Card, mobile credential, payment and security
It was more than three years ago that US PIRG released its report damning the relationships between financial providers and academic institutions that provided payment card products to students. In its wake, other reports from the agencies like the Government Accountability Office, Congressional hearings and consumer protection efforts followed. Then came the Department of Education's efforts to revamp financial aid disbursement.
The DOE convened a 2014 Negotiated Rulemaking Process to gather input from a cross section of concerned groups. After months of meetings and drafts, negotiators reported that they thought they had successfully re-crafted the rules. But representatives from industry and the consumer advocacy groups failed to reach total consensus, leaving the DOE free to draft the rules as they saw fit.
In mid-May, the DOE’s final proposed rules were released, and they are not favorable for industry, campus administration or even students. They appear to be a win only for the consumer advocacy groups that have been pushing to have banks and payment cards completely removed from the process.
Since the Negotiated Rulemaking began, both the service providers and the campuses relying on them to disburse financial aid to students have been on proverbial pins and needles. The future of this line of business and peripheral services -- such as campus card and bank partnerships that deliver accounts and debit cards to students -- have been up in the air.
I have written about this many times before and have worked with associations, providers and campuses attempting to plan for the future. The goal has been to help the DOE develop productive regulations that protect students and grow these services. But from the beginning, the car has been driven by consumer advocacy bodies that seemed devoted to the banishment of these relationships from higher education.
Still I always believed that cooler heads and data-driven decision making would prevail. After all, I know that the vast majority of these services are beneficial for campuses and students alike – better in most cases because the campus is involved on the student’s behalf.
I kept this cautious optimism throughout the negotiated rulemaking process, loads of phone briefings, several years of conference sessions and a series of draft proposals and comment periods.
I am no longer optimistic.
I fear that the draft regulations released by the DOE in May are likely to pass without significant changes. I have heard no insider intel to suggest that the comment period that ends on July 2 will produce substantive change.
For the first time, this has me thinking about worst-case scenarios. What if the consumer groups get their wish and some or all of these relationships that both campuses and students rely on actually do go away?
As both a student and a university employee, I remember the “net check” process where everyone receiving aid had to get it via paper check. It was painful on both sides. Are we destined to relive it? As other federal programs from Social Security to Veterans Affairs totally eliminate checks, is the DOE pushing campuses backward?
Do they think forcing campuses to manage ACH processes in-house, increase the use of paper checks and push students to use their existing bank accounts really solves a problem students are facing? Many paper checks will be cashed at rip-off payday loan shops. The students’ preexisting bank accounts all charge non-sufficient fund and other traditional fees the DOE is trying to eliminate.
Sadly, many of the products the new regulations will curtail actually are better, as they offer low- or no-fee alternatives that help students access Title IV funds. In the rush to appease the consumer advocates, it seems the DOE has overlooked this reality.
NACUBO created a flowchart to enable a campus to determine whether or not they have a T1 or T2 relationship. In the interest of getting down to layman terminology and simplifying the subject, we have abridged that flowchart to a more basic version.
Do you have a T1 provider?
Do you have a T2 provider?
Lets make some assumptions and head down the path of worst-case scenarios. Assume that the proposed rules pass without substantive change or perhaps get even more punitive toward T1 and/or T2 entities. What might the implication be for your campus?
To state the question another way, “what if my provider goes away?”
When we think about issuing IDs to students, rarely do we consider those students who don't report to campus at all. Homeschool students require access to the same academic resources that their on-campus peers enjoy, but verifying their academic standing can be a challenge without the proper credential.
Now, a new initiative from Homeschool.com and IDCreator is hoping to put free ID Cards into the hands of homeschool students in time for the 2015-2016 school year, enabling them to gain access to valuable academic resources.
The idea behind the initiative is that the average homeschool student has less access to school-related resources that would otherwise be found in a typical on-campus library or classroom. Homeschool.com, an online community for homeschooling parents and students, and IDCreator.com have partnered to provide free ID cards -- which carry an estimated value of $10 -- to homeschool students to help them access local school resources.
The initiative will enable students to detail their homeschooling education, name, age and educational level in order to identify themselves to institutions like high schools and public libraries, as well as gain access to their academic resources. The partnership allows anyone to obtain the ID card by first visiting the Homeschool website offer page.
According to a spokesperson for IDCreator.com, designing cards is only half the story, with the more important half being what the cards will be used for. The company says the key is providing homeschool students the ability to make ID cards that they can then use to access local school resources, borrow books and further their learning.
