Regarding ID Fall 2006 by AVISIAN

Fall 2006

Regarding ID Magazine – a survey of identiﬁcation technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

the next generation access card does more than access FIPS 201 brings identity to U.S. government Registered Traveler goes nationwide Washington issues its ﬁrst e-passports Hong Kong ID ﬁnds use in private sector banking Pharma supply chain secured with RFID

Fall 2006 6 | OPINION | The many links of the chain of trust

18 | BIOMETRICS | Securing the Disney Gates

8 | HSPD-12 | Mandated government smart cards slowly coming along

20 | AUTHENTICATION | Two-factor authentication goes mobile on phones, PDAs, laptops, and more

30 | PAYMENTS | Axalto’s SmartFob offers contactless payment functionality in a radical new way

50 | PLASTICS | Corn Cards offer a greener alternative, but is the industry ready for plastic from the farm?

36 | FOCUS | Thales deploys ID solutions around the globe

52 | TECHNOLOGY | JSA receives web-revalue technology patent

39 | FUTURE | Famed Media Lab explores a contactless future

54 | SECURITY | Prox begins giving way to contactless as price cuts and multi-technology readers eliminate hurdles

34 | INTERNATIONAL | From the Great Wall to city buses in busy urban centers, contactless is ﬁnding a home in China

Fall 2006

Contents

Index of Advertisers INDEX OF ADVERTISERS Cardtech Securtech www.ctst.com CBORD Group, Inc. www.cbord.com Datacard www.datacard.com Datastrip www.datastrip.com Digital Identification Solutions www.digital-identification.com Gemplus www.gemplus.com HID www.hidcorp.com Integrated Engineering www.smart-ID.com LEGIC www.legic.com Lenel Systems Intl www.lenel.com Muhlbauer www.muhlbauer.de NFive www.nfive.com Sokymat www.sokymat.com RFID Library www.rfidnews.org Sagem Morpho www.morpho.com Smart Card Alliance smartcardalliance.org Ultra Electronics www.ultramagicard.com XceedID www.xceedid.com

29 47 7 2 21 58 | TAGGING | RFID curbs drug counterfeiting, but obstacles still exist

17 68 41 31 9

38 | PRIVACY | MIT helps security industry explore the privacy implications of RFID

51 | CAMPUS | QI readers bring USA Today newspapers to card carrying students on 70 campuses

3 57 60 23 43 27 33

46 | CAMPUS ID | Nova Southeastern replaces outdated campus smart card with new smart card system

12 | IDENTITY | Registered Traveler program goes nationwide

Perspective Access cards go ‘Swiss Army’ Hold on ‘cause multitechnology, multi-use credentials are here to stay Chris Corum Executive Editor, AVISIAN Publications I have seen it time and time again over years ... the tug-of-war between competing interests over “the card.” It happens within the implementing organization and it happens between integrators and vendors of solution parts. But it is literally being blown out of the water right now. No matter what part of the food chain you fit in – or think you fit in – hold on, because the balance is shifting. The card used to be a means to an end. It was a centerpiece, but really a relatively insignificant part of the access control solution. Almost anyone could sell it andalmost anyone could issue it. It was analogous to the ‘green screen,’ dumb terminal that relied on the Big Iron mainframe for value.

PUBLISHER Jeff Staples, jeff@AVISIAN.com EXECUTIVE EDITOR Chris Corum, chris@AVISIAN.com CONTRIBUTING EDITORS Kristen Fossgreen, Dee Ann Kuhn, Erik Peterson, Sara Pralle, Bret Tobey, Marisa Torrieri, John Wehr, Andy Williams, David Wyld ART DIRECTION TEAM Darius Barnes, Mike Houghton, Ryan Kline ADVERTISING SALES Jeff Staples, jeff@AVISIAN.com SUBSCRIPTIONS Regarding ID is free to qualiﬁed professionals in the U.S. For those who do not qualify for a free subscription, or those living outside the U.S., the annual rate is US$45. Visit www. regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE Regarding ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Jeff Staples, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2006 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualiﬁcations to info@AVISIAN.com with the message subject line “Editorial Advisory Board Submission.”

S T R E N G T H E N S E C U R I T Y, P R O T E C T B U D G E T S

INTEGRATED ID SOLUTIONS DISCOVER WHY SECURITY PROFESSIONALS

PHOTO ID SYSTEMS

TURN TO DATACARD FOR A TOTAL SOLUTION With ID card solutions from Datacard Group, you can enhance your security program without sacrificing your budget. That is why corporations, governments and other organizations make Datacard® the world’s best-selling brand of photo ID solutions. We offer everything you need to issue ID cards quickly and efficiently.

CARD PRINTERS

We integrate and test every component for seamless compatibility. So, you can expect outstanding power, performance and value. To learn more, call +1 800 356 3595, ext. 6623. Or visit us at www.datacard.com/ID.

ID SOFTWARE AND CAPTURE SOLUTIONS

SUPPLIES

SecureIDNews

Technology and politics face-off as controversial PASS Card showcases contactless vs. RFID struggle Andy Williams, Contributing Editor, AVISIAN Publications Even while two U.S. departments–State and Homeland Security–ponder PASS Card issuance, two U.S. senators have entered the fray, successfully pushing amendments that, if passed, would delay implementation of the controversial border crossing card for 17 months. PASS, which stands for People Access Security Service, is a proposed card designed to meet the Western Hemisphere Travel Initiative (WHTI) requirements, which mandates that by Jan. 1, 2008, anyone entering the United States, including U.S. citizens, have travel documents that prove their identity and citizenship. It was ﬁrst unveiled in mid-January by Secretary of State Condoleezza Rice and Department of Homeland Security Secretary Michel Chertoff.

Fall 2006

Canadian ofﬁcials claim the PASS card would severely hinder their country’s commerce, particularly tourism, making it more difﬁcult for Americans to visit Canada and vice versa. Some legislators from U.S. border states seem to agree. Lawmakers from New York and Vermont have attempted to impact the PASS card with legislation of their own. In July another legislative attack on the still-uncertain PASS Card program was mounted. Senator Patrick Leahy (D-Vermont) and Senator Ted Stevens (R-Alaska) managed to push through an amendment in two key appropriations bills that would delay implementation of the PASS card until June 1, 2009. Sen. Leahy is a senior member of the Appropriations Committee and is the Ranking Member of its Subcommit-

SecureIDNews

tee on State, Foreign Operations and Related Programs, which handled the Senate’s work in writing the annual spending bill. He is also a senior member of the Homeland Security Subcommittee. To say he carries a big stick would be an understatement. The amendments would also force Secretaries Chertoff and Rice to certify to Congress that seven standards have been met before the program moves forward. The Leahy-Stevens amendment also parallels the 17-month delay that the two senators managed to include in the immigration reform package. But because the future of the immigration bill is uncertain, they opted to tack on the amendment to the must-pass appropriations bill.

Add one more wrinkle … the amendment was not included in appropriations bills passed by the House, so it must go to conference committee. David Carle, a representative from Sen. Leahy’s ofﬁce, told SecureIDNews that the committee likely will not meet until after Congress’ August recess. Thus the appropriations bill probably won’t pass until this fall. “Momentum has been building in the senate. I don’t see any reason why it won’t pass,” said Mr. Carle “… a train wreck on the horizon” One of the problems the amendment is meant to solve is what Senator Leahy calls a lack of coordination between DHS and State and Canada. It’s “a train wreck on the horizon,” he commented when announcing adoption of

Variety of cards and technologies facilitate current border crossings The jury is still out on whether the other border crossing cards currently in use will serve as a substitute for the proposed PASS Card. The launch is currently mandated for Jan. 1, 2008, though pending legislation could delay this start. The Department of State is reportedly examining existing border credentials to see if they would meet the requirements of the Western Hemisphere Travel Initiative. Here are the four border crossing cards currently in use.

the amendment. “It will be far easier and less harmful to ﬁx these problems before this system goes into effect than to have to mop up the mess afterward. We need to prod these agencies to come to grips with these problems and ﬁx them beforehand, not afterward.” The Leahy-Stevens Amendment lists these seven prerequisites that must be met before the PASS card can be implemented: • Ensure that the technology for any card meets certain security standards and that DHS and State agree on that technology. • Share the technology with Canada and Mexico. • Justify the fee set for the PASS card. • Develop an alternative procedure for groups of children traveling under adult supervision with parental consent.

Border Crossing Card (Laser Visa) This card, nicknamed the “laser visa,” is a laminated, credit card-style, machine-readable document with several security features, including biometrics and optical storage. Valid for 10 years, the card enables Mexican citizens to enter the U.S. and is considered both a border crossing card and a visitor’s visa. Most Mexican visitors to the U.S., whether traveling to the border region or beyond, receive a laser visa. If coming from outside the Western Hemisphere, a passport is required. This card is a joint effort of the Department of State and the Citizenship and Immigration Services in the Department of Homeland Security to comply with the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (IIRIRA), which requires that every border crossing card issued after April 1, 1998 contain a biometric identifier such as fingerprint, and be machine-readable. Laser visa applicants must demonstrate that they have ties to Mexico that would compel them to return after a temporary stay in the U.S. United States consular officers look for evidence of strong family, business, or social ties. The visa application fee is $100. Children under 15 pay $13 but the child must have at least one parent who holds a laser visa or who is applying for a border crossing card.

Fall 2006

Awaiting decisions on technology, rules, and more Meanwhile, DHS and State are proceeding, albeit slowly, towards implementing the PASS card.

“Part of it is waiting until the Western Hemisphere Travel Initiative (WHTI) regulations are published,” said Anna Hinken, a DHS spokesperson.“The things that we will need to implement in the PASS card ﬁrst need to be published.” Once the proposed regs are released, there will then be time for public comment before they’re ﬁnalized, including, said Ms. Hinken, “what alternative documents will be acceptable.” There are currently four other bordercrossing type cards in use today. (See related story.) Having a say in what those regs might end up being include the three members of the Security and Prosperity Partnership of North America, created last year by leaders from the U.S., Canada, and Mexico, said Ms. Hinken. “The

ﬁrst steps are the initial technical standards,” she added. While there is no ﬁrm time line on PASS development, implementation hasn’t slowed because of the possibility of the Leahy-Stevens amendment passing. “We haven’t stopped the aspect of PASS card development,” said Laura Tischler, Bureau of Consular Affairs, Department of State. A request for proposal (RFP) is in preparation that will be submitted to the industry and “we expect to be in production by the summer of 2007,” she said. The department still wants the PASS card to cost less than half the price of a $97 passport. “That was partly the reason we introduced the concept of the PASS card,” Ms. Tischler added.

Secure Electronic Network for Travelers Rapid Inspection (SENTRI)

Free And Secure Trade (FAST) program

This Mexican border card, first implemented at Otay Mesa, Calif. in 1995, is designed for what U.S. Customs and Border Protection (CBP) calls “pre-approved, low-risk travelers.” Because they can utilize a dedicated lane, participants have a shorter wait time even at the busiest time of day, according to CBP. That’s because critical information required in the inspection process has already been provided in advance. This also saves about 30 seconds on inspection time. Applicants must voluntarily undergo a background check against criminal, law enforcement, customs, immigration, and terrorist indices. They’re also fingerprinted and personally interviewed by a CBP officer.

FAST is a border accord initiative between the U.S., Mexico and Canada designed to speed up commercial carrier shipments into and out of the three countries. It offers expedited clearance to carriers and importers enrolled in Customs Trade Partnership Against Terrorism (C-TPAT). In developing FAST, the three agreed to coordinate commercial shipments clearance at the borders.

Approved applicants are issued an RFID card that will identify their record and status in the CBP database upon arrival at the U.S. port of entry. All data is stored in the CBP database, not on the card, and is not transmitted via RFID. In the past, an RFID transponder was also afﬁxed to the applicant’s vehicle to give SENTRI users access to dedicated lanes at border checkpoints. The transponder is now being replaced with an RFID-equipped label that is adhered to the vehicle’s windshield. When an approved international traveler approaches the border in the SENTRI lane, the system automatically identiﬁes the vehicle and the identity of the occupants of the vehicle.

The initiative reduces customs information requirements and provides dedicated lanes at major border crossings. In addition, FAST participants don’t have to undergo cargo inspections as frequently as those not participating in FAST.

The applicant must provide originals and copies of evidence of citizenship, such as a birth certificate or passport; a valid passport or visa; proof of U.S. residency; a driver license; current vehicle registration; and evidence of employment or financial support. If DHS and State hold to their original plan to charge less than half the cost of a $97 passport for the PASS card, it will be a bargain compared to SENTRI’s $129. However, the main SENTRI benefit is speed of entry.

FAST streamlines and integrates the registration processes for drivers, carriers, and importers; minimizes paperwork and ensures only low risk participants are enrolled as members.

Applicants identified as low risk are interviewed, have their original identification and citizenship documents reviewed, fingerprinted and are digitally photographed. They are then issued an RFID-enabled FAST-Commercial Driver Identification Card. FAST participation requirements along the northern and southern borders are similar with minor exceptions. For the northern border, the driver, carrier, and importer must all participate in the FAST/C-TPAT programs in order to be eligible for FAST processing. On the southern border there are two additional requirements; 1) The manufacturer must be an approved C-TPAT participant, and 2) it must also adhere to CBP high security seal requirements.

Fall 2006

SecureIDNews

• Install all necessary technological infrastructure at the ports of entry to process the cards and train U.S. agents at the border crossings in all aspects of the new technology. • Make the card available for international land and sea travel between the United States and Canada, Mexico, or the Carib bean and Bermuda. • Establish a uniﬁed implementation date for all sea and land borders.

While the PASS card itself is controversial, the type of card that could be chosen is catching just as much heat. “The technology decision is key; it’s something that’s in discussion right now,” said Ms. Tischler. “It’s something we have to get right. We’re looking at balancing the needs of the borders and privacy. We’ve decided that will be spelled out in the notice of proposed rule making.” When will that be issued? “Soon,” she replied. The ﬁght over which ID technology to include in the card has added fuel to the current controversy. State favors a contactless card with a short read range, while the U.S. Customs and Border Protection agency, which falls under the DHS umbrella, wants border inspectors to be able to read PASS cards as far as 30 feet away.

United States, Canada NEXUS Highway Program NEXUS, a joint customs and immigration program between Canada and the U.S. for pre-approved low-risk travelers, is an alternative inspection program that allows pre-screened travelers to be processed with little or no delay by United States and Canadian border officials. Approved applicants are issued a photo-identification/proximity card. Participants cross the border in a dedicated lane where they present their NEXUS card and make a declaration. They are then released, unless chosen for a random inspection. Individuals can qualify to participate in NEXUS if they are a citizen or permanent resident of the U.S. or Canada, or if they are a citizen of a country other than Canada or the U.S. who plans to temporarily reside in either country for the term of their NEXUS membership and who pass an Interpol criminal history check. Applicants need to complete only a single application form. Qualified applicants are required to come to a NEXUS Enrollment Center only once, for an interview and issuance of a photo-identification card. All applications for a five-year membership are sent to a Canadian Customs Processing Center along with the $50 U.S. or $80 Canadian payment. Both the United States and Canada must approve an individual’s application.

However, a draft report from DHS’ own Emerging Applications and Technology Subcommittee to the Full Data Privacy and Integrity Advisory Committee opposes RFID technology. “RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity,” the report concluded. “Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security. Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example), but can be in fact used for monitoring human behavior. These types of uses are still being explored and remain difficult to predict...We recommend that RFID be disfavored for identifying and tracking human beings.” But this report doesn’t seem to differentiate between short- and longread range technologies and offers no alternatives. It does suggest that if the DHS decides to go with RFID, it needs to offer as many “best practices” security measures as possible, such as giving the user the option of turning off the RFID signal and providing strong encryption processes. The Smart Card Alliance, a nonprofit organization representing a wide range of identity technology providers and end users from all industry segments, has also jumped into the RFID-or-not argument, agreeing that choosing a chip that can be read up to 30 feet or more does raise both security and privacy concerns. In its White Paper, “Western Hemisphere Travel Initiative PASS Card: Recommendations for Using Secure Contactless Technology vs. RFID,” the alliance touts the short read-range capabilities of contactless technology. At a minimum, DHS should conduct trials of both long- and shortread range technologies, the Alliance suggests, concluding “contactless technology will fulfill the operational requirement for high throughput while also providing strong security, protecting individual privacy, and leveraging the ePassport infrastructure.”

Wait and see … Today, it seems, there is more that we don’t know about the PASS Card than we do know. We don’t know what technology will be used, we don’t know what other existing IDs will be accepted, and because of the pending legislation, we don’t even know when it will go into effect. Next stop? Capital Hill … where the legislature may answer some of the questions and chart the PASS Card’s future.

There is also a limited NEXUS Air pilot project of the Canada Border Services Agency (CBSA), and U.S. Customs and Border Protection that facilitates quick entry into Canada and the U.S. for pre-approved, lowrisk air travelers. The pilot, that is testing the viability of iris scans, was ﬁrst implemented at the Vancouver International Airport in British Columbia in late 2004.

