Cards for access control and identity management are still the main player in the commercial world, with service providers and technology making it easier to manage and print your own cards.
We live in a world where biometric access control and identity verification and authentication technologies get all the attention. And while there are many benefits of biometric solutions in the access and identity world, the reality is most of the world still relies on cards for access.
Apart from being used as a sole access method, in many instances where multi-factor authentication is used, cards still form one factor, supported by biometrics, PINs and other factors. And while many of the arguments in favour of using biometrics, such as not being able to forget you fingerprint or face at home, are valid, these technologies are costly. Moreover, there are always those few people who can’t register their fingerprints, and there are still questions of accurate facial recognition in different lighting conditions and so on.
And, of course, in a world of cyber risks, the issue of using biometrics, or ‘one password for a lifetime’ raises concerns about the security of your biometric. Should a biometric database be hacked and your fingerprint or facial template be stolen, are you at risk? The old cliché of being able to change your password (or card), but not your fingerprint, applies. Of course the biometric companies have encryption and proprietary protocols to ensure your template can’t be reversed into an image, but the Internet has its fair share of scare stories of breaches of biometric security. The Access & Identity Management Handbook 2020 deals with this topic in an article titled ‘The Security of Biometrics’.
The fact is that, for many reasons, cards of various types are still widely used and are unlikely to vanish anytime soon. In fact, cards are still a growth industry that extends beyond access control to banking, loyalty and a range of uses in other markets.
Hi-Tech Security Solutions spoke to John Lakin from CardzGroup Africa and Shaun Stanley, managing director of doculam, asking them about the latest developments in the card industry, and about the trend towards do-it-yourself (DIY) card generation and issuing.
A growing market
Lakin says ID card printing is an interesting discussion topic today, with the market polarising between cards having all static fields printed during the manufacturing phase, as opposed to desktop solutions providing the final personalisation of the variable fields.
He says the manufacturing process provides “extremely good quality finishes with perfect pantone matches and clarity which cannot be replicated on desktop machines, except at great capital cost. If there is a great deal of detail or large areas of colour required this [the manufacturing process] provides the greatest chance of customer satisfaction.
“The capital cost of purchasing hardware and then the inevitable consumables vs. the relatively low requirement for production means desktop setups do not always make financial sense. They do provide an excellent argument for instant satisfaction and complete convenience, but with typical lead times for fully printed cards being around five days, a little planning goes a long way.”
Stanley notes that while card printer technology continues to improve, there are no exaggerated differences in the current printer technologies that are available across the various brands, making purchasing your own card printer somewhat easier. “Encoding capabilities, security features, speed of print and cost of producing a card are generally the features that are focused on for improvement by manufacturers of the ID card machines around the world.”
And while there are numerous card technologies available, Lakin adds that the largest share is still magstripe cards. Cards with embedded RFID are increasing their market share steadily in second place, but he says the high-end products with all the security bells and whistles in the form of contact or contactless chip cards only really appear in volumes in the gaming and banking sectors where advanced security is required.
doculam operates mainly in the security sector, and Stanley says RFID cards are still the preferred card for access control applications. Chip cards have historically been used in the banking sector, however, due to the technology in the cards, these continue to grow in popularity in certain security applications.
As noted above, while access control is a large market for cards, the retail industry is the largest consumer of card products in the form of gift and loyalty cards. “Even those retailers with a good mobile app and online presence still want the ‘real estate’ in your wallet or purse,” notes Lakin.
The impact of biometrics
It’s to be expected that the drive for biometric identification and access control would impact the card market, and biometrics has had a slight impact. However, Lakin notes that biometric solutions have been with us for more than 15 years and the market for cards is still strong and still growing in some sectors.
Similarly, Stanley has seen some decline in card use with the increase in popularity of biometric systems, but he adds that due to the nature of cards and their place in identification, there is little evidence to suggest that cards will become obsolete in the near future.
Interestingly enough, with the view to improving security, some biometric solutions choose to store biometric data on a card as opposed to a centralised database and/or on the reader. “There are benefits to this in that the system only has to do one-to-one verification for each individual as opposed to one-to-many. This speeds up the process and reduces the chances of false identification,” Lakin notes.
Are cards secure?
