The term digital card
can refer to a physical item, such as a memory card on a camera,
or, increasingly since 2017, to the digital content hosted
as a virtual card or cloud card, as a digital virtual representation of a physical card. They share a common purpose:
Identity Management,
Credit card
A credit card is a payment card issued to users (cardholders) to enable the cardholder to pay a merchant for goods and services based on the cardholder's accrued debt (i.e., promise to the card issuer to pay them for the amounts plus the o ...
, or
Debit card
A debit card, also known as a check card or bank card is a payment card that can be used in place of cash to make purchases. The term '' plastic card'' includes the above and as an identity document. These are similar to a credit card, but u ...
. A non-physical digital card, unlike a
Magnetic stripe card
The term digital card can refer to a physical item, such as a memory card on a camera, or, increasingly since 2017, to the digital content hosted
as a virtual card or cloud card, as a digital virtual representation of a physical card. They share ...
can can emulate (imitate) any kind of card. Other common uses include
loyalty card
A loyalty program is a marketing strategy designed to encourage customers to continue to shop at or use the services of a business associated with the program. Today, such programs cover most types of commerce, each having varying features and ...
and
health insurance card; physical
driver's license
A driver's license is a legal authorization, or the official document confirming such an authorization, for a specific individual to operate one or more types of motorized vehicles—such as motorcycles, cars, trucks, or buses—on a public ...
and
Social Security card
In the United States, a Social Security number (SSN) is a nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents under section 205(c)(2) of the Social Security Act, codified as . The number is issued to ...
are still mandated by some government agencies.
[
A ]smartphone
A smartphone is a portable computer device that combines mobile telephone and computing functions into one unit. They are distinguished from feature phones by their stronger hardware capabilities and extensive mobile operating systems, whic ...
or smartwatch
A smartwatch is a wearable computer in the form of a watch; modern smartwatches provide a local touchscreen interface for daily use, while an associated smartphone app provides management and telemetry, such as long-term biomonitoring. While ea ...
can store content from the card issuer; discount offers and news updates can be transmitted wirelessly, via Internet
The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
These virtual cards are used in very high volumes by the mass transit sector, replacing paper based tickets and earlier MagStrip cards.
History
Magnetic recording on steel tape and wire was invented by Valdemar Poulsen
Valdemar Poulsen (23 November 1869 – 23 July 1942) was a Danish engineer who made significant contributions to early radio technology. He developed a magnetic wire recorder called the telegraphone in 1898 and the first continuous wave radio ...
in Denmark around 1900 for recording audio. In the 1950s, magnetic recording of digital computer data on plastic tape coated with iron oxide was invented. In 1960, IBM used the magnetic tape idea to develop a reliable way of securing magnetic stripes to plastic cards
A debit card, also known as a check card or bank card is a payment card that can be used in place of cash to make purchases. The term ''#Plastic card, plastic card'' includes the above and as an identity document. These are similar to a credi ...
,[Jerome Svigals, The long life and imminent death of the mag-stripe card, ]IEEE Spectrum
''IEEE Spectrum'' is a magazine edited by the Institute of Electrical and Electronics Engineers.
The first issue of ''IEEE Spectrum'' was published in January 1964 as a successor to ''Electrical Engineering''. The magazine contains peer-revie ...
, June 2012, p. 71 under a contract with the US government for a security system. A number of International Organization for Standardization
The International Organization for Standardization (ISO ) is an international standard development organization composed of representatives from the national standards organizations of member countries. Membership requirements are given in Ar ...
standards, ISO/IEC 7810
ISO/IEC 7810 ''Identification cards — Physical characteristics'' is an international standard that defines the physical characteristics for identification cards.
The characteristics specified include:
* Physical dimensions
* Resistance to b ...
, ISO/IEC 7811
ISO/IEC 7811 ''Identification cards — Recording technique'' is a set of nine (7811-1 to 7811-9) standards describing the recording technique on identification cards.
It comprises:
"Part 1" '' Embossing''
"Part 2" ''Magnetic stripe — Low coer ...
, ISO/IEC 7812
ISO/IEC 7812 ''Identification cards – Identification of issuers'' is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies "a ...
, ISO/IEC 7813
ISO/IEC 7813 is an international standard codified by the International Organization for Standardization and International Electrotechnical Commission that defines properties of financial transaction cards, such as ATM or credit cards.
Scope
...
, ISO 8583
ISO 8583 is an international standard for ''financial transaction card originated'' interchange messaging. It is the International Organization for Standardization standard for systems that exchange electronic transactions initiated by cardholde ...
