Java Card Forum

The Java Card Forum is an industry association of companies from the smart card, secure operating system and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.

Author Archives: Karen B


by

Christian Kirchstaetter Honoured with the 2025 Bertrand Award for Outstanding Contribution to the Java Card Forum

JCF President Jean-Daniel Aussel presents Christian Kirchstaetter with his Award

Munich, 18th November 2025 – The Java Card Forum e.V. (JCF) is proud to announce that Christian Kirchstaetter, Chairman of the JCF Technical Committee, has been awarded the 2025 Bertrand Award in recognition of his exceptional contribution to the Java Card Forum and to the development and evolution of Java Card technology.

The Bertrand Award, named in honour of Bertrand du Castel, one of the founding figures of the Java Card Forum and a pioneer in the field of smart card technology (who sadly passed away in February 2019), is presented annually to an individual who has demonstrated outstanding commitment, leadership, and technical excellence within the Java Card community. All JCF Members are eligible for nomination, and the winner is chosen through a vote of the entire membership.

A pioneer in the smart card industry, Bertrand du Castel played a crucial role in establishing the foundation of the Java Card Forum in the late 1990s. His work helped shape the standards and architecture that have made Java Card technology the trusted, interoperable platform for secure applications worldwide. The award bearing his name celebrates those who continue his legacy.

As Technical Committee Chairman, Christian Kirchstaetter has played a pivotal role in guiding the Forum’s technical work, fostering collaboration among members, and ensuring that Java Card technology continues to meet the evolving needs of the secure digital world. His leadership, expertise, and dedication have significantly contributed to the Forum’s mission to maintain and advance the interoperability, robustness, and innovation of the Java Card platform.

“I am deeply honored to highlight the outstanding contributions of Christian Kirchstatter, chair of our Technical Committee, who has been awarded this year’s prestigious Bertrand Award. Over many years, Christian has been a driving force in advancing the technical excellence and innovation of the Java Card ecosystem, leading with unwavering dedication, expertise, and leadership. His visionary work has not only shaped the Forum’s technical direction, but has profoundly influenced the broader industry standards and implementations that secure millions of devices worldwide. Congratulations, Christian, on this well-deserved recognition — your commitment inspires us all to push boundaries and innovate fearlessly.”

Upon receiving the award, Christian Kirchstaetter expressed his appreciation to his peers: “I’m deeply honoured to receive the Bertrand Award,” he said. “The Java Card Forum is built on collaboration and shared purpose, and this recognition reflects the collective effort of all our Members. I look forward to continuing our work together to advance Java Card technology.”

The JCF congratulates Christian on this achievement and thanks him for his ongoing contribution to the strength and success of the Java Card community.

About the Java Card Forum

Founded in 1997, the Java Card Forum is an industry association of leading companies involved in the development, manufacturing, and deployment of Java Card technology. Its mission is to promote the continued evolution and adoption of the Java Card platform, ensuring interoperability, security, and innovation across the smart card and secure element ecosystem.

For more information, visit www.javacardforum.org.

Media Contact:
Karen Brindley
Java Card Forum Secretariat
Email: karen.brindley@javacardforum.org
Website: www.javacardforum.org


by

Why Java Card is used by ST in their next generation payment solution

STMicroelectronics has unveiled STPay-Topaz-2, its next-generation contactless payment card system on chip (SoC). With Java Card providing the engine for critical aspects including multi-application coexistence, payment logic, and security, the new SoC’s arrival is a major advancement for the card industry and consumers. There is more flexibility to support a wider variety of payment brands, while a new auto-tuning feature ensures reader-independent connection quality for an enhanced user experience. In addition, advanced cryptography strengthens security and prepares the platform for upcoming, stronger industry standards.

ST has already supplied more than three billion STPay ready-to-use solutions to the payment market. STPay-Topaz-2 now introduces a specific feature which allows preloading the greatest quantity of payment applets per orderable part number in the market, which simplifies inventory management for card manufacturers. This innovation includes a unique product versioning which embeds the latest and most popular payment applets worldwide, including both VSDC2.8.1g1 and 2.9.2 Visa applets.

