Campus ID News
Card, mobile credential, payment and security

By Andy Williams, Contributing Editor

Campus card programs in Europe are starting to accelerate, thanks in part to the creation in 2003 of the European Campus Card Association. While Europe is often in the forefront of card usage in areas such as transportation and secure payments, it has lagged behind the U.S. when it comes to campus cards.

Eugene McKenna, general manager of auxiliary services for Waterford Institute of Technology in Ireland, and president of ECCA, suggests a possible cause: the 2002 failure of a large campus card company in the U.S., Cybermark, “sent shock waves throughout Europe,” he said. “Adding to that were the failures of several pilot projects in Europe.”

Other sources suggest less reactionary and more pragmatic reasons for Europe’s lag behind the U.S. in campus card implementations. While the desire for administrative efficiencies is common in both regions, key differences traditionally included the U.S. need for financial aid distribution, the more profit-oriented auxiliary service sector in U.S. colleges, and the extreme degree of competition for students that has always existed between institutions in the U.S. Beyond that, the sheer size of institutions in the U.S. (e.g. state systems with 60+ schools and 1 million-plus students, individual schools with more than 100,000 students) led to a more lucrative business opportunity for vendors.

But all that seems to be changing as Europe moves more rapidly to campus card solutions. Evidence of this, according to Mr. McKenna, can be found in the growing ECCA membership. Currently at 40 institutions, it is expected “to double in the next few months,” he said. “We’re still in the very early stages.”

He said many university campuses across Europe are starting to introduce campus cards. “They’re becoming an important key at campuses.”

Many, he said, are using magnetic stripe and/or contactless cards linked to a back-end office database. “In Europe there are not many systems where money is stored on the chip. There is no big driver behind that at the moment,” said Mr. McKenna. “The way (European) campuses are wired up, the back office seems suitable to a campus environment.”

Waterford’s WITcard (www.wit.ie/witcard) serves 10,000 students and is, according to Mr. McKenna, one of the biggest installations in Europe. “Across the UK there are a number of card systems, but there are only two or three applications on each card.”

There was also a tendency among colleges, he added, to go with mag stripe, “but in recent times, Mifare (Philips’ contactless technology) seems to be the technology of choice. We’re using that,” he said of Waterford’s card. Vending, building access, and e-purse are among the card’s applications. “The latest application is our web revalue where you can load from any bank directly onto our card,” said Mr. McKenna.

Another application, pay-for-print, “is a huge profit center for us,” he added. “Students do a lot of printing off the web. About seven to eight years ago, printing was 25% and copying was 75% (of total reprographics volume). That has almost reversed itself. There is a huge demand for printing. That’s where a campus card system can generate a profit.”

“All of our card services are managed by auxiliary services. It’s more profitable. I feel we have a very good model unique to us and many of our institutions.”

Bike sharing programs at university campuses aren’t exactly new. And the one that students at MIT in Boston have been operating for two years isn’t high tech despite its university being synonymous with cutting edge developments.

But the goal of these students is to take the program high tech, eventually linking it to MIT’s card program. While the program is called TechBikes, a more accurate term, according to one of its co-founders, Danny Shen, is “a no-tech communal bike” program … at least for now.

“It’s a work in progress,” added Atif Quadir, one of the program’s other co-founders who was a graduate student and an adviser to freshmen in 2003 when the subject of a bike share program came up.

The bike share program brought Mr. Shen, Mr. Quadir, and other students together in 2003 to form a club operated solely by MIT students.

The birth of TechBikes …

“The inspiration was the larger issue of conservation of resources,” said Mr. Quadir. “But the main reason, was that while there are a lot of forms of transportation around MIT – shuttles, the MTA, etc. – there was a gap in transportation services for on-demand and off-campus travel. We have a pretty long campus, about 1.5 to 2 miles, so we felt there was a specific transportation niche that wasn’t being filled.”

A long-term goal is to attach the bike program to the MIT ID card – which is used, like many campus cards, to check out library books and to gain access to dorms and offices. That could encourage greater use of the program, said Mr. Quadir.

Currently, a student goes to the front desk of MIT’s east campus dorm and a staffer signs the student in and loans him a bike. The student pays a nominal deposit that is refundable when the bike is returned. Students must return the bike in a day.

The bike share project is based on the Zip Car program, a national franchise that rents cars by the hour. But the comparison stops there, because Zip Car costs money and it is the goal of MIT’s bike share program to keep it free. Of course that means the club has to seek out sponsors or other grant money.

“We’re applying to get some money from the dorm itself; to buy maintenance materials; we’re also applying to the Deans for money and we’ve submitted an application to the Undergraduate Association, a group of students,” said Mr. Shen, an MIT senior. “We’re seeing if we can get some help from MIT’s transportation department, which covers shuttle buses.”

Said Mr. Shen: “The next step is to introduce some elements of technology and we’re working right now to set up a hub at the athletic center. We have about 20 users right now; we have two to three bikes depending on repairs.”

As to student response to the program, Mr. Shen notes, “we have had some pretty positive responses. It costs them nothing to use the bike. They can email to determine availability. They can rent it for a day.”

The bikes won’t win any beauty contests. “We didn’t want them to be too shiny,” said Mr. Shen, “otherwise they’ll get stolen.” He estimates it will take 100 bikes to cover the entire MIT campus. “We figure we’ll need eight to ten hubs, with each hub equipped with four to ten bikes.”

Next steps in the bike share program …

If the first version, the one in use now, is the “no-tech version,” the next iteration could be euphemistically referred to as the “some-tech” version, said Mr. Shen. This is what he’s working on now and involves a computer system in which people are registered. Students will be able to check availability and the club can track rental status and usage. “With that we can get card swipes working with a computer-based system,” said Mr. Shen.

The next version, what Mr. Shen calls the “full-on system,” will be an automated bike checkout station. “Giving you an idea of when that will happen is tough. I know I won’t be around, but we have juniors coming up we can pass the torch down to,” said Mr. Shen.

As to integrating the system with the MIT ID card: “We’ve talked to the card office, generally about what is needed to get their system integrated. And while we know the card office can give us a system that authenticates who the user is, we don’t know if it will tell us if the user is okay and we don’t know whether the registered users end up on our system or theirs.”

He said another possibility, if their system isn’t ideal, is “to set up our own card system. We could register people based on whatever card they have – credit card, MIT card, and issue our own cards.”


The MIT card office weighs in …

Dan Michaud, MIT’s campus card manager, said it would be possible to link TechBikes with the university’s card system. “It depends on what they want to do. Right now we do the Zip Cars, which is handled through the parking office. We have a program where you can create a Zip Car account. Anybody who has an account can be given access to the garage and be able to rent one of the cars, but this is more of a function of our parking and transportation, and the Zip Car account is linked to the person’s credit card.”

Mr. Michaud said there are actually two separate parts that the students should consider: “The financial transaction process and access control.” As to the latter, “the easy way is to put the bike in a room with a card reader.”

Another possibility is to attach a card reader, controlling a solenoid device, to the bike rack. Metal pins would go through the wheel “and if we can get a solenoid to retract those pins, then the system is doable. But you’re creating something that isn’t available now.”

He said students should also be able to go to a web site and type in their ID number to check the availability of the bike. The transaction could then be handled through MIT’s TechCash system, which debits the student’s account.

Bottom line, according to Mr. Michaud: TechBikes is feasible. “It’s all eminently doable. You just have to line up the right people.”

A new low cost, compact card printer from Fargo called the Persona C30 is now available. The C30 is designed for environments needing “high-quality plastic ID cards without high-security features.”

New Persona C30 Card Printer Features Convenience and Simplicity

Single- or Dual-Sided Printer Offers Outstanding Value

Minneapolis, MN (September 9, 2005) – Fargo Electronics, Inc. (NASDAQ: FRGO), a global leader in secure technologies for card identity systems, today announced the introduction of the Persona C30 Card Printer. The Persona C30 is designed for organizations such as K-12 schools, small corporations, clubs or recreation facilities that need high-quality plastic ID cards without high-security features. The C30 will be marketed under the Persona by Fargo brand.

The C30 has been designed with customer convenience in mind. An easy-loading, all-in-one ribbon cartridge saves time and eliminates the mess and expense of torn, wasted ribbons. In addition, a card cleaning roller is integrated into the ribbon cartridge to assure clean card stock and high-quality prints.

With a Manufacturer’s Suggested Retail Price of $2295 for single-sided printing, and $3995 for dual-sided printing, the C30 is an affordable entry-level printer. An optional magnetic stripe encoder is also available.

“The Persona C30 provides performance and reliability in a card printer at a much higher level than its price would suggest,” said Andy Vander Woude, Fargo’s director of product marketing for secure printer/encoders. “With its convenience features and two-year warranty, the C30 is an outstanding value.”

About Fargo

Founded in 1974, Fargo Electronics is a global leader in the development of secure technologies for identity card issuance systems, including secure card printer/encoders, materials and software. The company has sold more than 100,000 systems in the U.S. and over 80 other countries worldwide. Fargo card issuance systems reduce vulnerabilities and potential for loss of time, money and lives by continually improving the security of identity credentials. Fargo provides physical, information and transaction security for a wide variety of applications and industries, including government, corporate, national IDs, drivers’ licenses, universities, schools and membership. Based in Minneapolis, Minn., Fargo markets its products through a global distribution network of professional security integrators. For more information about Fargo, visit www.fargo.com.


For many, the card printing process is limited to, ‘the blank card goes in here and the finished card comes out here.’ This is a testament to the reliability of these printers: they work, so we don’t have to know how they work. However, as any mid- to high-volume user will tell you, a little understanding can go a long way when students are lined up and a printer has broken down.

The process used by most card printers today is called ‘dye diffusion thermal transfer’ or ‘dye sublimation’ (dye sub). It involves the transfer of dyes from a ribbon to a plastic card via heat. The key pieces of this process are the print head and the ribbon.

The base for a dye sub printer ribbon is a thin, but durable, plastic sheet called a carrier film. The carrier film is stained with a waxy substance containing the dyes. In color processes, the ribbon has a series of different colored panels which, when combined in specific amounts on the card, create the full spectrum of colors. The printer applies the dye from these panels, one pass at a time. Most ribbons utilize four panels for applying images and text–cyan, magenta, yellow, and black–and another clear panel that serves as a protective overlay. With these distinct color panels, all colors in the visible spectrum can be created.

To envision the process, think of a painter mixing colors on a palette. A certain portion of cyan mixed with yellow will produce a green hue. Add more cyan and an aqua will emerge. The key is how the colors are applied in different, controlled proportions. The answer leads us to a discussion of print heads.

The print head is the means by which the heat is applied to the ribbon, at specified locations and at specified temperatures, to produce the intended color transfers to the card. A typical print head consists of 6 separate heating elements per millimeter. Each element is capable of producing 256 temperature variations. Each variation transfers a corresponding amount of dye from the ribbon to the card. As an example, a mid-range temperature from an element transfers a mid-range intensity of dye from the color panel to the card.

Some printers transfer the dye to a clear overlay, rather than directly to the card. This overlay is then adhered to the card as a single sheet with the images and text already included.

Each element creates or transfers dye to a single pixel or dot. Most card printers in use today print at 300 dots per inch (dpi). This means that in every square inch of card space, there are 9000 individual pixels (300 x 300). To create the accurate color specified in an image, a pixel may need dye from all three (or more in four and five panel ribbons) separate panels. As you can see, the printer must be a highly precise and reliable piece of equipment to control this process.

The majority of the card printers used on campuses are manufactured by Fargo, DataCard, Zebra, or one of a handful of other makers. While most manufacturers will sell direct to end users, campuses frequently obtain printers via system integrators or resellers.

Each manufacturer offers a series of models with different feature sets. The key features to consider include:

Print speed - How much time does it take for the printer to accept data and produce a finished card? Be aware that the time listed by the manufacturer can vary greatly when placed in your operating environment. Talk to users of the printer to get their impression of the actual print speed.

Duplex printing capability - This is the printer’s ability to print both sides of a card in the same print cycle. For many campuses, this feature is unnecessary as the back of the card will be preprinted by the card supplier or via another print station.

Magnetic stripe encoding - Nearly every printer has this capability but it is not always included in the price of the printer. Make sure that you find out if this module adds any additional costs to the unit.

Smart card encoding - If you do currently, or may in the future, have a contactless or contact chip on your ID, you may wish to consider this option. Many printer models offer this capability as an add-on module that can be purchased and installed in the future.

Card sizes accepted - Will the printer accept only CR80 cards (standard ID size) or will it also print other sizes? Some card offices print badges for seminars and events on larger cards.

Edge-to-edge printing - In the past, desktop card printers could not print images that extended all the way to the edges of the card. These cards had a thin white band around the card. Many printers currently offer this full-bleed or edge-to-edge capability enabling more flexibility in the design of the card.

Footprint/size - Depending upon the size of your card office, the physical dimensions of the printer can make a difference in your workspace. Very compact printers are available today as well as the traditional large, heavy units.

Printer drivers - Ensure that the printer drivers (software) required for the specific printer you are considering are available for use with your card production system. If the drivers are not freely available, do not assume that the price to purchase them will be inconsequential. Some drivers can cost more than the price of a low-cost printer.

Price - The price range for dye sub printers is extremely broad, ranging from less than $1000 to more than $10,000. Examine your individual needs in terms of throughput and functionality before shopping for a printer.

A great way to begin the shopping process is to talk with integrators, vendors, and end users. Manufacturer web sites can enable initial comparison shopping but often the best information comes from peers who are actually using the printer.

When the Grenada, Mississippi School District faced a lawsuit filed under the federal Fair Labor Standards Act, the district learned an important lesson: accurate calculation of regular and overtime rates for hourly workers is vital. In such litigation, the burden is on the employer to prove actual employee hours worked. Now, Attendance Enterprise from InfoTronics, Inc. automates time and attendance processing with useful functionality such as full compliance with the Fair Labor Standards Act and support for multiple job positions. Grenada School District benefits from biometric data collection and a flexible rules engine to calculate accruals, overtime, shift pay, and other federally-mandated rules.

Grenada School District serves the North Central Mississippi area with a lower and upper elementary school, a middle school, and a traditional four-year high school. The district also operates a career/technical center, Alternative Education program and a GED program based out of the Tie Plant School facility.
The Grenada Education Center is the home of the district’s Adult Basic Education Program, the Parent Resource Center, and the Grenada League for Adult Development. In all, 800 district employees serve nearly 5,000 students.

Employee Litigation

Several years back, a group of Grenada School District employees filed a lawsuit that requested the school pay unpaid overtime, plus damages, attorney’s fees, and court costs. The workers cited the federally-mandated Fair Labor Standards Act, which requires employers to keep accurate records of hours worked for nonexempt employees and pay them time and a half for hours worked beyond 40 hours in a workweek. The law also allows public employers to offer compensatory time in lieu of overtime pay.

Grenada was not the only district to experience such litigation. According to the Mississippi School Board Association, attorneys held meetings throughout the state to recruit support personnel, such as bus drivers, custodians, cafeteria workers, secretaries and teacher aides to file claims for unpaid overtime. In addition, the attorneys ran ads providing a toll-free number to employees who believed they were due back pay for overtime worked.

In most districts, it was unknown whether these employees actually worked overtime and were due back pay for overtime worked because the districts had no records to disprove the allegations. In wage and hour cases, the burden is on the employer to prove overtime hours were not worked. Accurate time sheets are necessary to prove actual hours worked.

Learning a Lesson

The Grenada School district, and other districts throughout the state, learned first-hand that the FLSA is a complex law. After these difficult issues were resolved, the district resolved to keep accurate time records for nonexempt employees; make sure employees were correctly classified as exempt or nonexempt for FLSA purposes; and ensure that nonexempt employees were paid overtime or given compensatory time off for hours worked over 40 in a workweek.

For Grenada District, proper compliance with FLSA regulations required moving from a manual time and attendance process to an automated calculation of employee regular and overtime rates. Thus, the District turned to Concept Electronics, Inc. (Baton Rouge, LA), who installed Attendance Enterprise™ from InfoTronics, Inc.

Attendance Enterprise is an integrated time and attendance system that automates complex pay and benefit rules to ensure accuracy and regulatory compliance. The system also optimizes employee resources and reduces labor costs with features such as flexible pay rules, employee scheduling, labor budgeting, automated benefit accruals, attendance-based merit points, web access for employees and managers, and extensive reporting and analysis capabilities. Grenada School District uses the program primarily for FLSA compliance.


The Road to FLSA Compliance

With Attendance Enterprise, the District easily set up groups for both exempt and non-exempt employees. The software automatically determines exactly what types of pay are to be included in the regular rate and applies the Fair Labor Standards Act correctly.

Employees start their shift by checking in at an InfoTronics hand reader. This biometric device eliminates “buddy punching” and accurately verifies employees’ identities while protecting their privacy. The system automatically polls 12 data collection devices throughout the day, and up-to-the-minute data is available at the district office, showing accumulated hours, overtime and regular rates, and data for those employees performing multiple roles (bus driver and cafeteria duties, for example) that in the past were difficult to track manually.

At the end of each pay period, the accumulated regular and overtime employee time data is automatically downloaded into the District’s payroll software for check processing via a custom routine developed by Concept Electronics.

New Methods Bring Benefits

Since switching to Attendance Enterprise, the district is in full compliance with FLSA regulations. The InfoTronics system accurately applies regular, overtime and credits to each shift, and accurately applies payment for multiple-role employees. Employee data is available instantly at the district office for departmental monitoring of overtime. Supervisors can make schedule adjustments as needed for cafeteria staff, bus drivers, maintenance, secretarial, clerical, and instructional assistants.

The new methods have also streamlined the district office operations. When employee data was tracked manually on paper time cards, district staff spent hours each month manually tabulating and verifying pay totals. Now it is a matter of minutes to compile pay period totals. Also, the district accumulates assistant teacher regular and overtime rates, which were not tracked at all in the past due to cumbersome manual methods.

Attendance Enterprise generates useful reports for the district, including overtime summaries per department that are used to determine future staffing needs; pay exceptions by job record numbers; and missed punch reports for ease of check generation. Tardy reports are also useful, and help the district monitor employee performance.

In all, the Grenada district office is confident that Attendance Enterprise provides full compliance with the Fair Labor Standards Act. The district has alleviated the burden of tracking employee time and attendance with biometric data collection devices, and automated processing of overtime, regular, and multiple-role pay. In the upcoming months, the district will automate employee scheduling, and implement Attendance Enterprise leave management features, which make it easier for employees and administrative staff to track personal leave, vacation, and sick time.



Student ID technology combining contactless palm vein authentication with a multi-function card has made its debut at a Japanese high tech college. The extra layers of student protection will also help the school comply with tougher personal data security laws.

So far, the new ID system “is going well,” said Tomoko Inoue, press and public relations for Tokyo-based Dai Nippon Printing Co., Ltd., which is producing the cards for Chiba Institute of Technology. Dai Nippon has 33 plants in Japan and another eight overseas.

The other half of the partnership is Fujitsu Limited, developer of the contactless palm vein authentication technology. It is used in conjunction with a dual interface Java-based smart card manufactured and issued by Dai Nippon. The smart card uses the FeliCa contactless format developed by Sony Corp.

“In light of the Personal Data Protection Law which went into full effect on April 1, 2005 in Japan and the gravity of personal information leakage, Chiba Institute … has worked to strengthen its information security for the entire school,” said Ms. Inoue. “By providing quick and secure access to personal data, the Institute has enhanced its level of service to its students.”

Since April 1, smart cards have been distributed to Chiba Institute students and faculty. The cardholder’s palm vein pattern data is incorporated into the smart card, which also includes the student’s ID number.

Since July, students have been able to view personal data, such as academic transcripts, from information terminals known as a Kyoumu Interactive Support System (KISS). These are installed at various locations around campus. By inserting their student ID cards in the terminals and placing their palms over the reader, secure access to records is achieved.

Students can also use the ID cards to log into their personal computers.

According to the college, for its next academic year (April 2006 - March 2007), the Institute intends to expand the system to include faculty. The Institute is also considering use of the cards to control room access to study halls, track class attendance, and control the lending of books and other reference materials.

Ms. Inoue could not elaborate on the system’s expense, “because its cost fluctuates depending on specifications of the ID systems or ID card.” As to offering the system at other schools, she said “details have not yet been decided.”

About the palm vein technology

The smart card system using the contactless palm vein authentication technology was developed using the SafetyMAM system from Fujitsu, which manages the smart card life cycle from issuance to termination, and the SafetyDomain application software, also from Fujitsu, which enables secure log-ins to PCs and administrative applications using smart cards.

Fujitsu’s technology allows an individual’s palm vein pattern to be read without direct contact with the reader. The palm is compared with a stored pattern from the individual’s file to verify the student’s identity. This lack of direct contact promotes hygiene, making it ideal for applications that allow public access, said Ms. Inoue.

Fujitsu’s palm vein authentication technology consists of a small palm vein scanner that’s fast and accurate, according to the company. A user simply holds his palm a few centimeters over the scanner and within a second the vein pattern is read, a vein picture is taken, and the pattern is registered.

According to Fujitsu, vein patterns are unique even among identical twins. Each hand is different, too. A person logging in with his left hand after registering with his right would be denied access. The scanner makes use of a special characteristic of the reduced hemoglobin coursing through the palm veins - it absorbs near-infrared light. This makes it possible to take a snapshot of what’s beneath the outer skin, something very hard to read or steal, according to the company.

The Bank of Tokyo-Mitsubishi’s ATMs in Japan are already equipped with Fujitsu’s palm vein scanners. Users access their accounts by having a scan of their palm compared to a pre-registered scan stored on their bankcard.

Fujitsu’s contactless palm vein authentication technology is also planned to handle front entrance security at a condominium complex under construction in Tokyo.

Since its introduction in Japan in July, 2004, Fujitsu has sold approximately 5,000 units of its palm vein scanners in Japan. Fujitsu also plans to introduce a compact version of the device that it aims to incorporate in consumer products, such as personal computers and mobile phones.

Architectures for card issuance systems can be categorized as either centralized or distributed in nature. Each scenario presents a unique set of opportunities, and perhaps more importantly, security risks that must be understood and addressed.

There is a macro and a micro distinction that can be made when defining the two types of issuance architectures. At a macro level, centralized issuance can refer to situations in which a third party issuer is handling the card production and distribution on behalf of the client. With distributed issuance the client controls its own card production and distribution.

In closed system environments (e.g. campuses, corporations), a more micro-distinction for centralized and distributed issuance can apply. When a campus has multiple branches or a corporation has multiple locations, centralized issuance has all cards produced from a single, controlled location. Distributed issuance deploys the technology and responsibility for issuance to the various sites.

In the case of both the macro and micro distinctions, the following discussion can apply.

In the past, centralized meant secure and distributed meant fast …

“We are seeing great opportunities and advances for distributed issuance,” says John Ekers, Director of Product Marketing for Systems and Software, Fargo Electronics. “In general, it is always better if you are controlling more of the process yourself.”

Certainly this self-control aspect is the key reason issuers choose the distributed model. Using the campus setting as the example, distributed issuance equates to instant issuance. The enrollment, authentication, imaging, production and distribution can be completed onsite, while the cardholder waits. Centralized issuance cannot accomplish this.

But, centralized issuance has traditionally possessed a major advantage over its distributed counterpart: added security. Blank card stock can be locked down and each piece accounted for at all stages in the process; staff access can be tightly monitored; fraudulent card creation can be curtailed via stringent checks and balances; etc.

“What we are seeing today,” adds Mr. Ekers, “is a migration of the security control procedures traditionally used in centralized issuance bureaus to the distributed environments.”


Categorizing the risks

A major shift in the nature of campus, corporate, and other ID card applications has been the primary driver for increased issuance security. A degree of risk has always existed, but as the privileges and opportunities that an ID enables have expanded, the dangers arising from fraudulent cards have grown.

The risks associated with issuance procedures can be thought of in three main areas and for each, according to Mr. Ekers, there are significant advances underway for distributed environments. The areas are materials, data, and personnel.

Materials:
In centralized issuance all card stock, printer supplies, and equipment are kept in one location making it easier to manage and track. When production is distributed, so too must the materials be distributed. This requires a more sophisticated system of control.

Off-the-shelf inventory management software, built-in security mechanisms in new printer models, and software prompts in both printers and imaging software are making it easier to manage materials in a distributed environment.

Personnel:
In centralized issuance, employees undergo background checks and can be closely monitored throughout the day. Monitoring is far more difficult in a distributed environment.

By requiring stringent login procedures, restricting the hours that an employee can print cards to appropriate times, and employing other system-controlled checks and balances, remote monitoring and control are becoming a reality. “In the near future,” says Mr. Ekers, “I expect to see biometric login to issuance systems become the norm.”

Data:
In terms of issuance data, both the personal information of your cardholders and the ongoing system operation data is crucial. Obviously, the security of the cardholder data is paramount to ensure individual privacy. The system operation data is key to monitoring efficient and appropriate use of the equipment and materials.

In a highly controlled centralized environment, data can be tightly held on a closed network with security controls appropriate to the need. The physical premises can be locked down and unauthorized access restricted. This is far more difficult in a distributed environment where open or pseudo-open networks are used and open access to the premises is required to facilitate customer service.

Advances in encryption techniques (e.g. hardware security modules that manage issuer keys) have made it possible to ensure that cardholder data is never transmitted “in the clear,” thus reducing the risk of data compromise. High level encryption and high speed networking are enabling distributed access to centralized data repositories, thus allowing the cardholder data to be held securely in a single location and accessed only when necessary by a distributed site.


Distributed issuance: no longer “less secure”

“We are nearing the point where the security benefits of centralized issuance are no longer sufficient to merit the loss of control,” says Mr. Ekers. “Distributed issuance can be technology-enabled such that its security matches, and potentially exceeds, its counterpart.”

He concludes with the following thought, “When an issuer switches from a centralized model to a distributed model they are forced to reexamine the controls employed for materials, personnel, and data. I have seen many cases where they find significant security holes in their former centralized processes that have been corrected in the migration.”

Editor’s Note: In a recent Banking Corner article, we asked the question “should your campus use the 16-digit ISO numbering scheme.” As a followup to this article, we look at part two of being ISO compliant. Special thanks to Taran Lent of CardSmith for the preparation of this important article.

By Taran Lent, CardSmith

A lot of attention has been given in recent years to the 16 digit ISO standard numbering scheme (ISO 7812) in connection with identification cards. This is particularly true in light of the migration away from using Social Security numbers for identification, which has obvious security concerns. There are many benefits to this long established internationally accepted card numbering standard. As a result, many campuses have already registered for their own unique IIN (Issuer Identification Number) and implemented card numbering schemes with 16 digit ISO numbers.

However, some campuses may be disappointed to learn that their campus card is only 50% ISO compliant. While registering and implementing a 16 digit ISO number is a step in the right direction, it is in fact only step 1 of 2 primary steps required for full compliance with ISO standards.

The all-important Step #2

The second and equally important step to a fully ISO Compliant card is to comply with the lesser known standard, ISO 7811, which specifies how data is encoded on the magnetic stripe of the card. This standard is clearly defined and commonly used by hardware and software developers creating solutions that rely crucially on reading the magnetic stripe data according to exact specifications.

By strictly implementing encoding standard ISO 7811 in addition to numbering standard ISO 7812, card program administrators can ensure compatibility with a virtually unlimited range of current and future card technologies and eliminate the risk of being limited to using proprietary and more expensive terminal hardware and software. This will also give the card program complete flexibility to work with multiple solution providers and systems while keeping the door open to change technologies over time without needing to either change the card or re-card the campus.

What Exactly is ISO 7811?

The good news is that understanding and complying with ISO 7811 is not particularly difficult. The most critical aspect to the standard is the exact data field layout on Tracks 1 and 2 of the magnetic stripe, as described in the tables below.

Valid Examples

Below are examples of valid Track 1 and 2 data given the following cardholder information:

Card Number: 6039 6044 4555 1057
Cardholder Name: Jane Doe
Expiration Date: 12/2008

Common Implementation Mistakes

ISO 7811 is not as well understood as ISO 7812 and is therefore routinely implemented incorrectly or ignored entirely. While following the standard is straightforward, there are some common pitfalls such as applying the standard to only Track 2 but not Track 1 (or vice versa), not using a valid expiration date, and/or omitting required fields altogether.

The primary problem for cards with these deviations is that they do not work properly with applications designed for use with ISO 7811 standard cards. Therefore, every application used by the card will require expensive custom development, driving up cost and reducing flexibility. Campuses with multiple card systems competing for magnetic stripe real estate are especially prone to non-compliant encoding mistakes. Below are the most common examples of track data schemes that do not comply with ISO 7811.

If you are curious or concerned about whether or not your card is ISO compliant, you can determine this easily by reading the track data on your card using a standard USB card reader. Once installed on your desktop computer simply open up a text application such as Notepad.exe or Wordpad.exe and swipe the card. The track data will print out on the screen and you can compare the result to the examples above and the ISO 7811 specification. If you are not currently ISO Compliant but are planning a project to become so, it is highly recommended that you purchase a copy of both the ISO 7811 and ISO 7812 specifications for your card implementation team to use as reference.
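The comparison described above can also be scripted. The following Python code is an added example, not part of the original article or of the ISO text: it checks one swipe line from a keyboard-emulating reader for the mistakes listed under Common Implementation Mistakes. The field layout in the two patterns (sentinels, separators, YYMM expiration) is an assumption based on the common bank-card track format, and all sample swipes are constructed.

```python
import re

# Assumed layout: the common bank-card track format as typed out by a
# keyboard-emulating swipe reader. Verify field positions against the
# purchased specification before relying on these patterns.
TRACK1 = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<rest>[^?]*)\?$")
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<rest>[^?]*)\?$")

# Constructed sample swipes (not the article's original example lines).
# "101" stands in for a service code and is also constructed.
VALID = "%B6039604445551057^DOE/JANE^0812101?;6039604445551057=0812101?"
TRACK2_ONLY = ";6039604445551057=0812101?"          # nothing encoded on Track 1
RAW_NUMBER = "%JANE DOE?;6039604445551057?"          # required fields omitted
BAD_EXPIRY = "%B6039604445551057^DOE/JANE^0000?;6039604445551057=0000?"


def split_swipe(raw):
    """Split one swipe line into (track1, track2); either may be None."""
    t1 = re.search(r"%[^?]*\?", raw)
    t2 = re.search(r";[^?]*\?", raw)
    return (t1.group(0) if t1 else None, t2.group(0) if t2 else None)


def check_swipe(raw, pan_length=16):
    """Return a list of findings; an empty list means every layout check passed."""
    findings = []
    t1_raw, t2_raw = split_swipe(raw.strip())
    parsed = {}
    for label, text, pattern in (("track1", t1_raw, TRACK1),
                                 ("track2", t2_raw, TRACK2)):
        if text is None:
            findings.append(f"{label}: missing")
            continue
        match = pattern.match(text)
        if match is None:
            findings.append(f"{label}: required fields missing or out of order")
            continue
        parsed[label] = match
        if len(match["pan"]) != pan_length:
            findings.append(
                f"{label}: card number is {len(match['pan'])} digits, expected {pan_length}")
        if not 1 <= int(match["exp"][2:]) <= 12:
            findings.append(f"{label}: expiration {match['exp']} is not a valid YYMM date")
    # Both tracks must describe the same card.
    if len(parsed) == 2:
        if parsed["track1"]["pan"] != parsed["track2"]["pan"]:
            findings.append("card number differs between tracks")
        if parsed["track1"]["exp"] != parsed["track2"]["exp"]:
            findings.append("expiration differs between tracks")
    return findings


if __name__ == "__main__":
    for name, swipe in (("valid", VALID), ("track 2 only", TRACK2_ONLY),
                        ("raw number", RAW_NUMBER), ("bad expiry", BAD_EXPIRY)):
        print(name, "->", check_swipe(swipe) or "layout checks passed")
```

The script checks field layout only; it does not read the physical encoding parameters of the stripe, which a text-mode reader does not expose.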

Remember, ‘almost’ only counts in horseshoes and hand grenades. You can’t ‘almost’ graduate, you can’t ‘almost’ be in love and you can’t ‘almost’ be ISO compliant. You either are or are not, and to be in the “are” camp, you have to implement to both standards – numbering and encoding. If you decide to implement ISO for your campus card, be sure to do it 100%.


Additional resources:

To purchase a copy of ISO 7811 or ISO 7812 from ISO, click here.
To register for a unique IIN number ($600) with ANSI, click here.

In light of a pending lawsuit and stalled legislative relief, Auburn University decided to cancel its off-campus card program until the situation is resolved. Its sister university to the west – the University of Alabama in Tuscaloosa – is holding firm, still allowing students to use their campus cards at off-campus merchants.

The lawsuit is filed …

Two merchants last year filed suit against Auburn, claiming they were losing business because they didn’t accept Auburn’s Tiger Card. They also charged that the university was violating a law they believe restricts the university from offering the card acceptance to any vendor with the exception of off-campus bookstores. While the two merchants could have accepted the off-campus card, they claimed the transaction charges were too high, as much as 12%, according to some accounts.

Auburn’s position on the law that supposedly limits off-campus card usage to bookstores only is that while it does govern agreements made with these off-campus bookstores, it does not prohibit the development of relationships with other off-campus merchants.

Legislative change is sought …

A bill was filed by Rep. Alan Boothe of Troy, Alabama, in an effort to clarify the situation. The bill would have explicitly permitted state colleges and universities to operate debit card programs that allow for purchases at off-campus merchants other than bookstores. It would also have allowed them to charge more than the 3.25% transaction fee to merchants other than the off-campus bookstores that would continue to benefit from this fee limit. The bill had plenty of co-sponsors, but nevertheless, didn’t pass this legislative session as it was among a slew of bills that never passed because of lawmakers’ failure to adopt a budget. The Alabama bill will most likely be back, but the earliest it could pass is 2006.

Auburn suspends its off-campus debit program

After several hearings on the lawsuit, Auburn made the decision to disallow off-campus use until the Legislature acted. “We’re not going to spend any more money fighting this little lawsuit,” Auburn general counsel Lee Armstrong told the Associated Press. “We’re going to wait and let the Legislature do its work.” He said the suit did not attack the college’s credit card (ascending balance) plan, only the debit card part of the program, which is what the university is temporarily disallowing for off-campus use.

University of Alabama continues off-campus program

The University of Alabama, which was not involved in the suit, has, so far, decided to keep the status quo.

“UA values our partnership with our local community and have made no changes to our current Bama Cash program which is accepted at both on and off campus merchants,” Jeanine Brooks, Action Card director told CR80News.

“Our local merchants have demonstrated great interest in participating in the program. Bama Cash has become an important student service. It provides our students more accessibility to support local merchants, many times without requiring private transportation. It also provides students with more variety in shopping,” she added.

“UA supports the proposed debit card legislation regarding changes clarifying the right for public institutions of higher education to establish student debit card programs and partner with on- and off-campus merchants,” continued Ms. Brooks.

Editor’s Note: CR80News asked several industry veterans to comment on the recent acquisition of Diebold’s Card System Division by The CBORD Group. Bret Tobey has worked with several companies in the ID management, security, and campus card industries including Diebold Card Systems. His observations on what the transaction may mean to the campus card market follow.

By Bret Tobey, Contributing Editor

As Wall Street trading wrapped up on Friday, July 1, Diebold employees gathered at facilities and over the phone to learn The CBORD Group had purchased the Card Systems Division of Diebold. Rumors flew all weekend and the formal announcement came Tuesday, July 5.

Long time observers of the campus card markets recognize this as a culmination of years of consolidation within the industry. Two companies, Blackboard and CBORD, now have the bulk of campus card installations. They especially dominate larger campuses where large scale transaction processing and multiple applications are the norm.

Why Sell?

Beginning with their purchase of Advanced Network Technologies (AN&T) and Griffin in the mid-nineties, Diebold moved aggressively into the campus card marketplace. Diebold’s Card Systems Division was the only operational group within Diebold that combined their strengths of transactions and security. That synergy allowed the Card Systems group to maintain a higher profile within Diebold than their percentage of the company’s overall revenue might otherwise suggest. Higher education, however, operated very differently from Diebold’s core markets of financial institutions and large corporate customers. Long sales cycles and the demand for highly tailored solutions and contracts meant the Card Systems group always operated a little differently than other divisions within Diebold.

Although the integration efforts of AN&T’s ICAM and Griffin’s Series5 platforms caused some serious stumbles in profits and market share in the late 90’s, they were a profit center in the 2000’s. In its 4.1 release, the CS Gold platform has been a very robust large scale transaction processing platform. Over the past several years product launches in access control, video integration and alarms have strengthened Diebold’s offering on the security side of campus cards. Upgraded and expanded product offerings allowed Diebold to increase revenues while their market share increasingly focused on large institutions.

In the meantime, the privately held CBORD Group brought in outside capital from Oak Investment Partners and Sterling Investment Partners in the summer of 2004. CBORD openly mentioned their plans to use the new capital to grow through acquisition, and they took a major step in that direction with this transaction.

A Good Match?

Until last week, each of the three major providers of campus card systems had clear strengths in the market while remaining roughly comparable in many areas. Blackboard’s Internet capabilities complemented their broad transaction suite. Diebold led in security and access control. CBORD had a strong track record in the food & nutrition groups on campus. The addition of Diebold’s access control & security expertise to CBORD’s portfolio addresses one of the biggest gaps in their product line. When responding to bids requiring an access control solution, CBORD has had to rely on partners to offer product. At best, they did not capture all of the business possible. At worst they lost control of a critical component of the response. Expect to see at least basic integration in the short term that allows Odyssey customers to leverage Diebold’s strengths and vice versa.

Beyond the relative areas of expertise, both companies’ current lead platforms utilize Oracle as the underlying database. Diebold exclusively uses Oracle and CBORD can leverage their ODBC capabilities for institutions that utilize Oracle for other campus applications. A common database platform makes basic communication efforts more realistic, but not necessarily easy. “Best of breed” integration efforts rarely turn out to be as simple as they might first appear.

Challenges and Opportunities

Managing the acquisition will be critical to CBORD’s ongoing growth, but they might be able to learn from difficulties in the last round of acquisitions. Diebold’s customer base still consists of Series 5 and CS Gold platforms. Blackboard maintains completely separate UNIX and Windows transaction platforms. The nature of campus card installation requires that CBORD maintain each of the platforms in their new customer base for at least several years. But, the perceived synergies of the investment will demand that they move forward with a platform that combines CBORD’s food service expertise with Diebold’s security expertise.

On the functional side, CBORD has operated as a systems integrator, shying away from manufacturing their own products. Diebold Card Systems brings an extensive history of manufacturing components. Those require two completely different organizational structures. The respective sales forces reflect this, with Diebold having about a dozen account managers servicing a third of the customers that CBORD’s smaller staff does. Reports indicate that CBORD will retain all Diebold employees, but some turnover can be expected simply because of conflicts in culture and practice.

Over the course of the next year competitors may see a small bump as some institutions attempt to avoid the transition difficulties seen in past industry acquisitions. Reduced competition may make room in the market for smaller players to leverage a few key wins into a broader market share. However, with hundreds of campuses each, it’s unlikely that either Blackboard or CBORD will be unseated anytime soon.

Both CBORD and Diebold offered very robust housing management systems with dedicated customers. Convincing either set of customers to migrate will be difficult. However, managed appropriately CBORD may now have a critical mass that allows them to dominate the university housing management market. Over time, that might translate into markets beyond higher education for their housing and judicial applications.

That critical mass represents the largest opportunity for CBORD in all the application areas. As they eventually migrate towards common platforms, they will have a much larger customer base to support their engineering efforts. That should allow them the flexibility to continue enhancing their product sets as they pursue new opportunities. Unlike Blackboard, CBORD already has a strong presence outside of higher education. Pushing a broader application suite beyond higher education could allow CBORD to grow faster and bigger than any previous campus card provider. This acquisition provides the technology and talents to move in that direction.

A reported purchase price of $38 million makes it an extremely significant transaction for this industry. Initial reports state that Diebold employees will be retained and offices will be maintained in Farmington, NY, Green, OH, Waco, TX, and Cypress, CA with retention of the staff in Atlanta, GA but a closing of that office.

Customer & Industry Reaction

Having seen this before, customer reactions are somewhat tempered. The simple size of campus card installations precludes rapid migrations to new platforms, so it is not surprising that the customers of Diebold and CBORD that I spoke with expect to see only minor changes for some time. Kent Pawlak from the University of Texas at Arlington, a long time Diebold Card Systems customer, typified customer sentiment. While their overall reaction seems to be generally positive they would be taking a “wait and see” approach to the new organization. Another longtime customer observed that ten years ago the big players in the market included Harco and Griffin. Now, it appears, the Harco and Griffin descendants (Blackboard and CBORD respectively) are poised to battle for market share once again.

The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
CampusIDNews is published by AVISIAN Publishing