Internet Insight: Get Smart

Smart cards may handle most of our transaction needs, if we let them.

Imagine discarding that pocketful of plastic: credit, debit and frequent-flyer cards; grocery store affinity program cards; and passes that get you into offices. Imagine replacing them with one smart card, a piece of plastic the size of a credit card, with memory and a processor that securely store financial, loyalty, even medical and job-related information.

It's a vision that's within reach, and it may have enough market momentum to become reality. The United States and Canada saw a 37 percent increase in smart-card use between 1999 and 2000, according to a report commissioned by the Smart Card Alliance, a group of vendors and users formed to promote smart-card use. That progress stems from the confluence of a number of factors, ranging from the creation of technical standards and the increasing use of the Internet to a heightened attention to security since the Sept. 11 terrorist attacks.

The smart-card industry scored significant wins last year, with marquee names signing up to deploy the cards. Minneapolis-based Target Corp.'s Target stores became the first retailer to introduce a branded smart Visa card. Visa U.S.A. expected to have 8.5 million smart cards, including Target's, in the United States at the end of last year, and American Express Co. reported 4 million users of Blue smart cards at the close of 2000. No Blue card numbers for last year are available yet.

Financial services are just one arena for smart cards. The Smart Card Alliance reports 125 percent growth in corporate campus use of smart cards, with Microsoft Corp. and Sun Microsystems Inc. leading the way as two major enterprises that use smart cards internally for employee access to buildings. In addition, the Department of Defense has issued 110,000 of the more than 4 million new smart cards used for physical and electronic access.

What's more, the United States will see a surge in smart-card use now that AT&T Wireless and Cingular Wireless have pledged to convert their networks to GSM (Global System for Mobile Communications). GSM phones use smart cards, called subscriber identity modules, that store subscriber information. These cards allow wireless users to remove the card and insert it into another phone—a friend's handset or an upgraded model—and be charged on their regular bill and accessed via the same phone number.

With banks, enterprises and public transportation entities issuing smart cards, industry leaders are striving to ensure that something dumb doesn't happen—for example, having people carry 15 smart cards instead of 15 magnetic-stripe cards. Ultimately, consumers will likely tote fewer cards but probably won't carry just one.

Password, Please

Multiple-application cards require more memory—and more is becoming available. "Five years ago, the maximum capacity was 6KB to 8KB. Today, it's 128KB," said Francois Lasnier, vice president of sales and marketing, smart cards, for SchlumbergerSema, in New York, one of the top smart-card manufacturers. Those high-capacity cards are still too expensive for most applications, so few have hit the market. Most cards offer 32KB of memory.

Memory capacity is expected to grow by three or four times in the next five years, but the cost likely won't drop much below today's 32KB cards. "We'll see the increase in capacity holding the price or slightly depressing the price," said Charles Walton, president of Carados Inc., a Burlington, Mass., developer of smart-card technology. Three years ago, smart cards cost about $10; today, they sell for about $1.

Some said, however, that memory probably can't increase fast enough to allow single cards to run many applications. "It's not possible right now. There's too little memory," said Shalini Chowdhary, an analyst for Frost & Sullivan, a market research company in San Jose, Calif. "There either has to be a revolution in smart cards so the memory really increases manyfold, or, otherwise, you have to access remote servers."

One way to avoid the memory issue is to put only passwords on the card. For example, Compaq Computer Corp., in Houston, recently introduced Netissimo, a product designed by software developer Inc. that allows consumers to insert a smart card into a reader at their PC terminal to automatically connect to the Internet. The card holds various types of passwords, so users don't have to manually sign in to access Web sites or online accounts that require registration, such as banks, frequent-flyer sites or Web-based e-mail. The scheme echoes that used by Sun's Sun Ray business appliances. Available since 1999, the devices offer applications to users via remote servers and employ smart cards to authenticate users and store session information.

Some data, however—likely the most often used—will certainly be stored locally on the card. For example, some cards may have an application that acts as a change purse or a wallet from which users can pay for a coffee in a shop and earn loyalty points. That could be the same purse that pays for public transportation or other point-of-sale applications (see story, right).

"The card is a good place to perform secure processing and is a storage container," Walton said. Smart cards can store passwords for hundreds of applications, he said.

Such a tool can make access to applications more secure because passwords can be longer and more random, since users won't have to memorize them.

Smart cards offer enhanced security for e-commerce as well as any online function that requires authentication, such as digital signatures. A smart-card issuer could offer customers digital certificates that confirm their identities online and allow them to digitally sign documents, as well as a key that translates encrypted information.

If a business user, for example, wants to sign a purchase agreement, an application on the computer or Internet sends a thumbnail of the document, called a digest, to the smart card in the smart-card reader. The processor on the card signs the digest using the certificate stored on the card, then sends it back to the computer. The certificate and key never leave the card.

In contrast, in applications that don't use smart cards, the certificate and the key are stored on the hard drive of the user's computer or in a browser. There, they can be easily stolen. In addition, the user can access only the key and certificate from a particular machine.
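The signing exchange described above, as an added sketch that is not from the original article or any vendor's card software: the host hashes the document and sends only the digest, and the card returns a signature without ever exposing its private key. It uses textbook RSA without padding and a constructed key built from two Mersenne primes, both assumptions made for illustration only; the `SmartCard` class and function names are hypothetical, and the public values `(n, e)` stand in for the public key a certificate would carry.

```python
import hashlib

# Constructed demo key material: two Mersenne primes. Illustration only;
# real cards generate random primes on-chip and use a padded scheme.
_P = 2**521 - 1
_Q = 2**607 - 1
_E = 65537


class SmartCard:
    """Toy card: the private exponent exists only inside this object."""

    def __init__(self):
        self._n = _P * _Q
        # Private exponent; no method returns it to the host.
        self.__d = pow(_E, -1, (_P - 1) * (_Q - 1))

    def public_key(self):
        # Public half only, safe to hand to anyone who needs to verify.
        return self._n, _E

    def sign_digest(self, digest: bytes) -> int:
        # The card sees a fixed-size digest, never the document itself.
        if len(digest) != 32:
            raise ValueError("card accepts only a 32-byte SHA-256 digest")
        return pow(int.from_bytes(digest, "big"), self.__d, self._n)


def host_sign(card: SmartCard, document: bytes) -> int:
    """Host side: hash the document, send the digest, get a signature back."""
    digest = hashlib.sha256(document).digest()
    return card.sign_digest(digest)


def verify(public_key, document: bytes, signature: int) -> bool:
    """Relying party: recompute the digest and check it against the signature."""
    n, e = public_key
    expected = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return pow(signature, e, n) == expected


if __name__ == "__main__":
    card = SmartCard()
    doc = b"Purchase agreement: 500 units"  # constructed sample document
    sig = host_sign(card, doc)
    print("valid:", verify(card.public_key(), doc, sig))
    print("tampered:", verify(card.public_key(), doc + b"0", sig))
```
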

Such high levels of security are useful in enterprises or business-to-business applications. Identrus LLC, a company formed by a group of banks to create a method for allowing their business customers to securely buy and sell online, found that the highest level of security it could find to secure online transactions is smart cards.

"It was set up to provide a high level of assurance so that people feel comfortable transacting millions or even billions online," said Dave Oshman, senior vice president of technology for Identrus, in New York. Identrus has 53 banks signed on to use the system, with 10 already implementing the smart cards. Business customers of those 10 banks currently use smart cards and readers attached to their computers to digitally sign and authorize purchases and sales.

The Age of Multiapp Cards

Despite the utility of stored passwords, efforts to enable multiple applications to run from a single card are continuing. Visa U.S.A. has built a platform that can allow the combination of more than 30 applications on its smart cards and expects to introduce offerings that combine credit card functions with frequent-flyer programs within six to 12 months. Kenny Thomas, director of corporate relations for Visa U.S.A., in San Francisco, said the cards can store the data for those programs, not just passwords, to access the data online. Applications that store affinity programs may be small enough to share a card.

Ensuring that data isn't shared among applications on a single card is no longer a problem because many of the leading smart-card deployments use Sun's JavaCard technology. JavaCards, licensed by smart-card leaders Gemplus International S.A., in Luxembourg, and SchlumbergerSema and used by Visa and the Department of Defense, allow multiple applications to run on the same chip. "Each is firewalled from each other. So now one application for one service doesn't know the other applications on the card even exist," said Albert Leung, business development manager for JavaCard at Sun, in Palo Alto, Calif. Despite these steps, there are still obstacles to the single-card concept. Infineon Technologies AG, the largest maker of semiconductors for smart cards, said cards with its chips can support multiple applications but blames disagreements among potential card partners for the slowdown. "It's the marketing efforts of the [issuers]," said Paul Legacki, group manager of business development, North America, for Infineon, in Munich, Germany.

While few can imagine competing banks sharing a card, for example, some natural collaborations will likely occur. "There will be some logical combinations that will also make political sense," said Leo Legaspi, director of business development for Oberthur Card Systems, a smart-card manufacturer in Paris. One card might hold work-related applications, including those that allow access to buildings; allow electronic access to databases; and store cash for purchasing lunch in the cafeteria. Another card might serve as a credit card and retain loyalty program information.

Users may be reluctant to combine certain applications on a single card for security reasons, despite assurances of firewalls among programs. "Even if it's technically possible, I wouldn't want my medical records on the same card as my Blockbuster [Inc.] points," said Donna Farmer, president and CEO of the Smart Card Alliance, in New York.

Identrus' original vision was to create an Identrus global card that would be used for all applications. But, so far, the company allows only a single application to run on the card for security reasons. "We're paranoid," Identrus' Oshman said.

In addition, Oshman's not convinced there's a business case for some of the applications often talked about. "We're beginning to get the impression that smart cards may be overkill for some things," he said. He does not think the high levels of security provided by a smart card are really necessary for checking a frequent-flyer mileage balance, for example. But there are still plenty of believers in the single-card concept. "Our hope and vision is to have the smart Visa card become that single card," Visa's Thomas said.

For millions of plastic-burdened consumers, it's a vision that can't come soon enough.

Nancy Gohring is a free-lance writer based in Seattle.