Planning

- Are there different types of smart cards, and how should we choose which one is right for us?
- What standards should we take into account for a smart card scheme?
- What hardware and software is required and what products and services are available from which suppliers?
- How can we benefit from the experience gained and investments made by other local authorities in smart card schemes?
- What should be the business objectives of the scheme, and how should we prepare a business case?
- What are the key legal issues we should take into account for our smart card scheme?
- Are there data protection issues related to smart card schemes?
- Can our smart card schemes enable holders to make payments (e-purse)?
- What legal issues are there related to smart card financial transactions (FSA)?
- Is information available on security issues such as authentication and Public Key Infrastructure?
Are there different types of smart cards, and how should we choose which one is right for us?
To be useful, the information held on a smart card needs to be read by some sort of device, which in turn gives access to a display device or a network. There are two ways of doing this. Cards can either be plugged into, and therefore make physical contact with, a reader (commonly referred to as a card terminal), or they can be read using radio frequencies (RF). The way a smart card is read is a key smart card differentiator:
- Contact smart cards - are read when the reader contacts a small gold chip on the front of the card.
- Contactless smart cards - are read via an antenna, eliminating the need to insert and remove the card by hand. Once such a card is in close proximity to a reader receiver, the card will begin communicating with it. Contactless cards can be used in applications in which card insertion/removal may be impractical or in which speed is important, for example almost all smart cards used for transport user applications are contactless - using a contact card would seriously slow down the loading of a bus.
Some cards ("hybrids") have two chips embedded in them, one of each type, and there are now "Dual Interface Cards" that have one chip which can function either as contact or contactless, or both for different applications. Other key card differentiators are related to their capacity to hold information and whether or not they can process it. Some cards (memory) have a similar function to a floppy disc: they just store information. Others (microprocessor) are able to process information and run small programs, such as Java Applets on contact cards.
What standards should we take into account for a smart card scheme?
WP3-03 - "Applicable Standards" focuses on this issue. It says: "Technical standards and operating rules are necessary to allow local authorities to purchase cost-effectively and with confidence that they will not be locked in to a restricted supply situation or implement systems that will become obsolete. Common sets of standards and rules are important to define and enable interoperability between local authority systems across the UK where such interoperability is felt to be desirable. Standards are needed as base level building blocks for the development of products and services; they are not detailed specifications. This is to encourage competition, diversity of design and new initiatives among suppliers. The balance between generality and detailed specification in standards is one which is difficult to achieve and different standards take different approaches. Nevertheless, a standard is not normally a specification." It goes on to describe those standards that apply to local authority smart card schemes.
WP3-02 - "Interoperability within the local authority sector" explains the need for standards in achieving interoperability. It says: "Interoperability requires both technical and business interoperability. The former can be derived from using common technical standards and specifications.."
WP3-10 - "Routemap Overview" offers a number of recommendations related to standards including "The use of standards is highly desirable so as to avoid becoming locked in to any particular supplier and to ensure interoperability of services. In government work, where formal procurement takes place, standards should be mandated."
WP7-11 - "Analysis of Potential for Federating Identities" deals with the issue of standards compliance in this context.
WP9-03m - "Standards" is part of the NSCP Starter Pack and provides guidance for the use of standards at the implementation level.
What hardware and software is required and what products and services are available from which suppliers?
Depending on how your Local Authority chooses to implement its smart card scheme, the quantity of hardware and software can vary. If the scheme is deployed as per the recommended guidelines there will be specific hardware required for each stage, for example: Database Server (Cardholder database), Web Server (National Smartcard website), Service Point outlets (Enrolment application, website), Smart card production bureaux (Print and Perso).
The National Smart Card Project Starter Pack will function effectively with different hardware, such as servers, Smart card readers and TWAIN compliant imaging devices. Smart card printers (Print and Perso) will require some tailoring of the software. Brands used during development and testing included: Microsoft Windows XP, 2000 Server, Compaq (Servers and clients), Fargo (Smart card printer), Orga (Smart card readers), Hewlett Packard and Logitech (TWAIN compliant imaging devices).
How can we benefit from the experience gained and investments made by other local authorities in smart card schemes?
