Smart Cards, like many other technologies, have their own terminology which can be a bit obscure to non-specialists. I hope that the following glossary may be useful to users and others who have to deal with the topic. Definitions are brief and accessible rather than technically accurate in every respect; in some cases they will reflect my personal views (for example, of the major applications or benefits of a feature).
If you come across a term which you do not understand, or you disagree with my definitions, then please feel free to contact me by email - I will do my best to update the list.
Please respect the copyright notice: you may make use of this list provided that you do not alter it and that you acknowledge its source.
| AAC |
Application Authentication Cryptogram: generated by an EMV card for a declined transaction |
| Acceptor |
The organisation (usually a merchant) which accepts a card (e.g. in payment). |
| Acquirer |
The bank which processes a merchant's transactions and passes them into the clearing system. |
| AID |
Application Identifier: the unique code associated with a card application, which allows the terminal to select a suitable application within the card for a given operation. |
| ALC |
Application Load Certificate, used by Multos and similar technologies to authenticate an application being loaded to a card. The instance of an application being loaded is called an Application Load Unit (ALU). |
| Anti-collision |
A protocol that allows a contactless reader to identify and transact correctly with each of several cards in the reader's field at once. |
| Anti-tearing |
A card feature which protects the contents of memory if the card is removed before the end of the transaction. |
| Application |
The program within a smart card which governs its external functions |
| APDU |
Application Protocol Data Unit: the term used in ISO 7816 for a message to or from a card application. |
| API |
Application Program Interface: how a program communicates with, or uses, another program or service. |
| Applet |
A program written in Java; JavaCard applications are also called applets although they are not quite the same as normal Java applets. |
| ARPC |
Authorisation Response Cryptogram: the issuer’s response to an ARQC |
| ARQC |
Authorisation Request Cryptogram: generated by an EMV card where an online authorisation is requested by either the card or terminal |
| ASIC |
Application-Specific Integrated Circuit: a very large scale integrated circuit (a VLSI chip) designed for a specific customer and function (often on the basis of a Programmable Gate Array). |
| ATC |
Application Transaction Counter: a counter maintained within a chip card which increments by one for each transaction performed. |
| ATM |
Automated teller machine (cash machine) (or, for data networks, asynchronous transfer mode) |
| ATR |
Answer To Reset: the data sent by a card to the reader when the card is first powered up. |
| Authentication |
The process of verifying the identity and legitimacy of a person, object or system |
| Authorisation |
In card transactions, usually the process of asking a host system for its approval of a transaction. However, card schemes now also refer to "chip-authorised" transactions. |
| Biometric |
Identification of a person by a physical or behavioural characteristic (such as the way they sign their name, their fingerprint or the marks on the iris of their eye). |
| CA |
Certification Authority: a body able to certify the identity of one or more parties to an exchange or transaction. |
| CAD |
As well as Computer-Aided Design, may refer to a Card Accepting Device or smart card reader. |
| Calypso |
European standard for interoperable transport ticketing. |
| CAM |
Card Authentication Method: the method (usually Static or Dynamic Data Authentication) used to verify that a card has come from a valid issuer and has not been tampered with. |
| CAP |
In JavaCard, the converted applet file or CArdlet Package contains the classes in the format required for loading to the card. MasterCard also uses this acronym for its Cardholder Authentication Program, used for authenticating customers using e-banking or e-commerce. |
| CAT |
Cardholder activated terminal. Card schemes further subdivide CATs into groups, for example, low-value vending machines, limited-value (e.g. petrol pumps) and unlimited value on-line terminals (e.g. kiosks and ticket booking systems). See also UPT. |
| Cardholder |
The person to whom a personal card was issued (not necessarily the person holding the card). |
| Card Security Code |
(Sometimes known as CV2) A further 3- or 4-digit cryptographic value (see CVV and CVC) printed on the card for authentication of the card during “Card Not Present” transactions |
