DEV Community

Alfred Zhang

Building a Custom Java Card Applet for Payment Cards

Our card runs a custom applet on a JCOP4 (Java Card Open Platform) chip. Here's what that actually means and how we built it.

What Is Java Card?

Java Card is a technology that allows Java-based applets to run on smart cards and secure elements. It's the platform behind most EMV chip cards, SIM cards, and government ID cards.

JCOP (Java Card Open Platform) is NXP's implementation. JCOP4 is the latest generation, supporting:

  • RSA up to 4096 bits
  • ECC including P-256 (secp256r1)
  • AES-256
  • Secure key storage
  • Multiple applet isolation

What Our Applet Does

The OpenPasskey applet:

1. Key Generation

On first use, the applet generates a P-256 key pair inside the card's secure element. The private key never leaves the chip. Not during manufacturing, not during use, not ever.

2. EMV Protocol

The applet implements the EMV contactless protocol (ISO 14443-4). When a terminal emits an NFC field:

  1. Card powers up from the RF field
  2. Terminal sends SELECT command with our AID
  3. Applet responds with card capabilities
  4. Terminal sends GET PROCESSING OPTIONS
  5. Applet prepares transaction data
  6. Terminal sends GENERATE AC (authorization cryptogram)
  7. Applet signs transaction data with P-256
  8. Returns signature + payment metadata

Total time: under 500ms.

3. Transaction Signing

For each tap, the applet:

  • Increments a transaction counter (prevents replay)
  • Builds a data structure: amount, merchant ID, counter, timestamp
  • Signs with P-256 ECDSA using the stored private key
  • Returns: signature (r, s), public key (x, y), transaction data

4. Multiple Interfaces

The same applet supports:

  • Contact interface (chip inserted into reader)
  • Contactless interface (NFC tap)
  • Both use the same key pair and signing logic

Host Card Emulation (HCE)

For mobile phones, we implement the same protocol in software using HCE (Host Card Emulation). The phone's NFC chip emulates a contactless card, speaking the same APDU commands.

The key difference: on HCE, the private key is stored in the phone's secure element or TEE (Trusted Execution Environment) rather than a Java Card chip.

Why Java Card?

  1. Hardware security: Private key in a certified secure element
  2. EMV compliance: Industry-standard protocol implementation
  3. Terminal compatibility: Works at any existing EMV terminal
  4. Tamper resistance: Physical + logical protection

The Result

A card that taps identically to Visa from the terminal's perspective, but signs with P-256 (stronger than Visa's 3DES) and settles on-chain instead of through banks.

3,200+ users, 20+ Sydney cafes. Zero complaints about tap speed or reliability.


OpenPasskey | @OpenPasskey
