This story was printed from ZDNet Australia.
Smart cards: Coming up trumps

By David Braue
March 11, 2002
URL: http://www.zdnet.com.au/news/security/soa/Smart-cards-Coming-up-trumps/0,130061744,120263927,00.htm




Smart cards have a multitude of uses, from identification and security to payment and loyalty programs, plus a single card can do all these and more at the same time. What's holding the technology back from widespread use in Australia? Could it be that vendors haven't found the applications consumers really want?

Inside this story:
Still a hard sell
The customer promise
Smart cards in Australia
Planning an effective rollout

Smart card enthusiasts are a patient bunch. Although the technology and its applications have been well understood for most of the past decade, the adoption of smart cards has consistently failed to live up to even the most conservative forecasts.

Early enthusiasm over the identification and payment cards once led analysts to laud their potential in reinventing commerce, but the cards have so far struggled to find an audience among businesses in Australia, the US, and most other places.

Smart cards are credit card-sized pieces of plastic with an embedded microchip and telltale copper contacts on the surface that provide an interface for reading and writing data.

Many cards are printed with photographs and individual identification details; many feature magnetic stripes (magstripes) so they can be used in existing card readers; and some "contactless" cards have embedded, invisible circuits that transmit information to devices such as door security controls whenever they're put close to a reader.

Years of development have advanced the state of the art to the point where smart cards are now as flexible, capable, and useful as they were once expected to be; electronic cash, passwords, personal preferences, past shopping information, digital certificates, health-related data, and mountains of other data can be securely stored on the cards using widely available applications.

So far, European companies have been the most enthusiastic, adopting smart cards in a range of financial, transport, and other applications. Thanks in large part to the coalescing of major financial powers around Europe's EMV (Eurocard MasterCard Visa) financial payment standard, smart cards are growing at a steady clip on that continent.

Analyst firm IDC, for one, has projected that shipments of smart cards would grow from 284 million units in 1999 to more than one billion in 2004. This makes Europe the world's largest market for smart cards, although other geographies--China in particular--are expected to catch up soon after that.

Despite its strong overall technology base, Australia still fails to rate a mention in analyses of smart cards' potential. Here, smart cards are mainly used in niche applications focused on a specific purpose applicable to a small number of people: as identification cards at NSW TAFEs, for example, and for controlling employee facilities access within some companies. On the whole, however, Australian businesses have been relatively uninterested in the technology.

Deborah Stanley, company secretary of industry advocacy group the Asia-Pacific Smartcard Forum, has watched interest in smart cards dwindle over the years despite early hype about their potential. "It has just not happened at all," she concedes.

"It's not the technology that everyone was excited about a few years ago; it was just another technology swept along by e-commerce enthusiasm. While we did have a lot of government support early in the piece, it seems to have gone cold."

While Europeans have quickly become accustomed to smart cards because of their ubiquity in high-profile financial applications, Stanley blames Australia's well-developed EFT (electronic financial transaction) networks for marginalising the cards' profile and importance here: "The business case to replace [EFT] with a smart card infrastructure would have been expensive. It's not going to be replaced just for the sake of having a smart card in our wallets that is a cash replacement. I think it has to fit in with some other applications, like digital signatures."

Even when used for multiple purposes, smart cards are far from a sure bet; trials in several academic settings have produced mixed results. Melbourne's La Trobe University, for one, runs financial competitions to encourage use of its La Trobe Card smart card ID card, which combines library, photocopying, ID, and access control functions with an electronic purse.

However, after trialling Telstra smart cards for three years, the University of Adelaide reverted to magstripe-based identification cards and began refunding money stored on the cards.

Still a hard sell


While electronic purse applications make good sense within a micro-retail community like a university, within businesses smart cards are most valuable in their ability to improve information security.

With some modifications, most business applications can be set up to read digital signatures stored on smart cards as an alternative or complement to password-based logons.

By inserting the card into a reader, then entering a PIN or scanning a fingerprint as well, users can provide virtually irrefutable proof of their identity.

Used correctly, this technology can deliver major improvements in security--a worthwhile goal for any company. For example, smart cards can provide strong enough employee authentication that they enable single sign-on to multiple business systems.

Smart cards are also invaluable in tightening up administration of security policies, since cards are centrally managed and can be revoked instantly if necessary.

When linked into a corporate directory service, smart card revocation can be set to happen automatically as part of the procedure followed when an employee is terminated.

They are particularly promising for remote access, which has traditionally been extremely problematic since there's no way to accurately confirm the identity of the person sitting at the other end of the connection.

By issuing those workers with smart card readers, companies can reliably ensure that the authorised cardholder is indeed sitting at the other end of the connection.