Ohio University's libraries will now require students to pay with Bobcat Cash via their university ID cards in order to use on-campus printers.
According to The Post Athens, the change is set to take hold June 29, and will also include printers in the university's college of business, as well as Ohio's Athens and Dublin campuses of the Heritage College of Osteopathic Medicine. More buildings on campus will adopt the pay-to-print system later this summer.
In an announcement from the university's office of information technology, the new system will eliminate registration holds due to printing charges on student bills. Students will also be able to call up print jobs from anywhere by uploading documents to myprintercenter.ohio.edu or emailing documents to [email protected].
The university has been prepping for the change for some time, with one of Ohio's libraries replacing all of its old printers this past winter break. Another benefit to the change is that students will be able to print from their personal computers, tablets or phones without having to install new software. This will enable students to print from any library computer to any library printer.
Currently faculty, staff and guests of the university can only print at specified "vended” printers. Following the official switch to Bobcat Cash, these users will be able to use any printer at one of OU’s libraries. As with many other universities, Ohio students can add Bobcat Cash to their ID cards anytime using an eAccount and university web portal.
Purdue University has outfitted its campus card with a new aesthetic after announcing via Twitter that a new card would be rolling out for students, faculty and staff in time for fall 2015.
In a report from the Purdue Exponent, current students will keep their existing IDs, but will have the option to exchange their ID card for the new design at a standard replacement fee.
The card revamp is purely an aesthetic one, as the card technology will remain unchanged. The cards will feature colored stripes on the bottom front of the card that will designate the cardholder as faculty, staff or student, a feature that will carry over from the current cards.
The old PUID card design.
The previous card design featured a strip across the top and bottom of the card, with a picture of Purdue's Engineering Fountain. The new card design moves the ID photo block to the lower left corner of the card. Both cards display the University logo in white and have the identified person's first name, last name and PUID number.
The new background image will feature fall foliage behind the "Unfinished Block P" statue which stands in Academy Park on Purdue's Campus. Per the Exponent report, Purdue is joining a growing roster of universities that recognize preferred names on cards, and students have the option to have a preferred name printed on their new card.
Interns from the university's marketing and media staff conducted intercept surveys with students across campus, asking them to vote on one of three card designs, as well as to offer opinions on the new design options. The winning card design received a 72% approval rate.
The Purdue card office, along with university marketing and media staff, plan to design and print a new updated card design every five years.
Wireless payment processor and hardware provider, Apriva has established connections to its cashless payment gateway with all major campus card service providers, enabling vending operators to accept student cards for payment.
According to a report from Vending Times, Apriva recently completed a vertical integration of the company's payment hardware and cashless payment gateway with the card systems provided by the major card system vendors -- Blackboard, CBORD, Heartland Campus Solutions and Atrium. The integration enables Apriva to accept student cards as a form of payment for vending services at more than 2,400 campuses.
According to company executive vice-president Rinaldo Spinella, Apriva is the only cashless payment gateway that has established contracts with all major campus card providers. Apriva has also extended its efforts north to Canada, striking agreements with the University of British Columbia and similar universities that manage their own campus card systems.
Apriva ensures that the cashless readers from any of their hardware partners installed on each machine and connected to the Apriva gateway can securely read the student card, credit, debit and prepaid cards from all major brands. Apriva also establishes a secure, server-to-server connection with each student card brand via the campus card vendor, as well as with each credit and debit card brand's payment processors.
In addition to enabling fast and secure transactions for students, faculty, staff and visitors, Spinella says the increase in volume from the use of student cards for purchase could provide some relief from tight margins. "We can now 'productize' the student card as a payment source for vending operators," he says. "It took a lot of years, but we've done the heavy lifting and are ready to connect to virtually any campus that issues a closed-loop, payment student card."
There are a number of reasons for a university to consider changing its campus card whether it’s new aesthetic designs, new card technologies or a current system simply reaching the end of its intended lifespan.
Whatever the reason, however, when the decision involves a change of card technology, the contactless smart card always seems to be a topic of discussion. It’s a decision that many universities and colleges grapple with, weighing the pros and cons of a more robust card technology with the cost its implementation will require.
For many universities, the jump to contactless comes down to three main considerations. “It’s stronger card technology with encryption to prevent counterfeiting, additional functionality, and future proofing the campus,” says Brett St. Pierre, director of education solutions at HID Global.
Despite the more secure card technologies available to universities, many still rely on the so-called convenience technologies of mag stripe, bar code and prox.
