ISO/IEC 7816-13:2007

INTERNATIONAL ISO/IEC
STANDARD 7816-13
First edition
2007-03-15
Identification cards — Integrated circuit
cards —
Part 13:
Commands for application management
in a multi-application environment
Cartes d'identification — Cartes à circuit intégré —
Partie 13: Commandes pour la gestion d'application dans un
environnement de plusieurs applications

Reference number
©
ISO/IEC 2007
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2007
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2007 – All rights reserved

Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 1
4 Abbreviations and notation . 2
5 Multi-application environment and application life cycle. 2
5.1 Multi-application environment. 2
5.2 Application life cycle . 3
5.3 Memory resource assignment data objects for interoperability. 5
6 Card management service recognition . 6
6.1 Card management service template . 6
6.2 Card management service template retrieval . 7
7 Commands for application management . 7
7.1 APPLICATION MANAGEMENT REQUEST command. 8
7.2 LOAD APPLICATION command . 9
7.3 REMOVE APPLICATION command. 10
7.4 Application management considerations . 11
Annex A (informative) An example of card application management on an independent card
issuer and application provider model. 12
Annex B (informative) A practical example of card application management. 14
Annex C (informative) A further practical example of card application management . 18
Annex D (informative) A further practical example of card application management . 21
Bibliography . 23

© ISO/IEC 2007 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 7816-13 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 17, Cards and personal identification.
ISO/IEC 7816 consists of the following parts, under the general title Identification cards — Integrated circuit
cards:
⎯ Part 1: Cards with contacts — Physical characteristics
⎯ Part 2: Cards with contacts — Dimensions and location of the contacts
⎯ Part 3: Cards with contacts — Electrical interface and transmission protocols
⎯ Part 4: Organization, security and commands for interchange
⎯ Part 5: Registration of application providers
⎯ Part 6: Interindustry data elements for interchange
⎯ Part 7: Interindustry commands for Structured Card Query Language (SCQL)
⎯ Part 8: Commands for security operations
⎯ Part 9: Commands for card management
⎯ Part 10: Cards with contacts — Electronic signals and answer to reset for synchronous cards
⎯ Part 11: Personal verification through biometric methods
⎯ Part 12: Cards with contacts — USB electrical interface and operating procedures
⎯ Part 13: Commands for application management in a multi-application environment
⎯ Part 15: Cryptographic information application
iv © ISO/IEC 2007 – All rights reserved

Introduction
ISO/IEC 7816 is a series of International Standards specifying integrated circuit cards and the use of such
cards for interchange. These cards are identification cards intended for information exchange negotiated
between the outside world and the integrated circuit in the card. As a result of an information exchange, the
card delivers information (computation result, stored data), and/or modifies its content (data storage, event
memorization).
Five parts are specific to cards with galvanic contacts and three of them specify electrical interfaces.
⎯ ISO/IEC 7816-1 specifies physical characteristics for cards with contacts.
⎯ ISO/IEC 7816-2 specifies dimensions and location of the contacts.
⎯ ISO/IEC 7816-3 specifies electrical interface and transmission protocols for asynchronous cards.
⎯ ISO/IEC 7816-10 specifies electrical interface and answer to reset for synchronous cards.
⎯ ISO/IEC 7816-12 specifies electrical interface and operating procedures for USB cards.
All the other parts are independent of the physical interface technology. They apply to cards accessed by
contacts and/or by contactless methods.
⎯ ISO/IEC 7816-4 specifies organization, security and commands for interchange.
⎯ ISO/IEC 7816-5 specifies registration of application providers.
⎯ ISO/IEC 7816-6 specifies interindustry data elements for interchange.
⎯ ISO/IEC 7816-7 specifies commands for structured card query language.
⎯ ISO/IEC 7816-8 specifies commands for security operations.
⎯ ISO/IEC 7816-9 specifies commands for card management.
⎯ ISO/IEC 7816-11 specifies personal verification through biometric methods.
⎯ ISO/IEC 7816-13 specifies commands for application management in a multi-application environment.
⎯ ISO/IEC 7816-15 specifies cryptographic information application.
ISO/IEC 10536 specifies access by close coupling. ISO/IEC 14443 and ISO/IEC 15693 specify access by
radio frequency. Such cards are also known as contactless cards.

© ISO/IEC 2007 – All rights reserved v

INTERNATIONAL STANDARD ISO/IEC 7816-13:2007(E)

Identification cards — Integrated circuit cards —
Part 13:
Commands for application management in a multi-application
environment
1 Scope
This part of ISO/IEC 7816 specifies commands for application management in a multi-application environment.
These commands cover the entire life cycle of applications in a multi-application integrated circuit card, and
the commands can be used before and after the card is issued to the cardholder. This part of ISO/IEC 7816
does not cover the implementation within the card and/or the outside world.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 7816-4:2005, Identification cards — Integrated circuit cards — Organization, security and commands
for interchange
ISO/IEC 7816-9:2004, Identification cards — Integrated circuit cards — Commands for card management
ISO/IEC 8825-1:2002, Information technology — ASN.1 encoding rules: Specification of Basic Encoding
Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
application
structures, data elements and program modules needed for performing a specific functionality
[ISO/IEC 7816-4]
3.2
application provider
entity providing the components that make up an application in the card
[ISO/IEC 7816-4]
3.3
card platform
on-card component responsible for basic card functions
© ISO/IEC 2007 – All rights reserved 1

3.4
card manager application
card application providing card application management functionality and supervising assignment of the card's
resources
4 Abbreviations and notation
AID application identifier
APP application
DF dedicated file
DO data object
ICC integrated circuit card
P1-P2 parameter bytes (inserted for clarity, the dash is not significant)
RID registered application provider identifier
5 Multi-application environment and application life cycle
5.1 Multi-application environment
A multi-application environment in the context of this document has the following characteristics.
a) An application is a uniquely addressable set of functionalities on a multi-application card that provides
data storage and computational services.
b) An application may be added to the card before or after the card is issued to the cardholder.
c) More than one application may be added to the card.
d) The card platform provides mechanisms for managing card resources e.g. memory.
e) The card platform provides a security boundary mechanism for each application to prevent unauthorized
interaction and security violation from any other application on the card.
f) An application provider is an entity that provides services to the cardholder using a card's application and
is responsible for the application's behavior.
g) An application provider for an application on a card may be distinct from the card issuer.
h) The life cycle of an application is independent from the life cycle of any other application in the same card.
i) The life cycle of an application is independent from the life cycle of the card except when the card is in the
termination state, as defined in ISO/IEC 7816-9.
j) All applications shall be at least selectable using the SELECT command by specifying its AID as the DF
name, as defined in ISO/IEC 7816-4.
k) A card manager application shall be present, unique, and selectable using the SELECT command by
specifying its AID as the DF name. Other applications on the card may offer application management
functionality.
2 © ISO/IEC 2007 – All rights reserved

l) The default AID of the card manager application is “E8 28 BD 08 0D”.
Figure 1 is a conceptual representation of a possible structure of a multi-application IC card.
Security Boundary
Card Card Card
Card
Application Application Application
Manager
(APP 1) (APP 2) (APP 3)
Application
Card Platform
Figure 1 — Possible structure of a multi-application card
5.2 Application life cycle
A life cycle status shall be associated with each application. An application may use its life cycle status, in
combination with its security attributes, to ensure that any operation it performs complies with that
application's security policy. The card manager application shall provide a life cyc
...