JDJ: For those readers who aren't familiar with Schlumberger Electronic Transactions, could you please give us a short history of your corporate background and structure plus your own responsibilities?
TL: Schlumberger has been in business since the late 1920s. The company was founded based on a new technology developed by Conrad and Marcel Schlumberger, two French brothers who invented a method to determine, through electrical measurements, the presence of oil and gas in subsurface rock formations. The technique, which became known as well logging, utilizes sophisticated instrumentation lowered into wells during and just after drilling; it's used in virtually all wells drilled today.
From this start, the company grew to be the largest oilfield services company in the world, providing well logging, testing, pumping, drilling and seismic services to the oil and gas industry. A major part of the business involves data collection, transmission and interpretation on a worldwide basis. New technologies have always been a major force in the success of the company.
Other divisions of the company include Schlumberger ATE, which is a leading supplier of manufacturing and test equipment to the semiconductor industry.
The parent company, Schlumberger Ltd, is headquartered in New York and Paris, and has about 60,000 people operating in over 100 countries around the world. Last year's revenue was over $10 billion.
Schlumberger's smart card activities are part of our Electronic Transactions business unit. We got into the smart card business in the late 1970s, investing in the development of this new chip card technology in France. The first commercial chip cards were memory cards used in the French telephone industry. Those of your readers who have been to Europe, particularly France, know that you can use a chip card to make calls from public pay phones. From that beginning, the technology was adopted by the French banks, and spread to other banks and telecom operators in Europe and elsewhere that found chip cards ideally suited for secure financial transactions. Schlumberger has played a role in the development of the technology to adapt to the new market segments, including the financial applications like credit and ATM cards, health care cards and digital wireless communications - the GSM (Global Standard for Mobile Communications) cell phones that are used around the world. These telephone applications have been the fastest growing area for smart cards recently. If your readers outside North America have a cell phone, there's probably a 90% chance that it has a smart card inside.
Today Schlumberger is a leading manufacturer of chip cards, and the largest manufacturer of secure cards, chip and mag stripe. We have ten plants in France, Spain, the United Kingdom, United States, Mexico and China producing over a million chip cards every day.
As for myself, I am the director of Schlumberger's Information Security and Multimedia business segment. I started in oilfield services as a field engineer doing oil well logging, and later moved into marketing and management positions in the company. I moved over to Electronic Transactions four years ago and am now directing our Java card marketing activities worldwide.
JDJ: What type of market do Cyberflex cards have now?
TL: Cyberflex is a Java card, a smart card with a Java Virtual Machine. Its invention has energized the card industry and is the major focus for new developments by chip manufacturers and card suppliers around the world. All of the major players in the financial and telecommunications industries, the two largest smart card markets, have strategies that involve Java cards. One very significant example is Visa's Open Platform project, now under development. It is a Java-based multiple application card tailored to the needs of the Visa issuing banks, and they expect to be in trials this year. That said, the market for Cyberflex cards is in the development stage, the technology having been invented less than 1-1/2 years ago. We have been selling Cyberflex Development Kits by the hundreds since the middle of last year, and many of your readers have been able to develop their own smart card applications and try them out on real smart cards, something they could not do before. We expect to see some announcements of major Java card programs this year.
Our studies indicate that Java cards will command a significant share of the growing market for microprocessor smart cards, particularly where multiple application cards are required and where companies need the capability to quickly introduce card programs and update or modify the smart card applications after the cards are issued. The prime markets are financial, retail (such as loyalty and frequency marketing applications), telecommunications, information security, health care and travel and leisure. Card issuers, merchants and operators in these segments are looking for ways to introduce quickly differentiated products and services, often with partners. These markets are international. Cyberflex meets these needs perfectly since it features inherent security between applications and fast development and deployment times.
JDJ: Could you describe the impact that the Cyberflex cards are having as a result of their having the Java Virtual Machine and operating system?
TL: Cyberflex is revolutionizing the smart card industry. Schlumberger's objectives in developing the technology were to expand the market for smart cards. We felt that we could do this by introducing technology that would improve the business cases for smart card programs, first by reducing the time-to-market for smart card-based products and services, then by enabling secure multiple application cards to bring opportunities for co-branding with partners. We also felt that it was time, after almost twenty years, that the smart card industry entered the world of mainstream computing by allowing developers to program cards with open, industry-standard languages and tools. Since our initial Cyberflex announcement in October 1996, just after Sun's Java Card announcement, industry response has been overwhelming.
