusive advantages in pay-TV. University campus smart cards are also widely used.

Many governments are also looking into smart cards for social welfare and more generally for citizen identification (e.g. for voting). The Malaysian Government multiapplication smart card known as MyKad began being issued by the National Registration Department in 2001. The ID card is now issued to all citizens and permanent residents over the age of 12 years old and there are now about 20 million active MyKads with more to follow as citizens continue to migrate from the older ID card. MyKad card holds drivers license details, passport data, and other information. In some countries such national cards have been launched without adequate data protection and privacy legislation. In 2002, there is the well-known case of the Japanese government who launched JukiNet effectively linking national, regional and local government databases together, without adequate privacy protections. Within 24 hours, local authorities had disconnected from the network citing privacy problems. A privacy law was then rushed through Japan’s judicial system. According to Hendry (2007, p. 199) the Diet and Juki Cards which are now commonplace in Japan, contain the name, address, civil status, and a link to the holder’s records in JukiNet.

 

Case 1: Smart Cards in Telecommunications

Pre-paid Telephones Cards

Without a doubt, prepaid smart cards for public payphones account for the largest segment of the smart card market (Crotch-Harvey, 1996), and this continues to hold true today. In 1995, telecommunication-specific smart cards accounted for 80 per cent of the market. More recent market share forecasts are available. They indicate that the market share has shifted by application type (Freedonia, 2003; Frost & Sullivan, 2004; IMS, 2008). The future for broadband services continues to flourish which forced traditional telecommunications companies in the 1990s to form alliances or even merge with CATV companies, Internet Service Providers (ISPs), Web software businesses and media corporations in a bid to share their risks and make sure they are not left out of the race (Wilson, 2001). All these applications require smart cards for subscriber access authorization with capabilities to bill customers for services used and information content downloaded (Hadeed, 2000).

The first recognized trial of smart cards for prepaid telephone cards was by the French Post Telephone and Telegraph (PTT) in 1982-83. The French justified the move from coin operated payphones to smart card payphones by highlighting that about 15 per cent of phone call tariffs were lost as a direct result of telephone charging frauds and coin theft (Svigals, 1987, p. 97). The French trials were so successful that in 1984 ten thousand smart card payphones were installed in France with 400,000 smart cards issued to consumers. By 1995 there were a reported 1.5 billion prepaid telephone cards sold- “four hundred million of these were smart cards that can be accepted in one of every five payphones in more than 70 countries” (Lutz, 1997, p. 131). The smart cards used by French Telecom were made by Gemplus (now Gemalto). Gemplus is the leading maker of smart phonecards with 40 per cent of the market share. It supplies smart cards to 50 national telephone operators in about 50 countries worldwide. Gemplus sold 120 millions smart cards in 1994 alone.

In 1994 US WEST marketed the Telecard smart card in conjunction with the Nortel Millennium payphone. In 1995, Québec Telephone became the first company in North America to modernize its entire payphone system. In 1996, BellSouth chose to team up with Nortel at the Atlanta Olympic Games. BellSouth deployed 200 smart card-compatible Nortel Millennium intelligent payphones which were able to handle VISA Cash. Nortel was the first to bring smart card capable payphones to North America and in 2003 they had more than 100000 Millennium terminals installed throughout the region. It was a way for BellSouth to differentiate itself from the other 866 payphone providers in Georgia. The Millennium payphone was multi-pay, multi-card capable, accepting “VISA Cash as well as magnetic-striped, commercial credit and calling cards, and coins” (Scarlett & Manley, 1996, p. 3). By 1997, the smart cards had become so popular that Mondex International decided to use the Nortel Millennium payphone and Nortel PowerTouch 360 (also known as the Vista in Canada) to offer electronic banking and home banking services. Customers now have the additional ability to ‘reload’ their prepaid cards by transferring funds from their personal accounts. In essence, the intelligent telephone has now become a remote ATM.

 

Subscriber Identity Modules in Mobile Phones

Another use of smart cards in telecommunications since 1992 is as a SIM card, also known as the User Identity Module (UIM), for mobile handsets.  As Kaplan describes (1996, p. 162): “SIM cards contain non-volatile information embedded by the manufacturer related to security and identity, and a programmable memory (electrically erasable) to provide for optional and dynamically changeable information.” It is the microchip in the SIM card that authorizes the subscriber’s connection to the network. This way the subscriber can place and receive calls. The card is personalized in such a way that the subscriber’s account information is stored on the microchip. Other data includes card ID, PIN, service features, access class and memory configuration. Subscribers can remove the SIM card and put it into any other GSM handset and all the subscriber-customized features will work, provided they are the same standard size (e.g. standard ISO SIM card). Another excellent feature of the SIM is that it allows for global roaming. Global roaming provides the subscriber access worldwide at the operating frequency or technology used in a particular country (e.g. GSM, DCS 1800, PCS 1900, DECT, UMTS or satellite systems). The most important function of the SIM card is that of billing (pre-paid or post paid). A subscriber can take their card with them anywhere and have total control of who uses it- the PIN enabling the SIM is always a safe practice for any subscriber just in case they lose their phone or have it stolen.

 

Mobile Payment Systems

Reports which herald the SIM as a vital piece of tomorrow’s wireless personal digital assistants (PDA) do so for good reason (Ince, 1997, pp. 26-30). Japan’s NTT DoCoMo launched i-Mode at the end of 2000, to trial a packet-switched mode of transmission over the 2G mobile environment. By 2003, about 3000 companies were offering transaction capabilities over i-Mode officially linked to DoCoMo’s mobile commerce billing system. The results speak for themselves; in 2003, more than 50 per cent of mobile subscribers use i-Mode and about 40,000 new subscribers were joining the network each day. The first generation of i-Mode applications allowed the user to do anything that the ‘fixed’ Internet offered, such as book airline tickets, buy and sell shares on the stock market, play games, check the latest weather forecasts, shop and browse for products, play government-approved lotteries, download images and even use a company’s intranet. DoCoMo’s c-Mode, marketed in 2004 was also set to challenge the way in which consumers spent their money. Using their wireless handset, consumers were able to purchase items from vending machines and be billed accordingly on their i-Mode bill. Today, i-Mode in Japan boasts 48 million subscribers and currently more than 95,000 Internet sites are providing a variety of content (NTT-DOCOMO, 2008).

