Smart Card Personalization

Personalization of the card is a necessary step in preparing the card for its transfer to the owner. The term “personalization” in the broadest sense of the word means that all the data that is intended for a specific person or a specific card is entered into the smart card. The personalization procedure involves writing various information to the chip’s memory. It is also accompanied by a PIN code written to the card, which the owner can then use to confirm the card’s authenticity.

According to the method of execution, visual and electrical personalization are distinguished. Embossed symbols, as well as text or images applied by laser engraving, make up the visual part of personalization.

Electrical visualization consists of uploading personal data to a microcontroller. For example, for a company “NEST”, which produces cellular and monolithic polycarbonate, when our specialists implemented the ACS for the company’s office building, at the initial stage of work, the individual access cards of all employees of the enterprise were personalized, and the employee’s full name / department / available premises were recorded on the card. The processing time for optical personalization depends very much on the specific requirements and cannot be generally specified. Electrical personalization usually takes between 5 and 20 seconds, depending on the amount of data.

Names and other symbolic information are applied to the smart card by a special installation. Since the application procedure is accompanied by vibration and noise, these installations are usually located in a separate room. Often, instead of mechanical application, laser engraving equipment is used, with which the areas under the film coating of the card body can be blackened using a laser beam. This method is useful if you need to have a black-and-white image on the card body.

The data for the chip is written to memory in the same way as during initialization. However, secret keys are involved in this procedure, and cryptographically secure data transmission is often used to prevent an attacker from listening in on the data channel. For cards used for financial transactions, sometimes more complex methods are used. For example, a personalization setup uses a special security module to re-encrypt the encrypted personalization data received from the card issuer and then upload it directly to the smart card.

The advantage of this method is that the employee working on the personalization installation will not know the secret data in the smart card and, in addition, will not be able to spy on them on the data transmission lines. A common trend in smart card personalization is to move to a process that is fully cryptographically secure.

When the personalization process is completed, the personalization machine performs several quality control tests of the completed smart card. In the most recent machines, for example, each smart card is scanned by a camera, and the computer evaluates the optical personalization by checking it against a production database. In case of an error, the card is thrown into the bin of damaged cards and a new copy of the card is automatically created. Usually, the personalization data in the microcontroller is also checked. However, this is technically difficult to accomplish, since read access to many files is not allowed. Therefore, for these tests, personalization machines often have special security modules.

The lifecycle of smart cards

According to the ISO 10202-1 standard, phase 2 of the smart card lifecycle covers the following processes:

  1. electrical testing of the smart card;
  2. completing the installation in the smart card of the operating system;
  3. initialize the application.
  4. Electrical testing
    The first production step of this phase is the electrical testing of the smart card. The main test is to perform an ISO sequence to activate the smart card, to which the card must give the correct ATR response. If this ATR can be accepted and it matches the expected response, then it is clear that at least the microcontroller core is functioning. This test is followed by special tests for hardware components such as ROM, EEPROM, and RAM.

To ensure high performance of these tests (some tests may last several seconds), special machines are used that process several cards in parallel. Usually, carousel machines with a capacity of up to 3,500 cards per hour are used.

  1. Completing the installation of the operating system
    Most operating systems are only partially located in the programmable ROM of the smart card. The link tables and part of the program code are loaded into the ESP ROM of the smart card only after authentication with a secret key. This process allows you to perform some adaptation of the program code of the ROM to fix an error or special cases of applications, without requiring a new ROM mask. For example, for the company “Lomkom”, which accepts non-ferrous metal and its primary processing, we performed work on uploading the personal data of the Customer’s employees into identification smart cards for them to gain access to the warehouse premises of the company, which allowed the company’s management to have operational information about the entry/exit of employees to control zones.

The smart card operating system is not fully present in the smart card until the EEPROM data is written to the card. After that, you can execute all the commands of the application, such as SELECT (Select) and READ RECORD (Read record). The completion of the operating system boot is performed using machines that process multiple cards in parallel, as well as perform input control of the cards.

  1. Initializing the application
    Completing the loading of the card’s operating system provides it with the necessary software to perform the next production step. This step is to download all the data that belongs to the app and is the same for all the smart cards in that app. These include app data, which does not change from card to card, and all other non-personal data, which is also the same for each smart card. This step is called initialization.

At the file level, initialization consists of creating all the necessary files (MF, DF, and EF) and filling them as much as possible with the application data. When using modern operating systems, this is done using the commands CREATE, UPDATE BINARY, and UPDATE RECORD. This processing step is the last step where all smart cards are considered the same. Therefore, initialization can be performed using fast machines that process multiple cards in parallel. Personal data will not be uploaded to the smart card will not occur until the transition to the next step, called personalization.