Security

Smart Card Lifecycle Security

Security considerations across the full smart card lifecycle: chip fabrication, personalization, deployment, and decommissioning.

| 4 min read
  1. Smart Card Lifecycle Security
  2. Lifecycle Phases Overview
  3. Phase 1: Manufacturing
  4. Phase 2: Pre-Personalisation
  5. Phase 3: Personalisation
  6. Phase 4: Issuance and Activation
  7. Phase 5: Active Use
  8. Phase 6: Suspension and Renewal
  9. Phase 7: End of Life

Smart Card Lifecycle Security

A smart card's security posture must be maintained not just during card use, but across every phase from silicon manufacturing to end-of-life destruction. Each transition between lifecycle states is an attack opportunity; standardised controls mitigate risk at each stage.

Lifecycle Phases Overview

[Manufacturing] → [Personalisation] → [Issuance] → [Active Use] → [Suspension] → [End of Life]

GlobalPlatformGlobalPlatformSoftwareCard application management standard.Click to view → Card Spec defines the card's lifecycle via the Card Life Cycle State (CLCS) byte, readable via GET STATUS (80 F2 80 00):

CLCS Value State Operations Permitted
01 OP_READY ISD personalisation
07 INITIALIZED Load security domain keys
0F SECURED Normal card operation
7F CARD_LOCKED Administrative recovery only
FF TERMINATED No operations — hardware reset required

Phase 1: Manufacturing

The silicon fabrication plant programs the Initial Card Content (ICC profile) and the unique Chip Serial Number (CSN / IC_SN) into non-volatile ROMROMHardwarePermanent mask-programmed OS memory on chip.Click to view →. The CSN is the root identifier used throughout the lifecycle.

Security controls: - Wafer-level testing in EALEALSecuritySecurity evaluation depth rating (1-7).Click to view →-certified cleanroom - CPLC (Card Production Life Cycle) data programmed under HSMHSMSecurityPhysical device for key management.Click to view → control - Pre-personalisation key injection uses a transport key — a per-batch secret shared between the fab and the personalisation bureau

The EEPROM is blank at this stage; only ROM code and the factory test applet are present.

Phase 2: Pre-Personalisation

Before brand-specific personalisation, the card issuer's security domain (ISD) keys replace the transport keys. This is done in a secure, access-controlled environment:

# EXTERNAL AUTHENTICATE with transport key → open SCP02 session
# PUT KEY (INS=D8): install issuer S-ENC, S-MAC, DEK
Command: 84 D8 00 01  [length]  [encrypted key data under DEK]  [C-MAC]
  SW1 SW2: 90 00

# Verify new keys work by re-authenticating

After ISD key installation, the transport key is deleted. From this point only the issuer's HSM can open a secure channel to the card.

Phase 3: Personalisation

The electrical personalisation phase injects cardholder-specific data:

Data Element Command Notes
Primary PAN STORE DATA under SCP03SCP03SoftwareAESAESCryptographyNIST symmetric block cipher for smart card encryption.Click to view →-based secure channel protocol.Click to view → Encrypted under DEK
Expiry date STORE DATA
PIN CHANGE REFERENCE DATA (INS=24) Under PIN encryption
Cardholder name STORE DATA
Application cryptogram keys PUT KEY EMVEMVApplicationGlobal chip payment card standard.Click to view → AC, SMC, DEK
X.509 certificate (PKI) PUT DATA (INS=DB) Full DER encoding

Graphical personalisation — printing the cardholder photo, card number, name — happens in a separate, physically controlled printer environment. The printed card surface must match the chip data.

Phase 4: Issuance and Activation

Cards are delivered in an unactivated state — the PIN is set to a default or a randomised PIN sent separately via PIN mailer. The first PIN change by the cardholder transitions the application to the ACTIVATED state.

Security controls during issuance: - Cards shipped with opaque security bags (tamper-evident) - Activation channel (IVR, mobile app, branch) requires multi-factor authentication - Card activation event logged in issuer system with timestamp and channel

Phase 5: Active Use

During active use, the card defends itself via:

  • Wrong PIN counter: after 3 consecutive failures, the card enters PIN-blocked state; after 10 PUK failures, the application terminates
  • Transaction counter (ATC): an incrementing counter prevents replay of old APDU sequences; the issuer verifies the ATC is within an acceptable window
  • Application lifecycle blocking: the issuer can remotely block individual applets via OTA script without destroying the card

Phase 6: Suspension and Renewal

Temporary suspension (lost/stolen report):

# GP LOCK CARD APPLICATION (via SD command)
Command: 84 F0 40 00  [length]  [AID of target applet]  [C-MAC]

Card renewal: a new card with the same cardholder data and PAN is personalised and the old card is remotely terminated before physical destruction.

Phase 7: End of Life

Card termination via GlobalPlatform:

# TERMINATE CARD USAGE (ISD lifecycle → TERMINATED)
Command: 80 F0 FF 00  00
  SW1 SW2: 90 00
# No further commands are accepted after this

Physical destruction: ISO/IEC 7816-1 mechanical stress tests confirm minimum bend force — cards must be cut at minimum twice across the chip area to ensure the secure element is physically destroyed.

For the key management infrastructure supporting this lifecycle, see HSM Integration and Secure Channel Protocols (SCP02/SCP03).

자주 묻는 질문

Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.