Card Standards & Laws: Effect on Installers
ISO. ANSI. FIPS. TWIC. NIST. Understanding the standards and laws that relate to access control cards can feel like swimming in alphabet soup. But the days of proprietary systems – when all that was necessary was to buy one manufacturer’s cards and readers and they would work together – are ending.
The technology playing field is expanding and getting more complex for manufacturers and security dealers alike, especially for companies that are involved with smart cards – the technology around which most of the standards revolve.
“It used to be in this industry people made things [that were] exclusive to them,” says Debra Spitler, executive vice president, government and national ID, ASSA ABLOY Identification Technology Group, Irvine, Calif., and chair of the marketing committee for the Security Industry Association (SIA). “It was a marketing/selling point. And the consumer was OK with that. They are not OK with that anymore. Systems are more integrated. And the more integration you want, the more you need interoperable systems with standards.”
Jim Colleran, product marketing manager, credential technologies, HID Corp., Irvine, Calif., adds that the development of the smart card industry itself has led to the need for standards.
“It used to be, in access control, the technologies were proprietary. From mag stripe to Wiegand, everybody developed their own. I sold that so someone had to buy my cards and my readers to make their system work.
“Smart cards developed in other markets – like transit and financial – where they were not necessarily selling systems, but components. Standards were developed to define how they would work together. Then you had access control heading towards smart cards because of the need for more security and the need to do more things with a card. The standards were already in place for other reasons, so we started using them.”
But that’s just the beginning of the complex standards issue. There are essentially three levels on which standards are developed: international, federal government, and state/local. At each level, there are key standards or legislative issues that are currently in the works that could potentially have an impact on the access control market in general, and the dealer and integrator specifically.
International/National Standards
Probably the most basic and influential standards that virtually all smart cards must follow are the International Standards Organization’s. Essentially, ISO standards define everything from what a card looks like to how the technology on the card will work.
Dr. Brad Paulson, a consultant with Thor Engineering, Northfield, Minn., is a representative at standards and technical meetings for ANSI and ISO. The American National Standards Institute (ANSI) works closely with ISO to make sure U.S. and international standards will work together.
“Right now a lot of these standards are in a state of flux,” Paulson says. “We are currently working on all the IC (integrated circuit/smart card) standards. Most of those have been or are still in review this year.”
In the access control field, the standard with the most relevance is ISO 14443, which governs contactless smart cards. This is one of the standards under review, Paulson says.
“One of the reasons it’s under review is that in order for contactless cards to become more available for low-end stuff like transit cards and the like, they are trying to find a way to cheapen the manufacturing process,” Paulson says. “One way is to strip out some functionality of the chip, in which case, the standard needs to be changed.”
Another area they are looking at is a standard that would include provisions for machine-readable passports and electronic visas.
The revisions to 14443 are expected to be completed within a year, once technical issues get resolved, Paulson says.
“This one is going to be big,” he says. “It will have huge ramifications on how a card gets built. The biggest issue I see is that there is no real need for it to be a card, per se. It can be anything.
“Defining the card is going to become an issue as those things get implemented,” Paulson adds.
The ISO standards are the bricks and mortar of the smart card world. “[They] define the construction, the physical aspect, the security aspect of producing contact and contactless smart cards,” says Neville Pattinson, director of business development and government affairs, Axalto, Inc., Austin, Texas. “They are the bread and butter of what a smart card company must do day to day.”
What does all this mean to the security dealer? On a daily basis, probably not much.
“They refer to how the card and reader talk to each other,” Colleran says. “On the dealer side of it, somewhere in the specs it may define what standard the system has to work to. As long as the cards and readers say they meet [the standard], the dealer can be reasonably sure they will work.”
Government Standards
If the international and national standards are somewhat invisible to the dealer and integrator, anyone working within the federal government market is deeply affected by the standards being worked on at this level.
While there are any number of standards transpiring right now that impact the marketplace – from the transportation workers identity card (TWIC), to smart card-based passports – the most influential by far is FIPS 201.
Homeland Security Presidential Directive-12 stipulates that all federal employees and contractors must use a common credentialing system which will consist of a smart card. That card will contain both contact and contactless technology (for privacy reasons: the sensitive material will be kept on the contact card, access control will be handled using contactless technology), as well as a biometric component and Public Key Infrastructure certificates and digital signatures.
To meet this requirement, the National Institute of Standards and Technology (NIST) published a standard for secure and reliable forms of identification: FIPS 201. The FIPS 201 Personal Identity Verification (PIV) card is the result of this standard.
“FIPS 201 defines how we all now go on top of the previous specs (such as ISO) to create government identity cards,” Axalto’s Pattinson says.
“Traditionally physical access dealt with fairly simple technology,” he adds. “It was not as secure as it could be. FIPS 201 defines a security regime. It puts a new generation of equipment out into the field handling physical access in a much more secure manner. We are going to see a whole new generation of physical access opportunities for readers and cards that support FIPS 201.”
State Legislation
No standards for access control cards are currently being developed at the state and local level. However, in a few states, critical legislation is being proposed that could have a profound effect on the access control marketplace.
California Senate Bill 682, to establish The Identity Information Protection Act of 2005, was introduced by Sen. Joe Simitian after a northern California school tried to implement an RFID-based attendance system without first informing the parents.
In its current form (the legislation is due to come back before the legislature this month), the bill would place a three-year freeze on the expansion of existing RFID technologies or implementation of new ones.