, and ISO/IEC 4909
ISO/IEC 4909 is a 2006 international standard produced by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) for ''Identification cards — Financial transaction cards — Magnetic stri ...
, now define the physical properties of the card, including size, flexibility, location of the magstripe, magnetic characteristics, and data formats. They also provide the standards for financial cards, including the allocation of card number ranges to different card issuing institutions.
In 1960 IBM used the magnetic tape to develop a reliable way of securing magnetic stripes to plastic cards, the most common identification and payment method to date. As technological progress emerged in the form of highly capable and always carried smartphone
A smartphone is a portable computer device that combines mobile telephone and computing functions into one unit. They are distinguished from feature phones by their stronger hardware capabilities and extensive mobile operating systems, whic ...
s, handhelds
A mobile device (or handheld computer) is a computer small enough to hold and operate in the hand. Mobile devices typically have a flat LCD or OLED screen, a touchscreen interface, and digital or physical buttons. They may also have a physical ...
and smartwatch
A smartwatch is a wearable computer in the form of a watch; modern smartwatches provide a local touchscreen interface for daily use, while an associated smartphone app provides management and telemetry, such as long-term biomonitoring. While ea ...
es, the term "digital card" was introduced.[
On May 26, 2011 ]Google
Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...
released its own version of a cloud hosted Google Wallet
Google Wallet (or simply Wallet) is a digital wallet platform developed by Google. It is available for the Android, Wear OS, and Fitbit OS operating systems, and was announced on May 11, 2022, at the 2022 Google I/O keynote. It began rollin ...
which contains digital cards - cards that can be created online without having to have a plastic card in first place, although all of its merchants currently issue both plastic and digital cards. There are several virtual card issuing companies located in different geographical regions, such as Weel in Australia and Privacy in the USA.
Magnetic stripe card
A magnetic stripe card is a type of card capable of storing data by storing it on magnetic material attached to a plastic card. A computer device can update the card's content. The magnetic stripe is read by swiping it past a magnetic reading head. Magnetic stripe cards are commonly used in credit card
A credit card is a payment card issued to users (cardholders) to enable the cardholder to pay a merchant for goods and services based on the cardholder's accrued debt (i.e., promise to the card issuer to pay them for the amounts plus the o ...
s, identity card
An identity document (also called ID or colloquially as papers) is any documentation, document that may be used to prove a person's identity. If issued in a small, standard credit card size form, it is usually called an identity card (IC, ID c ...
s, and transportation tickets. They may also contain a radio frequency identification (RFID) tag, a transponder device and/or a microchip
An integrated circuit or monolithic integrated circuit (also referred to as an IC, a chip, or a microchip) is a set of electronic circuits on one small flat piece (or "chip") of semiconductor material, usually silicon. Large numbers of tiny M ...
mostly used for access control
In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of ''accessing'' may mean consuming ...
or electronic payment.
Magnetic storage
Magnetic storage was known from World War II and computer data storage in the 1950s.
In 1969 an IBM engineer had the idea of attaching a piece of magnetic tape, the predominant storage medium at the time, to a plastic card base. He tried, unsuccessfully, and produced unacceptable results. The tape strip either warped or its characteristics were negativelty affected by the adhesive. After a frustrating day in the laboratory, trying to get the right adhesive, he came home with several pieces of magnetic tape and several plastic cards. As he entered his home his wife was ironing clothing. When he explained the source of his frustration, inability to get the tape to "stick" to the plastic in a way that would work, she suggested that he use the iron to melt the stripe on. He tried it and it worked. The heat of the iron was just high enough to bond the tape to the card.
Incremental improvements from 1969 through 1973 enabled developing and selling implementations of what became known as the Universal Product Code
The Universal Product Code (UPC or UPC code) is a barcode symbology that is widely used worldwide for tracking trade items in stores.
UPC (technically refers to UPC-A) consists of 12 digits that are uniquely assigned to each trade item. Along w ...
(UPC).. This engineering effort resulted in IBM producing the first magnetic striped plastic credit and ID cards used by banks, insurance companies, hospitals and many others.
Initial customers included banks, insurance companies and hospitals, who provided IBM with raw plastic cards preprinted with their logos contact information and the data which was to be encoded and embossed on the cards. Manufacturing involved attaching the magnetic stripe to the preprinted plastic cards using the hot stamping process developed by IBM. and 1973.
Further developments and encoding standards
IBM’s development work, begun in 1969
still needed more work. Steps required to convert the magnetic striped media into an industry acceptable device included:
# Creating the international standards for stripe record content, including which information, in what format, and using which defining codes.
