Editing Smart card (section)

====Functionalities====

Complex Cards support all communication protocols present on regular smart cards: contact, thanks to a contact pad as defined [[ISO/IEC 7816]] standard, contactless following the [[ISO/IEC 14443]] standard, and magstripe.

Developers of Complex Cards target several needs when developing them: 
* One Time Password, 
* Provide account information,  
* Provide computation capabilities,  
* Provide a means of transaction security, 
* Provide a means of user authentication.

=====One time password=====

A Complex Card can be used to compute a cryptographic value, such as a [[One-time password]]. The One-Time Password is generated by a [[Secure cryptoprocessor|cryptoprocessor]] encapsulated in the card. To implement this function, the crypto processor must be initialized with a seed value, which enables the identification of the OTPs respective of each card. The hash of seed value has to be stored securely within the card to prevent unauthorized prediction of the generated OTPs.

One-Time Passwords generation is based either on incremental values (event based) or on a real time clock (time based). Using clock-based One-Time Password generation requires the Complex Card to be equipped with a [[Real-time clock]].

Complex Cards used to generate One Time Password have been developed for: 
* Standard Chartered,<ref>{{cite news |last1=Liau |first1=Yun Qing |title=MasterCard launching banking card with OTP capability |url=https://www.zdnet.com/finance/mastercard-launching-banking-card-with-otp-capability/ |access-date=12 May 2021 |publisher=ZDNet |date=8 November 2012 |archive-date=6 May 2021 |archive-url=https://web.archive.org/web/20210506072844/https://www.zdnet.com/article/mastercard-launching-banking-card-with-otp-capability/ |url-status=live }}</ref> Singapore,
* Bank of America,<ref>{{cite web |last1=GamerStuff |title=CES 2012: Interview Cyril Lalo NagraID Security |url=https://www.youtube.com/watch?v=xIEHHZH9br8  |archive-url=https://ghostarchive.org/varchive/youtube/20211211/xIEHHZH9br8| archive-date=11 December 2021 |url-status=live|via=YouTube |access-date=12 May 2021 |date=24 January 2012}}{{cbignore}}</ref> USA, 
* Erste Bank, Croatia, 
* Verisign,<ref>{{cite web |title=Mastercard, Symantec and NagraID Security team up to provide further payment card security features |url=https://www.nagra.com/media-center/press-releases/mastercard-symantec-and-nagraid-security-team-provide-further-payment |website=nagra.com |access-date=12 May 2021 |date=14 February 2011 |archive-date=12 May 2021 |archive-url=https://web.archive.org/web/20210512121504/https://www.nagra.com/media-center/press-releases/mastercard-symantec-and-nagraid-security-team-provide-further-payment |url-status=live }}</ref> USA,
* RSA Security.<ref>{{cite news |title=RSA SecurID SD200 – hardware token Series Specs |url=https://www.cnet.com/products/rsa-securid-sd200-hardware-token-series/ |access-date=12 May 2021 |publisher=CNET |archive-date=12 May 2021 |archive-url=https://web.archive.org/web/20210512101921/https://www.cnet.com/products/rsa-securid-sd200-hardware-token-series/ |url-status=live }}</ref>

=====Account information=====

A Complex Card with buttons can display the balance of one or multiple account(s) linked to the card. Typically, either one button is used to display the balance in the case of a single account card or, in the case of a card linked to multiple accounts, a combination of buttons is used to select a specific account's balance.

For additional security, features such as requiring the user to enter an identification or a security value such as a [[Personal identification number|PIN]] can be added to a Complex Card.

Complex Cards used to provide account information have been developed for: 
* Getin Bank, Poland,<ref>{{cite news |last1=Getin Bank |title=Getin Bank – poznaj nową Kartę Display do konta bankowego |url=https://www.youtube.com/watch?v=lek_px4wcXQ |access-date=21 May 2021 |via=YouTube |date=7 June 2013 |language=Polish |archive-date=21 May 2021 |archive-url=https://web.archive.org/web/20210521072345/https://www.youtube.com/watch?v=lek_px4wcXQ |url-status=live }}</ref>
* TEB, Turkey.

