Field of the Invention
The field of the present invention is chip cards with user interfaces. The user
interfaces may include one or more of a display, a keyboard, signalling LEDs,
and biometric sensors. In particular, embodiments provide a new display card
with keyboard (DCK) architecture that has improved functionality over known
DCK architectures.
Background of the Invention
The use of passive cards, comprising a magnetic strip and/or chip for storing
information, for applications such as payment devices (i.e. chip and PIN) and
travel passes, is well known. Advantages of using such cards include the cards
being cheap and easy to manufacture. In addition, their small size and low
weight makes them highly portable.
Developments in mobile telephone technology have allowed these also to be
used as payment devices, passes and other applications. The communication
and processing capability of mobile telephones provides many advantages over
passive cards, in particular an increased service availability for the cardholder.
However, a problem with using mobile telephones for applications such as
payment devices is that it is difficult to provide a secure device. Mobile
telephones are required to support a diverse range of applications and it cannot
be ensured that these are all from trusted sources. It is therefore necessary for
complicated techniques to be applied in order to protect the information on the
mobile telephone from any malware that may also be present. In addition, the
relatively large cost of a mobile telephone means that if it is lost, as sometimes
happens with items in common usage, then it is expensive to replace.
An improvement over the above-described passive cards is a display card with
keyboard (DCK). Figures 1 and 2 show known architectures of DCKs, Figure 3
shows the architecture of a known DCK at the level of its user interfaces.
As shown in Figure 3, a known DCK may comprise contact and contactless
interfaces, a specialised keyboard, simplified display and signalling LEDs. The
user interface provided by the keyboard and simplified display allow improved
security and functionality. For example, the card may generate a one time
password, OTP, that may be autonomously displayed by the DCK and used to
log onto an internet banking account.
Advantages of a DCK over a mobile telephone include the DCK being inherently
more secure since it is a lot harder for a malicious party to gain access to any
information stored by the DCK. A DCK is also not required to run the diverse
range of applications that mobile telephones are and so they do not experience
malware problems due to software from untrusted sources. Moreover, DCKs are
easily used for both contact and contactless information transfer with a terminal
whereas mobile telephones are only usable for contactless information transfer.
In addition, the relatively low cost of DCKs means that they are cheap and easy
to replace if lost.
The architectures of known DCKs are described below with reference to Figures
1 and 2.
Figure 1 shows a first known architecture of a DCK that is used as a payment
device. There are two separate processors, shown as Chip and Display Control.
The card also has interfaces for contact and contactless communication as well
as a specialised keyboard and a simplified display.
The Chip accommodates a typical payment application (P), and possibly other
applications as may be required for ticketing, loyalty, etc. The only way of
accessing applications in the Chip is through the external services interface,
either through contact or contactless communication with the DCK.
The Display Control (D) is connected to the specialized keyboard and to the
simplified display. There is no communication path on the DCK between the Chip
and the Display Control and accordingly these modules are not able
communicate with each other. In addition, the Display Control has no
connection to the contact and contactless interfaces, which can only be used to
access the Chip.
In the architecture shown in Figure 1, the Display Control implements a
Cardholder Authentication Program (CAP) Token Generation Service (CTGS),
with a separate cryptographic key for Application Cryptogram (AC) computation
and OTP generation. This requires the Display Control to be implemented as a
tamper resistant / tamper detective-responsive component and therefore
increases costs.
Another problem with the architecture of the DCK shown in Figure 1 is that the
Display Control can only provide services that do not require access to the
applications in the Chip. It therefore cannot provide services such as the reading
of an accumulator/counter of the balance of a payment application, or the
reading of a trace record in a log file.
Figure 2 shows another architecture of a known DCK. The architecture in Figure
1 has been modified to comprise a Sniffer in communication with the Display
Control so that further services can be provided. The Sniffer is able to read the
communication between the Chip and the contact and contactless interfaces.
From this information, the Display Control is able to deduce, for example, an
external account balance.
However, a problem with the architecture of Figure 2 is that the additional
services provided are limited to what can be achieved by reading the
communication between the contact and contactless interfaces and the Chip. In
practice, all that can be determined form this communication are updates of
accumulators/counters, their limits and balances. It is not possible for the
Display Control to directly access any of the information in the Chip.
