Germany is different from other countries with regard to card-based payment systems, in that traditionally debit cards (Eurocheque cards) have been used much more than credit cards. This type of card can be used in many places to make payments after the user has entered a four-digit PIN. The amount to be paid is immediately deducted from an account associated with the card. The merchant must pay a fixed fee for each payment transaction, but it is not particularly high. With credit cards, the fee is a percentage of the revenue, and for this reason credit cards have achieved only moderate acceptance in Germany. There is also a widely used option called POS ohne Zahlungsgarantie (POZ), in which the customer consents to have the amount of the purchase transferred from his bank account to that of the merchant via direct debit. In this case, the Eurocheque card serves only to provide a reference to the customer’s bank account, which is checked online to see whether the balance is sufficient to cover the amount of the purchase. However, in this case the merchant does not receive a payment guarantee, as he would with a credit card transaction or a normal Eurocheque card transaction (ec-Cash or Geldkarte). Since Eurocheque transactions usually have to be authorized online by a background system, the merchant must also pay the costs of the individual data transmissions or the rental for a leased line. Since this is only worthwhile for the merchant if there is a large sales volume and many purchases are made using Eurocheque cards, improvements to this system have been sought for some time. The acceptance of Eurocheque cards among merchants would increase dramatically if the high telecommunications costs could be eliminated. This means that a system that can work offline is needed. In 1993, the Zentraler Kreditausschuss (ZKA), which is a working group of the national associations of the German banking industry, issued a call for tenders for the design of a multifunctional chipcard (MFC)29 that would be suitable for electronic payment systems. Several firms offered solutions corresponding to the requested functionality, and one of them was selected and awarded the rights to the design by the ZKA. Due to changes in the general technical requirements, this design was then extensively revised. As a result of these revisions, there is nowa family of specifications for Eurocheque cards with chips, each of which addresses a particular area. Unfortunately, these specifications are confidential, so it is not possible to publish detailed information. However, we can present brief summaries of the various areas, which are:
–the SECCOS operating system
–ec-Cash with chips
–digital signatures
–electronic driver’s license
–electronic marketplace

These documents describe a payment card whose functionality corresponds to that of the current Eurocheque card and which also contains an electronic purse. It is also possible to load any desired supplementary applications into the card after it has been issued. Prior to the nationwide introduction of the new card, a large-scale field trial was conducted in a region around Ravensburg andWeingarten (near Lake Constance), which has a trading area with 250,000 inhabitants. The trial involved around 100,000 Eurocheque cards and approximately 500 terminals. Following this, wide-scale introduction of the card throughout Germany started in the fall of 1996. Up to now, around 50 million Eurocheque cards with chips have been issued in Germany, all of which must be replaced every three years. At the end of 1998, 250,000 terminals had been installed in Germany, with 300 million transactions taking place each year with these terminals. In 1999, the combined turnover for magnetic-stripe and chip-based transactions using ec-Cash and Geldkarte amounted to approximately 19 billion euros. Nearly all of the 41,000 automated cash dispensers in Germany are equipped with smart card terminals. There are presently around 30,000 loading terminals for Geldkarte in Germany. This field trial thus proved to be the precursor to one of the largest smart card payment systems in the world. In 2001, a statistical survey of the Geldkarte electronic purse system was conducted. The figures from the survey give a clear picture of the current usage of the system. Of the 50 million cards that have been issued with the Geldkarte application, only 4 million are actively used, resulting in approximately 14 million transactions in half a year. The average load amount was 30 euros, and the average payment amount was 2.30 euros.

User functions
The German Eurocheque card with a chip has a variety of user functions. It can be used to make online or offline payments at a suitable terminal after entering a PIN code. The amount to be paid is then deducted from the associated account by the bank that issued the card. This application is referred to in this chapter as ‘ec-Cash’, although there are also other designations for it. Naturally, it is also possible to use a Eurocheque card with a chip to obtain cash from the cash dispensers of various banks, but in functional terms, this actually belongs to the realm of ec-Cash. It goes without saying that the smart card also supports a variety of lobby-machine functions, such as printing an account statement. The card also contains a prepaid electronic purse called Geldkarte, which can be used to make payments without entering a PIN code. This purse is available in anonymous and non-anonymous versions. It can be repeatedly reloaded using suitable loading terminals (located at bank counters and cash dispensers), either against a cash payment or via an ec-Cash transaction. One of the capabilities of the Eurocheque card is downloading additional applications, with all of their associated files and commands, after the card has been issued to the cardholder. However, this capability has not been used very much up to now, since the coordination requirements and conditions for a new application are relatively complex.