The latest generation of battery free, button free, Complex Cards can display a balance or other kind of information without requiring any input from the card holder. The information is updated during the use of the card. For instance, in a transit card, key information such as the monetary value balance, the number of remaining trips or the expiry date of a transit pass can be displayed.

=====Transaction security=====

A Complex Card being deployed as a payment card can be equipped with capability to provide transaction security. Typically, [[online payment]]s are made secure thanks to the [[Card security code|Card Security Code (CSC)]], also known as card verification code (CVC2), or card verification value (CVV2). The card security code (CSC) is a 3 or 4 digits number printed on a credit or debit card, used as a security feature for [[Card not present transaction|card-not-present (CNP)]] payment card transactions to reduce the incidence of fraud.

The Card Security Code (CSC) is to be given to the merchant by the cardholder to complete a card-not-present transaction. The CSC is transmitted along with other transaction data and verified by the card issuer. The [[Payment Card Industry Data Security Standard|Payment Card Industry Data Security Standard (PCI DSS)]] prohibits the storage of the CSC by the merchant or any stakeholder in the payment chain. Although designed to be a security feature, the static CSC is susceptible to fraud as it can easily be memorized by a shop attendant, who could then use it for fraudulent online transactions or sale on the dark web. 
 
This vulnerability has led the industry to develop a Dynamic Card Security Code (DCSC) that can be changed at certain time intervals, or after each contact or contactless EMV transaction. This Dynamic CSC brings significantly better security than a static CSC.

The first generation of Dynamic CSC cards, developed by NagraID Security required a battery, a quartz and Real Time Clock (RTC) embedded within the card to power the computation of a new Dynamic CSC, after expiration of the programmed period.

The second generation of Dynamic CSC cards, developed by Ellipse World, Inc., does not require any battery, quartz, or RTC to compute and display the new dynamic code. Instead, the card obtains its power either through the usual card connector or by induction during every EMV transaction from the Point of Sales (POS) terminal or Automated Teller Machine (ATM) to compute a new DCSC.

The Dynamic CSC, also called dynamic cryptogram, is marketed by several companies, under different brand names: 
* MotionCode, first developed by NagraID Security, a company later acquired by [[IDEMIA]], 
* DCV, the solution offered by [[Gemalto|Thales]],
* EVC (Ellipse Verification Code) by Ellipse, a Los Angeles, USA based company.

The advantage of the Dynamic Card Security Code (DCSC) is that new information is transmitted with the payment transactions, thus making it useless for a potential fraudster to memorize or store it. A transaction with a Dynamic Card Security Code is carried out exactly the same way, with the same processes and use of parameters as a transaction with a static code in a card-not-present transaction. Upgrading to a DCSC allows cardholders and merchants to continue their payment habits and processes undisturbed.

=====User authentication=====

Complex Cards can be equipped with biometric sensors allowing for stronger user authentication. In the typical use case, fingerprint sensors are integrated into a payment card to bring a higher level of user authentication than a PIN.

To implement user authentication using a fingerprint enabled smart card, the user has to authenticate himself/herself to the card by means of the fingerprint before starting a payment transaction.

Several companies<ref>{{cite web |last1=D'Albore |first1=Antonio |title=The rise of biometric cards |date=5-6 October 2017 |url=http://icma.com/wp-content/uploads/2017/10/The-Rise-of-Biometric-Cards10-4.pdf |website=International Card Manufacturers Association |publisher=Embedded Security News |access-date=26 October 2021 |archive-date=26 October 2021 |archive-url=https://web.archive.org/web/20211026234345/http://icma.com/wp-content/uploads/2017/10/The-Rise-of-Biometric-Cards10-4.pdf |url-status=live }}</ref> offer cards with fingerprint sensors, including: 
* [[Gemalto|Thales]]: Biometric card, 
* [[IDEMIA]]: F.Code, originally developed by NagraID Security,
* [[IDEX Biometrics]], 
* [[NXP Semiconductors]]