Card, mobile credential, payment and security
Card systems at colleges and universities have typically centered around on-campus commerce and access. But today, they are extending their reach off-campus and opening their on-campus services to more commerce-savvy students, faculty, and staff. Credit card use has continually increased on college and university campuses, specifically in conjunction with their transaction systems. The companies provisioning campus card program technologies, as well as the universities, find themselves facing greater responsibilities and, more importantly, liabilities.
In Blackboard’s case, it meant assuring the 400-plus colleges utilizing the company’s Commerce Suite products that cashless transactions – campus card and credit card – are handled in a secure fashion.
That meant making sure Blackboard’s Payment Gateway has been certified as compliant with major card association security programs, such as Visa CISP (Cardholder Information Security Program), MasterCard SDP (Site Data Protection) program, Discover’s DISC (Discover Information Security and Compliance) program and American Express’ Data Security Operating Policies, said Blackboard’s Tom Bell, vice president, industry relations.
“These programs utilize the Payment Card Industry (PCI) data security standard as the foundation to assess third-party processors,” he added. “This standard ensures that all third-party processes safely and securely store, process, and transmit sensitive credit card data across their network infrastructures. This is the second year that Blackboard has achieved this milestone in the payment card industry.”
In short, universities “want to make sure the partner they’re dealing with is compliant and understands the issues,” said Mr. Bell. “We’re very serious about this.”
As more campuses move to a system that deals with people when they’re on- or off-campus, and even online, “we see more issues with dealing with e-commerce or adding funds to accounts … different ways of paying for things. Blackboard has to provide a diverse choice. Years ago, we didn’t have to worry about this,” said Mr. Bell.
“While many third-party processors are not compliant with the PCI standard, Blackboard proactively met this challenge in early 2004 to ensure all credit card transactions originating from our Web Interfaced Card Management Applications were handled in the most secure way possible,” says Mr. Bell. “Our Payment Gateway is a powerful and flexible channel for conducting cardholder-not-present electronic transactions.”
What are the certification benefits?
“Every member along the electronic payment processing channel – from card association (Visa, MasterCard, American Express, Discover) to acquirer to processor to payment gateways down to the merchant level must comply with these standards in order to accept credit card transactions online,” said Mr. Bell. “Our clients must prove to their acquirers that any processor they are affiliated with is complying with the PCI standards. In short, university credit card acquirers must ensure that the university’s credit card processor(s) are complying with the PCI directives in order to maintain compliancy with their higher-ups, the card associations. In addition to embracing the required security standards, Blackboard provides our clients with a level of confidence when they negotiate discount rates with their Merchant Services Provider.”
Added Russ Palay, Blackboard’s director of e-business and electronic payments: “Visa, MasterCard, etc. mandated it throughout the entire chain … and since we are a third party processor for credit card transactions, we have a responsibility to make sure the credit card data that is transmitted and processed adheres to the card association compliance programs that are bundled under PCI.”
“What’s driving this is customer demand,” said Ron Dinwiddie, senior director of product development for Blackboard. “Pubic and private colleges and Universities are issuing mandates requiring the highest levels of security when accepting credit cards as a form of tender. We will continue providing our clients with the highest levels of security to protect them and their constituents.”
By Andy Williams, Contributing Editor
As the one-year anniversary of The CBORD Group’s acquisition of Diebold’s card systems division approaches, the Ithaca, NY-based company spans the range of colleges and universities – small, medium and now large campuses.
To Bruce Lane, CBORD’s executive vice president, the acquisition was a perfect fit with CBORD’s strategic direction. “Finally the stars aligned to make this happen,” explains Mr. Lane. “I’d been staying in contact with my competitors at Diebold for many years and I kept after them on it.”
“Prior to the acquisition, CBORD had the largest installed base of campus card users in the industry,” said Mr. Lane. “Diebold had larger university customers and that provided us with the need to meet any size campus.” Besides its 650 colleges, mostly in Canada and the U.S., but also in South Africa, New Zealand and Australia, CBORD also has about 200 corporate accounts, including hospitals and companies like Sprint and Daimler Chrysler. CBORD serves between 6 and 7 million cardholders. It is also delving into community colleges.
“We found some beginning synergies that benefited both customer bases,” says Mr. Lane. “Diebold had a very strong core competency in access control. The CS Gold access control product is highly optimized to meet the particular needs of colleges. The product has hundreds of access control installations in colleges. It’s a very powerful, defining product and we’re looking forward to bringing that to our Odyssey customers.”
The $38 million transaction addressed a gap in CBORD’s product line by adding Diebold’s access control and security expertise. The purchase also involved Diebold’s Card System employees migrating to CBORD. Most of them did, a couple didn’t, said Mr. Lane. “There were a lot of great people at Diebold that we are now happy to have as part of the CBORD family.”
Proving to the market that the acquisition makes sense …
CBORD has spent much of the past year proving that the acquisition was good for both companies. “Anytime there’s a change in the players or the marketplace, it’s always reasonable to assume that schools or employees or suppliers are going to get a little nervous. There’s no way to deal with that other than to show it was a good combination,” said Mr. Lane. “Our goal is to make the combined companies as successful as they can be, and to make it viable over the long haul. We’ve worked really hard and made the investment to show the marketplace that it was a logical move.”
For example, he said, CBORD has moved the CS Gold help desk into a new facility in Canton, Ohio. “We’ve also refurbished our training facility in Farmington, New York.”
CS Gold is optimized for large institutions while “Odyssey has a sweet spot among smaller and medium-sized schools,” said Mr. Lane.
“The Gold system is highly desired by institutions that have an IT staff and where the operators are looking for the ability to customize all levels of software for their use. These colleges have the time and resources to get into the system. The Odyssey system accomplishes most of that through user-set parameters where you don’t have to employ a programmer to do it,” he added. Another difference between the two: Odyssey can use a Sybase ASA or Oracle database, while CS Gold is Oracle-based.
“We found that when we were competitors there are customers who want a highly customizable system and others who want a very parameter-driven system,” Mr. Lane added. “(The two products) appeal to very different campus operations. They each have different system architectures. Now either type of customer can find a solution at CBORD.”
