Gemalto Ezio Web Connector (EWC)


Product Overview

A solution that makes it easy for the end-user to connect and use card readers for secure eBanking and eCommerce


Introduction

EWC is middleware that provides connectivity between a browser and a Personal Card Reader (PCR) and is used for secure on-line banking. The product is divided into two parts:

  • A component (named SConnect) that provides the local PC/SC layer abstraction to the browser. It is installed once in the end-user's browser.
  • A server-based JavaScript library that provides a high-level API to perform all on-line banking operations. The library is integrated into the bank's web application.

EWC integrates with the Ezio Shield Pro connectible PCR and with the Ezio Server for authentication.


[Figure: overview]


EWC supports all major platforms (Windows, Mac and Linux) and browsers (Windows Internet Explorer, Google Chrome, Mozilla Firefox and Apple Safari).

EWC supports the Gemalto Ezio Shield Pro reader with the Secure Channel, PPDU, SWYS and CAP features enabled.

EWC supports EMV and ISO chip cards.

When EWC performs an operation that requires multiple PC/SC commands, the PC/SC communication is locked so that other applications cannot interrupt the exchange (atomic operations).

Each step of the user process is tracked and can be used for future customer contact. The tracking log can be retrieved through the EWC API.

EWC detects when an issue occurs and displays specific messages and guidelines.

EWC is localized (errors, messages, step-by-step guides). Whenever the user is requested to interact with the device instead of the screen, EWC provides a modal light-box with instructions telling the user what to do. The EWC Man-Machine Interface is customizable.

EWC provides a customizable installation and upgrade guide for SConnect.


Software Development Kit

EWC includes a web demo framework. The framework provides a good user experience from a usability perspective and gives the bank a skeleton that it can use for testing and as a starting point when integrating EWC into its own system.

The SDK includes:

  • The EWC JavaScript library
  • The EWC API documentation
  • Sample code that demonstrates EWC integration and usability best practices

JavaScript library

EWC is the high-level interface on top of SConnect that encapsulates knowledge of the Ezio devices and makes it easier for customers (banks) to integrate Ezio products without needing detailed knowledge of PC/SC, EMV, CAP or other TLV-based protocols.

The following APIs are provided:

  • PC/SC API for handling of PCRs and chip cards (SConnect)
  • Sign-What-You-See API, and Ezio Shield contextual templates (SWYS)
  • CAP API compliant with the PLA2010 specification (CAP)
  • Secure Channel API
  • Secure PIN Entry API (SPE)
  • Pseudo-APDU API (PPDU)

PC/SC & SConnect

SConnect is a smart card browser extension for major web browsers running on Windows, Mac OS X and Linux. Its primary purpose is to provide a connectivity bridge between JavaScript running in a rendered web page and a smart card. SConnect is designed to be browser independent and to have a small footprint for quick installation. It exposes the classical smart card communication APIs (PC/SC) available on Windows, Mac OS X and Linux in order to minimize the learning curve for developers.

The SConnect API can also be used directly to perform custom PC/SC operations.

SConnect has two security requirements:

  • The web application server must be served over HTTPS
  • You must obtain and install a valid SConnect Connection Key

For testing and demonstrations limited to localhost access to a server, HTTPS and the connection key are not required.

EWC is built on SConnect. It validates the connection key and the license file on each page load. It also verifies the connection key even when this is not needed, because SConnect has already done so. The validation takes a couple of seconds and could be optimized in cases where the connection is already established.


Secure PIN Entry (SPE)

The SPE mechanism (as defined by the PC/SC Part 10 "IFDs with Secure PIN Entry Capabilities" specification) allows the user to enter the PIN directly on the PCR PIN pad. The PCR sends this PIN directly to the smart card for authentication, so the PIN is never exposed to the untrusted PC or workstation.

Note that a Gemalto driver for the PCR (at least on Windows platforms) must be installed to perform SPE operations.

The EWC API provides simple functions to perform SPE operations with the connected PCR in order to verify or modify the PIN.
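To show what the host side of an SPE exchange actually carries, here is an added example (not EWC or SConnect code) that builds and parses the PC/SC Part 10 PIN_VERIFY_STRUCTURE a host passes to a PIN-pad reader through SCardControl. It assumes the packed field layout of pcsc-lite's reader.h (19-byte header with little-endian words, followed by abData); the bitmap values and the placeholder VERIFY APDU are illustrative and constructed for the example.

```javascript
// Added example: PC/SC Part 10 PIN_VERIFY_STRUCTURE serialisation.
// Assumption: packed layout as in pcsc-lite reader.h (19-byte header, then abData).
const HEADER_LEN = 19;
const d = (v, def) => (v === undefined ? def : v);   // default helper

function buildPinVerifyStructure(f) {
  const apdu = Buffer.from(f.apdu);
  const hdr = Buffer.alloc(HEADER_LEN);
  hdr.writeUInt8(d(f.timerOut, 0x00), 0);            // bTimerOut (0 = reader default)
  hdr.writeUInt8(d(f.timerOut2, 0x00), 1);           // bTimerOut2 (timeout after first key)
  hdr.writeUInt8(f.formatString, 2);                 // bmFormatString: PIN encoding and position
  hdr.writeUInt8(f.pinBlockString, 3);               // bmPINBlockString: PIN block size
  hdr.writeUInt8(f.pinLengthFormat, 4);              // bmPINLengthFormat
  // wPINMaxExtraDigit is XXYY = min/max PIN length, stored little-endian
  hdr.writeUInt16LE((f.minPinLen << 8) | f.maxPinLen, 5);
  hdr.writeUInt8(d(f.entryValidation, 0x02), 7);     // 0x02: entry ends on validation key
  hdr.writeUInt8(d(f.numberMessage, 0x01), 8);       // bNumberMessage
  hdr.writeUInt16LE(d(f.langId, 0x0409), 9);         // wLangId (0x0409 = en-US)
  hdr.writeUInt8(d(f.msgIndex, 0x00), 11);           // bMsgIndex
  // bTeoPrologue[3] at offsets 12..14 stays zero (only meaningful for T=1)
  hdr.writeUInt32LE(apdu.length, 15);                // ulDataLength
  return Buffer.concat([hdr, apdu]);
}

function parsePinVerifyStructure(buf) {
  if (buf.length < HEADER_LEN) throw new Error('truncated header');
  const dataLen = buf.readUInt32LE(15);
  if (buf.length !== HEADER_LEN + dataLen) throw new Error('ulDataLength mismatch');
  const w = buf.readUInt16LE(5);
  return {
    formatString: buf[2], pinBlockString: buf[3], pinLengthFormat: buf[4],
    minPinLen: w >> 8, maxPinLen: w & 0xff, entryValidation: buf[7],
    langId: buf.readUInt16LE(9), apdu: buf.subarray(HEADER_LEN),
  };
}

// Constructed sample: VERIFY (CLA 00, INS 20, P2 80) with an 8-byte placeholder
// PIN block. The host never holds the digits; the reader inserts them itself.
const SAMPLE = buildPinVerifyStructure({
  apdu: [0x00, 0x20, 0x00, 0x80, 0x08, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff],
  formatString: 0x82,    // byte units, PIN at data offset 0, ASCII digits (illustrative)
  pinBlockString: 0x08,  // 8-byte PIN block (illustrative)
  pinLengthFormat: 0x00,
  minPinLen: 4, maxPinLen: 8,
});
```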


Pseudo-APDU (PPDU)

The PPDU mechanism (as defined by the PC/SC Part 10 "IFDs with Secure PIN Entry Capabilities" supplement) allows the same SPE operations to be performed, but no Gemalto driver is required for PPDU operations.

The EWC API provides simple functions to perform PPDU operations with the connected PCR in order to verify or modify the PIN and to change the PCR language.


Chip Authentication Program (CAP)

CAP is an on-line process that authenticates the cardholder before allowing access to an on-line banking service. The CAP authentication token, produced by a successful CAP authentication, replaces the static password on a login page.

CAP also provides the option of including transaction details (such as the amount and the account number of a bank transfer) in the authentication process. This gives explicit evidence of cardholder approval of those transaction parameters. It is similar to providing a password on a transaction confirmation page, but it involves the payment card and its security features in the process, which raises the level of evidence and assurance provided by the confirmation.

The EWC API provides simple functions to perform CAP operations with the connected PCR.


Sign What You See (SWYS)

SWYS is a security technique that improves on-line banking security: the user is required to verify and sign off on any transaction made from their bank account directly on the PCR.

The device presents information on its display and the customer must explicitly accept each screen by pressing the [OK] button. The information can be a predefined string stored in the device, displayed together with a numeric value sent in the command data generated by the EWC API; an entire screen included in the command data (which can contain any character from the supported ISO 8859 character set); or a combination of the two.

The EWC API provides simple functions to perform SWYS operations with the connected PCR.


Secure Channel

The Secure Channel is an on-line authentication process using a connectible PCR attached to the cardholder's web browser. Once the Secure Channel is established, the on-line banking server sends secured commands (MACed and enciphered) directly to the PCR to interact with the cardholder.

The EWC API provides simple functions to perform Secure Channel operations with the connected PCR.