Moreover, the architectures of the DCKs in Figures 1 and 2 are not scalable.
Their electronic circuitry is designed for specific functions; to provide a new
function, such as to temporarily disable information transfer over the contactless
interface, would require a change in the electrical and physical configuration of the
DCKs.
The DCKs in Figures 1 and 2 both comprise batteries. The battery in each DCK is
used to power only the Display Card and not the Chip. The Chip is powered by
the point of interaction, POI, terminal, either through the Chip's contacts or by
electromagnetic induction through an antenna. A further problem with known
DCKs is that their operation is restricted by the technique of powering the Chip.
Summary of the Invention
According to a first aspect of the invention, there is provided card for providing
one or more services, the card comprising: an external interface for
communication with a terminal external from the card; a Chip comprising one or
more servers for storing one or more applications, wherein the Chip is arranged
to communicate with the external interface; a user interface for interacting with a
user of the card; a micro-terminal for controlling the provision of one or more
services, wherein the micro-terminal is arranged to communicate with the user
interface; and the Chip and micro-terminal are arranged to communicate with each
other via an internal interface of the Chip.
Advantageously, the communication between the chip and the micro-terminal
allows greatly improved functionality over known cards since the micro-terminal
is able to obtain information from within the Chip.
Preferably, the external interface comprises: a contact interface for
communication with the external terminal over a non-wireless connection; and/or
a contactless interface for wireless communication with the external terminal.
Preferably, the user interface comprises one or more of: a keyboard; a display;
and LEDs.
Preferably the Chip is configured to send information to the micro-terminal via
the internal interface in response to receiving one or more commands from the
micro-terminal.
Preferably, the Chip is configured to send information to the external terminal via
the external interface in response to receiving one or more commands from the
external terminal.
Preferably, the one or more commands are Command Application Protocol Data
Units, C-APDUs, and the information sent in response to receiving the one or
more commands are Response Application Protocol Data Units, R-APDUs as
per ISO 7814-4.
Preferably, the card further comprises a battery arranged to provide the power
supply of both the Chip and the micro-terminal.
Preferably, the micro-terminal is a reconfigurable processor.
Preferably, the Chip comprises a plurality of servers.
Preferably, the Chip comprises an interception application for controlling the
operation of the servers of the Chip when providing the services of the microterminal.
Preferably, the interception application is arranged between the external
interface, the internal interface and the servers of the Chip.
Preferably, the interception application comprises an engine arranged to control
logical switching and filtering operations.
Preferably, the Chip has permanent electrical connections to the components of
the external interface; and the interception application is configured to logically
switch on and off communication between the Chip and the components of the
external interface without physically changing the electrical connections to the
components of the external interface.
Preferably, the micro-terminal is arranged to send one or more commands to the
Chip and to use the information received in one or more responses to provide
one or more of the following services: display an account balance of the card;
display a log of operations performed by the card; display a one time use
password generated by the card; and verify, by the card, a PIN of a user that is
input to the user interface of the card.
Preferably, the micro-terminal is arranged to provide a new service by
performing logical operations only and without changing the electrical
configuration of the card.
Preferably, the new service comprises disabling any of the components of the
external or user interfaces of the card, such as disabling contactless communication
with the card.
Preferably, a service is provided in response to the user interface of the card
receiving a selection of the service from a user.
Brief Description of the Drawings
Embodiments of the invention will now be described, by way of example only,
with reference to the accompanying drawings, in which:
Figure 1 shows a known architecture of a DCK;
Figure 2 shows a known architecture of a DCK that comprises a Sniffer;
Figure 3 shows a known architecture of a DCK, at the level of its user interfaces;
Figure 4 shows an architecture of a DCK according to an embodiment of the
present invention;
Figure 5 shows part of the architecture of a DCK comprising a plurality of servers
according to an embodiment of the present invention; and
Figure 6 shows the architecture of a DCK that comprises an interception
application according to an embodiment of the present invention.