In Singapore consumers can pay for their taxi fare via their mobile phone as well as purchase coke from a vending machine. In the Australian market, Vodafone and 3 were eager to follow the Japanese example, although the readiness of the market was debatable in 2003. In 2002, Telstra began running trials in Bronte, Sydney: “[c]ashless parking meters activated by mobile phones and smart cards…” (R. Smith, 2002, p. 11). But it is not inconceivable that the wireless personal digital assistant (PDA) or e-wallet will become the future mechanism by which all purchases, even government transactions will be made. Coupled with mobility will be the ability to use the same smart card in the home. In the case of such cable television applications like video-on-demand (VoD) or home shopping, smart cards have the ability to not only grant the customer access to subscription channels but also to charge the individual for content viewed and items purchased (Hendry, 1997, p. 153). Lutz adds (1997, p. 141) that “[s]mart cards can add substantial value to th[e] growing industry by providing payment options, access authorizations, personalized services, and security”.

 

Smart versus “Dumb” Cards

PhoneCards

In 1990, Telecom Australia introduced the Phonecard- a prepaid telephone card system. The technology supplied by the Anritsu Corporation had been used in Japan for some years successfully. Cook (1994, p. 1) an executive of Telecom’s payphone services business unit described the technology choice in conference proceedings. “The technology revolves around an encoded magnetic stripe which is credited with a series of dollar values ($5, $10, $20 and $50) that are decremented according to the call type when inserted in the payphone…” Telecom saw many benefits to the widespread roll-out of magnetic-stripe technology. They believed that it would increase profitability of their payphone business, reduce vandalism and theft of public payphones and be more convenient for the consumer. Telecom produced in excess of 10 million cards per year and over 75 per cent of payphones accepted PhoneCard. However, Telecom did reveal that the costs of producing and distributing the cards were expensive when counted with the costs of upgrades to payphones (Cook, 1994, p. 5). The Telecom experience is quite typical of many telephone operators’ experience in the United States. The company was aware of smart card technology being used in France at the time of making the magnetic-stripe decision but opted for the ‘safer’ option. Perhaps this was a strategic decision, for Telecom Australia (now Telstra), to gauge consumer reaction to the PhoneCard before moving towards the more expensive smart card solution. Still, this was either an expensive strategic move or an expensive loss.

 

Smart PhoneCards

In 1997, Telstra launched ‘Smart Phonecards’ in Perth. Within a six-month transition period all magnetic-stripe cards were phased out and new payphone terminals were installed (developed by Spanish manufacturer Amper) (Figure 8). Telstra have made it obvious that the new Telstra Smart Phonecard would also facilitate cashless payment for a variety of goods. The Phonecard experience seems to be a recurring pattern in other countries worldwide. In Pakistan for example, where 100 million people had access to only 2000 payphones in Islamabad and Lahore in 2002, competing operators implemented different auto-ID solutions. In Britain, BT (British Telecom) replaced their optical card payphones with smart card. Even in the United Arab Emirates, old coin and magnetic-stripe payphone terminals were replaced with smart-card capable ones (Fromentin & Traisnel, 1995, p. 82). Yet in the mid 1990s, the U.S. smart card payphone situation was still “very much in its infancy, with only a few payphones equipped with readers capable of handling credit cards or telephone chargecards. There are signs of change, however, with several operators conducting trials with magnetic stripe cards” (Communications, 1995, p. 58).

 

Plain Old Calling Cards

Telecom’s pre-paid PhoneCard should be differentiated from other services that are presently being offered by telephone operators. For instance, using the AT&T Direct Service requires a consumer only to be in possession of a recognized credit card such as American Express, MasterCard, Diners Club or an AT&T corporate card. The service offered by AT&T does not require the use of the magnetic-stripe technology to make a call internationally. The process only requires the use of a touchtone telephone. The cardholder enters the special AT&T Access Number (dependent on where the call is being originated), dials the international telephone number and then enters the AT&T Calling Card number plus the credit card number followed by the four digit expiration date to complete the call. All calls are then billed to the cardholder’s credit card. If the process of dialing all these numbers seems prone to error, that is because it is. Telephone operators have a host of calling card services some of which only require the cardholder of an access card to dial an operator which then places a call on behalf of the caller. Newer more innovative secure network access can be achieved using biometrics (Messmer, 1998, pp. 1-2).

 

Case 2: Smart Cards for Health Care

Almost every patient in a more developed country (MDC) possesses a health care card of some type, whether he or she is covered by either private health insurance or a government medicare scheme or both. While in Europe and Canada smart cards have been prevalent in the health care sector other countries such as the U.S. and Australia have lagged behind. In the U.S. several attempts have been made to introduce a health care card (Hausen & Bruening, 1994, pp. 24-32), especially by the Clinton administration but these failed; the same as in the Australian case. In Clinton’s proposal the smart card would carry an ID number, and the information to be stored on the card was very comprehensive including blood type, allergies, health insurance details, treatment programmes and major illnesses (Stix, 1994).

 

In Europe and Canada

France

In contrast, in France the Sesame Vitale scheme has been in place since 1986. The smart card scheme used to assist the French Social Security boasted of approximately 10 million French citizens and over 100000 doctors and other health professionals in the late 1990s. Ultimately the scheme will cover the entire French population for the primary purpose of proving the identification of the cardholder and conveying prescriptions to pharmacists. The scheme is not directly concerned with individual patient medical records- this is the task of another card called Santal. Other projects that have been piloted in France include the Biocarte system and the Transvie card.

