The use of passive cards, comprising a magnetic strip and/or chip for storing information, for applications such as payment devices (i.e. chip and PIN) and travel passes, is well known. Advantages of using such cards include the cards being cheap and easy to manufacture. In addition, their small size and low weight make them highly portable.
Developments in mobile telephone technology have allowed these also to be used as payment devices, passes and other applications. The communication and processing capability of mobile telephones provides many advantages over passive cards, in particular an increased service availability for the cardholder.
However, a problem with using mobile telephones for applications such as payment devices is that it is difficult to provide a secure device. Mobile telephones are required to support a diverse range of applications and it cannot be ensured that these are all from trusted sources. It is therefore necessary for complicated techniques to be applied in order to protect the information on the mobile telephone from any malware that may also be present. In addition, the relatively large cost of a mobile telephone means that if it is lost, as sometimes happens with items in common usage, then it is expensive to replace.
An improvement over the above-described passive cards is a display card with keyboard (DCK). FIGS. 1 and 2 show known architectures of DCKs, and FIG. 3 shows the architecture of a known DCK at the level of its user interfaces.
As shown in FIG. 3, a known DCK may comprise contact and contactless interfaces, a specialised keyboard, simplified display and signalling LEDs. The user interface provided by the keyboard and simplified display allows improved security and functionality. For example, the card may generate a one-time password, OTP, that may be autonomously displayed by the DCK and used to log onto an internet banking account.
Advantages of a DCK over a mobile telephone include the DCK being inherently more secure since it is a lot harder for a malicious party to gain access to any information stored by the DCK. DCKs are also not required to run the diverse range of applications that mobile telephones are, and so they do not experience malware problems due to software from untrusted sources. Moreover, DCKs are easily used for both contact and contactless information transfer with a terminal whereas mobile telephones are only usable for contactless information transfer. In addition, the relatively low cost of DCKs means that they are cheap and easy to replace if lost.
The architectures of known DCKs are described below with reference to FIGS. 1 and 2.
FIG. 1 shows a first known architecture of a DCK that is used as a payment device. There are two separate processors, shown as Chip and Display Control. The card also has interfaces for contact and contactless communication as well as a specialised keyboard and a simplified display.
The Chip accommodates a typical payment application (P), and possibly other applications as may be required for ticketing, loyalty, etc. The only way of accessing applications in the Chip is through the external services interface, either through contact or contactless communication with the DCK.
The Display Control (D) is connected to the specialised keyboard and to the simplified display. There is no communication path on the DCK between the Chip and the Display Control and accordingly these modules are not able to communicate with each other. In addition, the Display Control has no connection to the contact and contactless interfaces, which can only be used to access the Chip.
In the architecture shown in FIG. 1, the Display Control implements a Cardholder Authentication Program (CAP) Token Generation Service (CTGS), with a separate cryptographic key for Application Cryptogram (AC) computation and OTP generation. This requires the Display Control to be implemented as a tamper resistant/tamper detective-responsive component and therefore increases costs.
Another problem with the architecture of the DCK shown in FIG. 1 is that the Display Control can only provide services that do not require access to the applications in the Chip. It therefore cannot provide services such as the reading of an accumulator/counter of the balance of a payment application, or the reading of a trace record in a log file.
FIG. 2 shows another architecture of a known DCK. The architecture in FIG. 1 has been modified to comprise a Sniffer in communication with the Display Control so that further services can be provided. The Sniffer is able to read the communication between the Chip and the contact and contactless interfaces. From this information, the Display Control is able to deduce, for example, an external account balance.
However, a problem with the architecture of FIG. 2 is that the additional services provided are limited to what can be achieved by reading the communication between the contact and contactless interfaces and the Chip. In practice, all that can be determined from this communication are updates of accumulators/counters, their limits and balances. It is not possible for the Display Control to directly access any of the information in the Chip.
Moreover, the architectures of the DCKs in FIGS. 1 and 2 are not scalable. Their electronic circuitry is designed for specific functions; to provide a new function, such as to temporarily disable information transfer over the contactless interface, would require a change in the electrical and physical configuration of the DCKs.
The DCKs in FIGS. 1 and 2 both comprise batteries. The battery in each DCK is used to power only the Display Card and not the Chip. The Chip is powered by the point of interaction, POI, terminal, either through the Chip's contacts or by electromagnetic induction through an antenna. A further problem with known DCKs is that their operation is restricted by the technique of powering the Chip.