Fall 2006

SecureIDNews

The battle over technology: DHS wants RFID but State is pushing contactless

SecureIDNews

For those responsible for driver licensing, Real ID continues to be real frustrating Andy Williams Contributing Editor, AVISIAN Publications Operating under a “hurry up and wait” scenario, states have been scrambling since last year to determine how they’re going to comply with the Real ID Act passed in May 2005. The act is broad enough that states aren’t really sure what will be required of them to make their driver licenses and ID cards Real ID Act-compliant. But if their residents don’t have such licenses, they could be denied entry to federal facilities and commercial aircraft. The act gave states until May 11, 2008 to comply. But comply with what? A year has passed since the act’s adoption and the overseeing federal agency, the Department of Homeland Security, has yet to develop rules that would spell out those compliance measures. For example, what kind of ID card will be required? Will it have to have an RFID chip? And, most importantly, when will the rules for complying with Real ID even be issued? According to Jarrod Agen, DHS spokesman, the ﬁrst draft of the regulations won’t even be published in the Federal Register until the second half of 2006. Then, there must follow public hearings and public input, so ﬁnal rules aren’t likely until early next year, he added. That would give states just a little more than a year to meet the guidelines.

In April, the National Governors Association (NGA), the National Conference of State Legislatures (NCSL) and the American Association of Motor Vehicle Administrators (AAMVA) sent a ﬁve-page document to DHS pointing out their Real ID Act concerns. Around the same time, the Document Security Alliance (DSA), a public/private partnership of government agencies and private industry created to improve the security of critical documents, provided its own set of Real ID recommendations to DHS. Those suggestions covered the archiving of applicant data, card materials, DMV security, machine-readable features, and database cross-checking. The DSA suggestions addressed some of the same issues mentioned by AAMVA, governors, and state legislators, who, in a prepared statement, said that the Real ID Act, “in its current form will have a wide-reaching impact on citizens and states” and called for “reasonable and workable regulations to implement the objectives of Real ID.”

Drilling down to “the three-foot level” Jason King, spokesman for AAMVA, probably put it best: “We’re kind of at the 30,000-foot level right now. We need to drill down to the three-foot level.” That’s an awful lot of drilling and, even if the speciﬁcations were in place today, not a lot of time in which to do it. As to each state’s cost to comply, estimates have varied dramatically. “It is very difﬁcult to do an accurate cost analysis before we have any feedback from DHS,” said Mr. King. California Governor Arnold Schwarzenegger, in his proposed budget released in mid-May, asked for $18.8 million “to begin the planning and

Fall 2006

Take 30 seconds and sign-up for a free subscription to this magazine [ turn page for details ]

FREE SUBSCRIPTION The following questions must be answered to complete your subscription. My job title is: ❏ CEO/President ❏ EVP/VP ❏ Director ❏ Manager ❏ Other ________________________ My primary job function is: ❏ Management ❏ Sales/marketing ❏ Operations/development ❏ Administration My relationship to ID technology is: ❏ End user ❏ Manufacturer ❏ Reseller ❏ Consultant ❏ Solution Provider/Integrator ❏ Other _______________________

Subscribe for FREE to Regarding ID magazine and keep up-to-date with the latest news and insight from the world of identity management, biometric, and advanced ID technology. (Free subscriptions available to U.S. addresses only. *International subscribers pay U.S.$45 per year to cover postage and handling costs.)

FAX this form to 703-327-2037 or subscribe ONLINE at www.Regarding ID.com/subscribe ❏ Please send me/continue to send me Regarding ID magazine FREE. ❏ My address has changed. Please send Regarding ID to this address instead.

Name

__________________________________________________________________

Job title _________________________________________________________________ Company

My primary market focus is: ❏ Government ❏ Corporate ❏ Financial ❏ Transportation ❏ Education ❏ Retail ❏ Other ________________________ My primary application focus is: ❏ Physical security ❏Computer security ❏ Payments ❏ Transit ❏ ID issuance ❏ Logistics ❏ Other _______________________ Number of employees in company: ❏ Under 25 ❏ 25 to 99 ❏ 100 to 499 ❏ 500 to 999 ❏ 1000 to 4999 ❏ 5000 to 9999 ❏ More than 10,000 Annual sales volume: ❏ Under $1 million ❏ $1-10 million ❏ $1 -25 million ❏ $25-100 million ❏ More than $100 million In the next 24 months, I expect to be involved in a decision to purchase: ❏ Physical security products ❏ Logical/computer security products ❏ Biometric products ❏ ID issuance hardware and/or software ❏ Smart cards (contact or contactless) ❏ RFID systems/components

___________________________________________________________

Address __________________________________________________________________ City ______________________________________________________________________ State/Province ______________________________ Zip/Postal Code _______________ Country: ❏ U.S. (FREE)

❏ *Other (U.S.$45) ____________________________________

Phone

_________________________________________________________________

__________________________________________________________________

Signature _________________________________________ Date

________________

* Non-U.S. subscribers: Fax this form and we will send you an invoice for U.S.$45 to the Email address you provide. Your subscription will begin when payment is received. To begin immediately, visit www.RegardingID.com/subscribe. I would also like to receive a FREE subscription to the following AVISIAN online publications sent to my email address (check all that apply): ❏ SecureIDNews

❏ ContactlessNews

❏ CR80News

❏ RFIDNews

FAX this form to 703-327-2037 or subscribe ONLINE at www.Regarding ID.com/subscribe

Have a colleague that would like to receive Regarding ID for free as well? A second subscription form is available on the reverse side of this page (colleague must sign the form to authorize subscription).

At least one state tried to pass a law earlier this year rejecting the Real ID Act. The New Hampshire House passed the bill but it was narrowly defeated in the Senate. Regardless, it hints to the frustration regarding what many states consider an unfunded mandate. Said Mr. King: “AAMVA, as an association representing the technical experts, have reached out to DHS. We’re still hoping for a workable and fully-funded solution.” One of the changes AAMVA members would like to see is a time extension, but he admits that would probably take an amendment to the law, something only Congress can accomplish. He said the three organizations -- AAMVA, state legislatures, and governors -- have informed DHS “of the impact at the state level of meeting the deadlines. We’re hopeful DHS will take our recommendations and consider funding and timeline extensions.” But he also doesn’t want Congress to think AAMVA members will deliberately balk at enforcing the new law.“As the technical experts in driver licensing, we are committed to doing the best we can at meeting the guidelines as set forth in the Real ID Act,” he said.

What do the States fear from Read ID? The five page document issued by the three groups and submitted to DHS in late April, calls for “reasonable and workable regulations” and outlines specific state concerns with Real ID that include: • A potential 75% increase annually in visits to motor vehicle agencies. • The need for additional staff, facilities, training and equipment. • Only flexible regulations can ensure compliance. • Even if the regulations were in place now, there still isn’t enough time to implement the requirements as defined by the statute. “The absence of timely regulations, systems and resources will ultimately overwhelm all good intentions,” the document notes. • Implementation costs will be significant ... States are in the process of conducting a fiscal impact survey to accurately define the level of resources needed to meet federal standards. Another concern ... what is meant in the law by “official purpose,” the term for when and where a Real ID-compliant document will be required for admission to federal facilities, commercial aircraft, etc. The law doesn’t define “official purpose” which “could significantly affect the scope of the statute. For example, individuals who do not drive and choose not to obtain an ID card could be prohibited from access to federal buildings, access to post offices, social security offices, or even voting in federal elections depending upon the definition of what constitutes an ‘official purpose.’”

Both the technology and the process raise still-unanswered questions Then there is the card design and what information it will contain. For example, the organizations note, “a majority of states and the federal government have laws that protect the identity and security of certain classes of individuals, e.g., victims of domestic violence, judges, witness protection, law enforcement personnel. To address these concerns, states recommend minimum card design specifications...” They also want machine-readable technology requirements to be defined as an unencrypted two-dimensional bar code. States should also be allowed to propose interim methods of tracking address changes without the need to reissue a replacement credential. States need to be able to renew Real ID-compliant licenses and IDs through mail or the Internet. “In addition, an individual should be allowed to change their address during the license validity period without being required to obtain a new credential,” the organizations add in their DHS recommendations. Another issue is the requirement to capture digital images of ID source documents, such as a birth certificate. This will be “very costly,” the three organizations point out. This requirement could also run afoul of many state record retention laws, so states “must be given sufficient time to change conflicting record retention laws,” the groups recommend.

The DSA recommends “practical and holistic” approach The DSA, in its recommendations to Homeland Security, one of its members, took what it called a “practical and holistic approach” taking into consideration the legacy systems in operation today at state DMV offices. In the introduction to the recommendations, DSA notes that the regulations “will have a significant impact on our society from a business practice point of view as well as affecting the daily lives of our citizens,” Realizing that “significant improvements must be made in terms of technology, machine-readability, visual security options, ongoing training and ultimately, genesis (breeder) documents. DSA feels strongly that whenever possible the benefits associated with deeply embedded existing systems and infrastructures be incorporated into any redesign ... this will help meet the requirements in the time frame set forth in the Act, allowing DHS to develop acceptable standards. Reed Stager, Chair of the Government Affairs Committee for DSA and an executive with Digimarc Corporation, said DSA had originally provided a set of recommendations to Congress prior to passage of the Real ID Act. “I can’t say specifically how the framers used the information we provided,” he said. “As broad a change as may be required, two years is not very long (for compliance),” he added. “Many states may require passage of legislation to make them compliant.” The DSA approach “has been to identify elements that can improve ID security and methods that can help make states compliant with ID legislation,” said Mr. Stager. These recommendations could help states “implement (the Real ID Act) on a short time frame, and include 2d barFall 2006

SecureIDNews

programming necessary” to implement Real ID requirements. A press release from his office said the act would “require 24 million licensed drivers and identification card holders ... to return to the state Department of Motor Vehicles offices to establish identity and obtain compliant cards ... It will have significant workload and cost implications.”

SecureIDNews

codes; use of the Social Security online database and electronic capture and archiving of breeder documents, those documents people use to establish their identiﬁcation. We recommend those be captured and archived.” Regarding 2D barcodes, Mr. Stager said that made sense since “the existing infrastructure of states (45 of them anyway)” already have that technology in place. One of the fears, and what caused a furor earlier this year was that DHS might require a costly RFID chip to be included on driver’s licenses. “We also recommend enhancements and audits of the physical security ofﬁces which are issuing IDs and at the central issuing factories, throughout the supply chain,” said Mr. Stager. “The security features that go on the credentials, the stock (used to make the licenses) and the credentials themselves need to be protected throughout the manufacturing process.”

DSA recommendations to DHS Data Capture. Obtain the applicant’s photograph, demographic information, supporting “breeder “documents (e.g., birth certificates, Social Security cards), a digital signature, and, if necessary, appropriate biometrics (e.g., facial image). Identification Verification. Authenticate an applicant’s credentials and the breeder documents they present, as well as comparing select information against the issuing authority’s databases or records (e.g., Social Security Administration data). Secure ID Production. Utilize processes and technologies that enable secure central issuance and/or over the counter issuance including controlled access to security features and materials. Secure ID Credentials. Incorporate an ID card architecture that includes both difficult-to-counterfeit card materials with sophisticated laminating and finishing processes, as well as a number of overt and covert security features. Authenticating IDs. Verify - without infringing on an individual’s personal privacy - the authenticity of a proffered governmentissued photo ID, no matter where it was issued, at various points of inspection or transaction - public or private sector (e.g., law enforcement, DMVs, banks or retail).

Fall 2006

SecureIDNews

• FIPS 201 SPECIAL SECTION • FIPS 201 SPECIAL SECTION• Marisa Torrieri Contributing Editor, AVISIAN Publications

Fall 2006

• FIPS 201 SPECIAL SECTION • FIPS 201 SPECIAL SECTION•

NIST outlines requirements for today and tomorrow Cryptography requirements will create new challenges for federal agencies and vendors working on FIPS 201-compliant personal identity cards. Whether you’re starting out today, or looking toward future implementation, the National Institutes of Standards and Technology (NIST) staff member Donna Dodson emphasizes that stakeholders need to plan four to five years out. “It will save you a lot of time, a lot of money in the future,” said Ms. Dodson. FIPS 201 defines an identity structure that includes cryptographic keys. One key – the PIV Authentication Key – is a mandatory credential element. It can be used, along with its corresponding PKI certificate, to authenticate the owner of the card. Other keys may be used for generating digital signatures and supporting encryption. With an eye to the future, Ms. Dodson reminds us that advances in computing power require stronger algorithms and larger key sizes to protect information. So today’s requirements are certain to change in the future. “If you’re using the RSA algorithm, your key size jumps to RSA 2048 for your PIV authentication key by 2010,” she says. “RSA 1024 will no longer be applicable.”

The document outlines a number of FIPS 201 requirements, including: • The cryptographic mechanisms and objects that employ cryptography as specified in FIPS 201 and its supporting documents; • The cryptographic requirements for keys and authentication information stored on the PIV Card; • The cryptographic requirements for status information generated by PKI Certificate Authorities (CAs) and Online Certificate Status Protocol (OCSP) responders; and • The cryptographic requirements for management and information stored on the PIV Card. NIST SP 800-78 provides additional tables that include algorithms, key sizes and time periods for use. One warning: readers are assumed to have a working knowledge of cryptography and PKI technology. Still, the document is a crucial component of the PIV process and is a must read for implementers.

“Not every approved algorithm or key size is appropriate for every application,” explains Ms. Dodson. “Some algorithms and key sizes are approved for use for only a few more years, while others are expected to afford adequate protection for data for decades.” Agencies should keep an active calendar ﬁlled with various expiration dates for a number of the public key algorithms and key sizes, she suggests. Parties working on FIPS 201 solutions need to ask themselves such questions as: • Will you need to support multiple algorithms, or just one or • Is what you’re building today backward compatible with what you’re doing tomorrow?

Crypted out -- What’s inside 800-78 How strong will your cryptographic algorithm need to be? Can your card authentication key be symmetric or asymmetric? Ms. Dodson and two other key authors W. Timothy Polk and William E. Burr answer these and other questions in NIST Special Publication 800-78. The April 2005 document, “Cyrptographic Algorithms and Key Sizes for Personal Identity Veriﬁcation,” goes into these and other details for Federal agencies and other implementers of PIV systems. Fall 2006

SecureIDNews

Cryptography within FIPS 201 specification

SecureIDNews

• FIPS 201 SPECIAL SECTION • FIPS 201 SPECIAL SECTION•

Following a successful Winter Fox FIPS 201 test, DHS plans more exercises Broader tests involve new round of first responders and security technologies Marisa Torrieri Contributing Editor, AVISIAN Publications The Office of the National Capital Region and the Department of Homeland Security will host at least three additional interoperability tests over the next five months, now that the first major test of smart-card interoperability for the nation’s first responder community panned out successfully. In February, first responders from the National Capital Region, including the Pentagon, the Maryland and Virginia Departments of Transportation and the Port of Baltimore conducted the first of the first-responder tests, also known as the “Winter Fox” exercises. The tests simulated reallife national emergencies, with the purpose of ensuring interoperability of existing smart-card technology during a real-life incident. “When 9/11 took place, one of the things [the government] found out was that there were people who wanted to respond, but couldn’t because the pentagon couldn’t figure out a way to make sure trusted people would come through,” says Tom Greco, VP of enabling technologies for Cybertrust, the contracted shared service provider for the Maryland DOT’s first responder smart cards.“Hence, the need for an interoperable identity card, so you can control access to the perimeter.” As such, the forthcoming tests will focus on the lessons learned from the first exercises, and include a broader range of emergency personnel from the National Capital Region and other FEMA regions, says Anthony Cieri, senior advisor to Department of Homeland Security head Tom Lockwood. “It’s for a whole group of people who have to respond to a crisis outside of government communities,” Mr. Cieri says. This includes “utility workers, medical workers, telecom workers ... the idea was to show that credentialing, by those who owned the identities, can be trusted (by other organizations).” The tests are a testament to the government’s capability to set up a trust infrastructure across multiple jurisdictions, Mr. Cieri adds.

Fall 2006

• FIPS 201 SPECIAL SECTION • FIPS 201 SPECIAL SECTION•

In addition to improving the response rate of federal and state-level emergency responders, the tests coincide with the larger federal government mandate – HSPD 12 – that calls for the use of high-level access control technology to improve the security of government workers (and access to government facilities). For the current exercises, DHS Is leveraging the technology aspects of FIPS 201 (the standard developed to meet HSPD-12) to improve the response rate of l emergency responders defined in HSPD 8 (a Presidential directive to increase national preparedness in the event of attack or disaster), Mr. Cieri adds. Such emergency personnel are essential during time-sensitive crises such as the Sept. 11, 2001, attacks, as well as the Hurricane Katrina relief efforts. Had such technology been used during these incidents, there would have been fewer holdups to first-responder personnel, including firefighters, physicians and nurses, getting access to emergency epicenters.

��

The ultimate goal of the continued real-life exercises is to ensure the first responder community has secure access to scenes of crisis – and a variety of methodologies to authenticate identity. As such, a wider audience will be invited to participate. The next tests will include broader range of participants and technologies that conform to the specification, such as biometrics fingerprint technology. Facial biometrics was tested in the first exercise because the latest standard of fingerprint biometrics was only recently approved for the new FIPS 201 PIV cards, Mr. Cieri says. But the fact that the tests are underway is a huge sigh of relief, say authorities involved with the tests. “You’re going to have people who make up the first responder community who may be credentialed by a number of authorities. You have people with emergency medical skills who might be issued a card through one process, and utility workers who use another card,” notes Mr. Greco. “The real challenge is, making sure that when these credentials are issued, that they can interoperate in the same environment.”

��

SecureIDNews

“We’ve set up a trust model, so (an authority) can make a much more informed decision,” Mr. Cieri continued. “An incident commander knows they have “x amount of law enforcement, x amount of telecom workers” so they can put them to work in a much better response and recovery mode.”