One way to understand the impact is by comparing conventional cards to Java cards in the areas of development and distribution. Conventional microprocessor smart cards have a CPU, RAM, ROM and EEPROM memories for native functions, application programs and data. The operating system and application programs are hard-masked into ROM at the time of manufacture, and the EEPROM is rewritable memory used for data. This architecture has allowed the industry to maximize the functionality of a card even when faced with very limited memory and CPU resources, a few KILO bytes of ROM and often less than one K byte of EEPROM in the early days. But the limitations have not been so bad when you consider that smart cards have been used as peripheral devices, with no GUI or overly complex I/O involved.
The conventional architecture has had an unfortunate result, though. Applications for conventional cards are chip-specific and not at all portable. If you developed your application on a particular smart card and later wanted to move it to a similar one from another manufacturer, you had to change the application to match that company's operating system. This has been one of the factors in limiting the growth of smart cards, lack of interoperability between cards at the API level.
Time-to-market is another concern. A new smart card program can take easily 9 months to a year to introduce, allowing for the development, masking and validation time required. You can't make too many mistakes and hope to have your application introduced on a card in any reasonable length of time. Fortunately, there are a few skilled professionals, mainly in the smart card companies, that are up to the task. But even if the code is perfect, there is still a chance that the features of the application might need to be changed after the cards have been introduced. This means another pass through the process and several months lost with new cards to manufacture and distribute.
A Java card is also a microprocessor card, with hardware that is similar or even identical to today's higher-end conventional cards. It has a CPU, RAM, ROM and EEPROM memories for native functions, application programs and data. The card operating system, virtual machine and interpreter are installed in ROM when the card is manufactured. Applications and data are stored in the rewritable non-volatile memory (EEPROM), and the RAM is used for instructions and data during operation.
The impact of this architecture on smart cards is enormous because they now start to look a lot like regular computers. With Cyberflex, the applications are developed in Java using standard tools and bytecodes are loaded onto the card. You don't have to be an expert in 6805 or 8051 assembly languages. You don't even have to know about them. What's more, if you change your mind while validating the application in a test or pilot program, or even after introducing hundreds of thousands of cards, the application can be modified and downloaded onto the cards.
JDJ: How do you distribute the changes to the cards?
TL: It depends on the type of application and the infrastructure that the card issuer has in place. If you are talking about a financial card, for example, the card issuing bank will have a system to download new applications when the card is used at an ATM, for example, or at home through an online banking Web site. For a card issued by a GSM telecom operator, the application upgrade would be done over the air, right into your cell phone handset.
Security is extremely important. For a bank card, for example, neither you nor the card issuer would want unauthorized applications to get onto the card, so there are safeguards being built into the systems to keep rogue cardlets off cards. Java's security model is a major benefit too. In fact, it's the main reason that we chose Java initially over other high level languages. Java applications cannot interfere with other applications or data, and it has been tested a lot.
JDJ: You've come out with a new upgrade, Cyberflex 2.0 Multi8K. How has this affected new development?
TL: Our previous Cyberflex version had a 4K EEPROM space and only about 2.8K of that was available. We were very limited in what we could do in single applications and there was little chance of loading multiple applications. 8K gives us a lot more room. In addition, there are improvements in the programming itself that reduce the amount of space that applications take up. We allow a couple of new methods to access the default processing on the card so that you don't have to write all of the code in the application. You just invoke a method to access those functions. It is a real improvement in terms of the space available from a physical point of view as well as from a logical point of view.
JDJ: How do the smart card terminals impact the Cyberflex development cycle?
TL: When we talk about a terminal, we are talking about a device that has an application running in it that requires a smart card for execution. A terminal can be anything from a pretty simple device, such as card readers that attach to PCs, all the way to a PC or an ATM. In between are the point-of-sale terminals used with cash registers and vending machine terminals.
Existing terminals can use Java cards since a Java card application can be developed that emulates exactly the existing smart card used with the terminals. This means that Java cards and conventional cards can co-exist in a system. To take advantage of the power of a Java card, though, one might want to use the terminal to interact with the card in a more innovative way; for example, dynamically loading applications.
Integrated development environments are coming that will allow the developer to work on the applications on both the terminal and card sides interactively, so that the applications can be tested as developed.
