User:Marseil/sandbox
Complex Cards
Complex Cards are smart cards that conform to the ISO 7810 standard and include components in addition to those found in traditional single chip smart cards. Complex Cards were invented by Cyril Lalo and Philippe Guillaud in 1999 when they designed a chip smart card with additional components, building upon the initial concept, patented by Alain Bernard, of using audio frequencies to transmit data. The first Complex Card prototype was developed collaboratively by Cyril Lalo and Philippe Guillaud, who were working at AudioSmartCard at the time, and Henri Boccia and Philippe Patrice, who were working at Gemplus. It was ISO 7810-compliant and included a battery, a piezoelectric buzzer, a button, and audio functions, all within a 0.84 mm thick card.
The Complex Card pilot, developed by AudioSmartCard, was launched in 2002 by Crédit Lyonnais, a French financial institution. This pilot featured acoustic tones as a means of authentication. Although Complex Cards have been developed since the inception of the smart card industry, they only reached maturity after 2010.
Complex Cards can accommodate various peripherals including:
- One or more buttons,
- A digital keyboard,
- An alphabetic keyboard,
- A touch keyboard,
- A small display, for a dynamic Card Security Code (CSC) for instance,
- A larger digital display, for OTP or balance, QR code,
- An alphanumeric display,
- A fingerprint sensor,
- An LED,
- A buzzer or speaker.
While first generation Complex Cards were battery powered, the second generation is battery-free and receives power through the usual card connector and/or induction.
Sound, generated by a buzzer, was the preferred means of communication for the first projects involving Complex Cards. With the progress of displays, visual communication is now present in almost all Complex Cards.
Functionalities
Complex Cards support all communication protocols present on regular smart cards: contact, thanks to a contact pad as defined in the ISO 7816 standard, contactless following the ISO 14443 standard, and magstripe.
Developers of Complex Cards target several needs when developing them:
- One Time Password,
- Provide account information,
- Provide computation capabilities,
- Provide a means of transaction security,
- Provide a means of user authentication.
One time password
A Complex Card can be used to compute a cryptographic value, such as a One-Time Password (OTP). The One-Time Password is generated by a cryptoprocessor encapsulated in the card. In order to implement this function, the cryptoprocessor must be initialized with a seed value, which makes the OTPs of each card specific to that card. The hash of the seed value has to be stored securely within the card to prevent unauthorized prediction of the generated OTPs.
One-Time Password generation is based either on incremental values (event based) or on a real time clock (time based). Using clock-based One-Time Password generation requires the Complex Card to be equipped with a real time clock and a quartz.
Complex Cards used to generate One-Time Passwords have been developed for:
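An added example, not part of the original page: the page does not name an algorithm, so this sketch assumes the public HOTP (RFC 4226) and TOTP (RFC 6238) constructions to show event-based and time-based generation from one seed. It also shows the verification windows a server needs because a card button can be pressed without the code being submitted and a card's quartz can drift. The seed is the RFC test value; function names, window sizes and the 6-digit length are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample seed: the published RFC 4226 test secret, not a real card seed.
SEED = b"12345678901234567890"
DIGITS = 6       # assumed display length
TIME_STEP = 30   # assumed validity period, in seconds, of a time-based code


def hotp(seed, counter, digits=DIGITS):
    """Event-based OTP (RFC 4226): HMAC-SHA1 of the counter, then truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed, unix_time, digits=DIGITS):
    """Time-based OTP (RFC 6238): the counter is the number of elapsed steps."""
    return hotp(seed, unix_time // TIME_STEP, digits)


def verify_event(seed, submitted, server_counter, look_ahead=5):
    """Check an event-based code against a look-ahead window.

    The card counter advances on every button press, so it may be ahead of
    the server. Returns the next server counter on success, None on failure.
    Counters below server_counter are never tried, so used codes are rejected.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, counter), submitted):
            return counter + 1
    return None


def verify_time(seed, submitted, server_time, last_step=-1, drift_steps=1):
    """Check a time-based code, tolerating card clock drift.

    Returns the matched time step, or None. Steps at or before last_step
    (the last step already accepted for this card) are refused as replays.
    """
    now = server_time // TIME_STEP
    for step in range(now - drift_steps, now + drift_steps + 1):
        if step > last_step and hmac.compare_digest(hotp(seed, step), submitted):
            return step
    return None


if __name__ == "__main__":
    # Card pressed three times without submitting, fourth code is sent.
    print("event code:", hotp(SEED, 3), "->", verify_event(SEED, hotp(SEED, 3), 0))
    # Card clock is one step behind the server clock.
    print("time code:", totp(SEED, 59), "->", verify_time(SEED, totp(SEED, 59), 89))
```
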
- Standard Chartered, Singapore,
- Bank of America, USA,
- Erste Bank, Croatia,
- Verisign, USA,
- RSA Security.
Account information
A Complex Card with buttons can display the balance of one or multiple account(s) linked to the card. Typically, either one button is used to display the balance in the case of a single account card or, in the case of a card linked to multiple accounts, a combination of buttons is used to select a specific account’s balance.
For additional security, features such as requiring the user to enter an identification or a security value such as a PIN can be added to a Complex Card.
Complex Cards used to provide account information have been developed for:
- Getin Bank, Poland,
- TEB, Turkey.
The latest generation of battery-free, button-free Complex Cards can display a balance or other kinds of information without requiring any input from the card holder. The information is updated during the use of the card. For instance, in a transit card, key information such as the monetary value balance, the number of remaining trips or the expiry date of a transit pass can be displayed.
Transaction security
A Complex Card deployed as a payment card can be equipped with the capability to provide transaction security. Typically, online payments are made secure thanks to the Card Security Code (CSC), also known as card verification code (CVC2), or card verification value (CVV2). The card security code (CSC) is a 3- or 4-digit number printed on a credit or debit card, used as a security feature for card-not-present (CNP) payment card transactions to reduce the incidence of fraud.
The Card Security Code (CSC) is to be given to the merchant by the cardholder in order to complete a card-not-present transaction. The CSC is transmitted along with other transaction data and verified by the card issuer. The Payment Card Industry Data Security Standard (PCI DSS) prohibits the storage of the CSC by the merchant or any stakeholder in the payment chain. Although designed to be a security feature, the static CSC is susceptible to fraud as it can easily be memorized by a shop attendant, who could then use it for fraudulent online transactions or sale on the dark web.
This vulnerability has led the industry to develop a Dynamic Card Security Code (DCSC) that can be changed at certain time intervals, or after each contact or contactless EMV transaction. This Dynamic CSC brings significantly better security than a static CSC.
The first generation of Dynamic CSC cards, developed by NagraID Security, required a battery, a quartz and a Real Time Clock (RTC) embedded within the card to power the computation of a new Dynamic CSC after expiration of the programmed period.
The second generation of Dynamic CSC cards, developed by Ellipse World, Inc., does not require any battery, quartz, or RTC to compute and display the new dynamic code. Instead, the card obtains its power either through the usual card connector or by induction during every EMV transaction from the Point of Sales (POS) terminal or Automated Teller Machine (ATM) to compute a new DCSC.
The Dynamic CSC, also called dynamic cryptogram, is marketed by several companies, under different brand names:
- MotionCode, first developed by NagraID Security, a company later acquired by Idemia,
- DCV, the solution offered by Thales,
- EVC (Ellipse Verification Code) by Ellipse, a Los Angeles, USA based company.
The advantage of the Dynamic Card Security Code (DCSC) is that new information is transmitted with the payment transactions, thus making it useless for a potential fraudster to memorize or store it. A transaction with a Dynamic Card Security Code is carried out exactly the same way, with the same processes and use of parameters as a transaction with a static code in a card-not-present transaction. Upgrading to a DCSC allows cardholders and merchants to continue their payment habits and processes undisturbed.
User authentication
Complex Cards can be equipped with biometric sensors allowing for stronger user authentication. In the typical use case, fingerprint sensors are integrated into a payment card to bring a higher level of user authentication than a PIN.
In order to implement user authentication using a fingerprint enabled smart card, the user has to authenticate himself/herself to the card by means of the fingerprint before starting a payment transaction.
Several companies offer cards with fingerprint sensors:
- Thales: Biometric card,
- Idemia: F.Code, originally developed by NagraID Security,
- Idex Biometrics,
- NXP Semiconductors,
- …
Components
Complex Cards can incorporate a wide variety of components. The choice of components drives functionality, influences cost, power supply needs, and manufacturing complexity.
Buttons
Depending on Complex Card types, buttons have been added to allow an easy interaction between the user and the card. Typically, these buttons are used to:
- Select one action, such as which account to obtain the balance, or the unit (e.g. currency or number of trips) in which the information is displayed,
- Enter numeric data via the addition of a digital keypad,
- Enter text data via the addition of an alphanumeric keyboard.
While separate keys have been used on prototypes in the early days, capacitive keyboards are the most popular solution now, thanks to technology developments by AudioSmartCard International SA.
The interaction with a capacitive keyboard requires constant power, therefore a battery and a mechanical button are required to activate the card.
Buzzer
The first Complex Cards were equipped with a buzzer that made it possible to broadcast sound. This feature was generally used over the phone to send identification data such as an identifier and One-Time Passwords (OTPs). Technologies used for sound transmission include DTMF (Dual-tone multi-frequency signaling) or FSK (Frequency-shift keying).
Companies that offered cards with buzzers include:
- AudioSmartCard,
- nCryptone,
- Prosodie,
- Société d'exploitation du jeton sécurisé – SEJS.
Display
Displaying data is an essential part of Complex Card functionalities. Depending on the information that needs to be shown, displays can be digital or alphanumeric and of varying lengths. Displays can be located either on the front or back of the card. A front display is the most common solution for showing information such as a One-Time Password or an electronic purse balance. A rear display is more often used for showing a Dynamic Card Security Code (DCSC).
Displays can be made using two technologies:
- Liquid-Crystal Display (LCD): LCDs are easily available from a wide variety of suppliers, and they are able to display either digits or alphabetical data. However, to be fitted in a complex smart card, LCDs need to have a certain degree of flexibility. Also, LCDs need to be powered to keep information displayed.
- Bistable displays, also known as Ferroelectric liquid crystal displays, are increasingly used as they only require power to refresh the displayed information. The displayed data remains visible without the need for any power supply. Bistable displays are also available in a variety of specifications, displaying digits or pixels. Bistable displays are available from E Ink Corporation among others.
Cryptoprocessor
If a Complex smart Card is dedicated to making cryptographic computations such as generating a One-Time Password, it may require a secure cryptoprocessor.
Power supply
As Complex Cards contain more components than traditional smart cards, their power consumption must be carefully monitored.
First generation Complex Cards require a power supply even in standby mode. As such, product designers generally included a battery in their design. Incorporating a battery creates an additional burden in terms of complexity, cost, space and flexibility in an already dense design. Including a battery in a Complex Card increases the complexity of the manufacturing process as a battery cannot be hot laminated.
Second generation Complex Cards feature a battery-free design. These cards harvest the necessary power from external sources; for example when the card interacts in a contact or contactless fashion with a payment system or an NFC-enabled smartphone. The use of a bistable display in the card design ensures that the screen remains legible even when the Complex Card is unconnected to the power source.
Manufacturing
Complex Card manufacturing methods are inherited from the smart card industry and from the electronics mounting industry. Because Complex Cards incorporate several components while having to remain within 0.8 mm thickness, be flexible, and comply with the ISO 7810, 7811 and 7816 standards, their manufacture is more complex than that of standard smart cards.
One of the most popular manufacturing processes in the smart card industry is lamination. This process involves laminating an inlay between two card faces. The inlay contains the needed electronic components with an antenna printed on an inert support.
Typically, battery-powered Complex Cards require a cold lamination manufacturing process. This process impacts the manufacturing lead time and the whole cost of such a Complex Card.
Second generation, battery-free Complex Cards can be manufactured using the existing hot lamination process. This automated process, inherited from traditional smart card manufacturing, enables the production of Complex Cards in large quantities while keeping costs under control, a necessity for the evolution from a niche to a mass market.
Card life cycle
As with standard smart cards, Complex Cards go through a lifecycle comprising the following steps:
- Manufacturing,
- Personalization,
- User enrollment, if needed by the application,
- Provisioning,
- Active life,
- Cancellation,
- Recycling / destruction.
As Complex Cards bring more functionalities than standard smart cards, and due to their complexity, their personalization can take longer or require more inputs. Having Complex Cards that can be personalized by the same machines and the same processes as regular smart cards allows them to be integrated more easily in existing manufacturing chains and applications.
First generation, battery-operated Complex Cards require specific recycling processes, mandated by different regulatory bodies. Additionally, keeping battery-operated Complex Cards in inventory for extended periods of time may reduce their performance due to battery ageing.
Second-generation battery-free technology ensures operation during the entire lifetime of the card and eliminates self-discharge, providing extended shelf life, and is more eco-friendly.
History, major players
Since the inception of smart cards, innovators have been trying to add extra features. As technologies have matured and have been industrialized, several smart card industry players have been involved in Complex Cards.
The Complex Card concept began in 1999 when Cyril Lalo and Philippe Guillaud, its inventors, first designed a smart card with additional components. The first prototype was developed collaboratively by Cyril Lalo, who was the CEO of AudioSmartCard at the time, and Henri Boccia and Philippe Patrice, from Gemplus. The prototype included a button and audio functions on a 0.84 mm thick ISO 7810-compliant card.
Since then, Complex Cards have been mass-deployed primarily by NagraID Security.
AudioSmartCard
AudioSmartCard International SA was instrumental in developing the first Complex Card that included a battery, a piezoelectric buzzer, a button, and audio functions all on a 0.84 mm thick, ISO 7810-compatible card.
AudioSmartCard was founded in 1993 and specialized in the development and marketing of acoustic tokens incorporating security features. These acoustic tokens exchanged data in the form of sounds transmitted over a phone line. In 1999, AudioSmartCard transitioned to a new leadership under Cyril Lalo and Philippe Guillaud, who also became major shareholders. They made AudioSmartCard evolve towards the smart card world. In 2003, Prosodie, a subsidiary of Capgemini, joined the shareholders of AudioSmartCard.
AudioSmartCard was renamed nCryptone in 2004.
CardLab Innovation
CardLab Innovation, incorporated in 2006 in Herlev, Denmark, specializes in Complex Cards that include a switch, a biometric reader, an RFID jammer, and one or more magstripes. The company works with manufacturing partners in China and Thailand and owns a card lamination factory in Thailand.
Coin
Coin was a US-based startup founded in 2012 by Kanishk Parashar. It developed a Complex Card capable of storing the data of several credit and debit cards. The card prototype was equipped with a display and a button that enabled the user to switch between different cards. In 2015, the original Coin card concept evolved into Coin 2.0, adding contactless communication to its original magstripe emulation.
Coin was acquired by Fitbit in May 2016 and all Coin activities were discontinued in February 2017.
Ellipse World, Inc.
Ellipse World, Inc. was founded in 2017 by Cyril Lalo and Sébastien Pochic, both recognized experts in Complex Card technology. Ellipse World, Inc. specializes in battery-free Complex Card technology.
The Ellipse patented technologies enable smart card manufacturers to use their existing dual interface payment card manufacturing process and supply chain to build battery-free, second generation Complex Cards with display capabilities. Thanks to this ease of integration, smart card vendors are able to address banking, transit and prepaid cards markets.
EMue Technologies
EMue Technologies, headquartered in Melbourne, Australia, designed and developed authentication solutions for the financial services industry from 2009 to 2015. The company’s flagship product, developed in collaboration with Cyril Lalo and Philippe Guillaud, was the eMue Card, a Visa CodeSure credit card with an embedded keypad, a display and a microprocessor.
Feitian Technologies
Feitian Technologies, a China-based company created in 1998, provides cyber security products and solutions. The company offers security solutions based on smart cards as well as other authentication devices. These include Complex Cards that incorporate a display, a keypad or a fingerprint sensor.
Fingerprint Cards
Fingerprint Cards AB (or Fingerprints) is a Swedish company specializing in biometric solutions. The company sells biometric sensors and has recently introduced payment cards incorporating a fingerprint sensor such as the Zwipe card, a biometric dual-interface payment card using an integrated sensor from Fingerprints.
Giesecke+Devrient
Giesecke & Devrient, also known as G+D, is a German company headquartered in Munich that provides banknotes, security printing, smart cards and cash handling systems. Its smart card portfolio includes display cards, OTP cards, as well as cards displaying a Dynamic CSC.
Gemalto
Gemalto, a division of Thales Group, is a major player in the secure transaction industry.
The company’s Complex Card portfolio includes cards with a display or a fingerprint sensor. These cards may display an OTP or a Dynamic CSC.
Idemia
Idemia is the product of the 2017 merger of Oberthur Technologies and Morpho. The combined company has positioned itself as a global provider of financial cards, SIM cards, biometric devices as well as public and private identity solutions. Due to Oberthur’s acquisition of NagraID Security in 2014, Idemia’s Complex Card offerings include the F.CODE biometric payment card that includes a fingerprint sensor, and its battery-powered Motion Code card that displays a Dynamic CSC.
Idex
Idex Biometrics ASA, incorporated in Norway, specializes in fingerprint identification technologies for personal authentication. The company offers fingerprint sensors and modules that are ready to be embedded into cards.
Innovative Card Technologies
Founded in 2002 by Alan Finkelstein, Innovative Card Technologies developed and commercialized enhancements for the smart card market. The company acquired the display card assets of nCryptone in 2006. Innovative Card Technologies has ceased its activities.
NagraID
Nagra ID, now known as NID, was a wholly-owned subsidiary of the Kudelski group until 2014. NID can trace its history with Complex Cards back to 2003 when it collaborated on development with nCryptone. Nagra ID was instrumental in developing the cold lamination process for Complex Cards manufacturing.
Nagra ID manufactures Complex Cards that can include a battery, buttons, displays or other electronic components.
NagraID Security
Nagra ID Security began in 2008 as a spinoff of Nagra ID to focus on Complex Card development and manufacturing. The company was owned by Kudelski Group (50%), Cyril Lalo (25%) and Philippe Guillaud (25%).
NagraID Security quickly became a leading player in the adoption of Complex Cards due, in large part, to its development of MotionCode cards that featured a small display to enable a Dynamic Card Security Code (DCSC).
NagraID Security was the first Complex Cards manufacturer to develop a mass market for payment display cards.
Their customers included:
- ABSA, South Africa,
- Banco Bicentenario, Venezuela,
- Banco MontePaschi, Belgium,
- Erste Bank, Croatia,
- Getin Bank, Poland,
- Standard Chartered Bank, Singapore.
NagraID Security also delivered One-Time Password cards to companies including:
- Bank of America,
- HID Security,
- Paypal,
- RSA Security,
- Verisign.
In 2014, NagraID Security was sold to Oberthur Technologies (now Idemia).
nCryptone
nCryptone emerged in 2004 from the renaming of AudioSmartCard. nCryptone was headed by Cyril Lalo and Philippe Guillaud and developed technologies around authentication servers and devices.
nCryptone display card assets were acquired by Innovative Card Technologies in 2006.
Oberthur Technologies, now Idemia
Oberthur Technologies, now Idemia, is one of the major players in the secure transactions industry. It acquired the business of NagraID Security in 2014. Oberthur then merged with Morpho and the combined entity was renamed Idemia in 2017.
Major references in the Complex Cards business include:
- BPCE Group, France,
- Orange Bank, France,
- Société Générale, France.
Plastc
Set up in 2009, Plastc announced a single card that could digitally hold the data of up to 20 credit or debit cards. The company succeeded in raising US$ 9 million through preorders but failed to deliver any product. Plastc was then acquired in 2017 by Edge Mobile Payments, a Santa Cruz-based Fintech company. The Plastc project continues as the Edge card, a dynamic payment card that consolidates several payment cards in one device. The card is equipped with a battery and an ePaper screen and can store data from up to 50 credit, debit, loyalty and gift cards.
Stratos
Stratos was created in 2012 in Ann Arbor, Michigan, USA. In 2015, Stratos developed the Stratos Bluetooth Connected Card, which was designed to integrate up to three credit and debit cards in a single card format and featured a smartphone app used to manage the card. Thanks to its lithium-ion thin-film battery, the Stratos card was equipped with LEDs and communicated in contactless mode and in Bluetooth Low Energy.
In 2017 Stratos was acquired by CardLab Innovation, a company headquartered in Herlev, Denmark.
Swyp
SWYP was the brand name of a card developed by Qvivr, a company incorporated in 2014 in Fremont, California. SWYP was introduced in 2015 and dubbed the world’s first smart wallet. SWYP was a metal card with the ability to combine over 25 credit, debit, gift and loyalty cards. The card worked in conjunction with a smartphone app used to manage the cards. The Swyp card included a battery, a button and a matrix display that showed which card was in use. The company registered users in its beta testing program, but the product never shipped on a commercial scale.
Qvivr raised US$ 5 million in January 2017 and went out of business in November 2017.
Businesses
Complex Cards have been adopted by numerous financial institutions worldwide. They may include different functionalities such as payment cards (credit, debit, prepaid), One-Time Password, mass-transit, and dynamic Card Security Code (CSC).
Complex Card technology is used by numerous financial institutions including:
- ABSA, South Africa,
- Banca MontePaschi Belgio, Belgium,
- Bank of America, USA,
- BPCE Group, France,
- Carpatica Bank, Romania,
- Credit Europe Bank, Romania,
- Erste&Steiermärkische Bank, Croatia,
- Getin Bank, Poland,
- Newcastle Banking Society, UK,
- Orange Bank, France,
- Paypal, USA,
- Sinopac, Taiwan,
- Société Générale, France,
- Standard Chartered Bank, Singapore,
- Symantec,
- TEB, Turkey.