What is a smart card? Chip cards explained

1. Smart card in one paragraph

A smart card is a plastic card — typically ISO 7810 ID-1 PVC — embedding an integrated circuit that can store data and run logic. The chip is either visible on the card surface (contact chip, inserted into a reader) or hidden inside the card body alongside an antenna (contactless, tapped against a reader). Smart cards are the modern reference for access control, transit, payment, identification and authentication, with a fast-growing footprint in corporate, government, transport and hospitality environments. Our smart cards product page covers the full range of available specifications.

2. How smart cards work

A smart card is much more than a data carrier. Unlike a magnetic stripe (which simply stores data on a magnetic film) or a barcode (which encodes data optically), a smart card runs an actual computer chip inside the PVC body. That chip has its own memory, processor and security logic.

2.1 the chip and its components

The chip integrates several components on a single silicon die:

• Memory — ROM (preloaded firmware), EEPROM or Flash (rewritable user data), RAM (temporary calculations).
• Microcontroller — runs the card's operating system and any installed applets.
• Cryptographic coprocessor — performs AES, 3DES, RSA or elliptic-curve operations efficiently and securely.
• Communication interface — either physical contacts (contact chip) or an antenna coil (contactless).

2.2 how the reader and card talk to each other

When the card is inserted (contact) or tapped (contactless), the reader supplies power to the chip and initiates a communication protocol. The chip and the reader exchange a sequence of commands and responses defined by international standards (ISO 7816 for contact, ISO 14443 or ISO 15693 for contactless). The exchange typically authenticates the reader to the card, then reads or writes specific data sectors, all within a fraction of a second.

2.3 the role of the secure element

On secure smart cards (banking, e-government, premium corporate access), the chip is a secure element — a tamper-resistant chip certified against physical and side-channel attacks. The secure element stores cryptographic keys and runs sensitive operations in an isolated environment, making cloning impractical even with physical access to the card.

3. The three physical types of smart card

3.1 contact chip cards (ISO 7816)

The classic format with a visible square chip on the front of the card. The reader has physical contacts that touch the chip pads when the card is inserted. Used historically for banking, e-government IDs, health insurance cards and corporate PKI authentication. Slower than contactless reads, but offers the highest physical security since the chip is only powered when fully inserted.

3.2 contactless cards (ISO 14443 and ISO 15693)

The chip is hidden inside the PVC body alongside an antenna coil. The reader generates a radio-frequency field; the antenna picks up that field, powers the chip and exchanges data. ISO 14443 (13.56 MHz, short range, the dominant standard for Mifare and bank cards) and ISO 15693 (13.56 MHz, longer range, vicinity cards) are the two main variants. Reading takes a fraction of a second and requires no insertion — the basis of the modern contactless user experience.

3.3 dual interface cards

A single chip with both a contact interface and a contactless antenna, sharing the same secure element. The card works both ways depending on the reader at hand. Modern bank cards are the most familiar example — insert for chip-and-PIN, tap for contactless payment, both backed by the same secure element. Increasingly common in corporate and government environments where mixed reader infrastructure has to be supported on one card.

4. Common chip families in B2B card production

"Smart card" is a generic term — the actual capabilities of the card depend on the specific chip family inside. The six families most commonly deployed in B2B card programmes:

4.1 NXP Mifare Classic 1K / 4K

The most widely deployed contactless chip in history. Used massively for transit, building access, corporate badges and event ticketing. Crypto-1 algorithm is now considered broken (1K cards can be cloned with off-the-shelf tools), so Mifare Classic is no longer recommended for new secure deployments. It remains common in installed bases that have not migrated yet.

4.2 NXP Mifare DESFire EV1 / EV2 / EV3

The modern successor to Mifare Classic. AES-128 encryption, mutual authentication, multi-application support (up to 28 applications in independent sectors on the same card). DESFire EV2 and EV3 are the safe modern default for new secure deployments — corporate access, transit, cashless payment, multi-service campus cards. Storage typically 2K, 4K or 8K.

4.3 NXP NTAG 213 / 215 / 216

NFC-friendly contactless chips designed for smartphone interaction (NFC Forum Type 2 tag). 144 to 924 bytes of user memory. Affordable, simple to program. Widely used for customer-engagement campaigns, smart business cards, product authentication and loyalty mechanics. Less secure than DESFire but matches the needs of consumer-facing applications.