| CB |
The French "GIE Cartes Bancaires" is an umbrella body controlling the card operations of the French banks. It sets standards as well as running the data network. The traditional CB chip card application (B0’) does not conform with EMV but a migration is underway. |
| CEN |
Centre Européen pour la Normalisation (European Standards Centre). See also EN. |
| CEPS |
Common Electronic Purse Specifications: CEPS was a joint initiative involving several electronic purse schemes round the world. CEPS specified a core set of functions for which all CEPS-compatible purses should be able to exchange information. It sat on top of, rather than replacing, other electronic purse schemes. |
| Challenge-response |
A form of authentication in which the system seeking authentication sends out a random "challenge". The object (e.g. the card or terminal) being authenticated performs a calculation on the challenge and responds with a result, from which the challenger can ascertain the authenticity or otherwise of the object. This method of authentication is much more secure than a simple password or other unvarying response. |
| Chip card |
A card which embodies a "chip" (an integrated circuit). Also commonly known as a smart card, but the term "chip card" is often used to include those types of card which are not really "smart", such as memory cards. |
| Chinese remainder |
A mathematical technique for performing modular arithmetic. It is used in smart cards for deriving digital signatures. |
| CLA |
The Class byte of an ISO command - see ISO 7816 part 4. |
| CLEF |
Commercial Licensed Evaluation Facility: a body licensed to carry out security evaluations using the ITSEC criteria |
| Cloning |
Making an identical copy of a card; in practice this term is often used if the copy appears identical to the original to the outside world, perhaps only under some circumstances (such as offline transactions). |
| CMOS |
Complementary Metal-Oxide Silicon: a way of forming semiconductor material which uses less power than most other forms. See also HCMOS. |
| CNP |
“Card Not Present” or “Cardholder Not Present” – transactions such as mail order, telephone order and Internet. Chip cards can sometimes transform CNP transactions into Card Present transactions. |
| Combi card |
A card which uses both contact and contactless technology. |
| Contactless |
Smart card technology using radio waves rather than contacts to energise and communicate with the chip inside the card. |
| CRC |
Cyclic Redundancy Check: a check field often added to the end of a message, calculated as a polynomial from the rest of the message content. If a bit in the message is altered, then the CRC should alter. |
| Cryptogram |
The result of a cryptographic operation. |
| Cryptology |
The science of codes and ciphers (used in encryption) |
| Cryptoprocessor |
A processor optimised for cryptographic functions (e.g. variable-length arithmetic, modular exponentiation or DES encryption) |
| CVC |
Card Verification Code: the MasterCard term for a cryptographic value stored on the magnetic stripe to allow changes to the magstripe data to be detected (see also CVV) |
| CVV |
Card Verification Value: the Visa term for a cryptographic value stored on the magnetic stripe to allow changes to the magstripe data to be detected; an equivalent value (using slightly different parameters) is used within the “Track 2 equivalent data” field on the chip. |
| CVM |
Cardholder Verification Method: the signature, password, PIN or biometric used to check the identity of the cardholder, particularly for bank cards. |
| DDA |
Dynamic Data Authentication: authentication of a card using a challenge and response mechanism. |
| DES |
Data Encryption Standard (or Data Encryption Algorithm): the most widely used method for "symmetric" encryption (i.e. using the same key for encryption and decryption). The main source is ANSI X3.92. |
| DF |
Dedicated File: the intermediate level of a card's file structure. DFs can hold data, EFs or other DFs. |
| Diffie-Hellman |
Diffie and Hellman were the first to describe viable public-key distribution and signature cryptograms in a paper in 1976. Their method, which is based on discrete logarithms, is still used in some systems, but RSA is more widely used in smart card schemes. |
| Digital cash |
This term is applied to various schemes which represent money using electronic means. In the smart card world, value is usually stored on a card known as an electronic purse. Digital cash, however, normally consists of software "certificates" or tokens which can be stored on computer, or transferred to another party as payment. |
| Digital signature |
An encrypted field, normally encrypted using the sender’s private key, which is attached to a message to prove its source and integrity. |
| DPA |
Differential Power Analysis: a form of security attack that uses the chip's power consumption to make deductions about keys and secrets in the card. |
| DSP |
Digital Signal Processor: an integrated circuit or specialised computer for processing high frequency analogue signals. |
| EEPROM |
Electrically Erasable Programmable Read Only Memory: semiconductor memory which retains its memory without power, but can be changed at any time. |
| EF |
Elementary File: the lowest level of a card's file structure. An EF may only contain data. |
| EFT-POS |
Electronic Funds Transfer at Point of Sale: electronic payment. |
| Electronic purse |
A card which stores value in the form of digital cash. An electronic purse is normally issued by a bank and the value it holds is the strict counterpart of legal tender. See also Stored Value Card. |
| EMV |
The Europay-Mastercard-Visa specifications for chip-based payment cards. EMV part 1 corresponds with (and generally conforms with) ISO 7816 parts 1-5; the other parts of this specification cover the details of a standard credit/debit application and the requirements for terminals. |
| EN |
Euronorm or European Standard. Important ENs for smart cards include EN 726 (a multifunction telephone card) and EN 1546 (Inter-sector Electronic Purse). |
| Encryption |
Manipulating data to make it unreadable to anyone who does not possess the decryption key. |
| EPOS |
Electronic Point of Sale (terminal): a networked and programmable electronic till. |
| E2PROM |
See EEPROM |
| ESD |
Electrostatic discharge - the effect of discharging a high voltage but at a very low current, as when removing a woollen jumper or leaving a car after a long journey. ESD can be very harmful to electronic devices, particularly those using CMOS technology. |
| ETSI |
European Telecommunications Standards Institute |
| ETU |
Elementary Time Unit: the "clock tick" on which all chip card timings are based. |
| Fabrication |
The process of manufacturing the chip which is used in a smart card. |
| FAR |
False Accept Rate: the percentage of impostors accepted by a biometric or other identification check. |
| FERAM |
Ferro-electric RAM: random access memory covered with an additional layer in a patented process to make it non-volatile (i.e. it does not lose its memory when powered off). FERAM is much faster and uses less space than E2PROM, but the FERAM process is proprietary. |
| FINread |
Specification for a secure personal smart card reader device with keypad and display, published by the European Standardisation Centre (CEN) as CEN Workshop Agreement (CWA) 14174. |
| Flash memory |
Semiconductor memory which can be written once, but can thereafter only be erased as a block. It is increasingly used for program storage, since it allows the program to be updated. |
| FPGA |
Field Programmable Gate Array: a semiconductor device which generates its outputs directly from its input states according to a "program" defined by the user. |
| FRAM |
See FERAM. |
| FRR |
False Reject Rate: the percentage of valid users rejected by a biometric or other identification check |
| Global Platform |
Cross-industry group of users and manufacturers that has developed a set of specifications for cards and terminals, allowing applications to share a card or terminal securely and with appropriate management controls. Global Platform specifications supersede, and incorporate, JavaCard, OpenCard and Open Platform specifications. |
| GSM |
Global System for Mobile Communication: international standard for digital mobile telephony. |
| HCMOS |
High-power CMOS: the technology used in most smart card microcontrollers. |
| HSM |
Host Security Module (or Hardware Security Module): a hardware device used for storing keys and performing cryptographic functions under control of a host computer |
| IAC |
Issuer Action Code: in an EMV card, the way an issuer sets its preferences as to how the card behaves in exception situations. |
| IC |
Integrated Circuit |
| IC card |
Same as "chip card". The banking industry prefers the term "IC card" or "ICC". |
| ID-1, ID-00 |
An ID-1 card is one having the format defined in ISO 7810. ID-00 is the alternative name for the "plug-in" form factor used in GSM SIMs and in SAMs. |
| IFD |
Interface Device: same as a Card Accepting Device or Read-Write Unit, the equivalent of a card reader. |
| IMSI |
International Mobile Subscriber Identity: the ID of a GSM subscriber. |
| Integrity |
