Giving currency to the Java Card API

The computer industry, more than any other, is built on the fundamental assumption of constant change. Moore’s law, for example, states that every eighteen months the number of transistors that can fit in a specific area doubles. Inexorably, and with almost assiduous precision, the industry experiences the obsolescence of an entire spectrum of products and the birth of a new generation, based on the latest generation of microprocessors. The newest generation of processors has yielded many well-recognized devices, including sub-notebooks, personal digital assistants (PDAs), and intelligent cell phones. It has also yielded a new generation of devices that, until now, have not been as well known, of which smart cards are only one example.

This article begins with a brief review of smart cards, a discussion of the benefits of the Java Card API, and an explanation of why the Java Card API has taken the smart card industry by storm. This is followed by a description of applications and services that will be demanded by companies trying to implement Java Card technologies. Finally, it discusses ways in which the Java Card is part of a larger trend in computing, and suggests ways for you to begin thinking about developing the skills necessary to succeed in an era of individualistic computers. For details on Schlumberger’s CyberFlex Java Card, see the current Java Developer column by Rinaldo Di Giorgio.

Why have smart cards received more attention than other new devices? Smart cards have existed in a variety of forms since 1974; they have had substantial success in parts of Europe (France and Germany, in particular); and this success has been driven by the development efforts of several notable companies (Bull/CP8, GemPlus, and Schlumberger, among others). You could even say that, in many ways, smart cards now have reached critical mass — not only in Europe, but in the United States and Asia as well. Today, 95 percent of all smart cards are sold in Europe. By 2001, analysts at Data Monitor, a market research organization that focuses on smart card markets, predict that well over 25 percent of the worldwide market for the 3 billion smart cards sold in that year will be outside of Europe. Much of the success that smart cards will experience in the next few years, and their increasing worldwide adoption, is directly related to one fundamental invention that is changing the nature of competition in the smart card industry: The Java Card API.

The Java Card API

The Java Card API is part of the smallest virtual machine specification for Java. The specification is designed to allow Java to run on an 8-bit microprocessor, with 14 kilobytes of electrically erasable and programmable read only memory (EEPROM), 8 kilobytes of read only memory (ROM), and 256 bytes (no we did not forget the “K”!) of random access memory (RAM). The specification was first released in November 1996. By the release of the Java Card API 2.0 one year later, every major vendor of smart cards in the world had licensed the technology. All these vendors are in the process of building working implementations. Both Schlumberger and GemPlus, companies that combined sell something like 75 percent of all smart cards, already have existing implementations and development toolkits for sale. By 2001, over 700 million of the 3 billion cards sold will run the Java Card virtual machine.

This rapid adoption rate for Java technology on a platform with which most Java developers have little familiarity has left independent software developers and system integrators wondering what smart cards, and Java Cards in particular, mean to their businesses. Is this an area they should be building competence in and, if so, what numbers and types of resources should be developed to take advantage of this new opportunity? Equally important, the more creative are asking what Java on small devices means to their businesses, and are beginning to make plans to succeed in the world of individualistic computing. Individualistic computers are portable devices containing a microprocessor with some specific functionality that is under the consumer’s control. Devices may be as large as personal digital assistants or cell phones, and as small as intelligent watches or rings.

What is a smart card?

A smart card is a card embedded with either a microprocessor and a memory chip or only a memory chip with nonprogrammable logic. The microprocessor card can add, delete, and otherwise manipulate information on the card, while a memory-chip card — the most common example of which are prepaid phone cards — can only undertake a predefined operation. Smart cards, unlike magnetic stripe cards, can carry all necessary functions and information on the card. Therefore, they do not require access to remote databases at the time of the transaction.

The problem with magnetic stripe cards

Smart cards have three unique benefits that have made them popular: increased data storage, security, and portability. A typical mag-stripe card can hold about 140 bytes of data — just enough space for a PIN number and critical data needed to log into a server-based system. In many situations, such as automating drivers’ licenses, this is not enough memory to meet the application’s storage needs. Mag-stripe cards have three other weaknesses.

First, they are not very secure. It is easy enough today to purchase the tools needed to hack into confidential data on a mag-stripe card. Any card — a phone card, for example — that requires storing value (money) on the card requires technology that is substantially more secure.

Second, mag-stripe cards require a host system to store and process all data. For mag-stripe cards to be useful, your card must always be connected to an online system. This is not necessarily a problem in the United States, where telecommunications costs are low. But in other countries (France, for example), high telecommunications costs make it uneconomical to keep a card reader continually online to process a credit-card or debit-card transaction. Taking the card reader offline and using a dial-up process for approving a purchase is not an option either as it takes too long. Thus, smart cards — in this case, chip cards — offer a unique solution for retailers who wish to accept credit cards or debit cards in a country with an expensive telecommunications infrastructure. A transaction can be processed and stored locally with a chip card, and then the entire batch of transactions can be downloaded to the bank’s system at the end of the day.