# Field testing the proposed device and standards for market acceptance.
# Developing the manufacturing steps needed to mass-produce the large number of cards required.
# Adding stripe issue and acceptance capabilities to available equipment.
These steps were initially managed by Jerome Svigals of the Advanced Systems Division of IBM, Los Gatos, California
Los Gatos (, ; ) is an incorporated town in Santa Clara County, California, United States. The population is 33,529 according to the 2020 census. It is located in the San Francisco Bay Area just southwest of San Jose in the foothills of the ...
, from 1966 to 1975.
In most magnetic stripe cards, the magnetic stripe is contained in a plastic-like film. The magnetic stripe is located 0.223 inches (5.66 mm) from the edge of the card, and is 0.375 inches (9.52 mm) wide. The magnetic stripe contains three tracks, each 0.110 inches (2.79 mm) wide. Tracks one and three are typically recorded at 210 bits per inch (8.27 bits per mm), while track two typically has a recording density of 75 bits per inch (2.95 bits per mm). Each track can either contain 7-bit alphanumeric characters, or 5-bit numeric characters. Track 1 standards were created by the airlines industry (IATA). Track 2 standards were created by the banking industry (ABA). Track 3 standards were created by the thrift-savings industry.
Magstripes following these specifications can typically be read by most point-of-sale
The point of sale (POS) or point of purchase (POP) is the time and place at which a retail transaction is completed. At the point of sale, the merchant calculates the amount owed by the customer, indicates that amount, may prepare an invoice f ...
hardware, which are simply general-purpose computers that can be programmed to perform specific tasks. Examples of cards adhering to these standards include ATM card
An ATM card is a payment card or dedicated payment card issued by a financial institution (i.e. a bank) which enables a customer to access their financial accounts via its and others' automated teller machines (ATMs) and to make approved point of ...
s, bank card
A bank card is typically a plastic card issued by a bank to its clients that performs one or more of a number of services that relate to giving the client access to bank account.
Physically, a bank card will usually have the client's name, the ...
s (credit and debit cards including Visa
Visa most commonly refers to:
*Visa Inc., a US multinational financial and payment cards company
** Visa Debit card issued by the above company
** Visa Electron, a debit card
** Visa Plus, an interbank network
*Travel visa, a document that allows ...
and MasterCard), gift card
A gift card also known as gift certificate in North America, or gift voucher or gift token in the UK is a prepaid stored-value money card, usually issued by a retailer or bank, to be used as an alternative to cash for purchases within a parti ...
s, loyalty card
A loyalty program is a marketing strategy designed to encourage customers to continue to shop at or use the services of a business associated with the program. Today, such programs cover most types of commerce, each having varying features and ...
s, driver's license
A driver's license is a legal authorization, or the official document confirming such an authorization, for a specific individual to operate one or more types of motorized vehicles—such as motorcycles, cars, trucks, or buses—on a public ...
s, telephone card
A telephone card, calling card or phonecard for short, is a credit card-size plastic or paper card, used to pay for telephone services (often international or long-distance calling). It is not necessary to have the physical card except with a st ...
s, membership card
Business cards are cards bearing business information about a company or individual. They are shared during formal introductions as a convenience and a memory aid. A business card typically includes the giver's name, company or business aff ...
s, electronic benefit transfer cards (e.g. food stamp
In the United States, the Supplemental Nutrition Assistance Program (SNAP), formerly known as the Food Stamp Program, is a federal program that provides food-purchasing assistance for Poverty in the United States, low- and no-income people. It ...
s), and nearly any application in which value or secure information is ''not'' stored on the card itself. Many video game and amusement centers now use debit card systems based on magnetic stripe cards.
Magnetic stripe cloning can be detected by the implementation of magnetic card reader heads and firmware that can read a signature of magnetic noise permanently embedded in all magnetic stripes during the card production process. This signature can be used in conjunction with common two-factor authentication schemes utilized in ATM, debit/retail point-of-sale and prepaid card applications.
Counterexamples of cards which intentionally ignore ISO standards include hotel key cards, most subway and bus cards, and some national prepaid calling cards (such as for the country of Cyprus
Cyprus ; tr, Kıbrıs (), officially the Republic of Cyprus,, , lit: Republic of Cyprus is an island country located south of the Anatolian Peninsula in the eastern Mediterranean Sea. Its continental position is disputed; while it is geo ...
) in which the balance is stored and maintained directly on the stripe and not retrieved from a remote database.
