We discuss some possible requirements for I/O-enhanced smart cards that would give a variety of security configurations. We make no attempt to discuss the technical or economic feasibility of I/O-enhanced smart cards; this paper is concerned with exploring various equivalences of security properties among different types of I/O-enhanced smart cards.
The minimum requirements to accomplish a POS transaction are as follows. The customer must communicate to the smart card enough information to indicate the amount of the transaction. It is also necessary that the smart card know the merchant's identity so that it can verify it, in order to protect against Trojan horse attacks by untrusted POS terminals; the merchant identity information is also important for unrolling transactions later, e.g., in order to return defective or otherwise unsuitable merchandise. The customer need not personally provide the requisite information to the smart card. The merchant may provide the information directly to the smart card, which will then verify it with the user through trusted input and output. The smart card does not require user authentication; this is why ``trusted'' here means trusted with respect to the possessor of the card, and with trusted I/O no privacy is required for transaction authorization. If either trusted input or output is unavailable, then, as we see below, we may require additional privacy conditions.
From the customer's perspective, the only absolute requirement is to provide proper information to the smart card. The minimal required mechanism is trusted input. As we have seen, trusted input can be implemented through a variety of combinations of input and output properties.
The merchant must be able to tell his POS system the amount of the expected transaction and know when the transaction completes. This requirement is satisfied if the merchant has trusted input to the POS system, which is trivial if the merchant controls the environment, and one bit of trusted output to indicate transaction completion.
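The following model of the exchange is an added example and not part of the paper. It plays out the requirements above: an untrusted terminal hands the card a (merchant, amount) request, the card verifies the merchant identity, shows the request to the possessor over trusted output, reads a confirm/decline over trusted input, and the terminal returns to the merchant the single bit of trusted output that says whether the transaction completed. The merchant-verification mechanism (a list of identities the card can check), the class and function names, and the transaction data are all assumptions made for the illustration; the paper only requires that the card be able to verify the merchant.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class TransactionRequest:
    """What the terminal hands to the card: who is being paid and how much."""
    merchant_id: str
    amount_cents: int


@dataclass(frozen=True)
class Authorization:
    """What the card releases once the possessor has confirmed the request."""
    merchant_id: str
    amount_cents: int


def describe(req: TransactionRequest) -> str:
    """Canonical text shown on the card's trusted display."""
    return f"Pay {req.amount_cents / 100:.2f} to {req.merchant_id}?"


class Possessor:
    """The cardholder. Holds the intended payment and answers the card's
    trusted prompt: confirm only if what is displayed matches that intent."""

    def __init__(self, merchant_id: str, amount_cents: int) -> None:
        self.intended = describe(TransactionRequest(merchant_id, amount_cents))
        self.last_seen: Optional[str] = None

    def trusted_display(self, text: str) -> None:   # trusted output channel
        self.last_seen = text

    def trusted_confirm(self) -> bool:              # trusted input channel
        return self.last_seen == self.intended


class SmartCard:
    """Card with trusted I/O to its possessor. known_merchants is an assumed
    verification mechanism (identities the card can check); the paper only
    requires that the card be able to verify the merchant somehow."""

    def __init__(self, known_merchants: Iterable[str], possessor: Possessor) -> None:
        self._known = set(known_merchants)
        self._possessor = possessor
        self.log: List[Tuple[str, str]] = []

    def authorize(self, req: TransactionRequest) -> Optional[Authorization]:
        # 1. Verify the merchant identity supplied by the untrusted terminal.
        if req.merchant_id not in self._known:
            self.log.append(("reject", f"unverified merchant {req.merchant_id}"))
            return None
        # 2. Show exactly what was requested over the trusted output channel.
        self._possessor.trusted_display(describe(req))
        # 3. Read the decision over the trusted input channel. No PIN or other
        #    user authentication: "trusted" is relative to whoever holds the card.
        if not self._possessor.trusted_confirm():
            self.log.append(("reject", f"possessor declined: {describe(req)}"))
            return None
        self.log.append(("authorize", describe(req)))
        return Authorization(req.merchant_id, req.amount_cents)


class Terminal:
    """POS terminal. The merchant types the expected amount into it (trusted
    input for the merchant) and receives one bit back: did it complete?
    A Trojan-horse terminal replaces the request before the card sees it."""

    def __init__(self, tamper: Optional[TransactionRequest] = None) -> None:
        self._tamper = tamper

    def run(self, card: SmartCard, merchant_id: str, amount_cents: int
            ) -> Tuple[bool, Optional[Authorization]]:
        req = TransactionRequest(merchant_id, amount_cents)
        auth = card.authorize(self._tamper or req)
        return auth is not None, auth   # the one trusted bit the merchant needs


def run_scenario(tamper: Optional[TransactionRequest] = None
                 ) -> Tuple[bool, Optional[Authorization], List[Tuple[str, str]]]:
    """Customer intends to pay 12.50 to shop-42 through a terminal that is
    honest (tamper=None) or substitutes its own request. Constructed data."""
    possessor = Possessor("shop-42", 1250)
    card = SmartCard(known_merchants=["shop-42", "shop-7"], possessor=possessor)
    completed, auth = Terminal(tamper).run(card, "shop-42", 1250)
    return completed, auth, card.log


if __name__ == "__main__":
    print(run_scenario())                                        # honest terminal
    print(run_scenario(TransactionRequest("shop-42", 99999)))    # inflated amount
    print(run_scenario(TransactionRequest("shop-7", 1250)))      # redirected payee
    print(run_scenario(TransactionRequest("mallory", 1250)))     # unverifiable merchant
```

The three tampered runs show why trusted output and merchant verification are both needed: an inflated amount or a redirected payee is displayed to the possessor unaltered and declined over trusted input, while a merchant identity the card cannot verify is rejected before the possessor is even asked.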