Little Cards, Big Payoff

Apr 1, 2003 12:00 PM, by JAMES GOMPERS

The ID badge, or card, is one of the most insecure aspects of security in popular use today. Counterfeiting and fraud take place at all levels of security when it comes to credentials, and they can be difficult to control.

The introduction of the smart card has enabled tremendous strides in creating more secure environments, and more effectively protecting identity and privacy. How does this smart card protect us, and what is so special about this new technology?

A smart card is a plastic card embedded with a computer chip that stores data for transactions between users and systems. A card's data is associated with either monetary value or information or both, and is stored and processed by the card's chip (memory or microprocessor). Smart cards come in a variety of formats and capabilities. They are available in contact and contactless versions. Card data is transacted via a reader that is part of a computing system. There are several different types of smart cards:

The Basic Memory Card

Memory cards have no sophisticated processing power and cannot manage files dynamically. They communicate with the card reader through synchronous protocols. There are three primary types of memory cards:

• Straight memory cards are the least expensive — they only store data and have no processing capabilities. These types of cards function similarly to a floppy disk with no write-protect tab. Systems accessing these cards need to be able to determine what type of memory card is being accessed, and since these cards have no way of identifying themselves, their applications for integration are limited.

• Protected or segmented memory cards have logic built in to control access to the memory of the card. A card can be set to write-protect and restrict reading access for some or all of its memory, usually through a password or key. Segmented memory cards can be divided into logical sections for multiple storage functionality such as medical information, insurance information, biometric files, class schedules and other data.

• Stored value memory cards are designed for the specific purpose of storing monetary value. They are either disposableor rechargeable. Most cards of this type incorporate permanent security measures, including password keys and logic that are hard-coded into the chip at the time of production. The memory arrays on these devices are set up as decrements or counters. Aside from this function, there is little or no memory left for any other function. Stored value cards are used for phone cards and for loyalty programs that track repeat customers. These cards have some powerful uses and advantages for issuer and user:

• Stored value is more convenient and safer than cash.

• For issuers, “float” is realized in unspent balances and residuals on balances that are never used.

• For multi-chain retailers that administer loyalty programs across many different businesses and point of sale (POS) systems, these smart cards can centrally locate and track all data.

• Applications are numerous, from parking and laundry to gaming, as well as all retail and entertainment uses.

Multi-function Cards

Multi-function cards have dynamic data processing capabilities. They allocate card memory into independent sections assigned to a specific function or application. The card contains a microprocessor or microcontroller chip — similar to those found in personal computers — that manages this memory allocation and file access. When implanted in a smart card, the chip manages data in organized file structures using a card operating system, thus permitting multiple functions and applications to reside on the card. For the card user, multi-function capability means greater convenience and security and, ultimately, consolidation of multiple cards to a select few.

Multi-function cards come in a variety of styles or types — contact cards that require the card to physically come into contact with the reader or contactless smart cards, which send the data by RF (radio frequency) to a reader without the need for physical contact. Hybrid cards have both contact and contactless capabilities. These multiple technology cards, often referred to as combi cards, can be equipped with proximity, bar code, magnetic stripes and other technologies.

The Smart Card in Action

Let's look at an application example that uses a hybrid card, which I believe will eventually become the standard in the credential market. The card's contactless capabilities will be used for access and parking control, and its contact capabilities will be used for production tracking, time and attendance, secured computing, document accountability, guard tour and vending/POS.

The smart card application takes place at a pharmaceutical company that produces controlled prescription medications. The company operates several plants nationwide, but multi-facility integration is an issue for another column. The focus here is on one plant with objectives to bring a higher level of security to the facility, provide safety benefits and production tracking, and give employees a friendlier workplace by helping to ensure better nutrition. We have all gone to work and forgotten money for lunch, and a hungry employee is not a productive employee. This facility has several risks and liabilities that must be factored into the system design:

• Highly-sensitive clean rooms and labs needing positive identification for access;

• Lab equipment that should only be operated by trained and qualified personnel;

• Controlled substance loss that must be minimized and ideally eliminated; and

• In the event of emergency or threats, the facility must be locked down.

These are the higher priority concerns when looking for an integrated security solution for this facility, but they are not the only ones. Access control for the labs and clean rooms is the first concern. By implementing contactless smart card readers with biometric fingerprint authorization for all labs and clean rooms, fool-proof identification of personnel entering is ensured. To guarantee accountability, contactless smart card readers with no biometric are installed for the exits.

To address the concern that only qualified personnel operate sensitive equipment and ensure accountability for chemicals and production products, contact smart card readers for all lab and production equipment were implemented. This has a three-fold effect: First, training certificates were placed on a sector of the smart card that enable only qualified personnel to operate any equipment. Second, chemical quantity and production numbers were tied into the smart chip's RAM for accountability in use of controlled substances. Third, the implementation of smart cards has created an integration opportunity to utilize middleware — allowing the creation of custom reports on subjects such as employee efficiency, production, loss and scheduled equipment calibration. The reports will assist management in future decision-making. An anti-passback feature was also implemented in all facility, lab and production areas, creating an efficient facility lockdown system in place for an emergency or threat situation. (“Anti-passback” prevents a user from giving his or her code or card to someone because the card must be used to enter and then exit before it can be used to enter again). This ensures a higher level of safety for the employees and surrounding communities in the event of a chemical contamination or similar situation.

With widespread implementation of hybrid cards, the contact smart card can also be used for time and attendance. In so doing, all the information stored on the smart card's RAM during an employee's shift can be downloaded and processed upon clocking out. If there are production or other discrepancies, they can be addressed immediately by investigation personnel. This capability will help bring losses down to zero.

We also implemented a smart card vending and POS system to enable all employees to purchase snacks and soft drinks from vending areas and to purchase meals in the cafeteria. Expenses are automatically deducted from payroll for employee convenience. The card system was also used for basic access control to grant access to the secured employee parking lot.

About The Author

James Gompers is founder of Gompers Technologies Design Group Inc. and Gompers Technologies Testing and Research Group Inc. He has more than 20 years of expertise in the security industry as a consultant from the end-user perspective. E-mail him at jgompers@gtdgrp.com. This is another in a series of columns he is writing for Access Control & Security Systems.

IT'S IN THE CARDS

Implementation of smart card systems enables companies to leverage their investment in these systems for multiple uses; thus, creating enormous advantages not available before smart card technology. Here are just some of the examples of smart card applications:

• Public transport
• Parking
• Vending machines
• Retail
• Telephones
• Cinemas and theatres
• Sports events
• Museums
• Libraries
• Web access
• Vehicle hire
• Administrative services
• National ID, other official documents
• Access control
• Road tolls
• Air transport
• Rail transport
• POS
• Educational

Smart cards in the “credentials” arena have tremendous potential, and with advances in technology these capabilities and applications will only grow in use and efficiency. When you look at your next card deployment or access control implementation, look to smart card technology and the incredible range of integration potential it offers to your organization.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue