The Mondex system
There are presently several large payment systems in the world that use smart cards as a key component. Very few of these systems are based on an electronic purse, in which monetary units are stored directly in the card and not in a background system. Of these, there is only one system that can claim to allow electronic payments that correspond to payments using normal money. This is the Mondex system [Mondex]. The idea behind this concept, which is currently unique, was born in 1990. After five years of development, the first field trial was carried out in July 1995 in the southern English city of Swindon. A wide variety of shops were included in this trial, including newsstands, snack bars, supermarkets and travel agents, as well as filling stations and telephones. The maximum amount in the purse was set at £500 (approximately €550) for the trial, but this value can in principle be set to any desired level. Following this trial, which was widely reported in the press, there have been additional field trials in many different regions, but up to now the system has not been introduced in any country as a national system. Mondex was a consortium of three firms: British Telecom, NationalWestminster Bank and HSBC. Its purpose was to create a means of payment that can be used like cash but does not have the disadvantages of cash. The result of this technical development was intended to be franchised to banks and other firms. After having had several intermediate owners, Mondex now belongs to the credit-card company MasterCard. Mondex is one of the few electronic purse systems to be offered as a complete system, from the cards to the background system. Despite immense marketing expenditures, the high initial expectations with regard to widespread use of the system have failed to materialize. Currently, Mondex is an electronic purse application in the Multos smart card operating system, and it is used in a few locations throughout the world. The smart card operating system used for Mondex is not limited to electronic purse systems. It is a multifunctional, general-purpose system that can be used for multiple applications in a single smart card. This operating system is called Multos, and it is marketed internationally by Maosco [Maosco], primarily in the card-based payment systems sector. A special feature of Multos is that it supports downloading software to cards in the field. This software is written using a language similar to C, called Multos Executable Language (MEL), which is processed by an interpreter in the smart card.

The system
Since the Mondex purse is designed to behave in the same way as real money, purse-topurse transactions are naturally possible. This allows cardholders to make payments among themselves without the intervention or knowledge of a bank or similar organization. The system is completely open and anonymous, and as many participants as desired can be involved. Figure 12.15 shows the system participants and the possible money flows. The electronic purse is located in the chip of a conventional ID-1 card with contacts. A matchbox-sized key fob with a display can be used to view the balance in the purse. If the card is inserted in this mini-terminal, the current purse balance and the last 10 transactions can be viewed. A ‘wallet’ is needed to transfer electronic money to the purse of another cardholder. This device, which resembles a pocket calculator, has a small keypad and display. It also has a built-in security module and a terminal for the electronic purse. To perform a purse-to-purse transaction, the user inserts the first smart card into the wallet and enters the amount to be transferred. This amount is then transferred from the electronic purse to the wallet’s security module. The second card is then inserted into the wallet, and the amount is transferred to it from the security module. This completes the transaction. Another device in this payment system is a telephone with a built-in terminal. It allows money to be transferred over the telephone line during a call. A typical application is ordering goods from a mail-order catalogue. In this case, payment can be made when the order is placed. Naturally, this technique can also be used to load the purse via the telephone, or to perform a transaction between two cardholders. If the card is loaded from a bank account, a four-figure PIN must of course be entered for security reasons, in order to protect the account holder against unauthorized withdrawals. Each electronic purse can accept up to five different currencies. As soon as the balance for a particular currency reaches zero, a different currency can be loaded into the card. The purse can be blocked with a simple command and unblocked by entering a four-digit PIN, in order to prevent unauthorized use. The merchant terminals contain security modules that use the same type of smart card as those used by customers. It would thus be possible to use such a security module to pay for other goods. Interestingly enough, this could make the theft of such a card worthwhile, as it could then be used just like a normal purse. However, this problem was recognized early on, and preventive measures were taken. Merchant cards can be configured to allow them to only receive electronic money, with debiting of the card only being possible during an online transaction with the merchant’s bank. As can be seen, electronic money is not necessarily immune to theft. It all depends on whether it can be used by a thief. If a merchant terminal has online access to the bank (possibly via a dial-up link), it can be configured to automatically transfer money from the merchant card to the merchant’s bank account whenever a particular balance is reached.

Security mechanisms and the payment procedure
All specifications related to transaction processes and the security model of the Mondex system are confidential. This makes it very difficult to obtain detailed technical information about the system and its individual components. We can therefore provide only a broad technical summary that illustrates some of the mechanisms and procedures used in the system. The microcontroller that is used is a Renesas H8/3102. For mass production, a processor specially developed for Mondex is planned, with a numerical coprocessor and a suitable amount of memory, since the application requires around 5 kB inEEPROM.Asymmetric cryptographic algorithm, such as DES, is probably used. As a special processor with a numerical coprocessor will be used in the future, it can be assumed that this will be replaced by an asymmetric algorithm for increased security. The RSA algorithm could be used, for example. In principle, though, the system is independent of the cryptographic algorithm used. It does not rely on special properties of a particular algorithm, but only uses (digital) signatures to protect data transmissions. In this regard, it differs little from multi-sector European electronic purse systems that are compliant with EN 1546. Since the Mondex system is operated in a completely decentralized manner, there must be a special procedure for switching key versions and algorithms. Each issued card contains at least two totally different cryptographic algorithms with several associated keys. If it is necessary to switch to another key version, or even to use a different algorithm, an appropriate parameter is set in all smart cards that make an online connection to the background system. These cards can in turn set the same parameter in all cards with which they conduct payment transactions. This snowball effect produces a system-wide switch to the new general parameters within a very short time, due to the exponential increase in the rate of data propagation. This would happen even if the background system only modified the parameter in a single card. This is a very effective, fast and simple method of changing global data in a decentralized payment system.