Building interfaces and finding shared components
Building an interface between CS Gold and CBORD’s signature Webfood online food ordering system, “was one of first things we did,” said Mr. Lane. Webfood, he said, is now installed in a number of CS Gold schools.
CBORD, he said, also pioneered its campus card users’ ability to use industry-standard POS terminals developed by MICROS Systems. “They’re the largest hospitality POS provider in the world,” said Mr. Lane. “When I started working with them 20 years ago, they were a small company. What’s nice is that now we’re one of MICROS’ largest resellers in the world. That gives our customers better access to service and product enhancements.”
He said Diebold had already begun to install MICROS as a better alternative to making POS terminals themselves. “So use of MICROS was a first, great similarity and point of synergy between the Gold and Odyssey systems.”
He added: “For off-campus programs, a school often takes CBORD card readers and sticks them at off-campus merchants. The readers work off the university’s host. We have hundreds of schools that do that, but we are evolving a new off-campus merchant program, a whole different paradigm to make off campus card use a lot more possible, particularly from a cost perspective.”
Integrating access control into the Odyssey platform
CBORD is also working on integrating Diebold’s access control system into campuses currently using the Odyssey platform. Before acquiring Diebold, CBORD had relied on third-party systems, such as Best, Synergistics and Sensormatic to provide access control solutions to campuses.
“Access control is different because you have to know how to deal with resident students, those on vacation, assigning students various levels of privilege,” said Mr. Lane. “Access control matrixes seem to be lot deeper for universities. They’re not a 9 to 5 operation. The matrix of privileges seems to be more complex for colleges and a lot of off-the-shelf access systems choke on that.”
CBORD is nearly complete with interfacing Diebold’s CS Access, the original native access control part of CS Gold, to the Odyssey platform. However, CBORD will still support third-party access control products if the school doesn’t want to change.
But with CS Access capability, CBORD will no longer have to pass on requests for a one-stop service that includes access control, as the company had to do in the past. “We now have the industry’s best access control system that’s highly tuned to the campus world,” said Mr. Lane. “Some (access control) companies build their systems to work well in a corporate or factory setting, but CS Access is very attuned to the particular needs of the college students and administrators.”
The CS Access portion is not being actively marketed yet. “The development work is done,” said Mr. Lane. “CS Access is battle-proven, Odyssey is battle- proven, so we hope to have it introduced within the next few months.”
The future …
Mr. Lane said he’s been very gratified with the acceptance of this transaction among CBORD’s university clients. “It seems to me the marketplace has accepted the work we’ve done and rewarded us with a number of new accounts,” he said. As to the future: “We have a lot of tricks up our sleeve and cool new things we’re going to be doing. We’ve doubled our development capability (and) we have no plans to do anything but grow. We’re very competitive and we’re very pleased our Gold and Odyssey products are widely accepted in the marketplace.”
Sure, students are a bank’s reason for its campus existence, but a more profitable client base includes the ones teaching the students … as well as the university administrators and staff. But attracting professors and staff that already have a banking relationship is no easy task.
Whitney Bright, vice president, Campus Banking, for U.S. Bank, said that while its programs are “tailored to the students rather than faculty and staff in terms of our ability to offer them services, they’re probably twice as profitable as a (typical) student account.” Put another way: “If we can grow faculty and staff, we don’t have to get as many students to justify the expense (of the branch),” she said.
But how do you attract faculty and staff away from their existing banks?
“We’re looking at how to (better) penetrate that market, but we haven’t yet had great success,” said Ms. Bright.
A method that works with new employees is to grab them before they have a chance to select another bank. “Employee orientation is a great way to get them,” says Ms. Bright. But the bank has to have a good in with the human resources department to make that happen. Ms. Bright reports that some universities have let U.S. Bank be part of the employee orientation program.
For existing employees, Ms. Bright suggests that direct deposit service can present an opportunity. “One of things we did with Marquette is help them with their direct deposit campaign,” said Ms. Bright. “Most schools have some kind of direct deposit. Of course, it does help to have a branch on campus. Then it’s more of a push to bank with us and to have direct deposit with us,” she adds.
At Milwaukee, Wisconsin-based Marquette, “everyone who signed up for direct deposit, received $10. The university appreciated our help in supporting (their effort to) increase number of faculty on direct deposit. If one signed up for a new account, the person got $5 and if he also signed up for direct deposit, the total was $15,” said Ms. Bright.
“(At the on campus branch), we can keep a supply of direct deposit authorization forms … which helps the university facilitate that process.”
Finally, there’s always the convenience factor to consider. In many, it’s easier to walk across campus to make that deposit, cash that check, or use an ATM than it is to leave campus to conduct routine banking business. And if the faculty or staff member has an account with the on-campus bank, he or she can save money as well as time by avoiding ATM fees.
The key to penetrating the faculty and staff market seems to a combination of patience, persistence, and creativity. Encourage your bank partner to keep the out in front of the audience and continually refine the message stressing a range of benefits. Not every benefit (e.g. convenience, cost savings, direct deposit) will resonate with every employee … but it is likely that at least one will. The trick is finding that sweet spot for each individual.
Physical security workhorse begins giving way to contactless as price cuts and multi-technology readers eliminate hurdles
By Chris Corum, Executive Editor, AVISIAN Publishing
You can do more – and you can do it more securely – with contactless than you can with proximity. Few would argue with this statement, yet each year proximity technology continues to outsell contactless in the North American security markets. But new products, attractive pricing, and better market education are turning this tide, making contactless the technology of choice for many professionals charged with securing their physical and logical enterprise.
Contactless technologies use the 13.56 MHz frequency to communicate data between the card and reader while proximity technology uses the lower 125 KHz frequency. Contactless can enable read-write and processing capabilities that become increasingly important as additional applications are desired. Proximity cards are traditionally a read-only technology, where a simple identification number is encoded to the card prior to issuance and that data remains static for life. It is this difference that opens up the possibility for a more robust utilization of the contactless card.