Financial cards
There are up to three tracks on magnetic cards known as tracks 1, 2, and 3. Track 3 is virtually unused by the major worldwide networks , and often is not even physically present on the card by virtue of a narrower magnetic stripe. Point-of-sale card readers almost always read track 1, or track 2, and sometimes both, in case one track is unreadable. The minimum cardholder account information needed to complete a transaction is present on both tracks. Track 1 has a higher bit density (210 bits per inch vs. 75), is the only track that may contain alphabetic text, and hence is the only track that contains the cardholder's name.
Track 1 is written with code known as DEC
SIXBIT
A six-bit character code is a character encoding designed for use on computers with word lengths a multiple of 6. Six bits can only encode 64 distinct characters, so these codes generally include only the upper-case letters, the numerals, some punc ...
plus odd parity. The information on track 1 on financial cards is contained in several formats: A, which is reserved for proprietary use of the card issuer, B, which is described below, C-M, which are reserved for use by ANSI Subcommittee X3B10 and N-Z, which are available for use by individual card issuers:
= Track 1
=
Format B:
*Start sentinel — one character (generally '%')
*Format code="B" — one character (alpha only)
*Primary account number (PAN) — up to 19 characters. Usually, but not always, matches the credit card number
A payment card number, primary account number (PAN), or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, as well as stored-value cards, gift cards and other similar cards. In some situati ...
printed on the front of the card.
*Field Separator — one character (generally '^')
*Name — 2 to 26 characters, surnames separated by space if necessary, Surname separator: /
*Field Separator — one character (generally '^')
*Expiration date — four characters in the form YYMM.
*Service code — three characters
*Discretionary data — may include Pin Verification Key Indicator (PVKI, 1 character), PIN Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVC, 3 characters)
*End sentinel — one character (generally '?')
*Longitudinal redundancy check ( LRC) — it is one character and a validity character calculated from other data on the track.
= Track 2
=
This format was developed by the banking industry (ABA). This track is written with a 5-bit scheme (4 data bits + 1 parity), which allows for sixteen possible characters, which are the numbers 0-9, plus the six characters : ; < = > ?
. The selection of six punctuation symbols may seem odd, but in fact the sixteen codes simply map to the ASCII
ASCII ( ), abbreviated from American Standard Code for Information Interchange, is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices. Because of ...
range 0x30 through 0x3f, which defines ten digit characters plus those six symbols. The data format is as follows:
*Start sentinel — one character (generally ';')
*Primary account number (PAN) — up to 19 characters. Usually, but not always, matches the credit card number
A payment card number, primary account number (PAN), or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, as well as stored-value cards, gift cards and other similar cards. In some situati ...
printed on the front of the card.
*Separator — one char (generally '=')
*Expiration date — four characters in the form YYMM.
*Service code — three digits. The first digit specifies the interchange rules, the second specifies authorization processing and the third specifies the range of services
*Discretionary data — as in track one
*End sentinel — one character (generally '?')
*Longitudinal redundancy check ( LRC) — it is one character and a validity character calculated from other data on the track. Most reader devices do not return this value when the card is swiped to the presentation layer, and use it only to verify the input internally to the reader.
Service code values common in financial cards:
First digit
:1: International interchange OK
:2: International interchange, use IC (chip) where feasible
:5: National interchange only except under bilateral agreement
:6: National interchange only except under bilateral agreement, use IC (chip) where feasible
:7: No interchange except under bilateral agreement (closed loop)
:9: Test
Second digit
:0: Normal
:2: Contact issuer via online means
:4: Contact issuer via online means except under bilateral agreement
Third digit
:0: No restrictions, PIN required
:1: No restrictions
:2: Goods and services only (no cash)
:3: ATM only, PIN required
:4: Cash only
:5: Goods and services only (no cash), PIN required
:6: No restrictions, use PIN where feasible
:7: Goods and services only (no cash), use PIN where feasible
United States and Canada driver's licenses
The data stored on magnetic stripes on American and Canadian driver's licenses is specified by the American Association of Motor Vehicle Administrators The American Association of Motor Vehicle Administrators (AAMVA) is a non-governmental, voluntary, tax-exempt, nonprofit educational association. AAMVA is a private corporation which strives to develop model programs in motor vehicle administration, ...
. Not all states and provinces use a magnetic stripe on their driver's licenses. For a list of those that do, see the AAMVA list.
The following data is stored on track 1:
The following data is stored on track 2:
*ISO Issuer Identifier Number (IIN) - 6 digits
*Drivers License / Identification Number - 13 digits
*Field Separator - generally '='
*Expiration Date (YYMM) - 4 digits
*Birth date (YYYYMMDD) - 8 digits
*DL/ID# overflow - 5 digits (If no information is used then a field separator is used in this field.)
