As the card industry moves from magnetic strip cards to smart cards, the ability to process the information provided on the card increases substantially.
When a transaction is requested using a conventional magnetic strip card, a host system must be contacted to authorize the transaction (e.g., a credit/debit transaction), because such a card has no information processing capability of its own. In contrast, a smart card may use a mechanism provided on the card to authorize the transaction. This mechanism does not have to reside only on the host system; at least a portion of it may be provided on the smart card. In this manner, the processing capability for authorizing the transaction can be moved from the host system to either the smart card or a balanced combination of the host system and the smart card.
As a result of the smart cards' superior security, reliability and capacity, the market for smart cards is rapidly expanding. Indeed, the ability of smart cards to maintain intelligent (e.g., executable) applications, such as “access”, “credit/debit” and “electronic cash”, drives this expansion. Existing smart cards use card authentication/verification methodologies (e.g., cryptographic techniques) to perform transactions. In particular, a conventional smart card can be authenticated either statically or dynamically.
With static authentication, when the card is inserted into a transaction terminal, the smart card transmits a “digital signature” to the terminal. The digital signature contains information which uniquely identifies each smart card, e.g., the card serial number, manufacture ID, manufacture date, etc. The transaction terminal then decrypts the signature to determine whether the smart card data is genuine. If so, the transaction process continues; otherwise, it is terminated.
With dynamic authentication, the transaction terminal generates random data (e.g., a seed) and requests the smart card to encrypt it. When the transaction terminal receives the encrypted random data from the smart card, the terminal decrypts it. If the decrypted data is the same as the seed, the smart card is determined to be genuine. Dynamic authentication is only possible with smart cards, because they are able to perform the cryptography on the card.
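The dynamic exchange described above, as an added example that is not part of the original text: it assumes a symmetric key shared by card and terminal and substitutes HMAC-SHA256 for the encrypt/decrypt step, so the terminal recomputes the value instead of decrypting it. `Card`, `Terminal`, `SEED_LEN` and the sample keys are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets

SEED_LEN = 16  # bytes of random data per challenge (assumed size)


class Card:
    """Hypothetical card; the key stays on the chip."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, seed: bytes) -> bytes:
        # Stand-in for "encrypt the random data": keyed MAC over the seed.
        return hmac.new(self._key, seed, hashlib.sha256).digest()


class Terminal:
    """Hypothetical terminal sharing the card's key (assumption)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def new_seed(self) -> bytes:
        self._pending = secrets.token_bytes(SEED_LEN)  # fresh per transaction
        return self._pending

    def verify(self, response: bytes) -> bool:
        # A seed is consumed on first use; with no pending seed, fail closed.
        seed, self._pending = self._pending, None
        if seed is None:
            return False
        expected = hmac.new(self._key, seed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    card, terminal = Card(key), Terminal(key)
    first = card.respond(terminal.new_seed())
    genuine = terminal.verify(first)
    terminal.new_seed()  # next transaction gets a different seed
    stale = terminal.verify(first)  # response computed for the earlier seed
    other = Card(secrets.token_bytes(32))  # card without the right key
    wrong_key = terminal.verify(other.respond(terminal.new_seed()))
    return {"genuine": genuine, "stale": stale, "wrong_key": wrong_key}
```

Because the seed changes on every transaction, a response is only valid for the seed it was computed over, which is the property the fixed signature of static authentication lacks.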
When a smart card is used for “electronic cash”, it may be important to use a “risk managed” smart card application on the card. One of the key economic risk exposures of the smart card is that the electronic cash can be counterfeited. Thus, it is important to minimize the impact of such counterfeit electronic cash, and to ensure the stability and utilization of the smart card.
It is preferable to exploit the on-chip data processing power of the smart card to the maximum extent by placing electronic cash risk management functionality on the smart card itself. With the risk management functionality installed on the chip of the smart card, some of the critical risk management tasks are performed autonomously on the transacting smart cards at the time of the transaction.
One of the more important indications for many transactions is an indication of “time”. This indication can be used to enforce that a sequence of events occurs in an orderly manner. Currently, smart cards access the host system to determine this time indication. However, there is no effective way for a smart card to keep track of time when the card is not using the host system. To enable a smart card to make certain determinations (e.g., the expiration of a particular smart card), it may be preferable for the chip on the smart card to use a scheme in which an approximate time indication can be obtained without connecting the smart card to the host system. Without such a scheme, if and when the smart card is subjected to an attack (e.g., an unauthorized request for financial information is made), the smart card may be vulnerable to receiving data which has been maliciously modified. With this modified data, the smart card may be used in a fraudulent manner.