SecureIDNews

• FIPS 201 SPECIAL SECTION • FIPS 201 SPECIAL SECTION•

Biometric component of PIV cards a technological journey SP 800-76 gives agencies some flexibility, but requirements still daunting to many It wasn’t too long ago that biometrics seemed like an expensive proposition that would only work in sci-fi movie plots. But today, the technology that measures human physical and behavioral characteristics for authentication has come a long way. And in the United States, millions of federal government employees and contractors will be in touch with the technology soon. That is because federal agencies are required to include fingerprint-based biometric data on the new IDs mandated by HSPD-12.

In fact, the difﬁculty may come from the wealth of choices presented, as agencies juggle offers from a growing number of vendors addressing the unique biometrics challenges and requirements of the mandate. Some are providing total solutions; others are providing components to a larger solution, prompting the issue of how to select a solution: go with one total-solutions provider, or use multiple vendors? Of course, interoperability and the agency’s own security needs are key factors driving choice.

So long as they are compliant with the FIPS 201 biometric fingerprint specs required for interoperability, as outlined in Special Publication 800-76 (Biometric Data Specification for Personal Identity Verification), agencies have plenty of leeway in choosing what contractors they want to work with, and which alternative types of biometrics they might want to use in conjunction with their IDs.

SP 800-76, which was published in February 2006, describes technical acquisition and formatting specifications for the biometric credentials of the Personal Identity Verification (PIV) system, including the PIV Card itself. It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards. The primary design objective behind these particular specifications is high-performance universal interoperability.

server. Other biometric technologies may be chosen for a variety of reasons (e.g., existing investment, outdoor operation, or staff can’t use fingerprints because they must wear protective gloves) But agencies are still largely unaware of their options, says Mr. Hamilton. The federal standard limits access to the fingerprint biometrics to direct contact with the smart card chip and then only after entry of a PIN number, he says. This is based on concerns that some have expressed that biometric data may be intercepted if it is transmitted through the contactless interface with the reader. But smart card developers say that fear is often overestimated and that such transmissions can be protected through encryption. “That process is cumbersome for physical access to entry points that have high-volume usage, or in areas with outside readers,” says Mr. Hamilton, referring to the use of PIN entry and contact reader slots for card insertion. Standardizing on fingerprint templates

Alternative biometric modalities can still be used When designing its biometrics application, an agency should consider several things. First, the federal government allows for some flexibility -- so long as agencies meet the minimum interoperability standards for fingerprint biometrics, they may opt to use alternative biometric approaches and technologies for their own internal operations. In other words, the mandated fingerprint templates ensure interoperability between agencies, but an agency may elect to use a different biometric for their internal, non-interoperable needs. For example, says SafLink’s Walter Hamilton, who doubles as chairman of the International Biometric Industry Association, an agency might want to store hand-geometry templates on a server within their physical access control system, and use the PIV card simply as a pointer to where the record is stored at the

Fall 2006

What’s new in SP 800-76 is that the publication specifies a standardized fingerprint template in lieu of vendor-specific proprietary fingerprints used in other applications. Therefore, all who want to market products – from those producing cards, to those producing readers – must conform to it. The fact that smart cards must be interoperable throughout the federal government presents hurdles to those vendors already working with their own – or other partners’ – proprietary technologies, adds Jim Miller, CEO of biometrics credentialing product developer ImageWare. His company addresses this challenge providing what he calls an “interoperable, multi-modal platform for biometrics.” But even with the standards being established, there are still many challenges facing federal agencies as they approach biometric authentication techniques.“The devil is in the details,” says Mr. Hamilton, “of trying to figure it out.”

FIPS 201 Approved OCSP Digital certificates ensure that for any application, both the credential and credentialholder are valid. As mandated by FIPS 201, all digital certificates must be validated using OCSP. CoreStreet’s GSA Approved FIPS 201 Infrastructure and Application Solutions are designed to meet the certificate validation needs of any deployment.

...in a box OCSP Responder Appliance 2400 The Responder Appliance 2400 is an optimized, hardware OCSP responder designed to improve performance and reliability by running locally, anywhere in the world. • • • • • • •

Designed for ﬁeld deployment Supports 1000s of users Up to 2400 responses per second Security hardened against intrusion Turnkey solution Reduced maintenance costs JITC and Common Criteria certiﬁed

$10,100

†

More information is available at www.corestreet.com/RA2400 or send a request for information to info@corestreet.com

†

Introductory US Government price is subject to change. Please contact your CoreStreet representative for the latest pricing.

www.CoreStreet.com

Cambridge Washington London Milan

SecureIDNews

• FIPS 201 SPECIAL SECTION • FIPS 201 SPECIAL SECTION•

SSP competition heats up as vendors align to issue certificates for new PIV cards The Oct. 27 deadline is right around the corner, and federal agencies are scrambling to implement smart cards to comply with Homeland Security Presidential Directive (HSPD) 12. But for Shared Services Providers who provide the Public Key Infrastructure (or digital certificates) for Personal Identity Verification (PIV) cards, the game has only just begun. Starting in October, more than 2,400,000 federal employees will be issued cards based on the FIPS 201 specification developed by the National Institute of Standards Technology (NIST). For every aspect of the card system, from the registration and card management systems to the card printing systems and security credentials embedded within cards, vendors who want a piece of the pie are extremely busy. All FIPS 201 components must be tested and approved by the General Services Agency, the group designated by OMB as the executive agent for the acquisition of HSPD 12 products and services for use by federal agencies and federal contractors.

Right now, though, it’s the Shared Service Providers like VeriSign and Cybertrust who have special reason to be excited – and stressed – about the prospect of winning contracts to provide the digital certificates to agencies. The Office of Management and Budget’s August 5, 2005 memo, “Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors” calls for all but handful of federal agencies to work with pre-approved PKI SSPs for the digital certificates for their new smart access cards. The memo states that, “Compliance with the Standard requires the activation of at least one digital certificate on the identity credential for access control.” This digital certificate (and any optional digital certificates on the identity credential) must originate from an “approved Shared Service Provider” except in the case where an agency met the deadlines of “certification authority cross-certified with the Federal Bridge Certification Authority at medium assurance or higher by December 31, 2005.” (Grandfathered agencies include the Department of Defense, the Department of the Treasury and the Department of Homeland Security). Because each agency is in various stages of planning for this, “you have to be flexible,” said Nicholas Piazzola, vice president of government programs for VeriSign, a longtime shared services provider, at last month’s “Smart Cards in Government” conference. “There’s no standard approach for how a federal agency will implement HSPD-12.”

Different agencies take different paths to certiﬁcate issuance Some federal agencies, such as the Department of Defense, that already have smart card issuing systems, are addressing how to migrate them for FIPS 201-compliance. Others are just beginning to think about their approach to implementation, said Mr. Piazzola. 26

Fall 2006

Some agencies favor the DIY route planning to acquire and manage their own HSPD 12 solution by outsourcing a PKI solution from a favored shared service provider, as well as taking different pieces of the solution from different, pre-approved vendors. More often than not, though, PKI SSPs are hooking up with federal systems integrators such as Lockheed Martin Corporation or Northrop Grumman Corporation. These integrators are the large, major corporations that put all the PIV card systems components (e.g., PKI, physical access, logical access, etc.) into one package for agencies who want to outsource most or all of the components of their HSPD 12 solution. Therefore, the time is ripe for new and existing SSPs to peddle their expertise – getting the word out about what they do in the hopes of beginning long-term relationships that will last for years to come. “A lot of agencies still haven’t settled on a solution,” agrees Tom Greco, vice president of enabling infrastructures for Cybertrust, one of the major shared service providers working with federal agencies on the new FIPS 201 PIV cards. “What we’ve done is approach agencies individually. Word of mouth helps a lot, and we’ve been approached b a number of systems integrators.” VeriSign, meanwhile, has given tutorials to about 20 agencies, says Mr. Piazzola. Demonstrations cover the digital-certiﬁcate enrollment process, and other steps needed for an end-to-end HSPD 12 solution. The company is touting its 10 years of experience delivering managed PKI across government and commercial industries. Still other SSPs – and there will likely be more entering the playing ﬁeld – are showing off other strengths and capabilities. But time is certainly a factor due to the timelines established for HSPD-12 compliance. “There’s a lot of politics to this,” says Mr. Greco. “A lot of agencies want to play chicken with the deadline.”

SecureIDNews

• FIPS 201 SPECIAL SECTION • FIPS 201 SPECIAL SECTION•

FIPS 201 vendors and products approved for agency use Federal bodies approving contractors’ wares, with little time to spare NIST works to approve applications and middleware As of July, The National Institute of Standards and Technology (NIST) is continuing conformance testing of the smart card software against the established standards, while the General Services Administration (GSA) is coordinating with vendors to test for interoperability between the smart cards, readers, middleware and other components. Additionally, NIST is on the brink of releasing the final publication of “Special Publication 800-85B, PIV Data Model Conformance Test Guidelines.” The document, for which a draft was posted May 25 calling for a fourweek comment period through June 22, provides Derived Test Requirements and Test Assertions for testing all data on the PIV Card (for all specifications outlined in SP 800-73-1, SP 800-76, and SP 800-78). It also outlines tests for verifying the PKI certificates on the PIV card for conformance to Certificate Profiles in the FICC-SSP subcommittee document, according to NIST.

Where FIPS 201-compliant smart cards are concerned, summer’s hot and anything but lazy. The U.S. government is taking action on several fronts to help federal agencies get Personal Identity Veriﬁcation (PIV) card systems in place. From giving the thumbs up to smart card parts contractors to testing contractors’ wares, all of the pieces are coming together, with Oct. 27 looming. That’s the deadline set for federal agencies to issue new, interoperable smart cards based on the FIPS 201 speciﬁcation to all federal employees. “For the last year, everything sort of dried up. Agencies were waiting, no one wanted to move because they didn’t know where to go,” says Kevin Kozlowski, vice president of government division of FIPS 201 systems integrator XTec, which is working with the State Department and others to meet deadlines.“Now, there’s a mad rush. We’re starting to see RFPs to come out like crazy.” The PIV card initiative is mandated by Homeland Security Presidential Directive 12 (HSPD-12), signed by President Bush in August 2004. HSPD-12 calls for a number of measures to put into place more secure networks and communication systems across Federal agencies, including the new PIV ID card, which is capable of granting secure access to designated buildings and services.

Fall 2006

SP800-85B defines test procedures for characteristics that are already normatively standardized in FIPS 201-1, SP800-73-1, SP800-76, SP80078, and several other standards, explained NIST’s William MacGregor (Mr. MacGregor recently took over Curt Barker’s post as NIST’s Personal Identity Verification Program Manager). Thus, the primary users of SP800-85B will be developers of issuance systems, and agencies performing Certification and Accreditation (C&A) processes on PIV Card issuers, Mr. MacGregor notes. Other PIV-related NIST draft publications, including SP800-96 (cardreader interoperability & performance), and draft SP800-78-1 (PIV cryptographic algorithms) are simultaneously undergoing changes, and moving along toward final publication.

OMB and GSA work to approve vendors and products for agency use Meanwhile, the Ofﬁce of Management and Budget issued a press release July 5, drawing attention to the “government approved” list of vendors whose PIV-card components and solutions are ready to put in place. The General Services Administration, designated as the OMB’s Executive Agent for the Acquisition of Products and Services to implement HSPD-12, is working alongside NIST to test the PIV infrastructure. The list has grown several-fold in the last few months as more companies’ PIV card systems and components become available for federal agencies to use.

WORLDWIDE OUTREACH

The single industry voice for smart cards ... The Smart Card Alliance is a not-for-proﬁt, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart cards, leading discussion on the impact and value of the technology in the U.S. and Latin America.

UNRIVALED EDUCATION

Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. Worldwide outreach - A primary mission of the Alliance is to show the world the benefits of smart card technology. We accomplish this through an array of outreach efforts including an informative web site, published industry reports and papers, active press relations campaigns, our Smart Card Talk electronic newsletter, and an international calendar of speaking engagements and exhibitions. Unrivaled education - At Alliance-sponsored events and leading industry conferences, top quality smart card education is offered to the benefit of both members and leaders from industries impacted by the technology.

TASK FORCES & REPORTS

Task forces and reports - Active participation from representatives of member organizations feeds a vibrant network of industry-speciﬁc councils and focused task forces. Highly regarded white papers, reports, and other deliverables ﬂow from groups focused on payments, secure identity, health care, transportation, and more. Conferences – Alliance conferences feature informative programs and speakers who provide insight and knowledge on smart card technology and applications, coupled with exhibitions that showcase leading edge products. These events provide exhibitors with invaluable access to true decision makers and enables participants to see the technology in action.

CONFERENCES

Networking - The best and brightest from the smart card industry and the key markets it serves participate in the Alliance, attend Alliance functions, and share a camaraderie that extends beyond the Alliance organization to the worldwide network of industry activities. Join the Alliance. It will pay dividends for your industry, your company, and your career. For more information, visit www.smartcardalliance.org.

2006 Fall Annual Conference

October 3-6, 2006 HYATT REGENCY-LA JOLLA • SAN DIEGO, CA Each year, the Fall Annual Conference highlights the exciting new advances in market adoption and technology innovation for smart cards in North America and around the world. Don’t miss this event!

For details, visit www.smartcardalliance.org

NETWORKING

SecureIDNews

• FIPS 201 SPECIAL SECTION • FIPS 201 SPECIAL SECTION• The July 5 announcement is the ofﬁcial designation of FIPS 201 product and service availability, an OMB spokeswoman says.

The floodgates are opening ... Validation List for PIV Card Applications Despite looming deadlines, many federal agencies didn’t want to implement until the official go-ahead. “I think there’s an inconsistency in the level of knowledge each agency has,” says James Jasinski, executive vice president, Cogent Systems, which makes biometric template generators and matchers for the PIV cards, among other things, and has a number of FIPS 201-approved products on the GSA’s approved vendors list. “Until now, nothing was given the clearing. Now that it’s all been approved, the agencies can go through the process of achieving the original objective that was announced back in August.” Although approval is finally formal, Cogent and others have been busy courting agencies with their solutions and following up on RFPs issued by various agencies. “I think the focus is one, making sure our product is certified, second, that those products have been validated as being top of the line products,” says Mr. Jasinski. “Once we get that accomplished, we’re making sure we interface with as many systems integrators and agencies as possible.”

Oberthur Card Systems PIV EP v. 108 Java Card Applet on Oberthur ID-One Cosmo 64 v5 Smart Card Gemplus Corp. SafesITe FIPS 201 applet, Version 1.20 on GemCombi’Xpresso R4 E72 PK Card Hitachi, Ltd. PIV Application on Hitachi MULTOS Smart Card, Hardware Version: HD65145X1, Firmware Version 1.0 SETECS Inc. SETECS Inc’s OneCARD PIV-II Java Card Applet Version 1.0 on Gemplus GemCombi Xpresso R4 E72 PK card Keycorp Limited StepNexus PIV Application v4.2.1 on Keycorp MULTOS 64K Smart Card Source: csrc.nsit.gov/npivp (current as of August 4, 2006)

Validation List for PIV Middleware Gemplus Corp. Gemplus SafeSite FIPS-201 PIV-API Version 1.21 ActivIdentity Inc. ActivIdentity ActivClient PIV API version 1.0.30.0 Source: csrc.nsit.gov/npivp (current as of August 4, 2006)

FIPS 201 Evaluation Program Approved Product List Verisign, Inc. Shared Service Provider Verisign SSP PKI ORC, Inc. Shared Service Provider ORC ACES/ Cybertrust, Inc. Shared Service Provider Cybertrust Federal SSP Cogent Systems, Inc. Template Generator BioSDK 4.1/COGENT BSP Cogent Systems, Inc. Template Matcher B i o S D K 4.1/COGENT BSP Cross Match Technologies Inc. Fingerprint Capture Station ID500 Cross Match Technologies Inc. Fingerprint Capture Station ID500M Cross Match Technologies Inc. Fingerprint Capture Station ID700 Cross Match Technologies Inc. Fingerprint Capture Station L S c a n Guardian Oberthur Card Systems PIV Card PIV End Point Dual Interface Smart Card 30

Fall 2006

Finally, a tough printer for tough laminated cards.

ar d

o g n Ta L +

NEW

With the unique UltraCoverPlus 2 year warranty.

Integrated ID Card Printer + Laminator The Tango +L prints and laminates your card for increased visual security, and to protect cards against physical wear for a longer lifetime. With a Plug and Play Windows driver, standard Ethernet and USB for flexible interfacing, and both hardware and software printer locking facilities, the Tango +L is the professional’s choice.

