The IT Law Wiki


A smart card (also called a chip card, integrated circuit card or smart card) is

a pocket-sized card that resembles a credit card and contain a microprocessor that allows it to store and retain information.[1]
a plastic device[ ] — about the size of a credit card — that use integrated circuit chips to store and process data, much like a computer. This processing capability distinguishes these cards from traditional magnetic strip cards, which store but cannot process information. Interoperability is the ability of two or more systems or components to exchange information and to use the information that has been exchanged.[2]
a credit card-sized device that contains one or more integrated circuits (ICs) and also may employ one or more of the following machine-readable technologies: magnetic stripe, bar code (linear or two-dimensional), contactless radio frequency transmitters, biometric information, encryption and authentication, or photo identification.[3]
essentially is a plastic card with an embedded micro-processor chip which is capable of storing significant amounts of data and performing basic computing operations. The large memory capacity implies that stored data can be encrypted and better protected than on a magnetic stripe card. In addition, smartcards provide the user with greater convenience, accelerating checkout or authentication processes.[4]


There are two broad categories of smart cards:

The integrated circuit chip (ICC) embedded in the smart card can act as a microcontroller or computer. Data are stored in the chip's memory and can be accessed to complete various processing applications. The memory also contains the microcontroller chip operating system (COS), communications software, and can also contain encryption algorithms to make the application software and data unreadable. When used in conjunction with the appropriate applications, smart cards can provide enhanced security and the ability to record, store, and update data. When implemented properly, they can provide interoperability across services or agencies, and enable multiple applications or uses with a single card."[6]

"Smartcards contain a processor capable of performing complex cryptographic operations and can be used to store credentials (e.g., digital certificates) that can be unlocked via a memorized secret token, such as a PIN."[7]

Consumers purchase smart cards and load them with e-cash at a vending machine, bank, automated teller machine, personal computer (over the Internet), or through a specially equipped telephone. Once the e-cash is loaded on the card, the money can be spent over the Internet or through other communication devices.

A smart card can also be used by inserting it into a compatible reader attached to a computer or network input device. Information from the card's chip is provided to the computer only when the user also enters a PIN, password, or biometric identifier recognized by the card.

Thus, the user authenticates to the card, making available electronic credentials which can then be used by the computer or network to strongly authenticate the user for transactions. This method offers far greater security than the typical use of a PIN or password, because the shared secret is between the user and the card, not with a remote server or network device. Moreover, to impersonate the user requires possession of the card as well as knowledge of the shared secret that activates the electronic credentials on the card. Thus, proper security requires that the card and the PIN or password used to activate it be kept separate. This is not a concern if a biometric is used for the latter purpose.

The unique advantage that smart cards have over traditional cards with simpler technologies, such as magnetic strips or bar codes, is that they can exchange data with other systems and process information, rather than simply serving as static data repositories. By securely exchanging information, a smart card can help authenticate the identity of the individual possessing the card in a far more rigorous way than is possible with traditional ID cards. A smart card’s processing power also allows it to exchange and update many other kinds of information with a variety of external systems, which can facilitate applications such as financial transactions or other services that involve electronic record-keeping.

In addition to providing ways to enhance security of physical facilities, smart cards also can be used to significantly enhance the security of a computer systems by tightening controls over user access.

Smart cards and biometrics[]

Even stronger authentication can be achieved by using smart cards in conjunction with biometrics. Smart cards can be configured to store biometric information (such as fingerprints or iris scans) in an electronic record that can be retrieved and compared with an individual's live biometric scan as a means of verifying that person’s identity in a way that is difficult to circumvent.

An information system requiring users to present a smart card, enter a password, and verify a biometric scan uses what is known as "three-factor authentication," which requires users to authenticate themselves by means of "something they possess" (the smart card), "something they know" (the password), and "something they are" (the biometric). Systems employing three-factor authentication provide a relatively high level of security. The combination of a smart card used with biometrics can provide equally strong authentication for controlling access to physical facilities.


  1. Electronic Crime Scene Investigation: A Guide for First Responders, at 60.
  2. Government Accountability Office, Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards 1 n.2 (GAO-11-751) (Sept. 2011) (full-text).
  3. Government Smart Card Handbook, at 15.
  4. Electronic Money Institutions: Current Trends, Regulatory Issues and Future Prospects, at 7 n.12.
  5. Government Accountability Office, Personal ID Verification: Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards 1 n.2 (GAO-11-751) (Sept. 2011) (full-text).
  6. Government Smart Card Handbook, at 15.
  7. NISTIR 8080, at 16.

See also[]