Card, mobile credential, payment and security
Issuing the identification card
BY LOWELL ADKINS, ADKINS ASSOCIATES
This is the first in a series of articles about access control and security on campuses. These writings are an outgrowth of a series of seminars I have done over the last several years – and those seminars are the outgrowth of thepractical experience I received developing a comprehensive access control system while working at Duke University.
For some of you this will seem like pretty basic stuff; for some it will be new material. For all it will hopefully be a chance to consider, or re-consider, the issues at stake in this most important topic.
At the outset let me note that I understand that there is a difference between the term “access control” and the term “security.” Access control is generally the concept of who gets in where, when, why, and how. Access control is a subset of the larger concept of security – a system, program, organization, or plan for the general protection of life and property, usually in some defined area (e.g. a campus). I will always attempt to use these terms properly. Let me warn the purists now that I may stray occasionally.
These articles are going to focus on access control. They are going to focus on systems that automate access control primarily through the use of a card. That is, the way an individual interfaces with the system is via a card. I will attempt to be generic enough that the thoughts presented will apply to any type of card: magnetic stripe, proximity, or chip – and any flavors of those. Later, the discussion will include more thoughts about security.
The discussion will also later include thoughts about how access control systems using cards relate to card systems for business and finance.
For the typical user, the most basic element of a card access control system is the card itself. The process by which the card is issued will often set the tone for how the users relate to the system. It also is the first big step in determining the integrity of the system.
Make card issuance as easy and convenient as possible – but issue with care – and inactivate timely when necessary!
21st century humans, especially it seems those that populate institutions of higher education, expect the details of life to be as simple and convenient as possible. Thus, the card issuance process needs to be as easy and convenient as possible.
For students, this process is likely incorporated into the overall orientation procedure. For faculty, staff, and everyone else you must strive to make the card issuance process straightforward:
Remember, however, an easy and convenient process does not mean one without structure. With the heightened security status in the United States, card issuance procedures, even on campuses, are more important now than they have ever been. An institution can no longer assume that issuing a card is an innocuous activity whose consequences will be felt only on campus – or perhaps at a few local merchants. A campus issued card, particularly one with a photo and the institution’s name/logo, may become a part of an identification procedure in another setting that could eventually allow a person with a questionable identity to obtain valuable identity documents.
What does all this mean? Balance convenience with structure. Determine what process, documents, and verifications you will require in order to assure the identity of the person to whom you issue a card. Take a renewed look at existing processes in light of recent events. Then, publicize what your institution expects so that those seeking a card from your institution can be prepared to come to the issuance office with the documents your site requires.
Once a card has been issued several other situations come into play. First, cards get lost or stolen. One often hears the number 25% as the rate at which this happens with students. Assuring that an active lost/stolen card is quickly inactivated is just as important as issuing the card in the first place. This task needs to fall to a device or some staffed entity to provide this key service 24 hours a day, seven days a week. Simply permitting cardholders to call an answering service from which messages are retrieved periodically throughout the day is not an appropriate solution.
Lost/stolen cards must be replaced. If a person has a reason to get a card in the first place, then he or she has an equally important need to get a card back in their hands if it is lost/stolen. So, again, this is a task that needs to be accomplished 24/7 and needs to handled with the same care as the original issuance process!
Not getting a replacement card back into the hands of the cardholder may create security problems for that cardholder. It may also encourage “work arounds” to the system that you want to avoid. That is, if getting a replacement card is a difficult process, then it may be easier to borrow someone else’s card. And maybe their PIN, too. And maybe their identity as well! Difficulty getting a replacement may also be an incentive to prop open a door or defeat an alarm.
Cards may need to be inactivated for reasons other than being lost/stolen. The most obvious reason is that cardholders leave the institution.This usually occurs through some process, but not always; it usually occurs voluntarily, but again not always. All of these instances need to be addressed. For those who leave through a process (e.g. withdrawal, graduation, retirement) a standard notification procedure to the card issuing office needs to be established. And this procedure should be supplemented with a regular interface between the student information system, the payroll system, and the card issuing system to match active students and active staff with active cardholders. This enables any individuals who were missed through the standard notification process to be caught.
As with lost/stolen cards, cardholders whose departure is out of process need to be inactivated through a 24/7 process. These are often the individuals whose cards you most want to be assured are quickly inactivated.
In this article I have reviewed several of the key issues surrounding the responsible and timely issuance of cards. This is a fundamental element in access control, campus security and beyond. In future articles, we will delve further into other concepts that make your access control system both effective and efficient.
Mr. Adkins is a respected member of the higher education card and security community. Contact information: Lowell E. Adkins; Adkins Associates; 1270 E Voltaire Avenue; Phoenix, AZ 85022; 602-896-0107; [email protected]
