Card, mobile credential, payment and security
By: Dan Gretz, Senior Director, Market Development, Blackboard Transact
Campus credentials and their various uses represent a rapidly expanding technology aiding colleges and universities in operating more efficiently while enhancing the student experience. Today, traditional magnetic stripe and prox cards – once the standard on campus – are being replaced in favor of more secure, sophisticated contactless cards and smart phones enabled with Near Field Communication (NFC).
Contactless cards and mobile credentials contain a computer chip with a connected antenna, enabling credentials to communicate with a reader over a wireless interface. They are “contactless” because the credential and reader don’t physically touch during operation, but instead data is shared between the two using radio frequency (RF) communication.
Sharing data via RF communication is extremely common. In addition to AM and FM radio signals, RF communication makes possible many modern conveniences including broadcast and satellite television, cordless phones, mobile phones, keyless entry for automobiles, garage door openers, wireless networking and more.
In most of these examples, both the sender and receiver rely on their own power supply. Contactless cards, however, don’t typically contain an on-board power source. Instead, the card accesses the power it needs to operate from the electromagnetic field created by the reader. This process is key to the operation of a contactless identification system as it enables cards to remain idle until they come in close proximity to a compatible reader.
Security, engagement and innovation are staples for universities when it comes to student recruitment and retention. Implementing an NFC-enabled contactless credential on campus helps universities to be at the cutting edge in those very same areas.
In addition, with more security, greater functionality, and multi-application support, institutions deploying contactless make ample strides in future-proofing their technology.
When purchasing new card stock, consider pre-printing the cards with the background elements so that only personalization data such as the cardholder photo and name are printed when issued on campus. Purchasing pre-printed card stock provides the most professional finish and also minimizes the chance of having surface imperfections resulting from the embedded chip, sometimes caused by card designs.
Other suggestions for contactless card issuance include adopting an ISO numbering scheme using a 16-digit card format with a 6-digit IIN registered with ANSI. Schools may also want to redesign or rebrand the card and card program materials to denote new functionality and leading technology. Campuses may also want to consider using their provider’s re-carding services to efficiently personalize new card stock with current cardholder information and avoid wear-and-tear on in-house card printers.
A campus-wide initiative to migrate to an NFC-enabled contactless card or mobile device requires thoughtful planning, involvement of cross-functional leaders, and changes to your overall credential program. But in making the decision to go contactless, a university will enjoy heightened security, greater interoperability and an innovative boost to campus that makes the conversion well worth the effort.
Concerns over student data security and identity theft were raised at the University of Southern Mississippi following a Feb. 15 writeup in the university's student publication, Student Printz. The story highlighted a policy at USM that enables individuals to acquire a student ID card by providing only their student ID number and basic information, rather than requiring a secondary form of identification at the time of issuance.
According to the Student Printz report, the ID issuance process has been a longstanding policy at the university. In response to the article, USM’s associate director of procurement and contract services stated that work was underway with university administration and the university police department to develop a new policy that would require students to provide state-issued IDs before being issued a USM student ID.
In addition to the ID policy, the story also alluded to a larger concern over identity theft and student data protection. In response to the story, USM officials have penned a letter to the editors to clarify the facts of the old ID policy and provide information regarding the new policy going forward.
University officials stated first that the potential fraudulent acquisition of a university photo ID should not be confused with the protection of individual student data and records, which are protected by the university’s information security measures.
The letter does acknowledge that a first-time student’s ID card could potentially be claimed by another individual, should that individual provide basic details of the student’s information. The functionality of a wrongfully issued card, as the letter goes on to clarify, would be disabled once the legitimate student claims the ID.
To correct the loophole, USM's Photo Services developed an internal procedure in late January that now requires photo identification at the time of new issuance of USM ID cards. The revised procedure implemented by Photo Services is as follows:
USM Photo Services also states that current USM ID cards have not been compromised, nor has there been any evidence of ID fraud as a result of the old process.