Detailed Description
Embodiments of the invention improve the functionality of a DCK through the
use of a new architecture. The new architecture allows an increased range of
services to be provided by the DCK.
In a particularly preferred embodiment, a DCK is used as a payment card.
Services provided by DCKs used as payment cards according to embodiments
include one or more of:
- On-device Cardholder Verification Method, CVM - this service allows the
keyboard of the card to be used to input an on device CVM, i.e. m-PIN
(similar to that verified by a mobile phone), before being presented to a
POI terminal.
- On-card account selection - this service allows the pre-selection of an
application, such as an EMV application, from several, which gives a
Cardholder the ability to select between a debit or a credit payment
product, or to use "loyalty points" as private currency to pay at the POI
terminal, etc.
- On-card activation of the contactless payment functionality - this service
allows the Cardholder to activate the contactless payment functionality of
the dual interface card only when the Cardholder desires it. This avoids
the unauthorized use of a card without the Cardholder's explicit
acknowledgement. Such contactless payments may be made using
MasterCard's® PayPass™.
The improved services provided by the DCKs according to the embodiments
described herein are possible due to the design of the DCK being based on a
logical and programmable architecture rather than the electronic architecture of
known DCKs. That is to say, the functionality of DCKs according to embodiments
is reconfigurable without modifying DCK's hardware. For a DCK to provide a new
service, it is therefore only necessary to provide the DCK with a program for
implementing the new service. This differs from known DCKs that are not
reconfigurable and require modifications of their electrical circuitry in order to
provide a new service.
Figure 4 shows the architecture of a DCK 301 according to an embodiment. The
user interfaces of the DCK 301 are shown in Figure 3.
The DCK 301 comprises a micro-terminal 402, mT , that comprises a Display
Controller. The DCK 301 has contact and contactless interfaces 302, 303
through which communication with the Chip 401 is possible with Command
Application Protocol Data Unit (C-APDU) and Response Application Protocol
Data Unit (R-APDU) messages. The DCK 301 also has a specialised keyboard
304, simplified display 305 and signalling LEDs 306 that provide a user
interface in communication with the Display Controller. There is an internal
services interface 403 that allows direct communication between the Chip 401
and the micro-terminal 402 through ISO 781 6 commands, i.e. C-APDU and RAPDU.
The provision of an internal interface 403 between the Chip 401 and the microterminal
402 greatly increases the services that can be provided by the DCK
301 .
When the known architectures of DCKs were designed, the practical constraints
of Chip and battery technology resulted in it only being possible to supply power
to the Display Control and the Chip was not powered by the DCK's battery.
However, the inventors have determined that it is possible to provide a DCK 301
with the battery of the DCK 301 powering both a Chip 401 and a micro-terminal
402 comprising a Display Controller. Accordingly it is not necessary for the Chip
401 to be powered by a POI terminal.
A more detailed description of embodiments is provided below. Although the
embodiments are described with DCKs being used as payment devices, this is
purely exemplary and the DCKs according to embodiments are usable in a wide
range of applications including passes, such as travel passes.
Figure 3 is a view of a DCK 301 at the level of the card interfaces. Although the
components of the card interfaces are present on known DCKs, embodiments
improve the functionality of the card interfaces.
The DCK 301 has two categories of interface. These are:
- External services interface 302, 303. This is a known interface offered by
DCKs currently in use as payment cards. The interface processes
payment services such as credit, debit and pre-paid. The interface may
also process other services than payment, such as loyalty, transit, etc.
- User interface. This allows improved functionality from that provided by
known payment cards.
The external services interface 302, 303 comprises:
- Contact interface 302. This may operate according to ISO 781 6.
- Contactless interface 303. This may operate using NFC communication.
The interface supports a contactless communication protocol, such as the
EMV contactless communication protocol.
The DCK 301 is a dual interface card since both contact and contactless
communication are provided by the external interface.
The user interface comprises:
- Specialized keyboard 304. In embodiments, this allows the Cardholder to
key in a service choice, a PIN for authentication, etc.
- Simplified display 305. In embodiments, this allows a Cardholder to
retrieve service information concerning the status of a payment product
such as, for example, the balance of a bank account, or the balance of an
on-card account, or a one-time password that can be used for
authentication in remote card not-present transactions.