(of data or a message) Not having been altered since it was originated. |
| ISO |
International Standards Organisation. The main ISO standard relating to smart cards is ISO 7816: "Identification cards: integrated circuit cards with contacts". ISO 10536 and the draft standard 14443 cover, respectively, close-coupled and remotely coupled contactless cards. Many other standards covering aspects of security and computer systems operations are used by smart card systems. |
| ITSEC |
Information Technology Security Evaluation Criteria: European standard for evaluating the security of commercial computer products (see also TCSEC). |
| ITSO |
Originally the Integrated Transport Smartcard Organisation, ITSO now prefers to be called by its initials as it is not restricted to transport or to smart cards. |
| ITU |
International Telecommunications Union: the international body responsible for telecommunications co-ordination, the successor body to CCITT. See also ETSI. |
| Javacard |
Card that supports a cut-down version of the Java language, together with support functions for loading “applets” (Java applications) and for managing memory and multiple applications. See Global Platform. |
| JCOP |
JavaCard Open Platform: cards meeting the JavaCard and Open Platform specs. |
| Keys |
In a modern encryption system, the algorithm is generally assumed to be known, and what is kept secret is the key. There are many different forms of key, each of which can be regarded as a string of meaningless bits until it is used to encode or decode a message. |
| Key escrow |
One of the more emotive topics in cryptography is governments' desire to control the use of "strong" encryption, to prevent its use by criminals and enemies of the state. One method proposed to give this control, whilst still permitting the use of strong encryption, is key escrow: encryption users lodge a copy of their private keys with an accredited body, which agrees to surrender the keys to the Government on production of a court order. |
| MAC |
Message Authentication Code: a cryptographically derived block of data appended to a message to demonstrate that it has not been altered during transmission. |
| Mask |
The fixed program of a microprocessor smart card |
| M/Chip |
(formerly known as MCPA) MasterCard Chip Payment Application: the scheme which governs chip card based credit-debit transactions within the MasterCard system. |
| ME |
Mobile Equipment: the GSM name for a telephone or device used as a telephone. |
| MEL |
Multos executable language: the intermediate code form in which Multos programs are loaded and executed. |
| Memory card |
A chip card with memory, but controlled only by fixed logic rather than by a microprocessor. |
| MF |
Master File: the top level of a card's file structure. A card always has a Master File, which may contain data, DFs or EFs. |
| Microprocessor |
A semiconductor device which can execute a program. In a microprocessor-based smart card, the processor is combined with memory, power control and other functions on a single "chip" of silicon. |
| Mondex |
The electronic purse system developed by National Westminster Bank in the UK; it is now owned by MasterCard International, and is licensed to banks in several countries. Mondex is unusual amongst bank-owned electronic purse schemes in that the individual transactions are not reported back to the scheme owner, and transactions between purses are allowed. This makes it closer to a true cash substitute than other schemes. |
| NFC |
Near Field Communication: a standard (ISO 18092) for communication between two devices that must be very close to each other. |
| OpenCard, Open Platform |
See Global Platform |
| Payment Systems Environment |
The PSE is an EMV file that lists the payment applications in the card; it is used during EMV application selection. |
| PCD |
Proximity Coupling Device: the name used by ISO 14443 for a contactless card reader. |
| Personalisation |
Adding the individual card details to a card after manufacture. These will include the cardholder data in the chip's memory, usually the cardholder's name and an expiry date printed or embossed on the front. It may include other forms of personalisation such as magnetic stripe data or a photograph. During personalisation, any variable program (in addition to the mask) may be stored in the card, as well as cryptographic keys. |
| PC/SC |
The PC Smart Card architecture promoted by Microsoft and other smart card and PC operating system vendors, to standardise hardware and software interfaces for smart cards in PCs. |
| PED |
PIN Entry Device: a PINpad. |
| PGA |
Programmable Gate Array (see also FPGA) |
| PIN |
