Classification of chip cards, description of the principles and technology of operation

Chip cards (or, as they are also called, cards with a chip) turned out to be more attractive for implementing offline authorization ideas. A chip card contains a chip whose properties determine the functionality of the card as a technological product (the functionality of the card as a product, for example, a Bank card, determines the corresponding rules). Chip cards are classified according to the following criteria:
chip type;
method of reading information;
conformity to standards;
application.
depending on the built-in chip, chip cards are divided into several types, which differ in their functions:
cards with integrated memory circuit (memory cards); microprocessor cards; cards with cryptographic logic.
Memory cards are designed to store information and are a chip that only allows you to read and write data. Depending on the conditions for accessing memory areas, memory cards are divided into open and protected memory cards. Open memory cards are practically unsuitable for use as payment cards. They are most often used in special areas (for example, transport) – for data transfer.

Protected memory cards divide memory into areas with different overwriting properties and access conditions. Cards of this type were used in the mid-90s for payment applications, but at the end of the decade they fell into the background, giving way to microprocessor cards.
Microprocessor cards, unlike memory cards, contain a microcontroller with a special program or operating system in addition to the function of storing information. The operating system provides a set of service operations, supports the file system, converts data according to the specified algorithm, and protects information. The microprocessors on these cards are characterized by the following parameters: clock speed, RAM capacity, ROM capacity, and rewritable non-volatile memory capacity.
Access to information stored on the card is delimited by the operating system in various modes:
access mode that allows reading / writing information without secret codes;
read access mode, write access is possible after providing the secret code;
read and write access mode after providing a special code;
mode that prohibits reading and writing information. Information can only be available for internal card commands.
Microprocessor cards support much more intelligent interaction with the payment terminal by expanding the system of commands processed by the chip built into the card. Advanced operating systems for cards support file systems, cryptographic commands, and key commands. Specialized operating systems for payment cards also support advanced concepts such as wallets, with support for appropriate access properties and operations that correspond to the meaning of wallets.
According to the type of interaction with the terminal, chip cards are divided into contact, contactless, or dual-interface cards.

Data exchange with the contact card occurs when the terminal contacts and the metal contact pad of the card come into contact. Contactless cards contain a built-in inductance winding (antenna). When the card is brought to the terminal, the antenna provides power to the chip in its electromagnetic field due to inductive communication. Data is read and written when the card is placed at a certain distance from the terminal, and the location of the card relative to the terminal does not matter. Depending on the reading distance, contactless cards differ in the following types: cards with a close connection (0-1 cm), cards with a proximity connection (0-10 cm), and cards with a victim connection (0-1 m).

Dual cards have both a contact pad and a built-in inductor. These cards work with different types of readers.

A typical microprocessor card
The microprocessor card is made of plastic and contains a chip with a microprocessor and various storage devices: ROM – for storing the operating system, RAM-for executing commands, EEPROM-electrically erasable programmable permanent memory, non-volatile memory for storing application information. The EEPROM is divided into two areas: secret and user. The secret area is not available for application programs and is intended only for storing keys. The user area is organized similarly to memory on floppy disks. When initializing the card chip, a file definition table is generated and placed at the beginning of the user area. Files are located in memory from end to beginning. Each file is divided into a certain number of fixed-length records. In most operating systems, each file has the following attributes: start address, read/write protection labels, read/write protection extension, write length, number of records, file type and name, current record, and file end pointer. Files can be accessed sequentially or directly.

The operating system of the microprocessor provides the following commands: presenting the key, reading an array of file attributes from the definition table, reading information, writing information, searching for a file, clearing the card, writing the file definition to the table, and setting keys.
Keys are stored in a secret area, and there are three types of keys: Bank key, cardholder key, and application keys. Files can be read/write protected with these keys.

Cards with cryptographic logic are used in information security systems to participate directly in the process of data encryption or to generate cryptographic keys, electronic digital signatures, and other necessary information for the system to work.
The scope of application of chip cards is much wider compared to the financial sphere, they are used in access control systems, and in health care (health cards), and insurance. There are also phone cards that are also used for payment, but due to their specificity, of course, they should not be put on a par with payment cards.
Speaking of payment chip cards, it should be noted that they appeared in the 80’s in France and were widely used in their homeland. Most cards issued by French banks since the beginning of the 90s in addition to a magnetic strip carrying chip. It stored data similar to that contained on a magnetic stripe. Their principal advantage was pin storage. It is considered impossible to count the PIN from the chip. At the same time, the chip card independently checks whether the pin representation is correct. Thus, the use of chip cards has significantly improved the security of operations.

