Coke vs. Pepsi. Windows vs. Mac. Visa vs. MasterCard.
These well-known rivalries are good for consumers because they create healthy competition. For many years, this seemed to be the case for smart card operating systems. The debate and battle was quite heated, but today, there’s little talk about the smart card OS. What happened the OS war?
In order to know why the smart card operating system was a hot topic, you need to look at its evolution. The smart card operating system took off in the ’90s when the memory card underwent a transition. The memory card, a product of the ’80s transformed when it became feasible to add microprocessors to cards, explains Jean-Louis Carrara, vice president of system development at Gemalto North America.
The addition of a microprocessor necessitated an operating system. In the early stages, the OS came from the card’s manufacturer. Each manufacturer had its own proprietary operating system and at times a manufacturer had a different OS for its different card types.
This meant that applications had to be written for the specific card on which it would ultimately be used. For the most part, this resulted in both cards and applications being purchased from the same vendor. This worked out great for vendors but made it difficult for the end issuers.
“In the late ’90s smart cards were controlled by manufacturers who developed native operating systems,” says Anna Fernezian, principle leader and subject matter expert at CSC. “The native operating system made a lot of sense. It constrained the buyer to get cards from some specific suppliers.”
The constraints on these operating systems extended to application development as each had to written specifically for a single, predetermined OS. “There was no development on the fly,” says Fernezian, “it was nothing like today’s applications.”
As smart card capacity grew, issuers wanted to do more with their cards without waiting on suppliers for application development. A standardized OS was needed.
Two main operating systems emerged to fill the gap: Sun’s Java Card, and MULTOS, an OS developed for the banking community. Then in the late ’90s, Microsoft jumped into the smart card operating system market with great fanfare surrounding its Smart Card for Windows OS.
The competitive landscape looked very much like the bankcard wars as Visa aligned with the Java Card and MasterCard backed MULTOS. “Smart Card for Windows was a Johnny come lately, a ‘me too’ operating system,” says Fernezian.
“As a developer, you prefer having fewer operating systems,” says Fernezian. Having to know fewer OS’s means development of applications becomes easier in terms of structure, commands and responses. “Where am I going to get the biggest bang for my time?” says Fernezian. “You develop to the operating system that’s most widely used.”
Over time, Java Card emerged as the system preferred by developers. By 2003 it was clearly the leading OS with 220 million units shipped versus just 8.3 million for MULTOS, according to Frost & Sullivan.
The key to Java Card’s victory was its simplicity, familiarity and portability. Developers knew Java, explains Carrara, and the Java Card applet was portable and could be loaded onto different systems.
Java Card’s simple structure also made it more acceptable to an industry where technology changes need to get to the market quickly. “Java Card makes time to market much simpler and faster,” says Fernezian. “(Applications) could be delivered in months instead of years.”
MULTOS’ predominant use has been in Asia-Pacific and Brazil. “(MULTOS is) an operating system ahead of its time,” says Fernezian, due to PKI being inherent in its development. “It’s more complicated than Java Card, and that scared people away,” she adds.
“The MULTOS organization has realized there’s complexity and has tried to simplify in the last five years or so, but Java Card has such a long lead and a huge development community that it’s hard to get (suppliers and vendors) to buy into it now,” says Fernezian.
As for Microsoft, it became an also-ran. “Since there wasn’t a lot of progress, Microsoft seemed to lose interest,” says Fernezian.
Java Card go-to OS for U.S. government
When the federal government’s FIPS 201 specification was first written there was much discussion around smart card operating systems. MULTOS, Java and a file-based system were all discussed.
Early on, many were concerned that NIST would ignore the Defense Department’s investment in the Java Card environment and create a specification that was purely for a file system based card.
FIPS 201 ended up being operating system agnostic, though implementations have all been based on the Java Card OS. There were MULTOS-approved systems when FIPS 201 first came out but agencies have exclusively deployed Java Card, says Neville Pattinson, vice president of government affairs at Gemalto.
To date U.S. government agencies have issued more than 4.8 million credentials running the Java Card OS.
The smart card OS war of the ‘90’s has turned into a more or less peaceful competition. Developers and manufacturers have been able to answer the security, performance and interoperability issues that were so important when the industry took off. “The challenges and the interoperability has been addressed,” says Carrara.
The industry has matured to a point where it can focus on usability and applications rather than the underlying platforms. “The operating system has become a commodity,” says Fernezian. “It is so standardized and readily available that they’re not interested in it anymore.”
MULTOS history and timeline
1993 National Westminster Bank or NatWest (UK) develops MULTOS to support the Mondex stored value e-purse scheme
2001 MasterCard International assumes control of Mondex and MULTOS
2006 StepNexus is formed by Hitachi, Keycorp and MasterCard take over control and development of MULTOS
2008 Keycorp (Australia) acquires StepNexus and MULTOS
2008 Gemalto acquires Keycorp’s smart card business including MULTOS and forms Multos International to manage system