A microchip in a plastic card

May 1, 1997 12:00 PM, By GEORGE PARTINGTON

If you read it, they will come. That could be the mantra of the smart card industry in the United States, especially as it relates to access control applications. Smart cards - credit card-sized pieces of plastic with an embedded microchip - are ubiquitous in most developed countries but are still a novelty here because there is no infrastructure - i.e., readers - in place.

In Europe and Asia, the smart card is a part of everyday life. Most smart cards are issued by banks as credit and stored-value cards, but they have a variety of other applications. Smart phone cards store account and PIN numbers to verify pay phone or cellular phone users. Smart cards are used in Europe's transportation industry as debit cards for tolls and transit fees, and they can store trucking records such as weigh station reports. In Germany medical insurance account information is stored on smart cards.

Smart cards have not caught on, however, for access control. Up until about six months ago, we were not using them (smart cards) in card access applications, mostly because there were no readers out there to read them, says Doug Morgan, marketing director at security systems integrator Mosler, Hamilton, Ohio. Now, says Morgan, they can go to American Magnetics, Carson, Calif., for smart card readers.

Ben Miller, head of the trade show CardTech/SecurTech, predicts it will be another five years before smart cards see wide use in the United States. I doubt that anyone hasn't read in the general media that smart cards are coming, says Miller, but it will be at least five years before your Visa card or driver's license changes.

Smart card origins Smart cards were invented in the early 1970s. In the mid-1980s, French banks began widespread use of the technology as retail transaction debit cards, according to Gilles Lisimaque, chief technology officer for Gemplus Corp. and co-chair of the Technology Committee of the Smart Card Forum. Founded in 1988, Gemplus, with headquarters in Gemenos, France, is a leading manufacturer of smart cards, producing 1.2 million cards per day. Like credit cards, smart cards have a finite life; most are used for two to five years before being replaced, says Lisimaque. The Smart Card Forum is a consortium of industry and government entities working to foster the continued growth of smart cards.

Smart cards caught on in Europe as credit cards because verification of accounts through telephone lines was either too expensive or unreliable, says Lisimaque. With smart cards, the certification of payment is generated by the card itself at the time of purchase, he says. Only from time to time will the terminal with the card go on-line to do some more checking. In fact, the card tells the terminal when to go on-line with the bank, after a certain number of purchases or length of time, for instance. The card can also be written to at the terminal, its account information updated.

According to Lisimaque, smart cards are now used in more than 70 countries.

Making the leap to access control At the global headquarters of financial services giant MasterCard in Purchase, N.Y., the future of smart cards is now. When the company moved into their new headquarters in October 1995, smart card readers were in place. The installation is one of the few early prototypes of smart card access technology.

MasterCard has been so pleased that they have installed the same system in regional offices in Wilmington, Del., Atlanta and Miami, and there are plans to install it in additional offices.

The system was designed for two immediate functions, says Dave Frimel, director, physical security, MasterCard International, physical access control and stored value for purchases in the company cafeteria.

Smart cards are similar to magnetic stripe cards in operation. At MasterCard, employees insert their cards in specially designed Casi-Rusco readers, which contain a pronged device that touches the chip and reads the encrypted information. The readers are connected to Casi-Rusco's Picture Perfect access control system. At MasterCard's global headquarters, the readers are integrated with Sony CCTV cameras and a Stentofon intercom system; both are automatically activated in an alarm condition.

An integrated keyboard on perimeter and high-security doors allows the added security of personal identification numbers. The PINs reside on the card, rather than the access control system, and are self-selected by the employee. The cards are manufactured by Germany's Orga Card Systems, which has U.S. headquarters in Paoli, Penn.

Suited for closed systems Frimel says smart cards are particularly well-suited for closed systems that call for multiple applications, such as university and corporate campuses. At a few schools and universities in the United States, the smart card is used for stored value, much like the widely used magnetic stripe card. A student has an account set up with the school; money is put in the account (by the students' parents, for example) and subsequently a certain amount is downloaded onto the chip. The student can then use the card for cashless transactions - in vending machines, cafeterias, book stores, copy and fax machines, just about anything that can accommodate a reader. So far, most smart cards still use a mag stripe or proximity for access control.

Adam Thermos, a consultant for Strategic Technology Group, Milford, Mass., who specializes in college and university security systems, believes the smart card could become the standard card key for dormitory rooms. I think the market is moving toward a new generation of stand-alone access control systems, says Thermos. It makes sense, because I cannot put on-line systems on every door but I can put an off-line access control device that reads the university card. Thermos says these door lock devices will be similar to the mag stripe systems used in many hotels. The distance between using a mag stripe card and a chip card is very little, says Thermos. Rich Krueger, director of marketing for Motorola Indala Corp., San Jose, Calif., agrees, noting, There are a lot of existing mag stripe applications today that would be appropriate for smart cards.

The technology Smart cards hold some key advantages over mag stripe - the ability to hold more information and to hold it more securely than any other card technology.

The microchip embedded in smart cards can be a simple memory-only device (also called IC cards for integrated circuit) or a complex read/write microprocessor (also called a central processing unit or CPU). The chips can store up to eight kilobytes, which can hold 1,600 words of text or a digital snapshot of a fingerprint, palm print or retinal scan. Thermos predicts that 16-kilobyte chips will be available soon and that a 64-kilobyte chip will be produced sometime in the next decade - the sky is the limit, he says.