EMV specifications
International payment systems, realizing that the future belongs to chip cards, began considering the possibility of transferring their main card products to a new technology based on chip cards in the early 90’s. It is very important that the leading payment associations have joined their efforts in this direction. In 1994 . Visa Int., MasterCard Int. and Europay Int.formed a working group that eventually included more than 20 well – known card, hardware and solution providers to develop EMV*(43) specifications for a chip card. After two years of work by all interested parties and the release of two interim versions, a version of the specifications was released in 1996, called EMV96, which became the first banking sector standard for a chip card. (Strictly speaking, the EMV specifications are not a standard, of course, but they are based on the above-mentioned group of ISO 7816 standards.) These specifications are not a frozen document, and new versions of them will appear in the future. EMV includes the following specifications:
to a chip card (Integrated Circuit Card Specifications for Payment Systems);
on the chip card application (Integrated Circuit Card Application Specifications for Payment Systems);
to a terminal that works with a chip card (Integrated Circuit Card Terminal Specifications for Payment Systems).
Specifications for a chip card consist of four parts. The first part, based on ISO 7816-1, 2, 3, describes the Electromechanical characteristics, logical interface, and exchange protocols.
When talking about specifications at the functional level, you should first define their “scope”. Figuratively, it can be described as the interaction of the “card-terminal” with the indirect influence of the Issuer, the acquirer and the trust center.
The card supports a hierarchical file system. Data files are linear, and records contain objects that can be simple or composite. The object has a TLV structure (tag-length-value, i.e. tag – label, length, value). Using tags allows you not to worry about the specific location of this value in the file and record, it is only important that the object is located in the file belonging to the prescribed group. After analyzing the tags, you can uniquely interpret the data stored by the card.

Historically, the first (and still widely used) method of authorization is the so-called voice authorization. When the transaction is completed, the store’s cashier calls the Bank or the Bank’s processing center and informs them of the card number and expiration date that identify it, the amount of the transaction, and the pick-up point number (assigned by the acquiring Bank before servicing the pick-up point). The operator of the authorization center (a division of the Bank or processing center) enters a request into the system and, after receiving a response from it, informs the cashier.

The described authorization method is the simplest. Its advantage is economy. Disadvantages include low efficiency and less security compared to electronic authorization, which will be discussed below. The efficiency is low (and the operation execution time is correspondingly long) due to the need to call the authorization center and get a response by phone. Please note that the data about the payment transaction is “entered” twice: the cashier on the phone informs the number and expiration date of the card and the amount of the operation (which, we note, he previously received at the cash register), the operator of the authorization center enters the same data from the computer keyboard into the system. Duplication of input (which increases the probability of accidental errors), natural time delays for connecting, transmitting data and receiving a response, and cause a relatively low efficiency of the operation, which in some cases makes it simply unacceptable to accept cards for payment.

Especially annoying is the low efficiency of voice authorization when performing operations with relatively small amounts (it is unlikely from the point of view of the store that a queue is created due to a long authorization of an operation for a small amount, and customers who want to make purchases for much higher amounts refuse to stand in line and leave without making purchases).

The mechanism aimed at overcoming this contradiction is offline authorization of “pre-limit” operations, in which communication with the authorization center for obtaining permission for operations with an amount below the authorization limit (floor limit) defined for this point of sale is not carried out. The decision to perform this operation is made by the cashier independently (based on the agreement between the merchant and the acquiring Bank, which determines the rules for offline authorization). The following conditions are checked: the transaction amount does not exceed the established limit, the card has not expired, and the card number is not in the stop list. A stop list is a list of card numbers that are not allowed to be accepted from the acquiring Bank to the merchant. This list usually includes lost or stolen cards. In some cases, the acquirer uses the extended concept of a stop list.

Setting limits for allowing offline authorization made it possible to optimize the process of performing operations in terms of increasing its efficiency, provided that a certain level of security is maintained for performing operations.
More advanced is the method of authorization using electronic devices (electronic authorization). Almost all payment systems that use magnetic cards require online authorization for cash withdrawal operations.
Electronic authorization is also more secure – the authorization request includes at least data from the second track of the magnetic stripe. Authorization using data read from the magnetic stripe allows the cashier to disclose inconsistencies between the embossed and encoded data (fraud involving “pasting” the embossed characters or recoding the magnetic stripe).

Electronic cash registers with built-in card readers or POS-terminals are used for electronic authorization of purchase operations. The most advanced technology is that the cashier does not duplicate the input of payment transaction data: the authorization request is formed using data read from the magnetic stripe and the amount taken from the electronic image of the cash register receipt.

The technology for performing operations with electronic authorization can be combined with the mechanism for performing pre-limit operations. In this case, the POS terminal reads the magnetic stripe of the card for operations with an amount not exceeding the established limit and checks the following conditions: whether the card number*(40) is correct, whether the card has expired, whether the card is not in the stop list, whether online authorization is required in accordance with the service code. If all these conditions are met (and sometimes even the condition that the amount of all operations performed with this card for the current day does not exceed the established limit), the operation is authorized online by the POS-terminal itself.

A combined technology that combines electronic online authorization and offline authorization of pre-limit transactions achieves, in a certain sense, an optimal balance between the requirements of efficiency and security of transactions.