Ultra Electronics Card Systems 6711 - 176th Avenue, NE Redmond, WA 98052 Tel: (425) 556 9708 email: USsales@UltraMagicard.com

www.Magicard.com

Double Cover UltraCoverPlus® 2 year warranty and support

Double Strength Robust metal design with lockable security

Double Security Both HoloKote® watermark and Holographic lamination available

secure ID card printers

SecureIDNews

Led by Belgium, citizen smart cards in Europe forge on Marisa Torrieri Contributing Editor, AVISIAN Publications While some countries continue to debate national ID cards, citizen smart card initiatives in some European countries are well underway. Technology players are working to secure contracts to provide services to card-holding citizens, many with an eye on what’s happening in Belgium – the European nation that is seen as the model for smart-card deployment. Despite a few initial delays, Belgium is becoming the first European country to standardize the electronic identity card. By the end of 2009, every Belgian citizen will be required to own an e-ID card –11 million cards, according to most counts. To meet this requirement, close to 10 million cards will be issued to the country’s citizens over the next three to five years. “Belgium is seen as the place where e-ID serves as an important tool in the promotion of knowledge,” says Gilbert Leung, a sales manager with ACS, a Hong Kong-based manufacturer of card readers that is providing more than 100,000 smart card readers for the Belgium project. “Being one of the first countries to have implemented a national ID card, Belgium is a good place where information about national e-ID systems could be discussed. Other corporations, including Microsoft and Adobe, see Belgium as a breeding ground for EID applications,” Mr. Leung says. A number of companies, including Zetes and Sun Microsystems, also have big stakes in the European nation’s smart initiatives. But the initial success in Belgium hasn’t come without its challenges. To many, Belgium is a leader not only for implementing the national ID program, but for getting past initial obstacles ... and for the most part convincing the wary public that government-issued IDs won’t disrupt personal privacy. “Belgium is a very forward-thinking country,” says Neville Pattinson, of the newly merged Gemalto (formerly Gemplus and Axalto), who

Fall 2006

has been working with smart cards in the U.S. and overseas since 1996. Each country, adds Mr. Pattinson, “(has) unique challenges balancing politics and citizen privacy.” Many national identity schemes are undergoing huge public policy debates, and only when citizens’ trust has been established the programs will move forward. In the U.K., concerns over personal privacy issues (and suspicions over government motivations) have slowed plans for national smartID cards. The U.S., with The Real ID initiatives, is now determining the next generation of state government issued ID cards, and whether or not they contain smart-card technology, notes Mr. Pattinson. Still other projects struggle based on citizen acceptance, be that due to privacy concerns, security issues, or simple consumer demand. “Other smart card projects in Europe are experiencing some problems,” explains Mr. Leung. “The French health card system project is receiving lots of criticism because of some security issues. As for the German health card project, they are still in the testing phase. They have yet to start implementing in fear of very low usage rates in the future.”

The Belgium e-ID program, however, “has been a very successful program in addressing the needs of the government for incorporating several applications for identity services. They’ve managed to combine several applications on their e-platform,” says Mr. Pattinson. “Without the chip they couldn’t have done that, so the benefit of having a secure computing device has enabled that capability.” But for now, while contractors line up at the foot of Europe, waiting for a chance to get in on the action, it’s still very much a game of wait-and-see, when it comes to the pace of deployment – with technology, and its ability to meet current needs of citizens elsewhere. “In embarking on any credentialing program, you need to define the applications you will deploy to provide benefit to the government and the citizens,” says Mr. Pattinson. “Are they trying to reduce document fraud, identity theft? Increase the security to online applications? These are all applications that smart card technology securely enables.”

OCTOBER 24-25, 2006

JACOB JAVITS CONVENTION CENTER

NEW YORK, NY

HOT! – ALL NEW FEATURE AREAS Urban Security • IP Institute

Sneak peek at the future. Two days only. Change is shaking up the physical security industry — new R&D advances, systems integration, the increasing reliance on software and networking applications. Get to where the industry is going — go to ISC East 2006.

And this year, ISC East will be held right along side Infosecurity NY 2006. Early registration to ISC East also provides you free access to the largest IT security event in the East. The growing convergence of IT and physical security makes this year’s event a not-to-be-missed business opportunity.

Source new products and solutions, make new contacts and gain critical industry knowledge. 9,100 industry professionals. More than 400 exhibiting companies. Two jam-packed days. It’s all here.

NEW

EVENTS

CODE: AD24

SPONSORED BY:

| CORPORATE SPONSORS:

NEW

To get to where the security industry is going, and to secure your place for free, register early at:

www.isceast.com/reID

KNOWLEDGE PRODUCED BY:

NEW

OPPORTUNITIES

ENDORSED BY:

Fall 2006

SecureIDNews

New thin batteries give juice to smart cards and secure card-based transactions Marisa Torrieri Contributing Editor, AVISIAN Publications Sure, One-Time-Password (OTP) devices are cumbersome. But hackers are relentless and pervasive. What’s a U.S. bank with fussy consumers to do? One answer: in lieu of a dedicated OTP apparatus, issue credit cards with ultra thin batteries, specially designed for insertion into cards, and capable of driving powerful transactions … such as generating numeric passwords ala OTP. As the demand (and need) for more sophisticated and secure technology grows, vendors that had been tinkering away on shrinking and implanting batteries into cards are getting lots of attention. A number of these battery makers are experimenting with different technologies that will work between the laminated surface of cards so two-factor authenticated transactions will not only be possible, but easy. Enter Solicore, one of the most heralded purveyors of power sources for cards. The company’s ﬂagship product is the ultra-thin, ﬂexible lithium-polymer batteries called “Flexion.”

The basis for the battery, a patented solid-state electrolyte, provides portable power solutions for numerous products, including smart cards, RFID tags, and medical devices. These tiny batteries are also ideal for novelty items and flexible display products – they won’t break if they bend a bit. Flexion batteries operate over a wide temperature range and are ideal for high temperature manufacturing, such as the hot lamination process often used in the production of credit cards and smart cards. What makes it possible, says Mr. Corey, is the development of an advanced, patented polymer material that significantly enhances the capabilities of lithium-based batteries. Solicore produces this polyimide material and their thin film batteries on a high-speed production line at its Lakeland, Florida, manufacturing facility. “Our battery is not designed for high drain applications, like cell phones,” says Mr. Corey. “We’ve optimized our products to be really thin and flexible. Part of issuing a card is conformance to ISO standards and our batteries withstand the rigor of all these tests.”

Other technologies for thin batteries are also emerging Before now, making a battery thin and ﬂexible enough to ﬁt into a credit card was more pipe dream than reality. In addition, the other powered card components (displays, buttons, etc.) weren’t at a level of maturity and development that were required in the hot lamination process, explains Dave Corey, CEO.

Fall 2006

But it’s not just lithium-polymer batteries that are in this space. Others are experimenting with different materials, which may be just as sturdy and ready to be placed alongside ﬂat displays and microprocessors, for ready-to-use cards.

Publisher’s note Thank you to our advertisers – both print and online – for allowing us to produce our suite of ID technology publications. Jeff Staples, Publisher, jeff@avisian.com 703-437-4588 ofﬁce • 703-728-2186 mobile • 703-832-8448 fax http://www.avisian.com/advertise

Enter Thin Battery Technologies (TBT), a 12-person company spin-off of Eveready Battery Company. TBT makes flat, flexible, disposable batteries with a carbon-zinc technology base, an alternate to the lithiumpolymer batteries, says Leonard Allison, VP of business development. The smart card market is a secondary target; a bigger market application for TBT’s product is data loggers, an RFID technology with timetemperature indicators. Data loggers are about the size of a credit card and contains an RFID chip to measure and record temperature of goods. The logger apparatus is increasingly being used for goods being shipped in the cold supply chain; thus it needs to be powered with a durable battery. “Our battery works especially well, down to minus-thirty-degree Celsius,” Mr. Allison says. “It doesn’t interfere with the RF signal.” “It’s one of the oldest technologies around,” he continues, noting that because TBT’s signature batteries combine carbon and zincs, they have the advantage of being able to be printed in the same facility as the card is manufactured. Often times, says Mr. Allison, lithium batteries must be made in unique manufacturing environments. Mass producing OTP cards – with battery, microprocessor, and display components within a card encasing – can be done at rapid speed, he says. And because “the chemistries are cheaper than lithium, [they are] easily scaled.” Other advantages, adds Mr. Allison, include easy landfill disposal.

Other applications of thin batteries Though OTP cards are a major focus of thin battery manufacturers, there are other applications that have and will be used in the future. Any application that requires an on-card display is certain to require a power supply. Beyond OTP, displays could be used for electronic couponing or loyalty applications, data storage and retrieval, and ticketing. Batteries have been used to drive small light sources built into credit cards, to power audio signals, and more. Until recently, on-card power supplies have been in-the-lab only. With recent advancements in thin, ﬂexible batteries however, expect to see powered cards serving a whole host of functions identiﬁed and yet unimagined.

AccessID ACG Blackboard Castles Technology CBORD CIM-USA ColorID Corestreet Cryptography Research Datacard Datastrip Digital Identification Fargo General Meters HDO Card Systems HID Higher One IBM Indala Infinacard Integrated Engineering Intermec IR Security and Safety LEGIC Lenel Motorola Muhlbauer Nedap Nfive NuVision Networks Omnikey Plastic Card Systems Sagem Sequoia Retail Systems SmartCentric Technologies Symbol Synercard Tokenworks Tradewind Technologies U.S. Bank Ultra Electronics Verisign Vision Base US Wells Fargo

www.secureaccessid.com www.acg-id.net www.blackboard.com www.castech.com.tw www.cbord.com www.cim-usa.com www.colorid.com www.corestreet.com www.cryptography.com www.datacard.com www.datastrip.com www.digital-identification.com www.fargo.com www.1card.com www.hdocardsystems.com www.hidcorp.com www.higherone.com www.ibm.com www.indala.com www.infinacard.com www.smart-ID.com www.intermec.com www.irsafeschools.com www.legic.com www.lenel.com www.motorola.com www.muhlbauer.de www.nedapavi.com www.nfive.com www.nuvisionnet.net/ias.html www.omnikey.com www.plasticard.net www.morpho.com www.sequoiaars.com www.smartcentric.com www.symbol.com www.synercard.com www.tokenworks.com www.tradewindtek.com www.usbank.com www.ultramagicard.com www.verisign.com www.visiondatabase.com www.wellsfargo.com

SecureIDNews

On card displays become reality, making cards more secure Display technology for smart cards is finally more than just talk Marisa Torrieri Contributing Editor, AVISIAN Publications It’s your credit card … spiked with something extra … a thin, flexible display with a readout similar to that of a calculator. But you don’t just make transactions with this card. With this baby you make them two-factor style, fusing something you know (your card number), with something you definitely have in your possession (your card).

Why would a cardholder care? Here’s one reason: in growing digital-transaction real-world scenario, where more and more purchases are made online, the party on the other end receives your card number and security code, but there’s no way of knowing that you actually are the one holding the card. No biggie … until some ID-stealing thief’s trying to purchase a dozen iPods online using your number. Fortunately, this new kind of card is on the horizon, and will allow consumers to conduct secure transactions with two-factor authentication with ease. A growing number of companies are developing thin, password-generating card displays that can be incorporated into your trusty cards. Equipped with displays, that can now be mass-produced at rapid speed, these new powerful cards generate single, numeric pass codes that change at the push of a button, transaction to transaction. In the future, people will be able to view things such as recent bank transactions and credit card balances – on the cards themselves. Because U.S. consumers and the ﬁnancial institutions that serve them continue to resist technologies such as One-Time-Password tokens, that make consumers do more work to secure their transactions, display-equipped cards are generating a great deal of interest as an alternative for secure two-factor authentication. In the next six months, a number of companies working with electronic displays, like Aveso Inc., SmartDisplayer, and InCard Technologies, are hoping to see their slender, powerful, high-tech wares bear fruit. Financial applications are, arguably, the hottest and most promising markets for display technology cards, thanks to nearly one-year-old

Fall 2006

Federal Financial Institutions Examination Council (FFIEC) guidelines, recommending that institutions to bear the burden of incorporating two-factor authentication methodologies into their offerings to enhance security. “This is another hardware or token format,” says Emily de Rotstein, executive vice president of marketing for Aveso Inc., a company that develops printed electronic displays. “If you’re a bank in America, you can brand the card, personalize the card, and add OTP functionality to the card itself. It’s the logical next step in the evolution of a payment card for secure online authentication.” According to Ms. de Rotstein, technology such as Aveso’s allows for easy integration of electronic displays into high-volume printed products such as credit cards and packaging labels. Because displays are produced using existing print-manufacturing techniques, display devices can be scaled cost-effectively in the hundreds of millions of units, volumes required to support a global industry standard for the electronic display card.

How the technology works, why it makes transactions better Sure, the form factor – a slender, powered card that give you a onetime-password, and may even be able to display credit card balances – is a sexy proposition. Especially in light of the FFIEC guidelines. But what about the technology? To get an idea of how a thin electronic display works, one must ﬁrst understand that it is just one of three critical components of a display card: the other two are the battery (the power source, which allows for a number to be generated), and the microprocessor (the chip that runs algorithmic applications to generate numbers). Display technology allows for a one time passcode to be generated and show up, on a card’s surface, within seconds. So a person holding the card possesses two-factor authentication – something they know (secret password), and something they have (the card itself ). The combination lessens the likelihood of identity theft.

And that’s just for starters.

“Thin and flexible electronic displays enable new applications that have not been possible displays that have not been possible in the past due to the limitations of the traditional, glass-based displays,” says Ms. de Rotstein, referring to glass-based, liquid crystal displays found in such applications as watches and phones. “Traditional displays are often too thick or too fragile for integration into the standard credit card. By overcoming these hurdles, plastic, flexible displays will transform the payment card and deliver benefits to consumers and card issuers alike.” It’s those applications Innovative Card Technologies (InCard) is banking on in a series of pilots set to begin in the fourth quarter of 2006, says CEO/Founder Alan Finkelstein. “The world is becoming aware that a random generator is the fastest, most cost effective way to get secure technology to the mass market,” says Mr. Finkelstein.

InCard Technologies recently created its DisplayCard with OTP and it plans to pilot the card later this summer. The card, via an embedded chip and an display, generates an OTP at the push of a button. Then, the card is authenticated by a secure server to confirm that the genuine cardholder is the one making the transaction. So, by the time cold snow has replaced this slip-and-slide summer, will interest in these cards generate a new kind of heat? InCard, for one, is crossing its fingers. “When we started to look into this three or four years ago, we met with everybody who was trying to develop technology and components like these,” says Mr. Finkelstein. “From the time they showed us a display that was working, it still took three years of R&D and many millions of dollars.” Still, the bottom line comes down to consumer behavior, the perceived necessity of two-factor security, and, according to Mr. Finkelstein, the question: “Do you want to carry two or three of those tokens or would you rather put a card (with a flexible display) in your wallet?”

Fall 2006

SecureIDNews

The display card will potentially be able to display all sorts of information to its users; numeric, electronic displays give numeric information, for example.

InCard is the exclusive provider of a ﬂexible display technology called SmartDisplayer, developed by the Taiwanese company of the same name, as it relates to displays placed in a card form factor.

ContactlessNews

Wells Fargo brings contactless payments to the wild west Andy Williams Contributing Editor, AVISIAN Publications A couple of years ago Wells Fargo’s Peter Ho was in Hong Kong when he picked up an Octopus card, a rechargeable contactless stored value smart card used for electronic payment. “I said ‘wow, wouldn’t that be cool if we could do something like that in the U.S.?’“ Zip ahead to 2006 and Mr. Ho’s dream is about to become a reality. Wells Fargo is soon to become the ﬁrst bank in the western United States to enter the contactless card arena. “We’ve been looking at contactless for quite a while now; we’ve been following the Orlando and New York tests,” said Mr. Ho, Wells Fargo Card Services vice president and product manager. MasterCard’s Paypass trial in Orlando included Chase, Citibank, MBNA, 60 retail locations and some 16,000 cardholders. Around the same time, American Express conducted similar trials in New York and Phoenix, Ariz. with its ExpressPay Card.

Fall 2006

What has been a stumbling block in contactless card issuance for most banks is not so much fear about whether their customers would use it but whether there was a merchant base large enough to support the new payment technology. “This time around we started seeing merchant adoption pick up faster,” said Mr. Ho. Even so, he admitted that not as many merchants have yet opted for contactless acceptance as has occurred on the east coast. “We’re taking a bit of a chance,” he added. The bank is “in discussions with individual merchants” to get more on board. According to Visa, some 4.5 million Visa cards are equipped with the contactless feature and more than 30,000 merchant locations in the U.S. accept contactless payments, though the majority of this growth has occurred in the eastern region of the country.

OCTOBER 11-12, 2006 FRANKFURT

MARRIOTT

Near Field Communications technology offers a unique identifier which, when integrated into a mobile handset unleashes a new era in advanced consumer applications for mobile carriers, merchants, consumer brand companies, advertisers and more. EDUCATIONAL SPONSOR

Attend NFC Germany 2006 and see the opportunities for a wide range of enterprises and industries from the convergence of Near Field Communications (NFC) and mobile phones.

HOTEL

& SAVE!

ASSOCIATION SPONSORS

FOCUSED PRESENTATIONS By These Industry Leaders Philippe Martineau Vice President, NFC Business Line Inside Contactless MEDIA SPONSORS

Oliver Steeley Vice President, Mobile/Wireless Centre of Excellence MasterCard International

Moin Moinuddin Industry Architect, Developer & Platform Evangelism Microsoft Corporation

Gerhard W. Romen Head of Global Market Development Nokia New Growth Business PRODUCED BY

Showcasing Applications Enabled by NFC...

ORGANIZED BY

...mobile payments ...contactless ticketing transactions ...access to digital content in the physical world

...mobile activation and authentication of digital purchases

Exhibit & Sponsor Opportunities Available Contact: Tim Downs, +1 949.223.3628 www.scievents.com/nfceu06

“We also saw this as a great opportunity to add convenience and speed to the day-to-day transactions for our customers. We started looking at how we would position this and saw right away a great connection between ‘My Spending Report’ which we offer to all credit and debit card customers,” he said. This report tracks a Wells Fargo card user’s spending and categorizes it so the customer “can see where they’re spending their money. Instead of spending cash, use your contactless card (further clarifying your total spending picture).”

