Smart Card Standards
This information comes from the website Smart Card Basics. Primarily, smart card standards govern physical properties, communication characteristics, and application identifiers of the embedded chip and data. Almost all standards refer to the ISO 7816-1, 2 & 3 as a base reference.
Application-specific properties are being debated with many large organizations and groups proposing their standards. Open system card interoperability should apply at several levels: 1). To the card itself, 2). The card's access terminals (readers), 3). The networks and 4). The card issuers' own systems. Open system card interoperability will only be achieved by conformance to international standards.
This site's sponsors are committed to compliance with ISO and ITSEC security standards as well as industry initiatives such as EMV, MULTOS, the Open Card Framework and PC/SC specifications.
These organizations are active in smart card standardization: The following standards and the organizations that maintain them are the most prevalent in the smart card industry:
ISO - International Standards Organization This organization facilitates the creation of voluntary standards through a process that is open to all parties. ISO 7816 is the international standard for integrated-circuit cards (commonly known as smart cards) that use electrical contacts on the card, as well as cards that communicate with readers and terminals without contacts, as with radio frequency (RF/Contactless) technology. Anyone interested in obtaining a technical understanding of smart cards needs to become familiar with what ISO 7816 and 1443 does NOT cover as well as what it does. Copies of these standards can be purchased through ANSI American National Standards Institute. ANSI's address and phone is: 11 West 42nd Street, New York, NY 10036 - For more information and copies of standards, see the ISO website or call (212) 642-4900.
ISO 7816 Summary - This is a quick overview of what the 7816 specifications cover. As these can be in revision at any time, check with ISO for the latest updates. Some of these are frozen and some are in revision; please check with ANSI for the most current revision. ISO 7816 has six parts. Some have been completed; others are currently in draft stage.
- ISO 7816-1: Physical Characteristics, 1987; defines the physical dimensions of contact smart cards and their resistance to static electricity, electromagnetic radiation and mechanical stress. It also describes the physical location of an IC card's magnetic stripe and embossing area.
- ISO 7816-2: Dimensions and Location of Contacts, 1988; defines the location, purpose and electrical characteristics of the card's metallic contacts.
- ISO 7816-3: Electronic Signals and Transmission Protocols, 1989; defines the voltage and current requirements for the electrical contacts as defined in part 2 and asynchronous half-duplex character transmission protocol (T=0). Amendment 1: 1992, Protocol type T=1, asynchronous half duplex block transmission protocol. smart cards that use a proprietary transmission protocol carry the designation, T=14. Amendment 2: 1994, Revision of protocol type selection.
- ISO 7816-4: Inter-industry Commands for Interchange; establishes a set of commands for CPU cards across all industries to provide access, security and transmission of card data. Within this basic kernel, for example, are commands to read, write and update records.
- ISO 7816-5: Numbering System and Registration Procedure for Application Identifiers (AID); sets standards for Application Identifiers. An AID has two parts. The first is a Registered Application Provider Identifier (RID) of five bytes that is unique to the vendor. The second part is a variable length field of up to 11 bytes that RIDs can use to identify specific applications.
- ISO 7816-6: Inter-industry data elements; physical transportation of device and transaction data, answer to reset and transmission protocols. The specifications permit two transmission protocols: character protocol (T=0) or block protocol (T=1). A card may support either but not both. (Note: Some card manufacturers adhere to neither of these protocols. The transmission protocols for such cards are described as T=14).
- ISO 7816-7: Inter-industry command for Structured Card Query Language (SCQL); This document specifies the concept of a SCQL database (SCQL = Structured Card Query Language based on SQL, see MS ISO 9075), and the related inter-industry enhanced commands.
- ISO 7816-8: Commands for Security Operation; this document codifies internal card commands for security operations.
- ISO 7816-9: Commands for Card Management; specifies a description and coding of the life cycle of cards and related objects, a description and coding of security attributes of card related objects, functions and syntax of additional inter-industry commands, data elements associated with these commands, and a mechanism for initiating card-originated messages.
- ISO 7816-10: Electrical signals and answer to reset for synchronous cards; this part of ISO 7816 specifies the power, signal structures, and the structure for the answer to reset between an integrated circuit card(s) with synchronous transmission and an interface device such as a terminal.
- ISO 7816-11: Personal verification through biometric methods; currently a draft. See the Bio API for more info.
FIPS (Federal Information Processing Standards) Developed by the Computer Security Division within National Institute of Standards and Technology (NIST). FIPS standards are designed to protect federal assets including computer and telecommunications systems. The following FIPS standards apply to smart card technology and pertain to digital signature standards, advanced encryption standards, and security requirements for cryptographic modules.
- FIPS 140 (1-3): The security requirements contained in FIPS 140 (1-3) pertain to areas related to the secure design and implementation of a cryptographic module, specifically: cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
- FIPS 201: Currently a draft, this specification will cover all aspects of multifunction cards used in identity management systems throughout the U.S. government.
PC/SC - A Microsoft proposed and implemented standard for cards and readers, called the PC/SC specification. This proposal only applies to CPU cards. They have also built into their CryptoAPI a framework that supports many security mechanisms for cards and systems. PC/SC is now a fairly common middleware interface for PC logon applications. The standard is a highly abstracted set of middleware components that allow for the most common reader card interactions.
CEN (Comite' Europe'en de Normalisation) and ETSI (European Telecommunications Standards Institute) is focused on telecommunications, as with the GSM SIM for cellular telephones. GSM 11.11 and ETSI300045. CEN can be contacted at Rue de Stassart, 36 B-1050 Brussels, Belgium, attention to the Central Secretariat.
HIPAA - The Health Insurance Portability and Accountability Act adopts national standards for implementing a secure electronic health transaction system in the U.S. Example transactions affected by this include claims, enrollment, eligibility, payment and coordination of benefits. Smart cards are governed by the requirements of HIPAA pertaining to data security and patient privacy.
IC Communications Standards - these existed for non-volatile memories before the chips were adopted for smart card use. This specifically applies to the I2C and SPI EEPROM interfaces.