 

Germany

In 1989 the German Health Insurance Card, Versichertenkarte, was distributed to citizens by government, enforceable by law. In the case of Germany where a national health care card was introduced, Kaplan (1996, pp. 158-161) describes the advantages to patients, insurers and health care providers noting however, that there are privacy risks associated with the scheme. Also, Hendry (1997, ch. 13) discusses medical records, prescriptions and patient monitoring and Gogou et al. (2000, pp. 559-561) a smart card network for health services. The Versichertenkarte card was used to provide individuals with access to medical treatment and to assist with billing of services and the reduction of administration costs. Schaefer (1997, p. 1) reported that by October 1994, 63.4 million cards had been distributed to insured persons and about 135,000 readers had been installed at medical institutions. The card was accepted by about 93 per cent of health insured persons and about 45 per cent of all doctors. By the end of 1994 the card was issued to about 79 million persons. The content on the patient card included: title, given name, surname, date of birth, address, name of health fund, insurance company identification number, patient health insurance number, status of the insured and the card expiration date. The magnitude of this project cannot be underestimated.

 

Canada

The Québec health card developed by the Laval University Medical center and the Québec Health Insurance board was piloted in May 1993. About 7,000 cards were issued to potential participants and about 300 doctors, pharmacists and nurses were targeted. The information on the health card was grouped in five separate zones: identification, emergency, vaccination, medications and medical history. In Ontario, in the same year the Encounter smart card was also piloted. Cards were issued to about 2,200 volunteers and 80 health care providers. The card contained three separate sections: biographical, health status data and encounter (patient visiting) data. However what was different about this card was that it contained not only numbers relevant to health but also the unique lifetime identifier (ULI) of the patient represented in the registered persons official database. According to Lindley (1997, p. 97) there were over 30 health card trials between 1985-1990, some were implemented widely while others were not. For an overview of a smart health care service case study see Kaplan (1996, pp. 104-109). McCrindle (1990 ch. 9) provides a generic overview of medical applications with some international examples.

 

Europe-Wide

Since the Schengen Agreement, European-wide smart card health schemes have also been promoted by specific programs like the Advanced Informatics Medicine (AIM). It is envisaged that cross-border national medical sectors in Europe will be integrated in a shared system. One of the functions of the Eurocard will be to reduce health administrative costs. The Diabcard is also making headways in Germany, Austria, Italy and Spain. The Diabcard “...provides the specification for a chip card-based medical information system (CCMIS) for the treatment of patients with chronic diseases” (Engelbrecht et al., 1996; Schaefer, 1997, p. 4). In 2004, the European Health Insurance Card was introduced as a proof of national health insurance valid in all countries of the EU (Hendry, 2007, p. 187). The Card allows a cardholder or their family to receive necessary healthcare in a public system of any European Union country or in Switzerland, if they become ill or injured while on a temporary stay in that country. According to the European Commission (2004), “the health insurance card represents an essential stage in the possible development of new services or functions using information technologies, such as storing medical data on a smart card or secure access to the medical file through the insured’s identifier.” Under the eEurope 2002 charter of Smart Card Initiatives, the card is seen as paving the way forward to responding to the needs of citizens and the business community.

 

Privacy Concerns over the Smart Card

The Medicare card distributed to all Australian citizens entitles the cardholder to receive government-funded medical services and benefits. For example, the card can be used to subsidize patient visits to general practitioners (GPs). The card contains a magnetic-stripe, an embossed number, an expiry date and the name(s) of the cardholder(s). Before a cardholder can see a doctor, he/she must present the card which is carbon-copied and forwarded to the Health Insurance Commission (HIC) for processing. Due to earlier privacy concerns regarding pseudo national ID cards, attempts to introduce a smart card were extinguished. The Minister of Health in 1991 promised the public that a smart card would never replace the existing system (Davies, 1992, pp. 52-55). However, the Warren Center still believed that a smart card would “improve the administration of PBS, and reduce fraud and errors... a smart chip could also be added to the Medicare card, storing the history of the drugs issued and for which benefits had been paid” (Privacy Committee of NSW, 1995, p. 32). The process proposed by the Warren Center was not only seen as efficient to administration but possibly life-saving for the patient. Despite the on-board security of smart cards, a great number of Australians still view the smart card with some distrust, primarily because of its storage capacity.

Private health care funds in Australia are also beginning to roll-out magnetic-stripe cards. MBF (Medical Benefits Fund) distributed cards to their customers in 1998 and NIB in 1999. The MBF card unlike the Medicare Card is not embossed but does display the cardholder’s signature. When patients claim rebates on health services that are not covered by Medicare, they must now present their private health insurance card as a way for the health fund to track expenses. Previously, the system was confusing for patients and health institutions wishing to claim money owed to them- several different medical bills for health services made reconciliation difficult. The MBF cardholder is also entitled to discounts at certain health-related companies like Rebel sports store and entertainment venues (MBF, 1999).  

 

The Potential for Biometrics and RFID

Other auto-ID devices being used in health care include biometrics and RFID (Fulcher, 2003). For a person in a critical condition who requires urgent medical attention, and who is unconscious, biometric identification in the form of hand or fingerprint scanning could end up preventing further damage or death (Takac, 1990, p. 19). Many people have died unnecessarily because of injections they are either allergic to or have received too high a dosage. Even as early as 1999, SJB reported that there were over 70 live installations of biometrics in health care. Menendez (1999) also writes about biometrics for health care. In 1992, Kaufman and Woodward (1992, pp. 165-167) who pioneered a medical record system called Plustag-Magic, also demonstrated the use of alternative technology for health care.

Today, RFID tags and transponders are being adopted, mainly for the precise identification of new-born babies, mentally-ill patients or those suffering from allergies. While there are many tags or bracelets that do not possess any intelligence (like bar code), RFID is a technology that is predicted to change everything from physical access control in hospitals to drug delivery using biochips to treat illnesses like diabetes. During the Severe Acute Respiratory Syndrome (SARS) epidemic, Ling (2003) described the use of the Contact Track & Trace system, and the Hospital Movement Tracking System, based on RFID technology used to monitor visitors, patients and hospital staff. The system worked as follows. Every individual given physical access to the hospital was issued with a RFID sensor card to be worn around the neck. As people walked around the hospital, data was captured via RFID readers and stored in the central computer’s database. Information about an individual’s contact in the hospital was stored for 21 days after each new contact point.

