1、T/SF 67 E Page 1 Recommendation T/SF 67 (Nicosia 1990 (CAC) IDENTIFICATION AND PAYMENT CARD SERVICES Recommendation proposed by Working Group T/WG 7 “Services and facilities” (SF) Text of the Recommendatior-t adopted by “Telecornmimicatiois” Commission: “The European Conference of Posts and Telecomm
2、unications Administrations, considering - the growth in the demand for a mechanism for identification and payment services based on intelligent card - the dangers to European commerce if national services for Identification and Payment Card services develop - the recognition that the Identification
3、and Payment Card services may be an essential element in many other - the desirability of promoting an Identification and Payment Card Service that is acceptable in the services provided - that services already exist which incorporate some elements of Identification and Payment Card services, but ha
4、ve recornmetids to mentber organizations that - the general definition of the Identification and Payment Card Service, annexed herewith, is adopted as a guide when implementing this service element, - new releases of telematic services and their applications, employing Identification and Payment Car
5、d Service elements, should aim to achieve commensurate cost-savings by striving towards greater conformance with the concept annexed herewith.” technology, separately along divergent paths that preclude mutual recognition and harmonization, telematic services provided internationally by CEPT Adminis
6、trations, by any organization via telematic means, developed in an un-coordinated manner, O 1. 2. 3. 4. 4.1. 4.2. 4.3. 4.4. 4.5. 4.6. 4.7. 4.8. 4.9. 4.10. 4.11. 4.12. 4.13. 4.14. 4.15. 4.16. 4.17. 4.18. 4.19. 4.20. 4.21. 4.22. O Contents list INTRODUCTION . 3 SCOPE 3 DEFINITION . 3 SERVICE CONCEPTS
7、AND USER REQUIREMENTS 3 Relationship between entities . 3 Cost of the card service . 4 Multi-service considerations . 4 Card issuer 4 Evolutionary potential 4 Service domain management . 5 Users own service domain 5 International use 5 Security,. 5 Audit . 5 Durability,. . 5 Simplicity of user/card/
8、terminal operation . 6 Simultaneous use of different services . 6 Card use at various terminal types 6 Directory of Applicable services 6 Lost or stolen cards . 6 Catastrophic failure . 6 Choice of PINS. 6 Orientation of Card/terminal physical interface . 7 Ability to remove card at any time 7 Requi
9、rement to remove card at end of transaction Premature termination of the transaction 7 7 Fuqf July 10, 1990 r CEPT T/SF*b7*E 70 = 232b414 0007548 4 T/SF 67 E Page 3 Annex 1. INTRODUCTION This Annex describes the Identification and Payment Card Service. It is a common service element that can be used
10、 in a range of International services, where identification is required to control the access by users to services and supplementary services, and to effect billing and payment in regard to the use of telematic services. This service element may be used either alongside or instead of - identificatio
11、n systems based on other procedures, - payment systems based on coin or note collection, or other forms of card service, e.g. pre-payment cards that do not require identification of the user. 2. O SCOPE The scope of this Annex is for the definition of an Identification and Payment Card Service eleme
12、nt, in so far as it affects International Telecommunications services, in which identification is an essential feature of determining the user?s access rights to services, the entitlement to the invocation of supplementary services and for the payment for the use of services. It is the intention tha
13、t the Identification and Payment Card Service should be used in conjunction with a wide range of telecommunications services. However, the detailed assimilation of this service into other services is beyond the scope of this Annex and should be addressed in the relevant Recommendations for these ser
14、vices. Included within the scope of this Annex is the definition of the service concepts and the user requirements. In addition to the identification of the user to the service provider, the Identification and Payment Card Service may also include identification of the service provider to the user.
15、Mutual authentication protects the user from entering into a transaction with the wrong semice provider or with an entity imitating the desired service provider. 3. DEmION The Identification and Payment Card Service is a service element in which identification of the user, and sometimes the service
16、provider, is an essential feature in determining the user?s access rights to services, the entitlement to the invocation of supplementary services and for the payment for the use of services. 4. 4.1. Relationship between enities SERVICE CONCEPTS AND USER REQUmEMXNTS There are five principal entities
17、 involved: a) The user who desires to be identified so that services can be provided and charges raised in respect of the services used. b) The card, which is a unique physical token, the possession of which may be part of the proof of identity. c) The terminal, which provides an interface between t
18、he user, the card and the network. d) The card issuer, who issues cards, manages access to the service domains in the most general way. e) The service providers, who use the Identification and Payment Service element to regulate access to the services that they provide. There will be a defmed contra
19、ctual relationship between: The card holder and the card issuer. The card holder and the service providers. The card issuer and the service provider. It is possible that the card issuer may be one of the service providers. The card holder, card issuer and service provider may be located in the areas
20、 of different PTOs. I -EUmdquly 10, 1990 .* I_ - CEPT T/SF*b7* 90 232b4L4 0009549 b W T/SF 67 E Page 4 4.2. Cost of the card service For the service to be viable, the cost of providing, issuing and using the card service, or the additional cost of managing a telecommunications domain in a multi-serv
21、ice card, must be small compared with: - the cost in relation to carrying out the function using other methods of identification and payments, - the transaction charges accumulated in its use for payments, - the potential losses that might arise if access control security were not implemented. Some
22、of the identified cost elements of the Identification and Payment Card Service are listed below: card production cost p-processor cost personalization costs terminal card interface card support administration card distribution (service management) network costs handling the bill/charges inter-Admini
23、stration payments non-collectable revenue cost associating the card with different services terminal overheads for card reading infrastructure card issue service maintenance 4.3. Multi-service considerations There may be advantages in seeking convergence of telecommunications Identification and Paym
24、ent Card services with other card services, for example with banking cards. - Only one card reduces production costs, unifies handling procedures for customer, offers the possibility - Cards should be usable in the services of all Administrations. - Use of various services may be charged to a common
25、 credit; debit or pre-payment account. - Multi-service repertoire. - Typical examples of card service identification and payment repertoire may include: of only one PIN for multifunctional aspects. public/private telephone banking mobile services telematic sesvices (e.g. Videotex, MHS, facsimile, te