According to Erik Larsen, Product Manager of Identity Solutions for Lenel Systems International, smart card technology enables a host of opportunities. “Post-issuance ID number changes and additions, electronic purse and cashless payment functions, biometric storage and authentication, network access and security, and more,” he explains are all made possible.
The processing capabilities of contactless technologies enable the card to ‘participate’ in the security process, authenticating itself to the reader and protecting its owner’s data until it has verified that the reader is legitimate. “On-board processing also secures key components of biometric identification, cashless transactions, and a wide range of other applications,” adds Mr. Larsen.
So why does prox still dominate in some markets?
With all these inherent advantages of contactless, why do so many security officers and card system managers still opt for proximity solutions? Until now, there have been a number of legitimate reasons for such a decision, though many suggest this is changing.
Price
There has been the issue of price. “Originally it was cost of cards and readers,” says Mr. Larsen, “but those have been addressed.” In fact, in one well-publicized promotion, HID Corp. began offering its contactless cards and readers for the same end-user pricing as its prox offering. According to HID’s product manager for High Frequency Products, Jack Bubany, “the cost for contactless smart cards and readers is comparable with prox and we are working hard to get this word out to the North American market.”
Infrastructure
So if the technology is superior and the price is comparable, what else could be the holdup? As is often the case with new technologies, legacy infrastructure has been a major deterrent for many buyers. The cost and disruption involved with changing out card readers throughout a facility and re-badging the cardholder population has delayed or dismissed many potential migrations during recent years. Says Mr. Larsen, “customers that have a current system in place want to know what is the cost for reissuance and when will the ROI make sense.”
With prior generation equipment, the answer to this question was often met with dismay. But multi-technology readers capable of communicating with both contactless and prox technology are changing the landscape.
Many of the leading security companies are now offering a multi-technology reader. It can significantly ease a transition from prox to contactless by eliminating the need for a mass re-badging effort. New employee cards, replacement cards, and those with need for added security or functionality can be issued the contactless card beginning day one, while other cards are phased in over time or simply allowed to churn via the normal cycle of employee and card turnover.
“Even if a company has not made a conscious decision toward a particular contactless smart technology it’s only a matter of time before someone from the IT department asks the security group about their smart card plan,” says Jon Menzel, President and CEO of reader manufacturer XceedID. “If a company has been purchasing Multi-tech readers over time (and used them as simple prox readers) then they will have already invested a substantial amount toward the smart card upgrade without allocating special funds to do so. This greatly reduces the follow on investment to move all cards and readers to contactless technology.”
But these multi-technology readers are proving to have an important role beyond just a transition-enabler. “Your entire population may not need to go (contactless) smart cards,” explains Mr. Larsen, “or they may not need to go on a first phase deployment. Look at a multi-technology reader for the common areas where both populations need access and then use the 13.56 only at the secure doors.”
“Many large companies are content with their current card populations but have disparate technologies in multiple locations (i.e. HID prox in New York, GE/Casi prox in Los Angeles, and Mifare in London),” explains Mr. Menzel. “… Multi-technology readers function with all of these cards simultaneously saving significant investment dollars required to transition to one card.”
In the past, HID helped clients address the migration from prox to contactless with cards that combined the two technologies, but a new reader provides another alternative. Says Mr. Bubany, “some may see the card as the best migration point and some may see the reader. It depends on the client’s specific environment and needs.”
Education
With the obstacles of price and infrastructure seemingly all but eliminated, what else could delay the move to contactless technology? According to Mr. Larsen, the final hurdle is market education. It seems that while the vendor community has made the transition relatively painless, the buzz has not yet caught up. Say Mr. Larsen, “the general population is thinking it is still too expensive.” Additionally there remains a distinct level of confusion as to the capabilities of contactless technology.
But the end user is not the only community in need of education. “The security reseller and integrator segments need thorough education to ensure they can best help their customers,” adds Mr. Larsen.
Any salesperson will tell you that it is generally easier to sell something you have sold before and know well. This existing comfort level with proximity technology is perhaps the last major hurdle to increased market presence for 13.56 MHz. “The key customer-facing component of this industry is the integrator layer,” says Mr. Menzel, “and they must buy-in to both the benefits of contactless technology and see a reward for selling it over other solutions.”
“At HID we conduct workshops in major cities,” says Mr. Bubany, “one for dealers and one for end users to help them understand what smart card technology offers them. The goal is to give them a level of comfort so that they can feel safe selling the newer technology to clients or implementing it in their organization.”
Next steps
Many suppliers of security components are actively working with resellers and integrators to educate them of the new environment surrounding contactless. As these programs disseminate the information on improved technology, comparable pricing, and stronger security, it seems likely that North America will trend toward contactless technologies … joining the rest of the world’s security markets.
In the next installment of our physical security corner, we will continue this examination of contactless and proximity technologies. Part two of this article focuses on issuance, contrasting the challenges and opportunities that the divergent technologies present to the issuing organization.
By Chris Corum, Executive Editor, AVISIAN Publications
A newly-issued patent covering the movement of funds between accounts via the web is hitting close to home with campus card systems. No surprise as the patent was originally conceived to cover these transfers from a bank account to a campus card account.
In November 2005, United States Patent 6,963,857 was issued to JSA Technologies, a familiar name in campus card circles. JSA has been supplying value transfer solutions to colleges and universities since the late 90s. The technology enables web-revalue of campus card declining balance and other accounts.
“We had a working product late 1998,” says Jon Gear, Vice President of JSA, “and the patent was filed in 1999.“ More than six years elapsed between initial application and final approval, a timeframe that is not uncommon in the patent application process.
“It covers the transfer of funds between networks via the Internet,” says Mr. Gear. He stresses that the patent in no way impacts typical bank to bank transactions as these utilize a common financial processing network. It is when transfers occur from this traditional financial processing network into another network that the patent’s coverage seems to begin.
The opening salvo
In recent weeks, letters were sent from JSA to a number of companies and institutions that have developed systems that, according to Mr. Gear, may infringe on the patent. He adds, “we have not told any institution or organization that they are infringing. All we have done to date is (begin) to notify the market that we have this patent.”
