MXPA00009892A - Method for indivisibly modifying a plurality of sites in a microcircuit card non volatile memory, in particular a contactless card

Info

Publication number
MXPA00009892A
Authority
MX
Mexico
Prior art keywords
card
terminal
session
order
modifications
Application number
MXPA/A/2000/009892A
Other languages
Spanish (es)
Inventor
Stephane Didier
Francois Grieu
Original Assignee
Innovatron Electronique
Application filed by Innovatron Electronique

Abstract

The card is temporarily connected to a terminal while a transaction is being executed, comprising the application by the terminal to the card of a plurality of modification commands, each comprising at least an operation for posting, in the card memory, a respective item of information indicated by the command, the different data thus posted being mutually interdependent. Said method comprises the following steps executed by the card:

a) on receiving from the terminal the corresponding respective modification commands, modifying the card memory content by provisionally posting, in the card memory, each of said interdependent data without losing the previous values corresponding to said data; then

b) finalising said modifications, either by confirming all of them, or by denying them, such that for subsequent operations the commands executed at step a) are either all taken into account, or are all null and void.

Description

PROCEDURE TO INDIVISIBLY MODIFY MULTIPLE SITES OF THE NON-VOLATILE MEMORY OF A CARD WITH MICROCIRCUITS, ESPECIALLY A CONTACTLESS CARD

FIELD OF THE INVENTION

The invention relates to cards with microcircuits, more particularly to cards with a microprocessor, which themselves make various modifications to their non-volatile memory.

BACKGROUND OF THE INVENTION

When an operation is carried out, the memory is generally modified once or several times, and it is then necessary, of course, to guarantee that all the modifications have been made correctly before the newly entered data can be used, or else to ignore or erase the newly entered data in case of error or of a lack of integrity of the entry. In this regard, U.S. Pat. A-4 877 945 describes how to detect a fault that occurred during a sequence of recording several data, to prevent the operation from continuing on an erroneous basis.

In addition, it is advisable, in case of failure, to be able to return to the previous state, that is, a later operation must be able to act on the values that the data had in the card before the incorrect operation was executed. The U.S. Pat. A-4 877 945 mentioned above does not offer this advantage, because some of the data values will have been lost during the execution of the incorrect operation, so that it will not be possible to restore these data to their previous state, at least not from the data contained in the card alone.

The patent WO A-89/02140 describes such a mode of operation, but it is only applicable to the modification of a single datum or to several data modifications that are independent of each other. In many cases, however, it is necessary to modify several data during the same operation, and these data are considered "reciprocally interdependent" if they must be processed as a whole for all the modifications of the data set to be executed properly.

The risk of an imperfect or inconclusive operation on multiple interdependent data is particularly high in the case of "contactless" type cards, in which the limits of the volume within which the card can work properly with the terminal are not perceptible. In that case, there is a non-negligible risk of unexpected interruption of the communication between card and terminal, because the card leaves the range of the terminal before the processing is finished, or because of a temporary interference, for example the passage of a metal body nearby.

An example (of course, not restrictive) is the use of such a card as a magnetic transport card (télébillétique), that is, to gain access to a public transport network, in which the card fulfils the double function of travel pass and electronic purse.

In order to solve these problems, and to make a plurality of recordings or other modifications of interdependent data "indivisible", several solutions have been proposed.

In the application example already mentioned, the known systems begin by debiting the electronic purse, then enter the transport rights acquired by the user. If the user withdraws his card between the two operations, he must present the card again and the recording of the transport rights is resumed. On the contrary, if he left without presenting his card again, he would be harmed. Obviously, it is impossible to proceed in the reverse order, because the user would then have an interest in removing his card before the electronic purse was debited.

This solution implies that the terminal must be specially configured so that, in case of interruption, an exception processing is activated that manages the restart of the transaction (that is, the reinsertion of the card at the request of the terminal). In addition to the complexity of the terminal program, this solution is not completely satisfactory insofar as, as already mentioned, the user is harmed if the operation is not restarted.

Another solution is to use cross-data, keeping in the terminal data about the electronic purse status of the card, and vice versa. However, this solution is not satisfactory either, because, in addition to its complexity, it increases the volume of data exchanged between the card and the terminal, and delays the execution of the operation. In addition, it hardly applies to a significant number of recordings that must be made indivisible (three and more).

OBJECTS OF THE INVENTION

One of the objects of the invention is to propose a method that allows multiple modifications of the memory of the card to be carried out in an indivisible manner.

Another object of the invention is to propose a method that can be administered entirely by the card. This method can then be implemented without modifying terminals and without providing exception processing for these terminals, using the syntax of existing instructions and, therefore, with great flexibility in the choice of orders.
DETAILED DESCRIPTION OF THE INVENTION

The method of the invention is such that the card is temporarily connected to a terminal during the execution of an operation, consisting of the application to the card by the terminal of multiple modification orders, each composed at least of an entry operation, in the memory of the card, of the respective information designated by the order, the different data entered in this way being reciprocally interdependent. As a characteristic of the invention, this method comprises the execution, by the card, of the following steps:

a) upon receiving the corresponding respective orders from the terminal, modification of the contents of the card's memory by a provisional entry, in the memory of the card, of each of the interdependent data without losing the previous values corresponding to these data; then,

b) completion of these modifications, either by confirming them all, or by invalidating them all, so that, for later operations, the orders executed in step a) are either all taken into account, or left without effect in their entirety.

The basic principle of the invention then consists in grouping the plurality of modifications to be carried out in an indivisible manner during the same step a) and, after having carried out these modifications, validating them as a whole by means of the card. If the validation is effective, during the next operation carried out by the card (in the course of the same operation, or of a subsequent transaction), its accessible content will necessarily reflect the modifications made. On the contrary, any interruption in the functioning of the card that takes place during step a) will cancel the whole set of modifications made, and the data of the non-volatile memory will remain in their state prior to step a).

In a particular embodiment, when a confirmation is made in step b), a token confirming the correct execution is entered in the card memory and, when the card subsequently receives an order that implies reading and/or modification of at least one of the data entered in step a), or of the value corresponding to it, the card first examines the state of the token and, if it has not been entered, the card ignores or cancels the provisional entries made previously in step a), and executes the order on the basis of said previous values corresponding to the data. When the card examines the state of the token, if it has been entered, the card can then perform operations to recover the provisional recordings made in step a).

Very conveniently, the card can work in two modes, namely a session mode, in which the entries are made by executing steps a) and b), and an out-of-session mode, in which the making of the entries is not subject to confirmation by the whole of steps a) and b).
The opening of the session (login) can be implicit, for example when the card is reset to zero (restart), or as a consequence of a double-action order that executes a predetermined operation and is also interpreted as a login instruction. For example, when a normally certified entry arrives without a certificate, the card automatically opens a session and processes the entry in that session.

Similarly, the session closure may be implicit, in response to a double-action order that executes a predetermined operation and is also interpreted as a session-end instruction. For example, a debit operation on the electronic purse ends the session, which also avoids having to defer the communication of the resulting certificate and allows the session certificates to be merged with those of electronic purse transactions.

Very conveniently, the method comprises an authentication function combined with the completion function of step b), which forces an invalidation in step b) if the authentication fails.

In a first embodiment, this authentication is performed by the card, which authenticates the terminal and/or the data exchanged between terminal and card: the card checks an encoded certificate produced by the terminal and transmitted to the card, and only confirms the modifications in step b) if this certificate is recognized as correct.

In the case of a session mode, it can be provided that, when the card receives from the terminal orders to modify the content of the memory that include the verification of an encoded certificate, this verification is carried out if the order is received out of session, and is not carried out if the order is received during the session. In other words, those orders executed by the card in step b) that usually (that is, out of session) would verify an encoded certificate no longer include this verification when they are executed in the course of a session, the "session certificate authenticating the terminal" performing an equivalent function.

In a second embodiment, the authentication is performed by the terminal, which authenticates the card and/or the data exchanged between the terminal and the card: the card produces and transmits to the terminal an encoded certificate conditionally, if, and only if, the modifications have been confirmed in step b).

In the case of a session mode, it can be provided that, when the card receives from the terminal in step b) orders to modify the content of the memory that include the production of an encoded certificate, this production takes place if the order is received out of session, and does not take place if the order is received during the session. In other words, those orders executed by the card in step b) that usually (that is, out of session) would produce an encoded certificate no longer include this production when they are executed in the course of a session, the "session certificate that authenticates the terminal" performing an equivalent function.

In addition, it is possible to provide that, when the card receives from the terminal orders to modify the contents of the memory that include the production of multiple encoded certificates, these certificates are memorized in step b), then transmitted as a whole to the terminal if, and only if, the modifications in step b) have been confirmed. In other words, the communication by the card of the encoded certificates normally produced by the instructions of step b) is deferred. In particular, if a certified recording order produces a recording certificate, it is appropriate that the certificate be issued by the card only when the recording has been made irrevocably.
In a particular embodiment, at least certain orders that can be executed in step b) comprise an optional inhibition function and, if the card executes such an order during the course of a session in step b), the modifications made by this order take effect regardless of the result of step b). In other words, the function defines whether the order is executed in session (that is, it will be cancelled if the session is not completed), or out of session (that is, it takes effect immediately, as if the order were executed out of session, even though the order is chronologically in session).

Conveniently, the method further provides, after step b) and in case of confirmation of the modifications, the following sequence of steps:

d) the execution by the terminal of an action in response to the confirmation by the card;

e) in the case of a correct execution of said action by the terminal, the entry into the card of ratification information, subsequently accessible by reading.

This "ratification" of the session indicates to the card that the terminal has been able to act effectively on the decisions (for example, the opening of an automatic gate, in the case of an application for access to a public transport network) as a consequence of the execution of the session.

It will be noted that this ratification is managed by the card without the need for a complementary recording (the recovery of the provisional recordings being an operation that, in any case, must be carried out sooner or later). In addition, this recovery will only be done by the card if the action is performed correctly by the terminal, that is, only if the entire operation is consistent.

As the card manages the whole set of operations, it is possible to provide that the entry order of step e) is an implicit order, any order received by the card after step b) being interpreted as an instruction to enter ratification information in the card.

Other features and advantages will be apparent from the following description of two embodiments of the present invention. In these examples, as in the rest of the text, the term "designate", understood here in the sense of "determine one of several", refers to the action of singling out a particular datum among the different data contained in the card. This designation may be implicit, because the order itself addresses particular information; for example, the command "debit an amount x from the electronic purse" designates the memory location containing the value of the information "electronic purse balance". The designation can also be explicit, as, for example, in Example I below, where recording orders are given with an address or sector identification, indexed by an index i.
Example I

We propose to make a card that stores 100 values of eight octets each, and that supports the instructions:
- Reading a value v of 8 octets, designated by its index i from 1 to 100.
- Recording a value v of 8 octets, designated by its index i from 1 to 100.
- Session open (login).
- Session close.

The card must allow up to three recordings in the same session. By convention, uppercase letters are used to designate values in the non-volatile memory (for example, EEPROM) and lowercase letters to designate values in the volatile memory (for example, RAM, whose content is lost when it is not powered).

A non-volatile memory area is allocated to the main storage of card data (final recordings):
• V[i], i from 1 to 100: 100 x 8 octets.

Another zone of non-volatile memory is allocated to the session mechanism, and comprises:
• T[k], k from 1 to 3: 3 x 8 octets containing the values recorded during the session (interim recordings).
• I[k], k from 1 to 3: 3 x 1 octet containing the indices of the values recorded during the session.
• C: 1 count octet that is recorded at the end of the session. C encodes the number of recordings made in the session; an appropriate redundancy mechanism (which associates, for example, the complement of this value) guarantees that the case in which the value stored in this count octet is uncertain is detected.

The operations proceed as follows:

Stage 0: at a time between the power-up of the card and the first executed order, C is examined. If it has a certain value from 1 to 3, then for k from 1 to C the value T[k] is copied to the index I[k] of table V[i]. Then C is set to 0, and an internal variable j to -1 (to indicate that a session has not been started).

Stage 1: during a reading, it is examined whether j > 0; if so, the requested index i is compared to the values I[k] for k from j down to 1; if there is a match, T[k] is returned, and in all other cases V[i] is returned.

Stage 2: when the session starts, j is initialized to 0 (note that if a session was already started, it is cancelled).

Stage 3: during each recording, if j = -1 (session not started), the communicated value v is recorded in T[0] and the communicated index i in I[0], then C = 1 is recorded, then v is recorded in V[i], then C = 0 is recorded; if 0 ≤ j < 3 (recording during the session), j is increased by 1, v is written in T[j] and i is recorded in I[j]; if j = 3, the operation is rejected (the limit of recordings in the course of the session has been reached).

Stage 4: when the session ends, if j > 0, j is recorded in C, then for j from 1 to C, the value T[j] is copied to the index I[j] of table V[]. Then C is set to 0, and j to -1.

It can be shown that the power supply of the card can be cut off at any time and that the values read will be correct, that is, for each index i, the last value recorded out of session, or recorded in a finished session (the recording takes place, or the session ends, at the moment when a non-zero value is recorded in C).

In addition, cryptography prevents certain operations if an encoded certificate provided to the card is incorrect, and/or causes the card to produce encoded certificates upon completion of certain operations. The encoded certificates are based on cryptography of a known type. For example, the "session certificate authenticating the card" (respectively, the terminal) is obtained when both the card and the terminal apply the Secure Hash Algorithm (SHA) to the data provided by the card (respectively, the terminal) and to a random number provided by the terminal (respectively, the card) when the session starts; the resulting Message Authentication Code (MAC) is signed by the card (respectively, the terminal) with the Digital Signature Algorithm (DSA) using a secret key contained in the card (respectively, the terminal); the terminal (respectively, the card) verifies this signature with a public key. A symmetric encryption algorithm, such as the Data Encryption Standard (DES), can also be used for MAC production and/or signature preparation.

According to an alternative of the invention, the MAC production stage is common to both directions of authentication, and covers the whole data set of the session. In the case of symmetric encryption, both the certificate that authenticates the card and the one that authenticates the terminal are obtained by a single MAC computation, and the respective certificates of the card and of the terminal are deduced from it by an elementary operation, such as the extraction of certain predetermined bits.
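Stages 0 to 4 of Example I, as an added C sketch (not code from the patent) run against a simulated EEPROM whose power is cut after every possible number of non-volatile writes. The power-cut model, the PURSE and TICKET indices, the function names and the use of slot 1 for out-of-session recordings (the text writes T[0], I[0]) are assumptions of the sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVALS  100                 /* V[1..100], 8 octets each */
#define NSLOTS 3                   /* at most three recordings per session */

/* Simulated EEPROM (uppercase names as in the text). */
static struct {
    uint8_t V[NVALS + 1][8];       /* final recordings */
    uint8_t T[NSLOTS + 1][8];      /* interim recordings */
    uint8_t I[NSLOTS + 1];         /* indices of the interim recordings */
    uint8_t C, Cn;                 /* count octet and its complement (redundancy) */
} ee;

static long budget = -1;           /* EEPROM writes left before power is lost; -1: no cut */
static int  j = -1;                /* RAM: -1 = no session, else recordings so far */

/* Every EEPROM update goes through here. Assumption: one call is atomic, and
   after the simulated power loss nothing more reaches the memory. */
static void nv_write(void *dst, const void *src, size_t n) {
    if (budget == 0) return;
    if (budget > 0) budget--;
    memcpy(dst, src, n);
}

static void set_count(uint8_t c) {
    uint8_t n = (uint8_t)~c;
    nv_write(&ee.C, &c, 1);        /* a cut between the two writes leaves C uncertain */
    nv_write(&ee.Cn, &n, 1);
}

static int count_is_certain(void) { return ee.C == (uint8_t)~ee.Cn && ee.C <= NSLOTS; }

/* Copy T[1..c] to V at indices I[1..c], then clear C. Repeating it is harmless. */
static void replay(int c) {
    for (int k = 1; k <= c; k++) nv_write(ee.V[ee.I[k]], ee.T[k], 8);
    set_count(0);
}

void card_power_up(void) {                       /* Stage 0 */
    budget = -1;
    replay(count_is_certain() ? ee.C : 0);       /* uncertain C: nothing is replayed */
    j = -1;
}

void card_read(int i, uint8_t out[8]) {          /* Stage 1 */
    for (int k = j; k >= 1; k--)                 /* newest interim value first */
        if (ee.I[k] == i) { memcpy(out, ee.T[k], 8); return; }
    memcpy(out, ee.V[i], 8);
}

void card_open(void) { j = 0; }                  /* Stage 2: cancels an open session */

int card_write(int i, const uint8_t v[8]) {      /* Stage 3 */
    uint8_t idx = (uint8_t)i;
    int slot = (j == -1) ? 1 : j + 1;            /* slot 1 out of session: sketch's choice */
    if (i < 1 || i > NVALS || slot > NSLOTS) return 0;   /* bad index or session full */
    nv_write(ee.T[slot], v, 8);
    nv_write(&ee.I[slot], &idx, 1);
    if (j == -1) { set_count(1); replay(1); }    /* out of session: commit at once */
    else j = slot;
    return 1;
}

void card_close(void) {                          /* Stage 4 */
    if (j > 0) { set_count((uint8_t)j); replay(j); }     /* writing C is the commit */
    j = -1;
}

enum { PURSE = 1, TICKET = 2 };                  /* constructed indices */
static int put(int i, uint8_t x) { uint8_t v[8] = { x }; return card_write(i, v); }
static int get(int i) { uint8_t v[8]; card_read(i, v); return v[0]; }

/* Cut power after `cut` EEPROM writes of a session that debits the purse (50 -> 40)
   and grants a ticket (0 -> 1). Result seen at the next power-up:
   0 = both old values, 1 = both new values, 2 = torn mix. */
int outcome_after_cut(long cut) {
    memset(&ee, 0, sizeof ee);
    card_power_up();
    put(PURSE, 50); put(TICKET, 0);              /* out-of-session recordings */
    card_open();
    budget = cut;
    put(PURSE, 40); put(TICKET, 1);
    card_close();
    card_power_up();
    int p = get(PURSE), t = get(TICKET);
    if (p == 50 && t == 0) return 0;
    if (p == 40 && t == 1) return 1;
    return 2;
}

int torn_outcomes(void) {                        /* all 11 cut points of that session */
    int torn = 0;
    for (long cut = 0; cut <= 10; cut++) torn += outcome_after_cut(cut) == 2;
    return torn;
}

int main(void) { printf("torn outcomes: %d\n", torn_outcomes()); return 0; }
```

The session switches from "all old" to "all new" at the write that completes C and its complement; a cut between those two writes leaves C uncertain and the session is discarded.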
Example II

In this example, the memory data is organized into sectors, each of which comprises four fields:
1. data;
2. identification (access key that allows a sector to be selected);
3. relevance: allows the pertinent sector to be determined if two sectors have the same identification;
4. control: allows the integrity of the three preceding fields to be verified (for example, a parity-type control).

A sector is designated by its identification, a notion that replaces the notion of address. The procedure for recording a sector has as parameters an identification and the data to associate with that identification. The procedure for reading a sector has an identification as its parameter, and returns the data associated with this identification at the time of the last recording made with that same identification (or an appropriate indication, if this identification has never been used). That is, an associative type of access is carried out, instead of an indexed access.

When a sector is read, the card searches for the sectors whose identification has the requested value and which are intact (based on the control field). If several sectors meet these two criteria, the card retains one of them on the basis of the relevance field.

When a sector is recorded, the card records, in an available sector, the data and identification requested; the relevance field, set so that this sector will be, for the reading procedure, the most pertinent of the intact sectors that have that identification; and the control field, computed from the three preceding fields (in other words, the recording is managed in such a way that the subsequent reading can be carried out correctly).

Advantageously, the recording procedure finishes by erasing the sector made non-pertinent by the recording of the new sector, thus creating a new available sector.

A (complementary) system of the garbage-collection type is conveniently provided, that is, recovery of useless sectors, whether they are not intact or not pertinent.

Advantageously, a system is provided that spreads the wear resulting from recording by avoiding always using the same sectors, for example by randomly choosing a sector among the available sectors.

A generally advantageous variant of the sector search procedure consists in taking advantage of this search stage to erase the sectors that have been found not to be intact, and/or not to be the most pertinent, thus recreating free sectors (this costs time during this reading, to the benefit of the speed of subsequent readings and recordings). Advantageously, before erasing a sector that has been found to be intact but not pertinent, the pertinent sector is recorded again, since its recording may be imperfect.

The useful size of the memory is equal to the number of available sectors, less one sector that must be erased. All sectors (including the erased one) are dynamically distributed in memory.

If the data must be structured in files, for example according to ISO/IEC 7816-4, the sector identification is broken down into two subfields, a file identification and an identification of the sector within this file.

We give below a (non-limiting) implementation of the read/write operations that use this particular structuring in sectors:

- The control field contains, in binary code, the number of zero bits in the other three fields; it can be shown that if a problem such as an interrupted recording or erasure modifies any number of bits of the sector all in the same direction, checking the value of the control field always allows the problem to be detected.

- The relevance field is an integer from 0 to 3, coded on 2 bits.

- The reading procedure sequentially traverses all sectors until it finds a first sector that has the identification sought and is intact. If no sector is found by this search, the procedure ends with a "sector not found" report. If such a first sector is found, its position, its data and its relevance p are memorized. The search continues. If a second sector is detected that has the identification sought and is intact, it is checked whether its relevance q is the remainder of the integer division of p + 1 by 3; if so, the second sector is recorded again, the first is erased and the data of the second is returned; if not, the first sector is written again, the second is erased and the data of the first is returned. If a second sector is not found and the relevance of the first sector is p = 3, this sector is erased and the "sector not found" report is given; in the other cases, the data of the first sector found is returned.

- The recording procedure begins like the reading procedure described above. If the sector that the reading procedure would return for the supplied identification has been found, the position of this sector and its relevance p (which is 0, 1 or 2) are memorized; if it has not been found, a free sector is selected (by the procedure described below), the identification, data, relevance p = 3 and control fields are recorded in this sector, and the position and relevance of this sector are memorized. In both cases, the procedure continues by selecting a free sector (by means of the procedure described below). The identification, data, relevance q (calculated as the remainder of the integer division of p + 1 by 3) and control fields are written in this sector. Then the memorized sector is erased.
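The control field and the relevance rule above, as an added C sketch that is not part of the patent text: it checks that faults moving bits in one direction only are always detected, and shows which sector a read selects after an interrupted update. Field sizes, sample values and function names are assumptions, and the erase and rewrite steps of the reading procedure are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sector layout for the sketch; the field sizes are assumptions. */
struct sector {
    uint8_t id;          /* identification */
    uint8_t rel;         /* relevance, 0..3 (2 bits) */
    uint8_t data[4];
    uint8_t ctl;         /* control: number of zero bits in id, rel and data */
};

static int zeros(uint8_t b, int width) {
    int n = 0;
    for (int k = 0; k < width; k++) n += !((b >> k) & 1);
    return n;
}

int control_of(const struct sector *s) {
    int n = zeros(s->id, 8) + zeros(s->rel, 2);
    for (int k = 0; k < 4; k++) n += zeros(s->data[k], 8);
    return n;
}

int intact(const struct sector *s) { return s->ctl == control_of(s); }

static struct sector make(uint8_t id, uint8_t rel, uint8_t d0) {
    struct sector s = { id, rel, { d0, 0, 0, 0 }, 0 };
    s.ctl = (uint8_t)control_of(&s);
    return s;
}

/* Force pseudo-random bit sets of a good sector (control field included) all to 0
   or all to 1, as an interrupted erase or write would, and count the altered
   sectors that still pass the control check. */
int undetected_one_way_faults(int trials) {
    struct sector good = make(0x2A, 1, 0xDE), s, m;
    uint8_t *sb = (uint8_t *)&s, *mb = (uint8_t *)&m;
    uint32_t x = 12345;                        /* fixed seed: constructed test data */
    int missed = 0;
    for (int t = 0; t < trials; t++) {
        for (size_t k = 0; k < sizeof m; k++) {
            x = x * 1664525u + 1013904223u;
            mb[k] = (uint8_t)((x >> 24) & (x >> 16) & (x >> 8));   /* sparse mask */
        }
        m.rel &= 3;
        s = good;
        for (size_t k = 0; k < sizeof s; k++)
            sb[k] = (uint8_t)((t & 1) ? (sb[k] | mb[k]) : (sb[k] & ~mb[k]));
        if (memcmp(&s, &good, sizeof s) != 0 && intact(&s)) missed++;
    }
    return missed;
}

/* Limit of the check: one bit set and another cleared keeps the zero count. */
int mixed_fault_passes(void) {
    struct sector s = make(0x2A, 1, 0xDE);
    s.data[0] ^= 0x03;                         /* bit 0: 0 -> 1, bit 1: 1 -> 0 */
    return intact(&s);
}

/* Relevance q replaces relevance p when q is the remainder of (p + 1) / 3. */
int supersedes(int q, int p) { return q == (p + 1) % 3; }

/* Selection part of the reading procedure: index of the sector whose data a read
   of `id` returns, or -1 for "sector not found". */
int lookup(const struct sector *mem, int n, uint8_t id) {
    int first = -1;
    for (int k = 0; k < n; k++) {
        if (!intact(&mem[k]) || mem[k].id != id) continue;
        if (first < 0) { first = k; continue; }
        return supersedes(mem[k].rel, mem[first].rel) ? k : first;
    }
    if (first >= 0 && mem[first].rel == 3) return -1;
    return first;
}

/* Constructed scenario: identification 7 is being updated from 'A' (relevance 2)
   to 'B' (relevance 0) when power is lost before the old sector is erased. */
int value_after_interrupted_update(int new_sector_torn) {
    struct sector mem[3] = { make(9, 0, 'X'), make(7, 0, 'B'), make(7, 2, 'A') };
    if (new_sector_torn) mem[1].data[0] &= 0xF0;   /* write cut short: bits forced to 0 */
    int k = lookup(mem, 3, 7);
    return k < 0 ? -1 : mem[k].data[0];
}

int main(void) {
    printf("undetected one-way faults: %d\n", undetected_one_way_faults(20000));
    printf("mixed fault passes: %d\n", mixed_fault_passes());
    printf("complete new sector: %c, torn new sector: %c\n",
           value_after_interrupted_update(0), value_after_interrupted_update(1));
    return 0;
}
```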
For the search for a free sector, the number n of free sectors found is initialized to zero. The sectors are examined sequentially. For each sector:
- if it is not virgin and is not intact, it is erased and becomes virgin (thus contributing to the collection of useless data mentioned above);
- if it is intact and its relevance is p = 3, it is erased (idem);
- if it is intact and its relevance is not p = 3, the area not yet traversed is searched for another intact sector with the same identification, and if one is found, the one that is not pertinent is erased, proceeding as for the reading;
- if at the end of this process the sector is virgin, the number n of free sectors found is increased, and an integer from 0 to n-1 is drawn at random; if this integer is 0, the position of the virgin sector is memorized.

When all the sectors have been traversed, all the non-virgin sectors are intact, there are no two sectors with the same identification, the number n of virgin sectors is known, and one of them has been memorized, chosen at random with equal probability. If no free sector is found, the recording procedure is interrupted.

Next, the way in which the card can manage sessions of indivisible modifications with this particular structuring in sectors is indicated.

To store the indivisible modifications, the card has N erased sectors in the non-volatile memory (N corresponding to the number of indivisible modifications that can be made in the course of a single session). In addition, it manages a zone of the non-volatile memory (outside the sectors) dedicated to the management of the session and called the "session descriptor".

This implementation example does not include any authentication of the session.

A session descriptor is defined, consisting of 3 fields:
- List of references of the indivisible sectors (LRSA).
- Creation value of the list of references of the indivisible sectors (VCC).
- Control value for taking into account the list of references of the indivisible sectors (VCPC), which makes it possible to know whether a session has been closed or not.

Stage 0: initialization: before the first access to the data since the last interruption of the card's operation, for example at reset (re-zeroing), the card must ensure that the session descriptor is in an effective state. There are several cases to consider, depending on the status of the session descriptor:
- It is completely erased: the card leaves it in that state.
- It is not completely erased, and the VCPC is correct: the card searches for and erases (if necessary) all the sectors made obsolete by the new recordings (among those referenced in the list), then erases the session descriptor.
- It is not completely erased, the VCPC is erased or incorrect and the VCC is correct: the card erases the sectors indicated in the LRSA, then erases the session descriptor.
- It is not completely erased, the VCPC is erased or incorrect and the VCC is erased or incorrect: the card erases the session descriptor.

Stage 1: login: the card looks for N erased sectors, then writes the list of their references and its VCC in the session descriptor (which is supposed to have been erased).

Stage 2: in the course of the session: the card receives orders. When one of them causes one or several indivisible modifications, the sectors used to record these modifications are those recorded in the LRSA, until N modified sectors are reached.

Stage 3: closing the session: to close the session, the card records the VCPC, which ensures that the LRSA and its VCC have been taken into account. Then it searches for and erases all the sectors made obsolete by the new recordings (among those referenced in the list). Finally, it erases the session descriptor.

If, in addition, the card manages the ratification, the management of the sessions includes the following modifications:

Stage 0: initialization: in the case where the session descriptor has not been completely erased and the VCPC is correct, the card searches for and erases (if necessary) all the sectors made obsolete by the new recordings (among those referenced in the list), but does not erase the session descriptor.

Stage 1: login: the card records in volatile memory that a session has been opened. If the session descriptor is not virgin, the card indicates that the previous session has not been ratified, and can even, by analyzing the LRSA, indicate which data is not ratified. In any case, it does not modify the session descriptor.

Stage 2: in the course of the session: at the first order with indivisible modifications, the card erases the session descriptor if necessary, looks for N erased sectors, then writes the LRSA and its VCC.

Stage 3: closing the session: the card records in volatile memory that no session is open. In any case, it does not erase the session descriptor.

It is noted that, as of this date, the best method known to the applicant for carrying out the aforementioned invention is the conventional one for the manufacture of the objects to which it relates.

Claims (13)

Having described the invention as above, the content of the following claims is claimed as property:

1. A method for modifying the content of the non-volatile memory of a card with microcircuits, especially a contactless card, a procedure in which the card is temporarily coupled to a terminal during the execution of a transaction, especially a transaction with a magnetic card for transportation, comprising the application by the terminal to the card of multiple orders of modifications that each comprise at least one entry operation, in the memory of the card, of a respective information designated by the order, the different information thus entered being mutually interdependent, the procedure characterized in that it comprises the execution, by the card, of the following stages:
   a) on receipt of the corresponding respective orders from the terminal, modification of the contents of the memory of the card by provisional registration, in the memory of the card, of each of said interdependent information without loss of the previous values corresponding to this information; then
   b) finalization of these modifications, either confirming them all or rejecting them all, so that for further operations the orders executed in stage a) are either considered in full or left without effect in their entirety.

2. The method according to claim 1, characterized in that:
   - in the case of confirmation in step b), a good execution confirmation token is entered in the memory of the card, and
   - when the card subsequently receives an order that implies the reading and/or modification of at least one of the information entered in step a) or of the value that corresponds to it, the card previously examines the status of the witness, and if this has not been entered, the card ignores or cancels the provisional entries previously made in stage a) and executes the order based on said previous values corresponding to the information.

3. The method according to claim 2, characterized in that when the card examines the state of the witness, if it has been entered, the card performs operations of recovery of the provisional recordings operated in stage a).

4. The method according to one of claims 1 and 2, characterized in that the card is able to operate according to two modalities, namely:
   - a session mode, in which the entries are made by executing steps a) and b), and
   - an out-of-session modality, in which the realization of the entries is not confirmed in all stages a) and b).

5. The method according to one of claims 1 to 4, characterized in that it comprises an authentication function combined with the completion function of step b), forcing the rejection in step b) in case the authentication fails.

6. The method according to claim 5, characterized in that said authentication is carried out by the card, which authenticates the terminal and/or the data exchanged between terminal and card, the card checking an encoded certificate produced by the terminal and transmitted to the card, and confirming the modifications in stage b) only if this certificate is recognized as correct.

7. The method according to claims 4 and 6 considered in combination, characterized in that when the card receives orders from the terminal to modify the contents of the memory that include the verification of an encoded certificate, this verification is performed if the order is received out of session, and is not performed if the order is received in session.

8. The method according to claim 5, characterized in that said authentication is performed by the terminal, which authenticates the card and/or the data exchanged between terminal and card, the card producing and transmitting to the terminal an encoded certificate conditionally, if and only if the modifications have been confirmed in stage b).

9. The method according to claims 4 and 8, considered in combination, in which, when the card receives from the terminal orders of modifications of the contents of the memory that include the production of an encoded certificate, this production is performed if the order has been received out of session, and is not performed if the order was received in session.

10. The method according to one of claims 1 and 2, characterized in that when the card receives from the terminal in step b) orders to modify the content of the memory including the production of multiple encoded certificates, these certificates are memorized in this step b), then transmitted together to the terminal if and only if the modifications have been confirmed in step b).

11. The method according to claims 1 and 4 considered in combination, characterized in that at least some of the commands that can be executed in step b) comprise a function of eventual inhibition, and in that if the card executes such an order in session in a step b), the modifications made by this order take effect independently of the result of step b).

12. The method according to any of claims 1 and 2, characterized in that, further to step b) and in case of confirmation of the modifications, the following sequence of steps is provided:
   d) execution by the terminal of an action following the confirmation by the card;
   e) in case of good execution of said action by the terminal, entry into the card of a ratification information subsequently accessible by reading.

13. The method according to claim 12, characterized in that the entry order of step e) is an implicit order, with any order received by the card after step b) being interpreted as an entry order on the card of a ratification information.

MXPA/A/2000/009892A 1998-04-09 2000-10-09 Method for indivisibly modifying a plurality of sites in a microcircuit card non volatile memory, in particular a contactless card MXPA00009892A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
FR98/04453 1998-04-09

Publications (1)

Publication Number Publication Date
MXPA00009892A true MXPA00009892A (en) 2002-05-09

Similar Documents

Publication Publication Date Title
CA2219712C (en) System for increasing a value of an electronic payment card
KR100265473B1 (en) Method and means for limiting adverse use of counterfeit credit cards, access badges, electronic accounts or the like
EP0657851B1 (en) File management system for memory card
EP1223565A1 (en) Transaction system, portable device, terminal and methods of transaction
JPH01500379A (en) System for portable data carriers
JP3343177B2 (en) How chip cards work
US5809241A (en) System and method for processing long messages in a chip card
DK1634253T3 (en) Process for writing, updating and allocation of memory used for writing files on a memory carrier, such a smart card
CN110298951B (en) Encryption method and encryption system for M1 card
MXPA00009892A (en) Method for indivisibly modifying a plurality of sites in a microcircuit card non volatile memory, in particular a contactless card
JP4838381B2 (en) A method for inseparably correcting a plurality of non-volatile memory locations in a microcircuit card, particularly a contactless card
JP4011641B2 (en) Portable information recording medium
JPH10105472A (en) Method for managing access of memory
JP3195122B2 (en) Check method of instruction format given to IC card
EP0949594B1 (en) Access management method and apparatus, and portable electronic device used therefor
FR2753556A1 (en) METHOD FOR AUTHENTICATING CARDS
AU723007B2 (en) Method of dynamically interpreting data by a chip card
JPS63159094A (en) Id card forgery preventive method
JP3652409B2 (en) Portable information recording medium
JPS61151793A (en) Ic card security protection system
JPH09265433A (en) File managing method
CN112184212A (en) Method for controlling applet operation for IC card
EP1855254A1 (en) Memory carrier, authorisation method, reader, network and access control system
JPH0444303B2 (en)
MXPA99005832A (en) Chip card and method for its use