“Contactless payment has been a huge hit with consumers and the technology must now move forward as card suppliers strive to meet growing customer demand and more diverse market requirements,” said Bruno Batut, Banking & ID Business Unit Marketing Director, Connected Security Division, STMicroelectronics. “STPay-Topaz-2 can consolidate the largest set of payment apps on one orderable part number to simplify inventory management for card manufacturers, paving the way for further expansion in contactless payment popularity. We’ve also added auto-tuning to ensure the best tap-anywhere user experience and upgraded security ready for future standards including the forthcoming EMVCo C-8 kernel.”

The STPay-Topaz-2 is based on the ST31R480 secure microcontroller (MCU), manufactured in ST’s secure and certified facilities in France. The secure MCU achieved EMVCo certification in November 2024 and recently completed Common Criteria EAL6+ certification.

This STPay solution is ready for the payment industry’s adoption of stronger digital security, ranging from RSA/3DES encryption to advanced encryption standard (AES) and elliptic curve cryptography (ECC): it is designed to comply with the forthcoming EMVCo C 8 kernel. The platform also meets GlobalPlatform and Java Card standards, making it suitable for payments, loyalty programs, and custom applications.

With enhanced wireless performance, STPay-Topaz-2 also simplifies antenna integration for card manufacturers and enables efficient connectivity even with smaller antennas, providing greater design flexibility.

STPay-Topaz-2 samples are available immediately, with production already launched.

For pricing and sample requests, contact your local STMicroelectronics sales office.

Please visit https://www.st.com/en/secure-mcus/banking-id-transport.html for more information or watch this video: https://youtu.be/3FzpA4KIgdY


by

Nicolas Regnault is announced as the 2024 “Bertrand” Award Winner

Nicolas is recognised by his peers for his exceptional contribution to the Java Card Forum’s work

To celebrate the work of Bertrand du Castel (one of the Founder members of the JCF who sadly passed away in February 2019), the Java Card Forum (JCF) has worked with his family to initiate an Annual Award in his memory. The JCF has been keen to showcase the “Bertrand Award” as a visible recognition of the continued drive and dedication still shown by its Members, over 25 years since its inception.

Nicolas Regnault (left) receives his Award from Jean-Daniel Aussel (right), President of JCF

A new voting process has been introduced this year, where all members were listed and could be voted for (rather than just 4 members nominated by the Technical and Business Chairmen). The top 3 then went through to a second ballot to produce a Winner. 

This year’s top 3 were:
Alexandre Frey (NXP)
Nicolas Regnault (Thales)
Christian Kirchstaetter (NXP)

“It was a great pleasure in Munich during our Java Card Forum Fall meeting to present on behalf of the Java Card Forum the 2024 Bertrand Award to Nicolas Regnault of Thales,” declared Jean-Daniel Aussel, President of the Java Card Forum. “As the Java Card Forum is preparing for the great challenge to keep up with ever evolving security attacks and the upcoming of quantum computers, Nicolas has been fully dedicated to work on a Java Card based cryptographic framework for crypto agility and the support of post-quantum cryptographic algorithms with the other members of the Java Card Forum Technical Committee. This year’s award was based on an open vote without nomination, and truly reflects the peer recognition of Nicolas for his outstanding work on the topic.”

“I am really honoured to receive the 2024 Bertrand Award and the recognition of my peers,” responded Nicolas Regnault. “You can still count on me for my commitment in the Java Card Forum to make the technology as good and secure as possible.”

Congratulations to all 3 of the selected members and in particular, to Nicolas for his win.


by

jNet Secure Joins Java Card Forum, Expands Role in Driving Secure Java Card Solutions for Fintech, IoT, and Biometrics

November 13th, 2024—jNet Secure, a leader in Java Card OS and security solutions, is pleased to announce its new membership in the Java Card Forum (JCF), a premier industry association dedicated to advancing Java as the leading technology for smart cards and secure devices. Through this membership, jNet joins global technology leaders in shaping the future of Java Card standards for high-security environments.

In addition to its foundational Java Card OS licensing expertise, jNet Secure has pioneered advanced Fintech, IoT, and Biometric solutions on Java Card technology, now deployed across multiple markets. These innovations empower clients to secure digital transactions, authenticate identities biometrically, and enable safe IoT integrations, all while leveraging Java Card’s secure and scalable framework.