ContactlessNews

He added: “We pride ourselves as being at the forefront of technology solutions that help our customers securely conduct their financial transactions when, where and how they want. .” The bank’s first contactless cards will be issued in the next couple of months, he said. “We’re not sure of the number of cards” that will initially be rolled out. Though Wells Fargo issues cards in all 50 states, it has brick and mortar banks in 23 states with 6,200 locations. “We’re basically west of the Mississippi, with Minnesota being our easternmost location,” he said. Wells Fargo chooses Visa as their contactless partner The Wells Fargo contactless card will be issued through Visa. “We do issue both Visa and MasterCard, but Visa is our primary association which is why we chose their contactless solution. Also, Visa is right across the Bay (San Francisco). We’re closer and we work well together.” First Data personalizes and embosses the cards on Well Fargo’s behalf. The first products to have the new functionality will be the institution’s Platinum and Signature cards. Who will receive it and what will it do? The new card will offer built-in protection with the WellsProtect program, eliminating cardholder liability for unauthorized transactions made at merchants, over the phone, on the Internet or at the ATM. For charges of $25 or less, no signature is required, speeding up transaction time. No receipt will be necessary either unless the customer requests it, said Mr. Ho. “If it’s over $25, it’s up to the merchants if they want to take the risk.”

Contactless payments celebrate first birthday One year after nationwide launches, big three U.S. payment card brands remain bullish on contactless Andy Williams Contributing Editor, AVISIAN Publications After two-plus years of pilots in various parts of the U.S., each of the big three credit card providers rolled out their own contactless payment version last year. So, after a year in operation how are things going? Actually, since the pat answer from all three is “very well, better than expected, etc.” the better question would be, what’s next? A lot, as it turns out, from different form factors, including watches, to use of mobile phones as a payment medium, to tapping and going your way through the New York Metro turnstile. None of them are resting on their laurels, so to speak. They are keenly aware that the 17-plus million contactless cards that have been issued by MasterCard, Visa, and American Express still represent a small minority of credit cards in use. Predictably, contactless payments are following a similar pathway that regular credit cards took when they were ﬁrst introduced. Credit card companies–and card users–proceeded cautiously then, as they are now.

The bank will be issuing the new cards to the “reissue population,” those with cards coming up for renewal, said Mr. Ho. “We’ll select a subset of that group and issue the contactless card to them. That way we can measure their afﬁnity to the new technology.” Unlike other banks which might have special names for their contactless cards, this will simply be called the “Wells Fargo Visa Contactless Card,” said Mr. Ho. “Visa took the stance to allow the issuer to name the card on their own.” Sticking with the Visa name also allows the bank to piggyback on Visa contactless card promotions. “We’re already educating customers on what the card does and the last thing we wanted to do was confuse them by coming up with a different name,” said Mr. Ho. Overall, Mr. Ho views the contactless card as “a great opportunity for our customers, allowing them to better manage their spending.” Once (customers) understand the concept and what it does, it will be very successful. We’re very excited about it.” 40

Fall 2006

“We had a goal of about two million cards … We have greatly exceeded that,” Cathleen Conforti, MasterCard Worldwide

According to the survey: • Nearly half (49%) of respondents said they carry less cash today than they did ﬁve years ago. • 60% had only $20 or less in cash on-hand, an 11% jump compared to 2003 ﬁgures. • Three out of four said they no longer believe it is necessary to carry large amounts of cash. • More than six in 10 (62%) use cash less often for purchases.

Last year, all three launched their contactless payment brands nationally.

Equally intriguing, MasterCard’s own internal data suggests that customers use their credit card 18% more frequently once PayPass is enabled. Though PayPass technology can also be used for transactions exceeding $25 (at which point a signature or PIN is required for veriﬁcation), roughly 75% of all PayPass transactions were for purchases below $25 and approximately 45% of all PayPass transactions were for purchases below $10.

To date, MasterCard has issued some 10 million PayPass cards globally. In addition, said Cathleen Conforti, global PayPass product manager for MasterCard Worldwide, some 32,000 merchants have signed up to accept PayPass. The company, she said, doesn’t release individual country statistics, but the PayPass program is in available 13 countries. “We had a goal of about two million cards … We have greatly exceeded that,” she said.

“We’ve gone from 8,000 to 30,000 (merchant locations) in about 8 months; we’ve seen tremendous growth.” Brian Triplett, Visa USA

According to MasterCard’s review of PayPass users’ performance, PayPass provided a: • 36% increase in usage per account. • 45% increase in total transactions per account. • 230% increase in usage at PayPass merchants. • 270% increase in the number of transactions at PayPass merchants. No wonder the merchant base for contactless is growing. “After our early research, we started with the merchants. They were seeing consumers move thru the line quicker,” said Ms. Conforti. “Banks have the opportunity to put in their customer’s hands a card for places where they normally have to use cash. And consumers do like the fact they don’t have to hand this card over, they can hold onto it during the transaction process,” said Ms. Conforti.

Visa has issued some ﬁve million cards and American Express about two million. Merchants include fast food restaurants (McDonald’s), convenience stores (7 Eleven and Sheetz), pharmacies (CVS), movie theaters (Regal Entertainment Group), and camera stores (Ritz Camera Centers), most which customize in speed, which makes contactless a natural ﬁt. While the original credit cards capitalized on a “buy now, pay later, sometimes much later” philosophy, contactless cards are going after cash. While contactless won’t spell the end of coins and dollar bills–at least in the foreseeable future-- it is tying in with what appears to be the consumer’s desire to carry less currency. A recent survey commissioned by MasterCard shows that growing numbers of U. S. consumers are using less cash in favor of alternate payment methods, such as credit and debit cards. The Consumer Payments Survey conducted by Ipsos, was designed to gauge national attitudes towards the use of cash versus alternate payment methods, as well as to determine consumer interest in using new technologies, such as contactless payment technology, said Ms. Conforti.

“You always want to make sure consumers and merchants are educated … how you use it, where you can use it,” she stresses. “Our national awareness has increased 200 percent. Consumers are getting the message.”

Visa focuses on the top-20 metropolitan areas Visa’s marketing strategy has been to concentrate on the U.S.’ 20 major demographic areas, in other words, the largest metropolitan areas. In fact, the three credit card companies initially concentrated their rollouts on the east coast. It was just recently that contactless came to the west coast when Wells Fargo began issuing contactless cards tied to Visa. “As we bring more cards to market, merchants sign up as well,” said Mr. Triplett. “We have to work together, which is why we’re focusing on the top 20 demographic areas and building from that.” Mr. Triplett said Visa is “actually ahead of where we thought we’d be a year ago with 30,000 acceptance locations. We’ve gone from 8,000 to 30,000 in about 8 months; we’ve seen tremendous growth.”

Fall 2006

ContactlessNews

While MasterCard, Visa, and American Express all conducted successful pilots in 2002-04, it took a “foundational event” to open the ﬂoodgates, said Visa USA’s Brian Triplett, senior vice president for emerging product development. That’s when the three decided on a single ISO 14443compliant system … laying the foundation for point-of-sale equipment to handle contactless cards from all three.“That convergence as well as the pilot tests were there for all key stakeholders to observe,” he added. “That gave everyone the initiative to put some effort behind it.”

In fact, he added, “the adoption rate is the fastest we’ve seen for any new technology. I do expect we will continue to see signiﬁcant growth; whether it’s double or triple we’ll have to wait and see.”

Signing merchants is key to American Express strategy

ContactlessNews

American Express has issued more than two million contactless Blue Cards according to latest figures (February 2006), said public affairs office spokesperson Rosa Alfonso. American Express began adding its contactless payment feature, called ExpressPay, to Blue cards in June 2005 following pilots in Phoenix, Arizona, New York and Singapore. The tap-and-go feature on the Blue card got a big boost last month when McDonald’s Corp. announced that it would accept ExpressPay at its 12,000 restaurants, said Ms. Alfonso. “We’ve definitely grown. The focus has been on the U.S.,” she added.

contactless infrastructure we’ve put in place. It’s opening up a lot of opportunities of ways to pay and places to pay.” For example, fans at some pro baseball and football stadiums can use their contactless cards to make concession purchases, speeding up the purchase process. MasterCard Worldwide is also piloting a six-month contactless project with the Metropolitan Transportation Authority, New York City Transit, Citi Cards, and Citibank at select New York City subway stations. Preselected people can use their Citi credit card to access selected subway trips.

While ExpressPay is only being issued to card members as their card comes up for renewal, truth is “anyone who wanted it could call us up and request it,” said Ms. Alfonso. She said the company is “very pleased with the momentum that ExpressPay has generated. Right now, we’ve focused on signing up more merchants.”

Focusing on benefits helps fuel consumer and merchant acceptance Transaction speed obviously has been the biggest selling point. Witness MasterCard’s latest TV advertisement featuring Olympics silver medalist Meb Keflezighi making pit stops during a marathon he is running, using his MasterCard PayPass to make fast purchases, said Ms. Conforti. “Unattended transactions” is what contactless payments are all about, said Mr. Triplett. “In the traditional world, you have to run a mag stripe thru a reader. Plus, maintenance is a lot more intensive.” Said Ms. Alfonso: “We’re focused on speed and convenience, customers making smaller purchases and doing it fast. They’re in and out quickly.” ExpressPay requires no signature, but the merchant can opt to require one, she added. “It’s designed to be flexible.” With Visa and MasterCard, there’s usually a $25 limit before a signature is required, or the merchant must accept responsibility if the card turns out to be stolen. American Express stats, said Ms. Alfonso, show ExpressPay with no signature is 53% faster than cards and 63% faster than cash.

“Opening doors” for new payment card uses Contactless also opens more doors, “allowing us to put those terminals in new places,” said Mr. Triplett. “We’re laying the foundation to use the 42

“(We are) very pleased with the momentum that ExpressPay has generated. Right now, we’ve focused on signing up more merchants.” Rosa Alfonso, American Express

Contactless has also made its way to other form factors–key fobs, basketball or football-shaped fobs, even watches. ExpressPay key fobs are available on request, said Ms. Alfonso. “Everything we do is about choice. A mother with three children might prefer the key fob because it’s easier to get to. Me, I prefer the card. Bottom line is we have both options available depending on the user’s preference.” Visa is also examining alternative form factors, said Mr. Triplett. “Consumers are most comfortable with the card product they already have. Once they get comfortable with the technology, they’ll be more comfortable with other form factors,” he said.“We’re looking at 2D form factors, like a mini card, or a tag, or something similar to a card and others with different 3D shapes, such as a circle or a football. When Visa rolls anything out, we want to make sure it’s commercially viable. There’s also a lot of education that has to go into that.” Both Visa and MasterCard are also involved in near ﬁeld communication pilots that allow cell phones to be used as contactless payment cards. “We’re actively engaged into seeing how this can be brought to market,” said Mr. Triplett. “A mobile phone is something you always have with you,” said Ms. Conforti. “One thing about this is coming up with a cost-effective way to get PayPass into phones, how we can do it on a scalable basis.”

Fall 2006

Besides transit and mobile phones, MasterCard is piloting a vending machine project in Philadelphia. In effect, any small purchase medium

��

NFC progresses from pilot to full rollout in Germany ‘Overwhelming success’ of Hanau transit trial leads to commercial launch Andy Williams Contributing Editor, AVISIAN Publications

ContactlessNews

NFC is making a name for itself. After a number of high-profile trials last year and early this year, what is being heralded by many as the first commercial rollout of the near field communication technology launched recently with bus passengers in Hanau, Germany. Why Germany? “There was no deeper reason in choosing Germany than that we had good

Fall 2006

contacts with Nokia,” said Holger Kunkat, program manager for mobile secure NFC solutions with Philips Semiconductors. Nokia, Philips, Vodafone and the Rhein-MainVerkehrsverbund (RMV), the regional public transport authority for the Region Frankfurt Rhine-Main in Germany, kicked off the deployment following a successful ten-month

ﬁeld trial. Nokia 3220 mobile phones with integrated NFC technology are now being used as electronic bus tickets. The phones can also act as loyalty cards for discounts at local retail outlets and attractions in Hanau. “We got in touch with RMV. They’re innovative in terms of enabling new ticketing systems in Germany and they already had a contactless

ticketing system for buses,” Mr. Kunkat added. “With the contactless ticketing system in place it was just a simple matter to use a phone instead of a card.”

receive an invoice from the local public transport operator outlining all trips taken, and the costs, which are calculated using the best available fares at the time of travel.

Since the NFC-equipped phone sends out the same signals as a contactless card, no upgrades of the Cubic-supplied transit readers were needed, he said.

“It’s a postpaid system,” explained Mr. Kunkat. “Passengers have to check in on the bus and check out ... and at the end of they month you get a bill provided by the system integrator. This way, people have better control over the amount of trips. The billing system collects al your trips, time of day you took the bus, etc.” The bill arrives separately from the passenger’s normal phone bill. “There are currently no plans of including all on one bill,” he added.

“How to do the ticketing, that knowledge was already in the hands of the people. They like the convenience factor (of an NFC phone). They don’t have to take a dedicated card; just take the phone instead,” said Mr. Kunkat. Hanau is a city of about 95,000 located some six miles east of Frankfurt in central Germany. Currently, a couple thousand are using the NFC phones, said Mr. Kunkat. The ten-month trial involved just 165 people. “During the trial period, the feedback from the people involved was so overwhelming that the idea was born to go with a commercial application,” said Mr. Kunkat. At the end of the trial, more than 90% of the trial participants considered this a positive, convenient system worth continuing. In the trial and in the commercial deployment, Philips has “acted more as a technology provider bringing the relevant people together,” he said. Vodafone, a mobile telecommunications group with operations in 26 countries across 5 continents, has shops that are offering the NFC-enabled Nokia 3220 handsets for sale. At the end of the month, the customers will

In addition to public transport ticketing in Germany, a newly introduced local leisure card -- the “RMV-ErlebnisCard Hanau” loyalty card - is being incorporated into the NFC-enabled phones. This feature enables mobile phones to receive discounts at RMV’s 14 selected retail partners in the area including restaurants, shops and local attractions. This, says Mr. Kunkat, is the next natural step towards an NFC-enabled payment program at retail merchants in Hanau. “The technology in the phone is the same,” he said. “The issue for the payment system is to have the application stored on the smart card, such as PayPass or other credit card or debit card scheme. You just have to store the contactless application into the phone; and it will behave like a contactless smart card.” As to expanding beyond Hanau, “the issue in Germany is that public transportation is a fragmented market. If you drive 100 or 200 kilometers you’ll ﬁnd a different regional transit system.” Still RMV’s region encompasses some ﬁve million people, so there is certainly room for expansion. “We have very good indications that we will have more commercialization in 2006 and there’s a strong indication it will be in the U.S.

However, since last December, Visa and Philips have been working together on a major NFC trial at the Philips Arena stadium in Atlanta, Georgia. The pilot allows sports fans to buy goods at concession stands and apparel stores using their NFC-enabled phones. Additionally they are able to access and download mobile content such as ringtones, wallpapers, screen savers and clips from favorite players and artists by holding their NFC phone in front of a poster embedded with an NFC tag. Other partners in this trial include Nokia, Cingular, Atlanta Spirit, Chase and ViVOtech. Philips also has two other NFC trials underway, one in Caen, France and the other in Taiwan. In the Caen trial initiated last October, residents use Samsung D500 mobile phones with an embedded Philips NFC chip to secure payment in selected retail stores, parking facilities and to download information about famous tourist sites, movie trailers and bus schedules. Partners in this pilot include France Telecom, Orange, Samsung, retailer Group LaSer and Vinci Park. Philips has also been working with Taiwan’s Proximity Mobile Transaction Service Alliance (PMTSA) to demonstrate a BenQ prototype mobile phone capable of making secure payments using NFC that is part of a plan to deploy NFC-enabled mobile phones for access to Taiwan’s public transport network. About NFC: NFC technology evolved from a combination of contactless identiﬁcation (RFID) and interconnection technologies and operates in the 13.56 MHz frequency range, over a distance of typically a few centimeters. NFC technology is standardized in ISO 18092, ISO 21481, ECMA (340, 352 and 356) and ETSI TS 102 190. NFC is compatible with Sony’s FeliCa card and the broadly established contactless smart card infrastructure based on ISO 14443, which is used in Philips’ MIFARE technology and other offerings.

Fall 2006

ContactlessNews

It also helped, said Mr. Kunkat, that “in Hanau people already had experience with using contactless smart cards.” That’s a far cry from a study Philips recently conducted in Atlanta, GA with NFC phones. The small study showed that among novices in the use of contactless, education was extremely important. Even ﬁguring out where to pass the phone over the reader required training (see sidebar).

maybe by the middle of the year,” he noted though refusing to elaborate further.

ContactlessNews

NFC gets lab tested as users trial phone payments, smart posters, and ticketing Andy Williams Contributing Editor, AVISIAN Publications Even with a commercial rollout a short time ago for NFC-enabled phones, Philips continues to tweak the new technology. A study the company conducted late last year raised a couple of issues which will probably find their way into newer NFC iterations, although one of the findings had to do with the readers, not near field communication. Using a controlled environment, Philips and Visa recently conducted a controlled study to determine how novice NFC users would take to paying for products with their cell phones. But the study went beyond payment, testing the smart poster concept as well as applying an radio frequency tag to a DVD box to allow potential purchasers to first see a movie trailer. Philips recently implemented what it calls the first commercial rollout of NFC-enabled phones in Germany, and the company has several pilots are underway in other regions as well. The U.S., says a Philips spokesman, may be next to experience NFC commercialization. Besides the “coolness” factor, participants in the study found the phone easy to use, said Francesco Prato, business development manager for NFC with Philips Semiconductors. He was quick to point out that this Atlanta study was different from the pilot Philips was also conducting at the Atlanta arena, allowing sports fans with NFC-enabled phones to purchase food and beverages from the concession stands. “We wanted to test the usability of specific technology in different scenarios,” Mr. Prato said of the controlled study. “It was very important to see how the consumers were able to interact for the first time with NFC and to see their major issues or concerns, if they were very quick to learn how to use it. We wanted to see specific issues in different scenarios and if consumers were going to change their behavior.” The study was conducted at a Philips test facility and consisted of 20 people – roughly half male and half female covering different age ranges. “They were users of credit and debit, frequent cell phone users,” said Mr. Prato. About 50% of the study group were “early adopters,” others were fairly new to cell phones. But they all shared a common link. “No one 46

Fall 2006

knew anything about NFC,” he points out.“It was very interesting to see their ﬁrst reactions ... people were very surprised to see how they could interact with a poster; for example,” said Mr. Prato. “They were very surprised to see that by touching something without any interaction, they could use NFC (as a payment vehicle).”

