In every high-stakes card game, there comes a time when a player has to show 'em or fold 'em.
Flush off the successful tests of smart cards in closed environments such as military bases, office parks and college campuses, the financial industry has laid its hand on the table and pushed the technology into the economic mainstream. By virtue of their experience managing customer contacts and card programs, banks have a leading role in this gambit, forging cross-industry partnerships to develop innovative new smart card services. Eventually, these partnerships could make smart cards the non-PC portals for what are now Internet-only financial applications.
This next step could happen sooner than many expect. Although the need to secure e-commerce fueled the initial rush to pass the chips around, banks are now preparing to up the ante-by enabling smart card capabilities at some of the approximately 10 million point-of-sale terminals, 350,000 electronic cash registers and 260,000 ATMs in the United States.
"The POS terminals deployed in the late 80s and early 90s have become extremely expensive to maintain," said Patrick Gauthier, senior vice president of smart card applications at Visa U.S.A. "We are witnessing, regardless of chip, the early stages of a 'reterminalization' wave which will probably touch 40-45% of the installed base of point-of-sale when everything is said and done."
Reterminalization to smart cards is not without risk, however. Taking into account the cost of upgrading host software at over 14,000 banks and providing card readers to about 58 million online shoppers, a fully-deployed national smart card-enabled infrastructure would cost a whopping $9.8 billion, according to Datamonitor.
But the potential jackpot makes the smart card bet worthwhile, some experts said. North American business-to-consumer e-commerce revenues totaled $17.4 billion in 1999, according to Datamonitor. "That's nothing compared to the $4 trillion that happens through credit cards in the offline world," said Jay H. Lee, senior vice president of e-business strategy development at FleetBoston, which introduced Fusion, a self-branded Visa smart card, last September.
FleetBoston is not the only bank pursuing potential smart card business. Providian Financial and Bank One subsidiary First USA also offer Visa-branded smart cards. Visa also announced that Bank of America, Capital One, Chase Manhattan, Citibank, MBNA and Wells Fargo will use its cards.
MasterCard, which is active in global smart card and digital cash initiatives, indicated that announcements for the U.S. bank market are forthcoming as well.
American Express has also made a major foray into the smart card business. Indeed, its "Blue" smart card, launched in September 1999, was first to market, and has carved-out a profitable niche with an estimated five to six million users. "The industry was surprised by the success of Amex Blue over the past 18 months," said Richard Cornelius, a partner at Accenture, formerly Andersen Consulting. "The card appeals to a very attractive demographic for an issuer. It tends to appeal to people who are higher net worth, technically savvy and tend to use the card a lot."
A chance to boost online usage and profit is only one reason financial institutions are turning to smart cards. Bank executives also cited technology as a key factor driving their smart card decisions. For example, FleetBoston investigated several online technologies before moving forward with a smart card program, Lee said. "We wanted to put our bets on something that was going to bridge the gap between both online and offline. The smart card is the way that's going to happen."
FleetBoston wanted its initial foray into smart cards to take advantage of the post-issuance application loading capabilities of JavaCard 2.1 from Sun Microsystems, Lee said. Earlier versions of smart cards, including those widely used in Europe, had been shipped with applications essentially burned into the chip. With Java-Card, "we can give consumers new applications to update their cards, and delete applications if we let them," said Lee. "That's a big deal."
Smart card technology can also woo fraud-concerned consumers to electronic shopping. For instance, Blue cardholders can securely shop online using a PC-based card reader that provides access to an "online wallet" which communicates the cardholder's information to the merchant's Web site.
Amex appears unfazed by recent reports that the card's secure e-commerce capabilities have gone largely unused. "We're actually very pleased with the adoption that readers have had in the marketplace," said Martin Wittwer, vice president of smart card enterprise development at American Express.
Card readers on PCs are just the first step. "You could use the X.509 industry standard certification in a number of environments for making online transactions," said Wittwer. "A broad array of applications will offer a greater level of security when making online transactions through different devices, like set-top boxes or mobile handsets."
