A Card Management System (CMS), or Smart Card Management System (SCMS), is a platform for managing smart cards throughout their life cycle. The system can issue cards, maintain them while in use, and take them out of circulation when they reach their “end-of-life.”
Smart cards provide the base for secure electronic identity as they store the credentials for authenticating the cardholder. They can also control access to networks, computers, and facilities. Security requirements for CMS solutions are often elevated, which is why their vendors are part of the computer security industry.
Card management systems are typically deployed as software applications. Suppose the platform needs to be accessible to more than one operator or user simultaneously, which is standard practice. In that case, the software is provided as a server application accessible from different client systems.
What Is a Smart Card
Smart cards are physical cards with an embedded integrated chip that act as a security token. They are usually metal or plastic and the same size as a driver’s license or payment card. They are designed to be tamper-resistant and use encryption to protect in-memory data.
They connect to card readers by direct physical contact (chip-and-dip) or via short-range wireless connectivity such as Near-Field Communication (NFC) or Radio-Frequency Identification (RFID).
Chips on smart cards can be either embedded memory chips or microcontrollers. Cards with the latter technology can manipulate information in the chip’s memory and perform on-card processing functions.
Internation standards and specifications cover smart card technology. In the United States, smart cards must comply with ISO/IEC 14443 and ISO/IEC 7816. The Secure Technology Alliance backs both.
How Smart Cards Work
Smart card memory chips and microprocessors exchange information with card readers and other devices over a serial interface. The readers most often serve as an external power source for the cards.
The reader and the smart card communicate through direct physical contact or a short-range wireless connectivity standard (NFC or RFID). The data on the card is stored, transmitted, and protected via a basic operating system, which allows the reader to access the information.
Once the connection is established, the card reader passes the data to its intended recipient, most likely an authentication or payment system, over a network connection.
Types of Smart Cards
Smart cards are categorised through different criteria, such as how they read and write data, the type of their chips, and their functionalities. For more information, check the table below.
| Type of Smart Card |
Description |
| Contact Smart Cards |
The most common type of smart card. It works with card readers that connect directly to a conductive contact plate on the card’s surface. These physical contact points transmit card status, commands, and data. |
| Contactless Cards |
No direct contact is necessary as these cards require only proximity to the reader to be read. The card and reader have antennas that allow them to interact through radio frequencies over a contactless link. |
| Dual-Interface Cards |
This card type is equipped with contact and contactless interfaces, which allows secure communication with two kinds of readers. |
| Hybrid Smart Cards |
Containing more than one smart card technology, they are used for different applications, such as accessing restricted areas and conducting SSO authentication. |
| Memory Smart Cards |
Only have memory chips that can store, read, and write data. The information on these cards can be modified and overwritten, but the cards aren’t programmable. Memory smart cards can be configured to be disposable or rechargeable. Often used to store data like passwords, public keys, and PINs. |
| Microprocessor Smart Cards |
Developed with memory blocks and a microprocessor embedded in the chip, these cards manage the information through a smart card OS. The stored data can be deleted and altered, while new information can be added. |
Smart Card Applications
Businesses use smart cards for the following purposes:
- Payments – Commercial credit card companies, banks, and other businesses issue debit and credit cards enabling users to conduct cashless financial transactions.
- Transportation – Passengers use smart cards to access bus, train, and underground stations and validate their commute. Transportation service providers issue cards to minimise the necessity for paper tickets.
- Benefits Distribution – Government use smart cards to allocate various benefits, for example, the U.S. Supplemental Nutrition Assistance Program.
- Communication – Subscriber Identify Module (SIM) cards are a type of smart card used by telecommunication companies to store contact details, media, and other types of data. SIM cards can also be found inside tablets, digital cameras, and other devices.
- Healthcare Management – Hospitals and clinics use smart health cards to securely store patient medical records and limit access to medication dispensing machines.
- Access Control – Businesses, educational facilities, and government agencies are known to use smart cards to control access to physical locations.
Purpose of Card Management Systems
CMS solutions connect smart cards to other systems, such as:
- Connected and unconnected smart card readers;
- User directories;
- Hardware security modules;
- Card printers;
- Physical access control systems;
- Certificate authority platforms;
Smart Card Lifecycle
Smart cards change their state during their lifecycle. The procedure of taking a card from one state to another is the responsibility of the CMS platform. Different systems call these processes by various names. Below is a table of the most common terms.
| Procedure Name |
Brief Explanation |
| Register |
Add a smart card to the CMS |
| Issue |
Issues or personalises the card for the cardholder |
| Initiate |
Activates the card for first use by the holder |
| Deactivate |
Put a smart card on hold in the backend system |
| Activate |
Reactivates a deactivated card |
| Lock |
Blocks the cardholder’s access to the card |
| Unlock |
Unblocks a blocked smart card |
| Revoke |
Credentials stored on the card are made invalid |
| Retire |
The smart card is disconnected from the cardholder |
| Delete |
Permanently deletes the card from the system |
| Unregister |
Removes the card from CMS but could be potentially reused |
| Backup |
Creates copies of the smart card credentials and selected keys |
| Restore |
Restores the card’s credentials and selected keys |
