ISO. ANSI. FIPS. TWIC. NIST. Understanding the standards and laws that relate to access control cards can feel like swimming in alphabet soup. But the days of proprietary systems – when all that was necessary was to buy one manufacturer’s cards and readers and they would work together – are ending.

The technology playing field is expanding and getting more complex for manufacturers and security dealers alike, especially for companies that are involved with smart cards – the technology around which most of the standards revolve.

“It used to be in this industry people made things [that were] exclusive to them,” says Debra Spitler, executive vice president, government and national ID, ASSA ABLOY Identification Technology Group, Irvine, Calif., and chair of the marketing committee for the Security Industry Association (SIA). “It was a marketing/selling point. And the consumer was OK with that. They are not OK with that anymore. Systems are more integrated. And the more integration you want, the more you need interoperable systems with standards.”

Jim Colleran, product marketing manager, credential technologies, HID Corp., Irvine, Calif., adds that the development of the smart card industry itself has led to the need for standards.

“It used to be, in access control, the technologies were proprietary. From mag stripe to Weigand, everybody developed their own. I sold that so someone had to buy my cards and my readers to make their system work.

“Smart cards developed in other markets – like transit and financial – where they were not necessarily selling systems, but components. Standards were developed to define how they would work together. Then you had access control heading towards smart cards because of the need for more security and the need to do more things with a card. The standards were already in place for other reasons, so we started using them.”

But that’s just the beginning of the complex standards issue. There are essentially three levels on which standards are developed: international, federal government, and state/local. At each level, there are key standards or legislative issues that are currently in the works that could potentially have an impact on the access control market in general, and the dealer and integrator specifically.

International/National Standards

Probably the most basic and influential standard that virtually all smart cards must follow are the International Standards Organization’s. Essentially, ISO standards define everything from what a card looks like, to how the technology on the card will work.

Dr. Brad Paulson, a consultant with Thor Engineering, Northfield, Minn., is a representative at standards and technical meetings for ANSI and ISO. The American National Standards Institute (ANSI) works closely with ISO to make sure U.S. and international standards will work together.

“Right now a lot of these standards are in a state of flux,” Paulson says. “We are currently working on all the IC (integrated circuit/smart card) standards. Most of those have been or are still in review this year.”

In the access control field, the standard with the most relevance is ISO 14443, which governs contactless smart cards. This is one of the standards under review, Paulson says.

“One of the reasons it’s under review is that in order for contactless cards to become more available for low-end stuff like transit cards and the like, they are trying to find a way to cheapen the manufacturing process,” Paulson says. “One way is to strip out some functionality of the chip, in which case, the standard needs to be changed.”

Another area they are looking at is a standard that would include provisions for machine-readable passports and electronic visas.

The revisions to 14443 are expected to be completed within a year, once technical issues get resolved, Paulson says.

“This one is going to be big,” he says. “It will have huge ramifications on how a card gets built. The biggest issue I see is that there is no real need for it to be a card, per se. It can be anything.

“Defining the card is going to become an issue as those things get implemented,” Paulson adds.

The ISO standards are the bricks and mortar of the smart card world. “[They] define the construction, the physical aspect, the security aspect of producing contact and contactless smart cards,” says Neville Pattinson, director of business development and government affairs, Axalto, Inc., Austin, Texas. “They are the bread and butter of what a smart card company must do day to day.”

What does all this mean to the security dealer? On a daily basis, probably not much.

“They refer to how the card and reader talk to each other,” Colleran says. “On the dealer side of it, somewhere in the specs it may define what standard the system has to work to. As long as the cards and readers say they meet [the standard], the dealer can be reasonably sure they will work.”

Government Standards

If the international and national standards are somewhat invisible to the dealer and integrator, anyone working within the federal government market is deeply affected by the standards being worked on at this level.

While there are any number of standards transpiring right now that impact the marketplace – from the transportation workers identity card (TWIC), to smart card-based passports – the most influential by far is FIPS 201.

Homeland Security Presidential Directive-12 stipulates that all federal employees and contractors must use a common credentialing system which will consist of a smart card. That card will contain both contact and contactless technology (for privacy reasons: the sensitive material will be kept on the contact card, access control will be handled using contactless technology), as well as a biometric component and Public Key Infrastructure certificates and digital signatures.

To meet this requirement, the National Institute of Standards and Technology (NIST) published a standard for secure and reliable forms of identification: FIPS 201. The FIPS 201 Personal Identity Verification (PIV) card is the result of this standard.

“FIPS 201 defines how we all now go on top of the previous specs (such as ISO) to create government identity cards,” Axalto’s Pattinson says.

“Traditionally physical access dealt with fairly simple technology,” he adds. “It was not as secure as it could be. FIPS 201 defines a security regime. It puts a new generation of equipment out into the field handling physical access in a much more secure manner. We are going to see a whole new generation of physical access opportunities for readers and cards that support FIPS 201.”

State Legislation

No standards for access control cards are currently being developed at the state and local level. However, in a few states, critical legislation is being proposed that could have a profound effect on the access control marketplace.

California Senate Bill 682, to establish The Identity Information Protection Act of 2005, was introduced by Sen. Joe Simitian after a northern California school tried to implement an RFID-based attendance system without first informing the parents.

In its current form (the legislation is due to come back before the legislature this month), the bill would place a three-year freeze on the expansion of existing RFID technologies or implementation of new ones.

New Hampshire has followed suit with similar legislation, and two more states may be considering it.