The technology and security components of smart cards also have value to banks beyond assuaging consumers' e-commerce fears. Because issuers provide reasonable assurance that its contents are secure, the chip's memory can safely store e-commerce credentials such as digital signatures and digital certificates. With credentials established, smart cards can serve as the focal point for applications made possible through the E-SIGN Act, such as online mortgage and insurance.
With an application such as health care, where requirements for privacy coincide with a critical need for quick access to information, a smart card could perform several complementary tasks. For example, it could store basic medical records; control the mobile phone used to schedule a doctor's appointment; allow the doctor to gain access to detailed online records; record a prescription; and pay the pharmacist according to the patient's insurance policy, with the co-payment automatically deducted from a debit account.
OPERATING SYSTEMS CHOICES
For such a system to truly work, a smart card needs an operating system that juggles multiple applications. Systems providers realize this need, and are already providing products to solve this problem.
Heeding the call for multiple application smart card platforms, Microsoft added the Windows for Smart Cards operating system to its software lineup. "We're prototyping this technology with banks, and working with our marketing department and technical department to make the multiapplication smart card a marketing tool to build bank loyalty," said Mike Dusche, product manager of the smart card group at Redmond, Wash.-based Microsoft.
"What we can do now is graft in business propositions that would be interesting to banks," said Dusche. "You're going to see Microsoft offer up all of its MSN properties (e.g., Passport, Instant Messenger, Expedia) as applications that can run on smart cards."
The arrival of Microsoft and Sun on the smart card scene is a "watershed event," said Visa's Gauthier. Through their networks of software developers, he noted, the two software giants provide the technology needed to build full smart card systems-from card creation to the processing server.
Visa has remained "OS-agnostic," leaving the choice of operating system to banks and their system integrators, Gauthier said. "You may even see, from one issuance to the next, a bank issuing a card on Sun and the next one on Microsoft. The back-end will not be affected."
The third major operating system choice for issuers is MULTOS, backed by a MasterCard-led consortium of several member banks. Although MasterCard doesn't mandate the use of MULTOS, it claims that MULTOS' 100 different applications are more than enough for any bank's needs. "MULTOS is driven by an open consortium of industry players," said Chris Rieck, vice president of marketing communications for MasterCard International. "The application loading is completely open."
Because the entire operating system is bundled into one package, "that makes it fairly airtight in terms of security," said Rieck, noting that the British government has certified MULTOS' level of security as being on a par with those of military weapons systems.
Although MULTOS provides higher levels of inherent security than Java, it is to some extent less flexible for development purposes, said Graeme Ward, chief strategy officer of ACI Worldwide, a systems integration subsidiary of Omaha, Neb.-based Transactions Systems Architects. "Although I doubt whether this would ever be visible to a user."
To ease the way to smart card acceptance by U.S. banks-most of which are dual issuers of both MasterCard and Visa-the card associations are developing a common smart card interface. Both the Global Platform consortium overseeing Open Platform-Visa's Java-based operating system-and the MAOSCO consortium, which oversees MULTOS, developed specifications allowing any merchant terminal to communicate with any smart card, including Amex.
"As we prepare messages to send to or from the card, we will take into account the target operating system," said Ward, "in the same way that an NCR ATM may speak a different language than a Diebold ATM."
Large chip manufacturers, too, have benefited from this move toward standardization. Smart card issuers in financial services use the same cards as those deployed as Subscriber Identity Modules (SIMs) in the mobile phones widely used in Europe. The end result: production costs have fallen to the point where both Visa and MasterCard are filling bulk orders of entry-level cards for $3 apiece.
But costs aren't limited to the cards and readers themselves. Banks must update existing systems to effectively load smart cards, process transactions and manage accounts, which often requires integration with legacy systems. There are also incremental marketing and support expenses. "For banks, a good rule of thumb is $20 per card," said Ravi Bhojwani, an analyst at Datamonitor.