Naturally, it must be possible to isolate particular cards in the system. This can be done in three different ways. First, suspect cards identified by blacklists can be recognized and retained by the machine into which the card is inserted, although this is usually only possible with cash dispensers, since only they have the technical resources to retain cards. Second, the blacklists are loaded into all of the terminals, which can block cards so that they can no longer be used for transactions. Third, all issuedelectronic purse cards allow only a certain number of transactions to occur, after which they are automatically blocked. This block can be removed by an online query after the card has been checked against the blacklist, so the card does not have to be replaced. This ensures that a card with an electronic purse cannot be used indefinitely without any control by the background system. A typical payment transaction between two smart cards in the Mondex system is divided into two stages, which are shown graphically in Figure 12.16. In the first stage, the current transaction is registered, which involves exchanging all of the data needed for the subsequent money transfer. This is followed by the second stage, in which the second smart card sends the desired amount to the first smart card. The complete data set is digitally signed, so it cannot be manipulated during the transfer. After receiving the data, smart card 1 checks the signature to verify both the authenticity of smart card 2 and the authenticity of the transferred data. If all of these verifications are successful, the desired amount is debited from smart card 1 and sent to smart card 2, together with a digital signature. Smart card 2 checks this signature to eliminate the possibility that the data have been manipulated, which also allows it to authenticate smart card. If all of these verifications are successful, the amount is credited to the purse. Following this, smart card 2 generates a confirmation that the amount was properly credited, adds a digital signature and sends this information to smart card 1. The transaction is completed when this confirmation of payment has been received and successfully verified. Both cards contain log files, and they have suitable mechanisms to allow a transaction to be correctly resumed from the appropriate point if it is interrupted. These error recovery mechanisms are very important, since otherwise electronic money would be destroyed if a transaction were interrupted. Each of the participating cards has three separate log files for storing transaction-related data. The first is the transaction log, which stores various data related to the 10 most recent successful transactions. The second is the pending log, which contains all of the data accumulated during a transaction that will be needed if error recovery becomes necessary. The third is the exception log, which stores all transactions that are not completed successfully. If all of the records in this file have been written, the smart card is automatically blocked. The cardholder must then unblock it via an online transaction, during which the log file entries are loaded into the background system and analyzed. After this, these entries are deleted.

Summary
The Mondex system is currently the only completely open electronic payment system using electronic purses. It supports all types of transactions that are possible with normal cash. In addition to this, it allows payments to be made via various telecommunications media, such as the telephone system. If the card containing the purse is lost, the money held in it is naturally also lost, just as with a real purse containing cash. However, this makes the system completely anonymous, which is sure to boost user acceptance. To a certain extent, the Mondex system is a simulation of a real money circuit. Since many central banks and government bodies have strong reservations with regard to direct card-to-card money transfers, a version of Mondex in which purse-to-purse transactions are blocked has also been developed. This yields a money circuit for the electronic purse system that is similar to that of EN 1546. Since it is in principle impossible to demand a fee for each individual transaction with such a system, a question that quite quickly arises is how the system operator can generate any revenue. After all, the investments needed to establish and operate the system are not exactly trivial. In the Swindon field trial, each electronic purse user was charged a relatively low fee of £1.50 (≈€1.70) per month. The merchants naturally also paid fees. Although it would be possible to charge clearing fees for the merchants’ turnovers, the completely open nature of the system naturally leaves merchants free to use their accumulated electronic money to make purchases from each other. The system operator could also generate revenue by offering various services to cardholders and merchants. A major advantage of Mondex is that the clearing costs are nearly zero, since clearing in the usual sense is not necessary. Particularly with very low-value payments (‘micropayments’), clearing costs in many systems can be very large relative to actual turnover. In some electronic purse systems, for example, the complete clearing costs, including transaction logging using shadow accounts, is around 5 eurocents per transaction. This means that the clearing cost for a pack of chewing gum bought from a vending machine (for 20 eurocents) is a hefty 25 % of the purchase price, which is totally unacceptable for the merchant. In the Mondex system, these costs would not arise. In the coming years, the Mondex system will influence the market for electronic payment systems in many ways. At the international level, several large banks are considering the introduction of such a payment system. The possibility of making card-to-card transactions, which is viewed by many national banks as a security risk, can be disabled in the latest version of the system. This has strongly increased its level of acceptance. We can hardly wait to see what will develop.