Testing a series of compelling NFC applications The study’s three two-hour scenarios included a “coffee corner,” a movie trailer and a smart poster. With the coffee corner scenario, a user could order coffee and a Wi-Fi Internet connection. The access code for the login was transferred from the phone to the user’s laptop, said Mr. Prato. The movie trailer involved an RFID label on a DVD box and, using the NFC-enabled phone, the user was able to watch a movie trailer that, ostensibly, would help him make a purchase decision. And if the person had a NFC-compatible TV, the trailer could be played there as well, said Mr. Prato. With the smart poster, a user could buy tickets to a concert, download ring tones, and even download games. “For example, the consumer would be able to buy two tickets and sell one to a friend via NFC. You just touch with your phone and you could transfer the tickets and you could also get money back from the phone,” he said. “We were interested to see how NFC could enable person-to-person interaction.”

What did they learn? He said that at the beginning of the study, “users ﬁrst wanted to understand how to interact, but the learning curve was very fast and soon they were very comfortable” using the NFC-enabled phone.“At the end of each scenario, we recorded their questions and answers and their facial expressions.” Some of the study’s ﬁndings were obvious – a focus on speed and convenience – elements that have been trumpeted by the contactless world for several years. But it was also discovered that perhaps today’s computer-literate world wanted something even more automatic and

simple. For example, the study noted that receiving transactions “should be even more automated. For example, “participants liked the simplicity of transactions that were initiated just by holding the mobile phone to an NFCenabled reader. However, for sending applications, such as selling a ticket to a friend, users may prefer to initiate the transaction with a command.”

he should touch or not touch so there’s a real need of showing where to touch.” In other words, as the study pointed out, “Users did not want to guess where and how to orient their mobile phones to complete a transaction.”

Even after showing the users how to handle and manipulate the transaction, they still had trouble ﬁguring out where to place the phone over the reader. “One of the results was a need for a clear and consistent marker,” said Mr. Prato. “The consumer would look where

What happens with a lost NFC-enabled phone? “That’s one of the questions I get asked often,” said Mr. Prato. “If you lose your credit card, anyone can use that card ... the damage could be high. (But) having your card in the phone, no one can see the number.”

In Europe, for example, the “ﬁrst application taking off using NFC phones is (transit) ticketing. In Europe, they’re fully aware of contactless for mass transportation so it is easy to move from card to phone...very easy,” he added. Philips also has tests underway in Italy “that we’ll announce (later) this summer,” he suggests. “I think NFC will take off by the end of the year and we expect to go commercial in the U.S. by the end of the year.”

2006 to be the Year of Near Field Communication Christophe Duverne Vice President, Sales and Marketing, Identification, Philips Semiconductorsor 2006 promises to be the year of near field communication (NFC). With live trials underway now in France, Germany and the United States, consumers are getting an idea of what the near-term future holds for them. NFC technology is set to drastically change the dynamics of consumer electronics by opening up a myriad of new business and application opportunities. It will significantly impact the way consumers shop, travel and exchange data. It will change the way handset manufacturers, operators, suppliers and content providers work together and enable new business models and profit opportunities. And most importantly, it will change the way consumers use their mobile phones forever, enabling them to do things they never thought possible, like entering a sports stadium with an electronic ticket on their mobile phone, or pay for their groceries using their mobile phones at checkout. The possibilities are immense.

In the City of Caen in France, Philips, France Telecom, Orange, Samsung and retailers Group LaSer and Vinci Park kicked off a major multi-application NFC trial. During the six month trial, 200 Caen residents will use Samsung D500 NFC-enabled mobile phones as a means of secure payment in selected retail stores and parking facilities as well as to download information about famous tourist sites and bus schedules.

Numerous ﬁeld trials are being deployed around the world so key players throughout the value chain can best understand how consumers react to this technology.

Mobile payment and transactions with NFC exploit two basic principles of modern society: everyone needs to pay for products and everyday services and just about everyone carries a phone. Results from these worldwide implementations are demonstrating that consumers everywhere like the convenience of mobile payment.

In April 2005, Philips, Nokia and German public transport network operator Rhein-Main Verkehrsverbund (RMV) began to trial an NFC ticketing solution that allows RMV’s customers to use NFC-enabled Nokia 3220 phones to buy, store and use tickets around the bus network in the city of Hanau, near Frankfurt.

Another trial just kicked off this month, signifying the ﬁrst major trial of NFC in North America takes place at the Philips Arena stadium in Atlanta, Georgia. In this trial, sports fans can easily buy goods at concession stands and apparel stores using their NFC-enabled mobiles. They can also access and download mobile content such as ringtones, wallpapers, screensavers and clips from favorite players and artists by holding their NFC phones in front of a poster embedded with an NFC tag.

The technology is there, the consumer interest is there, the infrastructure is there. All that’s needed now is more imagination to devise more innovative applications and operators to facilitate more roll-outs.

Fall 2006

ContactlessNews

Added Mr. Prato: “They liked the fact there was less interaction, that you don’t need to select the application.”

The study involved phones, “with vibration; so they knew the transaction went thru,” he said. “You didn’t need to watch the display. Another possibility is providing a text message conﬁrmation.”

Mr. Prato thinks that NFC, because of its cell phone compatibility, could help “drive contactless technology in the U.S. There are more than 30 million contactless cards in the U.S. now which is one of the reasons we did this here in the U.S. with Visa.”

Contactless ticketing takes hold in English football But don’t Bend (the Smart Card) Like Beckham

ContactlessNews

David C. Wyld Contributing Editor, AVISIAN Publications When you think of British soccer, what images come to mind? In all likelihood, images of David Beckham artfully bending the ball into the goal and of rowdy English fans. What is increasingly being noticed is that soccer – or football – clubs in the United Kingdom are at the forefront of harnessing contactless card technology to the beneﬁt of both teams and their loyal fans. Indeed, football clubs in the UK are fast transforming the notion of what it means to be a “season ticket holder,” as tickets are falling by the wayside in favor of smart cards. These contactless solutions are fast becoming the global benchmark for creating customer loyalty and bringing a form of yield management to the stadium. While the 2006 FIFA World Cup ushered in a great deal of excitement about soccer in the U.S., it also served as the largest proving ground to date of integrating contactless into sports ticketing, with: • 12 venues • 64 games • 3.5 million contactless paper tickets.

Fall 2006

Yet, the real revolution in events management today is the prospect of eliminating the ticket altogether, replacing the paper ticket with a smart, contactless card.

StadiaCard helps Liverpool expedite access and reduce scalping There are a number of competing ﬁrms today in the UK seeking to bring contactless solutions to bear in football stadiums in their country. Stadiacard, a division of the UK-based TelCo Management Limited, is working with several leading football clubs in the UK to prove the viability of a contactless card solution. Most notably, the Liverpool Football Club has been at the forefront, using contactless technology in its stadium since 2003. For the upcoming 2006/2007 season, the Liverpool Club, winners of the 2006 FA Cup, will be shifting its season ticket buyers entirely to Stadiacard’s contactless solution, providing them with what they are branding as the Fan Card. Liverpool has equipped its historic Anﬁeld Sta-

dium, which dates back to 1884, with readers at all of its entry gates. The Liverpool Club believes that the system will not only speed entry of season ticket holders into the stadium, but also eliminate the possibility that these buyers could resell individual game tickets from their season-long package or provide them to “ticket touters” (scalpers). This is because the Fan Card will be required for entry throughout the season and thus, if sold, the season ticket purchaser would lose the right to enter the stadium for not just a single match or series of games, but the remainder of the season. While Anﬁeld only has a capacity of 45,400 seats, the Liverpool club has issued more than 130,000 Fan Cards to date. Supporters who are not season ticket holders can use their Fan Cards as ID when purchasing individual game tickets via the phone or the Internet.

TeamCard solution helps clubs throughout the UK A similar solution, also aimed for the football market, is being marketed by the St. Andrews,

Scotland-based Scotcomms Technology Group. Scotcomms TeamCard contactless solution is being employed by several leading football clubs in the UK, including: • • • • • • •

Bolton Wanderers The Celtic (Glasgow) Chelsea Crystal Palace Everton Ipswich Town Millwall

There is also a significant security benefit to the use of contactless tickets for sporting events in general and for football specifically. Unlike with paper form tickets, if a fan’s ticket card is lost or stolen, the team can simply issue a replacement and cancel out the original lost item. Also, the team retains significant control over the use of the card, which is especially important in venues such as football in England, where crowd rowdiness and hooliganism has been of paramount concern in recent years. If a team can identify trouble making fans, they can simply deactivate that person’s contactless ticket card and ban them from the grounds. In the same fashion, as has been done in Liverpool since the 2003/2004 season, stadium security and support personnel have themselves been issued contactless cards, allowing for the club to maintain required staffing levels throughout the stadium and monitor staff movement for both management and payroll purposes. Finally, since the fan’s card also operates as a form of payment in the stadium, the benefits of contactless payments at concessions and merchandise sales locations can be reaped. And, in the United Kindgom, unlike at sports venues in the United States, where sports betting is not legal in the stadium setting, fans can place wagers before and even during games using the same contactless ticket card. Over the next five years, it is likely that we will see similar developments in the United States, both at professional and collegiate sporting venues. Out of a desire to heighten revenue and a need to increase security, sports executives will see that contactless cards offer a “win-win” proposition to both the team and its fans. While we have seen the development of co-branded contactless payment solutions for concession/souvenir payments, an allinclusive smart card solution will likely emerge as the industry standard in time. Thus, the sports space presents tremendous opportunity for growth in the future.

ContactlessNews

One of the significant benefits of such contactless ticketing is the ability of the sports’ team/club to derive incremental revenue from what would have been unused tickets by season ticket holders. One of the British football clubs making use of the TeamCard, the Bolton Wanderers, has turned a season ticket holder’s inability to attend a game into a “win-win” for all parties. Gareth Moores, a director of the club, estimates that 5-8% of season ticket holders can not attend a given game. The Bolton Club rewards season ticket holders who notify the organization in advance of their inability to attend a game with £10 worth of points loaded onto their TeamCard. These points can then be used for purchasing either refreshments in the club’s stadium or team merchandise from the club. The club is then able to resell that unused seat – for an average profit of £15. Likewise, football clubs have begun to offer seating upgrades to better sections on an availability basis to card holders, with the ability to charge their registered payment option immediately should they choose to sit in a better seat for an event.

Electromagnetic sleeves protect contactless IDs, but is the eavesdropping threat real?

ContactlessNews

Marisa Torrieri Contributing Editor, AVISIAN Publications With a long workday behind him, Mr. Government Worker leaves the building, heading for the massive parking lot. He passes a gentleman (Mr. Man), but little does Mr. Government Worker know that beneath the stranger’s briefcase hides an RFID Reader with an antenna short enough to remain out of sight but long enough to communicate with a FIPS 201 PIV Card. Mr. Man captures the ‘free-read’ ID number from the card and now can in essence replay this information to the access control reader at the entry door to the building to gain access.

The company is one of a handful of manufacturers of protective shields and sleeves designed to protect contactless cards from eavesdroppers. Identity Stronghold is marketing its electromagnetic smart card sleeves in consumer, ﬁnancial, and government markets, including federal agencies shopping around for FIPS 201-compliant products. The electromagnetically opaque “Secure Sleeve” products help ensure that invasive communications such as relaying, eavesdropping, or cloning and tracking of ID, debit and credit cards, U.S. passports, and the new FIPS 201 PIV cards don’t occur.

A preposterous scenario? Not really, says Walt Augustinowicz, founder of Identity Stronghold.

“The new government PIV card has a contactless interface, which, basically will get you into several pieces, including the CHUID (the unique ID number), and it can be read by any ISO 14443 reader,” he says.

“It’s called the ‘leech-and-ghost theory,’” says Mr. Augustinowicz, noting that a handful of white papers have been written on such topics. “It’s pretty realistic.”

Mr. Augustinowicz refers to section 2.4 of the FIPS 201-1 publication, which states: “Ensure that technologies used to implement PIV sustain and do not erode privacy protections relating to the use, collection and

“Our sleeves are made with a special laminate material that contains a shielding layer and several other layers that make it very durable and tear and water resistant as well as printable.” - Mr. Walt Augustinowicz 50

Fall 2006

disclosure of information in the identiﬁable form. Speciﬁcally, employ an electromagnetically opaque sleeve or other technology to protect against any unauthorized contactless access to information stored on a PIV credential.”

durable and tear and water resistant as well as printable,” Mr. Augustinowicz continues. “The shielding layer forms a faraday cage around the card preventing the electromagnetic energy necessary to power the chip from reaching it.”

But whether federal agencies will embrace added security and the notion that such sleeves are a necessity remains to be seen. Factors that will inﬂuence such decisions include perceived threat and cost.

Randy Vanderhoof, Executive Director of Smart Card Alliance, says the notion of adding a protective sleeve to a contactless card came up for discussion when the government was planning for the new electronic passports, which use contactless technology.

The company is submitting technical specs to the National Institute of Standards and Technology (NIST) for testing to receive a listing on the FIPS 201 approved products list.

A 170-year old physics experiment lives today in the Farraday cage The sleeves works on the Faraday cage principle, notes Mr. Augustinowicz. According to online resource Wikipedia, a Faraday cage is an enclosure designed to exclude electromagnetic fields. It is an application of Gauss’s law which describes the distribution of electrical charge on a conducting form, such as a sphere or a plane. Intuitively, since like charges repel each other, charge will “migrate” to the surface of the conducting form. In the case of the smart card sleeve, its ‘cage’ routes the external RF field away from the contactless antenna inside. The application is named after physicist Michael Faraday who built the first Faraday cage in 1836 to demonstrate his finding.

The passport sleeve is not required by any spec, says Mr. Augustinowicz, noting that the new U.S. passports have an anti-skimming mesh embedded in the top cover. It operates on a similar principle to the cage, relying on a metal mesh to shield the antenna from an external RF ﬁeld. For FIPS 201 PIV cards, Mr Vanderhoof says he hasn’t heard a lot of lengthy discussion or debate about such sleeves, though the issue has come up at conferences and meetings. He stresses that the new ID cards contain “the most secure card speciﬁcation that’s ever been created for implementation of an ID card.”

There’s another issue, technology aside. Even if an agency were to use electromagnetic sleeves, employees might not care. “(Many) people who are issued a sleeve by federal agencies would probably toss it in the drawers and not use it after they are issued their cards,” Mr. Vanderhoof says. Still, there is, technically, an opportunity for someone to know there is some limited data on a card using an RF reader. Even though you can’t pick up the data, you can technically use an antenna to learn that someone is holding a PIV government card. And there are all sorts of scenarios for why someone would want to know you’re a government employee. “There’s folks whose job it is to look at worse case scenarios for government applications,” says Mr. Vanderhoof, “and the industry has to respond to that and it has.” But if interest in the Secure Sleeve and related products is an indication, the concern – real or imagined – continues to exist.

Furthermore, the new PIV cards will be dualinterface, containing both a contact and a contactless interface. The contactless interface is most often used for physical access, and is read by a contactless reader. The contact interface will be required to access the biometric component for authentication processes, to validate that the card is being held by the appropriate user. Most agree, however, that though the biometric may be required for physical access in certain situations,

“Our sleeves are made with a special laminate material that contains a shielding layer and several other layers that make it very

The company is submitting technical specs to the National Institute of Standards and Technology (NIST) for testing to receive a listing on the FIPS 201 approved products list. Fall 2006

ContactlessNews

If recent conferences are any indication, the product could pick up some serious momentum in the near future: Mr. Augustinowicz says he gave out 250 sleeves or so at a recent government CIO conference.“People were coming back,” he says, “asking for extras for their wife’s credit’s card.”

it is unlikely that it will always be mandated as agencies develop their customized access control strategies.

When it comes to issuance, contactless ‘rocks’ prox 13.56 Mhz contactless cards improve ﬂexibility and security for access control

ContactlessNews

Chris Corum Executive Editor, AVISIAN Publications Contactless technology facilitates multiple applications and services from a single card, but Erik Larsen, Product Manager of Identity Solutions for Lenel Systems International, stresses that another advantage is equally crucial for card issuers. “Contactless lets you take control of - and secure - the data on your cards,” he says, “something proximity technology just doesn’t do.” “We give customer the ability to encode the cards themselves and capture the data they want to use,” explains Mr. Larsen. “You can populate it all into (Lenel’s) onGuard system and then let the issuer encode what they want onto their cards. You no longer need to be told by the application or technology what will be on the credential.” Other leaders in the contactless arena concur. According to June Colagreco, VP Marketing Communications for HID Global, “our iCLASS contactless offerings have enabled us to provide much greater control and flexibility to our issuers. By using the iCLASS field card programmer, our customers have the flexibility to instantaneously issue personalized credentials on the spot”. “(Our customers can) even encode the iClass secure area of a card,” adds Mr. Larsen. “You can get completely blank iClass cards without even the application page layout configured … Our application will configure the proper page area and personalize the card.

