The most straightforward way for a customer to establish trusted and private communication channels with a smart card is to insert the smart card into a reader/writer device trusted by the customer. These devices directly provide trusted input and output, and with the proper physical shields (e.g., to prevent shoulder-surfing), also provide private, and hence secure, input and output.
In POS applications, the merchant controls the reader/writer. Indeed, from the customer's point of view, the merchant's smart card reader qualifies as a potentially hostile environment. Hence, we need to consider techniques to achieve trusted and private communication with smart cards in hostile environments.
One approach is to put a keypad and display directly on the smart card. Such peripherals increase the cost of the smart card (and may violate assumptions about the smart card's physical security), but provide trusted communication for the customer; and, with physical shielding, can provide privacy as well. If keypads and displays on the smart card are infeasible, the customer could carry a trusted portable smart card reader [3]. In this sort of system, after the transaction parameters are transferred to the smart card, the customer would transfer the card from the merchant's terminal into the portable reader. Only if the customer approves the transaction would he move the card back to the merchant's terminal. However, using portable readers this way may be unacceptably awkward for many POS applications; certainly, if the customers are willing to carry portable smart card I/O devices, we might as well omit the smart card and have the trusted I/O devices communicate directly with the merchant terminal via some higher bandwidth channel than a smart card (e.g., infra-red link or a cable).
Another approach routes communications through the merchant's reader/writer, and protects those communications using information security techniques. For example, if the customer and the smart card shared knowledge of a large codebook, they could use this codebook to send messages to each other that intermediaries could neither understand nor forge. Alternatively, if the customer can perform cryptography in his head (such as digital signatures, or RSA or DES encryption) and can enter data using numeric keypads very quickly, then the customer and smart card could simply pass encrypted and/or signed messages to each other, achieving trust and, if encryption is used, privacy. However, doing operations with large codebooks from memory and performing RSA and DES encryptions in one's head appears to be beyond the ability of most normal human beings.