By: Todd Brooks, director of product management, ColorID
The topic of campus migrations, contactless cards and mobile credentials can seem overwhelming and present unique challenges for a university infrastructure. There seems to be as many opinions as there are options, and no one wants to be the one to make a technology decision only to find out that in a few short years the decision has already been rendered obsolete.
When contemplating a campus migration from magnetic stripes or proximity – 125 kHz Prox – cards to an advanced technology such as contactless cards or mobile credentials, there are many things that must be taken into consideration beginning with security, convenience and scalability.
The following are a few topics to keep in mind when starting this kind of project.
One of the largest issues we see within the university sector is the fractionalization that exists within institutions. Disconnects can be a common occurrence between people in the card office, housing, physical security, dining, and other key departments on campus, but decisions made by one entity will likely affect other parties on campus.
ColorID has worked with hundreds of universities to carefully navigate this migration process. Contactless migration should be a campus wide initiative, so one of the first things we recommend when starting the process is to call a meeting with all of these stakeholders. It is important that the contactless card or mobile credential must work with all of the different systems and readers on campus and therefore the best approach is to start with that end in mind.
During these stakeholder meetings, terminology is extremely important and can be very valuable. What one person thinks or understands of a technology could be entirely different from another colleague in a different department. Getting everyone on the same page early can avoid headaches, misunderstandings and costly delays down the road.
One of the most important decisions related to campus migrations is the preference of offline and/or wireless lock models. Housing typically has a very strong opinion about their residence hall locks and that will play a key role in the type of contactless technologies that are available.
Another important factor will be the Campus Card Integrator. Many of the popular integrators support specific contactless technologies and readers for their POS and other systems. Knowing answers to these questions can quickly narrow your focus to certain contactless technologies, readers and manufacturers.
Now that I have my new contactless card, there are many card issuance decisions that need to be addressed to streamline the card office operations, but these four considerations should make for a great start.
Contactless card programming: pre-encoded cards vs. encoding in a printer or at the desktop.
It is typically easier to purchase pre-encoded cards and then capture the number during the printing process, but some specific formats and number types aren’t suitable for this process. For instance, institutions utilizing randomized ISO numbers for access control may need to encode their own card data.
Encryption keys: manufacturer’s encryption key vs. custom key
Most manufacturers provide contactless cards with their standard encryption keys unless custom keys are requested. Over the last year, we have seen a trend toward institutions wanting to manage their own encryption keys versus using the manufacturer’s standard key.
Managing your own custom keys can add another layer of security to your credential, but it also brings along a management burden. What happens if you lose the key or it is compromised? Who has access to the encryption key? How is it stored and protected?
By Fred Emery, Director of Sales, Heartland OneCard
By now, most of us have heard about the “new” EMV payment cards. At least that’s the hope, as the transition to EMV in the United States is now well underway.
EMV, or Europay, MasterCard and Visa, is a set of worldwide standards for a payment card technology that uses computer chips embedded in credit and debit cards (called chip cards) to enable card payments.
EMV is focused on reducing fraud at the point of sale. EMV’s fraud protection enhancements are based on the chip card technology that adds dynamic data to the transaction stream, authenticating that the card is present at the point of purchase. Dynamic data is unique to each transaction.
The older magnetic stripe technology presents only static data that, once stolen, is easy to counterfeit. Because every card contains a unique chip, EMV cards are nearly impossible to economically counterfeit.
Another primary reason for EMV is the fact that credit card fraud has been on the rise in recent years. In 2014, the increase in the number of data breaches was notable, which led some to dub 2014 as “The Year of the Breach.”
These breaches were a result of attacks on point-of-sale (POS) systems for in-person payments. To help prevent fraud at the point of sale, a liability shift became effective on October 1, 2015. On that date merchants, who are considered the “weak link,” became responsible for fraudulent transactions that were made from an EMV chip card taken from a magnetic-swipe terminal instead of an EMV payment terminal. This upgrade in technology increases payment security and reduces the likelihood of fraud occurring with transactions at the POS.