 

Medical Implantable Devices

RFID transponders which store a unique ID can now also be implanted for emergency response applications (Michael, Michael & Ip, 2007). It is estimated there are over two thousand recipients of these tiny identification devices, most of which are sourced back to the Food and Drug Administration approved products of the VeriChip Corporation, based in the United States. The premier implantable VeriChip is used for the VeriMed application, namely patient identification. There are over 900 registered medical facilities that are now equipped with VeriChip readers. The VeriMed system claims to overcome the problems often associated with ‘at-risk’ individuals. For example, to aid patients in times of crisis- if they have collapsed, suffered memory loss, are unable to communicate, or have a complex medical history they cannot recollect. Corporate marketing identifies the following benefits of the VeriMed system: rapid identification in the emergency response (ER) room, instant medical record access, and improved emergency response (VeriMed, 2007). The chip simply stores a unique identification number, and associated medical records are stored in a secure global Verichip subscriber (GVS) registry database. The chip is inserted through a basic medical procedure, in the subdermal layer of the skin in the left or right upper arm, much as in the case of a dog or cat implant. VeriChip’s other non-implantable applications are related to infant protection, wander prevention, and emergency management among others. An alternate approach to the medical implantable device is the wireless monitoring technology called Digital Plaster (Toumaz, 2008; BBC News, 2005).

 

Smart Cards Today

The smart card as an auto-ID technique came up against a number of barriers which hampered its success early on (Kaplan, 1996, pp. 22-24; Hill, 1996, p. 1). Mitchell (1995) believed that one of the primary reasons that smart cards had not reached their anticipated potential in the U.S. was because merchants did not accept the card to begin with. The merchant indifference towards smart card meant that consumers could not offer the payment method to purchase goods and services because the likelihood of their being an available device to read the card was very low. A Gartner study in 1998 also reported that smart cards were a push technology and until new developments established their business value, that the technology would continue not to meet wild expectations (Essick, 1998, p. 1). For instance, Dataquest’s (1999) worldwide chip market forecast for 1997-2002 was off the mark. Schiffer (2000) provides an insight into why the smart card encountered such obstacles, giving the analogy of the electric automobile, and the way that social behavior stifled its development process. Part of the blame should also be shared with the system developers who overlooked the fact that customers have a mind of their own and they cannot be manipulated to act in a certain way (Rankl, 2007, p. xi).

The period post the dot.com crash saw smart card giants endure some turmoil as expectant smart card demand projections were not reached. Smart card companies like Schlumberger and Gemplus shed a sizeable chunk of their workforce at this time. It must be stressed that this is not to set a pessimistic undertone about the future of the smart card, only to underscore that other types of cards such as bar code and magnetic-stripe, have maintained their place in the auto-ID industry. Today, smart cards have proliferated in a variety of countries and for stable mass market applications like national ID cards. Countries like China and Hong Kong have rolled out citizen identification cards that are truly multiapplication in nature. The Octopus Card in Hong Kong for instance, is not only a national ID card, but it is used for passenger transport and as an e-payment mechanism (Chau & Poon, 2003; Poon & Chau, 2001). While it is indisputable that the Octopus Card has suffered function creep, its citizens do not seem to feel that their privacy is encroached but much rather that the card is highly convenient in their busy lives. Hendry (2007, p. 219) has written that the scope of multi-application smart card projects has a strong tendency toward ‘function creep’ as has been discussed already in this chapter.

Rankl (2007) believes that today, the smart card has reached a turning point in its lifecycle, a type of paradigm shift. He believes that the driver for smart card has little to do with technology being pushed onto consumers, and that today, it has more to do with the needs of users preoccupying developers. He writes: “[t]his is quite a normal cycle in the course of technology development, as has been seen repeatedly in this form and in similar forms” (Rankl, 2007, p. xi). The authors agree with Rankl, that it was quite a ‘normal’ path for smart card to go through on the product lifecycle curve but it came with associated tangible and intangible costs to the industry at large as well.

 

CONCLUSION

Multiapplication smart cards have the potential to herald in a pure cashless society. Attempts in the 1990s by private enterprises like Mondex, toward the acceptance of a smart card wallet were only mildly successful. Some critics would go as far as stating that these ventures were a dismal failure. ePayment solutions beyond anything such as petty cash transactions, seem to be a stumbling block for smart card city-based schemes. The promise of smart card seems more practicable in a government-mandated solution whereby an ID card has multiple applications and multiple functionalities onboard. While these sorts of schemes seem to be popular in Asia and some parts of Europe, the United States, Canada, Australia and lesser developed countries have chosen other routes for personal ID, such as tax file numbers and the like. Time will tell if even these countries will adopt smart ID solutions, especially given the seemingly increased sense of nations requiring better border security. Contact smart cards have been widely adopted in health care for patient tracking and also by the steady telecommunications industry, particularly for mobile telephony. Contactless smart cards on the other hand, remain popular as access control solutions and in electronic road pricing as vehicle solutions. It is true to say that for the time being, the full force of smart cards have yet to be unleashed, although as in the case of bar code and magnetic stripe card, the infrastructure that is growing around the technology, takes time to build. We may well be entering a new decade where the capacity for smart card as an epayment solution will explode, coupled with broadband Internet, cable television, high definition television (HDTV), and the like.

 

REFERENCES

Allen, C. A., & Barr, W. J. (Eds.). (1997). Smart Cards: Seizing Strategic Business Opportunities. New York: McGraw-Hill.

Allen, C. A., & Kutler, J. (1997). Overview of smart cards and the industry’, in Smart Cards: seizing strategic business opportunities. In C. A. Allen & W. J. Barr (Eds.), (pp. 2-20). New York: McGraw-Hill.