Third, portability is especially important for certain types of data — for example, personal identity data (also called your personal digital identity) and contact information — in a world of multiple devices, where data must be accessed on an “anytime, anywhere” basis. Some devices, like kiosks, will be networked; others, such as your PDA or a data pad for viewing secure information, may not be. Consumers will want certain types of information with them at all times, no matter which device is used, where it is, or whether it is networked. Smart cards, with their processing capabilities and increased memory capacity, provide a convenient solution for making data portable and universally accessible.

Java Cards offer extra benefits

Although smart cards have benefits over mag-stripe cards that make card issuers willing to spend substantially more for an individual card, smart cards have some limitations: portability of applications, the flexibility to download applications into a card, and a small universe of knowledgeable programmers. The Java virtual machine’s unique design offers the smart-card industry a solution to these limitations. Java’s most fundamental feature — the ability to write applications on one operating system platform and have them run on all platforms — allows a single application to run on all smart cards.

Just as important, Java’s design around applets — small code objects that are designed to be downloaded onto a client machine from a remote host — is perfect for allowing multiple applications to reside on a single card. Applets are small enough so that several can fit into the small amounts of memory available on smart cards. Because they are downloadable, applets also can be installed “in place” via card-accepting devices such as point-of-sale (POS) terminals. Java Cards’ functionality can be continually updated as new applications or updates become available.

Java provides a security model that lets applets from multiple sources reside safely on the same card. This is important because applets on smart cards may attempt access to data intended to be private only to that applet. For example, you would not want to allow one applet to get at critical purchasing histories from another application that might come from a competing company.

Java speeds and simplifies the development of smart-card applications. Because of its many time-saving features — automated memory management and automatic garbage collection, for example — Java can reduce coding time over traditional languages such as C++ by as much as 60 percent. The results are even more impressive when compared to the proprietary, assembly-language-like environment for smart card development. Applications compiled into machine code typically take many months (up to a year) to debug and deploy, because they need to be masked in ROM for security reasons. Applications written in Java, however, can be debugged much more easily and deployed almost immediately through Java’s dynamic applet download capability.

The reason for this improvement in speed has to do, in part, with the tools that can be used. Instead of having to learn a new proprietary tool, Java Card developers can build applications using standard, off-the-shelf, integrated Java development environments such as Symantec Café. Code written this way then runs through a post-processor, which shrinks the applet as much as possible and ensures that the code will run correctly in the limited Java Card environment.

Java solutions

Although it is still too early to know whether the ultimate model will be for individuals to carry a single card that holds all their private information or whether they will carry a variety of cards, there are some clearly defined markets that will adopt smart cards in the next few years. The most immediate areas in which Java Cards will find use include:

• Financial services — Financial institutions are looking to use smart cards to deliver higher value-added services to businesses and consumers at a lower cost per transaction. These services include money on a card, corporate card programs, and targeted marketing programs based on analysis of consumers’ buying patterns.

• Affinity programs — Airlines, retailers, and other companies that offer a range of ancillary services and loyalty programs along with their basic product want to use smart cards to deliver these programs with a higher level of service, improved ease of use, and at a lower cost. For example, airlines want to use smart cards not only as a vehicle for issuing and carrying tickets — even though the single benefit of being able to securely order/provide a ticket directly to chip cards via the Internet is substantial. Airlines also want to use the cards to provide tie-ins to their frequent-flyer programs and to cross-marketing deals with auto rentals and hotels, as well as to provide simplified access to private airline lounges.

• Cellular phones — Cellular phone services in the United States are losing .5 million per day because of fraud. Although smart cards offer a mechanism to secure cellular phones against fraudulent use, only Java Cards offer the ability to download new functions into a phone in real time.

• Set-top boxes — Subscription satellite and cable services suffer from fraud problems similar to those in the cellular phone business. Once again, Java Cards offer security and the ability to add/update customer functions available to consumers in real time.

• Secure network access — Smart cards can carry an individual’s digital signature. With this ability, they provide a special mechanism to secure access to computer networks within a corporation, they help ensure that only individuals with the proper authority can get access to specific network resources, and they reduce the likelihood that hackers can break into a system.

The figure below shows projected sales of smart cards by vertical market over the next few years. The figure shows that applications for phones, banking/finance, games, and security will create the greatest demand for cards. 1998 will be the year for pilot projects — small-scale implementations that test a technology to see if it is viable — as working versions of version 2.0-enabled Java Cards finally come to market in large numbers from multiple vendors. 1999 will see more pilots, and some of the pilot projects from the previous year will move into full production. 2000 and beyond? Well, that’s the upward curve on the “hockey stick.” That’s when demand for smart card programmers, applications, and services potentially will far outstrip the supply.