Though the actual number of letters was not provided, it was suggested that there was between 10 and 20 parties notified. Campuses using systems supplied by vendors were not contacted, as the vendor would be the point of contact in these instances. “Schools only received the letter if they had a homegrown system,” said Mr. Gear.
What was the purpose of the letter? The intent can be found in the first line of the press release issued March 16, 2006, “Recently JSA Technologies contacted numerous private companies and several institutions of higher education regarding the licensing of a patent invented and commercialized by our company.“
JSA is seeking to license its patented technology. “We don’t want to shut anybody down,” says Mr. Gear, “if you are happy with what you are doing, we don’t want to stop you from doing it. We will just talk about licensing.“
When asked about the fees sought, Mr. Gear told CR80News that they were not yet determined. “It is premature to know what kind of fees would be expected and they will likely be determined on a case-by-case basis. The license fee will probably be negligible in the grand scheme of things.”
According to a company press release issued March 16, 2006, campuses with homegrown systems were contacted because, “we want to grant them licenses to our patent so they may continue their operations.” When asked by CR80News if campuses with in-house solutions developed for their own use prior to the issuance of the patent will be charged license fees, JSA officials stated that they would need a license if they developed the system after 1998 when the patent was filed.
That JSA is seeking license fees should come as no surprise nor should it be met with scorn. The fabric of an entrepreneurial and capitalist society requires protection of intellectual property. The patent is a hard-earned acknowledgement and legal proclamation of intellectual property. And patents are also not cheap. According to the release, JSA has “spent considerable time and resources developing and commercializing its patented software.”
Implications beyond campus cards
Reading the text of the patent, it seems likely that the reach may extend well beyond campus cards. Other financial systems that operate outside of the traditional banking network, but rely on it for revaluing or replenishment, may well be impacted.
Would gift cards architectures that operate within standalone or closed loop networks yet enable web-based value transfers from bank or card accounts be viewed as infringing? What about peer-to-peer payment networks like Paypal that rely on value transfers from bank accounts to fund their online payment service?
Mr. Gear said it was not something he was prepared to comment on suggesting only that, “we would have to have discussions to determine the extent to which these things may apply.”
Dissecting the patent into layman’s terms
We have done our best to translate the morass of ‘patent-speak’ into language that the average non-attorney can understand. The following translation is for the abstract of the JSA patent.
Actual language: The present invention is directed to methods of, and systems for, allowing an account participant to add value via a wide-area network to a first account from a second account. A first account server coupled to a wide-area network supports the first account. In a preferred embodiment the wide-area-network-accessible value transfer station (VTS) includes a central processing unit for executing instructions, and a memory unit. The memory unit includes an operating system, software for receiving from a participant via the network a) second account identification information, and b) a value that the participant desires to transfer to the first account from the second account, second account verification software for receiving the second account identification number from said receiving software and for verifying that the second account authorizes the transfer of the specified value, and value transfer software for receiving a value from the receiving software, for receiving a verification from the verification software, and for transferring the specified value to the first account from the second account if the verification is received. The wide-area-network-accessible VTS further includes conductive interconnects connecting the central processing unit and the memory unit to allow portions of the wide-area-network-accessible value transfer station to communicate and to allow the central processing unit to execute the software in the memory unit.
Translation: The patent is for a system that enables an account holder to transfer funds (or value) from one account to another account via the Internet (or wide area network). The first account operates on a specific network. A value transfer station (VTS) is a computer or similar device with connectivity to that network. The VTS runs software to accept (for the account holder) a second account number and a dollar (or value) amount to be transferred into the first account. The software also (1) verifies that the second account authorizes the transfer (e.g. that sufficient funds or credit are available), (2) receives the electronic transfer of the funds, and (3) adds that value into the second account. The VTS’ CPU and memory are connected such that the CPU can execute the software contained in the memory.
Text of the press release issued by JSA on March 16, 2006:
Recently JSA Technologies contacted numerous private companies and several institutions of higher education regarding the licensing of a patent invented and commercialized by our company. Since that time there has been much debate about the implications of the patent. It is my hope that this communication will address these issues and clarify our intentions regarding the enforcement of the patent.
JSA has been in business since 1998 and has spent considerable time and resources developing and commercializing its patented software. The patent was obtained to protect the business and intellectual property rights of JSA Technologies. Without the patent, companies with greater capital resources could use our invention for their financial gain and attempt to drive JSA Technologies out of business. That is why we sent communications to college and universities who have developed solutions that may infringe upon the patent. We want to grant them licenses to our patent so they may continue their operations.
JSA Technologies was founded on the principal that colleges and universities should be given the opportunity to choose their own path. No one company should be able to dictate what solution is used to satisfy a business objective. We spoke with many institutions frustrated with the limited offerings from their card system provider and developed our unique WebVTS™, StudentLink™ and MerchantLink™ products to address their needs.
We champion the concept of unique solutions and custom designs. That is why it is so important that everyone know our intentions regarding the patent. If JSA cannot meet the business requirements of a given college or university, we do not want to prohibit the institution from finding a solution that does. If, however, the solution uses our patented technology, we will request an appropriate licensing agreement.
We want you to choose JSA Technologies based on the quality of our product and not because we have a patent.
I encourage you to contact JSA if you have any questions or concerns about our patent.
David Johnson
President/CEO
JSA Technologies
(877) 572-8324 x2200
[email protected]
Additional resources:
To visit JSA online, click here.
To read the full text of the patent online, click here.
By Andy Williams, Contributing Editor, AVISIAN Publishing
Shackled by an outdated card program and its proprietary operating system, Nova Southeastern University (NSU) went looking for something bigger and better and, more importantly, a campus card that would enable the university to keep pace with technology.
With its 27,000 students, NSU, located in Fort Lauderdale, Florida, is the largest independent higher education institution in the southeast and the seventh largest in the U.S. Founded in 1964, the not-for-profit university has branch campuses in Miami and Dania Beach, with the Dania location housing the Oceanographic Institute, and what NSU calls “student educational centers” in Tampa, Orlando, Miami, West Palm Beach, and Jacksonville, Florida, Las Vegas, Nevada, the Bahamas, Jamaica, and Puerto Rico.