In addition to controlling costs, banks also face the challenge of how to inexpensively take advantage of the empty space on the smart card. "If you're going to run a program and do it well, you've got to have at least three or four applications on the card," said ACI's Ward.
One way to subsidize the content and cost of smart cards is to enter into co-development partnerships with interested businesses. However, only certain banks may have an edge in inking deals with desirable co-brand partners. "Banks that have co-branding and affinity expertise, in opposition to the ones that have not really invested in that, certainly also have an ability to deliver a certain type of partnership," said Visa's Gauthier.
So for now, the smart card game is being played at the high-stakes table. "As you dig deeper and deeper, it is going to be at this stage an expensive proposition," said Gauthier. "It would be unfair to portray the smart card right now as something a community bank should dive into."
Yet Microsoft's Dusche described a scenario in which smaller banks can manage geographically-focused loyalty programs for merchants in its acquiring portfolio. "In addition to your Hertz and your Hyatt and your United Airlines, you've got the curry shop up the street from where you live on your smart card," he said. "Merchants may be interested in doing cross-couponing and promotion, and the bank can be the facilitator for that."
"We could very well see a model whereby a large bank deploys the smart card infrastructure, and then smaller banks basically act as agents for the large banks," said Gauthier. "After all, we're also seeing this in the traditional card business."
Other observers are more cautious. "There's always going to be some overhead in managing the cards and managing a loyalty application," said Accenture's Cornelius. "Does it create enough merchant and consumer value that merchants and/or consumers are willing to pay for it?"
"Look back over the past year," Cornelius said. "If you throw enough money at something, technology will enable a lot of very interesting things, but the business case isn't always there."
Yes, It's a Computer
Chip-based smart cards place the computational power of an early-1990s personal computer onto a wallet-sized piece of plastic. Although lacking a motherboard, peripherals, expansion slots or audio-video adapters, the smart card qualifies as a computer by virtue of having a silicon chip processor with a dollop of random-access memory (RAM).
A chip-based smart card inserted into a card reader acts like a computer connected to a peer-to-peer network. The card reader cannot access the card's storage area directly; rather, the card reader has to negotiate with the chip for all such requests for information.
In contrast, magnetic-stripe stored value cards, such as the MetroCard used to ride New York City's subways and buses, are the functional equivalent of miniature floppy disks. The contents are scrambled to prevent read/write access except from a limited number of special-purpose disk drives (i.e., turnstiles and card dispensers).
Gaining unauthorized access to data becomes far more difficult when pitted against a computer chip. A malfeasant would have to "persuade" the chip to fetch and relinquish the contents of memory, bypassing technologies such as public key infrastructure (PKI) encryption. This involves more than just cracking a code to unscramble a string of numbers. "If you really wanted to get into a smart card and money was no object, then you could attack it," said Graeme Ward, chief strategy officer of ACI Worldwide. "But you couldn't clone it in the way that you can a stripe on a magnetic card." - Ivan Schneider
The Embodiment of Moore's Law
Intel founder Gordon Moore gave technologists a handy rule of thumb when he observed that computing power tends to double every 18 to 24 months. "Moore's Law has been pretty kind to the smart card industry," said Microsoft's Mike Dusche, noting that Microsoft employees are issued smart card badges containing 64KB of storage, a 10 MHz 8-bit processor and a crypto co-processor.
Yet Moore's Law has a flip side. As almost anyone who has ever purchased one can testify, computers tend to obsolescence shortly after being plugged in. Still, observers don't expect this to have as pronounced of an effect in the smart card world. "People aren't going to upgrade that fast with credit cards and debit cards," said Jerome Svigals, director of MIS at ApolloSmart, a Los Angeles consulting firm, and head of the Smart Card Institute.
Even if card upgrades become commonplace, bankers see the glass as half-full. "We're hoping that Moore's Law really works so that we can continually put out better cards or better chips," said Jay H. Lee, senior vice president of e-business strategy development at FleetBoston. "If consumers want to have more memory or want to have more firepower, it's an opportunity for us." - Ivan Schneider