RFID Access Control for EV Charging Networks: A Technical Procurement Guide for Charge Point Operators
14/05/2026

Running a public or semi-public charging network in the EU means every session carries a billing obligation. When the credential that authorizes that session can be cloned in under 30 seconds with a €15 device, your revenue model has a structural vulnerability — not a theoretical one.
The Alternative Fuels Infrastructure Regulation (AFIR) sets interoperability and authenticated access as mandatory requirements for public charging infrastructure. Legacy 125 kHz tokens do not meet that bar. This guide covers what 13.56 MHz smart transponders — compliant with ISO 14443-4 Type A and ISO 14443-3A — deliver operationally, and what matters when sourcing them at network scale.
125 kHz tokens broadcast a static, unencrypted ID. Any reader within range captures it. Any captured ID can be replayed. For a CPO operating 50+ stations across multiple cities, this creates direct financial exposure: fraudulent sessions billed to legitimate driver accounts, disputes, chargebacks, and reputational damage with fleet customers who expect accurate cost reimbursement.
13.56 MHz smart transponders eliminate this attack surface by design. The chip never transmits raw credentials. It participates in a cryptographic exchange — the reader validates a session-specific cryptogram, not a static number. Intercepting the RF signal produces nothing actionable.
ISO 14443-4 defines the application-layer communication protocol that enables encryption, mutual authentication, and session integrity verification. These are the capabilities that make automated billing defensible.
Session data is protected by a 128-bit AES key stored in tamper-resistant hardware. The key never leaves the chip. What the reader receives is a session cryptogram derived from that key — mathematically verifiable, non-replayable. AES-128 is the same standard used in EU banking infrastructure and government identity documents.
The card and the Wallbox reader authenticate each other before any session data is exchanged. The reader rejects cards it cannot verify. The card refuses to respond to readers it cannot authenticate. This matters operationally: it closes the vector where a rogue reader harvests driver credentials at a competitor's station or in a public parking structure.
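The difference between a static ID and a mutually authenticated exchange can be shown with a small model. This is an added example, not the vendor's code or any chip's actual command set. The names `Card`, `Reader`, `tap` and `legacy_reader_accepts` are hypothetical, the message order is a simplification, and HMAC-SHA-256 stands in for the chip's AES-128 cryptogram so the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

def cryptogram(key: bytes, role: bytes, a: bytes, b: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 truncated to 16 bytes replaces the AES-128 MAC.
    return hmac.new(key, role + a + b, hashlib.sha256).digest()[:16]

class Card:
    """Toy card: the key stays inside; only nonces and cryptograms leave."""
    def __init__(self, key: bytes):
        self._key = key
        self._nonce = b""

    def start(self) -> bytes:
        self._nonce = secrets.token_bytes(16)      # fresh for every tap
        return self._nonce

    def answer(self, reader_nonce: bytes, reader_proof: bytes):
        expected = cryptogram(self._key, b"reader", self._nonce, reader_nonce)
        if not hmac.compare_digest(reader_proof, expected):
            return None                            # unverified reader: no response
        return cryptogram(self._key, b"card", reader_nonce, self._nonce)

class Reader:
    def __init__(self, key: bytes):
        self._key, self._nonce, self._card_nonce = key, b"", b""

    def prove(self, card_nonce: bytes):
        self._card_nonce = card_nonce
        self._nonce = secrets.token_bytes(16)      # fresh for every tap
        return self._nonce, cryptogram(self._key, b"reader", card_nonce, self._nonce)

    def verify(self, card_proof) -> bool:
        if card_proof is None:
            return False
        expected = cryptogram(self._key, b"card", self._nonce, self._card_nonce)
        return hmac.compare_digest(card_proof, expected)

def tap(card: Card, reader: Reader):
    """Run one exchange; return (accepted, card cryptogram sent over RF)."""
    reader_nonce, reader_proof = reader.prove(card.start())
    card_proof = card.answer(reader_nonce, reader_proof)
    return reader.verify(card_proof), card_proof

def legacy_reader_accepts(static_id: bytes, allow_list: set) -> bool:
    # 125 kHz model: the ID is the whole credential, so any copy of it passes.
    return static_id in allow_list
```

A cryptogram recorded during one tap fails verification on the next, because the reader's nonce has changed, and a reader holding the wrong key receives `None` from the card.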
Every charging session generates a Message Authentication Code tied to that specific transaction. This creates a tamper-evident audit trail: each session record can be cryptographically verified as genuine. For CPOs managing automated cost reimbursement for corporate fleet customers, this is the technical foundation that makes per-session billing documentation credible.
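On the backend, a per-transaction MAC lets an auditor separate genuine session records from altered or duplicated ones. The sketch below is an added example, not the vendor's or any OCPP backend's code. The record fields (`card`, `counter`, `station`, `wh`, `mac`), the per-card counter and the function names are assumptions, and HMAC-SHA-256 again stands in for the card's AES-based MAC.

```python
import hashlib
import hmac

FIELDS = ("card", "counter", "station", "wh")   # assumed record layout

def transaction_mac(key: bytes, rec: dict) -> str:
    # Assumption: HMAC-SHA-256 replaces the card's AES-based transaction MAC.
    msg = "|".join(str(rec[f]) for f in FIELDS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def audit(records: list, keys: dict) -> list:
    """Return one (counter, verdict) pair per record, in input order."""
    last_counter = {}
    verdicts = []
    for rec in records:
        key = keys.get(rec["card"])
        if key is None:
            verdict = "unknown-card"
        elif not hmac.compare_digest(rec["mac"], transaction_mac(key, rec)):
            verdict = "bad-mac"              # a field changed after the tap
        elif rec["counter"] <= last_counter.get(rec["card"], -1):
            verdict = "replayed"             # valid MAC, but counter already seen
        else:
            verdict = "ok"
            last_counter[rec["card"]] = rec["counter"]
        verdicts.append((rec["counter"], verdict))
    return verdicts

# Constructed sample data: key, card name and stations are invented.
KEYS = {"card-A": bytes.fromhex("00112233445566778899aabbccddeeff")}

def _signed(counter: int, station: str, wh: int) -> dict:
    rec = {"card": "card-A", "counter": counter, "station": station, "wh": wh}
    rec["mac"] = transaction_mac(KEYS["card-A"], rec)
    return rec

SAMPLE = [_signed(1, "ST-01", 12500), _signed(2, "ST-07", 8300)]
SAMPLE.append(dict(SAMPLE[1]))                              # duplicate submission
SAMPLE.append({**_signed(3, "ST-01", 4000), "wh": 40000})   # energy edited later
```

`audit(SAMPLE, KEYS)` marks the first two records `ok`, the duplicate `replayed` and the edited record `bad-mac`.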
Networks expanding through acquisition or phased rollout may operate a mixed estate of terminals — newer readers running AES, older hardware still on Triple DES. Cards that support both allow credential infrastructure to stay unified while terminal upgrades happen on a realistic timeline. Forcing simultaneous replacement across a large estate is rarely operationally viable.
Card memory is partitioned into cryptographically isolated applications, each with independent access keys. A single card can carry EV charging credentials linked to the CPO's OCPP backend, corporate building access, and transit or parking entitlements. For CPOs targeting corporate fleet accounts, this is commercially significant: the EV credential can be provisioned on an existing employee badge. The fleet operator manages one card per driver, not two.
Virtual Card Architecture (VCA) conceals the card's primary identifier from unauthorized readers. Even the UID used during RF anti-collision is protected. This prevents cross-site tracking of drivers and closes the cloning vector at the hardware level.
Transaction MAC generates cryptographic proof at the point of tap, not just session authorization — a distinction that matters in dispute resolution.

ISO 14443-3A governs the initialization and anti-collision layer — the protocol a card uses to identify itself in a reader field. For CPOs serving corporate clients, this standard matters because it is the same layer used in most enterprise building access systems.
Fleet accounts where employees already carry ISO 14443-3A-compatible badges can have EV charging entitlements added to existing cards through the OCPP backend — no new physical credential, no parallel issuance process. This reduces onboarding friction for large fleet customers and strengthens the CPO's position as a managed service provider rather than a utility.
Cards: standard CR80 format. Full-surface UV printing available for CPO branding, driver name, and card number. Suitable for high-volume issuance: driver onboarding kits, fleet account packages, or public subscription programs. Cards can be personalized and issued in batches, with credentials provisioned remotely via the OCPP backend.
Key fobs: molded from weather-resistant ABS or sealed epoxy resin. Designed for EV drivers specifically: the fob clips directly to the car key ring, which eliminates the separate-card friction that increases loss and replacement rates. For fleet managers, lower loss rates mean lower reissuance costs and fewer credential gaps in the driver base.
Both form factors use identical chip technology and deliver equivalent security performance.
These transponders are fully compatible with OCPP 1.6 and OCPP 2.0.1 and integrate with embedded HF readers across all major EU-market commercial Wallboxes. Authorization happens within the existing OCPP stack — no proprietary middleware, no additional integration layer.
Credentials are provisioned and revoked through the CPO's backend management system. Remote revocation takes effect at the next reader heartbeat. For networks where physical card retrieval from a driver is impractical, this is the operationally correct recovery path after a lost or terminated credential.
Both card and key fob formats carry full CE and RoHS certification — a hard requirement for public tender compliance across most EU member states. Non-EU-sourced components require independent certification testing before they qualify, which adds timeline and cost to procurement.
Orders shipped within the EU carry zero customs tariffs. With a valid EU VAT number, cross-border B2B transactions are processed under intra-community supply rules — no import declarations, no port delays, no broker coordination.
Ground shipping from our production facility in Romania reaches Western, Central, and Southern European destinations in 2 to 4 business days. For unplanned replacements or urgent rollout phases, this delivery window is operationally meaningful.
Hardware compatibility verification should happen before volume procurement, not after.
We provide a free sample kit for CPOs conducting infrastructure rollouts or evaluating credential upgrades: 5 contactless smart cards (ISO 14443-4 Type A), 5 industrial key fobs (ISO 14443-3A), and custom printing samples for both formats. Shipping is covered. No minimum order is attached to the sample request.
Complete the form below to receive your kit. Most CPOs use the sample phase to validate reader compatibility across their Wallbox estate and confirm OCPP provisioning flows before committing to volume.