The overall system in brief
As is usual with large payment systems, there is no central clearing system for German Eurocheque smart cards. There are four computer centers for processing settlements among the accounts of the merchants, cardholders and participating financial institutions. Figure 12.21 shows an overview of the clearing process for the non-anonymous version of the electronic purse application. The clearing body in Germany is called the B¨orsenevidenzzentrale (BEZ). There are also approximately 25 loading centers that perform loading operations for Geldkarte cards in coordination with the BEZ. All transactions are based on two accounts: the purse settlement account, which always reflects the current balance of the electronic purse in the card, and the card account, which for example may be the cardholder’s current account. The purse settlement account is thus a shadow account, which is maintained in parallel with the electronic purse. If an amount of money is loaded into the electronic purse, a corresponding booking is made to the purse settlement account at the same time, since this transaction must always be performed online. Depending on whether the payment transaction occurs online or offline, the amount of the payment is booked against the purse settlement account either at the same time or at a later time. The main advantage of this account-linked system is that the purse balance can be reconstructed after a certain amount of time if the electronic purse is lost or becomes unusable. Of course, it is not possible to ensure that payments are anonymous with this approach. However, there is also an anonymous version of the electronic purse that uses a shadow account, with no reference to a customer account.

Eurocheque smart cards
Several different types of cards are used in the German Eurocheque system. However, smart cards for normal bank customers can be classified into several categories, as follows:
–Eurocheque cards (ec-Cash and Geldkarte, account-linked and thus not anonymous)
–Geldkarte linked to an account (non-anonymous)
–Geldkarte not linked to an account (anonymous)
There are two DFs in a Eurocheque card, one of which holds the ec-Cash application and the other the Geldkarte30 application. If the card contains an electronic purse application, the DF for ec-Cash is not present. The account reference, which determines whether the card is anonymous, is provided using only certain data elements. For merchants, there is merchant card in ID-000 format (plug-in) for use in their terminals. It contains all of the commands and files needed to conduct payment transactions. This card can be regarded as the security module of the terminal. One of the unusual and technically interesting features of this system is that it has both real and virtual merchant cards. A real merchant card is a normal smart card in plug-in format. A virtual merchant card is simply a software simulation of a real merchant card, which runs in the protected environment of a security module (SAM) in a merchant terminal. This solution was originally a compromise to allow terminals without sockets for plug-in cards to be used in the new system. In the meantime, it has turned out to have some very positive technical features. For instance, a virtual merchant card can easily be replaced via remote maintenance, since it consists only of software. In addition, its useful life is significantly longer than that of a real card, since it is not subject to the detrimental effects of a limited number of EEPROM write cycles. Finally, a good hardware security module is at least as secure as a smart card, since its security mechanisms are always active, thanks to its built-in power buffer. The entire informatics concept and the security module of the card are strongly based on the ISO/IEC 7816 family of standards. The original version, which is nowcalled Type-1 Geldkarte, included a few application-specific mechanisms, but they have been eliminated in more recent versions. A complete smart card operating system with PKI functions has now been specified. It is called Security Card Operating System (SECCOS), and it supports all of the essential mechanisms of the ISO/IEC 7816 standards. The security and access mechanisms of ISO/IEC 7816-9 have also been included in a very elaborate form, with the result that as of now, the German Eurocheque smart card probably represents the most complete implementation of this standard in the world. For reasons of compatibility, elements of the EMV specification for credit cards also contributed to the specification of the Eurocheque card. In terms of the general technical parameters prescribed by the specification, the card is based on many previously existing standards. Naturally, its dimensions match those of the ID-1 format and are thus the same as the present Eurocheque card. In addition, it is constructed as a hybrid card, with both a chip and a magnetic stripe, in order to avoid compatibility problems during the transition from terminals with magnetic-stripe readers to new terminals with smartcard contact units. The card uses the T = 0 transmission protocol with PPS. The triple-DES algorithm is used for the cryptographic processes. One of the interesting security aspects is that the entire software and hardware of the smart card must be certified in accordance with the ZKA criteria catalog. The file management system supports several levels of DFs, as well as file selection using short FIDs, FIDs and AIDs. The usual file structures (transparent, linear fixed and cyclic) are supported, and they can be implicitly selected in the appropriate commands. The maximum size of the two record-oriented file structures is 254 records of 255 bytes each. Naturally, no presently existing application fully exploits this maximum size. The file management system uses a special mechanism to assign EFs to specific applications. This function, which is implemented using two non-standard commands, allows EFs to be assigned to applications across DF boundaries. This makes it possible to use a short FID within a particular DF to select an EF located in a different DF. Consequently, a particular EF can be assigned to several different DFs. This corresponds in principle to the alias mechanism used in many PC operating systems. The objective is to make EFs containing general information available to several applications across application boundaries without using complicated selection procedures. An EF assigned to several applications in this manner can be selected using a short FID or a FID, and then read or written after the necessary security state has been attained. All files have specific access conditions, which makes reading and writing dependent on previously attained states (such as PIN entry). With this objectoriented system, it is also possible to make access to files depend on secure data transmission. This means that there are file attributes that can compel the use of secure messaging for any access. The available commands can be divided into four classes. The first class consists of commands that are compliant with ISO/IEC 7816-4, although they have reduced functional scope compared with the standard. The second class consists of Eurocheque-specific administration commands, which are used for management purposes in the card. They can be used to create new files, delete existing files and enter new commands into the card. The third class is extension commands, which are used to achieve the functionality needed for the ecCash and Geldkarte applications. The administration and extension commands are purely specific to Eurocheque cards, and in principle they have no connection to any international standards. The fourth class consists of the initialization and personalization commands. As can be seen from this brief description, the Eurocheque card has a relatively large range of functions. This unavoidably results in a large memory requirement. Consequently, the presently used target hardware predominantly consists of microcontrollers with 100 kB of ROM, 32 kB of EEPROM and 2 kB of RAM. A pure electronic purse card without the ec-Cash functions needs only roughly 48 kB of EEPROM, 16 kB of EEPROM and 1 kB of RAM. Altogether, such memory requirements mean that relatively large chips must be used to hold the extensive amount of program code, along with the 2.3 kB of application data for the Geldkarte electronic purse and 1.6 kB for ec-Cash.

