Campus ID News
Card, mobile credential, payment and security

Match-on-card technology marries biometrics with smart cards, enabling users to not only carry their biometric with them but also match it on the card. This means greater privacy for the cardholder and the ability to authenticate without connection to a backend database.

In a traditional fingerprint biometric implementation, a user first establishes an identity in order to be added to the system. To do so, personal information is provided and fingerprints are scanned to create a template, or vectorized representation, of the image. The template captures the core aspects of the image and turns them into a representation that is much smaller and can be matched more quickly, says Shahram Orandi, supervisory computer scientist at the National Institute of Standards and Technology (NIST).

In traditional biometric systems, templates are then stored in a central system along with the identifying information, says Orandi.

When a person is challenged to prove his identity, a finger has to be scanned and sent to the server. A template is then created and checked against the previously enrolled template.

The fundamental difference between this traditional biometric process and a match-on-card process is all about location. With match on card, the template is locked on the smart card and never leaves, explains Orandi.

To conduct the verification process, a user presents the card to either a contact or contactless card reader.

On the other end of that communications channel is a biometric sensor. Typically this is an integrated fingerprint reader or peripherally attached fingerprint sensor, says Patrick Grother, computer scientist at NIST's Information Technology Laboratory.

When a user places his finger on the sensor, it produces an image of the finger. The reader then extracts information from that fingerprint image in the form of minutiae points, and those points are bundled up into a data packet and sent to the card for matching, says Grother.

The card executes a fingerprint comparison algorithm and produces a score revealing how similar the fingerprint sent to the card is with the one stored on the card. The card then renders a decision as to whether or not it's the same person, explains Grother.

A difference between match-on-card architecture and traditional match-on-server architecture comes in the type of algorithm you can run. "Sometimes with a remote server you've got more computational power, so you can run a different class of algorithms. Richer algorithms can run on computers than on cards," says Grother.

This is because smart cards have limited computational capability. Grother explains that over time cards have gotten faster and more capable, but so too have desktop computers. "A card has a limited amount of working memory, and that turns out to be important for certain algorithms," says Grother.

Two standards govern the majority of match-on-card functionality: ISO/IEC 19794-2 and ISO 7816, Grother says. ISO/IEC 19794-2 defines the bits and bytes for fingerprints in both match on card and match off card.

Commands must be used to send and receive data from cards. The ISO 7816-11 and 7816-4 standards regulate this transmission, Grother says.
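An added example, not from the article or from NIST: a Python sketch of the exchange Grother describes, in which the reader packs minutiae into a data packet and the card scores it against its stored template and returns only a decision. The 3-byte minutia layout, the tolerance matcher, the 0.6 threshold and the three-try limit are assumptions for illustration; the status words are the ISO/IEC 7816-4 values.

```python
import math

# ISO/IEC 7816-4 status words the card can answer a VERIFY command with.
SW_OK, SW_WRONG_LENGTH, SW_BLOCKED = 0x9000, 0x6700, 0x6983
SW_FAILED = 0x63C0            # 63CX: no match, X attempts remaining

def encode(minutiae):
    """Reader side: pack (x, y, angle_deg) points, 3 bytes each (assumed layout)."""
    return b"".join(bytes([x, y, round(a / 5.625) % 64]) for x, y, a in minutiae)

def decode(blob):
    if not blob or len(blob) % 3:
        raise ValueError("malformed minutiae record")
    return [(blob[i], blob[i + 1], blob[i + 2] * 5.625)
            for i in range(0, len(blob), 3)]

class Card:
    """Toy match-on-card applet: the template goes in once and never comes out."""

    def __init__(self, enrolled, threshold=0.6, max_tries=3):
        self.__template = decode(enrolled)   # no command ever returns this
        self._threshold, self._max, self._tries = threshold, max_tries, max_tries

    def _score(self, probe, dist_tol=4, angle_tol=12):
        """Fraction of minutiae paired within tolerance (illustrative matcher)."""
        used, hits = set(), 0
        for px, py, pa in probe:
            for i, (tx, ty, ta) in enumerate(self.__template):
                turn = abs((pa - ta + 180) % 360 - 180)   # wrap-around angle gap
                if (i not in used and turn <= angle_tol
                        and math.hypot(px - tx, py - ty) <= dist_tol):
                    used.add(i)
                    hits += 1
                    break
        return hits / max(len(self.__template), len(probe))

    def verify(self, data):
        """Handle the VERIFY data field; only a status word leaves the card."""
        if self._tries == 0:
            return SW_BLOCKED                 # counter exhausted: refuse to match
        try:
            probe = decode(data)
        except ValueError:
            return SW_WRONG_LENGTH
        if self._score(probe) >= self._threshold:
            self._tries = self._max           # success resets the retry counter
            return SW_OK
        self._tries -= 1                      # limits repeated attempts on one card
        return SW_FAILED | self._tries

# Constructed sample data: not real fingerprints.
ENROLLED = encode([(20, 30, 45), (50, 80, 90), (100, 40, 180),
                   (130, 120, 270), (70, 150, 10), (160, 60, 300)])
GENUINE = encode([(21, 31, 48), (49, 79, 88), (101, 42, 178),
                  (131, 119, 272), (72, 149, 12)])       # jitter, one point missed
IMPOSTOR = encode([(200, 200, 0), (10, 200, 120), (220, 15, 200),
                   (90, 90, 330), (180, 180, 60)])

if __name__ == "__main__":
    card = Card(ENROLLED)
    for name, probe in [("genuine", GENUINE), ("impostor", IMPOSTOR)]:
        print(name, hex(card.verify(probe)))
```

The reader learns only the status word, never the similarity score or the enrolled template, which is the property the article attributes to match on card.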

Proprietary options

Although standards exist for biometrics and match on card, organizations can utilize proprietary closed systems that do not abide by standards at all, says Grother.

An integrator can help an organization implement the match-on-card process. To do this, an integrator needs to be aware of and perform smart card personalization for biometric data. The fingerprint live capture devices for both enrollment and verification need template conversion tools in order to convert the live template into a viable match-on-card template.

Integrators also need to be aware that fingerprint templates still need to be captured in standard RAW formats for safekeeping. Also, depending on the application, an integrator may need to develop or procure an AFIS or ABIS to perform de-duplication at enrollment, says Jonah Adams, strategy and group coordination at Nigerian-based Interswitch.

Match on card advantages

A challenge with traditional match on server, says Orandi, is what happens if the biometric image is stolen or intercepted along the communication channel. Because biometric identifiers are permanently attached to a person, the credential can't be cancelled once it's compromised. "It's the biggest risk of a biometric system," says Orandi.

Because match on card locks the data in the chip, lost or stolen cards pose minimal risks. Additionally, the biometric is never stored on a backend database so compromise at this level is also a non-issue.

With match on card, the likelihood of data being intercepted is virtually eliminated. Because there is still communication between the card and the reader, Orandi says interception is still possible, but the risk is greatly diminished.

Still, match on card does present some challenges. Once the card architecture and algorithm have been designed and manufactured, there’s no easy way to change or upgrade that architecture, says Orandi.

The computer on the card is also not as powerful as a full-blown computer, so establishing the identity takes longer. Servers operate much more quickly, 10-to-100 times faster than a smart card, says Orandi. "Smart cards lose the speed race," he says. "But to counter that, you are able to make a match even if you can't reach the server."

A potential problem with this method, however, is that in the case of offline matching, there is no central authority to dictate permissions. Orandi gives the example of 9/11 and different people trying to gain access to the site, from legitimate first responders to unscrupulous individuals. Match on card would verify the person is who they say they are, but without tapping into a central authority, it would not be able to say whether the person was allowed to be there. A card would be able to hold permissions, says Orandi, but it can't revoke the information. "The server has the revocation list or hotlist," says Orandi.

NIST has determined that algorithms are not quite as good for match on card as they are for match on server. NIST's MINEX, or Minutiae Exchange, program looked at the commercial viability, accuracy and speed associated with off-card and on-card matching.

"The answer is 'not quite, but almost,'" says Grother. "There are algorithms, fewer of them, commercially available that run with accuracy approaching that of off-card matching."

In places where lack of infrastructure poses a problem, match on card can be an ideal solution. "In markets where infrastructure challenges impact a customer's ability to fully explore a server-side implementation, the preference is for the match-on-card options," says Interswitch's Adams. "Especially where flexibility of use and mobility in deployment is a critical factor."

Ellen Arndt, Communications Manager, AlphaCard

The functionality and usability of student ID cards has come a long way over the years. When I attended college, our student ID cards weren’t nearly as valuable as they are today. In fact, I distinctly remember my card serving three main purposes: to pay for a meal at the student dining hall, check out a library book and access the stationary bike at the campus gym.

We’re fortunate that the times have changed and that university ID card programs afford so much more in terms of efficiency, safety and security. School ID programs, specifically those tailored to universities, spread across multiple applications from the identification of faculty, students and visitors to integration with parking programs and access control systems. Here are just some of the ways that modern universities are implementing ID badge systems:

Identification Purposes: With the right ID card system in place, universities can use these cards for identity verification at exams and student voting booths; entry to athletic/recreational events such as basketball games and on-campus concerts; access to campus health care programs or legal services; and as photo ID credentials for admissions, student records and financial aid.

Access to Facilities: Schools are harnessing ID systems to control access to classroom buildings, recreational facilities, labs, student halls and dormitories. With security at the front of everyone’s mind, making certain that only authorized individuals can enter a building is imperative to the overall safety of a university campus. Advancements in access control systems ensure that unauthorized visitors cannot enter a building without a validated ID badge, which they must swipe at the entrance. Many universities also distribute visitor badges to prevent unidentified visitors.

Funds Management: As alluded to previously, school ID cards at my alma mater – University of Portland – were primarily used for meal plans, but now, cards go much further with regard to managing funds. Examples of contemporary student card features include distribution of financial aid funds, copy machine funds, laundry service funds and even debit card functionality for both on and off campus use. Employing ID badge systems as a funds management tool can also greatly reduce paper waste.

Other Uses: ID cards can also serve as parking permits, transit access cards and event discount cards for use at local restaurants, shops and movie theaters. Moreover, photo ID cards can act as an excellent attendance tracker – with bar code scanning – to keep up-to-date records of who attends classes, exams and campus events.

When considering the above functions, it is clear that the school ID card is not just a piece of plastic to be buried in one’s wallet: it’s a legitimate way for universities to protect students and staff, disburse funds and become greener campuses.

CBORD, a provider of food and nutrition management, cashless card, and access control solutions, is pleased to announce that Larry Delaney has joined the company as vice president of CBORD Cashless Systems, effective June 17.

As a member of CBORD’s executive management team, Delaney will be responsible for the product management, engineering and product marketing teams driving CBORD’s cashless transaction systems business. Additionally, he will be the executive in charge of CBORD’s Student Advantage and Off Campus Commerce groups.

No stranger to Ithaca, Delaney is a Cornell graduate, and holds an MBA from the Simon Graduate School of Business Administration at the University of Rochester. Most recently, Delaney served as President of NCCIT, where he drove strong top and bottom line growth in datacenter/SaaS technology services solutions.

Previously, Delaney was vice president and general manager of Pitney Bowes Marketing Services Business Unit. He came to Pitney Bowes through the successful merger of MapInfo, where he served as vice president of Industry and Business Development. Earlier, Delaney worked in management roles at Xerox, in Production Publishing Solutions and DocuTech marketing.

Programs ideal for customer service, photos, document processing

Campus card offices typically run on tight budgets, putting strain on the day-to-day operations. However, some universities have found an inventive solution to bring in some extra revenue.

Card offices looking for extra income might want to consider adding a passport acceptance center so students and the local community can apply for the identity documents on campus. The demand for the travel documents has never been higher as required usage has expanded to include land border crossings, cruises and more.

An acceptance center is a location approved by the U.S. Department of State to facilitate the passport application process. The actual passport documents, however, are still issued by the Department of State at centralized production facilities.

Even if a school doesn’t make a profit, it’s still building good community relations and providing a valuable service to constituents. Campus card programs can be ideal as most already possess key elements and skills such as photo capture and printing equipment, skilled customer service professionals and application handling processes.

The University of Kentucky in Lexington started its passport program in January 2010, says Karen Doyle, the university’s student affairs coordinator for the Office of Student Involvement.

The University of Nebraska, Lincoln, began accepting passport applications in May 2009, says Julie Yardley, manager of the school’s NCard and Passport Acceptance Office.

At Nebraska the idea came from the school’s chancellor, explains Kim Phelps, associate vice chancellor for business and finance. “Of the numerous reasons we had for pursuing this activity, the most important was meeting the needs of a student body and faculty members involved with study abroad programs and international student recruiting,” says Phelps.

So what must one do to become an approved acceptance center? Location, it seems, is key because the State Department doesn’t want too many facilities operating in close proximity. Then there’s the training. “We started the process in 2009 and it took us nine months to go through the process,” says Doyle.

Both Yardley and Doyle found that only trained, full-time employees could handle passport applications and operate the center. “You couldn’t hire a temp or a student worker,” says Doyle.

The offices can take walk-ins, but they may be in for a wait if the correct staff members are not available. Thus, both offices encourage applicants to set up appointments.

To save time, Kentucky encourages applicants to fill out the paperwork online, print it and bring it to the office. “They must come to the facility,” says Doyle.

Passports cost the same whether you apply for one at a post office, the campus card office or another approved center.

Each document costs $110. If you want to shave several weeks off the process and receive it in two to three weeks, instead of five or six, tack on an additional $60 plus $12.85 if you want the passport returned by overnight delivery. If you want a passport card–good for ground transportation only between Mexico, the U.S. and Canada–that’s $30.

There’s also the $25 execution fee or agent-processing fee, which is where a card office, or any passport acceptance center, makes its money. This is paid separately from the regular $110 passport application fee.

Another revenue opportunity for schools is with passport photos. Kentucky charges $10 for a set of photos while Nebraska charges $7.50. That compares to $15 charged by the post office or $8-12 that local retailers often charge, explains Yardley. “We didn’t want to drive anyone out of business. We wanted to be competitive and it more than covers our expenses.”

Nebraska has taken 4,200 sets of photos since it launched the service, says Yardley. She says people also use their photo service for visa applications or for graduate students submitting testing applications.

State department rules force location change

When the University of Kentucky first opened its passport acceptance center, the facility was housed in the card office. That changed in January 2013 due to the State Department’s “operational” changes that restricted passport centers from sharing space with student ID or other service locations, says Doyle.

The major ongoing cost is employee salaries. “When we added this to existing employees’ duties, there was no additional overhead. It was done during less busy hours of the day and month. If someone was hired to do just passports the salary would have to be covered completely by these revenues. So, it’s a good idea to add it to an already existing office or service,” says Doyle.

The first year the University of Kentucky offered passports, it processed more than 600, with 700 the following year and more than 1,000 in 2012, says Doyle. The school made $13,000 the first year, $15,000 the second year and projected $18,000 to $20,000 in 2012, says Doyle.

The University of Nebraska has processed 3,176 passport applications. That’s a $25 per application profit, or about $79,000 since the university started processing passports in 2009.

The application process takes 10 to 30 minutes depending on the complexity of the application, says Doyle.

“A person brings a birth certificate and old passport if he has one. We witness the signature and send the package on to the regional center where processing occurs. The completed passports are then mailed back to the individual. We don’t retain any information about that person,” says Doyle.

“It provides a wonderful service for the university, the faculty and staff and the community at large … and it increases good will,” says Yardley. “It’s really not that hard to add this to our duties. We’re already a printing and copy center.”

If Yardley had it to do over again, she says she would have spent the initial couple of days at a post office observing the staff processing passport applications. “The first few times I was a little nervous, but after that it got better,” she says.

As to what Yardley can offer other schools considering becoming a passport acceptance facility: “Find your regional passport office, that’s your starting point.” She says it’s possible a school can get turned down if the Department of State believes there are enough agencies in the area already.

But if your card office is approved, it can be a great add-on service and revenue opportunity. “It has been a great experience,” says Yardley.

Estimated startup costs for passport acceptance

Camera & Printer: $1,500
Die Cutter: $100
Embosser Seal: $40
Safe for Transmittals: Varies

Boston University has announced that it is using CBORD’s CS Gold campus card system for its campus ID system. In the search for a secure campus experience, Boston University officials decided on the CBORD solution and its iCLASS contactless cards for the university’s card production, meal plan management, discretionary spending, privilege verification, laundry and vending utilities.

CBORD’s card solution at Boston University will be used extensively as more than 75% of the student population lives on campus. The university has recently decided to cut the total number of dining venues, but has opened the Marciano Commons location to better serve its large student population.

To accompany the dining overhaul, Boston University has also incorporated measures to expedite service at the various dining locations.

Serving more than 5,000 meals daily, the new Marciano Commons location has been outfitted with six access-controlled points of entry – turnstiles that combine the CBORD campus cards with biometric fingerprint readers. University officials say that the inspiration behind the implementation of a biometric modality was the prevention of meal plan sharing between students.

The biometric data is stored exclusively on the cards, not logged in a backend database. Moreover, the biometric factor is an opt-in function so students who wish to forgo the fingerprint capture – an uncommon choice thus far – can simply present their card to the cashier at the gate for further verification.

The new turnstiles are simple to operate as students first present their student IDs at the bioCLASS reader and are then prompted to place their finger to the reader to achieve the biometric authentication. Upon completing this, the bioCLASS reader then seamlessly interacts with CS Gold’s CS Access – CS Gold’s access control module – to determine the following:

Provided the above conditions are met, the turnstile opens and grants access to the hungry student – a process that takes only milliseconds.

The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com
©2024 CampusIDNews. All rights reserved.