- Signalling LEDs 306. In embodiments, these may inform the user of an
on/off functionality, such as contactless functionality active/inactive, debit
or credit product selected, etc.
Figure 4 provides a high level view of a DCK 301 comprising a client/server
architecture according to embodiments. The client/server communication is
possible due to the new internal interface 403 that acts as a bridge between the
Chip 401 and micro-terminal 402 provided by embodiments. The architecture
consists of two functional modules:
- Server- This application runs in the Chip 401 and consists of a modified
payment application, mP.
- Client - This application is a service running in the micro-terminal (mT)
402. The micro-terminal 402 also hosts the Display Controller, D, that
interfaces with the keyboard 304, the simplified display 305 and the
signalling LEDs 306.
The Client and Server modules interact as follows:
- The Client sends a command C-APDU to the Server, according to the
logic implemented by the service.
- The Server interprets the command, performs the appropriate processing
required corresponding to the command, and responds with an R-APDU
to the Client. The Client uses the content provided by the Server to
execute the logic of the service.
The Chip 401 runs the modified payment application. This is a dual interface
application, such as MasterCard's® PayPass™ M/Chip 4 or M/Chip Advance,
that is modified with:
- A supplementary internal services interface. This is logically different
from the external services interface, but may be physically implemented
on the contact interface.
- A switching mechanism between various Application Modes. This
distinguishes whether the incoming commands are coming from the
external services interface 302, 303 or from the internal services interface
403 and adapts the processing of the application accordingly.
The modified payment application interfaces to:
- (externally) a POI terminal, via contact and/or contactless communication.
- (internally) a Micro-terminal 402, through the internal services interface
403. This allows C-APDU/R-APDU exchange with a service selected
through the user interface.
A service in the micro-terminal 402 implements a sequence of commands, CAPDU,
that are sent by the Client to the Server and the processing of each
response, R-APDU, returning from the Server.
The micro-terminal 402 interfaces to:
- (internally) The modified payment application through the internal services
interface 403.
- (internally) Keyboard 304 from where it captures Cardholder input and
service data. The Cardholder input provides service choice, e.g., balance
display, log display, OTP generation, on-device PIN capturing. The
service data, is, for example, a PIN for enabling the OTP service or for
on-device CVM.
- (internally) Display 305. This is used to provide service results, like the
value of the balance, the last record of the log, the OTP code, etc.
- (internally) Signalling LEDs 306 to inform the user about an on/off status
of a service, e.g., antenna not active, "debit but not credit".
The implementation of services by the Client is generic. That is to say, the
microelectronics in the DCK 301 is reconfigurable and not specific to each
service. The applications, once adapted for use in various Application Modes on
the internal services interface 403, are reusable and portable from one microterminal
402 to another. Therefore the architecture according to embodiments is
capable of providing a broad range of services.
Advantageously, the above-described DCK 301 architecture according to an
embodiment provides an increased range of services than possible with known
architectures of DCKs. In particular, the information transfer between the Chip
401 and micro-terminal 402 over the internal direct communication link between
them greatly improves the functionality of the DCK 301 .
In addition, a DCK according to embodiments is self-contained and able to
function as, for example, a secure payment device. The DCKs operate in a
closed environment and this greatly improves the security over devices such as
mobile telephones.
In the above-described embodiment, a DCK 301 comprises a payment server. A
further embodiment of a DCK 301 architecture is shown in Figure 5 in which there
are a plurality of servers provided in the Chip 401 of the DCK 301 .
In the shown embodiment, the OTP/CAP application is segregated from the
payment application, as is preferable for ensuring security.
A service may call on different servers, in a sequential order, by specifying each
time the application identifier, AID, of the required server.
The list below gives examples of services that may be delivered to the
Cardholder using the client/server architecture:
- Balance Display. This allows a user to visualize a specific on-card
account balance.
- Log Display. This allows a user to visualize a record of the log in modified
payment application.
- Cardholder Authentication Program (CAP) Service. Production and
visualization of OTPs for remote card-not- present payment transactions.