“We are thrilled to join the Java Card Forum and contribute to the evolution of secure, interoperable solutions that protect digital identities and transactions worldwide,” said Mikhail Friedland, CEO at jNet Secure. “Our commitment to innovation in Fintech, IoT, and Biometrics aligns perfectly with JCF’s mission, and we look forward to working together to set new standards in secure digital services.”

“The Java Card Forum is delighted to welcome jNet as a new member.”, declared Jean-Daniel Aussel, President of the Java Card Forum. “jNet has a strong Java Card expertise both in legacy segments, such as payment or identity, or more innovative applications such as crypto wallets. jNet is joining forces with the other leading member organizations collaborating in the Java Card Forum to foster the adoption and to advance the evolution of Java Card-based technology as the base for strong and interoperable digital security.”

As part of the Java Card Forum, jNet Secure will collaborate with other industry leaders to drive advancements in next-generation Java Cards, promoting a more secure and connected digital ecosystem.

For more information about jNet Secure and its solutions, please visit jnet-secure.com.

About jNet Secure
jNet Secure specializes in Java Card OS licensing and advanced security solutions for diverse finance, IoT, and biometrics applications, empowering secure digital experiences across industries.

About Java Card Forum
The Java Card Forum e.V. is an industry association of companies from the smart card, secure operating system and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.


by

Java Card is platform of choice for STMicroelectronics STeID solutions for trusted e-Identity and e-Government applications

STMicroelectronics has revealed the STeID Java Card smartcard platform that meets state-of-the-art requirements for electronic identity (eID) and eGovernment use cases. As eID documents using secure microcontrollers continue gaining importance in the fight against identity fraud, the STeID platform now accelerates the deployment of advanced solutions. Certified to common criteria EAL 6+, the platform comprises a secure operating system, STeID JC Open OS, and a portfolio of proprietary applets.

The STeID JC Open OS is compliant with the Java Card 3.0.5 card application framework and the Global Platform® 2.3.1 security and card-management architecture. This Open Platform OS provides all the features needed to host important applications such as machine-readable travel documents (eMRTD) compliant with the International Civil Aviation Organization ICAO 9303 standard. It also supports the electronic driving license standard ISO 18013, and eIDAS QSCD for qualified digital-signature creation devices. It will include Match-on-Card support for secure offline biometric authentication.

STeID Java Card incorporates support for Near Field Communication (NFC) specifications thereby providing a secure framework for creation of digital identity on mobile devices. The platform is used in conjunction with secure ICs such as ST’s ST31 microcontrollers, which are based on the dual-core Arm® SecurCore® SC000™ core with additional hardware security features. These low-power devices contain non-volatile memory, support contactless communication, RF-energy harvesting, and biometry, and are available in smartcard industry chip-module form factors and wafer-level chip-scale packages.

ST eID Java Card will be available from www.st.com at the end of June 2024.

For further information please visit https://www.st.com/steid


by

Calinel Pasteanu is announced as the 2023 “Bertrand” Award Winner

Calinel is recognised by his peers for his exceptional contribution to the Java Card Forum’s work

To celebrate the work of Bertrand du Castel (one of the Founder members of the JCF who sadly passed away in February 2019), the Java Card Forum (JCF) has worked with his family to initiate an Annual Award in his memory: The “Bertrand”. The JCF has been keen to showcase the “Bertrand Award” as a visible recognition of the continued drive and dedication still shown by its Members, over 25 years since its inception.

Each year the Business and Technical Committee Chairs nominate up to four Members who have made a significant contribution to the Forum and voting is then open to each individual JCF participant. This year’s nominees were:
Calinel Pasteanu (Oracle)
Nicolas Regnault (Thales)

Although Calinel could not be present at the Award ceremony held during the JCF Autumn Plenary in person, he participated via TEAMS and could be congratulated by his peers.

“Calinel is a well-deserved winner,” said Jean-Daniel Aussel, President of the Java Card Forum e.V. “In his position at Oracle, he gave unwavering support to the JCF. His long standing active participation in the steering and advancement of the Forum’s activities was instrumental in shaping and making a success of the successive Java Card releases.”