Amdur, D. (1997). France moves toward chip card future- Internet seen as opportunity in the United States.

APSCA. (2008). Members. Asia Pacific Smart Card Association   Retrieved 1 December 2008, from http://www.apsca.org/members/member.php

APSCF. (2000). Australian Smart Card Capabilities. Paper presented at the Asia Pacific Smart Card Forum, The Warren Centre for Advanced Engineering, the University of Sydney.

Argy, P., & Bollen, R. (1999). Australia: raising the e-commerce comfort level. IT Pro(November-December), 56-58.

Australian. (2002, 7 May). Pay your taxi fare by mobile phone. The Australian, p. 2.

Australian Privacy Foundation. (2007). The Federal government calls it a ‘Human Services Access Card’.   Retrieved 3 December 2008, from http://www.privacy.org.au/Campaigns/ID_cards/HSAC-FAQ3.html

Barr, W. J. (1997). Shifting boundaries. In C. A. Allen & W. J. Barr (Eds.), Smart Cards: Seizing Strategic Business Opportunities (pp. 57-78). New York,: McGraw-Hill.

BBC News. (2005). 'Digital plaster' monitors health. BBC News   Retrieved 5 December 2008, from http://news.bbc.co.uk/1/hi/health/4617633.stm

Black, E. (2001). IBM and the Holocaust. UK: Little, Brown and Company.

Blythe, P. (2000). Transforming Access to and Payment for Transport Services through the Use of Smart Cards. Journal of Intelligent Transportation Systems, 6(1), 45 - 68.

Brainerd, L., & Tarbox, J. D. (1997). Healthcare and smart card technology. In C. A. Allen & W. J. Barr (Eds.), Smart Cards: Seizing Strategic Business Opportunities (pp. 151-168). New York: McGraw-Hill.

Branscomb, A. W. (1994). Who Owns Information? New York: Basic Books.

Bright, R. (1988). Smart Cards: principles, practice, applications. New York: John Wiley & Sons.

Brin, D. (1998). The Transparent Society: will technology force us to choose between privacy and freedom? Massachusetts: Perseus Books.

Browne, F. X., & Cronin, D. (1996). Payment technologies, financial innovation, and laissez-faire banking. Cato Journal, 15(1), 101-116.

Cagliostro, C. (1999). Rosy outlook predicted for US smart card market. Card Forum International(November/December), 45-47.

Card World (Ed.). (1990). ITALY- Slowed by cultural resistance. Surrey.

Cardshow. (1996). The birth of smart cards: 1974-1989. The Smart Card Cybershow- Smart Card Museum, from http://www.cardshow.com/museum/ex70.html

Carr, M. R. (2002, 20-24 October). Smart card technology with case studies. Paper presented at the 36th Annual 2002 International Carnahan Conference on Security Technology.

Cavazos, E. A., & Morin, G. (1995). Cyberspace and the Law: Your rights and duties in the on-line world. Massachusetts: The MIT Press, Massachusetts.

Chadwick, D. (1999). Smart cards aren’t always the smart choice. IEEE Computer(December), 142-143.

Chau, P. Y. K., & Poon, S. (2003). Octopus: An E-Cash Payment System Success Story. Communications of the ACM, 46(9), 129-133.

CITI. (2002). Center for Information Technology Integration.   Retrieved 6 December 2002, from http://www.citi.umich.edu/

Clark, S. R. (2008). Privacy and National Identity Cards: A legal and technical study. In K. Michael & M. G. Michael (Eds.), Australia and the New Technologies: Evidence Based Policy in Public Administration. Wollongong: University of Wollongong.

Clarke, R. (1996). Privacy Issues in Smart Card Application in the Retail Financial Sector XamaX Consultancy   Retrieved 3 December 2008, from http://www.anu.edu.au/people/Roger.Clarke/DV/ACFF.html

Clarke, R. (1997). Roger Clarke’s main publications on data surveillance and information privacy. Xamax Consultancy   Retrieved 15 September 1997, from http://www.anu.edu.au/people/Roger.Clarke/DV/RogersDVBibl.html

Communications. (1995). The word on the street... Communications International, 22(4), 56-58.

Cook, J. (1994, 15-16 October). Lessons from the Phonecard: "Watch this space" advertising. Paper presented at the AIC Conference.

Cook, S. (1997). Foreword. In C. A. Allen & W. J. Barr (Eds.), Smart Cards: Seizing Strategic Business Opportunities (pp. xi-xiv). New York: McGraw-Hill.

Cooper, J., Gencturk, N., & Lindley, R. A. (1996). A sociotechnical approach to smart card systems design: an Australian case study. Behaviour & Information Technology, 15(1), 3 - 13.

Cortese, A. (1997). The ultimate plastic. Business Week, 119-122.

Crotch-Harvey, T. (1996). Smart cards in telecoms. Smart Card News, from http://www.smartcard.co.uk/telecoms.htm

Crowley, M. J. (1996). Stored value: an analysis of its institutional and economic implications. Melbourne: Monash University.

Cuddy, D. L. (1999). Secret Records Revealed: the men, the money & the methods behind the new world order. Oklahoma City: Hearthstone Publishing.

Datamonitor. (1996). Global Smart Cards. London: Datamonitor.

Dataquest. (1999). Smart card research. from http://www.smartcardcentral.com/research/

Davies, S. (1992). Big Brother: Australia’s growing web of surveillance. Australia: Simon and Schuster.

Davies, S. (1996). Monitor: extinguishing privacy on the information superhighway. Sydney: PAN Macmillan.

Davis, R. H., & Mitchell, H. (1996). Smart cards: a design for the future. Journal of Information Technology, 11(1), 79 - 97.

Devargas, M. (1992). Smart Cards and Memory Cards. New York: Blackwell Publishing.

Dreifus, H. N., & Monk, J. T. (1997). Smart Cards: a guide to building and managing smart card applications. New York: John Wiley and Sons.

