This invention relates to an IC card system such as a bank card system, more particularly to an IC card system that is secure, yet can be developed without spoiling a large number of cards.
Wallet-size cards, similar in appearance to ordinary credit cards but having embedded integrated circuits (ICs), are issued by institutions such as banks as a convenient means of managing financial and other data. Popularly known as "smart cards," these cards will be referred to herein as IC cards. An IC card system comprises not only the IC cards themselves but also various software. The software includes, for example, an issuing program used in issuing the cards to end users, and application programs used to process the cards when they are inserted in card-handling devices such as automatic teller machines.
A feature of IC card systems is that they can be made extremely secure by protecting the cards with passwords, and by protecting certain data in the cards from alteration even by a person who knows the password. Typically, the cards are manufactured by one entity (the card manufacturer), then issued by another entity (the card issuer) to end users. In one conventional system, the card manufacturer programs the cards with a manufacturer's password known only to the card manufacturer and card issuer. Upon receiving a card from the card manufacturer, the card issuer changes the password to an issuer's password known only to the card issuer, stores certain issuer data and application data in the card, and sets protection bits that permanently prevent some of these data from being altered. When the card issuer issues the card to an end user, he stores further information in the card, such as the user's name, address, and personal identity number. Some of this information may also be permanently protected from alteration.
An end user cannot tamper with the data in his card because he does not know the issuer's password. If the card is stolen by a third party, that party cannot tamper with the card for the same reason. If the third party steals a card from the card manufacturer, he still cannot tamper with it because he does not know the manufacturer's password. The card manufacturer himself is unable to tamper with a card once the card issuer has changed the password. Furthermore, even if someone who knew the issuer's password were to use it to gain unauthorized access to an already-issued card, he would be unable to reissue the card to himself because of the permanent protection of data in the card. In this way an IC card can be made secure against virtually any kind of attack, whether it be by an end user, a third party, the card manufacturer, or an employee of the card-issuing institution.
A disadvantage of these security arrangements, however, is that the card issuer is forced to expend a large number of cards in the process of developing and debugging his software. This is particularly true when the software is developed through a trial-and-error process, which is often the case. Consider, for example, a card issuer who is developing an issuing program. He completes a first version of the program and tests it by issuing a first card to an imaginary end user. The card is then evaluated by checking that it contains correct data and works correctly with application software. If any deficiencies are found, the issuing program is modified, and the modified program is tested by issuing a second card. Even if no problems are found, additional cards are issued to test the program under different sets of issuing conditions.
This process is repeated until the issuing program has been completely developed, tested, and debugged. A new card is required for each test, because the permanent data protection applied when each card is issued prevents the card from being reused for another test. Each test accordingly spoils one card. As the program development process typically involves many tests, many cards must be sacrificed in this way.
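The access model described above (manufacturer's password replaced by the issuer's password, data written under the password, protection bits that lock fields for good) and the resulting one-card-per-test cost can be made concrete in a small model. This is an added illustration, not code from the patent; the card, its fields, the password strings and the issuing step are all assumed for the example.

```python
"""Model of the IC card access rules: a password gates every write, a
protection bit is irreversible, and a protected field cannot be altered
even by the holder of the correct password (constructed example)."""
from dataclasses import dataclass, field
import hmac


class CardError(Exception):
    """Raised when the card refuses an operation."""


@dataclass
class ICCard:
    password: str                      # manufacturer's password at delivery
    data: dict = field(default_factory=dict)
    protected: set = field(default_factory=set)

    def _check(self, password: str) -> None:
        # Constant-time comparison so the check leaks nothing by timing.
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            raise CardError("wrong password")

    def change_password(self, old: str, new: str) -> None:
        # Card issuer replaces the manufacturer's password; after this the
        # manufacturer can no longer touch the card.
        self._check(old)
        self.password = new

    def write(self, password: str, name: str, value: str) -> None:
        self._check(password)
        if name in self.protected:
            raise CardError(f"{name} is permanently protected")
        self.data[name] = value

    def protect(self, password: str, name: str) -> None:
        # Sets the protection bit; there is deliberately no method to clear it.
        self._check(password)
        if name not in self.data:
            raise CardError(f"no such field: {name}")
        self.protected.add(name)


def issue_test_card(card: ICCard, issuer_password: str, user_name: str) -> None:
    """One run of a hypothetical issuing program: store and lock the user name."""
    card.write(issuer_password, "user_name", user_name)
    card.protect(issuer_password, "user_name")


def can_reissue(card: ICCard, password: str, new_user: str) -> bool:
    """True only if the card can still be issued to someone else."""
    try:
        card.write(password, "user_name", new_user)
        return True
    except CardError:
        return False
```

Running the issuing step once leaves `can_reissue` false under both passwords, which is exactly why each test in the development cycle consumes a fresh card.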