The home of secure mobile services
Secure application
A number of new, revitalized services
Here is how CAPPGATE works
The customer selects a mobile application or service that needs security.
The application is installed on a smart phone just like any other regular mobile application
A secure application differs from the regular ones because it also has a sensitive component which requires protection and needs to be stored in a secure chip. This chip may be a microSD card, a plastic chip card, or in the future even your SIM card in the mobile phone, if your operator lets you use it.
Loading of the sensitive component into the secure chip is integrated into the installation of the mobile application seamlessly and conveniently, hiding all the technical complexity from the end users and the service providers.
When deployment is completed, the mobile phone or the plastic chip card is ready to be used for payment, entry, identification, authentication, etc. The best thing is that multiple services/credentials can be stored in the chip simultaneously.
Why is CAPPGATE unique?
Card provided by the service provider
Single service preloaded on the card
Multiple cards – each for a specific function
No addition or removal of apps
User buys a chip card or rents space on a chip
User decides which services to have on the card
Multiple applications on a single chip
Content can be dynamically configured

We claim that we change the way traditional industries work. We provide new opportunities for market development and service delivery.
Using the CAPPGATE architecture, service providers can reach all their present and potential customers remotely, anywhere, all the time. New services and/or additional value-added functions can be provided. Less office space, fewer counters and fewer terminals will be needed, there is uncompromised security, and customers will receive more efficient, more flexible, and personalized service.
We want to prove that secure mobile service delivery is a must have technology.

CAPPGATE is based on a robust, modular, cloud based infrastructure which can be accessed by service providers and secure element issuers using our published APIs. If for security or other policy reasons you prefer to have your own architecture, it is also possible to deploy the modules you need locally. CAPPGATE complies with various industry specifications, primarily those of GlobalPlatform, and it satisfies EAL4 security requirements.

The components of the architecture are:


The Installation Controller (IC) is the workflow management component of the architecture. It coordinates the overall confidential card content management procedure based on scripts composed from card and application specific parameters. The IC also performs the dynamic technical assessment of the target platform as well as the conflict rule assessment.


The Card Management System contains all information about the different types of chips (secure elements) managed by the CAPPGATE systems. It also records and monitors all card life cycle and in-life management activities of the individual chip cards, providing a valid, up to date status overview of all the cards enrolled into the service.


The Application Management System (AMS) carries out all the application related activities on the chip cards. The module assures that the chip card platform and the application to be loaded onto the card correspond to each other. It also assures the security compliance between the chip and the application. The AMS also stores all the rules and service provider specific preferences which direct the loading procedure.


The Key Management System performs all the security functions related to the CAPPGATE architecture: key generation, key derivation, key query, encryption and decryption, key storage and key exchange, random generation, MAC calculation, signature and verification, token management, and communication protection with a secure channel. It is connected to an HSM module using the PKCS#11 interface.


The Loader performs the over the air, remote communication between the back office and the chip card in the smartphone. It composes all the low level APDU messages which are necessary to communicate with the chip card.

How do we do it?

  • Our distributed architecture comprises Secure Element Issuer (SEI) and Service Provider (SP) modules, which communicate seamlessly with each other. They can be configured to operate in-house or as a cloud based platform operated by CAPPGATE.
  • All the card content management procedures are performed in real time, irrespective of the architecture configuration or the partners involved in the transactions.
  • All card content management activities are performed transparently in the background, tied into the loading of the mobile application, with minimum involvement of the end user.
  • The SEI and the SP do not need to know each other, they just need to follow our technical specifications.
  • All our card content management and security related activities are based on GlobalPlatform specifications.
  • We perform simple, delegated as well as authorized deployment modes over the air, including the creation of new security domains, and secure key exchange.
  • Our SEI modules keep track of the whole life cycle of the Secure Element and manage detailed card profiles.
  • We manage different SE types transparently, including UICC, eSE, mSD, as well as plastic chip cards.
  • Our SP modules manage the applications, their life cycles and also record all details of all those cards where the applications are installed.
  • We manage multiple versions of the applications to assure that they can run on the designated SEs.
  • We establish the compatibility of the SE and the card application in real time.
  • We use digital certificates to assure that the SE platform and the card applications have the necessary security credentials.
  • If necessary, we perform a cross certification process to assure that technically compatible platforms and applications also receive compatible certificates.
  • We use RAM over HTTPS to achieve secure remote connectivity, as defined in the GlobalPlatform Device Secure Element Remote Application Management Specification.


Use Cases


Today's customers require ubiquitous "all the time / now" services. It is unacceptable that, while a bank account can be opened in the branch or online and becomes operational right away, it takes days or even weeks until the associated bank card is delivered in the mail. This is user hostile and causes lost revenues. CAPPGATE provides the technology which lets banks issue bank cards in real time from the central card management system; in the branches, only an online connection, a printer and a card reader are required to securely personalize the plastic cards. The same architecture can be used to distribute bank cards to the chip in the customers' mobile phones.


