Java Card Forum

The Java Card Forum is an industry association of companies from the smart card, secure operating system and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.


Java Card at the Heart of Secured Wearable Payments

As contactless payment continues to expand beyond cards and smartphones, secured wearable devices are becoming an increasingly important part of the digital payments ecosystem. A recent announcement from Java Card Forum member Infineon Technologies highlights this trend, with the introduction of SECORA™ Connect X and SECORA™ Wallet with SECORA™ Token Requestor for enabling secured contactless payments in smart wearables.

Infineon’s release points to growing demand for NFC-enabled devices, including smart watches, smart rings, sports watches and fitness trackers. Its SECORA™ Connect X solution uses a Secure Element to store payment credentials directly on the chip, rather than in the cloud, helping to provide a strong security foundation for wearable payment services. Combined with SECORA™ Wallet and SECORA™ Token Requestor, the solution supports card digitisation, payment tokenisation and branded wallet applications.

For the Java Card community, this is a strong example of the benefits Java Card technology brings to modern secured applications. Infineon notes that Java Card and GlobalPlatform standards support seamless integration through development tools, while pre-certified applets and available memory help developers create customised NFC and Bluetooth-enabled applications.

Java Card’s proven strengths (security, interoperability, flexibility and a mature development ecosystem) make it well suited to applications where trusted credentials must be protected in compact, power-efficient devices. In wearable payments, these benefits help manufacturers accelerate innovation while supporting the standards-based security and certification requirements expected across the global payments industry.

Infineon also highlights its contribution to industry bodies including the Java Card Forum, GlobalPlatform, EMVCo, ISO and the NFC Forum. This collaborative standards-based approach is central to the continued evolution of secured digital services, from payments and identity to IoT and connected devices.

Read Infineon’s full press release here: https://www.infineon.com/market-news/2026/infcss202605-091

Application page SECORA™ one-stop-shop for wearable payments: https://www.infineon.com/applications/security-solutions/payment-solutions/one-stop-shop-wearable-payments

Product page SECORA™ Connect X: https://www.infineon.com/products/security-smart-card-solutions/secora-security-solutions/secora-connect-solutions/secora-connect-x

Product page SECORA™ Wallet and SECORA™ Token Requestor: https://www.infineon.com/products/security-smart-card-solutions/secora-security-solutions/secora-wallet-and-secora-token-requestor


Preparing Secure Elements for the Quantum Era

As quantum computing advances, it promises transformative breakthroughs, but also introduces serious risks to today’s cryptographic systems. In this insightful whitepaper, Infineon Technologies explores how emerging quantum capabilities could compromise widely used security methods such as RSA and ECC, and why organizations must begin preparing now. 

The paper outlines the growing importance of post-quantum cryptography (PQC), a new generation of algorithms designed to withstand quantum-based attacks, and highlights the critical role of Secure Elements in safeguarding sensitive data and digital identities. It also provides a practical overview of global standards, migration timelines, and the technical challenges involved in transitioning to quantum-safe infrastructures.

With regulatory deadlines approaching and long device lifecycles at stake, the message is clear: preparation cannot wait. This whitepaper offers a valuable roadmap for organizations looking to future-proof their security strategies in the era of quantum computing.



Why Java Card Is a Natural Foundation for Secure Digital Cash

Digital cash is increasingly seen as a critical complement to existing forms of money, particularly in the forms of Central Bank Digital Currencies (CBDCs) or as an add-on to established payment schemes.

Unlike account-based digital payments, digital cash replicates essential properties of physical cash: it must be offline-capable, fungible, privacy-preserving, and peer-to-peer transferable.

Meeting these requirements places strong demands on the underlying technology, especially on the wallets that allow users to manage and transact their digital cash. Those wallets can come in many form factors, such as cards, smartphones, or wearable devices.

This is where Java Card technology plays a key enabling role.


Secure hardware for offline trust

As explained above, digital cash must function without continuous online connectivity. In offline scenarios, fraud prevention cannot rely on real-time backend checks; instead, trust must be anchored in tamper-resistant hardware, so-called Secure Elements (SEs).

Java Card has a long history as the execution environment for SEs used in many applications ranging from payments to identity, provided by a variety of stakeholders both from the public and the private sector.
Industry’s substantial experience in using Java Card to protect critical assets positions it as a suitable platform to safeguard digital cash against cloning, manipulation, and unauthorized extraction.