John K. Brueck, Jr., Nova’s director of Campus Card Services, said it was a “pretty elementary decision” to seek a new card program. “We were handcuffed with our current program. We can’t develop new applications or get new equipment because it’s a proprietary operating system, and it was getting more and more expensive to operate.”
Nova’s current campus card would not have appeared to “outdated” to many observers. It was a smart card with a 1k and 4k chip as well as proximity capability and a magnetic stripe. The system offers physical access to buildings and parking lots on campus, acts as a library card, and functions for a host of payments. “Through the smart chip in a contact environment, users can pay at POS stations, use copiers, pay for print, laundry and vending,” said Mr. Brueck.
Replacing the existing smart card system in pursuit of better functionality
But administrators felt constrained by the current system as they found it impossible to add functionality. In addition, they have several different cards –five in all – that are utilized for different functions. That was another reason the college needed change. Administrators wanted a single card – a true one card system.
He said the university “wanted to offer our students superior service. We needed to have a partner that could develop new applications and new opportunities, something that would ease the student experience and positively affect the way students move about campus. It made sense, then, to move to a larger card system that would offer more functionality.”
The college tasked Siemens Corporation, to start exploring what was available and what would work. “Siemens was already established providing infrastructure on our campus,” said Mr. Brueck. That included the college’s security system, including access control and cameras.
“We looked at various vendors based on where we wanted to go with our card program. Siemens identified SmartCentric Technologies International Ltd. as the best fit and reached agreement with the company to provide the smart card system.”
SmartCentric Technologies, based in Ireland, has successfully installed campus card programs, based on its SmartCity system, at about 15 universities, mostly in the U.S., including schools in Orlando and Tallahassee, Florida. SmartCity is a multi-application smart card-based system that includes stored value, loyalty, gift cards, logical access, physical access, biometrics, car parking and ticketing.
“Nova wanted a system that would give them the flexibility to grow their programs,” said SmartCentric’s CEO, Kieran Timmins. “They’re not just buying for today, but tomorrow.”
The partners – Siemens and SmartCentric – also had to take into consideration the university’s “complex requirements,” said Mr. Timmins. “Nova has very diverse campuses … the main one in Fort Lauderdale, one in the Carribean, etc.”
We are working very closely with Siemens,” said Mr. Timmins. “Siemens is on the ground doing project management, requirements analysis, and working with Nova to make sure the networks … the technical architecture is in place.”
Big plans for the new system
Every student – whether at the main campus, in the Bahamas, or in Orlando – receives a student ID card from NSU. However, it depends on what’s available at the specific campus as to what else the card can be used for, said Mr. Brueck.
“The ultimate goal is to take the applications on our south Florida campus, such as pay for print, and grow the applications, where prudent, to extend them to our other campuses,” Mr. Brueck added. “There might not be a need for a meal plan at Las Vegas but you might have web revalue. One of the other things is to have the ability to grow our program outside North America, to be able to do business in different currencies at the cash value stations. For example, the cash revalue stations in Jamaica would accept Jamaican dollars. If we open a campus in Europe, it would accept euros.”
This parallels with what Mr. Timmins says is “the concept behind SmartCity … not every card holder has to have the same profile or even the same size card. In the old days of smart cards, everyone had the same card. Now we can select very precisely who will need what.”
The SmartCity One Card., utilizes both contact and contactless technologies, Nova’s phase one applications will include student, faculty, and staff ID cards; cashless purchases at POS, vending machines, pay for print, meal plans; a web-based card revalue and card holder portal; and access control. The access control portion will incorporate both physical and logical applications and will use biometrics where needed.
The biometric portions, said Mr. Timmins, will be match-on-card. “When you do biometric authentication, you’re authenticating against the card, not a database.”
Mr. Timmins said the new system is planned for early 2007. “There is a significant amount of work that needs to be done, not the least of which is support for the Siemens Card operating system.” Siemens will be supplying the chip and the card, he added, “with SmartCentric supplying the software.”
The card will be a combi-card with prox and an embedded 64 k contact chip from Siemens on the card. “Biometrics (for physical access) can go on either the contact or contactless portion. The contactless portion of the card will support prox technology so the existing investment in prox readers will be maintained,” he added. “We’ll be taking out existing readers on laundry and vending and replacing with our own readers. In the initial phase we’re aiming to replace what they have today: vending, laundry, POS, pay for print.
Moving to the future
Web-based revalue will allow cardholders to look at the value on the card and where it was used. There are also plans for logical access, but I’m not sure which phase this will fit into. Next will be e-ticketing and off-campus use. Digital certificates (the ability to digitally sign documents) is also on the list of possibilities.”
“We want to go with single sign on and digital certificates, but whether we move in that direction or not, we’re currently evaluating,” added Mr. Brueck. The card-based digital certificate program would primarily be used at the university’s health care center.
As to moving off campus, it will come, but not right away. “We know we’re going off campus,” said Mr. Brueck. “There’s a lot of interest from retail food establishments with what we’re doing and students want to be able to pay for services off campus. Web revalue will help with that functionality.” That’s one of the reasons the college is planning to place up to four purses on the card.
In the e-ticketing phase, NSU cardholders will be able to pay for event tickets over the Internet and load the ticket to their NSU card, making entry to NSU’s University Center (opening in August) easier on the patron, said Mr. Timmins.
The initial rollout will be 30,000 cards. “We’re going through workshops with them at the moment to determine what will be in phases 1, 2, 3, etc.”
“We’re looking at doing what’s right,” said Mr. Brueck. “We’re taking baby steps. We’re being methodical and not growing beyond our britches too quickly. We feel very comfortable with Siemens and SmartCentric. We look at this as a partnership but also as a family because we’re going to be working very closely with them.”
Additional resources:
To visit the NSU card program on the web, click here.
To visit SmartCentric on the web, click here.