How does traditional proximity issuance differ? In most cases, proximity cards arrive at the client site with a unique identiﬁcation number pre-encoded on the card. Typically, this same number is also printed on the card as well. When an issuer (e.g. company, university, security integrator) prepares a new badge for a cardholder, that card is printed through an ID card printing system or simply handed to the cardholder if it is not to be personalized with data, photograph, etc. Next the ID number that was encoded in the proximity card at the factory must be enrolled into the issuing organization’s ID card system, security system, and perhaps other systems. Speciﬁcally, the card’s assigned number must be linked to the database record of the cardhold-

Fall 2006

er to whom it was issued. If this process is skipped or done incorrectly, these systems won’t know how to manage the individual’s approved privileges and access rights. The system’s integrity would be compromised. These additional steps are necessitated because the card number is preset in the majority of proximity card issuances (note: in certain instances, prox cards can be programmed by the integrator or issuer at the time of issuance, though this is the exception rather than the rule).

Contactless streamlines the issuance process Unlike typical proximity cards, however, contactless cards often arrive at the issuer’s location without the pre-encoded ID number. Each card is blank, awaiting input from the card issuing system to assign numbers and data to different ﬁelds or ﬁles on the chip. Most modern issuance systems have the ability to encode an array of common contactless chips “inline” during the card imaging process. Internationally standardized contactless varieties (e.g. ISO 14443 and ISO 15693) and named products (e.g. Philip’s Mifare, HID’s iCLASS, Sony’s FeliCa, Legic’s Advant) can often be encoded while the card is being printed. This saves a crucial step in the issuance process, eliminating the need to ‘register’ the proximity card’s number into the issuing organization’s systems. With contactless technology, the issuing organization’s systems actually assign the number to the individual and encode it on the card directly. Still, many contactless issuers prefer to order their cards pre-programmed.“The majority of (our) customers still order secure contactless cards pre-programmed with their access control application information,” says John Menzel, CEO of contactless reader manufacturer XceedID. “This is mainly due to the fact that they have always done it this way. We sell mostly white ISO cards with secure sector programming and the end customer ends up printing at time of issuance.” HID offers a contactless version of its popular Corporate 1000 proximity program.“The iCLASS Elite Program provides security professionals the ability to standardize on a ‘single credential’ solution that can be used

for all applications and locations worldwide,” says Ms. Colagreco. The issuer receives a proprietary 35-bit format that includes a Company ID Code unique to each end user. “For added security, HID tracks card numbers to insure that no duplications occur,” she adds.

Updating data on the card creates flexibility and saves money This fundamental difference between proximity and contactless technology has additional repercussions on system operation beyond initial issuance. During the lifecycle of a cardholder within an organization, there may be cause to change an ID number in an existing card or port the number from one card to another. With proximity cards neither of these options can be accomplished but contactless makes both easy and secure. “Since (most contactless) cards can be written to multiple times you can ‘re-program’ a smart card if you have a programmer with the appropriate keys to overwrite a particular sector,” says Mr. Menzel. This is a major advantage over prox technology, he stresses, citing that prox is “typically a one time write with no security.” Imagine the employee or student that returns to the badging location with a damaged card. He wants a new card and the security of the card’s data can be assumed intact, as the card is present at the time of request. In such a situation, the issuer could simply take possession of the existing card and re-issue a new card with the same identification numbers and other data, making sure to destroy the prior card. There would be no need to update records in other systems, as the data remained the same. Alternatively, an identification number on an existing card might need to be changed if a system change occurred or fraudulent activity was suspected. With contactless technology, the existing card could simply be updated with the new number and the same badge preserved.

Taking this one step further, a customer could even update the keys for both cards and readers so that the entire system uses a new set of keys to communicate. “HID has enabled a rolling key feature in their (new) reader that can be controlled by OnGuard,” explains Mr. Larsen,“(When) the card is presented to the reader, it is automatically updated with the new key that is stored in the reader.” Just another example, he point out, of the power of contactless smartcards over proximity. Ms. Colagreco adds that this key update management capability is a major customer security advantage. “Security systems traditionally relied on the possession of the card with its unique ID number to deter unauthorized access. With contactless, we are exponentially more secure thanks to credential keys and the ability to update them as needed for a higher level of security, not to mention complete key and data encryption.”

Conclusions In prior articles we have examined: • How price is comparable between the proximity and contactless cards and readers, • How a wide array of applications and services can be supported with contactless technology, and • How transition to contactless can be virtually seamless thanks to a new breed of multi-technology readers that support both proximity and contactless technologies. This examination of the beneﬁts that contactless technology provides over proximity in the issuance process should provide more food for thought as you consider when the time is right for your organization to migrate to contactless, the new standard in identiﬁcation technology.

CR80News Contactless takes Swiss campus to new heights LEGIC provides payment and security applications for students in Switzerland Andy Williams Contributing Editor, AVISIAN Publications While many U.S. colleges and universities have been hesitant to delve into the contactless world, European and Asian campuses have taken the opposite approach. So it is with the University of Technology and Economics (HTW Chur) in Chur, Switzerland. The college opted for a contactless campus card system based on chips supplied by LEGIC Identsystems Ltd., also based in Switzerland. The company specializes in the design and manufacture of 13.56 MHz contactless smart card technology, including ISO 15693 and ISO 14443 compliant read/write chip sets, security modules, and transponder chips. HTW Chur specializes in high tech pursuits, so what better way to emphasize your philosophy than to offer your students and faculty a cutting edge, cashless ... and contactless ... environment? The range of courses offered by the HTW Chur covers six degree and three postgraduate courses, two Executive Masters of Business Administration and a wide-range of training courses. The college, according to LEGIC, specializes in the ﬁelds of tourism, entrepreneurship and commerce, telecommunications and electrical engineering, structural engineering

and architecture design and computer science. Two other Swiss companies, EVIS and Kaba, are also involved in the Chur project. EVIS, a LEGIC partner for more than 11 years, provides the project with vending solutions, access control systems, card personalization, hardware/ software, cashless payment systems, POS terminals, and time and attendance solutions. Kaba specializes in security technology, such as locking cylinders, security locks, motorized cylinder locks and access control systems. “We are a basic technology supplier,” said Stephen Neff, LEGIC’s vice president for sales and business development. “We supply transponder chips and people integrate our products into the ﬁnished product. Our technology products allow them to make the all-in-onecard system.” Utilizing this multi-function technology, the university has already issued more than 2,000 cards to students, staff, faculty, and visitors at HTW Chur. The cards serve as the students’ ID, allow access to lockers (where student laptops are typically stored), provide cashless vending and copying, serve as the library card, and enable discounts at off-campus merchants. Museums and theaters also accept the contactless smart card, said Mr. Neff.

The college prints its own cards on site with a card printer from Zebra. This, said Mr. Neff, allows the school to personalize the cards and initialize the chip according to the area in which it will be used.

Payment applications are crucial to campus card success Students are issued their cards when they enroll. Guests, visitors, and external users of HTW Chur facilities such as the library, can obtain a LEGIC smart card upon payment of a deposit. The student ID is used for payment transactions in the canteens, vending machines, and copiers and printers. Charging stations - one in each of the two main buildings - allow students or faculty to add value to their card’s e-purse with up to 300 Swiss francs (about US$240). “The student simply presents his contactless smart card to the charging station,” says Mr. Neff, “inserts the money he/she wants to load on the card and after a few seconds the loading station conﬁrms that the card has been recharged.”

... 3” x 5”

That’s right, whether your database includes 100 or 100,000 records, you can take it anywhere with the new DigiSwipe™ from TokenWorks®. Continuing the legacy of the CardTool® magnetic card reader, DigiSwipe™ enables a variety of devices utilizing the standard Compact Flash Type II connector. Using pen and paper to track activities is a thing of the past, order your DigiSwipe™ today!

Affordable. Portable. Flexible. Solutions by TokenWorks®.

For more information please visit us at: www.tokenworks.com/digiswipe.htm

“One of the main advantages of this system,” said Mr. Neff, “ is that students only have to bring cash to school if they plan to recharge their electronic purse. They don’t need cash for vending machines, the canteen, or copying machines.” When funds are spent - via vending or in the canteen - the transaction is forwarded to a central server via the campus’ existing network. Thanks to the TCP/IP networking of all reading units, the card balances can be checked and (lost or stolen) cards can be blocked immediately if necessary. “The balance is not stored in a back end system,” said Mr. Neff.“The money is in the possession of the cardholder only. This increases the security and the conﬁdence in the system.” Physical security complements the ﬁnancial offering ...

CR80News

Kaba technology is used for access control and the locks on the 800 lockers. EVIS provides the vending solutions, added Mr. Neff. Since it is a contactless card, a student need only tap his card against the locker’s lock to open it. While dormitory access is possible using the system, HTW Chur doesn’t need that capability because it is a commuter school, said Mr. Neff. But the campus does have plans to expand the access control capabilities of the system.

In the near future, ofﬁcials plan to deploy locking systems on individual laboratory doors to guarantee greater security and convenience for the user.

“There are more then 50 universities in Europe and Asia using the LEGIC contactless smart card technology already and more are opting for this technology every year,” said Mr. Neff.

One of the beneﬁts of this particular LEGIC technology, the all-in-one-card, is that more applications and functional areas can be added later as the college’s needs progress.

But, encouraging U.S. institutions to opt for contactless is a challenge. With ofﬁces in Chicago, and Dallas, LEGIC is doing what Mr. Neff calls “missionary work. We’re working with campuses, going to suppliers, trying to sell them on using contactless technology.”

Mr. Neff provides the following example: “... a Chinese university, with more than100,000 LEGIC student cards, installed readers in dormitory showers that turn off the water automatically when the student takes his card away from the waterproof reader in order to save water and money. (Others have added) parking access or access to fitness centers.” “(HTW Chur) is very satisfied with the new allin-one-card solution,” said Mr. Neff.“The whole process is much easier and the students profit a lot from the increased comfort. Even the complexity for the card administration has been reduced significantly.” And, he added, thanks to the central data administration and the university using its own printers, it can easily administer and replace lost or stolen cards. Evangelizing contactless technology in the U.S. LEGIC has installed its campus card solution in many locations in addition to HTW Chur.

Of course, U.S. Government requirements, such as those included in FIPS 201 and the Department of Defense’s Common Access Card, are helping generate contactless demand, he adds. “Four or ﬁve years ago, it (contactless) was a non-issue. Now we’re at least getting invitations. It didn’t happen overnight in Europe, either.” Even so, LEGIC currently has some 70 million contactless cards in the ﬁeld. Contactless advantages for campus card systems ... He thinks contactless cards would be preferable at universities if, for nothing else, than for ease of maintenance. “Universities tend to incur quite a bit of vandalism (with items such as gum or coins) being stuffed into the slot designed for the contact card. In Canada’s (early) ATMs, the slot was exactly the thickness of a processed cheese slice, (and vandals stuck them in) so they had to make the slot smaller. Contactless is almost vandal-proof which, I think, is its biggest advantage over contact.” Another big contactless advantage is, of course, its hands-free capability. “You can put your contactless ID badge into your pocket and walk by the reader. With a contact badge, you always have to take the card out of the holder and put it back again,” said Mr. Neff. Concludes Mr. Neff:“The most important thing for universities is linking access control with vending, restaurant and other applications. They have to be able to run independently of each other so the card becomes the network ... you can obtain IT access as well as physical access. The biggest stumbling block is that many people don’t believe it can be done.”

Students at HTW Chur use their contactless cards to access reader-equiped lockers 56

Fall 2006

ID cards for visitors: Easier and more necessary than ever Even in a post 9-11 world, college campuses remain fairly open. Anyone can enter the campus itself with barely a nod from security. Corporations are a different matter and many have hardened building access in recent years. So, too, have K-12 schools. But with more options and lower costs, is it now time for colleges to take another look at better controlling visitors to their campuses? Supporters of visitor management solutions think so.

CR80News

“Colleges are watching ingress and egress better than they used to do,” said Steve Blake, director of secure systems for Fargo Electronics, whose printer/encoders are used in visitor ID management systems.“But adoption has been better for visitor management in K-12 than in post secondary schools.” Had some kind of visitor management program been in effect at the University of Cape Town in South Africa, a university professor might have avoided being beaten up by people who easily gained access to the building housing the professor’s ofﬁce, as recently reported by a Cape Town online news service. It’s one of the tradeoffs for having an open campus, a quality in which most colleges take pride. But are those days numbered? “(People are) implementing both unattended and attended visitor management systems,” explains Mr. Blake. “However, if you’re concerned about security, there is no reality to using an unattended system. I’ve been to several schools where you print out your own badge. It’s based on the honor system and it will work only for those who are honorable.” Visitor management systems were in use even before 9-11. “They’ve been available for about seven years,” said Mr. Blake. “But there was a low level of adoption until the last couple of years. What has changed is that prices have come down to where they’re more affordable. New technology also makes it much easier to go through the registration and badging process.” 58

Fall 2006

But it took “9-11 for visitor management (and other security systems) to skyrocket,” added Mr. Blake. Some of the more popular visitor management programs are the ones that allow a visitor’s driver license to be swiped or scanned, thus providing a visitor’s critical information along with his picture. Then a temporary badge can be produced, usually in less than a minute, complete with photo. “Driver license scanners can be tied to the software. A school clerk will take your driver license, run it through a scanner and be able to print a card with a Fargo printer in color or black and white, within 30 seconds,” said Mr. Blake. “This is what’s really driving the growth in visitor management. If anything happens, the school has the front and back of the visitor’s driver license.” Despite the ease of creating visitor IDs, it could still be difﬁcult for colleges to implement.“The issue is that with colleges, they tend to be an open environment with a lot of public access,” said Mr. Blake.“If you’re going to have attended locations for visitors you might have multiple points of issuance. Some (colleges) do use ID cards for visitors, but there hasn’t been a high level of adoption here.” To date, the real adoption of visitor security has been in the corporate arena, Mr. Blake added.

Selecting a visitor management system from the host of options Do a Google search on “visitor ID badge management” and nine different products show up on the ﬁrst page alone. Some of the bigger providers of visitor ID management software include Avery and Brady ID, plus “there are a lot of homegrown ones out there as well,” said Mr. Blake. Most work with ID card printers, but Avery’s for example also prints on paper labels.

Another aspect of visitor badge management is whether it will be standalone (located on a single computer) or tied to the network. Standalone architecture is obviously easier since all data resides on the PC at the front desk. But regardless of the system chosen, says Mr. Blake, implementation is simple. “You can be up and running in 30 minutes.” Visitor management systems don’t require top-of-the-line printers to function adequately. “Our entry level printers tend to be the printer of choice for visitor management,” he said. “They contain just the features that are necessary. A visitor management solution typically doesn’t require high volume card production.” Another consideration is how easy the visitor ID badge printer is to operate and maintain. “(Operators) need to be able to change ribbons and load the cards easily, so they can spend their time with people interaction, not printer interaction,” said Mr. Blake. “With our Persona C30 printer, for example, you can just pop the ribbon and cleaning cartridges in, unlike some printers where you have to deal with rolls of ribbons or cleaning rollers. Ease of use is extremely important. Operators can’t be afraid of what they’re about to use.” Visitor management software has also evolved, said Mr. Blake. “They’ve migrated to include modules that are not only people-related, but will handle packages as well. For example, if UPS or FedEx delivers packages to the front desk, the software allows the packages to be logged in ... right at the front door to create a history, an audit trail, of that package internally.” With lower prices, more products from which to choose, and ease of use, “maybe it’s time for colleges to take another look at this,” said Mr. Blake. “There has been great adoption (and successes) elsewhere. This could be the time for colleges to examine how visitor ID management can beneﬁt them.”

Gonzaga and North Texas students ‘touch the future’ paying on and off campus with fingerprint biometrics Andy Williams Contributing Editor, AVISIAN Publications More student choices, more options, and peace of mind for their parents are some of the ideas that went into the development of iMye, Sodexho’s new method of paying for food on or off campus. Oh yes, there’s also the “coolness” factor. “You don’t need a card or cash, just your ﬁnger,” said Ric Rocca, senior vice president of strategy for Sodexho Education Services, of the company’s ﬁnger scan technology.

CR80News

Even the name, “iMye” tracks the idea behind the program: In explaining the genesis of its name, the company explains “I Am Me...My Choices are Mine.” Said Mr. Rocca: “The name was developed internally and reflects the Millennium Student. They’re individuals. It’s a combination of ‘me’ and ‘my,’ a reflection fo how they view music. They don’t buy albums anymore, just individual music and they want more variety and flexibility in terms of where they’re eating.” The program - in a pilot stage right now - is at two colleges: Gonzaga University, Spokane, Wash., and the University of North Texas, Denton, Tex. It allows students and faculty to pay for their meals on campus and at select restaurants off-campus with a simple scan of their finger. Both Gonzaga and UNT were chosen for the pilot “because we have had great support from our clients there and from the Sodexho operational team,” said Mr. Rocca. Sodexho handles food service for an estimated 900 campuses across North America. Dale Goodwin, PR director at Gonzaga, reported that early indications suggest that the system seems to be a success from the student perspective said the “students like it, from what I hear.”

