How to choose a smart card to buy?

Do you need to store more than one certificate?

Manufacturers produce many types of cards, often tied to specific specifications:

  • PIV cards (HSPD-12) can store up to 3 certificates, but only some are usable for logon (one slot is reserved for physical access control)
  • OpenPGP v2 cards can store only one certificate, which supports authentication only (not encryption)

Recommendation: if you have no specific format requirement, buy a manufacturer card. YubiKey supports both the PIV and OpenPGP applets with drivers built into Windows, but its certificate storage is limited.

Does the manufacturer provide drivers?

Always check that a Windows driver is included in the package. Some manufacturers require the purchase of a separate SDK to obtain the driver. Some applications (Firefox, TrueCrypt) also require a PKCS#11 driver, which is often not included for free.

  • PIV and GIDS cards have their driver built into Windows 7 and later — no installation required
  • OpenSC provides a PIV PKCS#11 driver
  • The built-in Windows PIV driver is read-only: it can use the certificates already on the card but cannot write new keys or certificates to it

Recommendation: check carefully what software is included — driver licensing costs can significantly exceed the cost of the card itself.

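When evaluating a card through a PKCS#11 driver (OpenSC's, for instance), the first thing to check is which certificate slots it actually exposes and which of them are usable for logon rather than reserved for physical access. The script below is an added example, not code from the original page or from OpenSC: it parses the object listing that OpenSC's `pkcs11-tool --module <path to opensc-pkcs11> --list-objects` prints and reports, per certificate, whether a matching private key is present and whether the slot counts as logon-usable. The sample output is constructed to resemble a PIV card enumerated through OpenSC (the certificate labels are the ones OpenSC's PIV driver uses; the subjects are made up), and the mapping from label to "logon-usable" is an assumption that follows the page's point that the Card Authentication slot is reserved for physical access control.

```python
"""Inventory the certificates on a smart card from `pkcs11-tool --list-objects` output.

Added example (not the page's or OpenSC's code). Assumes OpenSC's pkcs11-tool
output layout: an object header line such as "Certificate Object; type = X.509 cert"
followed by indented "attribute: value" lines.
"""
import re

# Constructed sample of `pkcs11-tool --module opensc-pkcs11.so --list-objects`
# output for a PIV card with three certificates. Labels follow OpenSC's PIV
# driver; the subjects are invented for this example.
SAMPLE_OUTPUT = """\
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    DN: O=Example Corp, CN=Alice Example
  ID:         01
Private Key Object; RSA
  label:      PIV AUTH key
  ID:         01
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    DN: O=Example Corp, CN=Alice Example
  ID:         02
Private Key Object; RSA
  label:      SIGN key
  ID:         02
  Usage:      sign
Certificate Object; type = X.509 cert
  label:      Certificate for Card Authentication
  subject:    DN: O=Example Corp, CN=card-1234
  ID:         04
Private Key Object; RSA
  label:      CARD AUTH key
  ID:         04
  Usage:      sign
"""

# Assumption for this example: which PIV certificate slots are usable for
# logon. The Card Authentication slot is the one reserved for physical
# access control (PACS), so it is marked as not logon-usable.
LOGON_USABLE = {
    "Certificate for PIV Authentication": True,
    "Certificate for Digital Signature": True,
    "Certificate for Key Management": True,
    "Certificate for Card Authentication": False,
}

HEADER_RE = re.compile(r"^(\S.*?) Object;")      # "Certificate Object; ..." -> "Certificate"
ATTR_RE = re.compile(r"^\s+(\w+):\s+(.*)$")      # "  label:      Foo"     -> ("label", "Foo")


def parse_objects(text):
    """Split pkcs11-tool output into a list of objects (kind + attributes)."""
    objects = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"kind": header.group(1)}
            objects.append(current)
            continue
        attr = ATTR_RE.match(line)
        if attr and current is not None:
            current[attr.group(1)] = attr.group(2)
    return objects


def inventory(text):
    """Return one record per certificate: slot ID, private-key presence, logon usability."""
    objects = parse_objects(text)
    key_ids = {o.get("ID") for o in objects if o["kind"] == "Private Key"}
    report = []
    for obj in objects:
        if obj["kind"] != "Certificate":
            continue
        label = obj.get("label", "")
        report.append({
            "label": label,
            "id": obj.get("ID"),
            "has_private_key": obj.get("ID") in key_ids,
            "logon_usable": LOGON_USABLE.get(label, False),
        })
    return report


def logon_slot_count(text):
    """Number of certificate slots that are both keyed and usable for logon."""
    return sum(1 for r in inventory(text) if r["has_private_key"] and r["logon_usable"])


if __name__ == "__main__":
    for rec in inventory(SAMPLE_OUTPUT):
        print(rec)
    print("logon-usable slots:", logon_slot_count(SAMPLE_OUTPUT))
```

Run it against real output by piping `pkcs11-tool --module <driver> --list-objects` into a file and passing the file's contents to `inventory()`; a certificate with no matching private-key ID is a sign that the driver exposes the certificate but not the key, which is exactly the kind of gap a read-only or crippled driver leaves behind.
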
Do you actually need RFID?

Many cards are sold in dual-interface packages — combining smart card (contact) and RFID (contactless) into a single card, merging logical and physical access control. Common RFID interfaces include NXP Mifare/DESFire and HID iCLASS/Prox.

Important: These RFID interfaces do not expose the smart card cryptographic functions wirelessly — they are separate logical systems. Some PIV cards do support contactless access to the PKI applet over RFID, but this requires a shared secret to initialize the channel.

Recommendation: RFID adds value only if you also plan to implement a Physical Access Control System (PACS). Even then, start with a contact-only card for testing — dual-interface cards complicate initial troubleshooting.