“The Java Card Forum has been designing the most advanced APIs to match up to date security requirements for billions of devices. Java Card technology has been and remains, the first choice for mass deployments in several markets, e.g. ID, Payment, Telco, and several IoT industrial profiles and fulfilling security requirements defined by different security schemes at different security levels (CC, FIPS, EMVCo, SESIP, etc.),” declared Calinel. “I am honoured to have been nominated for and to have received this Java Card Forum award. And I recommend joining the Java Card Forum to be part of designing the future – Java Card technology is getting more and more relevant as time goes on, due to the increasing importance of security requirements and the technology relevance reflected in setting standards organizations.”

Congratulations to both of the selected nominees and, in particular, Calinel for his win.


by

Smart Payment Association highlights the importance of Java Card technology for enabling secure payments

As part of the Java Card Forum’s 25 year celebrations in 2022, we asked the Smart Payment Association why the work of the Java Card Forum, and in particular the release of the Java Card 3.1 specification, is key to the evolution of payment security.

By Lorenzo Gaston, Technical Director, Smart payment Association

The IoT use case for card payments and Java Card v3.1 Specifications

IoT is a debated technology in the card payments industry since 2017. Different pilots are ongoing for a series of identified scenarios: Smart home, wearables and intelligent cars, as well as the next generation of petrol stations. Yet they still remain inconclusive.  Use cases in these scenarios assume that an IoT device may initiate a purchase and/or a payment on behalf of the end-user. These use cases are not that easy to categorize from a legal perspective.  IoT card payments also raise challenges in terms of legal compliance, with requirements for authentication, end-user consent and payment repudiation.

Moreover, IoT systems are cyber-vulnerable and shall be subject to specific design security certification procedures according to the EU Cybersecurity Act and the recent EU Cyber Resilience Act (“The CRA”). It’s still unclear how these EU Acts will impact card payment products implemented in different form factors. The reality is that (1) early compromise of IoT payments would kill the aforementioned uses cases and (2) security vulnerabilities exist in IoT because of the broad level of heterogeneous devices in field, with reduced memory and processing capabilities.

The deployment of IoT systems suffers from a lack of technical standards as well, especially if the payment processing back-office is hosted in the Cloud. These different legal and technical unknowns make the broad adoption of IoT by banks difficult. As a result, the payments card industry, is in a “wait and see” position, until IoT devices reach the level of maturity in terms of security, required to support card-based payment applications.

In this context, SPA can only welcome the effort provided by the Java Card Forum to release the Java Card 3.1 specifications, intended to also enable the development of an open and interoperable application platform for the security of IoT devices.  Java Card 3.1 introduces new APIs and updated cryptography functions to address IoT security needs. Java Card 3.1 also allows the development of security services that are portable across a wide range of IoT security hardware. Remote device attestation services as specified by the JC 3.1 will contribute to the early identification of IoT components that have been tampered with. IoT systems will feature a diversity of technical architectures and communication pathways between individual IoT devices, intermediate gateways and back-office payment authorization servers. The new extensible I/O model enables central applications to exchange sensitive data directly with connected IoT devices, over different physical layers and application protocols. In this context, the ability to address and fix individual IoT devices is a core security requirement. If IoT devices support JC 3.1 implementations, the monitoring capability of central banking facilities will be substantially improved.

SPA believes that the publication of JC 3.1 represents a key step forward to increase trust in IoT technology by the financial community. With that in mind, SPA draws your attention to the fact that PCI-SSC has just released its first bulletin including security considerations when deploying IoT in card payments. It includes with a definition for IoT devices, not specific to payments and more interestingly it provides a list of 10 “high level” security controls IoT “secure” devices should meet. These 10 security controls are mapped onto specific detailed requirements in a US ANSI/CTA 2088-A “Baseline Cybersecurity Standard for Devices and Systems”. Things are starting to move in the payments industry with respect to IoT technology and JC 3.1 appears as a timely enabler for this positive market evolution.

Is there a case for the implementation of Post-Quantum payment cards using JC v3.1 specifications?

