A Vision for Smart Cards
By Martin Reilly
Until recently the concept of a single citizen card only belonged to fiction. But now it has become reality. Today a smart card can act as proof of identity, carry entitlement to concessions, enable benefit payments, make it quick and easy to board public transport (and pay the fare without cash), pay for lunch, carry leisure centre membership and store loyalty points earned with retailers and fast food outlets.
All of the above has been delivered on a single smart card as part of a Government pilot in the North East of England. The pilot project has issued around 20,000 cards but the full regional rollout expects to issue some 3 million cards.
Local authorities in the North East have come together to form The North East Regional Smart card Consortium (NERSC). Transport operators, various government agencies and educational institutions are also active participants. The goal is to develop a governance framework for the implementation of a region wide multi application citizen smart card.
The UK target for the delivery of e-government by 2005 is a major challenge for local and national government. The ability to perform transactions through electronic channels requires mechanisms to authenticate citizens and verify entitlement. Central government’s vision is that smart cards will help the process of joining up services and securing access.
The current UK replacement of magnetic stripe bankcards with chip cards will put a smart card into most wallets by 2005. Yet in other parts of the world smart cards have already been rolled out in a number of areas such as public transport. For example Hitachi’s system for Japan Rail East handles some 16 Million gate transactions, 5 million cardholders, 424 stations and is probably the largest smart card ticketing system in the world. London will see the arrival of its own smart card on the London underground during 2003.
Dual role of smart cards
There are two distinct approaches to the use of smart cards for the delivery of government services. The first is where the card operates as a unique token, or key, for access to government services. All data is held in a database operated by each of the service providers. The chip is simply a secure means of storing one or more unique ID numbers. The approach assumes that points of service are able to access the relevant databases. This may be a reasonable assumption in a city library but not so certain in more remote locations.
The second approach is that of the smart card as a distributed computing device, capable of securely storing data and executing functions for a number of service providers. Such multi-application smart cards have security algorithms that allow secure offline transactions. Data and applications on the same chip are protected from each other with firewalls. Applications can be loaded and deleted during the lifetime of the card to reflect the changing needs or lifestyle of the cardholder. The greater cost of such cards can be offset against their flexibility, functionality and reduced dependence on expensive network infrastructure.
The NERSC pilots took the second approach and issued multi-application smart cards to adults, school children and young people in Newcastle and Gateshead. Hitachi’s card management system (CMS) is careful to partition and firewall the different data sets. The catering company might know your choice of meal for lunch but cannot know details of your bus journeys. The CMS pulls together multiple applications and services onto a single card.
The different applications loaded onto the chips reflect choices made by the cardholder or on behalf of a group of cardholders. A card should not tie all participants to a single supplier of a service. Different catering companies and different schools had already chosen or selected different cashless catering solutions. The same card has to carry applications for any of these providers and enable a migration of applications if service providers are changed.
It is important to build a practical business model for any card scheme. This means stakeholders within a project must seriously consider “What is in this for me?” Organisations are often looking for extra revenue, extra funding, reduced costs or better management reporting. Real practical and valuable benefits are required if an organisation is going to participate.
The formation of regional associations of local authorities and citywide groups is a positive step. Smart cards require a minimum volume and project size if they are to enjoy the economies of scale and added value of integrated services. In the future, cards should operate seamlessly across the nation and even across the borders of European countries but for this to happen it is vital that we have co-operation on a regional level.
Maintaining security
An important application to be carried on future government cards is PKI. Public Key Infrastructure provides a highly secure mechanism to authenticate users and validate transactions. The technology uses secret keys held securely on the smart card to digitally sign transactions and electronic certificates. These are validated with the matching public keys, usually accessible to all. Services such as the e-Envoy backed Government Gateway project uses PKI technology to secure access to government services, for example tax returns.
Hitachi’s most recent innovation is the µ-chip (“Mu-chip”), the smallest RFID chip in the world. This chip looks like a speck of dust and is small enough to be embedded into paper. The low cost of the chip with its high level of security makes it a good match for large volume deployments. The business case for replacing two or three easy to forge magnetic stripe cards with a more secure and speedy contact less µ-card is clear. The µ-chip can easily fit inside the plastic of a smart card alongside other more expensive chips. This is important where government staff or selected groups of citizens may require a card that carries more sophisticated applications such as an e-purse or PKI implementation.
The smart card future
The future population of government cards will be mixed. The choice of chip will reflect the needs of different groups and the realities of the costs and savings delivered. The card issued to school children for meals and bus travel will not be as expensive or as sophisticated as the card used by a business person to authenticate online transactions, such as tax returns. However, both cards will sit within a common framework of authentication and validation and follow shared standards on data sharing and data protection even when using different chip technologies.
Hitachi is now working to help local authorities in other regions make their smart card ambitions a reality. The company provides consulting and project management services, systems implementation, out-sourced service provision or simply the supply of hardware and smart cards.
Martin Reilly is Senior Consultant, Information Systems Group, Hitachi Europe Ltd.