Local authorities that have already been involved in planning and implementing smart card schemes are sources of enormous amounts of knowledge that could be valuable to other local authorities. The value may lie in general lessons learned, but it could also take the form of relevant products that have been developed. For example, a local authority that uses a particular library system may have developed a smart card interface that could be used by other local authorities, avoiding costly duplication. Any local authority considering embarking on a smart card scheme should therefore initially consider joining an existing e-government partnership that is involved in smart cards, or even forming one, and identifying those local authorities that have, or may have, created something of relevant value.
WP2-01 - "Business Case including social, political and commercial considerations" - in Section 3, describes the background to smart card use and some multi-application schemes.
WP9-02 - a market research report, lists some of the local authority smart card schemes that were in progress in mid-2003.
WP5-05 - lists central government smart card schemes.
WP7-04 - describes existing smart card with e-purse schemes.
What should be the business objectives of the scheme, and how should we prepare a business case?
The whole of the business case section of the National Smart Card Scheme was devoted to addressing these issues.
WP2-01 - "Business Case including social, political and commercial considerations" - covers the subject in broad terms. It says "Smart cards have, for some time, offered a potential way of improving the delivery of services in a number of sectors. With the advent of widely available, lower priced, high capability cards, this potential is now beginning to be realised. Analysis of existing deployments shows that large schemes have both the capacity to address service delivery issues, and the potential to do this in a way that the investment can be recouped over a time period which makes schemes sustainable."
WP2-03 - consists of a spreadsheet and a report "Financial Model - Assumptions and Commentary" that illustrates in detail the elements of cost and revenue that should be built into smart card scheme financial models. It says "This document accompanies the Financial Model, which is presented as a spreadsheet. It highlights a number of assumptions and considerations that should be well understood before using the spreadsheet model. It can also be used for reference when inputting data to the model."
WP2-04 - "Financial report on implementation set-up costs" says: "This document sets out the basic costs of an "entry level" local authority instigated multi-application smart card scheme. It is designed to inform local government decision makers and strategists of the cost involved for initiating a local scheme to the point that a single card can be issued to citizens for access to a "typical" range of local services. The selection of card applications is intended to be indicative rather than prescriptive, and is based upon information gathered from consultation and research conducted within the National Smart Card Project."
WP2-05 - "Business Models" provides a strategic business model approach, discusses options facing individual local authorities and sets out a practical business model approach for local authority instigated multi-application smart card schemes.
WP3-01 - "Considerations for Multi Application Multi Sector Smart Cards" describes policy issues.
WP4-08 - "Sources of Help and Information" provides valuable sources related to business case development assistance.
WP6-01 - "Commercial applications" considers the business case for private sector involvement.
What are the key legal issues we should take into account for our smart card scheme?
The Legal and Data Protection section of the National Smart Card Project deals in detail with legal issues, the main ones being indicated by the following report subject matter:
- WP8-01 - "Financial Services Regulation"
- WP8-02 - "Card Governance"
- WP8-03 - "Securities Issues, incorporating electronic signatures, PKI and certification issues"
- WP8-04 - "Information Law, incorporating Data Protection Toolkit"
- WP8-05 - "Public Procurement Regulations"
- WP8-07 - "Corporate Structures"
- WP8-08 - "Risk Register"
- WP8-09 - "Commercial Conditions of Contract"
Are there data protection issues related to smart card schemes?
E-Government policy recognises the need to safeguard citizens' rights in respect of Data held about them. There could be a complex web of relationships involved in a Smart Card Scheme. A Card Issuer needs to establish the data protection relationships involved in a Smart Card Scheme and deal with these appropriately by contracts with Data Processors or contracts or protocols with others, ensuring at the same time that Data Subjects are aware which Data Controllers Process their information. WP8-04 - "Data Protection and Information Law" deals with this subject in detail.
Data protection is also taken into account in WP7-11 - "Analysis of Potential for Federating Identities".
Can our smart card schemes enable holders to make payments (e-purse)?
Smart card e-purses are able to hold electronic money and can be used to pay for goods or services in particular smart card schemes. Several of the National Smart Card Project reports deal with various aspects of using smart cards to make payments and the nature of e-purses.