Cryptographic extensions proposed by Java Card 3.1 significantly increases the potential for the card to provide security services to payment systems. Card payment systems are in the process of evaluating migration patterns towards stronger cryptography. A new generation of chips supporting more efficient Java Virtual Machines will allow the usage of more complex cryptographic algorithms. The challenges for the migration differ:

  • Migration to AES 256 bit will protect symmetric cryptography for card payment systems against quantum cryptanalysis. Given that, symmetric post quantum cryptographic algorithms are defined and standardized and can already be adopted. Domestic and International Card Schemes are already in the process of migrating from TDES to AES. JC v3.1 supports new cipher modes for AES and updated cryptographic packages to handle symmetric keys as trusted objects
  • The pathway for stronger asymmetric cryptography is more complex and different, as there are currently no post quantum cryptographic algorithms for the asymmetric use case defined or available. Furthermore, some of the proposed algorithms impose some challenges to current secure elements that implement Java Card technology, in terms of performance and available memory space. Within the payment industry, migration strategies are under discussion. SPA defends the use case of offline payment authentication using ECC according to:
  • The EMVCo recently released specifications: EMV Specification Bulletin 243 for contact cards and ECC C-8 Contactless Kernel specification for contactless payments and,
  • Backwards compatibility with existing RSA-based products

Therefore, in the short term, SPA outlines the need to specify methods for the ECC algorithms for both the EMV contact and EMV C-8 contactless specifications.

In the medium term, hybrid cryptographic payment cards and terminals will support classical and post-quantum public key mechanisms in addition to AES.  Because of the traditional long term migration periods for devices in card payment systems, it matters that future versions of the Java Card API include methods for access of payment applets to Post-Quantum cryptographic algorithms, such as those under standardization by US NIST after the conclusion of the 3rd round in the NIST selection contest.

What new regulated payment instruments could benefit from JC v3.1 extended functionalities?

The current payment landscape is dominated by cash and card payments for retail and person-to person transactions. For online payments, there are additional methods established, mostly based on direct credit transfer. New methods, such as instant payment or central bank digital currencies are on the horizon.  Regulations, such as PSD2 for example, and the planned PSD3 from the EU, enforce higher security for all of these payment methods by mandating strong customer authentication (SCA). They also intend to open payment methods to independent players, so-called Payment Initiation Service Providers (PISPs) and Account Servicing Payment Service Providers (ASPSPs).

Java Card technology is well suited to support these new payment instruments and comply with SCA, by implementing the legally defined authentication factor “something you own”. This can typically be a Smart Card, a mobile phone with an embedded Secure Element or (embedded) UICC, or other form factors. When these secure elements are based on JC 3.1 technology, they offer a simple possibility to add on these platforms multiple payment applications for different payment systems, which can, for instance, share essential confidential personal authentication data, such as the PIN code. As a further extension, it can also provide biometrics as an on-device cardholder verification method supporting the authentication factor “what you are”. Finally, the highly standardized JCF technology also allows a simple usage of these applications on different product platforms, without the need to change the application in the form of a Java Card applet itself.

State of the global market for payment cards and how SPA is advocating the use of card technology as the preferred retail payment instrument 

The Smart Payment Association (SPA) includes the leading payment card vendors (AUSTRIACARD, IDEMIA, G+D, Thales DIS) and silicon manufacturers (Infineon, ST).  SPA is organized in eight different WG’s addressing key domains of the payments card industry. Four of these WGs are of a technical nature and support the activity of SPA in standards bodies (EMVCo, PCI-SCC, European Cards Stakeholders Group (ECSG), European Payments Council (EPC)), payments industry groups led by European Payment Regulators (i.e. Payment Systems Market Expert Group – PSMEG), as well as the close monitoring of the evolving regulatory context for payments and the corresponding security certification framework (e.g., ENISA). SPA is recognized by its partners by our high level of commitment and contribution.

The smart payment cards market continues growing:

  • 2.63 billion smart payment cards and modules were delivered worldwide in 2021 by SPA Members and Advisory Council participants
  • Contactless cards accounted for 76% of all shipments, hitting the 2 billion threshold for the first time.
  • Circa 100 million next-generation eco-friendly smart payment cards delivered globally

** The views expressed in this article are solely those of the author listed and do not necessarily reflect the views of the Java Card Forum, its Members or Oracle. **