Drudge, M. (1998). ID number to track medical history. from http://www.warroom.com/natid.html

EMVCo. (2003). Europay, MasterCard and Visa Co. from http://www.emvco.com/

Engelbrecht, R., Hildebrand, C., Bruguas, E., De Leiva, A., & Corcoy, R. (1996). DIABCARD an application of a portable medical record for persons with diabetes. Informatics for Health and Social Care, 21(4), 273 - 282.

European Commission. (2004). European health card for 1 June 2004. Employment, Social Affairs and Equal Opportunities   Retrieved 3 December 2008, from http://ec.europa.eu/employment_social/news/2003/feb/hicard_en.html

Eurosmart. Eurosmart: the voice of the smart card industry. from http://www.eurosmart.com/

Evans, D. (1987, 12 August). Everything you wanted to know about the Australia Card… but were afraid to ask. The Daily Mirror.

Ferrari, J., Mackinnon, R., Poh, S., & Yatawara, L. (1998). Smart Cards: a case study: Research Triangle Park.

Freedonia Group. (2003). World Smart Cards to 2006 - Demand and Sales Forecasts, Market Share, Market Size, Market Leaders.   Retrieved 3 December 2008, from http://www.freedoniagroup.com/World-Smart-Cards.html

Fromentin, J.-R., & Traisnel, J. (1995). Smart payphone services. Telecommunications, 29(7), 82-83.

Frost and Sullivan. (2004). World Contactless Smart Card Market and Market Share Study.   Retrieved 3 December 2008, from http://www.researchandmarkets.com/reports/365434

Fruin, W. M. (1998). Smart cards and product-development strategies in the electronics industry in Japan. IEEE Transactions on Engineering Management, 45(3), 241-249.

Fulcher, J. (2003). The use of smart devices in eHealth. Paper presented at the Proceedings of the 1st international symposium on Information and communication technologies Dublin.

Fünfrocken, S. (1999). Protecting mobile web-commerce agents with smartcards. First International Symposium on Agent Systems and Applications, 90-102.

Furletti, M. (2004a). Payment System Regulation and How It Causes Consumer Confusion.   Retrieved 1 December 2008, from http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2004/PaymentSystemRegulation_112004.pdf

Furletti, M. (2004b). Prepaid Card Markets & Regulation.   Retrieved 1 December 2008, from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=927077

GISUM. (2002). GISUM research group.   Retrieved 6 December 2002, from http://www.lcc.uma.es/~gisum

Gogou, V. (2000, July 23-28). A smart card network in health care services. Paper presented at the Proceedings of the 22nd Annual EMBS International Conference, Chicago, Illinois.

Greenleaf, G. (2007). Australia's Proposed ID Card: Still Quacking Like a Duck Computer Law & Security Report, 23.

Grupe, F. H., Kuechler, W., & Sweeney, S. (2003). Dealing with Data Privacy Protection: An Issue for the 21st Century. Information Security Journal: A Global Perspective, 11(6), 45 - 56.

Hadeed, A. (2000). Using Smart Cards to Gain Market Share. New York: Gower Publishing Company.

Haghiri, Y., & Tarantino, T. (2002). Smart Card Manufacturing: A Practical Guide. London: Wiley.

Hansmann, U., Nicklous, M. S., Schäck, T., & Schneider, A. (2002). Smart Card Application Development Using Java. Germany: Springer.

Hausen, T., & Bruening, P. (1994). Hidden costs and benefits of government card technologies, IEEE Technology and Society Magazine (Vol. 13, pp. 24-32).

Hayes, S. (2002). SIMple device for coke online. The Australian, p. 8.

Hegenbarth, M. (1990, 15-16 October). The latest status in standardisation of smart card technology. Paper presented at the in proceedings of the AIC Conference, Smart Card technology: applications for the 1990’s, Sydney.

Hendry, M. (1997). Smart Card Security and Applications (Artech House Telecommunications Library). Boston: Artech House.

Hill, M. J. (1996). Contact and contactless cards. from http://mot2.mot-sps.com/csic/smartcrd/library/cc_simple.html

IMS. (2008). The Worldwide Market for Smart Cards and Semiconductors in Smart Cards. IMS Research Group   Retrieved 3 December 2008, from http://www.electronics.ca/reports/ic/smart_cards.html

Ince, J. (1997). Simplicity & standards. Cellular Business, 14(2), 26-30.

Information Policy Research Program. (2002). Ontario smart card project. from http://www.fis.utoronto.ca/research/iprp/sc/

ISO. (1999). 35.240.15 Identification cards and related devices. International Standards Organisation, 1-3.

ISO. (2008). ISO/IEC 7816-15:2004. International Organization for Standardization   Retrieved 5 December 2008, from http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=35168

Jackson, M., & Ligertwood, J. (2006). Identity management: is an identity card the solution for Australia? In K. Michael & M. G. Michael (Eds.), The Social Implications of Information Security Measures on Citizens and Business (pp. 45-55). Wollongong: Wollongong University.

Jacquinot Consulting. (2008). The ISO 7816 Smart Card Standard: Overview CardWerk: Smart Card Solutions   Retrieved 5 December 2008, from http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816.aspx

Johnston, M. (1997, 19 May). The ultimate plastic. Business Week, 62-33.

Jones, D. (2000). Europay and Visa issue new e-purse standards. Ctt, 11(6), 5-6.

Jordan, R. (2008). Identity Cards and the Access Card. Australian Government: Parliamentary Library   Retrieved 5 December 2006, from http://www.aph.gov.au/library/intguide/LAW/IdentityCards.htm

Jouet, J. (Ed.). (1991). European Telematics: the emerging economy of words. Holland: North-Elsevier Science.

Kaplan, J. M. (1996). Smart Cards: the global information passport- managing a successful smart card program. London: International Thomson Computer Press.

Kaufman, A., & Woodward, L. H. (1992). PlusTag-Magic medical record system. Computing Applications to Assist Persons with Disabilities, 165-167.

