Campus ID News
Card, mobile credential, payment and security

Addressing security concerns in centralized and distributed card issuance environments

Chris Corum   ||   Jul 28, 2005  ||   , ,

Architectures for card issuance systems can be categorized as either centralized or distributed in nature. Each scenario presents a unique set of opportunities, and perhaps more importantly, security risks that must be understood and addressed.

There is a macro and a micro distinction that can be made when defining the two types of issuance architectures. At a macro level, centralized issuance can refer to situations in which a third party issuer is handling the card production and distribution on behalf of the client. With distributed issuance the client controls its own card production and distribution.

In closed system environments (e.g. campuses, corporations), a more micro-distinction for centralized and distributed issuance can apply. When a campus has multiple branches or a corporation has multiple locations, centralized issuance has all cards produced from a single, controlled location. Distributed issuance deploys the technology and responsibility for issuance to the various sites.

In the case of both the macro and micro distinctions, the following discussion can apply.

In the past, centralized meant secure and distributed meant fast …

“We are seeing great opportunities and advances for distributed issuance,” says John Ekers, Director of Product Marketing for Systems and Software, Fargo Electronics. “In general, it is always better if you are controlling more of the process yourself.”

Certainly this self-control aspect is the key reason issuers choose the distributed model. Using the campus setting as the example, distributed issuance equates to instant issuance. The enrollment, authentication, imaging, production and distribution can be completed onsite, while the cardholder waits. Centralized issuance cannot accomplish this.

But, centralized issuance has traditionally possessed a major advantage over its distributed counterpart: added security. Blank card stock can be locked down and each piece accounted for at all stages in the process; staff access can be tightly monitored; fraudulent card creation can be curtailed via stringent checks and balances; etc.

“What we are seeing today,” adds Mr. Ekers, “is a migration of the security control procedures traditionally used in centralized issuance bureaus to the distributed environments.”

Categorizing the risks

A major shift in the nature of campus, corporate, and other ID card applications have been the primary driver for increased issuance security. A degree of risk has always existed but as the privileges and opportunities that an ID enables has expanded, the dangers arising from fraudulent cards have grown.

The risks associate with issuance procedures can be thought of in three main areas and for each, according to Mr. Ekers, there are significant advances underway for distributed environments. The areas are materials, data, and personnel.

In centralized issuance all card stock, printer supplies, and equipment are kept in one location making it easier to manage and track. When production is distributed, so too must the materials be distributed. This requires a more sophisticated system of control.

Off-the-shelf inventory management software, built-in security mechanisms in new printer models, and software prompts in both printers and imaging software are making it easier to manage materials in a distributed environment.

In centralized issuance, employees undergo background checks and can be closely monitored throughout the day. Monitoring is far more difficult in a distributed environment.

By requiring stringent login procedures, restricting the hours that an employee can print cards to appropriate times, and employing other system-controlled checks and balances, remote monitoring and control are becoming a reality. “In the near future,” says Mr. Ekers, “I expect to see biometric login to issuance systems become the norm.”

In terms of issuance data, both the personal information of your cardholders and the ongoing system operation data is crucial. Obviously, the security of the cardholder data is paramount to ensure individual privacy. The system operation data is key to monitoring efficient and appropriate use of the equipment and materials.

In a highly controlled centralized environment, data can be tightly held on a closed network with security controls appropriate to the need. The physical premises can be locked down and unauthorized access restricted. This is far more difficult in a distributed environment where open or pseudo-open networks are used and open access to the premises is required to facilitate customer service.

Advances in encryption techniques (e.g. hardware security modules that manage issuer keys) have made it possible to ensure that cardholder data is never transmitted “in the clear” thus reducing the risk of data compromise. High level encryption and high speed networking is enabling distributed access to centralized data repositories, thus allowing the cardholder data to be held securely in a single location and accessed only when necessary by a distributed site.

Distributed issuance: no longer be “less secure”

“We are nearing the point where the security benefits of centralized issuance are no longer sufficient to merit the loss of control,” says Mr. Ekers. “Distributed issuance can be technology-enabled such that its security matches, and potentially exceeds, its counterpart.”

He concludes with the following thought, “When an issuer switches from a centralized model to a distributed model they are forced to reexamine the controls employed for materials, personnel, and data. I have seen many cases where they find significant security holes in their former centralized processes that have been corrected in the migration.”

Subscribe to our weekly newsletter


CampusIDChat: HID adds to higher ed team

HID Global's Director of End User Business Development for Higher Education, Tim Nyblom introduces the newest member of HID's higher ed team, Amy Surprenant. The pair also discuss the latest in mobile credentials and how administrators can prepare their campuses for the jump.
Jan 26, 23 / ,

Baylor adds Starship robot delivery

Baylor University has added robot delivery from Starship Technologies to its dining services offerings with the help of Grubhub. The initiative will see Baylor deploy a fleet of 20 delivery robots on the Waco, TX campus.
Jan 26, 23 /

NACCU Annual Conference registration now open

The National Association of Campus Card Users (NACCU) has opened registration for its Annual Conference. This year’s conference will be held April 16-19 in Austin, Texas and will feature a packed schedule of informative events and sessions with both campus card professionals and corporate vendors.
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Join us, @NACCUorg, and @TouchNet to explore how campus card programs can successfully navigate the sales and procurement process. Join the webinar on June 6, 2 pm EDT.

Webinar: Learn how the University of Arizona uses campus cards, mobile ordering, kiosks, lockers, and robots to revolutionize campus dining. April 7, 2-2:30 EDT. Register Now at

As supply chain issues in 2021 persist, identity solutions provider @ColorID discusses ways campuses can to overcome potentially troublesome delays until the situation eases.

A dining services push at the @UBuffalo is reinforcing the utility of self-service checkout. @CBORD is improving the food service experience using the GET app, as well as Nextep kiosks and Oracle’s Micros Simphony POS.

Did you miss our recent webinar? No worries - watch it on-demand. Leaders from @NAU and the @UAlberta joined Ryan Audus, Touchnet, and Andrew Hudson, @CR80News, to discuss innovative mobile services and the future of mobile tech in higher ed. Watch now:

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2023 CampusIDNews. All rights reserved.