Campus ID News
Card, mobile credential, payment and security

Addressing security concerns in centralized and distributed card issuance environments

Chris Corum || Jul 28, 2005

Architectures for card issuance systems can be categorized as either centralized or distributed in nature. Each scenario presents a unique set of opportunities, and perhaps more importantly, security risks that must be understood and addressed.

There is a macro and a micro distinction that can be made when defining the two types of issuance architectures. At a macro level, centralized issuance can refer to situations in which a third-party issuer handles card production and distribution on behalf of the client. With distributed issuance, the client controls its own card production and distribution.

In closed system environments (e.g. campuses, corporations), a more micro-distinction for centralized and distributed issuance can apply. When a campus has multiple branches or a corporation has multiple locations, centralized issuance has all cards produced from a single, controlled location. Distributed issuance deploys the technology and responsibility for issuance to the various sites.

In the case of both the macro and micro distinctions, the following discussion can apply.

In the past, centralized meant secure and distributed meant fast …

“We are seeing great opportunities and advances for distributed issuance,” says John Ekers, Director of Product Marketing for Systems and Software, Fargo Electronics. “In general, it is always better if you are controlling more of the process yourself.”

Certainly this self-control aspect is the key reason issuers choose the distributed model. Using the campus setting as the example, distributed issuance equates to instant issuance. The enrollment, authentication, imaging, production and distribution can be completed onsite, while the cardholder waits. Centralized issuance cannot accomplish this.

But, centralized issuance has traditionally possessed a major advantage over its distributed counterpart: added security. Blank card stock can be locked down and each piece accounted for at all stages in the process; staff access can be tightly monitored; fraudulent card creation can be curtailed via stringent checks and balances; etc.

“What we are seeing today,” adds Mr. Ekers, “is a migration of the security control procedures traditionally used in centralized issuance bureaus to the distributed environments.”

Categorizing the risks

A major shift in the nature of campus, corporate, and other ID card applications has been the primary driver for increased issuance security. A degree of risk has always existed, but as the privileges and opportunities that an ID enables have expanded, the dangers arising from fraudulent cards have grown.

The risks associated with issuance procedures can be thought of in three main areas and for each, according to Mr. Ekers, there are significant advances underway for distributed environments. The areas are materials, data, and personnel.

In centralized issuance all card stock, printer supplies, and equipment are kept in one location making it easier to manage and track. When production is distributed, so too must the materials be distributed. This requires a more sophisticated system of control.

Off-the-shelf inventory management software, built-in security mechanisms in new printer models, and software prompts in both printers and imaging software are making it easier to manage materials in a distributed environment.

In centralized issuance, employees undergo background checks and can be closely monitored throughout the day. Monitoring is far more difficult in a distributed environment.

By requiring stringent login procedures, restricting the hours that an employee can print cards to appropriate times, and employing other system-controlled checks and balances, remote monitoring and control are becoming a reality. “In the near future,” says Mr. Ekers, “I expect to see biometric login to issuance systems become the norm.”
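The materials and personnel controls described above (accounting for every blank card, and limiting printing to appropriate hours) can be checked from a print-job log. The following is an added example, not part of the original article or any vendor's software; the site names, operators, print windows and counts are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample data: sites, operators, windows and counts are illustrative.
PRINT_WINDOWS = {  # hours during which each site may print cards
    "main-office": (time(8, 0), time(17, 0)),
    "branch-east": (time(9, 0), time(16, 0)),
}
JOBS = [  # (site, operator, ISO timestamp, outcome)
    ("main-office", "op_a", "2005-07-25T09:14:00", "issued"),
    ("main-office", "op_a", "2005-07-25T09:20:00", "spoiled"),
    ("branch-east", "op_b", "2005-07-25T10:02:00", "issued"),
    ("branch-east", "op_b", "2005-07-25T22:41:00", "issued"),
    ("branch-east", "op_c", "2005-07-26T15:59:00", "issued"),
]
SHIPPED = {"main-office": 100, "branch-east": 50}  # blank cards delivered
ON_HAND = {"main-office": 98, "branch-east": 45}   # blanks counted at audit


def out_of_hours(jobs, windows):
    """Return jobs printed outside the site's window or at an unknown site."""
    flagged = []
    for site, operator, stamp, _outcome in jobs:
        printed_at = datetime.fromisoformat(stamp).time()
        window = windows.get(site)
        if window is None or not (window[0] <= printed_at <= window[1]):
            flagged.append((site, operator, stamp))
    return flagged


def unaccounted_stock(shipped, on_hand, jobs):
    """Blank cards per site that are neither on hand nor logged as used."""
    # Issued and spoiled cards both consume one blank.
    used = Counter(site for site, _, _, _ in jobs)
    gaps = {}
    for site, delivered in shipped.items():
        missing = delivered - on_hand.get(site, 0) - used[site]
        if missing != 0:  # negative means more jobs logged than stock consumed
            gaps[site] = missing
    return gaps


if __name__ == "__main__":
    for site, operator, stamp in out_of_hours(JOBS, PRINT_WINDOWS):
        print(f"out-of-hours print: {site} {operator} {stamp}")
    for site, missing in unaccounted_stock(SHIPPED, ON_HAND, JOBS).items():
        print(f"stock discrepancy: {site} {missing} blank card(s) unaccounted for")
```

On this sample data the late-evening job at the branch site is flagged, and the same site shows two blank cards that are neither on hand nor in the log.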

In terms of issuance data, both the personal information of your cardholders and the ongoing system operation data is crucial. Obviously, the security of the cardholder data is paramount to ensure individual privacy. The system operation data is key to monitoring efficient and appropriate use of the equipment and materials.

In a highly controlled centralized environment, data can be tightly held on a closed network with security controls appropriate to the need. The physical premises can be locked down and unauthorized access restricted. This is far more difficult in a distributed environment where open or pseudo-open networks are used and open access to the premises is required to facilitate customer service.

Advances in encryption techniques (e.g. hardware security modules that manage issuer keys) have made it possible to ensure that cardholder data is never transmitted “in the clear,” thus reducing the risk of data compromise. High-level encryption and high-speed networking are enabling distributed access to centralized data repositories, allowing the cardholder data to be held securely in a single location and accessed only when necessary by a distributed site.

Distributed issuance: no longer “less secure”

“We are nearing the point where the security benefits of centralized issuance are no longer sufficient to merit the loss of control,” says Mr. Ekers. “Distributed issuance can be technology-enabled such that its security matches, and potentially exceeds, its counterpart.”

He concludes with the following thought, “When an issuer switches from a centralized model to a distributed model they are forced to reexamine the controls employed for materials, personnel, and data. I have seen many cases where they find significant security holes in their former centralized processes that have been corrected in the migration.”

CampusIDNews is published by AVISIAN Publishing