Encryption makes access control applications more secure, says Barry Clarke, manager of card and reader development, Casi-Rusco, Boca Raton, Fla. You can set up your reader so that it requires a cryptogram to be correctly passed between the card and the reader - like a challenge and response, says Clarke. The reader will challenge the card with a number and the card has to encrypt it and send it back to the reader. The reader checks the response to see if it is correct. Only an authentic card will know how to encrypt it because it is the only one that knows the particular encryption keys that have been set up for that application.

The information on the card can be secured as well, says Clarke. The card can allow access to only certain areas, or certain amounts of information, while keeping the rest secure until it receives the correct password. So an access control reader might only gain access to the card ID number, while another reader in a vending machine, for instance, can gain access to stored-value information.

But smart cards share some of the disadvantages of magnetic stripe's contact technology, since they are read primarily by a reader that makes contact with the chip. Dirt, position in the reader and wear can negatively affect reads. And the chips are engineered to last for about 100,000 reads, according to Don Small, vice president of marketing for HID, Tustin, Calif.

Gearing up Although most customers in the United States are not yet asking for smart card systems, access control companies are anticipating demand for the technology. I believe there is a tsunami wave about to occur in the market, says Kevin Wine of security systems integrator Lenel Systems International, Fairport, N.Y. Just as in Europe, Wine sees smart cards first proliferating as bank cards.

HID is offering a proximity card that either has a microchip already embedded or has the capacity to add one in the future. Called the SmartProx, the card is designed for use with radio frequency proximity readers for access control, and the chip gives the user the ability to interface with other smart card applications. So far, says Small, the market for the SmartProx is primarily outside the United States. Diebold, Northern Computers, Eyedentify, Westinghouse, among others, have also entered the market.

Proximity Contactless smart cards - proximity cards that use radio frequency energy to interface with the microchip for all applications - have had less than two years of real development, say Lisimaque, although Gemplus, Philips, Motorola and Racom Systems Inc., Denver, among others, have begun to offer them. Like the radio antenna in a proximity card, the microchip is encased in the plastic rather than exposed to the elements.

Amtron Security Devices, St. Louis, has developed a reader to pair with the Racom card, according to James Willis, director of security division, Amtron. Racom's contactless smart card operates on the same premise as other proximity, the big difference is the ability to store RAM, says Willis. Another advantage, says Willis, is a card lifespan of more than 1 billion read/write events.

Motorola introduced SmartLink, a contactless smart card, last year. Krueger says systems integrators can develop their own applications to write to and read from the memory chip inside the plastic card. In addition to access control, applications for the card include stored value, time and attendance management, parking and photo ID.

Software problems A small number of successful installations notwithstanding, smart cards can be problematic. There are no standards for the operating platforms used by the half a dozen card manufacturers, so a number of different platforms are competing in the marketplace. Mosler's Morgan compares it to the battle between VHS and Beta when videotape technology was emerging.

What we need to do to take advantage of what the card can do is have a cryptographic comparison between the card and reader, says Miller of CardTech/SecurTech. The card could compare a PIN number or a biometric identifier, he adds, and then send the information to the host system using the Wiegand or mag stripe language.

But for the past few years, when security managers inquired about smart cards, the access control industry has not been prepared to supply readers that can interface with the cards and the host system, says Miller.

Casi-Rusco developed such a reader for the MasterCard system; the reader translates the smart card data to Casi-Rusco's F/2F protocol. Now, says Clarke, they are developing a reader that can read most major manufacturer cards and translate the data to common access control system languages such as Wiegand and RS232, in addition to F/2F. The reader is expected to be ready this fall.

At the hardware level there are few problems with smart card readers, because ISO standards have been in place for years. The smart card business was defined by ISO specifications before there was a smart card business, which is unusual in technology development, says Small. Everybody is singing off a common hymn sheet at the physical level.

The MARC card The United States Department of Defense has taken a proactive stance regarding smart cards, initiating the multi-technology automated reader card (MARC card) program. Rather than wait, the DOD is testing smart cards at the Marine Corps base in Kaneohe Bay, Hawaii. Another pilot program has been initiated at several

Naval sites. According to Steven Kirchner, Marine Corps electronic engineer, the base is installing Gemplus GCR400 readers for use with Gemplus MPCOS cards. The system will be used in conjunction with biometric fingerprint readers and keypads for access control to explosives and ammunition. The reader will compare the image from the biometric device to a fingerprint image digitally stored on the chip.

In addition to the smart chip, the cards use a bar code and a magnetic stripe to make them compatible with the infrastructure that is already in place. Those will probably disappear in the coming years, and the chip will take over their functions, says Kirchner.

Ready and waiting Two of the latest smart card readers The MVF motorized card reader from Omron, Schaumburg, Ill., is a compact unit with a double roller drive mechanism designed to ensure accurate reading and encoding of IC and magnetic stripe cards. Sold primarily in Europe, according to Mark Fogle, Omron product specialist, the device is used in banking applications such as ATM machines and in retail point-of-sale transactions. The reader's RS232 interface has built-in chip card protocols for handling of ISO-7816-compliant cards. Other features include automatic activation and deactivation of chips and capability to read and write to ISO tracks 1, 2 and 3 simultaneously.

The Authenticator from Productivity Enhancement Products (PEP), Laguna Hills, Calif., is a smart card reader that interfaces with a PC to eliminate transaction interception and hacker decoding. It provides security by isolating the keyboard from the computer when entering secret information, such as account numbers when banking via computer. By encrypting messages between the depositor's PC and the bank, the reader authenticates the user's identity to both transaction parties, ensuring the message is not viewed or altered.

The Authenticator can also be used to control access to personal computers by requiring the user to insert a smart card into the reader and enter a PIN.We expect smart card readers will someday be on every PC, says Dan Beadle, PEP president.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue