Campus Cards: All That and a Bag of Chips
The latest campus ID cards provide increased security, convenience, and purchasing power--both on and off campus.
They can buy books, a candy bar, lunch (on campus or off), and a ride on the city bus. They open doors, provide admission to football games and the gym, even pay for a load of laundry. For schools that take advantage of them, the new breed of campus ID cards offers one-stop shopping for increased security and daily convenience.
For about 25 years, magnetic stripe cards, which resemble credit cards and follow ISO standards for security and privacy, have been the dominant players in the ID card market. These "swipe" cards are by far the most prevalent technology for making purchases on campus and at participating merchants off campus.
But contactless cards, which have a microchip and antenna embedded in them, are steadily gaining. With contactless cards, a user simply holds the card near the card reader to open a door or make a purchase, which means the card can stay in the user's wallet or on his belt clip. Contactless cards are less prone to damage (i.e., wear and tear from frequent use or exposure to weather and grime), duplication, and hacking.
Most experts agree that contactless cards will replace magnetic stripe cards over time. In the meantime, though, schools that want to take advantage of the new technology without abandoning their existing system have a third option: the mag stripe/contactless hybrid.
Taran Lent, vice president of product management and development and cofounder of CardSmith, a campus card solution company, recommends that schools not abandon mag stripe entirely--at least not yet.
"If you have an off-campus program, most of the terminals and POS systems of merchants on Main Street are really mag stripe based," explains Lent. "Trying to get those merchants to switch to contactless readers and incur those costs might be a big challenge. There's really no incremental cost in having the mag stripe there in case you need it. Once you're paying the $3 or $4 apiece for the contactless card, you can get a mag stripe on it for 10 or 15 cents."
Still, the cost of contactless cards can be a prohibiting factor: The cards cost from $3 to $10 each, depending on the number of applications that are included and the quality of the card. In comparison, magnetic stripe cards cost less than a dollar.
According to Lent, implementation of contactless technology is also slowed by the lack of a global standard, something that makes the mag stripe card efficient and easy. "The contactless card is still a bit of the wild, wild West," he explains. "A lot of technologies are competing to become the leading standard. It's tough for merchants because they only have so much counter space and the acceptance technologies can be expensive."
When local organizations do make the move to contactless cards, it's a good idea for universities to get involved up front to ward off possible compatibility issues. For example, American University (DC) is currently talking with the Washington Metropolitan Area Transit Authority about its impending move to a contactless card system. "Otherwise, Metro might switch to a card technology that isn't necessarily compatible with what we have, but could be if we did a little planning," says Michael McNair, director of public safety at American. "When Metro updates to its new card, our game plan is to have the student ID card serve the same purpose: Students will simply go to the Metro machines and dump money onto the card and use it as they would a Metro fare card."
Because there are so many options, adopting a contactless card program requires collaboration both on campus and off. "You need to get all the major players--all the people who would ever need to use the ID card--and make sure that you have a strong, collaborative program," says McNair. "You're going to need your IT section in there to handle the server issues, and you need to make sure everyone is on the same page; otherwise, you'll end up with one person changing a system around, and then the students have to get another card or another device."
Last year, American installed around 300 Salto brand locks on campus for use with MIFARE Classic contactless cards (MIFARE is NXP Semiconductors' trademark for a series of chips commonly used in contactless cards). Two hundred of the locks were installed in dorms, and the rest in buildings around campus.
McNair considers the contactless card program a big success--first and foremost because the cards improve security. With mag stripe readers, he notes, users tire of taking out their cards to swipe them, and start propping open high-traffic doors instead. Because the contactless cards are easy to use, door-propping has decreased--doors are essentially locked all the time, even when a student is just going down the hall to visit a friend. "We haven't had one theft from the rooms with the Salto locks," boasts McNair.
In addition, because the cards are tracked through a database, it's much easier to manage access privileges. When students leave campus, they take their IDs with them, but the cards are deactivated via the database. When students return, the cards can just as easily be reactivated. If someone loses a card, the card is turned off in the system, and a new card is issued. This system is also less costly to manage than the traditional lock-and-key system used on the rest of the American campus, McNair says, and if a card falls into the wrong hands, it's pretty much useless.
Security and Safety
Contactless cards are also much harder to hack, notes Diane Tatterfield, assistant director of CatCard Services at the University of Arizona. "The MIFARE Classic was hacked, but by a group of 30 students over a nine-month period," she says. And the next-generation MIFARE DESFire cards boast more hardware and software security features than the standard MIFARE Classic chips.
"The DESFire could get hacked one day, but it's very well encrypted," points out Tatterfield. "Right now, on MIFARE Classic, it's one stream of binary code. On the DESFire, it's three streams. So if you crack one, you still can't get in because you still have two more."
While nobody's going to hack an ID card just to get a 60-cent bag of chips from a vending machine, some campus cards provide access to sensitive facilities--requiring an extra layer of security. For example, the University of Arizona, which hosts the Steward Observatory Mirror Laboratory and a number of other prestigious research facilities, uses biometrics on MIFARE DESFire proprietary chips for access to high-security areas.
"The system takes 32 minutia points of the fingerprint and creates an algorithm so that the authentication takes place between the reader and the card and the fingerprint, and then the card number is shot off to the access control company," says Tatterfield. "If you're authorized to get in, the door opens. But the authentication takes place at the door, and not in a database," she adds, which means the biometric data are less vulnerable to hackers.
The security features of a card system can also contribute to overall campus safety. Campus card vendor CBORD, for instance, offers a notification system that can send messages by text, e-mail, and audio broadcast in the event of an emergency. "If something were occurring in a building and we needed to notify everyone who had gone into the building, we would know based on the access control log who had gone in and out in the last hour, five minutes--whatever we needed to look up," says Read Winkelman, vice president of sales for CBORD. "And with the right systems in place, we could send them a message."