Technical Standard for Thailand's Electronic Identity Card (doc)


THAILAND Smart Card Standard Application Requirements
Version 1.0
Thailand Smart Card Working Group
01 April 1999
Released Number: 1.1

Thailand Smart Card Standard Application Version 1.0

INDEX

Introduction
  1.1 Smart card Scheme Overview
    1.1.1 Scope
    1.1.2 Scheme Structure
  1.2 Smart card Requirements
    1.2.1 Compliance Requirements
    1.2.2 Data Elements and Files
    1.2.3 Standard Commands
  1.3 Terminal Requirements
    1.3.1 Terminal Types
    1.3.2 Terminal Capabilities
  1.4 Application Requirements
    1.4.1 Application Scope
    1.4.2 Application Selection
    1.4.3 Transaction Processing
    1.4.4 Data Integrity
    1.4.5 Year 2000 Support
  1.5 Network Requirements
  1.6 Settlement and Clearing Requirements
Security Requirements
  2.1 Smart cards Delivery
  2.2 Symmetric Key Management
    2.2.1 Symmetric Key Generation
    2.2.2 Key Distribution
    2.2.3 Key Loading Process
  2.3 Asymmetric Key Management
    2.3.1 Public Key Pairs Generation
    2.3.2 Certification Authority
  2.4 Card Personalization
    2.4.1 Chip Personalization
    2.4.2 Magnetic Stripe Encoding and Embossing
  2.5 Post Personalization
    2.5.1 Files Access Conditions
    2.5.2 Files And Application Locking
    2.5.3 Secret Code Protection
  2.6 Cryptographic Security Requirements
    2.6.1 Temporary Session Key Generation
    2.6.2 Card Authentication
    2.6.3 Cardholder Authentication
    2.6.3 Secure Messaging
ID Card Application
  3.1 Functional Requirements
  3.2 Application Owner
  3.3 Data Requirements
  3.4 Card Surface Requirements
  3.5 Security Requirements
  3.6 Application Transactions
Credit/Debit Card Application
  4.1 Functional Requirements
  4.2 Application Owner
  4.3 Data Requirements
  4.4 Card Surface Requirements
  4.5 Security Requirements
  4.6 Application Transactions
Electronic Purse Application
  5.1 Functional Requirements
  5.2 Application Owner
  5.3 Data Requirements
  5.3 Card Surface Requirements
  5.4 Security Requirements
  5.5 Application Transaction
Loyalty Application
  6.1 Functional Requirements
  6.2 Application Owner
  6.3 Data Requirements
  6.4 Card Surface Requirements
  6.5 Security Requirements
  6.6 Application Transaction
Pilot Project
  7.1 Producing specifications
  7.2 Developing prototypes and conducting test
  7.3 Building system facilities and network
  7.4 Conducting pilot run
  7.5 Rolling out as commercial
  7.6 Refining and evaluating achievement
  7.7 Ongoing operations for open-end
Appendix A - Terminal Types
Appendix B - BER-TLV Data Object
  B.1 Coding of BER-TLV Data Objects
    B.1.1 Coding of the Tag Field of BER-TLV Data Objects
    B.1.2 Coding of the Length Field of BER-TLV Data Objects
    B.1.3 Coding of the Value Field of Data Objects
Appendix C – Transaction Message Format
  C.1 Credit Card Transaction Message Formats
  C.2 Debit Card Transaction Message Formats
  C.3 Electronic Purse Transaction Message Format
  C.4 Loyalty Program Transaction Message Formats
Appendix D - Normative References

Introduction

1.1 Smart card Scheme Overview

1.1.1 Scope

Over the past decade, smart cards have become a widespread and popular solution in many parts of the world. A group of international card associations has developed open standard smart card specifications for payment applications, with more applications to follow in the future. The Thailand smart card working group was formed on the initiative of the National Electronics and Computer Technology Center (NECTEC) to develop the smart card standard application requirements for Thailand.

The primary purpose of the Thailand smart card standard requirements is to ensure interoperability between products from different manufacturers and application vendors. The standard requirements shall pave the way for all smart card players to build up the same application scheme and the same network, allowing all parties to share the benefits of their terminals and networks. However, the requirements do not mandate interoperability between other, different commercial applications.

This requirement specification has the following objectives:
• Ensure a common framework for all smart card application providers
• Provide sufficient flexibility to accommodate interoperability of products from different manufacturers
• Address industry-specific business practices
• Offer opportunities to expand smart card markets and to leverage existing terminals, network and IT infrastructure

The scope of functions is open for one or more card applications to co-exist on the same multi-purpose smart card. The following applications are referenced in this specification:
1) ID Card Application
2) Credit/Debit Card Application
3) Electronic Purse Application
4) Loyalty Card Application

Key words used in these standards tell you what is mandatory and what is optional: WILL, SHALL and SHOULD are mandatory, while MAY is an optional term.

The Thailand smart card working group is responsible for developing the preliminary standard application requirements for multi-purpose smart cards. A smart card Scheme Provider or application provider who proposes to implement the national standard smart card scheme should submit the detailed technical specification to the Thailand smart card committee before the implementation commences.

The Thailand smart card working group reserves the right to amend or delete any part of this requirements specification, or any document forming part of this specification, in the future without prior notice, in order to give effect to changes in international standards, technologies or government policies, or to correct any error or ambiguity that may arise.

1.1.2 Scheme Structure

An open multi-purpose smart card scheme consists of the following seven participants:
1) Smart card Scheme Provider
2) Card Holder
3) Service Provider or Merchant
4) Card Issuer
5) Value Issuer
6) Value Acquirer
7) Clearing House

A single entity may perform the functions of two or more roles of the smart card scheme participants. In non-financial smart card schemes such as the ID card, the application may involve fewer functions and fewer participants than are shown in the figure. However, there is no limit if more functions of other scheme applications are to co-exist on the same multi-purpose card.

[Figure: Smart Card Scheme Relationships, showing Fund Pool, Issuer, Value Issuer, Cardholder, Scheme Provider, Acquirer, Clearing House, Merchant / Service provider and Electronic Value]
Figure : Open Smart Card Scheme Participants

1) Smart Card Scheme Provider

Smart card scheme providers play a key role because they establish the smart card application scheme and guarantee the security and the valuable information contained within the system. The identifying characteristics of a smart card scheme provider are:
• Develops the specifications, rules and conditions
• Establishes security procedures and key management
• Grants membership (certifies, authorizes and monitors)
• Guarantees the trust of information or electronic value in the smart card system

2) Card Holder

Card holders are consumers or people who use smart cards for storing information, identifying themselves, or exchanging electronic value in cards for products and services from participants that have joined the scheme. Cardholder activity can be off-line or on-line, traceable or anonymous, depending on the function mechanisms used to implement a smart card application scheme. The identifying characteristics of a cardholder are:
• Valid to carry a card (certified by Card Issuer)
• Abides by the rules and conditions of the card scheme
• May or may not be associated with institutional ownership
• May have relationships with other scheme participants
• May be willing to keep money/points as electronic value in the smart card

3) Service Provider or Merchant

Service providers or merchants exchange their information, products and services for the information and/or electronic value stored in cardholders' smart cards. Service providers and merchants can be any individual establishments, e.g. municipal governments, telephone companies, transportation companies, retail merchants, fast food restaurants, convenience stores, vending machines, etc. Smart card acceptance terminals are devices specially designed to meet the functionality and purpose of the applications in use. For example, a payment acceptance terminal can transfer electronic value from a cardholder's smart card and store it in the terminal. The identifying characteristics of a service provider or merchant are:
• Trusted and certified by the Scheme Provider or Value Acquirer to access value in cards
• Abides by the rules and conditions of the smart card scheme
• May or may not be associated with institutional ownership
• May accept cards from multiple issuers
• May have relationships with more than one scheme acquirer
• May collect value with the fund pools of Card Issuers through a Value Acquirer

4) Card Issuer

Card issuers are participants granted the right by the smart card scheme provider to personalize and distribute the smart cards and to operate the smart card system. The identifying characteristics of a Card Issuer are:
• Authorized and quarantined by the scheme provider
• Personalizes and distributes cards to card holders
• May incorporate additional functions in the card
• May co-issue with, or later join, other scheme participants
• Responsible for managing a database and/or a fund pool

5) Value Issuer

Value issuers relate to financial or commercial requirements. Value issuers are responsible for loading electronic value into smart cards. The value recharging function is performed through a special reload terminal (or specially equipped ATM), which has a high degree of reliability and security. The identifying characteristics of a value issuer are:
• Authorized and certified by the Card Issuer
• Loads and updates electronic value on the card
• Performs this only online, by a trusted device and in a secured environment
• May operate the device to accept bank notes or transfer value from a bank account

6) Value Acquirer

Value acquirers relate to financial or commercial requirements. Value acquirers are responsible for accepting electronic value from service providers and merchants and exchanging it for a credit to their deposit account. As concentrators, Value Acquirers collect the smart card transactions of service providers and merchants and forward them to the clearing house. Depending on the scheme operating regulations, Value Acquirers may forward all of the detailed transaction data or just summary totals to the clearing house. The identifying characteristics of a Value Acquirer are:
• Authorized and certified by the scheme provider
• Responsible for collecting electronic value from merchants/service providers
• Provides devices, terminals and network, and manages black lists
• Manages terminals and verifies collected transactions
• May forward all transactions to be exchanged at the clearing house
• May accept for more than one card issuer or more than one scheme participant

7) Clearing House

The clearing house relates to financial and commercial requirements. The clearing house provides the financial reconciliation system for transferring funds from Card Issuers to Value Acquirers. The amount transferred is equal to the accumulated electronic value collected by the Value Acquirers from Merchants and Service Providers and submitted to the clearing house. The identifying characteristics of a clearing house are:
• Authorized and certified by the scheme provider
• Receives transaction batches from value acquirers
• Responsible for reconciling and accommodating the transfer of funds from card issuers to value acquirers
• May forward all detailed transactions from value acquirers to card issuers
• Usually operated by a scheme provider or its sub-contractor

1.2 Smart card Requirements

1.2.1 Compliance Requirements

All smart cards shall comply with the following international standards:
- ISO 7816 Part : Physical characteristics
- ISO 7816 Part : IC contacts
- ISO 7816 Part : Electronic signals and transmission protocols
- ISO 7816 Part : Industry commands for interchange
- ISO 7816 part : Numbering system and registration procedure for application identifiers
- EMV ICC Specification Part : Electromechanical characteristics, logical interface, and transmission protocol
- EMV ICC Specification Part : Application selection
- All relevant sections of ISO 10373 : Test methods

The following are additional requirements for cards to be used for financial transactions:
- EMV ICC Specification Part : Data elements and commands
- EMV ICC Specification Part 4: Security aspects
- ISO 7811 Part : Recording technique – Embossing
- ISO 7811 Part : Recording technique – Magnetic stripe
- ISO 7811 Part : Recording technique – Location of embossed characters
- ISO 7811 Part : Recording technique – Location of magnetic read only tracks – Tracks 1 and 2
- ISO 7811 Part : Recording technique – Location of read-write magnetic track – Track
- ISO 7812 Identification cards: Numbering System and Registration Procedure for Issuer Identifiers (1987)
- ISO 7813 Identification cards: Magnetic stripe encoding

Furthermore, smart cards may comply with the following international standards:
- ISO 639 : Codes for the representation of names
- ISO 3166 : Codes for the representation of languages and countries
- ISO 4217 : Codes for the representation of currencies

The physical mechanism of the smart card should include the following hardware security features:
• A fuse that disables access to the EEPROM manufacturing test mode
• A unique and unalterable serial number for each card to avoid cloning
• Power On reset for power supplies outside a specific range
• Diversified system key to protect the card during manufacturing and transportation to the card issuer
• Read and write access to EEPROM controlled by ROM software and issuer application
• Read and write access to ROM prohibited
• Low voltage detection
• Low frequency detection

1.2.2 Data Elements and Files

An application in the smart card includes a set of data. This data may be accessible to the terminal after a successful application selection. A data element is the smallest unit of data in the smart card that may be identified by a name, a format, and a coding.

1.2.2.1 Data Objects

Following the definition of a data object in the EMV specification, a data object is formed in tag, length, value (TLV) format. A tag, coded as a hexadecimal number, uniquely identifies a data object within the environment of an application. The length is the number of bytes of the data object. The value is the content of the data object. A data object may consist either of a data element or of one or more data objects. A data object that encapsulates a data element is called a primitive data object. A data object that encapsulates more than one data element is called a constructed data object.

The mapping of data objects into records is left to the smart card application design during the pilot project. The detailed description of which data elements are to be used shall be included in the smart card application specification that will be submitted by the pilot issuers.

Note: Data objects in TLV format are mandated for the debit/credit application in order to be in line with the EMV ICC specification. The data objects of other applications found in this document are presented in TLV form. However, the implementation of TLV for applications such as ID card, electronic purse and loyalty program is optional; the issuers may redefine data records in fixed format in order to save smart card memory space.

1.2.2.2 Files

The file structure, referencing method and level of security are based on the purpose of the file. The layout of the data files accessible from the smart card is left to the discretion of the pilot issuers, except for the directory files described in the following.

The smart card should support a file organization that complies with the basic file organizations defined in ISO/IEC 7816-4, which has two categories of file:
• Dedicated file (DF)
• Elementary file (EF)

The data structure for an elementary file allows four options:
• Linear Fixed
• Linear variable
• Cyclic
• Transparent

The Master File (MF) is a dedicated file which is the root of the file structure as shown in figure

[Figure: tree with the MF at the root, DFs beneath it, and EFs beneath the MF and the DFs]
Figure : smart card File and Data structure

The application selection of the standard applications should conform to the EMV ICC specification; the path to the set of applications in the smart card is obtained by selecting the Payment System Environment (PSE). See more in section 1.4.3, the application selection. Other applications conforming to ISO/IEC 7816-4 but not conforming to the EMV specification may also be present in the smart card as individual proprietary applications.

1.2.3 Standard Commands

1.2.3.1 Message Structure

The terminal and the card shall implement the physical, data link, and transport layers as defined in ISO 7816 part and. The command messages communicated between the terminal and the card should conform to the standard transmission protocol as defined in ISO 7816 part, and the standard instruction byte is defined in ISO/IEC 7816-4.

The application protocol of the command message sent from the terminal, and of the response message returned by the card to the terminal, shall be Application Protocol Data Units (APDU). The structure of the APDU command-response and the command codes are defined in ISO 7816 part 3, part and the EMV ICC specification. All other commands may be defined as extended requirements by specific applications such as electronic purse and loyalty program.

... the Thailand standard smart card committee. The foreign or the international smart card scheme provider that wants to launch its program in Thailand may report its reserved RID to the Thailand...
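The tag, length, value structure of section 1.2.2.1, as an added example that is not part of the standard: a Python parser for BER-TLV data objects that bounds every read, as a terminal should when handling data returned by a card. The names `parse_tlv`, `find` and `TLVError` are chosen here, and the sample bytes are constructed in the shape of a response to selecting the PSE.

```python
from dataclasses import dataclass, field

class TLVError(ValueError):
    """Raised when the input is not well-formed BER-TLV."""

@dataclass
class TLV:
    tag: int                 # full tag, e.g. 0x6F or 0x5F2D
    value: bytes             # raw value field
    constructed: bool        # True when the value holds nested data objects
    children: list = field(default_factory=list)

def parse_tlv(data: bytes, depth: int = 0, max_depth: int = 8) -> list:
    """Parse a buffer of BER-TLV data objects, rejecting anything that
    would read past the end of the buffer or nest without bound."""
    if depth > max_depth:
        raise TLVError("nesting deeper than max_depth")
    objs, i = [], 0
    while i < len(data):
        first = data[i]
        i += 1
        if first == 0x00:            # filler byte between objects (EMV allows it)
            continue
        tag = first
        if first & 0x1F == 0x1F:     # low five bits all set: tag has more bytes
            while True:
                if i >= len(data) or tag > 0xFFFF:
                    raise TLVError("truncated or oversized tag")
                tag = (tag << 8) | data[i]
                i += 1
                if not data[i - 1] & 0x80:   # bit 8 clear: last tag byte
                    break
        if i >= len(data):
            raise TLVError("missing length field")
        length = data[i]
        i += 1
        if length & 0x80:            # long form: low 7 bits = count of length bytes
            n = length & 0x7F
            if n == 0 or n > 2 or i + n > len(data):
                raise TLVError("indefinite, oversized or truncated length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise TLVError("value field overruns the buffer")
        value = data[i:i + length]
        i += length
        constructed = bool(first & 0x20)     # bit 6 of the first tag byte
        kids = parse_tlv(value, depth + 1, max_depth) if constructed else []
        objs.append(TLV(tag, value, constructed, kids))
    return objs

def find(objs: list, tag: int):
    """Depth-first search for the first data object with the given tag."""
    for o in objs:
        hit = o if o.tag == tag else find(o.children, tag)
        if hit is not None:
            return hit
    return None

# Constructed sample: FCI template 6F { DF name 84,
# proprietary template A5 { SFI 88, language preference 5F2D } }
DF_NAME = b"1PAY.SYS.DDF01"
SAMPLE = (bytes([0x6F, 0x1A, 0x84, 0x0E]) + DF_NAME +
          bytes([0xA5, 0x08, 0x88, 0x01, 0x01, 0x5F, 0x2D, 0x02]) + b"th")
```

Truncating `SAMPLE` by one byte makes the outer length field claim more data than the buffer holds, and `parse_tlv` raises `TLVError` instead of returning a short value.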

Date posted: 09/12/2013, 21:15