This opens up the scope for extending access to sensitive information systems over IPSec-compliant Internet virtual private networks, which have already resolved encryption issues but become far more viable when paired with strong smart card-based authentication.

Using smart cards requires installation of hardware as well as software development to integrate them with existing business systems. Equipment is readily available, but becomes quite expensive when extrapolated across typical corporate installations of hundreds or thousands of computers.

There is also the expense and effort of defining project scope and smart card management plans; redeveloping applications to use smart cards; and, more ominously, the not-insignificant task of installing necessary infrastructure such as directory services.

Aiming to reduce the complexity of smart card solutions, some companies are offering corporate customers managed end-to-end security solutions built around the cards. Optus's OPI Trust service, for one, combines a smart card reader and management software with access to the Optus nationwide network to provide an outsourced, secure remote access solution.

Already being tested by at least three Commonwealth government departments and two Big-Four banks, OPI Trust highlights the growing role that service providers will play in getting smart cards into businesses in large numbers.

"It provides companies with a rapid approach to secure deployments, and is usually operational within weeks instead of months," says Chris Hancock, managing director of Optus Business.

"It's cost-effective, with low upfront costs, a pay-as-you-go charging model, and requires minimal user intervention. And for large businesses, the fact we have a national network guarantees there are no third-party handoffs or reseller agreements where you're not sure who's doing what. Trust and certainty are what customers are after."

Holistic approach


Such solutions only address one specific requirement, however. Companies anticipating more widespread use of smart cards may want to take a more holistic view of their needs. Nevertheless, realising that vision can be like opening a series of Russian dolls: there's always another surprise waiting.

Combined with the tighter IT budgets occasioned by current economic uncertainty, it's unlikely that smart cards will become widespread within corporate environments any time soon.

Most businesses just can't build a good business case around the cards: since they offer no potential for increasing profits, they're still seen as an unnecessarily complex solution to problems that are adequately handled using cheaper magstripe technologies.

The customer promise

Where smart cards are gradually gaining ground, however, is in customer-facing applications such as loyalty programs or multi-function membership cards.

This is a field that was first explored in the mass market by American Express, which recently launched its Blue smart card-credit card combination and was soon challenged by ANZ Banking Group's First and Gold cards.

Both cards combine a chip-based smart card with traditional magstripe, allowing the cards to be used in existing point-of-sale machines while supporting additional applications as necessary. Blue is based on Gemplus smart cards and software built for Amex by an unnamed French company.

By combining the cards with high-tech capabilities like online billing and Internet fraud protection, American Express has targeted them at high-income, high-value customers who are likely to be most interested in ancillary offers.

"We started looking at a new credit card product twelve months ago, and we wanted to do something different," explains Mark Rayner, director of business development with American Express.

"It's not easy to differentiate in the credit card market. Surveys showed that loyalty was sexy and security taken for granted, so we went off and built the smart card in that way. It's gotten a very positive response in the marketplace."

Although he won't specify how many Blue cards have been issued so far, Rayner said uptake is meeting the company's targets--particularly for retailers, who like the smart card's promise of supporting multiple applications in the future.

This will let Amex administer loyalty programs on behalf of retailers, or allow them to load their own applications if they prefer. Some 300 Amex Blue-capable terminals have been installed so far, but Amex is committed to growing this number quickly over time.

Because financial institutions play such a major role in customers' everyday lives, many believe initiatives such as Amex Blue and ANZ First are critical in raising the public's awareness about smart cards--and, by extension, justifying a business case for investing in the technology.

This will become even truer as banks begin to issue digital certificates compliant with the Commonwealth government's ABN-DSC (Australian Business Number Digital Signature Certificate) standard, which were recently accredited under the government's Gatekeeper authentication scheme.

Banks' strong role in promoting smart cards echoes the experience in Europe, where financial institutions have effectively set the pace of their rollouts by deploying terminals and offering compelling smart card applications.

Similar support in this country is likely to be a key factor in encouraging widespread use of smart card solutions.

"In the last three years in Australia, we would not have delivered any EFTPOS devices that don't have smart card readers," says Wens Brinkman, general manager of Intellect Australia, which has long offered smart card capabilities in its point-of-sale devices and derives 70 percent of its revenues from European customers.

"They're physically able to [handle smart cards] but there's still work to be done on the software side," Brinkman continues. "So far, there hasn't been that trigger to drive it; the problem is that we [in Australia] don't have a problem. But in the financial world, that trigger will be the combination of adopting the EMV standard and customer awareness of the higher level of security that smart cards provide."

Smart cards in Australia


Intellect's first public smart card project in Australia involves the use of its SmartCash loyalty system, which saw 500 of the company's Microbank point-of-sale terminals installed at retailers on Queensland's Sunshine Coast. The system will gradually be expanded across the country as partner interest and commercial circumstances allow.