Keenan, W. (1997). Components of the business proposition: the consumer demand proposition:the consumer demand proposition. In C. A. Allen & W. J. Barr (Eds.), Smart Cards: Seizing Strategic Business Opportunities (pp. 21-43). New York: McGraw-Hill.

Lever, R. (1997). Smart cards: the next generation of money. Europe, 365, 16-18.

Lindley, R. A. (1997). Smart Card Innovation. Australia: Saim.

Ling, T. C. (2003). Contact track and trace. Electronics Review, 16(2).

Lokan, C. J. (1991). The design and applications of smart cards. he Australian Computer Journal, 23(4), 159-164.

Lopez, J. (2002). The role of smart cards in practical information security. ERCIM News, from http://www.ercim.org/publication/Ercim_News/enw49/merino.html

Lutz, K. (1997). Telecommunications and information services. In C. A. Allen & W. J. Barr (Eds.), Smart Cards: seizing strategic business opportunities (pp. 128-150). New York: McGraw-Hill.

M'Chirgui, Z. (2005). The economics of the smart card industry: Towards coopetitive strategies. Economics of Innovation and New Technology, 14(6), 455-477.

Macaire, A. (2000). An open secure terminal infrastructure for hosting personal services. Paper presented at the IEEE International Conference on Technology of Object-Oriented Languages.

Marron, K. (2000, 9 June). Incubators nurture e-com ventures. The Globe and Mail, p. E5.

Martin, C. D. (1993). The myth of the awesome thinking machine. Communications of the ACM, 36(4), 120-133.

Mayes, K., & Markantonakis, K. (Eds.). (2008). Smart Cards, Tokens, Security and Applications. Germany: Springer.

MBF. (1999). ‘Member privileges’, Living Well (MBF), pp. 22-23.

McCrindle, J. (1990). Smart Cards. London: Springer-Verlag.

McIntosh, T. (1997, 29 April). Curly questions for smart cards. The Australian, p. 45.

McKenna, J., & Ayer, K. (1997). Worldwide developments and player motivations. In C. A. Allen & W. J. Barr (Eds.), Smart Cards: Seizing Strategic Business Opportunities (pp. 44-56). New York: McGraw-Hill.

Media. (1999, 19 November). University of Michigan develops the world’s smallest web server in partnership with Schlumberger. ScreamingMedia, from http://industry.java.sun.com/javanews/stories/print/0,1797,20667,00.html

Messmer, E. (1998). Using ‘body language’ to secure networks. NetworkWorldFusion, 1-2.

Michael, K., Michael, M., & Ip, R. (2007). Microchip Implants for Humans as Unique Identifiers: a Case Study on VeriChip. Paper presented at the 3TU: Ethics, Identity and Technology, The Hague, The Netherlands.

Michael, K., & Michael, M. G. (2006). Historical Lessons on ID Technology and the Consequences of an Unchecked Trajectory. Prometheus, 24(4), 365 - 377.

Michael, M. G., & Michael, K. (2006). National Security: The Social Implications of the Politics of Transparency. Prometheus, 24(4), 359-364.

Mitchell, R. (1995). Sorry we don’t take smart cards. Credit Card Management, 8(5), 16, 18.

Monnin, G. (1992). Smart cards exclusive advantages in pay-TV. Paper presented at the IBC 1992.

Moorhead, S. (1994). Personalisation of GSM telephones, AIC Conferences.

Mustafa, M. A. S., Giannopoulos, G. A., & Pitsiava-Latinopoulou, M. (1995). The Electronic Road Tolling and Enforcement Experiment of Thessaloniki. Journal of Intelligent Transportation Systems, 2(4), 327 - 340.

Noe, J. (1995). The dawn of smart card regulation. America’s Community Banker, 4(11), 44-45.

NTT-DOCOMO. (2008). i-mode.   Retrieved 3 December 2008, from http://www.nttdocomo.com/services/imode/index.html

O'Connor, S. M. (1998). The De Minimis Exemption of Stored Value Cards From Regulation E: An Invitation to Fraud? The Richmond Journal of Law and Technology, 5(2).

Octupus. (2008). Welcome to Octupus.   Retrieved 3 December 2008, from http://www.octopuscards.com/consumer/en/index.jsp

Owens, R. C., & Onyshko, T. S. (1996). Legal regulations and privacy concerns relating to credit cards, debit cards and stored-value cards.   Retrieved 21 January 1999, from http://www.smythlyons.ca/it/credit/index.htm

Partners, V. (2002). VerifiCard Project. from http://www.cs.kun.nl/VerifiCard/files/partners.html

Petri, S. (1999). An Introduction to Smart Cards. Messaging Magazine   Retrieved 5 December 2008, from http://www.opengroup.org/comm/the_message/magazine/mmv5n5/SmartCards.htm

Poon, S., & Chau, P. Y. K. (2001). Octopus: The Growing E-payment System in Hong Kong. Electronic Markets, 11(2), 97 - 106.

Privacy Commissioner. (1995). Smart Cards: implications for privacy: Commonwealth of Australia, Canberra.

Privacy Committee of NSW. (1995). Smart Cards: Big Brother’s Little Helpers. 66(August).

Purdue. (2008). Magnetic Stripe. Material Handling and Industrial Distribution Lab: School of Industrial Engineering at Purdue University   Retrieved 5 December 2008, from http://cobweb.ecn.purdue.edu/~tanchoco/MHE/ADC-is/Magnetic/main.shtml

Puri, V. (1997). Smart cards – the smart way for the banks to go? International Journal of Bank Marketing, 15(4), 134–139.

Raad, M. W., Sheltami, T., & Sallout, M. (2007, 26-27 July). A Smart Card Based Prepaid Electricity System. Paper presented at the 2nd International Conference on Pervasive Computing and Applications.

Radigan, J. (1995). Consumers are lukewarm on smart cards. US Banker,  105(9), 24.

Rankl, W. (2007). Smart Card Applications: Design Models for using and Programming Smart Cards. West Sussex: John Wiley and Sons.