At its core, the 125 kHz prox card is created for the purpose of convenience. It’s great for providing a student quick access to an academic building, residence hall or rec center, but it’s doesn’t have the same security capabilities of a 13.56 MHz contactless card.
“Proximity is a 30-year old technology that does not have security built into the communication,” says St. Pierre.
Like bar codes and mag stripes, the lack of cryptographic capabilities leaves proximity cards susceptible to cloning and counterfeiting. Smart cards – both contact and contactless – contain integrated circuits or chips that virtually eliminate the potential for card cloning via cryptographic controls. “With contactless smart card technology, you get a hand shake that is much more secure,” explains St. Pierre.
St. Pierre goes on to explain that contactless smart cards also provide the ability to store multiple identities or credential numbers. “Multiple identities can provide a university ID for use on campus, a medical center ID and third-party research labs,” he adds.
This flexibility enables a campus to tether additional functionality to its credentials beyond just physical access. “With contactless smart cards, you open the door to many more uses on campus, including physical access control, payments, library, logical access, mobile and transit functionality just to name a few,” says St. Pierre.
In addition to the added functionality, the ability to add multiple applications helps an issuer to future proof the system. Building in flexibility to address unforeseen needs that may arise during the life of the program, provides peace of mind and improves the overall return on investment.
Northern Arizona University recently made the jump from prox cards to contactless smart cards. “As we became aware of vulnerabilities and limitations with proximity chip technology, we began to investigate options for a more secure and future-resistant technology,” says Joe Harting, systems administrator for campus services and activities at Northern Arizona University (NAU).
Last year, Northern Arizona was the subject of an on-campus demonstration wherein the university’s then-prox credentials were shown to be vulnerable to counterfeiting.
Harting says that he and the administration were aware of prox’s vulnerability to the “bump-and-clone” attack that made headlines, and that they had been making plans to migrate to contactless for some time. “Prox technology lends itself to cloning using inexpensive materials purchased on the Internet,” he says.
To better paint the picture, the bump-and-clone attack goes something like this:
Depending on the type of equipment used, a prox card can be read at varying distances, through wallets, purses, backpacks, etc. without the victim being aware their card was scanned. Once the prox data is read, it can be transferred to another prox card or prox-emulating device.
As long as the data from the victim’s card is identical, there is no need to decipher anything, says Harting. “Once the raw data from a credential is presented to a prox reader, it will treat it the same, whether it is the original credential or a clone.”
One of the security features of contactless smart cards prevents such attacks. By cryptographically challenging the card’s chip prior to any transaction, a reader can identify a cloned card and deny its attempted use.
While NAU was already planning a jump to contactless cards, the demo on campus expedited the transition. “We had no instances of anyone experiencing any theft or unauthorized access as a result of the vulnerabilities with prox, but we believe in taking a proactive approach to overall campus safety,” says Harting.
The request for proposals process can be a complicated and lengthy one, even when you're already partnering with the winning candidate. That's the case at the University of Vermont where following a lengthy RFP process, the university has signed a new, five-year dining services contract with current partner Sodexo. The new contract goes into effect on July 1.
Per a report on the The University of Vermont's official website, the 14-member Dining Services RFP Committee represented students, faculty and staff. En route to a decision, the committee held in-depth consultations with 32 campus constituencies and governing groups, conducted a student needs survey, and held over 40 committee meetings since the process began in January of 2014. the result of the work is a request for proposal that the university believes reflects the future of campus dining.
According to the report, two viable firms submitted bids last fall and presented their proposals publicly to the campus last November. The result of the RFP process may come as little surprise, as Sodexo has been Vermont's food service partner for the past 59 years. Nevertheless, the university embarked on an extensive selection process that began in December of 2013.
As part of the new contract, Vermont provided the following requirements:
The contract will cover 17 total University of Vermont venues, including dining halls, retail locations and concession sites. The contract grants the vendor exclusivity of services at all designated venues. The university, meanwhile, will receive a financial return to assist with facility upgrades, equipment maintenance and program enhancements.
The conversation surrounding smart cards on campus is one that is met with reticence by some, but the reality is that universities in other countries have been leveraging smart cards for decades.
It’s rare to see these programs in action, though, as the divide between both smart card opinion and geographical distance is often too great. In an effort to better understand how universities abroad are handling the campus card, the University of Cantabria, in Santander, Spain, shared its story.
