> Microsoft man thought that the card was being used as an
> authorisation token to start up a secure session between the
> browser and the host system - because he had only experienced
> that type of smart card use before.
Don't feel alone - a local project involving one of the US's larger credit
card
and ATM processors had essentially the same comments from their integration
team.
Regards,
Lyal
Virtual Business Associates ECommerce Strategies and Internet Security
ACN 083 334 052
Ph; 02 9712 0205 Fax; 02 9712 0467 Mobile; 0416 097 120
1/37 Walton Crescent Abbotsford NSW 2046 Australia
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Peter W Tomlinson
> Sent: 9 September 1999 21:02
> To: George Tasiopoulos
> Cc: [EMAIL PROTECTED]
> Subject: Re: [OCF] Readers via browsers
>
>
> George,
>
> Yesterday I attended a Workshop at CEN in Brussels, where the
> topic was secure card read/write units for use with EMV-style bank
> cards on the Internet (project name FINREAD). The immediate
> application is in producing a secure reader/PINpad/display for use
> on a PC, with the link to the host being via a browser and then
> across the Internet. Discussion with a Microsoft employee who had
> just got involved in this area showed that, before discussing
> methodologies, there has to be a clear understanding of what you
> want to do and what the cards currently defined now do.
>
> Payments from smart cards using the banking debit/credit
> application (the basic EMV application) are just that: a payment
> message is sent from the card to the host system (the acquiring
> system, in the jargon). The message contains the amount of
> payment along with all other necessary information. What the
> browser and the merchant say to each other is just the
> preliminaries: the purchase transaction. It is the card that makes
> the payment.
>
> In order to secure the rest of the transaction, the banks want us to
> use SET with 'wallet' software in the browser. In order to secure the
> payment message as it passes across the Internet, the banks
> wants us to use the Common Chip Extensions to SET. In order to
> be sure that the amount of payment transmitted to the card is
> correct, the banks want us to insert the card into a certified secure
> reader/PINpad/display - the amount will be shown on the display,
> and the cardholder will authorise the amount on the PINpad.
>
>
> Now we are aware that there are some merchants who register
> your credit/debit card number with them, and then they can issue
> you to you their own authorisation card, which allows you to set up
> a secure session so that you can purchase using your account
> with them. Actual payment will be made separately - probably by
> cheque or by direct debit, perhaps on a monthly account basis.
>
> One of the people at yesterday's Workshop was from Wave
> Systems (previously Nable Tech), and his company has been
> participating in a development programme for 'trusted clients'. This
> aims to produce a controller chip that can be embedded in a PC or
> peripheral to enhance security in an Internet environment. Details I
> don't yet have, but they point out that the FINREAD type secure
> reader can be made using their technology, and that electronic
> commerce businesses will shortly be announcing products using
> their silicon - in other words, to trade on-line, you (the customer)
> will have to have a trusted client device.
>
> How you handle the browser thing depends on what you want to
> do, but basically, for real payment on-line, the European banks are
> saying that you will only be allowed to do it using their software
> and their approved card readers.
>
> That's only a start, I know, but there's a lot of this basic education
> needed in the market.
>
> As for keeping up to date with all this, I don't know of any forum
> where you can. The industry associations (e.g. Smart Card Forum)
> should be helping, and our own UK Smart Card Club is about to
> launch a web site section giving general info. But real, at the coal
> face, developers, are, I know, having a hard time.
>
> Peter Tomlinson
> Iosis, Bristol, UK
> -------------------------------------------------------------------
> Forwarded by: "Post Master" <internet>
> Forwarded to: pm:pwt
> Date forwarded: Thu, 9 Sep 1999 11:35:38 +0100
> Date sent: Tue, 07 Sep 1999 10:57:54 -0400
> From: George Tasiopoulos <[EMAIL PROTECTED]>
> Organization: Factpoint, Inc
> To: [EMAIL PROTECTED]
> Subject: [OCF] Readers via browsers
>
> > This is a cryptographically signed message in MIME format.
> >
> > --------------msF8635FEC270FC1DBA93B4049
> > Content-Type: multipart/mixed;
> > boundary="------------277609FE7322B492587CEE3B"
> >
> > This is a multi-part message in MIME format.
> > --------------277609FE7322B492587CEE3B
> > Content-Type: text/plain; charset=us-ascii
> > Content-Transfer-Encoding: 7bit
> >
> > Hello all-
> >
> > I have been a little out of sync with the industry so...