26、lex, teletex) invocation of supplementary services Pay TV access control EFTPOS However, while a service provider will be able to identify his own service domain on the card, this service provides should not be able to identify the other services supported by the card. Each service domain of a multi
27、-service card should be protected against alteration, retrieval or deletion by other service providers. 4.4. Card issuer Before an Identification and Payment Card can be used for access to a service, the card is personalized, issued and activated for each service. In general, the manufacturer, the c
28、ard issuer and the service provider will be different organizations. The service providers will activate their services only on cards which are issued by a trustworthy and reliable issuer. 4.5. Evolutionary potential The service concept is defined in the context of the long-term requirements for Ide
29、ntification and Payment Card services. In the short term, constraints of technology or limitations due to investment in current technology may prevent the service element from being provided in its entirety. However, each new release of telematic services, employing the Identification and Payment Ca
30、rd Service element, should strive towards a greater conformance with the overall concept. _- i -7 Edition of July LO, 1990 y-. T/SF 67 E Page 5 4.6. Service domain management In the case that a multi-service card used in more than one telematic service, where the services are possibly provided by di
31、fferent service providers, the Identification and Payment Card Service should permit each service provider to manage its own service-related information used in identification and payments : - adding new service data, for use in identification and payments, with a card that is already issued, - modi
32、fication of all service-related data (and software) relating to the card, - protection of this data (and programmes) from malicious or accidental change by other service providers, - cancellation by the service provider of the validity of the service-related data and de- activating the card for that
33、 particular service, - verification of the functionality of the card service and the authenticity of the associated stored data (and programmes), - managing data and programmes associated with the card service, but whose function is beyond iden- tification and payments. The definition of these funct
34、ions will be found in the relevant service Recom- mendations. 4.7. Users own service domain A private domain may be provided for the exclusive use of the card holder. This domain is for the local management of information, which may or may not be related to telecommunications applications. Examples
35、of telecommunications applications could include : - personal short-code dialling; - directories. Non-telecommunications applications could include an electronic purse. The users own service domain may include an overall access control procedure, e.g. a PIN, which must be satisfied before access can
36、 be obtained to any of the individual identification and payment facilities provided by the card service to telematic services. 4.8. International use Provision should be made in the service so that card holders may use their cards for access control and payments : - where the user and service provi
37、der are in the same country, - where the user and service provider are in different countries. The cards shouId have a unique international physical and logical label, so as to permit it to be returned to the issuer or to the owner, should the card be lost or mislaid. 4.9. Security The service provi
38、der should be able to define the minimum security requirements for use of the card in regard to their particular service. These minimum requirements for each service will be independent of the security requirements of other services facilitated by the card. 4.10. Audit For some applications, audit o
39、f the use of the card service may be required, so as to provide an independent corroboration of the transactions. The service provider will be the only entity that should have access to the audit records in his service domains within the card service. Only the card issuer will be able to access to t
40、he general audit record of the use of the card, but not to the details held in the domain of the service providers. 4.11. Durability Cards should be of rugged construction, able to survive a wide variety of adverse environmental conditions such as abrasion, bending, twisting, attack by solvents and
41、other chemicals, extreme high and low tem- peratures, burning, build-up of dirt and grime, contamination by grease and other substances. Cards are expected to last in good working order for a period of at least two years under normal usage conditions. I Edition of July 10, 1990 .- 7 7 CEPT T/SF*b7*E
42、 90 m 2326414 0009551 4 m T/SF 67 E Page 6 4.12. 4.13. 4.14. 4.15. 4.16. 4.17. 4.18. Simplicity of user/card/terminal operation A card service that is simple and easy to use is strongly required in order to contribute to the psychological acceptance of the operational procedures by the user. Most te
43、rminals, and particularly unattended ones, should give guidance in use (text or voice) with the ability for the user to select the language and presentation details at the time that the card service is personalized for each user and at the time when each application is loaded into a service domain.
44、Standardization should be required for structuring and formatting visual information at unattended terminals (signs, multi-language information, logos, definitions, etc.). Simultaneous use of different services The service should allow the card to be active simultaneously in more than one identifica
45、tion and payment application. Examples of simultaneous use of the service could be - access to a voice-mail service via a mobile telephone service, - simultaneous access to two independent databases, both which require identification for access and payments. Card use at various terminal types The ca
46、rd service should be usable with some (to be specified) services from - a variety of types of card reading terminals, - non-card reading terminals, provided that the overall service requirements are met. Thus, in practice, provision may need to be made for cards to carry more than one means of inter
47、action with the terminal. This in addition to the possibilities of smart-card with OS without contact pads, magnetic stripes, printed or embossed characters, there is also a requirement human input/output between the card and the terminal. Directory of Applicable services The user should have the ab
48、ility to determine for which services the card is configured to provide facilities for identification and payments, and for which of those services the card is currently validated. Depending on the services included in the card repertoire, it may be necessary to invoke an identification prologue to
49、gain access to this directory of information. It shall be possible for a user to obtain a list of activated applications available via the card. It may be that de-activated applications should also be shown. Lost or stolen cards In the event of a stolen or lost card, the user - may inform the card issuer so as to facilitate the return of the card, should it be found. As the card issuer has no day-to-day interaction with the card, and has no access to or direct control over individual service domains managed by the service providers, the user will also need to info