
NACCU Migrating to Contactless:


Academic year: 2021


(1)
(2)

AGENDA

• The demise of cards has been predicted for many years. When will this really happen? This presentation by two card industry experts will cover the rise of ID cards, the technological innovations that have made them indispensable and the reasons that cards will be with us for a long time.

(3)

AGENDA

• Trends

• Plastic cards

• Contactless smart cards

• Physical access readers

• Contactless payments

• Printing, reading and encoding contactless

• Migrating to contactless

(4)

TRENDS

• New contactless products

– System tools

– Cards and readers

• Decision points for card technology migration

– New building construction

– Card system upgrade

– Transit integration

• IT getting more involved in ID decisions

• Phones!

– Will NFC or mobile apps dominate payments?

– NFC pilot programs

Migrating to Contactless: 2013 4

(5)

CARD CONSTRUCTION

(6)

CARD CONSTRUCTION

Mag Stripe Layer

(7)

CARD CONSTRUCTION

(8)

LAYERS OF A SMART CARD

(9)
(10)

IDENTIFICATION TECHNOLOGIES

• THE CARD HOLDS IDENTIFYING NUMBERS FOR ALL THE APPLICATIONS THAT IT TOUCHES

• EXTERNAL

• Visual

• Printed Image

• Photo

• Printed Number

• Automatic ID

• Encoded Mag Stripe

• Bar Code

• INTERNAL

• Automatic

• Prox Chip

• Contactless Chip

• Contact Chip

(11)

DEFINITIONS - RFID

Three frequency ranges used for Radio Frequency Identification cards:

1. Low Frequency – “Prox”

2. Ultra High Frequency – “UHF” “RFID” “EPC Gen II” (Electronic Product Code)

(12)

PROXIMITY CARDS

Proximity

– “Prox” “Proxy cards”

– 125 kHz, “Low Frequency”

– Up to 100 bits of memory

– Usually pre-programmed by manufacturer

• 25-year-old technology

• HID, Indala, Casi-Rusco, AWID, Kantech

• Vulnerabilities

– New mobile devices that can read and write to Prox cards

– Soon it will be easier to clone Prox than mag stripes

(13)

“RFID”

900 MHz, “Ultra High Frequency (UHF)”

• Used as ID tags for things more often than people

• EPC Gen II – Electronic Product Code

• 30’ Read range

• Not considered as secure as Contactless

• Inventory, vehicles, passports, ski

(14)

CONTACTLESS CARDS

Contactless Smart Cards

• 13.56 MHz “High Frequency”

• Additional rewritable memory available, up to 8K bytes

• Advanced security available – encryption

• Widely used for physical access, transit, payments


(15)

CONTACTLESS MEMORY

For commercial contactless cards:

Memory on a contactless chip is like a hardcover book

– Book cover has the Card Serial Number (CSN) or Universal ID (UID)

• Unique to every contactless chip

• Electronically “stamped” by the mfr.

• Interoperable

(16)

CONTACTLESS MEMORY

• The first chapter of the book can be reserved for the physical access application

– Card ID number, for physical access readers

– Locked with manufacturer’s key

– Recommend unique encryption key for each institution

– Normally non-rewritable area

(17)

CONTACTLESS MEMORY

• Remaining chapters can be used for other applications

• “Putting an application on the card”

– Storing a number in an area of the chip memory for retrieval by a particular application

– Each application has its own chapter

– Often rewritable

• Biometric templates

• Payment data

(18)

CONTACTLESS IDENTIFIER REVIEW

• CSN, UID, CHUID – Free read, not very secure

– Used by unlicensed reader manufacturers

• Physical access control application number

– Encrypted, secure

• Other application numbers

– Contactless credit card payment data mimics mag stripe data

– Biometric templates

• Read/write data

– Some physical access control applications

– Transit fare collection systems

– Payment applications – increment, decrement

(19)

ENCRYPTION

• Keys are like passwords that lock memory sectors on smart cards

• If cards are pre-programmed for physical access, then that application area is locked with a key

• Physical access cards can have manufacturer’s standard key, or a custom key unique to the institution

• HID Elite Key program option for iCLASS

• Unique encryption key for cards and readers
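
An added example, not part of the original presentation and not any vendor's protocol: a toy Python model of the identifier review and encryption slides above, contrasting a reader that trusts the free-read CSN with one that demands proof of the sector key. The HMAC challenge-response, the `Card` class, the key values and the card numbers are all constructed assumptions standing in for a card's real, proprietary authentication.

```python
import hashlib, hmac, os

# Constructed sample keys (assumptions), not real manufacturer or campus values.
STANDARD_KEY = b"constructed-manufacturer-standard-key"
INSTITUTION_KEY = b"constructed-institution-unique-key"

class Card:
    """Toy card: a free-read cover (CSN) and one key-locked chapter."""
    def __init__(self, csn, sector_key=None, access_number=None):
        self.csn = csn                       # any reader can read this, no key needed
        self._key = sector_key               # stays on the chip
        self._access_number = access_number  # physical access application number

    def respond(self, challenge):
        """Return the access number plus proof that the chip holds the sector key."""
        if self._key is None:
            return None
        msg = challenge + self.csn + self._access_number
        return self._access_number, hmac.new(self._key, msg, hashlib.sha256).digest()

def csn_only_reader(card, enrolled_csns):
    """Reader that identifies the holder by the free-read CSN alone."""
    return card.csn in enrolled_csns

def keyed_reader(card, reader_key, enrolled_numbers):
    """Reader that accepts the access number only with proof of the sector key."""
    challenge = os.urandom(16)               # fresh per read, so a reply cannot be replayed
    reply = card.respond(challenge)
    if reply is None:
        return False
    number, proof = reply
    msg = challenge + card.csn + number
    expected = hmac.new(reader_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(proof, expected) and number in enrolled_numbers

def compare_readers():
    issued = Card(b"\x04\xa1\xb2\xc3", INSTITUTION_KEY, b"100234")
    same_csn_no_key = Card(issued.csn)       # presents the CSN, holds no key
    std_card = Card(b"\x04\x55\x66\x77", STANDARD_KEY, b"100234")
    csns, numbers = {issued.csn}, {b"100234"}
    return {
        "csn_only/issued": csn_only_reader(issued, csns),
        "csn_only/same_csn_no_key": csn_only_reader(same_csn_no_key, csns),
        "keyed/issued": keyed_reader(issued, INSTITUTION_KEY, numbers),
        "keyed/same_csn_no_key": keyed_reader(same_csn_no_key, INSTITUTION_KEY, numbers),
        "keyed/std_card": keyed_reader(std_card, INSTITUTION_KEY, numbers),
        "std_reader/std_card": keyed_reader(std_card, STANDARD_KEY, numbers),
    }
print(compare_readers())
```

Only the keyed reader holding the institution's own key rejects both the card without a key and the card locked with the standard key.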

(20)

PERSONALIZATION

• All ID printers have contactless reader options

• Each printer model has to be specifically supported by software

– Smart cards require special support

(21)
(22)

REVERSE TRANSFER PRINTING

(23)

RE-CARD: IN-HOUSE OR OUTSOURCE?

Why Re-Card?

• New card technology

• New card artwork or logo

• New banking relationship

• New card system

Things to keep in mind for your in-house re-card:

• Printers

– Do you have enough printers?

– Rent printers? How many? How long?

• Cards

– Don’t forget to order extra cards for production

• Considerations

(24)

PAYMENT CARDS

• EMV (Chip and PIN) in EU, Canada, other parts of the world

• NFC in Japan, Korea

– Mostly FeliCa, not PayPass (MC) or PayWave (VISA)

• Mag stripe is standard in US

– Some contactless card use

– EMV is coming – standards required by MC and VISA, by 2014

– Many EMV terminals will have contactless readers

– NFC may become payments method in US?

• “NFC was hijacked by the payments industry and has not been heard from since.”

(25)

CONTACTLESS PAYMENT

• Many banks issue contactless payment cards (credit, debit, pre-paid)

– Applications by MasterCard (PayPass), VISA (PayWave), AMEX (ExpressPay)

• It’s all about convenience

– Every transaction must be successful

• The data is not encrypted on contactless payment cards

– Helps assure successful transaction

– Skimming is very easy, especially with NFC phones

• NFC for payments would follow the no-encryption model

– Back-end systems could help recognize fraud

• Bank payment apps could technically reside on your campus cards

(26)

CONTACTLESS FOR TRANSIT

• MIFARE was made for transit

• Legacy systems write payment data to card

• Newer systems are usually account-based

• Chicago is installing an open loop system – Ventra Card

– Based on MasterCard Debit

– Single ride and day tickets, or contactless bankcard

• Closed loop transit data usually proprietary to that system

– Cards must be programmed by transit agency, or under licensing agreement

• UTA is exception - they read CSN

• Latest cards could hold multiple apps

– ISO 14443 standard

• IR aptiQ

• HID SEOS

(27)

CONTACTLESS NUMBERS

• Physical access cards traditionally pre-programmed by manufacturer

– Numbers captured at issuance

• Printer with reader and correct software

• Manually, with USB reader at PC

• Some systems now write data to cards in printer

– Blackboard, with FeliCa and MIFARE

(28)

SECURITY COMPARISON


(29)

THE FUTURE -- PHONES!

• NFC for physical access

– Near Field Communication

– Contactless chip in the phone that talks to phone OS

– Many new smartphones have NFC chips

• Apple, not yet

• NFC for payments

– BYOD

• How to provision and manage?

(30)

NFC CREDENTIALS

• Remember secure credentials on cards?

– Readers at doors look for the same credentials, whether on cards or phones

• VIRTUAL CREDENTIALS!

– Reader mfrs. will not give credentials away for free

– Will integrators charge for this service?

• Credentials for NFC payments

– Could be free?

– Not encrypted

– How to provision phones?

(31)

THE FUTURE – PORTABLE DATA

• One manufacturer’s approach to making data portable

• HID’s SIO – Secure Identity Objects

– Data can be anything – ID number for PACS, employee ID, ISO number

– SIO can be securely stored on contactless card, PC, phone

– SIO data read at door by HID SE readers

• NFC, MIFARE, DESFire, SEOS, iCLASS

(32)

NFC FOR PAYMENTS

• Commercial mobile payment evolution:

• Google Wallet will now have card

• Software solutions (phone apps) already more widely used than NFC

• Starbucks

• PayPal – Home Depot

• MCX – Wal-Mart, Target

• Will use QR codes!

• ISIS

• Verizon, AT&T

• Trying to use NFC

• Network operators own the SIM

(33)

FUTURE - EMV CARDS

• Gold contact chip on front

– “Chip and PIN”

• Global

– 1 billion EMV cards issued globally

– 15.4 million POS terminals

• Coming to the US?

– VISA and MC guidelines

(34)

FUTURE -- PIV, CAC, TWIC?

• Dual interface chip

• Gold contact chip on front

• Used for authentication and logical access

• Contactless interface through antenna in card

• Used for physical access

• No encryption on this data

• US Gov requires background check

• PIN unlocks card

• Fingerprints stored on card

• Iris templates coming

• Smart chip has PKI encryption

• Best portable encryption available

• Many certificates on card for many uses


(35)

CREDENTIAL CONCLUSIONS

• Determine your security requirements and policies

– Levels of security

– Throughput

– Convenience

– Human participation

• Readers are almost forever – choose wisely

• Create migration path to introduce advanced authentication technology

– Multi-technology cards and/or readers

• Visual security for cards is important

• Keep systems that work well and make sense

• Test!

(36)

NFC CONCLUSIONS

• Widespread adoption by payments industry in the U.S. is years away

• NFC could work in closed loop environment

– Has to be fully supported by infrastructure: PACS or payments

– How to manage mobile devices?

• Apple?

• Android

• Windows?

• Test!

(37)

CARD CONCLUSIONS

• More general purpose plastic cards issued worldwide in 2012 than ever!

• Use cards until NFC support is available for your application

• If you need to upgrade from mag or prox, for PACS:

– Buy readers that could read NFC

• iCLASS SE

• aptiQ

• Integrator proprietary

(38)

Migrating to Contactless: 2013

Thanks!

(39)

Questions?

Call or email for more information.

• David Stallsmith

– Director of Product Management

– 704-897-1156

[email protected]

• Todd Brooks
