Understanding ISO 7816

The 15-part standard governing contact smart cards.


ISO 7816 is the multi-part international standard that governs contact smart card technology — from the physical card dimensions to the cryptographic authentication protocols. Compliance with ISO 7816 is mandatory for virtually every contact-interface smart card: banking, identity, healthcare, and government programmes all build on this foundation.

Use the APDU Builder to construct and test ISO 7816-4 commands interactively, and the ATR Parser to decode reset response bytes.

Parts 1–15 Overview

| Part | Title | Key content |
|------|-------|-------------|
| 1 | Physical characteristics | Card dimensions, bend/twist tests, UV/X-ray resistance |
| 2 | Cards with contacts | Contact pad layout, position, size |
| 3 | Electrical interface | VCC levels, clock, I/O signals, cold/warm reset, ATR |
| 4 | Organisation, security, commands | APDU structure, file system, AID selection |
| 5 | Registration of application providers | RID allocation by ISO |
| 6 | Interindustry data elements | BER-TLV encoding rules |
| 7 | Inter-industry commands for structured card query | Enhanced channel management |
| 8 | Commands for security operations | Cryptographic command set |
| 9 | Commands for card management | Card lifecycle commands |
| 10 | Electronic signals and answer to reset for synchronous cards | Sync card ATR |
| 11 | Personal verification through biometric methods | Biometric verification |
| 12 | Cards with USB | USB-ICC interface |
| 13 | Commands for application management in a multi-application environment | GP-aligned |
| 15 | Cryptographic information application | Key reference objects |

Parts 1–4 are the ones every developer must know; parts 5, 8, 9, and 15 become relevant when building security-sensitive applications or card management systems.

ATR — Answer to Reset

The ATR is the first data the card transmits after power-on reset. It is a sequence of up to 32 bytes that encodes:

  • TS — initial character (convention: direct or inverse bit ordering)
  • T0 — indicates presence of interface bytes TA1, TB1, TC1, TD1
  • TAi/TBi/TCi/TDi — clock rate factor, voltage class, extra guard time, protocol type
  • Historical bytes — free-form card info (issuer, card type)
  • TCK — XOR checksum (present when T=1 is offered)

The T=0 protocol is byte-oriented and character-framed; T=1 is block-oriented with a three-byte prologue (NAD, PCB, LEN), an information field, and an error-detection epilogue. T=1 is preferred for modern applications due to its error-recovery and chaining capabilities.
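
The ATR layout listed above, as an added example in Python (not code from this guide or its ATR Parser tool): a strict parser that follows the TDi chain, extracts the historical bytes and verifies TCK. Both sample ATRs are constructed for illustration and do not come from real cards.

```python
from functools import reduce

# Constructed sample ATRs (not taken from real cards)
ATR_T0_T1 = bytes.fromhex("3B949680015445535495")  # TA1, TD1, TD2, "TEST", TCK
ATR_T0_ONLY = bytes.fromhex("3B021450")            # no interface bytes, no TCK

def parse_atr(atr: bytes) -> dict:
    """Walk TS, T0, the TAi..TDi chain, historical bytes and TCK."""
    if len(atr) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts, t0 = atr[0], atr[1]
    if ts not in (0x3B, 0x3F):
        raise ValueError(f"invalid TS 0x{ts:02X}")
    out = {"convention": "direct" if ts == 0x3B else "inverse",
           "interface": {}, "protocols": []}
    hist_len = t0 & 0x0F       # low nibble of T0: number of historical bytes
    y, i, pos = t0 >> 4, 1, 2  # high nibble of T0: which of TA1..TD1 follow
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated before {name}{i}")
                out["interface"][f"{name}{i}"] = atr[pos]
                td = atr[pos] if name == "TD" else td
                pos += 1
        if td is None:
            break
        out["protocols"].append(td & 0x0F)  # low nibble of TDi: protocol T
        y, i = td >> 4, i + 1               # high nibble: next group present
    out["protocols"] = out["protocols"] or [0]  # no TD1 means T=0 only
    # TCK is sent whenever anything other than plain T=0 is indicated
    need_tck = any(t != 0 for t in out["protocols"])
    end = pos + hist_len
    if len(atr) != end + need_tck:
        raise ValueError("ATR length does not match its T0/TDi structure")
    out["historical"] = atr[pos:end]
    if need_tck:
        # XOR of every byte from T0 through TCK must be zero
        out["tck_ok"] = reduce(lambda a, b: a ^ b, atr[1:]) == 0
    return out

if __name__ == "__main__":
    print(parse_atr(ATR_T0_T1))
    print(parse_atr(ATR_T0_ONLY))
```

Rejecting an ATR whose length disagrees with its own T0/TDi structure, instead of trusting the declared counts, keeps a malformed or tampered reset response from being half-parsed.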

APDU Structure

Application Protocol Data Units are the message format for card-host communication. A command APDU has a four-byte header and optional body:

CLA  INS  P1  P2  [Lc  Data...  Le]
 1    1   1   1   [1   n...     1 ]  bytes
  • CLA — class byte (industry, channel, chaining)
  • INS — instruction code (SELECT = A4, READ BINARY = B0, VERIFY = 20, etc.)
  • P1/P2 — parameters specific to INS
  • Lc — length of command data field (absent if no data)
  • Le — expected length of response data (absent if no response expected)

Response APDUs append a two-byte status word (SW1 SW2). 90 00 means success; 6A 82 means file not found; 69 82 means security conditions not satisfied.

File System

ISO 7816-4 defines a hierarchical file system:

| Object | Abbreviation | Description |
|--------|--------------|-------------|
| Master File | MF | Root of the tree (always present) |
| Dedicated File | DF | Directory node; holds EFs or child DFs |
| Application DF | ADF | DF with an AID (selectable by SELECT AID) |
| Elementary File | EF | Leaf containing data |
| Internal EF | IEF | EF not directly readable; used for keys |

Applications are identified by AID — a 5-to-16-byte value whose leading 5 bytes are the RID (Registered Application Provider Identifier) allocated under ISO 7816-5, and whose trailing bytes form the PIX (Proprietary application Identifier eXtension).

Protocol Parameter Selection

After ATR, the host may send a PPS (Protocol and Parameters Selection) request to negotiate a faster clock rate divisor (F) and baud rate divisor (D), enabling communication up to 625 kbps — significantly faster than the default 9,600 bps. Most modern readers and cards support PPS negotiation automatically.

Continue to ISO 14443 Deep Dive for the contactless equivalent, or APDU Command Reference for a complete command catalogue.

Frequently Asked Questions

ISO/IEC 7816 is the international standard governing contact smart cards. It is divided into multiple parts: Part 1 defines physical characteristics, Part 2 specifies the contact dimensions, Part 3 defines electrical signals and transmission protocols (T=0, T=1), and Part 4 specifies the APDU command structure, file systems, and security architecture. Part 4 is the most referenced by developers writing card applications.

T=0 is a byte-oriented, half-duplex protocol where each byte is individually acknowledged, making it simple but verbose. T=1 is a block-oriented protocol that transmits data in framed blocks with error detection (EDC), supporting chaining and a more efficient handshake. T=1 is the preferred protocol for JavaCard and most modern applications; T=0 is still widely used in SIM cards.

ISO 7816-2 defines eight contacts: C1 (VCC — supply voltage), C2 (RST — reset), C3 (CLK — clock), C4 (reserved, formerly VPP programming voltage), C5 (GND — ground), C6 (VPP in some legacy cards), C7 (I/O — bidirectional data), and C8 (USB D- or reserved). Only C1, C2, C3, C5, and C7 are used by nearly all modern contact smart cards.

The Answer to Reset (ATR) is the first data sequence transmitted by a contact smart card after power-on. It identifies the card's supported protocols (T=0, T=1), transmission parameters (baud rate, guard time), supported voltages, and optionally a historical bytes section containing vendor-specific information such as card type and issuer data. The ATR is defined in ISO 7816-3 and is used by readers to configure communication parameters.

Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.