JDJ: Microsoft and Schlumberger have made some announcements in the past few months about smart cards and Windows 95 and Windows NT. How do these relate to Java Card?
TL: Microsoft and Schlumberger, along with several other companies, have worked together in the PC/SC Workgroup to establish specifications for smart card readers and smart cards themselves to interact with personal computers. This effort started in the middle of 1996 and the first version of the specifications was issued at the end of that year. Then, at the end of 1997, final specifications were released. In the meantime, all of the companies involved in PC/SC were developing products that would use the specifications. Microsoft announced their Smart Card SDK for Windows in September of last year, and Schlumberger announced their smart card and smart card reader drivers for that architecture.
PC/SC establishes the specifications for drivers that reside on the PC. While the specs are designed to be platform-neutral, Microsoft is the only company to implement them in their OS. The smart card drivers, called Smart Card Service Providers, allow the developer of a PC application that uses smart cards to avoid writing drivers for each variety of smart card that he or she wants. PC/SC standardizes the interface to the application above the Service Provider and therefore makes the development of smart card-enabled applications much easier.
Java Card and PC/SC are complementary. Schlumberger has actively supported PC/SC for some of the same reasons that we became involved with Java card. The smart card industry has a strong need to open itself up to the world of mainstream computing and standards for smart cards to meet their potential as a computing platform.
JDJ: Security is a major issue and cards with a cash capability are the biggest target. Have you found any need for additional security beyond the native Java security?
TL: The native Java security is wonderful because it isolates applications from each other. This is very important if money or sensitive information is involved, such as with financial applications, network access, or health care, among others. There are other areas that are addressed besides this aspect of security, too. For example, earlier we talked about loading applications securely onto the cards. Java cards will incorporate mechanisms to allow only signed applications to be loaded.
But in addition to application-level security, there are other security aspects that must be considered, an important one being user authentication. This is typically done with PIN codes - something you know - but, depending on the level of security required, higher levels of security may be warranted, such as biometrics - something you are. Smart cards are capable of supporting biometrics.
JDJ: What about shipping the Developer's Kit outside the US? Do you have any problems with the encryption algorithms being exported?
TL: The Cyberflex Development Kit is exportable outside the US, plus we fulfill orders from plants both in the US and France.
JDJ: What are the risks of losing a smart card if it has cash value?
TL: You're speaking of a smart card that has a stored value, or e-purse, application on it. The risks depend on the way the issuer has developed and implemented the program, and there are trade-offs involved. In principle, any stored value card can be PIN protected, but requiring the user to enter a PIN at the point of sale can slow down the transaction considerably. You would want to avoid this for low-dollar purchase, such as at soda vending machines and fast-food restaurants. With most the of the programs, such as Visa Cash, if you lose the card, you've effectively lost the cash. On the other hand, during stored value trials around the world, consumers report feeling an increased level of security since they do not expose cash at the point of sale, and initial fears about losing cards have not been a significant issue. Besides, the amount of cash that you carry on the card is up to the user. If you are not comfortable carrying $100, you can load $20 or $50 instead.
JDJ: What technical innovations do you see affecting smart cards in the future?
TL: The most important innovations will be in chip memory capacity and CPU performance. Java card, public key cryptography and GSM applications are putting demands on the existing devices and the chip suppliers are responding with faster chips with co-processors and bigger memories, with even smaller die sizes. The evolution will be similar to what we saw in personal computer technology in the 80s and early 90s. If you don't have the memory you need today, don't worry, it'll be there before you know it.
JDJ: Could you tell our readers about Schlumberger's Smart Village? What kind of market do you see for the kinds of smart card applications that you have described for the Smart Village?
TL:The Smart Village is Schlumberger's vision of the role of smart cards in the future, where these cards are used to help make people's lives more productive, convenient and safe. The vision builds on the three fundamental attributes that make smart cards ideal for many applications. They are secure, portable and personal. What does this vision mean practically today? It means that credit and ATM applications on a smart card are more secure than conventional cards. It means that an issuer can implement a stored value program because the security and convenience of the card make it practical. It means that health care information can be stored securely, so that only the cardholders and their health care providers can get access.
And in the near future, it means that people will be using multiple application cards in a variety of new and innovative ways, such as to pay for goods in person or over the Internet, to store and track frequent flier miles and electronic coupons at the supermarket, to authenticate themselves for single system sign-on to their company's Intranet, and so on.