However, this deadline is now being seen as a ramp up date for most, as experts estimate that 1.2 billion payment cards will have to be updated and 12 million POS terminals will require upgrades to accept them. Transitioning to EMV is complex and includes changes to merchants’ POS devices and payment software systems, as well as the software systems of their payment processors, acquirers and card issuers.
Unlike most payment security and fraud prevention upgrades, the transition to EMV cards is highly visible to the cards’ consumers. Not only does the EMV card have a visible symbol on the card (i.e. the chip), the consumer must change habits to use the new cards, as EMV cards are “dipped,” not “swiped.”
Now, instead of quickly swiping their card through a magnetic stripe reader, the consumer inserts the EMV card into the card device and leaves it there until the transaction has completed. Due to this new consumer behavior, almost all of today’s news in the public press centers on the shift to EMV for better POS security. So, in the public’s mind EMV may come to equal payment card security.
What’s more, there is a need for additional training to help staff and consumers adapt to a new style of “dipping” instead of “swiping” their cards. And the certification process to be EMV-compliant is a lengthy one. Each unique combination of card terminal device, device firmware level, payment software, and card brand and type must be certified individually.
Nonetheless, the combined benefits of reducing financial risk, improving data security, meeting student expectations and streamlining access to newer payment methods will quickly encourage institutions to transition to chip cards and the devices and systems that interact with them.
It is predicted that as national merchants move forward with implementing EMV, smaller to midsize businesses – including higher education – will become new targets for criminals. This means that your campus could be a prime target if you haven’t made the proper upgrades.
In the long run, colleges and universities will want to make the move to EMV to benefit from a reduction in card fraud, navigate fewer disputes, realize the opportunity to adopt new payment technology, and vitally, reaffirm to students and parents that their campus remains a safe place to conduct commerce.
Marshall University Housing and Residence Life is planning some changes for student meal plan policies starting with the fall 2016 semester.
As reported by the Marshall Parthenon, students currently have the option of an unlimited meal plan, a 15 meals per week package, or a 10 meals per week package with a choice of adding more flex dollars based on preference. The new policy will change the on-campus meal options available to students.
The changeover, according to Housing and Residential Life, will see Marshall keep the unlimited option, and move to block plans and do away with the 10 and 15 meals per week options.
The current unlimited plan offers students the additional option of $50, $150 or $250 in flex dollars, while the 15 meals per week plan has options of $100 or $200 in flex dollars. The 10 meals per week plan, available to only third year students or higher, comes with optional $400 or $50o flex dollar add ons.
"Flex is a lot more straightforward and easier to keep up with,” said Bob Dorado, manager of the campus ID office at Marshall, in an interview with the Parthenon. “In some ways more flex is more fair than the value that comes with the meal plans.”
The new meal plan structure is designed to offer student meal plans with an increased amount of flex dollars rather than more meal swipes. Following the changeover, Marshall will no longer support meal swipes in it's student center at any on-campus facilities other than campus dining halls. Instead, students with meal plans will be able to use the larger amount of flex dollars that will accompany the new block plans.
Each year, more than 600,000 U.S. college students ages 18-24 report experiencing some kind of violent crime while on campus, according to data published by a U.S. Department of Justice study of violent crime on college campuses.
Violent crimes include everything from robbery and rape to aggravated assault. Moreover, 84% of women who reported being sexually coerced experienced the incident during their first four semesters on campus – the period of time that most college students live in on-campus housing.
The statistics are troubling, but universities and vendors alike are working to implement solutions to make campus and campus housing safer for students. Of the many security measures available, visitor management systems offer a first line of defense.
To get a better idea of what’s being done on the visitor management front, CR80News spoke with Bob Lemley, director of software development for CBORD, about the visitor management challenges in higher education and how universities are navigating the issue.