Rankl, W., & Effing, W. (1997). Smart Card Handbook. New York: John Wiley and Sons.

Rijn, F. V. (1988, 24-27 June 1987). Concerning home telematics. Paper presented at the proceedings of the IFIP TC 9 conference on social implications of home interactive telematics, Amsterdam.

RUN. (12 March 2008). Dismantling contactless smartcards. Radboud University Nijmegen   Retrieved 25 November 2008, from http://www2.ru.nl/media/pressrelease.pdf

Scarlett, D., & Manley, T. Smart cards brighten Atlanta this summer. Northern Telecom, Enterprise: Millennium- SmartCard, from http://www.nortel.com/home/about/articles/smartcard/

SCF. (2002). Smart Card Forum. from http://www.smcardforum.org

Schaefer, O. P. (1994). Introduction of chip technology to healthcare in Germany. Smart Card News, from http://www.smartcard.co.uk/health.htm

Schiffer, M. B. (2000). Looking back: why the electric automobile lost market share: How social behaviour can affect product technology. IEEE Potentials, 40-43.

SCIA. SCIA...Your link to a smart future.   Retrieved 20 January 1999, from http://cardtech.faulknergray.com/scia.htm

Scullion, A. (2003). Smart cards track commuters. BBC News | Technology   Retrieved 3 December 2008, from http://news.bbc.co.uk/2/hi/technology/3121652.stm

SET. (2000). Secure Electronic Transaction. from http://www.setco.org/

Shogase, H. (1988). The very smart card: a plastic pocket bank. IEEE Spectrum, 25(10), 35-39.

SJB. (1999). Biometrics are hot in health care. smartcard&biometrics Research News(July), 2.

Slawsky, J. H., & Zafar, S. (2005). Developing And Managing a Successful Payment Cards Business. London: Ashgate Publishing.

Smart Card Alliance. (2006). Contactless Payments: Consumer Attitudes and Acceptance in the United States. Smart Card Talk   Retrieved 5 December 2008, from http://www.smartcardalliance.org/newsletter/december_2006/feature_1206.html

Smart Cards. (2002). SchlumbergerSema smart cards, terminals, consulting and system integration.   Retrieved 6 December 2002, from http://www.smartcards.net/

SMDC. Centre information. from http://www.smartcard.com.hk/layout.htm

Smith, C. P. (1990). Smart Cards- the user’s view. In P. L. Hawkes (Ed.), Integrated Circuit Cards, Tags and Tokens: New Technology and Applications (pp. 165-176). Oxford: BSP Professional Books.

Smith, R. (2002, 28 July). Motorists dial up to pay parking fees. The Sunday Telegraph, p. 11.

Sola, R. (1990, 15-16 October 1990). Case study: City card implementation in Vitrolles, France- from concept to reality. Paper presented at the AIC Conferences.

Stix, G. (1994). Dr. Big Brother. Scientific American, February, 79.

Sun-Herald. (2002, 29 December). Multimedia phones put friends in frame. The Sun-Herald, p. 27.

Svigals, J. (1987). Smart Cards: the new bank cards. New York: Macmillan Publishing Company.

Takac, P. F. (1990, 15-16 October). An analysis of the issue of smartcard applications within the health services sector. Paper presented at the AIC Conference.

Tam, K. Y., & Ho, S. Y. (2007). A Smart Card Based Internet Micropayment Infrastructure: Technical Development and User Adoption. Journal of Organizational Computing and Electronic Commerce, 17(2), 145 - 173.

Tarbox, A. (1997). Security, privacy, and smart cards. In C. A. Allen & W. J. Barr (Eds.), Smart Cards: seizing strategic business opportunities (pp. 248-264). New York: McGraw-Hill.

Teal, R. F. (1994). Using Smart Technologies to Revitalize Demand Responsive Transit. Journal of Intelligent Transportation Systems, 1(3), 275 - 293.

Toumaz. (2008). Connected Freedom. Toumaz Technology   Retrieved 5 December 2008, from http://www.toumaz.com/public/page.php?page=sensium_intro

Trapanier, M., Tranchant, N., & Chapleau, R. (2007). Individual Trip Destination Estimation in a Transit Smart Card Automated Fare Collection System. Journal of Intelligent Transportation Systems, 11(1), 1 - 14.

Travin, V. (2008). The history of smart-cards and their place in modern Russia St.Petersburg State University: Faculty of Economics   Retrieved 5 December 2008, from http://works.tarefer.ru/29/100312/index.html

Tual, J.-P. (1999). MASCC: a generic architecture for multiapplication smart cards. IEEE Micro(September-October).

Turban, E., & Brahm, J. (2000). Smart Card-Based Electronic Card Payment Systems in the Transportation Industry. Journal of Organizational Computing and Electronic Commerce, 10(4), 281 - 293.

Ugon, M. (1989). Smart card- present and future. In D. Chaum (Ed.), Smart Card 2000: the future of IC cards. New York: North-Holland.

University of Michigan. (1999). Joint investigation of enhancements to smart card technology. from http://www.umich.edu/~newsinfo/Releases/1999/Feb99/r020999c.html

VeriMed. (2007). Solutions: VeriMed. VeriChip Corporation Retrieved 7 December 2007, from http://www.verichipcorp.com/content/solutions/verimed

Vincent, N. (1995, 26 August). Big brother is selling you. The Daily Telegraph.

VISA. (2008). VISA Mini: A breakthrough in Card Design. VISA-ASIA   Retrieved 24 November 2008, from http://www.visa-asia.com/ap/au/cardholders/cardsservices/visa_mini.shtml

Website, S. C. I. A. SCIA home.   Retrieved 27 November 2001, from http://www.scia.org

Wilson, C. (2001). Get Smart: The Emergence of Smart Cards in the United States and their Pivotal Role in Internet Commerce. New York: Artech House.

Zoreda, J. L., & Oton, J. M. (1994). Smart Cards. Boston: Artech House.