“The legislation in California and New Hampshire are all wrapped around the privacy issue,” says Gerry Cordasco, vice president and general manager, Compass Technologies, Exton, Pa. Cordasco is also vice chair of the access control advisory council for SIA.

“As soon as you talk about storing personal information on a card, people become very concerned about theft of that,” he says. “Identity theft is a hot-button to a lot of people. From a practical standpoint, however, the probability of someone being able to remotely read information is incredibly unlikely.”

One of the problems with these types of legislation is the broad definition of RFID, Spitler says.

“RFID means you can read a tag and get some sort of information off it,” she says. However, applications for it are as wide-ranging as toll transponders, product tracking, proximity access control cards, and contactless smart cards.

“In the marketplace today, people talk about RFID,” she says. “The average consumer doesn’t understand there are different RFID technologies that do different things. You are not going to be able to track someone through a building that is carrying an access control card with an inch or two read range.”

HID hosted an invitation-only forum in December to try to bring policymakers and industry end users together to discuss the issue. “HID is in the security and privacy business,” Spitler says. “We really want to work with stakeholders, including privacy groups, to try and resolve the policy discussion.”
If passed as is, the legislation would put a three-year moratorium on any state or local government use of RFID cards, including libraries, driver’s licenses, public schools, and healthcare institutions.

There could be multiple implications of this. “LAX, for example is a county/city airport,” Spitler says. “They are also working with the federal government on testing of new systems. What happens there? If they decide to put RFID in driver’s licenses and we are in a three-year moratorium in California, do we need a passport to do our banking?”

Another issue could affect the dealer directly. “At one point in the California bill they indicate that no third party could have access to data,” Spitler says. “Typically, systems are sold through a systems integrator. That means the OEM or manufacturer becomes party three or four. Systems integrators would have to do all the programming they typically rely on the manufacturer for. That could be potentially disruptive to how the channel works today.”

Spitler and others are hopeful they can work together with lawmakers to develop legislation that will work for all concerned.

“HID is all for privacy,” she says. “We very much want to work with senator Simitian to find a way to have appropriate legislation. There should be penalties for people who skim numbers off cards.”

Pattinson is also confident that better information will help the legislators better understand the technology. “With the appropriate use of technology, none of their objections are founded,” he says. “We can produce appropriate technology to answer their security and privacy concerns.”

However, if it passes, Pattinson calls the legislation “fairly devastating to the industry.”

Sidebar: FIPS 201: Impact on Dealers & Integrators

The impact from FIPS 201 could be felt all over the industry. As of last October, federal organizations were supposed to have a plan in place to become compliant. By October 2006, the government will begin to issue the new smart cards.

What might this mean for dealers and integrators? There are multiple issues.

“It’s possible that because of the issue of sensitivity and who has access to cards and readers, there could be restrictions on who could purchase, sell and install the actual readers,” says John Philippi, director of security consulting, Ross & Baruzzini, St. Louis, Mo. “Dealers could be required to go through a screening process.”

At the very least, the FIPS 201 standard opens the market up to new competition, Spitler says.

“You are talking about a card that will have potentially new technology that a lot of access control manufacturers and dealers have not dealt with in a big way before,” she says. “The current card in use uses a contact smart chip module for logical access. The plan for the new card is contactless for physical access and contact for logical. That could be two separate chips or one dual interface chip.”

There are two potential ways things could go on the dealer side, she adds.

“On the positive side there is going to be a lot of rebadging into these new cards that meet the new standards. That could mean card sales. It could mean infrastructure changes, new readers and head ends. It could open up new sales opportunities.

“By the same token, it could also mean a shift in business from the traditional access control integrator to one of the prime [government] contractors.”

While FIPS 201 may have an effect on the dealer, however, the standard itself may not be as directly important as other issues.

“The standards that are being put out right now are very high level communications standards,” says Dennis Caulley, vice president, AccessID, Redmond, Wash. “Manufacturers have to understand that to make a compatible device. It’s much simpler for dealers. The speed of transfer of data is not particularly relevant to them. It’s way back in the specification. They need to know it works across the various platforms they have to install it in.

“I think most dealers will have a major question about how to bring their clients to the new platform. Understanding how to transition from proximity or mag stripe into these new contactless smart cards is something we are definitely seeing dealers concerned with.”

Dealers and integrators who do not operate in the government market are not likely to see much effect from FIPS 201 in the short term. Long term, though, there could be a shift in the marketplace.

“I think you are going to see a lot of large enterprises or corporations watching what’s happening and hoping to benefit by more standardized, open, non-proprietary systems,” Spitler says. “The federal government is trying to drive for non-proprietary systems. They want to be able to meet that spec and buy from a large variety of players. The days of having a proprietary system reader/card are probably going by the wayside. Enterprises are watching what the government is doing. However, watching and following are two different things.”

Pattinson agrees. “I think it will enable the adoption of smart cards for many markets with the availability of open standards. It will allow them to have freedom of choice. It will have a good effect on the end user getting a competitive product and increase the adoption of smart cards and potentially mean more installation opportunities for those installers and dealers.”


Standards ABCs – a Glossary of Terms

  • ISO – International Standards Organization

  • ANSI – American National Standards Institute

  • HSPD-12 – Homeland Security Presidential Directive - 12

  • FIPS 201 – Federal Information Processing Standard 201

  • PIV – Personal Identity Verification

  • NIST – National Institute of Standards and Technology

  • TWIC – Transportation Worker Identification Card