Despite numerous tales of how insecure cards are and how easy it is to clone them, cards are still popular for access control. The obvious reasons for this are the cost benefits and the simplicity of creating and issuing cards, but those making the decision to use cards for access should be aware of the security implications in their respective environments.
“Card security is possibly the most misunderstood part of the card question because of assumptions made, great marketing and general ignorance,” states Lakin. He offers some insight into the security question.
“ISO standards, which are created to enable us to create interoperability, are also the biggest roadblock in terms of security. If something is secure, it’s not always convenient; and if it’s convenient it’s not always secure. The ISO standards which govern magstripes, 125 kHz RFID and 13,56 MHz RFID cards mean that these are all inherently insecure, yet these are the most widely used technologies in circulation.”
He explains that magstripe cards can never be secured because there is no way to protect the data. Similarly, 125 kHz RFID can never be regarded as secure, despite clever marketing, because these are not ‘smart’ and there is no way to protect the data.
“On the other hand, 13,56 MHz RFID cards where a customer is using the UID (unique ID) are not secure because the UID is not protected. The major difference is that this card can be made secure utilising tools available specifically for that purpose.”
Stanley expands on this, noting that each card has its own level of security and storage capabilities. “The type of card you would purchase should be specific to your application and security requirements, different cards have varying types of capabilities and costs attached. An access control service provider would make the recommendation of which card to use based on the security level and risk of the client. RFID cards transmit data securely from a distance without any physical touch, therefore they provide secure access solutions.”
The issue with card security is not always about the card itself. There are many factors to security, including the way cards are used, the permissions granted, the management of all the cards an organisation issues, and whether the users themselves are taught about securing their access cards.
Advice on DIY card printing
Returning to the issue of printing cards for your own business or relying on a service provider, one must include the security of the cards and the information they may contain (on smartcards for example) when making the decision. Addressing the DIY and outsourced options, Lakin has the following thoughts.
“Card design is a very personal thing for a customer and if you are going to print your own cards, you need to ensure you get the result you are looking for every time. Card printers start at around R10 000 and prices increase quickly, depending on requirements, and you can quickly get to R20 000 plus. These will then need consumables in the same way a photocopier does and all of these costs need to be weighed up against your goal. In many circumstances consumers purchase a printer, use it for the initial rollout and then periodically afterwards.”
When considering the outsourced route, he suggests a visit to the proposed facility is ideal to see the processes in place to prepare the cards, as well as the quality control during the process and before shipment. “Questions should be asked about data storage and destruction, and what safeguards there are in place. For the most part this is an unregulated sector, but best practices should be observed to ensure no data breaches.”
When asked what advice he would offer to a customer, Stanley explains that it really depends on the customer’s requirements. “Smaller customers who have a small staff complement and low staff turnover would be advised to use a bureau service to keep costs down, while it would be more cost effective for companies with larger staff complements to buy equipment and do the printing themselves.
“The pre-printed process can also be used for static data to keep costs down on large bulk volume prints, after which the customer would use the ID card printers and software to personalise the information on individual cards.”
The key to ensuring you receive the service and quality required, according to Stanley, is to ensure the company you select has a track record in the industry.
Explaining the CardzGroup approach, Lakin says: “CardzGroup is a full service company with manufacturing, card personalisation and fulfilment services available. We are able to mix services to meet the immediacy of the customer’s needs. For example, several tertiary education providers purchase cards from us for their new student intake. They require cards manufactured to their specification, but then need to personalise them for each student as they enrol. We manufacture the cards and supply their printers and consumables for the personalisation.
doculam offers both a bureau service and also sells ID card printers. In addition, Stanley notes that hosted services are making inroads into the cards marketplace as well and doculam is actively pursuing solutions in this area. The company recently launched its new Magicard NEO range of printers which have been designed specifically for Africa and its needs. “The coding capabilities of the units help Doculam to secure future orders on film for our distributors and to prevent the spread of clone ribbons,” notes Stanley.
When it comes to deciding on whether cards are the right decision for your access control needs, price is usually the primary concern, followed by the simplicity of issuing new or replacement cards, and then the general ease of use.
Cards have, are and will play a role in access and identification for many years, both in the corporate access control world and beyond in everyday life. Security is always a concern, even for those cards with embedded and encrypted electronics, which means they need to form part of the organisation’s complete security posture in terms of planning and strategy.
For more information contact:
© Technews Publishing (Pty) Ltd | All Rights Reserved