A Colorado-based manufacturer of contactless security readers has significantly strengthened its market position with a major announcement in the physical security space. XCeedID’s multi-technology readers - capable of reading prox plus an array of contactless card flavors (e.g. Mifare, DESFire, iCLASS, my-d) - have been selected by Lenel for private-labeling.
Lenel Privately-Labels XceedID Multi-Tech Readers
GOLDEN, COLORADO – February 9, 2006 – XceedID Corp. recently entered into a private-label OEM agreement with Lenel Systems International, the leading provider of software and integrated security management systems. XceedID Corporation’s innovative line of ISO-X™ Multi-Technology readers will now be available under the Lenel brand as the Lenel OpenCard™ Reader series.
XceedID and Lenel worked together to customize the versatile ISO-X Multi-Technology reader for use with the Lenel OnGuard® security platform, creating a unit with unprecedented functionality. Using OnGuard OpenCard™, Lenel’s smart card encoded information standard, the Lenel OpenCard Readers support HID® proximity, GE/CASI® ProxLite®, my-d®, MIFARE®, MIFARE DESFire®, HID iCLASS™, XceedID ISO-X and other technologies. The devices can read proximity numbers, smart card serial numbers and the data application areas of contactless smart cards.
“XceedID is pleased to be working closely with Lenel to deliver innovative reader solutions to the market. We expect our threaded partnership with Lenel to grow with current and future products and we anticipate that our combined offering will be a significant value-add for the Lenel customer base.” said John Menzel, XceedID President and CEO.
“Lenel is very pleased to now offer flexible, competitively-priced readers that support multiple card technologies with an open standard,” said Erik Larsen, Product Manager of Identity Solutions for Lenel Systems International. “The Lenel OpenCard Reader series provides a viable solution for customers who are transitioning from one card technology to a newer standard, or for those who require multiple card technologies in a complex access control environment.”
The Lenel OpenCard Reader series includes a mullion-mount reader, a mid-range reader and a mid-range reader with a keypad.
About Lenel
Lenel Systems International, Inc. is a global leader in the development and delivery of scalable, integrated systems for the commercial security market, with more than 12,600 system implementations in 75 countries. Lenel is headquartered in Rochester, New York, with sales and support coverage in all major world markets. Lenel is a subsidiary of UTC Fire & Security, which is a business unit of United Technologies Corporation (NYSE:UTX). More information about Lenel and its products can be found on the company’s web site at www.lenel.com.
By David Wyld, Contributing Editor, AVISIAN Publications
When visitors step up to the gates of the four Disney World theme parks, the Magic Kingdom, Epcot, Animal Kingdom, or the MGM Studios, they will encounter something unexpected and largely foreign to them. Disney has embarked on a program to use an established biometric technology – finger geometry – to secure its valuable passes. Ostensibly, this new security is for the benefit of the pass owner. However, it is also being implemented to secure Disney’s pricing structure and marketing strategy. It has not come without controversy – and at least a bit of confusion.
What is Finger Geometry?
Hand geometry has been aptly described as “the ‘granddaddy’ of all biometric technology devices.” It is essentially based on the fact that virtually every individual’s hand is shaped differently than another individual’s hand, and over the course of time, the shape of the person’s hand does not significantly change. Operationally, finger or hand scanning systems capture the physical, geometric characteristics of an individual’s hand – with most systems having the capacity to do so in less than a second. From these measurements, a profile or “template” is constructed which will be used to compare against subsequent readings by the user. Finger and hand geometry are considered somewhat interchangeable terms. However, hand geometry evaluates the person’s entire hand form as a biometric identifier, while finger geometry looks only at a subset of the five fingers to form the identifier. In either case, such geometry does not entail the taking of a person’s fingerprints. In a recent study, the National Academies of Science of Science found that while a person’s finger geometry is indeed far less distinctive than his/her fingerprints, hand or figure biometrics is indeed suitable as an identifier for a wide variety of circumstances, where one in a thousand uniqueness is sufficient.
Finger geometry has been used successfully since its commercial introduction in 1975, when it was brought to Wall Street for security purposes by the investment firm of Shearson Hamill. Over the years, it has been utilized to provide secure access and verify one’s identity in a wide variety of settings, including:
Probably the widest use of finger or hand scanning is in the corporate realm, where such scanning is used in complement with employee badges, passes, and ID cards to prevent payroll fraud, a seemingly intransigent problem which has been estimated to cost employers in the U.S. alone hundreds of millions of dollars each year. While other forms of biometrics may be growing more rapidly, there is still substantial growth potential for hand and finger scanning, In fact, according to Biometrics Info, hand geometry revenues have been forecast to reach $97.4 million in 2007, which represents an almost 400% growth in the market since 2002.
Giving Disney Your Fingers
Disney has moved over the past decade to use automatic identification in various forms. In 1996, the company moved away from a hard plastic laminated pass for all holders of multiday or annual passes, which contained both a bar code identifier and a photo of the passholder. In its place, Disney began issuing mylar paper passes. These new passes had no photo identifier, and indeed, contained only minimal visual evidence of ownership, basically only the guest’s name and the expiration date of the pass. Beginning in June 2005, all Walt Disney World parks began using finger scanning at its park entrances to complement the security measures embedded in its mylar passes. When a Disney guest presents his pass at the turnstile, he is asked to insert the pass into a reader, and after doing so, to make a “peace sign” with his index and middle fingers and insert those fingers into a scanning area. During the scan, a camera takes a picture of several points on each person’s index and middle fingers and assigns a numerical value to the image. The scan – which is accomplished in less than a second – measures the length and width of the individual’s two fingers and the spread distance between the digits. Once the scan is taken – and all adults are required to do so - the pass is returned to the guest.