4.4 NXP Mifare Ultralight EV1

Disposable contactless ticketing chip. 144 bytes of user memory. Cost-optimised for single-use or short-cycle tickets — public transport paper tickets, event single-day passes, parking. Limited security but enough for low-value, short-life applications.

4.5 EM Marin 4102 / 4200 and TK4100

125 kHz read-only legacy chips. The dominant standard for older corporate access control systems (Paxton, Tagsys, HID Prox). Still widely deployed in installed door access infrastructure. Replaced over time by 13.56 MHz Mifare DESFire on new deployments, but EM Marin remains the right answer when the readers are already 125 kHz.

4.6 Java card and contact chips with PKI

Programmable secure chips running Java applets. Used for enterprise SSO, qualified electronic signature, e-government IDs and any application requiring PKI (X.509 certificates, RSA, elliptic curve signatures). The most flexible chip family but also the most expensive and the most demanding in terms of provisioning workflow.

5. Security capabilities and limits

The security level of a smart card depends entirely on the chip family. Three tiers emerge in practice:

5.1 low security — read-only or weak encryption

EM Marin 4102, NTAG without password, Mifare Classic 1K. Suitable for low-value applications where convenience matters more than tamper resistance — gym access, event passes, marketing campaigns.

5.2 mid security — AES with mutual authentication

Mifare DESFire EV1/EV2, Mifare Plus. AES-128 encryption, mutual authentication between card and reader, multi-application support. The right level for corporate building access, university campus cards, modern transit cards and most commercial deployments. Practically resistant to attacks given a properly designed system.

5.3 high security — certified secure element with PKI

DESFire EV3, dual interface bank cards, Java Card with PKI applets, e-government ID chips. Tamper-resistant secure element, side-channel attack protection, certification under Common Criteria (EAL4+ to EAL6). The right level for payment, identity documents, qualified electronic signature and high-security access systems.

The security level is set at chip selection, not at production. Choosing the right chip family for the security needs of the application is one of the most important decisions when specifying a smart card programme.

6. Storage and multi-application support

Smart card storage capacity ranges from a few hundred bytes on basic chips (NTAG 213 at 144 bytes) to over a hundred kilobytes on high-end chips (DESFire EV3 at 8K, Java Card at 144K). The capacity matters less than the way the storage is structured.

The most valuable architectural feature is multi-application support. A DESFire chip can host up to 28 independent applications in protected sectors on the same card — building access in sector A, cashless payment in sector B, library borrowing in sector C, loyalty in sector D. Each sector has its own keys and access conditions. Different applications can be operated by different parties (the university operates the campus access, the canteen operator runs the cashless payment) without exposing one to the other.

This is the architectural backbone of modern campus cards, transport cards and corporate badges that consolidate multiple services on one physical credential.

7. B2b use cases by sector

7.1 corporate access and identification

Employee badges with Mifare DESFire for building access, parking, lifts and printing services — the modern corporate standard. See corporate card programmes for sector-specific patterns.

7.2 banking and payment

Dual interface bank cards with EMV-compliant chips — chip-and-PIN for contact transactions, contactless tap for payments under the relevant ceiling. The single most deployed smart card application worldwide. See banking and financial services card programmes.

7.3 transport and ticketing

Mifare DESFire for season tickets and contactless transit cards in major networks (Navigo, Oyster, OV-chipkaart). Mifare Ultralight for paper single-trip tickets. EM Marin for legacy systems still in service.

7.4 education and campus services

Multi-application DESFire campus cards combining building access, library borrowing, cafeteria payment, photocopier access and sometimes exam ID verification — all on one card. See education card programmes.

7.5 hospitality access

Premium hotel groups are migrating from magnetic stripe key cards to RFID smart cards (Salto, Assa Abloy Vingcard, Onity, Dormakaba). The chip family depends on the lock manufacturer. See hospitality card programmes.

7.6 events and accreditation

RFID smart cards for multi-day passes, cashless payment at festivals, exhibitor accreditation with re-entry control. Mifare DESFire or NTAG depending on the application. See event card programmes.