If you need a train ticket and do not want to bother with queuing at the ticket counter, and do not want to worry about forgetting the ticket at home, then you had better buy the ticket using your smart phone and have it delivered into your handset. When the ticket arrives you may decide whether you want to store it on a microSD card, on a regular plastic chip card, or eventually even on your SIM card if your mobile operator supports this option. The ticket can be presented for entry or control by using the mobile phone.

Access Control

Many offices need some kind of entry card or, in the case of visitors, registration at the reception in order to enter the premises of a company. With CAPPGATE you can distribute your company's access credentials to your employees right onto their handsets. You can also invite your visitors by sending invitations containing their temporary access permits to their phones, thus freeing security personnel from issuing and collecting the visitors' entry cards. This is a convenient and efficient way to manage your access control function. The same technology can be used for sending out room keys to hotel guests or car keys for rental or shared cars.

ID card

ID cards, even multiple ones, can be stored in a single chip. Issuing or renewing these cards can be done conveniently and securely by using CAPPGATE. After an initial authentication, remote distribution is just as secure as the regular procedure in which the person must appear at the issuing office; however, remote distribution is a lot more efficient and user friendly.

Personal credentials

If you have a chip card, you should be able to use it for your own purposes as well. Presently there is no commercial service which would provide you this option. If you get a chip card, it is usually tied to a service provider or authority and is closed. No one can add any content to it anymore. With CAPPGATE you can decide what you want to store on your own chip, and it can be any kind of personal information, like your health data, or a password, or a car key, or even a private digital key which you can use for personal authentication or authorization of remote transactions.

Smart Home

You have probably heard about digital signatures. With your secret key also stored on the chip, you can authenticate yourself remotely.
You may be one of the growing number of people who have a home surveillance system. If this system is state of the art, then besides just watching what is happening at home, you can also supervise certain functions: turn the camera on or off, open or close the door, manage the thermostat. Without the right level of protection, if you can do it, others can do it as well. Your secure credential on the chip in your mobile phone provides exactly the high level of security that you need for these actions.

Internet of Things (IoT)

The Internet of Things (IoT) is the next big thing; it is revolutionizing technologies in many industries. Objects connected with each other, objects connected with a back office, sensors placed everywhere. You need a flexible, robust, secure solution which ensures that the communication between these objects is trusted and reliable but still flexibly manageable. Just think about the new remote health monitoring systems, or the connected cars which will impact the life of millions of people, and you will see how important it is what we are doing. We can guarantee the required level of security with CAPPGATE.

Case Studies
A transport service operator in a European capital is piloting a mobile ticket service and will be using CAPPGATE to distribute the monthly certificates of its annual transport passes to selected users. The convenience and security are obvious for the travelers, and the ticket inspection is also automated with an application running on smart phones.
An ICT company is sending its meeting invitations to the mobile phones of frequent partners, including the one time credentials they need for entering the premises of the company. The new solution saves time for the personnel of the company and provides an innovative, convenient user experience for the visitors.
A regional transport company wants to assure that tourists have the opportunity to select the trips they want to make, and that they can then use a regular transport card by loading the selected ticket type onto the plastic chip card. CAPPGATE will enable the smart phones to top up the cards as required.
A hotel wants to let its loyalty program members book their specific rooms, not just a room. What is more, these guests would also receive their room keys online on their mobile phones, where they would be stored on a microSD card or on the loyalty card of the guest. Upon arrival, having their keys already, these guests can proceed directly to their rooms and do not need to show up at the front desk of the hotel.
In a major cultural development program the program manager wants to combine transport and visitor cards offering combined benefits/discounts for the participants. The Cultural Pass would be managed over the air, remotely, using the tourists’ smart phone, and could be topped up, refreshed with daily promotions, providing lower cost entry to museums and access to special programs.
Our Partners

Our clients have two options to benefit from the CAPPGATE service.

Option #1: Using our cloud based multi hosted architecture
Our partners – service providers and secure element issuers – can rely on our robust architecture by registering their chip cards and applications with us.
As pricing is strictly transaction driven this option is beneficial for most of our partners.

Option #2: In-house deployment of the core modules
In case of a large consumer base, high transaction volumes, or a large issued card portfolio it may be advantageous to deploy a local architecture. Service providers with specific security requirements or company policies may also prefer this option.
The monthly license fee covers all support and maintenance activities.

We are a young, talented and dedicated organization within Fornax ICT, having worked together for just over three years on various NFC projects, primarily on CAPPGATE. We have substantial experience in mobile communication technologies, wireless sensor networks, chip card and security technology, as well as in large scale system development. We operate independently from the rest of the company and have our own budget, industry relations and partners. At this point we are halfway between being an operational unit of a larger entity and an independent company. We are in the middle of preparing our organization to start operation as a new spin-off company.