- On-device Cardholder Verification Method (CVM), i.e. m-PIN, for
contactless high value transactions and for fraud reduction at ATMs.
These services are described in more detail below.
The on-card account balance display service allows the reading of an on-card
account balance and its display on the DCK 301 .

Claims
1. A card (301) for providing one or more services, the card (301 ) comprising:
an external interface (302, 303) for communication with a terminal
external from the card (301 ) ;
a Chip (401 ) comprising one or more servers for storing one or more
applications, wherein the Chip (401 ) is arranged to communicate with the
external interface (302, 303);
a user interface (304, 305, 306) for interacting with a user of the card
(301);
a micro-terminal (402) for controlling the provision of one or more
services, wherein the micro-terminal (402) is arranged to communicate with the
user interface (304, 305, 306); and
the Chip (401 ) and micro-terminal (402) are arranged to communicate
with each other via an internal interface (403) of the Chip (401).
2. The card (301 ) of claim 1, wherein the external interface (302, 303)
comprises:
a contact interface (302) for communication with the external terminal
over a non-wireless connection; and/or
a contactless interface (303) for wireless communication with the external
terminal.
3. The card (301) according to claim 1 or 2, wherein the user interface (304,
305, 306) comprises one or more of:
a keyboard (304);
a display (305); and
LEDs (306).
4. The card (301) according to any preceding claim, wherein the Chip (401 ) is
configured to send information to the micro-terminal (402) via the internal
interface (403) in response to receiving one or more commands from the microterminal
(402).
5. The card (301) according to any preceding claim, wherein the Chip (401 ) is
configured to send information to the external terminal via the external interface
(302, 303) in response to receiving one or more commands from the external
terminal.
6. The card (301 ) according to any of claims 4 or 5, wherein the one or more
commands are Command Application Protocol Data Units, C-APDUs, and the
information sent in response to receiving the one or more commands are
Response Application Protocol Data Units, R-APDUs.
7. The card (301 ) according to any preceding claim, further comprising a battery
arranged to provide the power supply of the Chip (401), the micro-terminal (402)
and the user interface (304, 305, 306).
8. The card (301 ) according to any preceding claim, wherein the micro-terminal
(402) is a reconfigurable processor.
9. The card (301 ) according to any preceding claim, wherein the Chip (401 )
comprises a plurality of servers.
10. The card (301) according to claim 9, wherein the Chip (401 ) comprises an
interception application for controlling the operation of the servers of the Chip
(401) when providing the services of the micro-terminal (402).
11. The card (301) according to claim 10, wherein the interception application is
arranged between the external interface (302, 303), the internal interface (403)
and the servers of the Chip (401 ) .
12. The card (301 ) according to claim 10 or 11, wherein the interception
application comprises an engine arranged to control logical switching and
filtering operations.
13. The card (301 ) according to any of claims 10 to 12, wherein:
the Chip (401 ) has permanent electrical connections to the components
of the external interface (302, 303); and
the interception application is configured to logically switch on and off
communication between the Chip (401) and the components of the external
interface (302, 303) without physically changing the electrical connections to the
components of the external interface (302, 303).
14. The card (301) according to any preceding claim, wherein the micro-terminal
(402) is arranged to send one or more commands to the Chip (401 ) and to use
the information received in one or more responses to provide one or more of the
following services:
display an account balance of the card (301 ) ;
display a log of operations performed by the card (301);
display a one time use password generated by the card (301 ) ; and
verify, by the card (301), a PIN of a user that is input to the user interface
(304, 305, 306) of the card (301 ) .
15. The card (301 ) according to any preceding claim, wherein the micro-terminal
(402) is arranged to provide a new service by performing logical operations only
and without changing the electrical configuration of the card (301).
16. The card (301 ) according to claim 15, wherein the new service comprises
disabling any of the components of the external or user interfaces of the card
(301), such as disabling contactless communication with the card (301 ) .
17. The card (301 ) according to any of claims 14 to 16, wherein the card (301) is
arranged to provide a service in response to the user interface (304, 305, 306)
receiving a selection of the service from a user.