Value-added services
The operating system of the Eurocheque card includes commands and mechanisms for downloading executable program code. However, this code must be tailored to each type of microcontroller and operating system being used, since only machine code (which is address dependent) can be downloaded. The resulting amount of logistical overhead for downloading new commands is the main reason why this mechanism is presently not used. However, value-added services do not necessarily require loading programs into the smart card. In most cases, it is sufficient to have files available that have suitable access privileges. The Eurocheque card specification includes commands for creating files. However, the administrative overhead for implementing supplementary applications for individual cards via a clearing center is very large, so this mechanism is also very seldom used. Instead, several files are stored in the Eurocheque cards when they are personalized, in order to provide space for storing new applications some time after the cards have been issued. The savings bank association has given the name ‘Space Manager’ to this technique for managing files for supplementary applications.

The German Eurocheque card system is presently one of the largest and most complex payment systems using smart cards. This applies not only to the transaction procedures, but also to the logistics of chip fabrication, card personalization and card distribution. After all, every three years approximately 30 million cards must find their way into customers’ hands within less than three months. The security evaluations of the microcontroller hardware, operating system software and application software have also set newstandards, since the acceptance criteria are severe and are constantly adapted to new circumstances (such as DFA, DPA and the like). Another interesting aspect is the technically sophisticated compatibility tests, which must ensure that software produced using a variety of masks on a variety of microcontrollers works smoothly with a wide variety of terminals. The original figures of more than 20 different masks used with more than 10 different microcontrollers have now been reduced to only six masks and three microcontrollers, and in all likelihood only two mask makers will survive. This is a clear sign of the tendency toward consolidation exhibited by all large systems. Field trials for Geldkarte have been conducted or are planned in France, Luxembourg and Iceland. An additional prospect for this system is shown by several pilot experiments in which Geldkarte is being used as a payment medium in the German portion of the Internet. All that the customer needs is a simple, inexpensive terminal connected to his home PC, along with related software. The merchant’s counterpart is a security module or a special terminal connected to the customer’s PC via the Internet. The fact that more than 50 million smart cards are in use in the German Eurocheque system has an effect on all payment system projects based on smart cards. The experience gained from using this multiapplication smart card in Germany will provide the stimulus for considerable further refinement of smart card operating systems and related microcontroller hardware.