Java Card Forum

The Java Card Forum is an industry association of companies from the smart card, secure operating system and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.

Smart Payment Association highlights the importance of Java Card technology for enabling secure payments

As part of the Java Card Forum’s 25 year celebrations in 2022, we asked the Smart Payment Association why the work of the Java Card Forum, and in particular the release of the Java Card 3.1 specification, is key to the evolution of payment security.

By Lorenzo Gaston, Technical Director, Smart Payment Association

The IoT use case for card payments and Java Card v3.1 Specifications

IoT has been a debated technology in the card payments industry since 2017. Different pilots are ongoing for a series of identified scenarios: smart home, wearables and intelligent cars, as well as the next generation of petrol stations. Yet they still remain inconclusive. Use cases in these scenarios assume that an IoT device may initiate a purchase and/or a payment on behalf of the end-user. These use cases are not that easy to categorize from a legal perspective. IoT card payments also raise challenges in terms of legal compliance, with requirements for authentication, end-user consent and payment repudiation.

Moreover, IoT systems are cyber-vulnerable and shall be subject to specific design security certification procedures according to the EU Cybersecurity Act and the recent EU Cyber Resilience Act (“The CRA”). It is still unclear how these EU Acts will impact card payment products implemented in different form factors. The reality is that (1) an early compromise of IoT payments would kill the aforementioned use cases and (2) security vulnerabilities exist in IoT because of the broad range of heterogeneous devices in the field, with reduced memory and processing capabilities.

The deployment of IoT systems suffers from a lack of technical standards as well, especially if the payment processing back-office is hosted in the Cloud. These different legal and technical unknowns make the broad adoption of IoT by banks difficult. As a result, the payments card industry is in a “wait and see” position until IoT devices reach the level of security maturity required to support card-based payment applications.

In this context, SPA can only welcome the effort provided by the Java Card Forum to release the Java Card 3.1 specifications, intended to also enable the development of an open and interoperable application platform for the security of IoT devices. Java Card 3.1 introduces new APIs and updated cryptography functions to address IoT security needs. Java Card 3.1 also allows the development of security services that are portable across a wide range of IoT security hardware. Remote device attestation services as specified by JC 3.1 will contribute to the early identification of IoT components that have been tampered with. IoT systems will feature a diversity of technical architectures and communication pathways between individual IoT devices, intermediate gateways and back-office payment authorization servers. The new extensible I/O model enables central applications to exchange sensitive data directly with connected IoT devices, over different physical layers and application protocols. In this context, the ability to address and fix individual IoT devices is a core security requirement. If IoT devices support JC 3.1 implementations, the monitoring capability of central banking facilities will be substantially improved.

SPA believes that the publication of JC 3.1 represents a key step forward to increase trust in IoT technology by the financial community. With that in mind, SPA draws your attention to the fact that PCI-SSC has just released its first bulletin including security considerations when deploying IoT in card payments. It includes a definition of IoT devices that is not specific to payments and, more interestingly, it provides a list of 10 “high level” security controls that “secure” IoT devices should meet. These 10 security controls are mapped onto specific detailed requirements in the US ANSI/CTA 2088-A “Baseline Cybersecurity Standard for Devices and Systems”. Things are starting to move in the payments industry with respect to IoT technology, and JC 3.1 appears as a timely enabler for this positive market evolution.

Is there a case for the implementation of Post-Quantum payment cards using JC v3.1 specifications?

The cryptographic extensions proposed by Java Card 3.1 significantly increase the potential for the card to provide security services to payment systems. Card payment systems are in the process of evaluating migration patterns towards stronger cryptography. A new generation of chips supporting more efficient Java Virtual Machines will allow the usage of more complex cryptographic algorithms. The challenges for the migration differ:

  • Migration to AES 256 bit will protect symmetric cryptography for card payment systems against quantum cryptanalysis. Symmetric post-quantum cryptographic algorithms are already defined and standardized, so they can be adopted now. Domestic and international card schemes are already in the process of migrating from TDES to AES. JC v3.1 supports new cipher modes for AES and updated cryptographic packages to handle symmetric keys as trusted objects.
  • The pathway for stronger asymmetric cryptography is more complex and different, as there are currently no post-quantum cryptographic algorithms for the asymmetric use case defined or available. Furthermore, some of the proposed algorithms impose challenges on current secure elements that implement Java Card technology, in terms of performance and available memory space. Within the payment industry, migration strategies are under discussion. SPA defends the use case of offline payment authentication using ECC according to:
      • the recently released EMVCo specifications: EMV Specification Bulletin 243 for contact cards and the ECC C-8 Contactless Kernel specification for contactless payments, and
      • backwards compatibility with existing RSA-based products.

Therefore, in the short term, SPA outlines the need to specify methods for the ECC algorithms for both the EMV contact and EMV C-8 contactless specifications.

In the medium term, hybrid cryptographic payment cards and terminals will support classical and post-quantum public key mechanisms in addition to AES. Because of the traditionally long migration periods for devices in card payment systems, it matters that future versions of the Java Card API include methods for payment applets to access post-quantum cryptographic algorithms, such as those under standardization by US NIST after the conclusion of the 3rd round of the NIST selection contest.

What new regulated payment instruments could benefit from JC v3.1 extended functionalities?

The current payment landscape is dominated by cash and card payments for retail and person-to-person transactions. For online payments, there are additional established methods, mostly based on direct credit transfer. New methods, such as instant payment or central bank digital currencies, are on the horizon. Regulations such as PSD2, and the planned PSD3 from the EU, enforce higher security for all of these payment methods by mandating strong customer authentication (SCA). They also intend to open payment methods to independent players, so-called Payment Initiation Service Providers (PISPs) and Account Servicing Payment Service Providers (ASPSPs).

Java Card technology is well suited to support these new payment instruments and comply with SCA, by implementing the legally defined authentication factor “something you own”. This can typically be a smart card, a mobile phone with an embedded Secure Element or (embedded) UICC, or other form factors. When these secure elements are based on JC 3.1 technology, they make it simple to host multiple payment applications for different payment systems on the same platform, which can, for instance, share essential confidential personal authentication data, such as the PIN code. As a further extension, the platform can also provide biometrics as an on-device cardholder verification method supporting the authentication factor “what you are”. Finally, the highly standardized JCF technology also allows simple usage of these applications on different product platforms, without the need to change the application itself, in the form of a Java Card applet.
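As an added illustration, not code from the article, the SPA or the Java Card Forum, the following shows the Java Card mechanism behind that PIN sharing: one applet owns the PIN and a second payment applet verifies against it across the applet firewall through a Shareable interface, with the holder deciding by AID which client may use it. Package names, AIDs and the install-parameter layout are assumptions made for the example.

```java
// ---- File 1: shared interface, in a library package both applets can import ----
package com.example.pinlib;                       // hypothetical package
import javacard.framework.Shareable;

public interface PinService extends Shareable {
    // The PIN value itself never crosses the firewall; only a verdict does.
    boolean verify(byte[] candidate, short offset, byte length);
    byte triesRemaining();
}

// ---- File 2: the applet that owns the PIN ----
package com.example.pinholder;                    // hypothetical package
import javacard.framework.*;
import com.example.pinlib.PinService;

public class PinHolderApplet extends Applet implements PinService {
    private static final byte TRY_LIMIT = (byte) 3, MAX_PIN = (byte) 8;
    // Constructed AID of the single payment applet allowed to use the service.
    private static final byte[] CLIENT_AID = {(byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x10, 0x02};
    private final OwnerPIN pin;
    private PinHolderApplet(byte[] b, short off) {
        pin = new OwnerPIN(TRY_LIMIT, MAX_PIN);
        // Install parameters: [AID len][AID][ctrl len][ctrl][data len][data]; data = initial PIN.
        off = (short) (off + 1 + b[off]);           // skip AID
        off = (short) (off + 1 + b[off]);           // skip control info
        pin.update(b, (short) (off + 1), b[off]);   // data length byte, then PIN digits
        register();
    }
    public static void install(byte[] b, short off, byte len) { new PinHolderApplet(b, off); }

    // Access control: only the whitelisted client obtains the interface object.
    public Shareable getShareableInterfaceObject(AID client, byte param) {
        if (client == null || !client.equals(CLIENT_AID, (short) 0, (byte) CLIENT_AID.length)) return null;
        return this;
    }
    public boolean verify(byte[] candidate, short offset, byte length) {
        // OwnerPIN.check decrements the try counter on failure and blocks after TRY_LIMIT.
        return pin.check(candidate, offset, length);
    }
    public byte triesRemaining() { return pin.getTriesRemaining(); }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);   // no PIN I/O over APDU here
    }
}

// ---- File 3: a payment applet that verifies the cardholder through the service ----
package com.example.payapp;                       // hypothetical package
import javacard.framework.*;
import com.example.pinlib.PinService;

public class PaymentApplet extends Applet {
    private static final byte INS_VERIFY = (byte) 0x20;                // ISO 7816-4 VERIFY
    private static final byte[] HOLDER_AID = {(byte) 0xA0, 0x00, 0x00, 0x00, 0x62, 0x10, 0x01};
    public static void install(byte[] b, short off, byte len) { new PaymentApplet().register(); }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_INS] != INS_VERIFY) ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        short len = apdu.setIncomingAndReceive();
        AID holder = JCSystem.lookupAID(HOLDER_AID, (short) 0, (byte) HOLDER_AID.length);
        PinService svc = holder == null ? null
                : (PinService) JCSystem.getAppletShareableInterfaceObject(holder, (byte) 0);
        if (svc == null) ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        // The APDU buffer is a global array readable across the firewall; an applet-private
        // array passed here would raise SecurityException.
        if (!svc.verify(buf, ISO7816.OFFSET_CDATA, (byte) len))
            ISOException.throwIt((short) (0x63C0 | svc.triesRemaining()));  // 63Cx: x tries left
    }
}
```

The holder applet never exposes the PIN digits, so a compromised or buggy client applet can at most consume retries, which OwnerPIN limits to TRY_LIMIT before blocking.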

State of the global market for payment cards and how SPA is advocating the use of card technology as the preferred retail payment instrument

The Smart Payment Association (SPA) includes the leading payment card vendors (AUSTRIACARD, IDEMIA, G+D, Thales DIS) and silicon manufacturers (Infineon, ST). SPA is organized in eight different WGs addressing key domains of the payments card industry. Four of these WGs are of a technical nature and support the activity of SPA in standards bodies (EMVCo, PCI-SSC, European Cards Stakeholders Group (ECSG), European Payments Council (EPC)), payments industry groups led by European payment regulators (i.e. Payment Systems Market Expert Group – PSMEG), as well as the close monitoring of the evolving regulatory context for payments and the corresponding security certification framework (e.g., ENISA). SPA is recognized by its partners for its high level of commitment and contribution.

The smart payment cards market continues growing:

  • 2.63 billion smart payment cards and modules were delivered worldwide in 2021 by SPA Members and Advisory Council participants.
  • Contactless cards accounted for 76% of all shipments, hitting the 2 billion threshold for the first time.
  • Circa 100 million next-generation eco-friendly smart payment cards were delivered globally.

** The views expressed in this article are solely those of the author listed and do not necessarily reflect the views of the Java Card Forum, its Members or Oracle. **

Saqib Ahmad is announced as the 2022 “Bertrand” Award Winner during 25th Anniversary Year

Saqib is recognised by his peers for his exceptional contribution to the Java Card Forum’s work

To celebrate the work of Bertrand du Castel (one of the Founder members of the JCF who sadly passed away in February 2019), the Java Card Forum (JCF) has worked with his family to initiate an Annual Award in his memory: The “Bertrand”. The JCF was keen to showcase the “Bertrand” as a visible recognition of the continued drive and dedication still shown by its Members, 25 years since its inception.

Each year the Business and Technical Committee Chairs nominate up to four Members who have made a significant contribution to the Forum and voting is then open to each individual JCF participant. This year’s nominees were:

  • Saqib Ahmad (Oracle)
  • Nicolas Regnault (Thales)
  • Werner Ness (G+D)
  • Ettore Toscano (ST)

Although Saqib could not be at the Award ceremony held during the JCF Autumn Plenary meeting in person, he participated via Zoom and could be congratulated by his peers.

“Saqib is a well-deserved winner,” said Jean-Daniel Aussel, President of the Java Card Forum e.V. “In his position at Oracle, Saqib had a long history with Java Card technology, particularly in the areas of specification improvement, extension and protection profile maintenance and has significantly contributed to the specification extension with his considerable knowledge and experience. We are delighted to have this opportunity to formally recognize his hard work and expertise.”

“I’m honored to be chosen the recipient of the Bertrand Award for the year 2022 by my peers at Java Card Forum,” declared Saqib. “I was part of the Java Card Forum, on and off, for about 20 years. During this time I had the privilege to work with great professionals like Bertrand Du Castel himself, after whom this award is named. Java Card is marvelous technology and the Java Card Forum is doing an excellent job steering it in the right direction and driving its market adoption. While I’m not part of the Java Card family anymore, I still remain a strong proponent and evangelist for the technology and I see a great future for it.”

Congratulations to all of the selected nominees and in particular Saqib Ahmad for his win.

Java Card enables innovative biometric cards

To further improve the performance and production effectiveness of biometric payment cards, Infineon Technologies AG and its strategic partner Fingerprints™ are developing the all-in-one solution SECORA™ Pay Bio.

This turnkey solution will come with a pre-certified Java Card operating system including Mastercard and Visa bio-applets. It will enable a cost-efficient, scalable production based on state-of-the-art card manufacturing equipment.

SECORA™ Pay Bio will extend Infineon’s well-established SECORA™ Pay turnkey solution family (all based on Java Card technology) to address the fast-growing segment of biometric banking cards. SLC39B is Infineon’s advanced system-on-chip (SoC) cryptoprocessor with integrated power source, large memory size and diverse peripherals as well as best-in-class contactless performance. The company’s BCoM is a tailored innovative dual-interface Coil on Module (CoM) for SECORA™ Pay Bio, which integrates Fingerprints’ advanced sensor and Infineon’s upcoming Secure Element into a single package. With the inductive coupling technology, no wire connection between the card antenna and the module is needed. This significantly improves the robustness and long-term reliability of biometric payment cards. With its innovative concept and enhanced capabilities, SECORA™ Pay Bio will make touchless payments more convenient without the need for low transaction limits.

Java Card technology as a flexible smart card platform, combined with GlobalPlatform card management features, enables fast innovation. With the standardized Java Card API, which separates the application layer from the operating system layer, payment networks can focus on the application design, whereas platform providers innovate at the operating system and chip level. The integration of new interfaces to sensors, or of libraries to extract and match fingerprint information, does not result in a complete re-design of the system, but in new Java Card APIs that can be used by all players in the industry. All this allows interoperability in the market and will provide added value for all players in the value chain.

More information is available at Payments-in-Motion.

ETSI celebrates its collaboration with the Java Card Forum

As part of the Java Card Forum’s 25 year celebrations, we asked ETSI SET why collaboration with the JCF has been so important over the years and what topics the 2 organisations will be working on together in the future.

By Denis Praca, Chairman of ETSI SET group

Java Card is the de-facto standard referenced by ETSI in TS 102 241 since 2004, for the support of interoperable applications on the UICC platform. Java Card is currently implemented by billions of UICCs, aka SIM cards, probably making this one of the most successful standards in the IT industry. Close collaboration between ETSI SCP, now ETSI SET, and the Java Card Forum has been a key factor for this success.

With the fast growth of the eSIM market, interoperability is becoming more stringent, because of the split between the eUICC platform on one side, issued under OEMs or eUICC manufacturer control, and the Profile issued under the MNO control on the other. Java Card is playing a crucial role in providing this interoperability, allowing the MNOs to continue to deploy their favorite applications in the eSIM ecosystem.

UICC standards are still under constant evolution, in order to adapt to new use cases. ETSI SET has recently issued a new release of its specifications supporting Multiple Logical Interfaces, allowing the UICC to host several virtual Secure Elements that coexist logically separated and are addressed independently through the same physical interface. This offers the means to embed independent identity (e.g. eIDAS), payment or transport applications in the same physical secure element as the eSIM. These new use cases require evolutions of Java Card, especially isolation and management of the different logical SEs and support of new APIs.

Besides the UICC, another technology is emerging in TC SET: the SSP platform. SSP offers more flexibility for its integration in devices, with the support of various physical and logical interfaces, as well as for the deployment of secure applications no longer relying on the APDU protocol. Support from the Java Card runtime environment is the next step, for which ETSI SET expects to collaborate with the Java Card Forum.

** The views expressed in this article are solely those of the author listed and do not necessarily reflect the views of the Java Card Forum, its Members or Oracle. **

25 Year Celebration Dinner

On 22nd November 2022, the Java Card Forum celebrated its 25th Anniversary during the Autumn Plenary in Bremen. We were delighted that Eduard Karel de Jong, who was part of the original Java Card development team, was able to join us and share some of his stories from “the good old days”! It was a very enjoyable evening, topped off with a delicious celebration cake. Congratulations to all of you who have been part of the Java Card Forum over the years, working hard to make it into the most pervasive technology for enabling certified security in end products.

Java Card – A Foundation for the Future

As part of the 25 Year Anniversary celebrations, the JCF has produced an Infographic to demonstrate the unique benefits of the Java Card platform in providing secure solutions across converging industry segments.

To view the Infographic as a PDF, please click here.

ENISA Lead Certification Expert reflects on JCF longevity & future of Java Card

In the fourth interview of the 25th Anniversary series, Eric Vétillard, Lead Certification Expert at ENISA, explains ENISA’s certification mandate and discusses how Java Card certification schemes are related to the ENISA scope. He also reflects on his time as the JCF Technical Committee (TC) Chairman and how it has shaped his career path since.

It’s been a while since you were the Technical Committee Chairman of the Java Card Forum. What have you been working on since then?

The last time I joined the Java Card Forum was when I was with Oracle; I was Product Manager for Java Card. I’ve had a few jobs since, that included a stint at NXP, where I stayed in touch with the JCF through present members like Christian Kirchstaetter [current Technical Committee chairman] and Alexandre Frey, but my focus was actually more on IoT processors and certification.

In 2019, I joined ENISA, the EU Cyber Security Agency, as a Certification Expert, so here I’ve been continuing the work I was actually doing at NXP – working on Cyber Security certification, but focusing more on a scheme on cloud services. So, this is not very close to Java Card, but thanks to my experience with Java Card and more generally with Secure Elements, I’ve also been involved in other schemes that we’re developing in ENISA on Common Criteria and also on 5G, where we’re also on the Embedded UICC. We’re working as a team, so it’s very nice to have this experience and it definitely helps.

What is ENISA doing with certification?

In 2019, the Cyber Security Act made ENISA a permanent agency in the EU and, maybe most importantly, assigned new tasks to the agency. One of these tasks is to design European Cyber Security certification schemes. Our role here is to prepare the schemes, in collaboration both with the industry and with the Member States. When we’re done with that, we’ll actually give these schemes to the Commission, who will derive an implementing Act and they become part of the EU law.

The first scheme that ENISA worked with is called EUCC – it’s a European scheme for Common Criteria. This one should be quite important for the Java Card community, as most Java Card products are certified with Common Criteria. This scheme will of course be used by at least European chip and card developers, hopefully starting next year with the first certification activities. ENISA will also continue in helping and guiding through the deployment of this scheme and other schemes that we are working on.

How are Java Card certification schemes related to the ENISA scope?

Java Card is not something that we explicitly talk about, but it often is in the background. For instance, many of the Java Card licensees are represented in our working groups on Common Criteria and 5G, and every time we consider examples of certified products, Java Card platforms are somehow cited. They are such an important component of the supply chain in smart cards’ Secure Elements. I’m also quite confident that some Java Card products will be among the first to be certified with both the EUCC and the EU5G – maybe we’ll be lucky enough to have a Java Card product being the first one to actually be certified.

Of course, with my work on cloud services, we are much further from Java Card and smart cards in general, but it’s interesting to see that there’s always some kind of a surprise reference that comes up every time we talk about access control or authentication. We rely on products, and these products rely on Java Card technology, so the link is indirect, but it’s always there, because the technology is so present everywhere.

Do you miss the Java Card Forum?

Well, yes I do! I’m not missing the interactions, because my work includes many interactions with the industry, with governments… But the cloud community is very large – discussions have a tendency to grow political at some points. So, what I really miss here is also the lower profile of the Java Card Forum, where you have a limited number of members; most of them are not even known to the general public and what we’re working on still remains in the background, yet we’re collaborating on the design of a product that just about everyone on the planet is using. It’s like we have the impact, but with maybe less visibility. And when you’re actually working on defining the next version of a specification, it’s easier when you work like this – a little bit hidden, especially for the technical people. For the business people this is not always seen as positive!

I’m sometimes missing the excitement of the Java Card Forum’s early days, back in the 1990s, when we were designing the first versions and all our companies were still wondering whether this would work or not. Well, 25 years later and there are billions of cards being sold every year with Java Card – I guess that now they know the answer to that question and I am very happy to see that the Java Card Forum is still here and that the technology still remains dominant. There hasn’t been another technology coming along and replacing it, and it doesn’t look like this will happen in the near future. I think the Java Card Forum is definitely a nice adventure!

View the interview in video format here