*End Sentinel - one character ('?')
The following data is stored on track 3:
Note: Each state has a different selection of information they encode, not all states are the same.
Note: Some states, such as Texas, have laws restricting the access and use of electronically readable information encoded on driver's licenses or identification cards under certain circumstances.
Other card types
Smart card
A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) c ...
s are a newer generation of card that contain an integrated circuit
An integrated circuit or monolithic integrated circuit (also referred to as an IC, a chip, or a microchip) is a set of electronic circuits on one small flat piece (or "chip") of semiconductor material, usually silicon. Large numbers of tiny ...
. Some smart cards have metal contacts to electrically connect the card to the reader
A reader is a person who reads. It may also refer to:
Computing and technology
* Adobe Reader (now Adobe Acrobat), a PDF reader
* Bible Reader for Palm, a discontinued PDA application
* A card reader, for extracting data from various forms of ...
, and contactless cards use a magnetic field or radio frequency (RFID
Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. An RFID system consists of a tiny radio transponder, a radio receiver and transmitter. When triggered by an electromag ...
) for proximity reading.
Hybrid smart cards include a magnetic stripe in addition to the chip—this is most commonly found in a payment card
Payment cards are part of a payment system issued by financial institutions, such as a bank, to a customer that enables its owner (the cardholder) to access the funds in the customer's designated bank accounts, or through a credit account and ma ...
, so that the cards are also compatible with payment terminals that do not include a smart card reader.
Cards with all three features: magnetic stripe, smart card chip, and RFID chip are also becoming common as more activities require the use of such cards.
Vulnerabilities
DEF CON 24
During DEF CON
DEF CON (also written as DEFCON, Defcon or DC) is a hacker convention held annually in Las Vegas, Nevada. The first DEF CON took place in June 1993 and today many attendees at DEF CON include computer security professionals, journalists, lawyer ...
24, Weston Hecker presented ''Hacking Hotel Keys, and Point Of Sales Systems.'' In the talk, Hecker described the way magnetic strip cards function and utilised spoofing software, and an Arduino
Arduino () is an open-source hardware and software company, project, and user community that designs and manufactures single-board microcontrollers and microcontroller kits for building digital devices. Its hardware products are licensed unde ...
to obtain administrative access from hotel keys, via service staff walking past him. Hecker claims he used administrative keys from POS systems on other systems, effectively providing access to any system with a magnetic stripe reader, providing access to run privileged commands.
Usage
Identification with a digital card is usually done in several ways:
# Displaying a QR code
A QR code (an initialism for quick response code) is a type of matrix barcode (or two-dimensional barcode) invented in 1994 by the Japanese company Denso Wave. A barcode is a machine-readable optical label that can contain information about th ...
on the customer's smartphone
A smartphone is a portable computer device that combines mobile telephone and computing functions into one unit. They are distinguished from feature phones by their stronger hardware capabilities and extensive mobile operating systems, whic ...
to the identifying host (a cashier
A retail cashier or simply a cashier is a person who handles the cash register at various locations such as the point of sale in a retail store. The most common use of the title is in the retail industry, but this job title is also used in the ...
i.e.). The unique QR code ensures privacy for every customer.
# Engaging an NFC
NFC may refer to:
Psychology
* Need for cognition, in psychology
* Need for closure, social psychological term
Sports
* NFC Championship Game, the National Football Conference Championship Game
* NCAA Football Championship (Philippines)
* Nati ...
protocol connection by placing the smartphone
A smartphone is a portable computer device that combines mobile telephone and computing functions into one unit. They are distinguished from feature phones by their stronger hardware capabilities and extensive mobile operating systems, whic ...
near the NFC
NFC may refer to:
Psychology
* Need for cognition, in psychology
* Need for closure, social psychological term
Sports
* NFC Championship Game, the National Football Conference Championship Game
* NCAA Football Championship (Philippines)
* Nati ...
Reader (using host card emulation
Host card emulation (HCE) is the software architecture that provides exact virtual representation of various electronic identity (access, transit and banking) cards using only software. Prior to the HCE architecture, near field communication (NFC) ...
method).
# Using IoB (Identification over Bluetooth, an obsolete method which is rarely used) or PoB (Payment over Bluetooth).
See also
References
External links
Magnetic Stripe Formats
A brief comparison of Mag stripe and RFID technology (2012)
A Brief History of Reprogrammable Card Technology (2012)
Magnetic Developer and Magnetic Encoding Standards
{{IBM
American inventions
Banking technology
Customer loyalty programs
Identity documents
Magnetic devices
Radio-frequency identification
1960 introductions
20th-century inventions