Strong cryptography and PKI integration

Digital cash heavily depends on public key infrastructure (PKI) to authenticate issuers, wallets, intermediaries, and merchants. Java Card provides standardized cryptographic APIs and key management mechanisms that fit neatly with this architecture. This allows system operators to preserve the integrity of digital cash across its lifecycle: secure issuance, storage, transfer, and redemption.

Lifecycle control and wallet integrity

It is not only the digital cash that follows a lifecycle; the wallets do too. For example, user onboarding may be delegated to multiple payment service providers, as reflected in emerging standards like ISO 13133. Java Card’s application model supports secure state transitions and policy enforcement within the SE, helping issuers maintain confidence in wallet integrity even in long-lived offline scenarios.

Privacy by design

Like physical cash, digital cash must respect users’ privacy, while still allowing issuers to remain the ultimate authority. Java Card enables this balance by allowing sensitive credentials and cryptographic operations to remain confined within certified hardware, reducing data exposure and supporting privacy-respecting designs without sacrificing security.

Future readiness

Digital cash systems should stay resilient against the backdrop of cryptographic transitions (PQC) and evolving regulatory requirements. Java Card’s modular, standards-based architecture allows wallets and tokens to evolve independently of hardware, supporting updates and extensions without requiring a complete redesign of secure devices.

In summary, digital cash demands the same level of trust, durability, and security historically associated with physical cash. Java Card provides a proven, standardized, and future-ready platform that enables secure offline operation, strong cryptographic protection, controlled lifecycles, and preservation of privacy, making it a natural foundation for digital cash implementations.

You can find out more about Giesecke+Devrient’s solutions in this area here.

Written by Dr. Lars Hupel
Chief Evangelist, Central Bank Digital Currencies
Giesecke+Devrient


Advancing eSIM Applet Security 

By Guido Abate, Chair of the Trusted Connectivity Alliance Board

Over recent years, exclusive market data from Trusted Connectivity Alliance (TCA) has highlighted how eSIM technology is being harnessed across the global digital economy to offer flexible connectivity, advanced security and enhanced experiences.

And as eSIM adoption continues to build, so too does industry demand for using the technology’s proven security capabilities to host the applets that enable various value-added mobile services. These include highly sensitive use-cases where security is paramount, including payments, identity management and IoT services.

The Critical Importance of Applet Security

Yet to maintain the highest level of security, applets must be developed correctly. This has become even more critical with the evolution to eSIM.

A single eSIM can host several profiles, each containing third-party applets that must securely share the resources of the eSIM and the mobile device. If one of these applets contains malicious software or can be used as a backdoor by hackers, other applets could be compromised and the security and privacy of the communication with that device could be at risk. 

The good news for Java Card developers is that clear, industry-recognised guidance already exists to support the development of secure, high-quality applets that enable the delivery of powerful eSIM-based value-added services. 

Stepping Stones for Java Card Applet Developers  

In 2024, Trusted Connectivity Alliance (TCA) published Stepping Stones for Java Card Applet Developers. It marked the latest release in its acclaimed ‘Stepping Stones’ series, which provides recommendations and guidelines to support the development and deployment of SIM-based technologies.

The latest edition addresses the unique considerations presented by Java Card technology, offering harmonised best practices and security recommendations to maximise interoperability and ensure eSIM applet assets are sufficiently protected. 

The guidance includes security measures applicable to all applets, such as ensuring Java Card applets pass byte code verification to confirm code integrity before execution, as well as using standard APIs. Additional recommendations for protecting sensitive applets are also provided. 

Importantly, the recommendations are widely recognised as industry best-practice. For instance, GSMA released guidance in response to a recent vulnerability disclosure related to a malicious Java Card application, in which researchers described how Test Profiles could be misused to install malicious Java Card applications within eSIM profiles. The guidance states: “Java Card Application developers should comply with ‘TCA Stepping Stones for Java Card Applet Developers’ recommendations.”

A Checklist for Secure Applet Development

To provide developers with practical guidance and to promote compliance, Stepping Stones for Java Card Applet Developers consolidates all security recommendations into a comprehensive, accessible checklist. This enables developers – particularly those who are newer to the eSIM market – to more effectively address common challenges. 

The checklist can also be used by quality and test engineers, as well as end customers, to verify proper implementations. This can help identify issues prior to deployment and promote increased trust across the ecosystem. 