As an example, a new smart card technology, contactless cards, is now being introduced that will bring a new level of convenience to people using urban mass transit systems. These cards operate much like a stored value card and replace the paper or coin tokens common in most transit systems today - convenient and secure.
The applications that are needed to implement the vision come from the minds of developers who understand their customer's businesses and who want to be part of the smart card computing wave.
The Smart Village also relates to the product offer from Schlumberger. The different divisions of Schlumberger Electronic Transactions supply smart cards, smart card readers for personal computers, terminals for the banking and retail industry, automatic vending terminals, pay telephones and transportation-related applications, and all of these devices accept smart cards.
JDJ: You advertise for developers who "could assume the responsibility for end to end development of Java cards on families of microprocessors." You listed a number of skills, but what skills do you see as necessary for developers who want to be involved in smart card technology?
TL:The ad you are talking about was one that we were running to attract people to work on our system software, the operating system. The software business and those skills are different from the ones that developers are going to need to write applications.
The most important thing is that if you want to write smart card applications, you have to know what to do not only from a technical viewpoint, but from the business viewpoint. You have to know how real people are going to use the application. People who can translate that business model into the design of the program and from that into code are in real demand.
JDJ: What training do you have available for smart card developers here and in Europe?
TL: Schlumberger provides training courses as part of a strategy to increase the usage of smart cards, providing people with technology, tools and training. Our Cyberflex training program is part of an overall training program that we sponsor for Schlumberger Business Associates and smart card developers. We have put on several Cyberflex classes, starting with three in Europe and one in the US since last fall. Another one is scheduled for the US this spring. Our Web site has the information (www.cyberflex.slb.com).
JDJ: What is the most interesting smart card application you have come across?
TL: It's hard to choose, but I think from a business point of view the GSM digital telephone application would get my vote. GSM is tailor-made for Java smart cards for the developer, the operator and the user. In the GSM world, they already have two-way communications between the smart cards and the servers. The present day SIM (Subscriber Identity Module) smart cards that are used in GSM phones are loaded with the user's account information and preferences. With a Java-based SIM card, telecom-based multiple applications become a reality, such as loyalty programs, network access or banking. And the applications can be downloaded onto the cards over the air. This has real power for differentiating services and offering new levels of convenience to consumers.
If I could choose another, I think network security is one of the most obvious applications for smart cards that there is. When companies want to implement public key security for their internal and external networks, there is really only one choice for storing keys and certificates: the smart card. It is the most secure place to store a private key, and it never needs to be exposed during digital signature or challenge/response sequences. The usual alternative to smart cards is to store them on hard drives or floppies and this is just unbelievable. After implementing a strong public key infrastructure, to leave the keys on a hard drive or floppy is like leaving them under the doormat. In the past year or so, smart cards with strong RSA cryptographic capabilities have come onto the market. Schlumberger brought out the Cryptoflex card at the end of 1996; it features 1024-bit digital signature and 4K EEPROM for key and certificate storage.
JDJ: Many of our readers are interested in the people behind the products. Could you tell us a little bit about your group? Some of the people we interview are risk takers. They not only start new businesses, but also like sports such as mountain biking, snow boarding and sky diving.
TL: We try to keep these guys from taking any physical risks at all. Just kidding. The smart card group in the Austin Product Center comprises a dozen people out of about three hundred professionals altogether. We are devoted to innovation in smart card technology, especially at the operating system and language levels. Our team provides support for Schlumberger's application development teams in Montrouge, France, San Jose and Hong Kong, as well as for the developers in other companies.
The smart card team has the best people we can find. In fact, we have a very high portion of the top software scientists and engineers in Schlumberger assigned to the team. Nationalities represented include American, French, Indian, British, Chinese and Vietnamese. It's really a world class team.
JDJ: Do you see a super card in the future that will replace your wallet and let you do everything from a single card?
TL: That's down the road a bit. The technology will be there before the business cases, probably. While having a super card that does everything has a lot of intellectual appeal, the ownership of the card and the control of the applications that go onto the card could get a little complicated. In the short term, I think that it will be the individual applications that catch hold and are put together on multi-app Java cards where it makes sense to do so. Which applications? Well, the best applications that really ignited the market for any computer platform you can name didn't come from the technology providers. For PCs, Visicalc and 1-2-3 came from designers and developers with a vision of how the new technology could best be used in ways not imagined before. I think the same will be true with smart cards, maybe even coming from readers of Java Developers Journal.