Smart Cards in Payment Systems
The original primary application of smart cards with microcontrollers was user identification in the telecommunications sector. In recent years, however, smart cards have established themselves in another market sector, namely electronic payment systems. Due to the large number of cards in use, the market potential of this sector is enormous. This is underscored by the fact that more than one billion credit cards have been issued throughout the world. The future applications of electronic purses include replacing conventional means of payment (banknotes and coins), shopping via global networks and pay-per-view television.

Smart cards are by nature particularly suitable for payment system applications. They can easily and securely store data, and their convenient size and robustness make them easy for everyone to use. Since smart cards can also actively perform complicated computations without being influenced by external factors, it is possible to develop totally new approaches to performing payment transactions. This is very clearly illustrated by electronic purses in the form of smart cards, which are possible only with this medium.

Electronic payment systems and electronic purses offer significant benefits to everyone involved. For banks and merchants, they reduce the costs associated with handling cash. Offline electronic purses largely eliminate the costs of data telecommunications for payment transactions. The risk of robbery and vandalism is reduced, since electronic systems contain no cash to be stolen. For merchants, the fact that transactions are processed more quickly is also a persuasive argument, since it means that cash management can be optimized. Vending machines and ticket dispensers can be made simpler and cheaper, since assemblies to test coins and banknotes are not needed. Electronic money can be transferred via any desired telecommunications channel, so it is not necessary to regularly collect money from the machines.

Customers also benefit from the new payment methods, although to a lesser degree. It is not necessary to always have change on hand, and it is possible to pay quickly at a vending machine or ticket dispenser. Ultimately, the success or failure of a payment system is determined by its potential users. If the benefits for them are too marginal, they will not use the system and will choose other means of payment. After all, an electronic purse is just a new means of payment that complements rather than replaces other existing means of payment, such as credit cards and cash. There is no reason to fear that these means of payment, which have provided reliable service for many years, will be entirely supplanted by electronic purses in the form of smart cards.

The simplest approach to using cards for payment transactions is to use magnetic-stripe cards holding data for online authorization. After the user’s card has been checked against the blacklist and solvency has been verified, funds can be transferred directly from the cardholder’s bank account to that of the merchant. With smart cards, the scenario is slightly different, but in principle it remains the same. The smart card is logically linked to a bank account, and after unilateral or mutual authentication of the background system and the card, a previously entered amount is transferred. Naturally, PIN verification is also performed in the smart card or background system during the transaction. Both of these scenarios are based on a background system that makes all of the decisions. They do not by any means fully exploit the capabilities of smart cards. However, there are other means and methods of making payments that can be implemented by exploiting these capabilities. Some of them are described in this chapter.

Electronic payments with smart cards
There are three fundamental models for electronic payments using smart cards: (a) credit cards, in which payment is made after a service is rendered (pay later), (b) debit cards, in which payment is made when the service is rendered (pay now) and (c) electronic purses, in which payment is made before the service is rendered (pay before). These models are described below, as well as a variation on them.

Credit cards
The original idea of using a plastic card to pay for goods or services comes from credit cards. The principle is simple: you pay using the card, and the corresponding amount is later debited from your account. The cost of this process is borne by the merchant, who usually pays a fee that depends on the amount of the transaction. This fee is usually around 2 to 5 % of the purchase price. Up to now, most credit cards have not included chips. The disadvantage of such cards is that they have a relatively low level of protection against forgery. Consequently, card issuers experience significant losses due to counterfeit cards, since the merchant is guaranteed payment. Evidently, up to now, these losses have been lower than the cost of introducing cards with chips. However, credit cards will probably be supplemented with chips in the not too distant future, in order to reduce the steadily increasing cost of fraud.

Debit cards
The country in which debit cards are most widely used is Germany. A debit card, which may be a magnetic stripe card or a smart card, allows the amount of the payment to be transferred to the account of the merchant or service provider as a direct part of the payment process. With both debit cards and credit cards, the actual payment process is normally authorized by a credit check via a background system. There is usually a threshold level above which this must occur, so it is not always necessary to make a connection to the background system for small purchases. The threshold level is on the order of €200.

Electronic purses
With an electronic purse, ‘electronic money’ is loaded into the card before any payment is made. This can be done in exchange for cash or using a cash-free process. When a purchase is actually made, the balance in the card is reduced by the amount of the payment, and at the same time the balance of the electronic purse of the second party (who is usually the merchant) is increased by the corresponding amount. The merchant can later submit the electronic money received in this manner to the operator of the electronic purse system and be credited with the corresponding amount of real money. The user of an electronic purse thus exchanges real money for an electronic form of money that is loaded in his or her smart card. When a purchase is made, the cardholder exchanges this electronic money for goods or services. This system has three significant drawbacks for the user. The first is that when the card is loaded, the user receives electronic money in exchange for real money. Financially, the user thus gives the operator of the purse system an interest-free loan, since it could take several weeks for the user to actually spend the electronic money, while the real money immediately becomes the property of the system operator. The amount of interest may be small for an individual user, but in total it represents a substantial source of supplementary income for the operator of the purse system. In many field trials conducted up to now, it has been found that in industrialized countries the average amount in an individual electronic purse is around 75 euros. The total average amount of money in an electronic purse system is called the ‘float’. Assuming that 10 million cards are in use and the interest rate is 5 %, the total annual interest on the float amounts to 37.5 million euros, without any offsetting costs. In this example, the amount of interest lost by an individual cardholder is only 3.75 euros, which he or she will not regard as a major disadvantage. 
In addition to the interest income from the float, the purse system operator receives additional income in the form of unspent electronic money, due to cards that end up in collections and defective cards that are not returned for refund.

A second drawback is that a real problem arises if the purse operator goes bankrupt. This is because the card user has exchanged real money, whose value is guaranteed by the state within certain limits, for electronic money in a smart card. If the purse operator goes bankrupt, the electronic money can suddenly become worthless, and the user will have lost his or her money. Consequently, efforts are now being made in some countries to restrict the operation of electronic purse systems to banks and similar institutions. At minimum, lodging a security deposit with a government agency is required, so that the amount of money loaded in the smart cards is covered in the event that the card issuer goes bankrupt. There is yet a third significant drawback for the user. What can the holder of an electronic purse do if it no longer works? If the purse is anonymous, not even the purse system operator can determine the amount of money that was last loaded into the card. The purse holder will also find it practically impossible to provide convincing proof of how much money was still in the card. If the chip is ruined, the electronic money is thus irrevocably lost. Unfortunately, a smart card is much less robust than banknotes or coins, for understandable reasons. In practice, a compromise is presently used to deal with this problem. Since the last amount loaded into the card online is known, as well as the purse balance at the time of this transaction, the approximate amount in the purse can be calculated. This amount is then paid to the client. However, if a particular client frequently makes claims due to faulty smart cards, the system operator will curb his goodwill. The customer, who ultimately bears the risk, is thus denied any further compensation in the hope that he or she will take better care of the smart card in the future.

Open and closed system architectures
A distinction must be made between open and closed architectures for electronic payment systems. An open system is fundamentally available to multiple application providers, and it can be used for general payment transactions among various parties. In contrast, a closed system can be used only for payments to a single system operator. The technical aspects of this can be briefly illustrated using a telephone card with a memory chip as an example. With memory cards, all that happens when a payment is made is that a counter is irreversibly decremented. The terminal does not have to keep an exact account of the number of units that have been deducted; it only has to ensure that the counter in the card is always properly decremented whenever the service is used (that is, whenever a call is made using the card). In this case, the terminal is a sort of machine for destroying units of electronic money. Of course, in practice a balance is kept for each terminal, but the deducted amounts are only booked to the internal accounts of the purse system operator. Fraud in settlement of the deducted amounts between the terminal owner and the purse system operator is impossible in principle, since both parties are part of the same organization (in this case, the telephone company). In an open system, the terminal owner and purse system operator can be completely different bodies. The purse system operator must therefore be able to verify that the accounts for the terminal receipts are correct and not manipulated. This must be taken into consideration from the very beginning in the system design, since otherwise account settlement between the terminal owner and purse operator will be very difficult or impossible. In the above example using a memory card, the system concept makes it impossible for the terminal operator to convincingly guarantee the purse system operator that the claimed amount is correct. 
This is because the terminal operator can only present an invoice for a certain number of units, instead of forgery-proof signatures for the amounts paid, as would be possible with a genuine electronic purse system.
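
The difference between an invoice for units and verifiable per-payment records can be shown in a few lines. The following is an added example, not taken from the original text: it uses an HMAC under a per-card key as a stand-in for the forgery-proof signature, and the key derivation, record fields and all names are assumptions made for illustration.

```python
import hashlib
import hmac

MASTER_KEY = b"constructed-demo-master-key"  # operator secret (constructed value)

def card_key(card_id):
    # Assumed derivation: per-card key = HMAC(master key, card id).
    return hmac.new(MASTER_KEY, card_id.encode(), hashlib.sha256).digest()

def record_mac(card_id, terminal_id, seq, amount):
    # MAC over every field the operator will later credit.
    msg = f"{card_id}|{terminal_id}|{seq}|{amount}".encode()
    return hmac.new(card_key(card_id), msg, hashlib.sha256).hexdigest()

def card_pay(card_id, terminal_id, seq, amount):
    # Runs inside the card: the terminal receives the record, never the key.
    return {"card": card_id, "terminal": terminal_id, "seq": seq,
            "amount": amount, "mac": record_mac(card_id, terminal_id, seq, amount)}

def settle(terminal_id, records):
    # Operator side: credit only verified, non-duplicated records.
    seen, total, rejected = set(), 0, []
    for r in records:
        expected = record_mac(r["card"], r["terminal"], r["seq"], r["amount"])
        if r["terminal"] != terminal_id:
            rejected.append("wrong terminal")
        elif not hmac.compare_digest(expected, r["mac"]):
            rejected.append("bad MAC")
        elif (r["card"], r["seq"]) in seen:
            rejected.append("duplicate")
        else:
            seen.add((r["card"], r["seq"]))
            total += r["amount"]
    return total, rejected

def demo():
    # Constructed sample data: amounts in cents.
    genuine = [card_pay("CARD-A", "TERM-1", 1, 250),
               card_pay("CARD-B", "TERM-1", 7, 1200)]
    inflated = dict(genuine[0], amount=25000)  # amount altered after the fact
    replayed = dict(genuine[1])                # same record submitted twice
    return settle("TERM-1", genuine + [inflated, replayed])

if __name__ == "__main__":
    print(demo())
```

With a memory card the operator would only see the claimed total; here the altered and the repeated record are both rejected and only the two genuine payments are credited.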

System architecture and terminal connections
The system architecture of an electronic payment system using smart cards can be either centralized or decentralized. With payment systems in particular, system security is the most important issue. There is thus frequently a tendency to use centralized systems, since this gives the system operator complete control of the system. In concrete terms, a centralized system means an online system in which every payment transaction is performed directly and online by the background system. If a communications link cannot be established, payment is not possible. Nevertheless, a centrally operated system has certain advantages. For instance, incoming transactions can be directly compared with the current blacklist in real time. Key exchanges can be carried out directly by the background system without any delays. The software in the terminals and the general parameters in the cards can be updated directly and with little additional effort, since a direct link to the background system must be established for each transaction. However, these advantages are offset by several major disadvantages. In many countries, telecommunication charges are so high that it is not reasonable for merchants to have permanent links to background systems or to dial up a background system for each transaction. In some areas, the telephone network is not sufficiently reliable to allow an online link to the higher-level computer to be established at any desired time. Due to their active nature, smart cards are excellent for use in decentralized systems, since they contain part of the system security ‘in house’. This is also their main advantage relative to passive magnetic-stripe cards, which cannot force the system to perform specific procedures.

In particular, using electronic purses with automated equipment, such as vending machines and ticket dispensers, compels the use of a decentralized system, since electronic purses can operate completely independently for weeks or months and do not have any means to connect to an existing communications system. A decentralized system is thus often preferred. In addition, a decentralized system has significantly better characteristics with regard to robustness. If the background system fails in a centralized system, all electronic payments are blocked. In a decentralized system, by contrast, the consequences of a temporary failure usually do not even reach as far as the merchant terminals. Decentralized systems also have certain disadvantages, primarily in the area of system management. This is because online connections can only be established at certain times, and as a rule only by the terminals. However, it is essential for system security that the terminals always use the current blacklist. This is one of the reasons why many systems require each terminal to establish an online connection to the background system at least once a day. This is used to transmit the accumulated transaction data to the background system, with various types of administration data being transmitted to the terminal in return. Some examples of this administration data are new terminal software, new key sets, the current blacklist and data to be loaded into customers’ cards.

In practice, mixed solutions that are neither fully centralized nor fully decentralized are often used, in order to combine the advantages of the two architectures while avoiding their disadvantages. A mixed solution consists of allowing both the terminals and the smart cards to compel online connections under certain conditions. If an online connection cannot be established, the payment does not take place. Some typical conditions are: (a) online authorization is required for payments above a certain amount, which can usually be set individually for each smart card by the system operator; (b) the number of offline transactions and the amount of time since the last online transaction can be used to decide whether to go online; (c) a random number generator can be used to force a certain percentage of all transactions to take place online. Some systems also have a special button on the terminal that forces an online transaction. This button can be pressed by the sales staff if they suspect that the customer is using a manipulated card. All of these criteria ensure that on average, every card makes a direct connection to the background system within a defined and statistically computable time interval. The system operator thus recovers direct control over the system, which he initially lost by using a decentralized system. Terminals and automated machines having only a small turnover can be excluded from these online constraints, since even in the case of fraud only small losses can occur. This saves the cost of a link to a communications network, since data exchange can be performed manually by service personnel.
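
The conditions listed above can be combined into a single decision routine. The following is an added example, not taken from the original text: the field names, limits and the 5 % random selection rate are assumptions, and the last function ignores the time criterion when computing how many payments a card makes, on average, up to and including its next online one.

```python
import random
from dataclasses import dataclass

@dataclass
class CardState:
    online_limit: int        # per-card amount above which online is required
    max_offline_tx: int      # consecutive offline payments allowed
    max_offline_days: int    # days allowed since the last online payment
    offline_tx: int = 0
    days_since_online: int = 0

def must_go_online(card, amount, force_button=False, p_random=0.05,
                   rng=random.random):
    # Returns the reason an online connection is compelled, or None.
    if force_button:
        return "forced by staff"
    if amount > card.online_limit:
        return "amount above limit"
    if card.offline_tx >= card.max_offline_tx:
        return "offline transaction count"
    if card.days_since_online >= card.max_offline_days:
        return "time since last online"
    if rng() < p_random:
        return "random selection"
    return None

def pay(card, amount, link_up, **kw):
    reason = must_go_online(card, amount, **kw)
    if reason is None:
        card.offline_tx += 1
        return "offline ok"
    if not link_up:
        return "declined: " + reason  # no connection, no payment
    card.offline_tx = 0               # background system has seen the card
    card.days_since_online = 0
    return "online ok: " + reason

def expected_tx_until_online(p_random, max_offline_tx):
    # N = min(geometric(p), max_offline_tx + 1); E[N] = sum of P(N > k).
    return sum((1 - p_random) ** k for k in range(max_offline_tx + 1))

if __name__ == "__main__":
    card = CardState(online_limit=5000, max_offline_tx=10, max_offline_days=30)
    print(pay(card, 1200, link_up=False))
    print(round(expected_tx_until_online(0.05, 10), 2))
```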