While the idea of visitor management sounds all encompassing, the challenge for colleges and universities isn’t how to manage guests on the campus as a whole, but rather their access to specific locations within the campus. And no location is more crucial than the residence halls.
Think of it as compartmentalized visitor access.
Another facet to visitor management is the issuance of temporary cards or visitor badges. It’s standard fare for a number of market verticals, but higher ed doesn’t always lend itself to these types of solutions.
Campuses rarely issue temporary cards or badges to student guests, but official campus visitors, vendors and contactors are almost always issued some kind of temporary credential, says Bob Lemley, director of software development for CBORD.
Official university visitors are typically handled the same way as a student or faculty member. “They are issued a card that’s valid for a limited amount of time with limited privileges,” explains Lemley. “That’s a very common set of requirements.”
Where it gets more challenging, though, are summer camps where you’re dealing with the housing office where management systems can be very diverse, explains Lemley. “We have been, and are still, building systems that will make the whole camp experience easier to manage from an auditing point of view,” he says. “And frankly, a lot of it comes back to the residence hall and making sure people can get into the right room.”
“We haven’t built fully fleshed out visitor management solutions for an entire campus, but rather we have focused specifically on residence halls,” says Lemley. “One of the things that you’ll find with visitor management is that the rules and implementations are extremely diverse. It makes the rest of the things we do seem simple.”
The first challenge with visitor management in residence halls, albeit an obvious one, is that people actually live in the building. “It’s not an 8:00 a.m. to 5:00 p.m. clock-in, clock-out scenario,” explains Lemley. “When someone comes to visit a dorm, they’re visiting someone’s home, and you’re managing that home.”
The typical college campus also tends to be open in terms of general access, making visitor management at the residence hall level all the more important. “Universities have to balance how much protection they provide for students, while also providing the convenience and comfort of a home,” explains Lemley.
Rather than a set of best practices that can be applied across the board, every implementation is highly customized to that institution and the rules are fragmented, explains Lemley.
“Policies typically don’t fit into a standardized set of algorithms like meal plans or the rest of what a campus card system would do,” he says. “You get into all kinds of little detailed things that take a lot of business logic to implement.”
Universities can, for example, have special policies for the handling of minors that requires them to always be accompanied by a parent or guardian. Other universities have a family pass system where residents have two passes each semester for a group of visitors. And it’s not that University X has a specific rule and University Y has another specific rule, rather each tends to have a whole set of unique and complex rules.
By: Angelo Faenza, General Manager, PERSONA and Vice President of Campus Electronic Access Control Security Solutions, ASSA ABLOY Door Security Solutions
As colleges and universities are faced with the challenges of securing their campuses, there is inevitably, and unfortunately, a need to prioritize activities based on the available budget. Though this may seem like an impossible choice to make, campuses need to ask themselves, "What is most important to protect?"
The answer is, of course, the students. While every member of a campus community is critical to the institution’s success, students are the core of the community. Students and their families trust the college or university to provide a safe and enriching environment in which they can learn and grow. As such, any discussion about security on a college or university campus must begin with the residence halls. This is the place students call home in their time on campus, and it should offer the same sense of security as any other home.
If you work at an institution of higher learning, whether large or small, urban or rural, you know that the decision to upgrade security is one that is never made lightly. In fact, the process can be truly overwhelming, one that starts with lots of questions that often lead to even more questions. Where should you start? How many buildings can be upgraded at once? Should the upgrade be campus-wide or should it be done in phases? Finally, and perhaps most importantly, what sort of technology should be deployed?
Before we delve into these questions, it is important to acknowledge that every campus is unique. For that reason, there are no absolute, one-size-fits-all rules when it comes to upgrading security. There are, however, a number of guidelines used by many institutions of higher learning.