With strong government and private sector cooperation, a single smart card could eventually serve as a non-repudiable card for online and offline identification, a traditional credit/debit card, a loyalty program membership card, government benefits card, and more.

By allowing banks to assume the complexity of establishing and maintaining a smart card infrastructure, other companies can focus on building innovative customer loyalty programs instead of worrying about logistical issues.

"Future expansion of the functionality of the chip is going to be based on solid business cases," says Rayner. "The ability to get new applications onto the chip is there, and we have to make sure those business applications make sense to the consumer. That's been the challenge in the past."

Banks aren't alone in their quest to define the platform for Australians' smart card usage; any large company could potentially do the same thing by pushing the cards out to its members.

That's the approach of NRMA, which has been actively working to broaden its product range since its demutualisation. In fact, NRMA is leading the way in the private sphere with plans to issue its more than two million members with smart card-based membership cards that will eventually work on toll roads, public transport, car parks, and other locations.

Although large companies have long accepted the promise of smart cards in conceptual terms, the fact that they're finally formulating plans to put cards into consumers' hands bodes well for the future of the technology. Once customers are empowered with the cards, the future will be open to whoever can develop the most innovative and relevant applications.

Planning an effective rollout


Smart cards, and the infrastructure to support them, are well understood and already available on the market.

A broad variety of hybrid devices--for example, computer mice, keyboards, and fingerprint scanners with smart card readers built in--are readily available, providing a ready upgrade path for companies that want to gradually provide smart card capabilities for their workers.

Far more important when planning a rollout is to choose an appropriate scope for the project, warns Mick Smith, senior vice president of sales with Canberra-based Protocom Development Systems, which develops smart card-based security solutions for corporate customers.

"Because smart cards have the capability of solving so many business problems, projects too often try to include too much functionality," Smith explains. "By putting too much functionality in their set of requirements, companies think the project is too complex; it's very rare to find a project that's gone forward where there have been multiple applications in the business case."

"For a smart card solution to be a real success, it should be designed to focus on a particular area of business needs," he continues. "It can support multiple applications or processes, but it works best if all those processes have something in common. Where a card has multiple unrelated purposes, a lost card is a nightmare to manage. It comes back to project management."

Commonality between processes also helps improve management of data, since it provides better integration between the applications and allows them all to be managed through a single server application.

Conversely, putting a dog's breakfast of applications on a card will mean that individual applications each require their own interfaces to back-end systems; ignoring this is a sure-fire way to ensure you create an integration disaster.

Although customers now equate smart cards with increased security, providing this security still requires some thinking. Mondex Multos cards manage security centrally for all applications stored on the card; this limits the freedom of each application to manage its own security, but provides the benefit of a consistent security architecture.

By contrast, Java Card leaves security issues up to each individual application; this increases developer flexibility, but also shifts the security onus back to the company offering each application.

Another major issue is whether to store customer data on the card--an idea initially espoused by proponents of smart card-based health cards containing x-rays, prescription and other information--or to use a centralised architecture in which the smart card is effectively an access key to information stored on a central server.

The centralised approach could potentially be slower, since users would have to wait until a data query was processed, yet centralisation also increases data integrity and allows data to be retained even when a card is lost.

This approach is particularly appealing in situations where irreplaceable monetary units such as digital cash are to be stored on the card. Centralised environments also ease management of cards, since it's a simple matter to revoke a card in the field.

"A lot of people that run infrastructure prefer to dumb down the cards so they can manage, monitor, and control them," says Brinkman. "If you distribute your computing to hundreds of thousands of cards and need to do an update, it can be a fairly big headache."

Finally, it's important to pick the right kind of partners. With point-of-sale companies well versed in the complexities of smart card deployment, there's no point in trying to duplicate their efforts.

Choose a supplier that can provide terminals, smart cards and the software to tie them together, and let them do all the sweating to make sure the whole thing works.

For example, SecureNet recently partnered with APIR to provide a smart card solution tailored for financial services, while Telstra has partnered with the ANZ Bank and smart card vendor ERG to capitalise on ERG's strength in transport and financial applications.

SecureNet has also joined digital certificate company eSign and Sun-Netscape joint venture iPlanet to pursue opportunities in Identrus-related digital certificates.

By picking the right technology partners, you can spend your time building business cases and developing mutually beneficial smart card applications in conjunction with other companies that have a synergistic relationship with your own business.

With the right partnerships in place, you'll find it far easier to build a business case that justifies the upfront investment necessary to get into smart cards.

"The technology is there today," says Protocom's Smith. "Many people have been looking at it for a long time, but I think now is the right time to have an open mind. Take a fresh look and see what's available."