For a number of years now, Disney’s marketing approach has been to shrewdly push the sale of multi-day and annual passes to its theme parks that comprise the Disney World complex (Disney passes are not interchangeable between its parks in Anaheim, California and Orlando, Florida). The pricing structure at Disney World’s is transparently meant to encourage its visitors to buy passes for longer stays at its Orlando properties. In fact, the daily price of a Disney park visit drops significantly as longer-lasting park passes are purchased – by half at the 7-day mark and by almost two-thirds at the ten day market. To put it quite simply, Disney makes about $200 more by selling five separate two-day tickets than by selling a single ten-day pass. So, to protect its revenue stream, Disney does not allow its annual or multi-day passes to be shared or transferred. They don’t want people to buy a ten-day pass, use it for two days, and then resell the pass to a buyer to use the remaining days.
Not only do longer stays mean that families visiting Disney World will have more opportunities to spend more money on food and beverages, souvenirs and trinkets, and other experiences, such as breakfast with Cinderella, while on Disney property. Perhaps even more importantly, the passes serve to “lock-in” guests to focus their Orlando visits on Disney parks, rather than spending their time – and money – at the competitor’s parks and other entertainment experiences available in this burgeoning family resort area.
A mixed reaction
From Disney’s perspective, the ticket tag is a necessary security measure that does not violate its customers’ privacy. According to Disney spokeswoman Kim Prunty, contrary to some reports, “We’re not keeping a database of fingerprints.” In fact, the company does not maintain a permanent database of scans, as the information is purged from its systems after the individual’s pass expires. Disney has also not disclosed the vendor for its biometric system.
However, Disney’s move to finger scanning has generated some degree of controversy since its implementation. Since Disney defines an “adult” park guest as being 10 or older, many minors are being subjected to finger scanning. Leading privacy groups have also attacked Disney’s move. The American Civil Liberties Union recently called the addition of biometric technology “a step in the wrong direction.” EPIC – the Electronic Privacy Information Center – recently issued a blistering attack on Disney for its use of finger scanning. It called the practice a “a gross violation of privacy rights,” as there is little notice given to consumers as to why their biometric information is being collected, how it will be used, and the protection afforded to the data. EPIC also criticized Disney’s move based on the legal principle known as “the proportionality test,” which can be encapsulized as whether the amount and type of information being collected equals the level of security being sought? To date however, there have been no lawsuits filed against Disney over its use of finger scanning technology.
Surprisingly, both at ticket sales’ locations and at the actual park entry points, Disney has not seen fit to post information on exactly what is being done when the park patrons are asked to make the peace sign and insert their digits into the reading machine. Most patrons – and even some public interest groups and media covering the developments at Disney - have assumed that the company is fingerprinting park visitors and matching the passholder’s print to the pass – and perhaps even other databases, such as criminal records, sex offender registries, and terror watch lists. This has led some industry observers to criticize Disney for having a corporate communications problem in not explaining the “why’s” for the use of the technology to its patrons, while others have seen fit to call upon Disney to find creative ways to leverage the technology - and the data it collects – beyond gate security to provide better in-park customer experiences for its guests.
Good technology often makes good business sense
What is certain is that we will see more such applications of finger geometry in the future, as Disney is by no means alone in exploring how this established technology in the theme park industry. Indeed, according to a report from The Orlando Sentinel, several of the company’s principal competitors are looking to implement similar pass protection technology to their valuable tickets and passes in 2006, including:
From the perspective of Dennis Speigel, President of International Theme Park Services in Cincinnati, such biometric scanning may be a necessary tool for the entire theme park industry. He recently observed that: “Tickets are very expensive for these facilities. If you can hand them off, it costs the parks money. The introduction (of this type of solution) will be used more broadly in the industry in the future.”
For now, the introduction of finger scanning seems to present Disney with an operational challenge to get visitors used to the new requirement. The reaction of Simon Henson, who visited Disney while on vacation, is common. As Mr. Henson put it: “Overall it’s good. But it seems to make the queues longer. No one seems to put their fingers in all the way on the first try.”
About the author:
David C. Wyld ([email protected]) is the Maurin Professor of Management and Director of the Strategic e-Commerce/e-Government Initiative at Southeastern Louisiana University.
Higher cost and lower market demand slows the adoption of PVC’s biodegradable rival … for now
By Marisa Torrieri, Contributing Editor
It sounds corny to some, but the latest card en route to consumers’ wallets promises the same durability of traditional petroleum-based (PVC) cards without using up one of Earth’s most valuable and dwindling resources … oil.
A new card made from processed corn got a big push when card manufacturer Arthur Blank & Co. (ABCO) announced last month it is ready to roll out millions of the regurgitated stalks for environmentally conscious retailers – whether they’re producing gift cards or highly secure access control or ID cards.
Called “CornCard USA” by Arthur Blank & Co., the card itself can be composted, incinerated and mechanically recycled in industrial facilities. This new corn-based card can be used in the same applications as the more traditional petroleum-based counterparts. The CornCard USA may be printed with most of the special inks and panels Arthur Blank offers, and with a number of security measures (i.e., specialized inks only visible with infrared and black light readers, or Guilloche printing).
While CornCard still reportedly costs nearly 10 percent more than PVC, Arthur Blank’s new rollout isn’t the only indication that these cards should be taken seriously. Major corporations such as Microsoft and Wal-Mart have said they are seeking renewable resource alternatives to traditional packaging, notes Jake Jacobs, vice president of sales for Arthur Blank & Co.
“Unlike petroleum-based cards, corn-based cards can be mechanically recycled, composted (this takes several years) and won’t release toxins when burned,” says Mr. Jacobs. “Creating the resin from corn also produces much less harmful gas than producing plastic from petroleum. On a small scale, this isn’t as big a deal, but when you consider Arthur Blank & Co. used 8 million pounds of raw materials last year for gift cards alone, you can clearly see the environmental benefits of using corn-based cards.”
You can’t eat them, but you can swipe them: Cards look, feel the same as PVC
Processing corn cards involves several steps, explains Todd Niemuth, marketing manager for Spartech Corporation, the “plastic sheet extruder” company that makes CornCard USA Sheets for Arthur Blank & Co. Spartech competes with PVC sheet extruders, using the process of fermentation, followed by polymerization.