> >
> > Can anyone feed me any detail of the capabilities and status
> > of the smartcard industry with regards to the usage of
> > card terminals via internet applications? Does the OCF help here?
> > Is there a framework that helps securly access the physical reader
> > device
> > via the browser, (an HTML UI application), or is there the need for
> > applets?
> > Consider an application that is internet-based and I want the end-users
> > to use their
> > home PC w/reader to securly exchange information from the card via their
> > browser application.
> > What are the limitations facing the industry today and what resources
> > are there to help
> > me stay on top of these changes, (besides this listserv)? :)
> >
> > Thanks in advance.
> > -george
> >
> >
> > --------------277609FE7322B492587CEE3B
> > Content-Type: text/x-vcard; charset=us-ascii;
> > name="George.vcf"
> > Content-Transfer-Encoding: 7bit
> > Content-Description: Card for George Tasiopoulos
> > Content-Disposition: attachment;
> > filename="George.vcf"
> >
> > begin:vcard
> > n:Tasiopoulos;George
> > tel;fax:(781) 221-0465
> > tel;work:(781) 221-0300
> > x-mozilla-html:FALSE
> > url:www.factpoint.com
> > org:Factpoint, Inc;Trust You Can CLICK On!
> > adr:;;10 Burlington Mall Road;Burlington;MA;01803;USA
> > version:2.1
> > email;internet:[EMAIL PROTECTED]
> > title:Director - Consulting Services
> > fn:George Tasiopoulos
> > end:vcard
> >
> > --------------277609FE7322B492587CEE3B--
> >
> > --------------msF8635FEC270FC1DBA93B4049
> > Content-Type: application/x-pkcs7-signature; name="smime.p7s"
> > Content-Transfer-Encoding: base64
> > Content-Disposition: attachment; filename="smime.p7s"
> > Content-Description: S/MIME Cryptographic Signature
> >
> > MIIKHwYJKoZIhvcNAQcCoIIKEDCCCgwCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
> > B6swggR1MIID3qADAgECAhAcfh6ejvZIx3w1dS6Y/IZDMA0GCSqGSIb3DQEBBAUAMIHMMRcw
> > FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29y
> > azFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5
> > IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRp
> > dmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkMB4XDTk5MDgyNDAwMDAw
> > MFoXDTAwMDgyMzIzNTk1OVowggEZMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UE
> > CxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9y
> > ZXBvc2l0b3J5L1JQQSBJbmNvcnAuIGJ5IFJlZi4sTElBQi5MVEQoYyk5ODEeMBwGA1UECxMV
> > UGVyc29uYSBOb3QgVmFsaWRhdGVkMTMwMQYDVQQLEypEaWdpdGFsIElEIENsYXNzIDEgLSBO
> > ZXRzY2FwZSBGdWxsIFNlcnZpY2UxGzAZBgNVBAMUEkdlb3JnZSBUYXNpb3BvdWxvczEjMCEG
> > CSqGSIb3DQEJARYUZ2VvcmdlQGZhY3Rwb2ludC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
> > MIGJAoGBAJml3F8Og4yJbnWEROHhSbbjENj0Vp/CJxjsssY3576geKa2/p6w6iqlfhu2BI9R
> > Grrqnrj0UgRZ4p3w6mCdSMp53DjnINrRxUhGjXejVmqLTUpB8OVLkdc7511WTl8SpY5Z5/W1
> > mjVZbxBPcw3r+1v6Ahw5StygBHeX1pyNFy2pAgMBAAGjggEGMIIBAjAJBgNVHRMEAjAAMIGs
> > BgNVHSAEgaQwgaEwgZ4GC2CGSAGG+EUBBwEBMIGOMCgGCCsGAQUFBwIBFhxodHRwczovL3d3
> > dy52ZXJpc2lnbi5jb20vQ1BTMGIGCCsGAQUFBwICMFYwFRYOVmVyaVNpZ24sIEluYy4wAwIB
> > ARo9VmVyaVNpZ24ncyBDUFMgaW5jb3JwLiBieSByZWZlcmVuY2UgbGlhYi4gbHRkLiAoYyk5
> > NyBWZXJpU2lnbjARBglghkgBhvhCAQEEBAMCB4AwMwYDVR0fBCwwKjAooCagJIYiaHR0cDov
> > L2NybC52ZXJpc2lnbi5jb20vY2xhc3MxLmNybDANBgkqhkiG9w0BAQQFAAOBgQClGkaSbThc
> > hcIYf401k1t5svxEZq3GX0YPPZ2LTiGvX4sQ7T8T0d6uTbSdlqyMsV2hBr0x/1pCD5WMhkzy