New Hampshire has followed suit with similar legislation, and two more states may be considering it.
“The legislation in California and New Hampshire are all wrapped around the privacy issue,” says Gerry Cordasco, vice president and general manager, Compass Technologies, Exton, Pa. Cordasco is also vice chair of the access control advisory council for SIA.
“As soon as you talk about storing personal information on a card, people become very concerned about theft of that,” he says. “Identity theft is a hot-button to a lot of people. From a practical standpoint, however, the probability of someone being able to remotely read information is incredibly unlikely.”
One of the problems with these types of legislation is the broad definition of RFID, Spitler says.
“RFID means you can read a tag and get some sort of information off it,” she says. However, applications for it are as wide-ranging as toll transponders, product tracking, proximity access control cards, and contactless smart cards.
“In the marketplace today, people talk about RFID,” she says. “The average consumer doesn’t understand there are different RFID technologies that do different things. You are not going to be able to track someone through a building that is carrying an access control card with an inch or two read range.”
HID hosted an invitation-only forum in December to try to bring policymakers and industry end users together to discuss the issue. “HID is in the security and privacy business,” Spitler says. “We really want to work with stakeholders, including privacy groups, to try and resolve the policy discussion.”
There could be multiple implications of this. “LAX, for example, is a county/city airport,” Spitler says. “They are also working with the federal government on testing of new systems. What happens there? If they decide to put RFID in driver’s licenses and we are in a three-year moratorium in California, do we need a passport to do our banking?”
Another issue could affect the dealer directly. “At one point in the California bill they indicate that no third party could have access to data,” Spitler says. “Typically, systems are sold through a systems integrator. That means the OEM or manufacturer becomes party three or four. Systems integrators would have to do all the programming they typically rely on the manufacturer for. That could be potentially disruptive to how the channel works today.”
Spitler and others are hopeful they can work together with lawmakers to develop legislation that will work for all concerned.
“HID is all for privacy,” she says. “We very much want to work with Senator Simitian to find a way to have appropriate legislation. There should be penalties for people who skim numbers off cards.”
Pattinson is also confident that better information will help the legislators better understand the technology. “With the appropriate use of technology, none of their objections are founded,” he says. “We can produce appropriate technology to answer their security and privacy concerns.”
However, if it passes, Pattinson calls the legislation “fairly devastating to the industry.”
Sidebar: FIPS 201: Impact on Dealers & Integrators
The impact from FIPS 201 could be felt all over the industry. As of last October, federal organizations were supposed to have a plan in place to become compliant. By October 2006, the government will begin to issue the new smart cards.
What might this mean for dealers and integrators? There are multiple issues.
“It’s possible that because of the issue of sensitivity and who has access to cards and readers, there could be restrictions on who could purchase, sell and install the actual readers,” says John Philippi, director of security consulting, Ross & Baruzzini, St. Louis, Mo. “Dealers could be required to go through a screening process.”
At the very least, the FIPS 201 standard opens the market up to new competition, Spitler says.
“You are talking about a card that will have potentially new technology that a lot of access control manufacturers and dealers have not dealt with in a big way before,” she says. “The current card in use uses a contact smart chip module for logical access. The plan for the new card is contactless for physical access and contact for logical. That could be two separate chips or one dual interface chip.”
There are two potential ways things could go on the dealer side, she adds.
“On the positive side there is going to be a lot of rebadging into these new cards that meet the new standards. That could mean card sales. It could mean infrastructure changes, new readers and head ends. It could open up new sales opportunities.
“By the same token, it could also mean a shift in business from the traditional access control integrator to one of the prime [government] contractors.”
While FIPS 201 may have an effect on the dealer, however, the standard itself may not be as directly important as other issues.
“The standards that are being put out right now are very high level communications standards,” says Dennis Caulley, vice president, AccessID, Redmond, Wash. “Manufacturers have to understand that to make a compatible device. It’s much simpler for dealers. The speed of transfer of data is not particularly relevant to them. It’s way back in the specification. They need to know it works across the various platforms they have to install it in.
“I think most dealers will have a major question about how to bring their clients to the new platform. Understanding how to transition from proximity or mag stripe into these new contactless smart cards is something we are definitely seeing dealers concerned with.”
Dealers and integrators who do not operate in the government market are not likely to see much effect from FIPS 201 in the short term. Long term, though, there could be a shift in the marketplace.
“I think you are going to see a lot of large enterprises or corporations watching what’s happening and hoping to benefit by more standardized, open, non-proprietary systems,” Spitler says. “The federal government is trying to drive for non-proprietary systems. They want to be able to meet that spec and buy from a large variety of players. The days of having a proprietary system reader/card are probably going by the wayside. Enterprises are watching what the government is doing. However, watching and following are two different things.”
Pattinson agrees. “I think it will enable the adoption of smart cards for many markets with the availability of open standards. It will allow them to have freedom of choice. It will have a good effect on the end user getting a competitive product and increase the adoption of smart cards and potentially mean more installation opportunities for those installers and dealers.”
Sidebar: Standards ABCs – a Glossary of Terms
- ISO – International Standards Organization
- ANSI – American National Standards Institute
- HSPD-12 – Homeland Security Presidential Directive - 12
- FIPS 201 – Federal Information Processing Standard 201
- PIV – Personal Identity Verification
- NIST – National Institute of Standards and Technology
- TWIC – Transportation Worker Identification Card