The University of Cantabria is one of the most advanced smart card implementations in higher education, using both contact and contactless technology to facilitate virtually every campus card service. Founded in 1972, the university is located in Santander, Spain, and has been a 15-year flagship for Santander Bank. Together they have built a campus card scheme used by universities across the continent and the globe.
The university maintains two campuses with more than 13,000 students and 1,400 faculty and staff – each outfitted with a university smart card. Sharing a city with Santander Bank has had its advantages for Cantabria, and the university has provided the ideal proving ground for the bank’s higher ed division, Santander Universities.
“Cantabria has been critical to Santander Universities because everything started there,” says Vicente Prior, director of products and channels at Santander Universities. “Cantabria is where we had our very first agreement with a university, including academic, financial and technological collaboration with the smart card.”
Santander Universities issues smart cards to 302 universities in 12 countries, according to Prior. The program is supported by five university research centers, the first of which was established in Cantabria in 2000.
“Cantabria played a key role in communicating our collaboration to other universities, first in Spain and later in Portugal, the UK, Latin America, the U.S. and China,” says Prior.
Smart card services include access control, library patron ID, discounts at shops and, optionally debit, explains Prior. “Over time, universities have the choice to incorporate value-added services, such as digital signature and payments at public transit, or even use our university mobile app,” he adds. Cantabria’s smart card facilitates a full range of on- and off-campus services, with both contact and contactless options for all of the above functions.
European countries have been working with smart cards for nearly three decades. In fact, Cantabria has never used magnetic stripe, implementing chip cards as far back as 1995. “The smart card better suits our requirements for secure offline and online services,” says Jorge Lanza, assistant professor and director of the University Smart Card Technological Research Centre at University of Cantabria.
“We have Java Card, contactless MIFARE classic and at the same time DESFire,” explains Lanza. “It’s three technologies within the same card.”
Lanza hails the university for practicing a “do it yourself” method of deployment, rather than relying solely on external solutions. “We require open interfaces in order to be able to fine tune the services we provide so we can learn, implement, test and deploy them ourselves,” he adds.
The services supported by Cantabria’s smart card include library, access control, mobile apps, debit, ePurse (declining balance), print/copy, public transit, PC desktop login, online authentication and digital signature. These services are available using both contact and contactless technology.
Added value for students also comes in the form of EMV compatibility, which makes the Cantabria smart card a viable solution for both on and off-campus transactions.
The university and the city of Santander’s public transit body use the same contactless technology, so using the student card for transit access is another popular option.
For a university that is already working with an advanced smart card system, it’s hard to posit what the next step could be. As with other universities, however, Cantabria has its eye on the mobile device.
The ball is already rolling on the mobile front, as Cantabria maintains a campus mobile app that integrates a number of student services including:
The idea of a mobile credential is also in the cards for Cantabria, and Lanza is keen to leverage another of the smart card’s capabilities to add the service. “Our smart card is completely NFC compatible so that we can also use it in combination with our mobile phones,” says Lanza, adding that physical access via a mobile device is close at hand for the university.
The idea behind Santander Universities is to promote the idea of a cooperative network between their campus clients.
“The university decides what services are put in place, as the university smart card is their campus ID,” says Prior. “The role of the bank, as an outsourcer and partner, is to help the university enlarge the possibilities of services that can be added and help to implement them.”
“Now, getting the full set of services takes much less time – often less than 12 months – for a new university than it did for Cantabria, which has been a pioneer over the 20 years that we have been issuing their card,” adds Prior.
The work being done at Cantabria serves as a beacon for others in the Santander network … and vice versa. The ultimate goal is to enhance each university’s smart card ecosystem, based on the shared experience of the entire network.
Santander Universities is a global system, says Lanza. “As a member of that system, your problem is also theirs.”
Eastern Washington University's Dining Services has announced a soft launch for mobile-ordering app, Tapingo -- a solution designed to cut wait times and introduce greater variety in student dining. The university expects a full release in September when students and faculty return for the fall semester.
Per a repot from the university's student publication, The Easterner, students, faculty and staff who use the Tapingo app can remotely call up food orders for any partnering restaurants -- with the exception of the the university-run Tawanka Commons -- via the app and have it prepared while they are on their way to pick it up. This is a familiar formula that other Tapingo partnering universities are following.
Students can download the Tapingo app on their mobile device, create an account and choose their university. The app recognizes all restaurant locations on and around campus that accept Tapingo ordering, and students can select where they want to eat based on the estimated wait time Tapingo provides.