Personal Identification Number: a code (usually 4 to 6 digits) used as a password by a cardholder. |
| Pocket |
In an electronic purse, a single store of value (e.g. one currency). A purse may have several pockets. |
| POS |
Point of Sale |
| PPS |
Protocol and Parameter Selection: the process by which a card and terminal agree a communication protocol and speed. |
| Public key |
A public key encryption algorithm is one in which one key is published and the other kept secret. |
| PUK |
PIN Unblocking Key (or Personal Unblocking Key): a numeric code used to release a blocked application or card |
| RAM |
Random Access Memory (the equivalent of normal computer memory) |
| RFID |
Radio Frequency Identification: a technology which allows an object or person to be identified at a distance, using radio waves to energise and communicate with some form of tag or card. |
| RISC |
Reduced Instruction Set Computer: a computer or microprocessor which, by operating with a smaller range of instructions, is able to achieve higher instruction speeds than conventional processors. |
| ROM |
Read-Only Memory |
| RPK |
A new algorithm for public-key encryption and authentication which operates at higher speeds than other algorithms. |
| RSA |
The Rivest-Shamir-Adleman algorithm is the form of public-key encryption most widely used today, particularly for digital signatures and key exchange. |
| SAM |
Security Application Module: a chip normally used as part of a terminal to store keys and encryption algorithms securely. SAMs often use the same smart card technology as the associated cards, or a more specialised cryptographic chip. |
| SDA |
Static Data Authentication: authentication of a card by means of a digitally signed copy of selected card data. |
| SET |
Secure Electronic Transactions: a standard for credit-card payment across networks. SET has been largely replaced by the “Verified by Visa” and MasterCard SecureCode programmes. |
| SIM |
Subscriber Identity Module: the personalisation chip card in a GSM telephone |
| SMS |
Short Message Service: a form of transmission used in GSM telephony for short data messages. |
| Smart card |
A card which incorporates a microprocessor chip and some form of storage. By extension, and in common usage, any form of chip card. |
| Stored Value Card |
A card which is used to store value such as loyalty points or credit for canteen meals. In Europe, the term is used to denote a card which is issued and redeemed within a closed circuit, in contrast with an electronic purse, which can be used to buy goods and services in the open market. In the USA, the term "stored value card" is used more widely, and can denote an electronic purse. |
| T=0 / T=1 |
The asynchronous character and block protocols respectively defined by ISO 7816 part 3. |
| TASI |
Terminal Application Services Interface: the way that an application interfaces with the outside world (for use in testing an application or service). |
| TC |
Transaction Certificate: a value derived cryptographically from other transaction parameters, which enables the integrity and source of the transaction to be verified at a later date. |
| TCSEC |
Trusted Computer Security Evaluation Criteria: the US "Orange Book" requirements for evaluating the security of computer systems |
| TTP |
Trusted Third Party: an organisation (usually Government appointed or registered) which holds keys used for authentication purposes. |
| UAT |
Unattended Acceptance Terminal – another term for a UPT |
| UPT |
Unattended Payment Terminal – a vending machine, toll booth or other device that accepts cards without a cashier being present. |
| USIM |
Universal Subscriber Identity Module: the card that maintains the secure user authentication and further user data in a ’third generation’ (3G) telephone. |
| VIS |
Visa IC Card Specification: the specification which governs chip card based credit-debit transactions within the Visa system. |
| VOP |
Visa Open Platform: Visa’s version of the Open Platform specifications, including some payment-specific functions and issuer controls. |
| VSDC |
Visa Smart Debit – Credit: a product using the VIS specifications |
| Windows for Smart Cards |
Microsoft's multi-application card platform (cf. JavaCard), now no longer offered as a product |
| WORM |
Write once read many times (form of semiconductor memory) |
| Zero knowledge |
A form of authentication in which the object demonstrates that it knows a secret, without disclosing that secret to the challenger (who may not know the secret). Most zero knowledge tests make use of public key cryptography, where the secret represents the private key or a function thereof. See also "challenge-response". |