Maximising eSIM Security and Interoperability

As the eSIM ecosystem continues to expand to encompass new use-cases and participants, TCA is committed to engaging with stakeholders across the industry on initiatives to maximise eSIM security and interoperability.  

For example, TCA recently participated in a joint session with the Java Card Forum to provide a technical deep-dive into how developers can utilise the recommendations and best-practices within ‘Stepping Stones for Java Card Applet Developers’ to advance the security of eSIM deployments. The session also explained how security can be bolstered by the TCALoader tool, which enables mobile operators and application developers to download, install and manage applications on the UICC / eUICC to test interoperability across different deployments.

Looking ahead – and as eSIM technology emerges as a key enabler of the global digital economy – TCA is exploring opportunities to bridge gaps across current standards and testing infrastructure to promote safe, reliable and consistent IoT deployments. 

‘Stepping Stones for Java Card Applet Developers’ is available to download here. To learn more about how TCA is advancing eSIM security, watch TCA’s webinar with the Java Card Forum here.


Why Java Card Is the Logical Choice for SECORA™ Pay M from Infineon

SECORA Pay M, FIDO, and the Role of Java Card

The new SECORA Pay M platform from Infineon brings together two high-security domains that traditionally lived on separate hardware: EMV-grade payment and FIDO-based authentication. By enabling both functions on a single secure element, SECORA Pay M targets devices such as payment cards and wearables that require seamless “tap-to-pay” and “tap-to-authenticate” behaviour.

To make this convergence practical, Infineon built SECORA Pay M on Java Card 3.1, and there are clear technical reasons why:

1. Multi-application secured co-existence: essential for EMV payment + FIDO on one chip

An EMV payment applet and a FIDO authenticator (for passwordless login) have distinctly different threat models and certification paths. Java Card provides strict application sandboxing, ensuring that the FIDO applet cannot access or infer anything about the payment keys, and vice-versa. This isolation is fundamental when combining two high-value credential domains.

2. Standards-aligned platform for FIDO

FIDO authentication relies on modern cryptographic primitives, secure key storage, attestation, and anti-phishing protections. Java Card provides standardized crypto APIs and lifecycle management consistent with GlobalPlatform, making it easier to implement a certified FIDO authenticator while reusing proven secure-element infrastructure.

3. Future-proofing across rapidly evolving authentication standards

FIDO specifications evolve quickly, and authentication requirements (e.g., passkeys, enterprise attestation, hybrid credentials) continue to expand. Java Card’s applet-based modularity allows updates or new authentication functions without redesigning the secure hardware. This gives SECORA Pay M a longer, more flexible lifecycle.

4. Faster certification and deployment for customers

Payment schemes, banks, and authentication providers all rely on well-established certification frameworks. Because Java Card is a long-standing standard in smart cards, much of the security architecture is already audit-proven. This reduces time-to-market for SECORA Pay M deployments that must satisfy both EMV payment and FIDO requirements.

In short: SECORA Pay M combines contactless EMV payments and modern “tap-to-authenticate” / passwordless login in a single secure element, and Java Card is the enabling layer – providing isolation, cryptographic consistency, standardization, and an upgrade path that makes this dual-function design both secure and scalable.

More details can be found here on the Infineon site.


Christian Kirchstaetter Honoured with the 2025 Bertrand Award for Outstanding Contribution to the Java Card Forum

JCF President Jean-Daniel Aussel presents Christian Kirchstaetter with his Award

Munich, 18th November 2025 – The Java Card Forum e.V. (JCF) is proud to announce that Christian Kirchstaetter, Chairman of the JCF Technical Committee, has been awarded the 2025 Bertrand Award in recognition of his exceptional contribution to the Java Card Forum and to the development and evolution of Java Card technology.

The Bertrand Award, named in honour of Bertrand du Castel, one of the founding figures of the Java Card Forum and a pioneer in the field of smart card technology (who sadly passed away in February 2019), is presented annually to an individual who has demonstrated outstanding commitment, leadership, and technical excellence within the Java Card community. All JCF Members are eligible for nomination, and the winner is chosen through a vote of the entire membership.

A pioneer in the smart card industry, Bertrand du Castel played a crucial role in establishing the foundation of the Java Card Forum in the late 1990s. His work helped shape the standards and architecture that have made Java Card technology the trusted, interoperable platform for secure applications worldwide. The award bearing his name celebrates those who continue his legacy.

