For John Ekers, Fargo Electronics’ director of product marketing for software and services, it has become something of an evangelization issue.
“One of the things we’ve been trying to promote, which comes from working with security bureaus, is that it’s not just about your cards, but about your duplicates as well, your bad cards and how you are managing those,” said Mr. Ekers.
“…particularly in the ID market with desktop printers, you see a huge gap. No one is managing the bad cards, the ones that had to be remade,” he stresses. “Not many have software in place to tell you we made four copies of Jane’s ID badge and the fifth is what we sent out.”
What’s needed is something that will help organizations to do a reconciliation to match bad cards against the inventory and produce an audit trail. “The bad cards don’t necessarily have to be kept on file, but a supervisor needs to look at them, check them off (that they actually reviewed them) and then the cards can be destroyed,” said Mr. Ekers.
It’s all about hardening your security. The card may not have been encoded yet, but the picture is still there, the name is on the card and it could still be used fraudulently.
Fargo and others have tools that can secure the issuance process. “We’re trying to manage the issuance of both good cards and bad cards,” explained Mr. Ekers.
A recent presentation at a National Association of Campus Card Users (NACCU) conference on the issuance process ended, “with most of (the 40 college attendees) wanting to get back to their offices as soon as possible,” said Mr. Ekers. “These were people who initially felt their offices were pretty secure,” he said. “You need to know who has access to your card issuance system. Can someone come in over the weekend and produce fraudulent cards? And what is your liability if that happens? Fear drives a lot of this.”
If you’re providing a system to manage access, but you’re not managing the security of the issuance process, you could still be liable for any breakdown that occurs, he said. For example, someone could print out a fraudulent card that allows him to gain access to a secure building.
One preventative measure organizations can take is to utilize a tool that can lock down their printers. “If you have an application running on your PC, the only way the printer will work is if you present the printer password. That’s more widely accepted in the education market. In a lot of cases,” said Mr. Ekers, “you have students doing the badging process. At least over the weekend no one can come in and access the printer.”
Complementing that system, he added, would be a notification application. “An individual who comes in over the weekend who wanted to print badges and if the printer wasn’t locked up, the printer would send out a message over the network or cell phone and let the manager know that someone is trying to print something,” said Mr. Ekers.
Another possible security gap is the data itself that’s used to print the badges. “We recommend that you don’t maintain that data any longer than you need it. If you look at Visa or MasterCard, they’re not allowed to maintain account information for more than seven days. You don’t have to maintain a local database,” said Mr. Ekers.
Computer advancements have also led to more security holes. The simple USB port provides quick access to data on the computer. “A lot of corporations are not buying computers with USB ports,” he said.
Even if you don’t have the means to implement a sophisticated issuance security and card inventory system, “you can at least have an Excel spreadsheet where you log in the number of cards, cards you’ve printed, and so forth,” said Mr. Ekers. “You really need to manage that inventory.” Or, you could go low-tech with a simple pencil and paper method, he added.
“So many colleges today seem to be overwhelmed with operational requirements. Historically, they’ve let a lot of these things go just to get the cards out the door. But I think they’re starting to understand that there’s a lot more at stake,” said Mr. Ekers.