7.7 customer engagement and marketing

NTAG NFC chips on premium business cards, loyalty cards, product authentication tags — readable directly by smartphones. Used for tap-to-engage marketing campaigns, smart packaging and connected customer experiences.

8. Smart cards vs magnetic stripe

The choice between smart cards and magnetic stripe is one of the most important encoding decisions for any B2B card programme. Magnetic stripe remains relevant for legacy reader environments, hotel keys and re-encodable short-cycle cards. Smart cards dominate new secure deployments, contactless workflows and multi-application use cases.

The two technologies coexist in many real-world environments through hybrid cards (stripe on the back + chip on the front), especially during reader-migration projects. Our dedicated article magnetic stripe vs smart cards walks through the full side-by-side comparison.

9. How to choose the right chip family

The choice is driven by three questions, in this order:

9.1 what is the reader infrastructure?

The chip family is dictated by the reader, not the other way around. A Mifare reader will not read an EM Marin card; a 125 kHz reader will not read a 13.56 MHz card. The single most reliable way to identify the right chip is to share the reader model or a working sample card. We can then identify the exact chip and programming parameters required.

9.2 what is the security level required?

If the card protects valuable or sensitive data — payment credentials, employee identity, qualified signature — DESFire EV2/EV3 or a certified secure element is the right choice. If the data is low-value (gym day pass, event ticket, marketing tag), simpler chips suffice. Matching the security level to the actual application avoids both under-investment and over-investment.

9.3 how many applications on one card?

Single-application programmes (just building access, just transit, just payment) can use simpler chips. Multi-application programmes (campus card combining access + library + cafeteria + photocopier) require DESFire-class chips with independent application sectors. Designing the card with multi-app in mind from day one is cheaper than re-issuing the card stock when a new service is added later.

10. Frequently asked questions

What is the difference between RFID and NFC?

RFID is the broad category — any radio-frequency identification technology. NFC (Near Field Communication) is a specific subset of RFID at 13.56 MHz designed for short-range, two-way communication with smartphones. NFC tags use NFC Forum-compliant chips (NTAG family); RFID cards use a much broader range of chips at various frequencies.

Can a smart card be read by a smartphone?

Yes, if the chip is NFC Forum-compliant (NTAG 213/215/216, NTAG 424 DNA) or operates at 13.56 MHz ISO 14443 (Mifare Classic, DESFire and similar). Most modern Android and iPhone devices read these chips natively. EM Marin 125 kHz cards cannot be read by smartphones without an external reader.

How secure are smart cards compared to magnetic stripe?

Significantly more secure on properly chosen chip families. Mifare DESFire EV2/EV3 implement AES-128, mutual authentication and tamper-resistant secure elements — practically resistant to cloning. Magnetic stripe data is unencrypted and trivially copyable. For any application protecting value or identity, smart cards are the technically correct choice.

Can the same smart card host multiple applications?

Yes, on chip families that support multi-application — Mifare DESFire (up to 28 applications), Java Card with applet loading, dual interface bank cards. Each application sits in its own protected sector with independent keys. The card can be shared between multiple operators (the university, the canteen, the transport network) without exposing one application to another.

How long does a smart card last in daily use?

The chip and antenna inside a smart card last the mechanical lifetime of the PVC body — 3 to 5 years on standard 0.76 mm PVC, longer on composite stock. The chip does not degrade with use the way magnetic stripes do, because the read is contactless or chip-based with no mechanical wear on the data carrier itself.

Can your team programme the chip at production?

Yes. We perform full chip personalisation at production — UID programming, sector key loading, memory initialisation, applet installation and certificate injection — following your exact specification document. For high-security deployments where keys cannot leave your environment, cards can also be delivered with factory defaults for in-house programming.

What if i have an existing working smart card and want a reprint?

Share the working card and we identify the exact chip family and programming parameters needed to replicate it. This is the most reliable route when documentation is partial or missing. We can also test against your readers to validate the replication before dispatching the full batch.

Can i combine a smart card chip with other technologies on the same card?

Yes. Hybrid cards combining a smart card chip with a magnetic stripe, a barcode or a contact chip + contactless antenna (dual interface) are routinely produced. Modern bank cards are dual interface; many corporate badges combine chip access with a barcode for legacy systems. The combinations are validated at the proof stage.