The first and often most critical step in your upgrade will be your selection of partners. As is the case with almost any purchase, any manufacturer you speak with will focus the conversation on the benefits of the products and solutions they offer. That’s his job. Your job, however, is to dig a little deeper by asking questions.
To get those conversations started, request details on the company’s support offerings. Ask for examples of challenges encountered during the installation process and how they were addressed and resolved by the company. Another important area to probe is whether or not the company will work directly with the integrator to ensure that you can quickly overcome issues as they occur.
Regardless of the question you’re asking, follow up by asking for examples. Then take it a step further and ask for references. You wouldn’t hire an employee without first speaking to people who have experienced working with the individual, and it’s not wise to select something as important as a security solution without the same degree of scrutiny.
The next area to consider is timing. It’s important to map out a comprehensive schedule, which will of course be influenced by whether you’re upgrading all at once or in phases.
Regardless, the scheduling of an upgrade has become more complex as colleges are increasingly using their residence halls to house summer conference attendees. That’s all but rendered the long summer breaks that used to be perfect for maintenance and improvement projects a thing of the past.
To make the most of the time you do have, schedule at the granular level, calculating how many locks will be installed per day. With the proper communications and respect for students’ time and space, it is even feasible to upgrade security with the students present in the resident halls.
Even though you’re just starting, now is the time to think about the upgrade path. Technology changes rapidly, more so every day. As you know by now, upgrading the security in any building is a major undertaking, one you likely don’t want to repeat in a couple of years when you discover that the technology has become obsolete. Be sure to select a solution that can support your growth and future technologies.
Walk your buildings. This is critical, since looking at one door and then assuming every door is the same is a mistake that often throws an upgrade off course. A thorough walk through will alert you to a host of issues, particularly in older buildings, that may present serious challenges and even set your project back significantly if not accounted for properly.
Finally, regardless of your security upgrade’s scope, remember that you are not just selecting a technology. You are also choosing a manufacturer and an integrator to go through the process with you, embarking on what will hopefully be a long-term and productive partnership. That’s why it’s so important that everyone shares the same objectives and works together as a team whether things are going smoothly or, more importantly, if you encounter glitches along the way. It’s those challenges that will really showcase your entire team’s commitment to the success of your upgrade. Take your time, do your due diligence and choose wisely.
Students at Central Michigan University are now able to enjoy the convenience of mobile food ordering, following the university's decision to implement the Tapingo app on the Mount Pleasant campus.
Per a report from Central Michigan Life, students can enjoy the full range of Tapingo services, including the standard pick-up option and the newer delivery option, on campus. Students can then enter their student ID numbers and use their student ID and FLEX Dollars accounts for payment. Credit cards can also be used as payment through the app.
At Central Michigan, FLEX Dollars can be used at all 18 dining of the university's on-campus dining locations. Additional FLEX Dollars can be purchased any time, and any unused FLEX Dollars at the end of fall semester will roll over to spring. At the end of spring semester, any unused FLEX Dollars will roll over throughout the summer. At the end of summer, FLEX Dollars expire and are not transferable to the next academic year.
Starbucks, Papa John’s or Java City are among the on-campus locations at which Central Michigan students can place orders via the mobile app. CMU's Campus Dining also played a large role in bringing Tapingo to Central Michigan, as it was looking for a way to make lives easier for students by offering the ability to order food on the go.
Campus Dining officials report that the app went live at CMU on January 25. “Tapingo has the potential to increase through output," says Nikki Smith, Marketing Manager for Campus Dining at Central Michigan University. "For example, if six students that normally stand in line to order at Starbucks start using Tapingo instead, we could then accommodate more students in line, while maintaining our high standards of customer service."
The Social Security numbers, ID numbers and names of some 63,000 former and current students and employees at the University of Central Florida have been compromised in a breach of campus records conducted by hackers.