As Technical Committee Chairman, Christian Kirchstaetter has played a pivotal role in guiding the Forum’s technical work, fostering collaboration among members, and ensuring that Java Card technology continues to meet the evolving needs of the secure digital world. His leadership, expertise, and dedication have significantly contributed to the Forum’s mission to maintain and advance the interoperability, robustness, and innovation of the Java Card platform.

“I am deeply honored to highlight the outstanding contributions of Christian Kirchstaetter, chair of our Technical Committee, who has been awarded this year’s prestigious Bertrand Award. Over many years, Christian has been a driving force in advancing the technical excellence and innovation of the Java Card ecosystem, leading with unwavering dedication, expertise, and leadership. His visionary work has not only shaped the Forum’s technical direction, but has profoundly influenced the broader industry standards and implementations that secure millions of devices worldwide. Congratulations, Christian, on this well-deserved recognition — your commitment inspires us all to push boundaries and innovate fearlessly.”

Upon receiving the award, Christian Kirchstaetter expressed his appreciation to his peers: “I’m deeply honoured to receive the Bertrand Award,” he said. “The Java Card Forum is built on collaboration and shared purpose, and this recognition reflects the collective effort of all our Members. I look forward to continuing our work together to advance Java Card technology.”

The JCF congratulates Christian on this achievement and thanks him for his ongoing contribution to the strength and success of the Java Card community.

About the Java Card Forum

Founded in 1997, the Java Card Forum is an industry association of leading companies involved in the development, manufacturing, and deployment of Java Card technology. Its mission is to promote the continued evolution and adoption of the Java Card platform, ensuring interoperability, security, and innovation across the smart card and secure element ecosystem.

For more information, visit www.javacardforum.org.

Media Contact:
Karen Brindley
Java Card Forum Secretariat
Email: karen.brindley@javacardforum.org
Website: www.javacardforum.org


Why Java Card is used by ST in their next generation payment solution

STMicroelectronics has unveiled STPay-Topaz-2, its next-generation contactless payment card system on chip (SoC). With Java Card providing the engine for critical aspects including multi-application coexistence, payment logic, and security, the new SoC’s arrival is a major advancement for the card industry and consumers. There is more flexibility to support a wider variety of payment brands, while a new auto-tuning feature ensures reader-independent connection quality for an enhanced user experience. In addition, advanced cryptography strengthens security and prepares the platform for upcoming, stronger industry standards.

ST has already supplied more than three billion STPay ready-to-use solutions to the payment market. STPay-Topaz-2 now introduces a specific feature which allows preloading the greatest quantity of payment applets per orderable part number in the market, which simplifies inventory management for card manufacturers. This innovation includes a unique product versioning which embeds the latest and most popular payment applets worldwide, including both VSDC2.8.1g1 and 2.9.2 Visa applets.

“Contactless payment has been a huge hit with consumers and the technology must now move forward as card suppliers strive to meet growing customer demand and more diverse market requirements,” said Bruno Batut, Banking & ID Business Unit Marketing Director, Connected Security Division, STMicroelectronics. “STPay-Topaz-2 can consolidate the largest set of payment apps on one orderable part number to simplify inventory management for card manufacturers, paving the way for further expansion in contactless payment popularity. We’ve also added auto-tuning to ensure the best tap-anywhere user experience and upgraded security ready for future standards including the forthcoming EMVCo C-8 kernel.”

The STPay-Topaz-2 is based on the ST31R480 secure microcontroller (MCU), manufactured in ST’s secure and certified facilities in France. The secure MCU achieved EMVCo certification in November 2024 and recently completed Common Criteria EAL6+ certification.

This STPay solution is ready for the payment industry’s adoption of stronger digital security, ranging from RSA/3DES encryption to Advanced Encryption Standard (AES) and elliptic curve cryptography (ECC): it is designed to comply with the forthcoming EMVCo C-8 kernel. The platform also meets GlobalPlatform and Java Card standards, making it suitable for payments, loyalty programs, and custom applications.

With enhanced wireless performance, STPay-Topaz-2 also simplifies antenna integration for card manufacturers and enables efficient connectivity even with smaller antennas, providing greater design flexibility.

STPay-Topaz-2 samples are available immediately, with production already launched.

For pricing and sample requests, contact your local STMicroelectronics sales office.

Please visit https://www.st.com/en/secure-mcus/banking-id-transport.html for more information or watch this video: https://youtu.be/3FzpA4KIgdY