Fall 2006

Storing scans not fingerprints to protect privacy First thing Sodexho wants to make clear is that it’s a “finger scan” not a “fingerprint.” In other words, the actual fingerprint is never stored in the centralized database, only algorithms that allow for simple identification. “It’s finger scan technology, not a fingerprint, so a record isn’t kept. It uses 16 points which converts the finger scan into algorithmic numbers, rather than the 64 points used for fingerprint comparisons,” said Charles Wesley, Sodexho general manager in Spokane. “Essentially,” as the web page points out, the finger scan is simply “a batch of numbers, not your fingerprint” that’s kept on file. Added Mr. Rocca: “The finger scan takes an image of the student’s finger, then we discard the actual fingerprint.” The later finger scan is compared with the algorithm. The finger scan database is stored centrally on a Sodexho computer and transmitted over the Internet.

How the system works: the student perspective “Students can sign up online or on campus,” said Mr. Rocca. “They can even mail in an application, but to validate the account, they have to put their ﬁnger on a ﬁnger reader on campus. Everything else can be done online.” That includes loading, or reloading the student’s account.

It’s a prepaid meal plan type account, a debit system, added Mr. Rocca. “It allows them to go to participating retailers around campus and outlets (off-campus) which have ﬁnger scan technology right next to the cash register. Students (or parents) can set up the account for automatic reloads or buy a meal plan. They get dollar for dollar.” In other words, there is no cost to the students. “This university (Gonzaga) was interested in being part of the pilot program, on the cutting edge,” said Mr. Wesley. “The school is pleased with the ability of the program to offer students a prepaid account to spend on and off campus.”

Mr. Rocca, who heads up iMye, said one of the main concepts that led to its development was that “we’re always looking for ways to better satisfy our clients, our customers. Students want choices and we always try to give them that.” He said students “like the technology associated with biometrics. They’re comfortable with it, they like the fact they don’t have to carry a card. We’d been looking at the technology for a while. It’s a safe and convenient way to do the same thing that a card does.” Sodexho has partnered with Biometric Access, a Texas company that produces the finger scan readers. “It’s a good, solid company,” said Mr. Rocca.“They’re growing and they fit the bill with what we needed for this program.” How the system works: the merchant perspective Since Sodexho operates a campus’s foodservice program, the readers cost the college nothing; they’re part of the contract. Offcampus, eventually merchants accepting finger scan technology will have to pay

a fee.“There are a variety of ways to supply the readers,” said Mr. Rocca. “They can rent it, lease it or buy it outright, but since iMye is still in the test stage, we’re not charging the merchants right now.” The finger scanner is about eight inches high, four inches wide and takes up about a 6-by-6inch square space on the cash register table. One glitch so far, if it can be called that, is transaction speed. Since the finger scan is compared with a database and is transmitted via the Internet, merchants with dial-up connections could experience longer transaction times. Normally, approval is almost instantaneous. Merchants and the university also have to make sure their cashiers are properly trained. “Once the right amount of training is in place, you save time at the register,” said Mr. Rocca. “You have to make sure cashiers know how to complete the transaction with somebody’s finger,” added Mr. Wesley. “With a trained cashier and a customer used to finger scanning, it can be faster than cash or credit card. While the cashier is ringing up the order, the customer has the capability to start the finger scan process.”

The pilots at the two schools were initiated mid-term, in the middle of the normal school year. Just 350 students at Gonzaga (slightly more than ﬁve percent of its 6,000 students) signed up and about twice that number participated at UNT, said Mr. Wesley. The smaller numbers, however, gave Sodexho time to explore the feasibility of the program.

He said some 20 merchants have signed up in Spokane and “a little less” at UNT. Merchant participation, too, is expected to increase this fall. “The merchants that we are signing up now are predominately either restaurants or grocery stores,” he said. But that’s likely to change as other types of merchants become interested in the program. That could also lead to different types of purses in the student accounts. “In the near future the money in the students’ accounts will be segmented into buckets of money ... some that can be used only for food, some that can be used for anything, such as bookstores and other non food merchants,” said Mr. Rocca. “Students seem happy with the program and our clients seem happy,” said Mr. Rocca. “The system works well, kids like the technology, the coolness of it. We’re really excited about it. Bottom line is it gives kids more options, more choices in where and how they eat. And it gives parents the peace of mind that their students are using the money they send them for food.” Or, as Mr. Wesley pointed out, iMye “is about touching the future.”

“We’re expecting a much higher penetration this fall,” said Mr. Rocca.

Fall 2006

CR80News

Moving from pilots to full-blown programs

The program is also going to expand into other colleges in the Spokane area and possibly at UNT as well. “We’re not going to blow it out just yet. We’re trying to make sure it’s the right thing to do, we’re moving cautiously,” said Mr. Rocca. “We want to grow these test accounts ﬁrst.”

RFIDNews Libraries abadon the barcode in favor of RFID New technology facilitates self-checkout, automated re-shelving, and more Andy Williams Contributing Editor, AVISIAN Publications

If you haven’t been to a public library lately you might be surprised what you find. You might find you can check out your own books and DVDs without the aid of a clerk. You might find a librarian quickly scanning a shelf of books to determine which have been misfiled or are missing. You might find that you can return your books at an off-site drop box and get immediate credit for having returned them. No more rushing to the library itself to avoid overdue penalties. This and more is already available to many library patrons courtesy of RFID.

The new version of ICODE, the tag ﬁrst launched in 1996-97, is called ICODE SLI-S. It includes enhanced security and privacy features with password protection, says Mr. Luidolt. The ICODE SLI-S also offers increased read performance and is speciﬁcally suited for a library’s automated management of its media.

Barcodes, once the library’s main staple for keeping track of its media, are becoming passe. A small paper tag with an embedded chip is today’s leading-edge option. And the move from barcodes to RFID is allowing libraries to increase checkout speed while improving inventory management and theft prevention.

It’s also what makes self-checkout a reality. “People can scan the RFID label on their own, then exit the library through a security gate,” he said.

Netherlands-based Royal Philips Electronics has been helping libraries sort and check out books for about 10 years. In June, the company released its next generation RFID chip for libraries. Philips serves more than 50% of the hundreds of libraries worldwide currently using RFID, according to Markus Luidolt, marketing manager for Philips Semiconductors’ RFID Market Sector Team in Austria. 62

Fall 2006

Self check-out, ﬂexible returns, automated ﬁling, and more

Anyone familiar with other in-store self-checkout procedures will have no problem using a similar system in an RFID-equipped library. A touchscreen guides the patron through the process: “Place your books here, place your library card here...” and you’re done. “Self-serve barcode systems never worked too well,” adds Mr. Luidolt. “You had to scan each barcode, but with RFID you can check out everything at once.”

YOU WiLL FiND THE SMART iD AT CARTES 2006 ACCESS CONTROL - BiOMETRiCS – AUTHENTiCATiON - ENCRYPTiON – CONTACTLESS – RFiD Faced with today’s growing demand for security and the development of services requiring increased identification and authentication, both the private and public sectors are searching for reliable and accessible solutions. CARTES, the major event for pioneering identification technology companies, gathers together in one single roof worldwide players offering identification solutions and applications you need.

3 DAYS YOU CANNOT MISS!

A specific offer • An area located in the heart of the show • Dedicated conferences

PREPARE YOUR VISIT ON WWW.CARTES.COM Free badge • Exhibitors list • Congress registration • Practical infos

2006 The world leading event for Smart Card and Identification

7, 8, 9 Novembre 2006 WW W . C ARTES . COM P a r i s - N o rd V i l l ep i n te E x h i b i t i o n C e n t r e - F r a nc e CARTES 2006 1, rue du Parc F - 92593 Levallois-Perret Cedex - France cartes@exposium.fr

In addition to self-service checkout, consumers can serve themselves when making returns. Here, the item is scanned in and automatically sorted by electronic sorting stations, saving library staff time. Librarians are freed to address other challenges, such as material identification and inventory and information storage. The system works great not only finding lost books -- or actually which ones are lost – but discovering which books have been misfiled. “In the past, you went through the shelves individually,” says Mr. Luidolt. “Now, if you have sports books in the economics section, the system would recognize it.”

“The label on books can go anywhere, but most times it’s ﬁxed near the binding; so if you put it in a shelf, it can be easily read with a handheld reader,” he added. That’s got to be a joy for library clerks who, with the reader, can simply walk down a shelf of books, scanning as they go, instead of having to take each book off the shelf and physically scan it, as was necessary under a barcode system.

RFID’s advantages over barcodes ... “Library systems worldwide are increasingly moving to standardized technology that is both ISO15693 and ISO 18000-3 compliant,” said Mr. Luidolt.

Implementing the new solution from Philips Migration to the new chip is easy, stresses Mr. Luidolt.“You can use (it) in the existing environment ... check-in, check-out and security. The new chip uses the same infrastructure as the old chip in terms of detection.” Only software changes are required. The new password protection feature of Philips’ new chip prevents unauthorized access to sections of the on-chip memory and allows only authorized parties to have the capability to modify the stored data. The password protection also prevents people from illicitly switching off the electronic article surveillance (EAS) anti-theft functionality. That feature alone may be worth upgrading to the new system. “Most libraries that use SLI today and like the new IC will migrate over time,” said Mr. Luidolt. “This means putting the new ICODE SLI-S on new media (replacement of media in libraries is in the area of 10-20% per year) without changes to the system. The system can handle both types easily as they use the same standard ISO 15693 & ISO 18000-3.1.” Without changing its infrastructure at all, libraries would have a “higher theft detection rate due to increased read performance,” said Mr. Luidolt. “That’s especially important for media like CDs and DVDs where detection is more difﬁcult due to the metal content (of the media).”

RFIDNews

The importance of read range in library environments The new chip includes 2 Kbits of on-board memory with a 64-bit unique serial number and 96-bit, one-time programmable electronic product code (EPC). The ICODE SLI-S can be integrated into existing projects and offers reading speeds up to 200 labels per second using the EPC inventory command set and 60 labels per second with the fast inventory read command set, according to specs released by Philips. The chip has a read range of about two meters, depending on system conﬁguration. As to placement, on a CD or DVD, since it’s a small label, “it’s very speciﬁc on where the tag has to be. It should go in the middle of the CD since it will be a rather small label. You need to have the best possible RF performance because the label is smaller, meaning less read range,” he added.

Fall 2006

One of the biggest advantages of RFID over barcodes is its durability. “Our very early experience out of Singapore is that some 10 million labels have been in use for seven years,” said Mr. Luidolt. Compare that life span with barcodes that can get dirty and can be easily torn. The cost per tag depends on volume (number of tags purchased at a time) but typically is 50 cents per tag or lower, he said. One reason for the pricier tags in libraries (compared to those used in the supply chain) is that the tags have to last a long time, said Mr. Luidolt. Supply chain tags need only last until the product is shipped and sold. “Libraries can do more work with the same amount of staff,” said Mr. Luidolt. It could also lead to longer operating hours. Several libraries in Singapore utilizing RFID, for example, are now open 24 hours. Singapore currently has the largest RFID installation globally with more than 10 million labels in use. Other libraries using Philips’ RFID technology include the public library of Shen Zhen, Jimei University Library in Xiamen, China, and the Munich Public Library. Philips has also worked with a US system integrator, Bibliotheca, to supply the Jefferson County Public Library in Denver, Colorado with more than 1.2 million custom printed RFID book tags for use in ten libraries in the area. All public libraries in The Netherlands have adopted RFID in their systems as well as other libraries across North America, including Princeton, New Jersey; Oakland, California; Lexington Kentucky; and the Whitby Public Library near Toronto, Canada. Upgrading from a barcode system to an RFID tag is pretty easy, concludes Mr. Luidolt.“You scan the barcode and an RFID label (is automatically) produced. It’s done kind of on the ﬂy, (so) not a lot of additional effort is required to make the change.”

Today’s RFID seekers asking more sophisticated questions than predecessors Wal-mart’s ‘next 300’ proving to be an educated bunch Marisa Torrieri Contributing Editor, AVISIAN Publications Gone are the RFID conventions dominated by basic questions like “What is Middleware?” Companies on-ready to deploy RFID technology are more familiar with fundamental issues and terms related to supply chain implementations. Whether for government or mass-market retailer mandates, the excitement surrounding the technology itself is a testament to RFID’s growth in the United States and internationally. So as implementation moves beyond the initial 300 Wal-mart suppliers that have generated so much RFID buzz, it is clear that others have learned from these voluntary, and not-so-voluntary, pioneers. Erik Michielsen, director of RFID and M2M for consulting ﬁrm ABI Research attributes the more sophisticated questions asked by companies to a greater overall awareness of the technology’s attributes, as well as an increase in its perceived importance. It’s round two for many players in this space, as the guinea pigs of the ﬁrst compliance-based supply chain implementations had experiences that better educated the end user market.

“Many are now using RFID internally for closed loop asset tracking applications that provide achievable short term ROI and that complement longer term focused supply chain efforts.” Industry veteran Clarke McAllister, with RFID inventory vendor ADASA, agreed. “The general quality of the questions we’re getting is higher

ADASA’s software and accompanying RFID device allows for mobile tagging, so companies don’t have to drag their cartons around a warehouse to a designated spot, before shipping them off to the Wal-Marts of America. Instead, they can embed them with tags as soon as the goods get off the shelf. Veterans in the RFID space caution newcomers to keep a clear head and not get too cocky about implementation. Learning from other companies mistakes, and having a solid vision for implementation are crucial to beneﬁting from the technology. RFID labeling and printing provider Zebra Technologies Corporation issued an online list of 10 “Best Practices” for “next 300 suppliers to WalMart” to adopt. The ‘practices’ are a compilation of lessons learned from Zebra’s experience with a large number of “First 300” suppliers to WalMart. Among the most useful tips: • Choose supplies carefully: If your tags don’t work, you risk missing deadlines for compliance; • Determine the ‘where’ and ‘how’ of smart labeling: Ask questions like, ‘Will you incorporate RFID tags into your current shipping labels or add new label formats?’ • Look beyond compliance for ROI: Zebra suggests companies investigate the ways in which RFID can help improve business practices. Fall 2006

RFIDNews

“As a result, RFID end users are now asking vendors and integrators more challenging questions that relate to longer term RFID implementations,” Mr. Michielsen says. Moreover, adds Michielsen, such initial experience allowed end users to better understand RFID applications beyond supply chain compliance.

than in the past,” McAllister says. “For me, that’s evidence the industry is moving forward.”

More balanced RFID legislation proceeding in California New bill takes a “common sense” approach to RFID vs. Privacy issue Marisa Torrieri Contributing Editor, AVISIAN Publications A new “common sense” RFID bill that encourages the use of RFID technology in state government IDs, while addressing privacy concerns of citizens and organizations such as the American Civil Liberties Union, is gaining traction in California. The bill, AB 2561, co-sponsored by Silicon Valley State Assemblyman Alberto Torrico, represents a more sensible approach to privacy and remotely readable identification cards than previously proposed bill, says the American Electronics Association (AeA), a technology advocacy membership organization, and cosponsor of the legislation. AB 2561 calls for a board of experts to ensure RFID technology is used with security safeguards that protect the privacy of Californians, “while safeguarding the flexibility of technologists to seek investment capital for new privacy innovations,” according to the AeA. AB 2561 directs the California Research Bureau to analyze the use of this technology while seeking guidance from an advisory panel that includes government, technology and consumer representatives. This, according to the AeA, is in an effort to develop best practices that will ensure that adequate and appropriate protections directly correlate with the level of sensitivity of data on the RFID-enabled identification credential.”

First proposed on Feb. 23, the bill passed with bipartisan support in two California legislative committees, says Roxanne Gould, AeA’s senior vice president of California government and public affairs. It was reviewed by the state’s appropriations committee, unanimously approved by the Assembly (House), and sent to the Senate in the closing days of May. The new Torrico bill is intended as an alternative to RFID legislation proposed by Sen. Joe Simitian [D-Palo Alto]. The Simitian bill called for a three-year moratorium for chip-based wireless technology to be studied more carefully before they can be put into government-issued state ID cards (such as driver’s licenses). It was considered reactionary and unfair by many in the technology industry, in that, according to opponents, the bill basically banned the technology rather than legislated against potential improper use.

In creating AB 2561, the AeA approached Mr. Torrico for support, says Ms. Gould. The outcome is a bill supported by organizations on both sides of the privacy issue, Ms. Gould notes. The hope, from the AeA’s perspective, is that the new Torrico bill will help foster consumer acceptance of RFID technology, says Ms. Gould. So far, more than one-dozen states have attempted to pass legislation either limiting or prohibiting the use of RFID. Much of the legislation – and consumer support for such legislation – is based on false or exaggerated propaganda, members of the AeA contend. While privacy is a serious issue, many consumers are unaware of the power of RFID to actually protect privacy – not thwart it, says Ms. Gould. “The protections that can be used (to enhance privacy) are numerous and can be quite comprehensive. It should be more about what data is on the credential that determines the various levels of protection that should be employed. An ID card with a random number does not warrant the same level of protection that the U.S. Passport level of data deserves. One size does not ﬁt all and is not in the best interest of consumers.” Ms. Gould says.

RFIDNews

“Just because it’s a radio tag in a credential doesn’t mean it can be read by unauthorized people. We’re trying to educate people – there’s great beneﬁt in something that’s virtually un-hackable ... so much more difﬁcult to forge than a magnetic strip that’s used on a driver’s license today,” says Ms. Gould. “The spectrum of technologies provides that each have their appropriate niche. Banning any one of them across the board isn’t in anyone’s best interest and stops the evolution of what could be an incredible tool in so many venues.”

Fall 2006

��

✓ ✓ ✓

��