WP7-03 - "E-purse Basics" - describes what e-purses are and the types of e-purse available. It says: "E-purses divide into "Open" and "Closed" types. E-purses described as open are ones that can be used for a wide variety of transactions just like money, for example to pay for school meals and library rental and leisure activities etc. E-purses that are described as closed, on the other hand, are ones with their use restricted to only school meals or only travel etc, and therefore are more like tokens than money."
WP7-04 - "Existing E-Purse Schemes" - says: "The UK banks have incurred excessive costs in proprietary e-purse schemes with little or no return and can only be described as currently being very averse to hearing the word ‘e-purse’."
WP7-05 - "E-Purse Cross Regional E-Payments" - says "any Local Authority local or cross border e-payment scheme that represents cash values as opposed to tokens, must allow the cardholder to use that value in payment for a wide range of services and goods. A failure to do so will lead to the "ghetto-isation" of the payment method and ultimately its failure."
WP7-14 - "Retail Payments Sector Considerations" documents the business, operational, regulatory and payment system considerations that will affect the decisions of the retail banks, building societies and other financial institutions when they consider involvement in the provision of payment services to Local Authorities. It also highlights any obstacles to their involvement and describes potential means by which these may be overcome. Finally it identifies key requirements of any adopted national smart card scheme that would facilitate and encourage retail financial institutional involvement.
WP8-01 - "Financial Services Regulation" covers legal issues relating to e-purse and WP8-08 - "Risk Register" details risks associated with e-purse.
What legal issues are there related to smart card financial transactions (FSA)?
WP8-01 - "Financial Services Regulation" is the main National Smart Card Project report dealing with the subject. It investigates the key legal issues surrounding financial services regulation and consumer protection as it may impact on e-money, debit facilities and credit facilities if they were to be made available on a Local Authority Smartcard.
WP7-03 - "E-purse Basics" - describes the Financial Services Authority’s role in controlling who is able to issue e-money. Organisations issuing cards with open e-purses are in effect operating as banks and may be regulated similarly.
WP7-14 - "Retail Payments Sector Considerations" - says "With regard to the Regulatory Environment, Local Authorities need to be aware of the controls which will be exerted upon them if they wish to provide financial card products. Card products must conform to the legislation and requirements of controlling bodies. These include the Financial Services Authority - an independent body that regulates the financial services industry within the UK, the Consumer Credit Act 1974 - requires most businesses that offer goods or services on credit or lend money to consumers to be licensed by the OFT and compliance - The rules which govern the usage of the card are controlled and enforced by a number of bodies, all with different areas of responsibility and accountability."
Is information available on security issues such as authentication and Public Key Infrastructure?
WP8-03 - "Security Issues" - considers the legal issues connected with electronic signatures, PKI, biometric identifiers and the security measures set out in ISO 17799. It charts the legal background to the above issues, and considers the current position under English law. Section 7 of this report considers the issues in the context of a Smart Card Scheme and the way in which certain risks may be managed by means of contract.
WP3-04 - "Accessibility and Social Inclusion" deals with the subject of authentication in Section 5. It says: Authentication provides users with a secure way to prove their identity during a transaction. It can also prove the identity of the other participant (card reader and service provider) back to the user. However it is important that the level of authentication is appropriate to the application; users will get frustrated if they are required to provide information which they deem unnecessary.
WP7-09 - "Authentication" is a series of reports on the subject, covering: the requirements that need to be met before a digital certificate can be issued; how the Certificate Policy will be practically implemented; the requirements for registering a citizen, organisation or application/device; an agreement whereby the citizen acknowledges that they too have responsibilities associated with holding and using a smart card; the Local Authorities Application Form for Registration Authority and Local Registration Authority Officials; the Local Authorities Endorser Agreement, which enables help to be gained by utilising "endorsers" in the process of signing up users in certain circumstances; and the Local Authorities Certificate Profile.
WP7-11 - "Analysis of Potential for Federating Identities" deals with the issue of authentication and PKI in this context.
WP7-01c - "Bolton Pilot Specification" deals with authentication in Section 3.