
ISO/IEC 7816-4

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Standard: ISO/IEC 7816-4
Title: Identification cards — Integrated circuit cards — Part 4
Year: 1995/2005/2013
Status: Published


ISO/IEC 7816-4 specifies application-level protocols, file structures, command sets, responses and status semantics for integrated circuit cards used in systems such as payment, identification and telecommunications. It defines how Euromoney-style industry implementations interoperate with issuers, terminals and back-end systems including Visa, Mastercard, American Express, Diners Club International and national schemes. The standard is commonly implemented alongside physical and electrical specifications described in ISO/IEC 7816-1 and ISO/IEC 7816-3 and interacts with cryptographic frameworks from NIST, FIPS, Common Criteria evaluations and banking protocols governed by SWIFT and central banks such as the European Central Bank.

Scope and Purpose

ISO/IEC 7816-4 defines APDU (Application Protocol Data Unit) command-response pairs, file organization, selection mechanisms and data object encoding for smart cards used by schemes such as EMVCo, EFTA, Interac, UnionPay and government identity programs like eIDAS and national identity projects in Germany, France, Spain and Estonia. The scope covers logical data structures supporting application life-cycle functions relevant to issuers such as Mastercard Worldwide and operators such as GSMA for mobile SIM applications, while excluding contactless transport layers standardized by ISO/IEC 14443 and lower-level electrical interfaces managed by ISO/IEC 7816-2.

Card and Application Management

The standard prescribes mechanisms for selecting applications, managing the application life cycle and associating dedicated files with application identifiers in environments used by Apple Inc., Google LLC, Samsung Electronics and device manufacturers adhering to GlobalPlatform specifications. Application selection conventions involve AIDs compatible with registries maintained by ISO, registration authorities and payment networks including Discover Financial Services and clearinghouses like EBA CLEARING. Interaction models are used in service deployments by organizations such as Deutsche Telekom, Orange S.A., Vodafone Group and public administrations like Gov.uk and the US Department of Homeland Security.

File and Record Structure

ISO/IEC 7816-4 defines a hierarchical file model with master files, dedicated files and elementary files, structures referenced in implementations by Gemalto (Thales Group), Infineon Technologies, NXP Semiconductors and STMicroelectronics. File types include transparent, record-oriented and cyclic files; record structures are used in identity credentials issued by agencies like Identity Ireland, driver's licenses from the California Department of Motor Vehicles and social security cards in programs administered by the Social Security Administration. The standard’s file identifiers and FCP (File Control Parameters) interact with directory services in payment systems operated by PayPal, Square, Inc. and point-of-sale vendors such as Ingenico Group.
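The FCP a card returns for a selected file is a BER-TLV template under tag 62. The following added example (not part of the original article or of the standard's text) reads such a template with bounds checks, since the lengths come from the card and should not be trusted. The sample bytes and the field names in FCP_FIELDS are constructed for illustration.

```python
# Added example: bounds-checked BER-TLV reader applied to an FCP template.
FCP_FIELDS = {0x80: "data_bytes", 0x82: "file_descriptor",
              0x83: "file_id", 0x84: "df_name", 0x8A: "life_cycle_status"}

def read_tlv(buf: bytes, pos: int = 0):
    """Read one BER-TLV object at pos; return (tag, value, next_pos)."""
    start = pos
    if pos >= len(buf):
        raise ValueError("truncated tag")
    first = buf[pos]
    pos += 1
    if (first & 0x1F) == 0x1F:             # tag number continues in next bytes
        while True:
            if pos >= len(buf):
                raise ValueError("truncated tag")
            more = buf[pos] & 0x80
            pos += 1
            if not more:
                break
    tag = int.from_bytes(buf[start:pos], "big")
    if pos >= len(buf):
        raise ValueError("truncated length")
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: 0x81..0x84 + n bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):            # never trust the card's length
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_fcp(resp: bytes) -> dict:
    """Decode a response body holding exactly one FCP template (tag 0x62)."""
    tag, body, end = read_tlv(resp)
    if tag != 0x62 or end != len(resp):
        raise ValueError("expected exactly one FCP template")
    fields, pos = {}, 0
    while pos < len(body):
        t, value, pos = read_tlv(body, pos)
        fields[FCP_FIELDS.get(t, f"tag_{t:02X}")] = value
    return fields

# Constructed sample: 256-byte transparent EF, file identifier 0101, activated.
SAMPLE_FCP = bytes.fromhex("620E" "80020100" "820101" "83020101" "8A0105")
```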

Data Elements and Command Messages

Commands such as SELECT, READ BINARY, READ RECORD, UPDATE BINARY, and VERIFY are defined with APDU formats used across ecosystems including EMVCo payment terminals, SIM Alliance modules, and ePassport systems implemented for ICAO standards in countries like the United Kingdom, Canada and Australia. Data element encoding often uses BER-TLV conventions influenced by work from ASN.1 committees and standards organizations including ITU-T and IETF. Implementers such as Oracle Corporation and IBM integrate these command sets into middleware stacks for identity management, while financial terminals from Pax Technology and Verifone implement status word handling for transaction flows involving SWIFT-connected banks.

Security and Access Control

The standard specifies access conditions and security attributes for files and applications, commonly combined with cryptographic services from RSA Security, OpenSSL Foundation, and governmental certifications like FIPS 140-2; card-level PIN verification and mutual authentication are used in systems deployed by HSBC, Goldman Sachs, Bank of America and mobile wallet providers such as Apple Pay. Access control frameworks integrate with secure element architectures championed by GlobalPlatform and are evaluated in labs accredited by ISO/IEC JTC 1/SC 17 and testing agencies such as Underwriters Laboratories. Implementations must interoperate with public key infrastructures operated by certification authorities including DigiCert, Entrust and Let’s Encrypt in broader identity ecosystems.

Error Handling and Status Words

ISO/IEC 7816-4 defines status words (SW1-SW2) conveying response conditions such as successful execution, wrong length, wrong data and security status not satisfied—semantics reflected in payment transaction logs for networks like VisaNet and terminal diagnostics used by suppliers such as Ingenico, VeriFone Systems, Inc. and PAX Technology. Status word semantics inform exception handling in middleware products from Thales Group and HID Global and aid forensic analysis by agencies such as Europol and FBI during incident investigations concerning card fraud and counterfeit detection.
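For log review, the status words can be decoded mechanically. This added example (not from the original article) maps SW1-SW2 to their meanings, including the parameterised 61XX, 6CXX and 63CX ranges, and picks failed VERIFY commands out of a reader trace together with the retry counter the card reported. The trace and the tuple layout (INS, SW1, SW2) are constructed for illustration.

```python
# Added example: decode SW1-SW2 and pick failed VERIFY commands out of a trace.
EXACT = {
    0x9000: "normal processing",
    0x6700: "wrong length",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked",
    0x6A80: "incorrect parameters in the command data field",
    0x6A82: "file or application not found",
}

def decode_sw(sw1: int, sw2: int) -> str:
    """Map SW1-SW2 to a meaning, including the parameterised ranges."""
    sw = (sw1 << 8) | sw2
    if sw in EXACT:
        return EXACT[sw]
    if sw1 == 0x61:
        return f"more response data available (SW2={sw2:02X})"
    if sw1 == 0x6C:
        return f"wrong Le, exact length given in SW2={sw2:02X}"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        return f"warning, counter = {sw2 & 0x0F}"
    return f"unrecognised status {sw:04X}"

def verify_failures(trace):
    """Return (index, retries_left) for every VERIFY (INS 0x20) that failed.

    retries_left is None when the card reported no counter.
    """
    hits = []
    for i, (ins, sw1, sw2) in enumerate(trace):
        if ins != 0x20 or (sw1, sw2) == (0x90, 0x00):
            continue
        if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:   # 63CX: X tries remain
            hits.append((i, sw2 & 0x0F))
        elif (sw1, sw2) == (0x69, 0x83):           # reference data blocked
            hits.append((i, 0))
        else:
            hits.append((i, None))
    return hits

# Constructed trace: one SELECT, a run of failed VERIFYs, then a refused read.
TRACE = [(0xA4, 0x90, 0x00), (0x20, 0x63, 0xC2), (0x20, 0x63, 0xC1),
         (0x20, 0x63, 0xC0), (0x20, 0x69, 0x83), (0xB0, 0x69, 0x82)]
```

A run of 63CX responses counting down to 6983 within one session is the pattern worth alerting on when reviewing terminal or middleware logs.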

Conformance and Interoperability Testing

Conformance testing suites for ISO/IEC 7816-4 are provided by certification bodies including EMVCo test laboratories, national standards organizations like BSI and AFNOR, and private labs such as Intertek and SGS. Interoperability programs involve vendors such as NXP Semiconductors, STMicroelectronics, Infineon Technologies and payment schemes Mastercard, Visa and UnionPay. Test cases validate APDU exchange, file handling and security conditions and are incorporated into accreditation processes by Common Criteria evaluation laboratories and procurement requirements used by governments like those of the Netherlands and Belgium.