Once a student has chosen a dining location, they can order their meal from anywhere, and at Eastern Washington use either their Eagle card, debit card or credit card to pay. The student then receives a confirmation from Tapingo that the order has been received.
A notable feature of the Tapingo app is Active Cashier, a separate ticket printer within each partnering restaurant that keeps track of orders and lets students know when food will be ready for pickup. Active Cashier tracks when an order is entered and fulfilled and automatically provides the customer with the wait time for an order pickup.
When a Tapingo order is received at a dining location, it will print a ticket and once the order is completed, the restaurant will scan the order ticket, sending a confirmation via the app to the student who placed the order. From there, students visit a separate pick-up line at the restaurant and are on their way.
University officials say that though the campus-run Tawanka Commons is not currently included in the Tapingo app, a compatible menu is in the works.
As for security, Eastern Washington did it's homework and has been pleased with Tapingo's process. Eastern Washington University's director of dining services, Dave McKay said in an interview with The Easterner that Tapingo meets the university's PCI Compliance requirements. McKay went on to say that the Tapingo app runs on a different server than the university and all its security is done through a reliable third party.
The library – a university service as old as academia itself – has long afforded students the ability to check out materials to be returned in a timely fashion. At least that’s traditionally been the idea.
Over time, however, the resources students need to complete their coursework have evolved, and in many cases their value has skyrocketed.
At Philadelphia’s Drexel University and other campus libraries across the country, students can check out expensive equipment such as laptops and tablets. With such valuable materials available, questions arise with the security of the patron ID process in the modern library.
To check out these coveted devices, are students required to do anything more than swipe a card or hold it under the red glow of a bar code scanner?
A 2002 CR80News article on library patron ID explored how mag stripes seemed to be replacing bar codes as the gold standard for library identification. After nearly 15 years and the arrival of newer and more secure card technologies, it seems logical that things would once again have progressed. But are new technologies being used to drive credentials into library systems today?
“Although a large portion of libraries continue to use the bar code to retrieve patron data for book check out, we are seeing an increase in alternate technologies,” says Fred Emery, Heartland OneCard director of sales.
Contactless is making inroads at the library, says Kent Pawlak, Blackboard Transact’s director of product strategy. “There are still many libraries that request bar code on a card, but that is decreasing as they accept contactless and other identity verification methods,” he adds.
Still, bar codes are the tool of choice at the vast majority of libraries, says Grey Bartholomew, product manager for Odyssey PCS and Odyssey Direct at CBORD. “Anecdotally I would say 95-98% of our campuses are using bar code, 2-5% mag stripe and virtually none are using prox or contactless.”
Heartland’s Emery concurs, citing that about 85% of the company’s clients still use bar code, 10% use mag stripe and about 5% use some form of contactless technology.
Bartholomew believes that it less about universities opting for bar code than simply going with what they know. “I would say that bar code has been the standard for so long that campuses – library management specifically – takes the path of least resistance and sticks with what they know,” he explains. “However, campus card professionals see the benefits of card technology standardization and are beginning to educate library managers on other options.”
The example of checking out laptops and tablets is crucial to this education because it stresses the value of the materials that students have access to using their campus card.
While a vast majority will utilize a service like this properly and return the gear, the worst-case scenario could paint a very different picture. Suppose a student decided to produce counterfeit cards with valid identification numbers and use them to check out and resell expensive equipment.
The long-standing king of library check out remains the bar code. But it is an inherently insecure technology designed to expedite data entry and reduce human data input errors. Common bar codes are based on standardized symbologies so there is nothing secret or obscure about library codes, nor are they difficult to reproduce. Much like type fonts, most bar code formats are available for download online.
“Bar codes are primarily used to identify check-out materials, and as a result, every circulation station already has a bar code scanner,” says Pawlak. “The use of bar codes on cards at libraries has primarily been due to the simple fact that the reader was readily available.”
Over time, however, more libraries discovered that they could identify the patron in a different manner than the one they use identify books and materials. This realization, according to Pawlak, ushered in the acceptance of other card technologies.
“One driving factor is security. Bar codes are readily duplicable, providing for higher risk of fraud,” explains Pawlak. Additionally, the need for a bar code is often outweighed by the valuable card real estate it requires and the few demands for it beyond the library.
As for those valuable checkout materials, it seems that universities may be taking notice of the vulnerabilities of the bar code. “Quite often we see use of patron ID solutions other than the bar code – mag stripe or contactless – for check out of non-book items, such as laptops and AV equipment, particularly if the items are being managed in a system outside of the one used to check out books,” says Emery.