> > UdPXqTRUp3iZWqxFuuHt+ZTmGpHkNDVWLttR4zkoJd6WmlptHUV/n5dDdNUDWzuIu2yPpWWC
> > Oa8whcPxqxbxFjtwAzCCAy4wggKXoAMCAQICEQDSdi6NFAw9fbKoJV2v7g11MA0GCSqGSIb3
> > DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UE
> > CxMuQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
> > ODA1MTIwMDAwMDBaFw0wODA1MTIyMzU5NTlaMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5j
> > LjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlz
> > aWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFI
> > MEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmliZXItUGVy
> > c29uYSBOb3QgVmFsaWRhdGVkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7WkSKBBa7
> > Vf0DeootlE8VeDa4DUqyb5xUv7zodyqdufBou5XZMUFweoFLuUgTVi3HCOGEQqvAopKrRFyq
> > QvCCDgLpL/vCO7u+yScKXbawNkIztW5UiE+HSr8Z2vkV6A+HthzjzMaajn9qJJLj/OBluqex
> > fu/J2zdqyErICQbkmQIDAQABo3wwejARBglghkgBhvhCAQEEBAMCAQYwRwYDVR0gBEAwPjA8
> > BgtghkgBhvhFAQcBATAtMCsGCCsGAQUFBwIBFh93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRv
> > cnkvUlBBMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBAgUAA4GB
> > AIi4Nzvd2pQ3AK2qn+GBAXEekmptL/bxndPKZDjcG5gMB4ZbhRVqD7lJhaSV8Rd9Z7R/LSzd
> > mkKewz60jqrlCwbe8lYq+jPHvhnXU0zDvcjjF7WkSUJj7MKmFw9dWBpJPJBcVaNlIAD9GCDl
> > X4KmsaiSxVhqwY0DPOvDzQWikK5uMYICPDCCAjgCAQEwgeEwgcwxFzAVBgNVBAoTDlZlcmlT
> > aWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13
> > d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBBIEluY29ycC4gQnkgUmVmLixMSUFCLkxU
> > RChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAxIENBIEluZGl2aWR1YWwgU3Vic2Ny
> > aWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQCEBx+Hp6O9kjHfDV1Lpj8hkMwCQYFKw4DAhoF
> > AKCBsTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw05OTA5MDcx
> > NDU3NTRaMCMGCSqGSIb3DQEJBDEWBBRtSG7RBeOv6kMGyC+hYO9jQB0j9zBSBgkqhkiG9w0B
> > CQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAHBgUrDgMCBzANBggqhkiG9w0D
> > AgIBQDANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgEGtUwCPdebFEGfzBYfpK7X6
> > kiBEo/sz1LyivY3VdMAvA39CqLH+k6jjCwBRrERB7kr61j620FMHP81+ktpvkjSBe4kiEQgS
> > UMcBrHxxrcBGwoA+5iPIarbD7Qyn/1j7SfOUuectK6gHQQhJiwPrVv3ze4ow2eU67J3oibvg
> > qcM1
> > --------------msF8635FEC270FC1DBA93B4049--
> >
> > Visit the OpenCard Framework's WWW site at http://www.opencard.org/ for
> > access to documentation, code, presentations, and OCF announcements.
> >
> ------------------------------------------------------------------
> -----------
> > To unsubscribe from the OCF Mailing list, send a mail to
> > "[EMAIL PROTECTED]" with the word "unsubscribe" in
> the BODY of the
> > message.
> >
>
>
> Visit the OpenCard Framework's WWW site at http://www.opencard.org/ for
> access to documentation, code, presentations, and OCF announcements.
> ------------------------------------------------------------------
> -----------
> To unsubscribe from the OCF Mailing list, send a mail to
> "[EMAIL PROTECTED]" with the word "unsubscribe" in
> the BODY of the
> message.
>
Visit the OpenCard Framework's WWW site at http://www.opencard.org/ for
access to documentation, code, presentations, and OCF announcements.
-----------------------------------------------------------------------------
To unsubscribe from the OCF Mailing list, send a mail to
"[EMAIL PROTECTED]" with the word "unsubscribe" in the BODY of the
message.