In an official statement from UCF, university officials first became aware of the breach in early January but opted not to publicly address the hack until it had worked with the proper authorities to determine the source and extent of the breach. UCF's IT department insists that there has not yet been any attempt to use the Social Security numbers for the purpose of identity theft, fraud or other financial means. The university also stresses that no credit card information, financial records, medical records or grades were compromised in the hack, however student and employee ID numbers, names and other information were all compromised.
University officials have confirmed that current and former student-athletes who last played for the university in 2014-15, along with student staff managers for university teams and other related positions were affected by the hack. The remaining effected individuals consist of current UCF employees and those who worked at the university as far back as the 1980s. The total number of people whose information was included in the hack is a reported 63,000.
For the student-athletes and student staff members supporting those teams, compromised information included first and last names, Social Security numbers, student ID numbers, sport, whether they were walk-ons or recruited, as well as the number of credit hours taken and in progress. For the group of employees, compromised information included first and last names, Social Security numbers and UCF-issued Employee Identification Numbers.
Undergraduate student employees including those in work-study jobs, graduate assistants, resident assistants, adjunct faculty, student government members and general faculty were among the positions affected by the hack.
Officials with the university's information technology department say that it remains unclear as to who executed the hack, but it is suspected that the attack was the work of multiple individuals over time.
The individuals affected by the hack were initially notified via letter, while a call-in phone center will also be available for individuals to verify if their information has been compromised. The university also launched a website to answer questions at www.ucf.edu/datasecurity.
The university says that those people whose information was compromised will receive one year of free credit monitoring and identity-protection services, though it is recommended that those effected should also consider freezing their credit accounts so as to eliminate the opportunity for hackers to take out credit cards or loans.
UCF says it is taking actions to enhance user account and password security, as well as strengthening data security processes and protocols on the university’s computer network. The university will also expand its information-security education and training in attempt to ensure that a data breach of this magnitude doesn't happen again.
By: Jeremy Earles, credentials business leader, Allegion
Smart cards are a growing trend, and we’re anticipating acceleration in their usage within the next year or two for a number of reasons.
Access control and adjacent applications on campus have been driving adoption in the past, but now there are other motives – technological and societal – that are showing value and will lead to more smart card transitions on campuses across the country in 2016.
This transition is being propelled by a number of factors, including:
The credit card industry is encountering an alarming amount of fraud – it’s in the news almost every week – and changes are evident in the fact that consumers have smart chip embedded cards designed to protect transactions and identity.
Card technology in the financial world is often an indicator of, and in many ways drives, what is and will continue to happen in access control. Credit card companies are making the switch because older technology like the magnetic stripe is not secure.
This transition to smart technology on credit cards will also push faster migrations in the access control and campus card arenas.
With the move to smart cards comes an unprecedented change: the merging of physical and logical access through system interoperability. This wasn’t previously possible with magnetic stripe technology because it lacks the functionality and security to provide a robust end-to-end system.
With most current card systems, logical and physical identities typically reside in separate systems. Cardholder roles determine their access privileges (for example, students and faculty members have different privileges), which are created and stored in the enterprise network directory. Synchronizing access privileges between logical directory and physical access control systems involves proprietary, error-prone, time-consuming and expensive manual processes.
In transitioning to system interoperability, cardholder identities will be managed from a single source, as opposed to the current standard of a separate piece of software for each of the card’s applications.
This software change and new ways of management will take a little time and adaptation, but will ultimately have great benefits.
Additionally, as campus administrators combine each of the physical pieces into one or multiple head end systems, the solution’s architecture needs to be chosen for its robustness.
The need for interoperable systems and intelligence/data sharing is being standardized by the Physical Security Interoperability Alliance (PSIA), which has developed a Physical-Logical Access Interoperability (PLAI) specification.
Released as a draft proposal in 2014, it will provide a standard way for enterprises to ensure the logical and physical access privileges associated with a cardholder’s role are always in sync. That synchronicity makes it easier and more cost effective to create solutions, such as confirming that a cardholder is physically present before permitting access to an application or database.
