In 2001, after the successful launches of our card operating systems, MCS undertook the development a card lifecycle management system named IdenSafe. It was a web-based server application that was built on ASP technology meant for national identification projects. IdenSafe managed card inventory, generated the personalisation scripts, kept track of card issuance and handled card deactivation and termination. Hardware interfaces for card reader-terminal, biometric scanner and personalisation interfaces were implemented. In addition, a Key Management System (KMS) was developed to handle the key generation, derivation and distribution, and digital signature generation and verification, with the support of hardware security module (HSM).
A card management system will be required to serve and safeguard an open card system like the one supporting our next-generation COS, that manages card inventory and distribution, generates the personalisation scripts, keeps track of the health and status of cards in circulation, and handles de/reactivation and termination. User interface will take place over the internet, whereas urgent alerts and announcements may be delivered via email and phone messages.
The card management system will coordinate the actions of the stakeholders:
- Service providers, e.g. government, bank, transport authority, retailer
- Card issuer
Its operation shall meet industry security levels, including ISO/IEC 27001 information security management system (ISMS), Payment Card Industry Data Security Standard (PCI-DSS), privacy and data protection laws and national Trustmark.
Card application provisioning and personalisation
Expanding on the next-generation COS project, we see card owners/holders sourcing their applications from the internet and installing them on-the-fly. The authenticity of the applications can be verified through PKI technology. Subsequently, the installed application may be activated and personalised by the relevant application provider. For example, the cardholder signs up for an ATM card with a bank, downloads and installs the ATM application into the card, and finally have it activated and personalised by the bank, where the entire procedure is performed over the network. Subsequently, the card may be used at all ATMs like a regular, single-purpose ATM card.
The above card application provisioning and personalisation system should be a familiar concept - think Google Play Store for card applications. Application providers will comprise conventional smart card vendors, retail businesses, financial institutions, governmental agencies, hobbyists and other groups who wish to serve the greater public. Downloads may take place through the existing infrastructure, i.e. payment terminals, ATMs, NFC-enabled mobile devices, public kiosks and home PCs with smart card readers.
The mobile device has become an important computing and communication tool that is gradually gaining traction in the data security space, what with the implementation of secure elements and near-field communication interface. We envision the mobile device playing an important role in facilitating the use of our next-generation smart cards through connecting smart cards to the internet via its built-in NFC interface. Furthermore, security standards and application specifications developed to accommodate the secure element (SE) can be applied to our new smart cards.