Reaping the Java Card bounty

So, what opportunities exist in this looming bonanza for application developers, custom software developers, and application integrators? The answer is somewhat schizophrenic: lots and very few. Lots of opportunities will exist for those companies that take the time to understand the unique features of the smart card market, identify trends in that market that they can exploit, and build the skills needed to succeed. Very few opportunities will exist for the average Java programmer who treats Java cards — and for that matter any of the low-end Java platforms (for example, Personal Java and Embedded Java) — as just an extension of the desktop. Put it this way: “I can write a Java applet. Java Card is written in Java. Therefore, I can write Java Card applets” is not a formula that guarantees success. While substantial success with the low-end Java platforms is possible, like most business opportunities, success will require a reasonable investment on the part of any newcomer.

Let’s consider the smart card market for a moment to understand why this is true. Today, the smart card market consists of about 10 smart card manufacturers (mostly French), a host of terminal vendors (who make the card readers), about 50 smart card issuers worldwide, a handful of system integrators like Cards, Etc. in Australia, and (in the case of the financial services industry) card associations like VISA, Mastercard/Mondex, American Express, Europay, and JCB. About 200 smart card programmers worldwide, split between the manufacturers, the issuers, and the integrators, serve this market. This is a relatively small universe of participants who interact through an existing set of corporate relationships and individual networks. Because the technology is so detailed, the development environment is so arcane and difficult, and security is one of they key benefits of smart cards, issuers tend to turn to the well-established experts in the field, in combination with their own internal staff, to build their software and back-end systems.

Just because the Java Card API makes it possible for any Java programmer to write an applet doesn’t mean that the industry suddenly is going to change its approach to business. As with all new technologies, it will take time for industry thinking to catch up with the implications inherent in a new paradigm.

For one thing, security continues to be a concern, especially in the case of financial institutions issuing stored-value cards. These institutions are financially liable if a rogue applet is installed on their cards and ultimately manages to steal money or other confidential data from the financial institutions’ systems.

Therefore, you should not expect to be able to buy a blank card at your local computer warehouse store and install an applet — at least not in the next few years. In the near future, cards will continue to be distributed by issuers, who will act as the controlling bodies for the applications that are loaded onto their cards. The issuers will test and certify each applet before it is loaded. What this means is that the early opportunities around Java Cards will involve working hand-in-hand with the smart card issuers to develop their specific applications and systems.

I advise companies and individuals interested in beginning to build expertise in smart cards to follow a four-step process between now and the end of the millennium:

1. Begin playing with the technology and learning the market. Buy the toolkits that are in the marketplace and develop some initial applications to learn the process of writing software for this unique environment. Study the marketplace by subscribing to appropriate publications and talking to experts in the field (some of whom are listed at the end of this article).

2. Align yourself with existing partners who have substantial expertise in the field and who will be needing many more technologists in the next few years than they can hire. Don’t plan to make money on your first couple of projects, but do them well and establish your reputation with your early partners. Once you have established a good reputation with a single vendor, lots of business will begin to flow.

3. Build your brand identity in the marketplace. Once you have succeeded with one partner or a small set of partners, begin to develop a brand. Invest in a good logo, develop a clear statement of your brand values and market focus, and put together a good set of collateral. Combine this with a good marketing plan and some investment in marketing activities such as booths at trade shows, public relations, and seminars.

4. Establish good recruiting and training programs. Like your customers, your growth will be limited by the dearth of technologists who know anything about smart cards and other low-end devices. In order to grow, firms will have to recruit smart people with related experience (for example, embedded systems development) and retrain them to their specific needs. The firms that combine good marketing with an ability to maximize their human resources will ultimately become the new generation of successful smart card technology vendors.

Conclusion

Smart cards and the Java Card API represent a relatively new set of technologies with a great deal of promise. Smart cards provide a secure, portable platform for “any time, anywhere” computing that can carry and manipulate substantial amounts of data, especially an individual’s personal digital identity. The Java Card API allows applications written for one card to be downloaded “in place” into any other card. The Java Card thus allows smart cards to become a general-purpose computing platform and creates a potentially huge market for application software and development — especially for financial, telecommunications, television, and security applications.

By the year 2000, the demand for Java Card API applications and services will begin to outstrip the current supply of resources available to the industry, thus creating a potentially lucrative market for individuals and companies who wish to specialize in smart card application development. However, succeeding in this new market will require working today to establish your company’s expertise and reputation with the key players in todays market — including smart card manufacturers, terminal vendors, issuers, system integrators, and others. Companies that make this investment in the next 24 months will be positioned to take advantage of the rapid market expansion that will occur around the year 2000. By that time, the market will have evolved to a point where many new opportunities — standardized applets for cards, enterprise systems software, integration of card capabilities into “boxed” software, systems integration, to name a few — will become available. Those who are prepared will prosper and have the satisfaction of knowing they correctly anticipated and participated in the birth of an entirely new generation of computing.