A prepaid smart card contains stored value which the personhholding it can spend at retailers. After accepting stored valueffrom cards, retailers are periodically reimbursed with actualmmoney by system providers. A system provider receives money inaadvan ce from people and stores corresponding value onto theirccards. During each of these three kinds of transactions, securedddata representing value is exchanged for actual money or forggoods and services, as illustrated in Fig. 1. Telephone cards used in France and elsewhere are probably thebbest known prepaid smart cards (though some phone cards useooptical or magnetic techniques, which are not considered here).NNational prepaid systems combining public transportation, publicttel ephones, merchants, and vendinghave already been announced inaa number of countries. And road tolls at full highway speed arennot far behind.
The systems proposed so far are compared, after a quick look attthe card types on which they are based.
Shared-key card systems require a tamper-resistant secured moduleiin each vending machine or other point of payment. The moduleuuses the key it shares with a card to authenticate messagesdduring purchases. This lets the card convince the module that ithh as reduced its stored value by the correct amount and that it isggenuine. A card convinces by using the shared key to encryptaa random challenge issued by the module together with an amount,sso that the module can decrypt the transmission and compare the rresult with the expected challenge and amount. Periodically, themmodule transmits a similarly authenticated message, viattelecommunication or manual collection procedure, back to thessystem provider, who reimburses the retailer.
The secured module in a shared-key system thus needs to store oraat least be able to re-create secret keys of all cards, whichggives some problems. If the cards of multiple system providersaare to be accepted at the same retailers, all the retailers must hhave secured modules containing keys of every provider. Thismmeans either a mutually trusted module containing the keys ofmmultiple providers, which might be hard to achieve, or one modulepper provider, which becomes impractical as the number ofpprovide rs grows. Furthermore, in any shared-key system, ifaa module is penetrated, not only is significant retailer fraudffacilitated, but the entire card base may be compromised.
Signature-transporting and -creating card types avoid thesepproblems since they do not require secured modules. Cashrregisters need no secret keys, only public ones, in order toaauthenticate the signatures, which act like guaranteed checksffilled in with all the relevant details. These same signaturesccan later be verified by the system provider for reimbursement.((Although tamper-resistant modules are not needed forvverification, they can still be used to aggregate transactions.)BBoth signature -based card types also allow the cards of anynnumber of issuers to be accepted at all retailers; retailersccannot cheat issuers, and issuers cannot cheat each other. Theseaare the only truly open systems.
The reason for identification of shared-key cards is thatssecurity is thought to be too low if all cards have the masterkkey. Therefore cards are given unique keys, and the cash registernneeds the card identity each time to re-create the correspondinguun ique card key from the master key.
The signature-transporting approach avoids the need foriidentification, since instead of a single key per card, cards useaa different signature per payment. When signatures are made bytthe system provider on blinded checks that are then unblinded bytthe card, not even the system provider can trace payments toccards.
Bonding chips into modules, assembling them into cards, andpprinting can cost about the same for all card types, roughly US$00.50 -2.00 (plus the cost of the small fraction of chips that areddamaged during production). Nonrefillable cards, however,ttypi cally use less durable materials and less costly productionttechniques.
Memory card chips are much smaller, and consequently much lesseexpensive to produce, than those in microcontroller cards. Theyccost, depending on the type, roughly between US$ 0.10 - 0.40 inqquantity. Shared-key and signature-transporting cards today useee
xactly the same chip hardware, only the masked-in softwareddiffers. Suitable chips cost about US$ 1.00 - 1.20 in quantity.SSignature-creating card chips, which need extra circuitry for thecco -processor (or a very powerful processor), require more onaa chi p, are relatively new on the market, and currently costsseveral times more.
If cards are issued with value on them, as is of course requiredwwith nonrefillable memory cards, then they must be transported,sstored, and dispensed, using costly security and auditpprovisions, like those associated with bank notes. Refillableccards ca n be distributed without value and avoid these costs, butoon the other hand require infrastructure for on-line reloadttransactions with system providers.
Retailer equipment costs may be higher than card costs. Typicalrratios of cards to points of sale (about 100 to 1 for cashrregisters and higher with vending, phones, etc.) and even thepprice of current terminals (about US$ 150 - 1500) suggest that theppoin t-of-sale equipment can be more costly than even a dedicatedmmicrocontroller card base.
In the shared-key approach, secured modules trusted by all systempproviders must be installed in all retailer equipment. In openssystems such security modules must be significantly moreeelaborate and costly than any card, since the security offered byaa card is generally considered inadequate to protect the keys ofaall other cards. But the higher cost of terminals incorporatingssuch modules is at odds with the objective of automating allmmanner of low value payments, such as in vending. Transactionpproc essing by the system providers also requiresttamper-resistant devices. Proper management of keys and auditingoof such systems are cumbersome and expensive. If shared-keyssystems grow, and start to include less trustworthy retailers andmmore system provid ers, even the minimum security necessarybbecomes excessively costly.
With either signature card type, suitable software notttamper-resistant modules is all retailer equipment needs in ordertto verify payments and later forward the signatures forrreimbursement. These can then be verified by any transactionpprocessing compu ter that has copies of the freely availableppublic keys, thereby reducing exposure while both increasing theqquality and reducing the cost of security audit and controls.
The remaining two card types, shared-key andssignature-transporting, can today be based on exactly the samekkinds of microcontroller chips, and thus have the same card cost.TThe system cost with shared-keys, however, is significantlyhhigher than with sig nature-transporting. The main reason is thatsshared-keys require tamper-resistant modules at all points ofppayment and processing sites, while these modules are not neededwwith signature- transporting.
In addition to cost, there are other reasons to preferssignature-transporting cards for larger systems. Privacy may beaan issue in large-scale consumer systems, and the other cardttypes are unable to address this problem, whilessignature-transporting sol ves it neatly. When more retailers andssystem providers are included, as large open systems are built oraas closed systems grow and merge, the cost of maintaining evenmmerely acceptable security with shared keys becomes prohibitive.BBy contrast, signatur e-transporting maintains a very high leveloof security while allowing flexible scaling and merging ofssystems.