The process of corn polymerization, the first step in making corn cards, is similar for both corn- and oil-based plastics, explains Mr. Niemuth, who notes that the process is just as complex for both corn and oil plastic. Conducted by NatureWorks for Spartech and ultimately, for Arthur Blank & Co., the process involves turning raw materials into tiny pellets.
First, the corn is planted, harvested, then sent to a milling plant where starch is separated and isolated from other components. The starch is converted to sugar. Then, through a fermentation process much like making wine or whiskey, micro organisms convert the sugar into a lactic acid, which ignites the biological process of polymerization. The polymer, or plastic, is formed into pellets that are sold to Spartech.
“The most environmentally significant difference is that PVC is derived from oil, something that takes millions of years to regenerate, while PLA is derived from corn, a plant that grows in roughly 100 days,” Mr. Niemuth says.
Then, the sheet extruder takes the pellets and mixes its own proprietary blend of chemical additives to give the corn-spawned plastic better strength, before flattening it into thin sheets that look like a thick sheet of paper.
“You can get 60 cards out of one sheet of plastic,” Mr. Niemuth says.
After the sheet extruder turns the pellets into sheets, they are then shipped to Arthur Blank & Co., which adds its own, top-secret binding formula to the sheets before churning out the corn cards. The formula, developed by ABCO, is necessary to prevent problems such as ink bleeds and cards that curl at the edges. The formula is a result of several years of trial and error, as bad printing and imperfect cards were an industry-wide problem for years, Mr. Jacobs says.
What will turn corn into a corporate cashpot?
If the cost of oil continues to rise, it won’t be long before both card manufacturers and retailers start following Arthur Blank’s lead by investing in alternative resources.
But for now, the biggest challenge to adoption is that retailers are not demanding the CornCard, say a number of Arthur Blank’s manufacturing competitors.
Versatile Card Technology (VCT), for instance, makes a huge range of cards for a variety of industries, but according to a source, the company won’t consider making CornCards without customer demand.
“They’re really expensive,” says a VCT spokesman. “It’s more client-driven,” and clients are interested in “highest print quality at lowest price.” PVC cards are industry standard and CR80 cards cost 10 cents apiece, the spokesman notes.
Should environmentally conscious vendor such as Whole Foods Market want to order one million corn cards, however, VCT would jump on the chance to make them, the spokesman adds. Until then, “PVC’s a very rugged, durable material,” the VCT spokesman says.
But Mr. Niemuth believes that all of the leading card manufacturers are definitely keeping plans to manufacture corn cards. While the cost of corn remains stable, oil prices continue to skyrocket. When the price of making CornCard USA becomes more competitive, manufacturers will become even more accommodating.
“I think it’s safe to say every non-secure card manufacturer in the top 10 has asked us for trial material, and has it or will get it soon,” Mr. Niemuth says. “That doesn’t necessarily mean they have demand, but there’s a tremendous amount of interest.”
Additional resources:
To visit Arthur Blank & Co. on the web, click here.
To visit Spartech Corporation on the web, click here.
To visit Natureworks PLA on the web, click here.
Debitek, a card reader/device manufacturer and stored value solution provider, has been acquired from its prior owner Ingenico by Heartland Payment Systems. Debitek is well-known in the “closed system” card market with more than 20-years experience providing mag stripe and smart card payment solutions to college campuses, corporate sites, gaming/entertainment venues, and correctional facilities.
Heartland Payment Systems Acquires Debitek
Acquisition Provides Prepaid and Stored Value Solutions Platform in Rapidly Expanding Small-Dollar Transactions Market
PRINCETON, N.J., Feb. 13 /PRNewswire-FirstCall/ – Heartland Payment Systems, Inc. (NYSE:HPY), one of the nation’s largest providers of merchant acquiring services, today announced it has acquired Debitek, a leader in prepaid and stored value solutions. Debitek immediately provides Heartland with a proven platform in the stored value and prepaid market, particularly with respect to small-dollar payment applications.
Robert Carr, Chairman and CEO of Heartland Payment Systems, Inc., said, “Debitek is a leader in the prepaid and stored value solutions industry with arguably the most successfully deployed technology of its kind in the United States. A prepaid and stored value solution is also an ideal platform to capitalize on the growth opportunities of small-dollar transactions, which is a large and rapidly emerging electronic payment solutions market. Debitek’s substantial installed base utilizing their proprietary software provides a solid foundation for penetrating this market. We are excited about the opportunity to broaden our product offering while also entering the new markets already served by Debitek solutions.”
Debitek, headquartered in Chattanooga, Tennessee, has an established client base utilizing approximately 130,000 payment devices, and an experienced and dedicated management team. The Company has a proven, reliable solution to transfer value to either Mag stripe or Chip (“Smart”) cards. Among its many applications, Debitek provides its cashless solution to numerous university and business campuses across the country - including the Universities of Florida and Minnesota, Northwestern University, and BMW, Coca- Cola and Morgan Stanley - as well as the entire Federal penitentiary system.
Larry Hauser, Vice President and General Manager of Debitek, said, “We are pleased to be joining with Heartland Payment Systems. With Heartland’s extensive resources and nationwide infrastructure, we can accelerate growth within our established markets as well as broaden our reach into new markets. We also envision numerous synergistic opportunities to leverage our prepaid and stored value technology with Heartland’s payroll and transaction processing leadership.”
Financial terms of the transaction, which was structured as a stock purchase, were not announced. Heartland believes the transaction will not have a material impact on earnings in the near term.
About Heartland:
Heartland Payment Systems, Inc. (HPS), a NYSE company trading under the symbol HPY, delivers credit/debit card processing and payroll solutions to over 110,000 small to medium-sized merchants throughout the United States. HPS also provides additional services to its merchants such as gift and loyalty card programs, paper check authorization, and sells and rents point-of-sale devices and supplies.
With over 1,000 national sales professionals, HPS builds long-term business relationships in local sales territories providing merchants with enhanced technology tools that assist them in more effectively operating their businesses.
Heartland commenced operations in 1997, and since 2000 has grown at a compound annual rate of more than 30% to become the seventh largest merchant processor in the United States and fifteenth largest merchant processor in the world.
