28 June, 2011
In the last five years, the University of Arizona has transformed its CatCard from a basic identification card to a multipurpose tool. In terms of security, the school has been particularly aggressive creating multiple levels of access using magnetic stripe, contactless smart card and biometric technologies.
In 1998, the Tucson, Ariz.-based university had 14 different ID cards on campus, according to Assistant Director of CatCard Services, Diane Tatterfield. University leadership decided to consolidate these into one identification card, the CatCard. Today there are 75,000 active CatCards used to gain access to 800 locations around campus.
Prior to 2006, the CatCard featured a magnetic stripe and a contact smart card chip. The mag stripe enabled physical access to buildings and privileges such as meal plans. Users loaded money onto the contact chip to pay for other services such as vending, laundry and photocopying.
The university decided to pilot a contactless chip card five-years ago when it built the BIO5 Institute and medical research laboratory buildings, Tatterfield says. Because parts of these labs demanded high security, the university needed a solution beyond what CatCard’s magnetic stripe could provide.
Partnering with Irish smart card integrator, SmartCentric, the university developed a system of three readers that enabled different levels of access based on a particular environment’s security requirements. Options include tapping the contactless chip, tapping the chip and entering a PIN, and finally tapping the chip and presenting a fingerprint for biometric matching.
Tatterfield says the university evaluated door access readers for six-months before selecting units from Integrated Engineering, a Dutch company that was acquired by HID Global in 2007. The CatCard includes an NXP DESFire contactless chip. It stores a biometric template containing a series of points from the fingerprint. This stored template is later matched with a template created by a reader at the door.
By installing the new security infrastructure at the time of construction, the university avoided a future retrofit of the buildings. With higher levels of access control, the labs have a leg up when competing for grants and contracts that require secure facilities, says Tatterfield.
While most access points on campus still use the magnetic stripe, a campuswide conversion to contactless physical access control is underway. All new construction includes contactless readers, including two new residence halls that opened this Spring with contactless tap and tap-plus-PIN security.
The price for increased security
Higher levels of security do come at a price. According to Tatterfield, standalone contactless smart card readers costs the university just $40, but adding PIN capabilities ups the cost to $700 and biometric versions cost $1,200.
The total cost for a finished card–including card stock, ribbon, printer and personnel–is $42, explains Tatterfield. Students pay $25 for the card, and employees, retirees and alumni receive their first card for free. Vendors–such as Coca-Cola, Federal Express and lab supply companies–who need access to secured areas pay full price for their cards. The CatCard office receives additional funding to cover the full cost of the cards.
The university eliminated the contact chip from the card in November 2010. According to Tatterfield, improvements in technology enabled the unattended payment environments such as vending, laundry, and photocopy to move to the contactless interface. Removing the contact chip saves approximately $5 per card.
Contactless technology has helped the university save in card replacement costs. Because the magnetic stripe is swiped less frequently due to the contactless interface, the stripes do not wear out as quickly so cards don’t need to be replaced as often. This has decreased Arizona’s card replacement levels from 11,000 per year to 6,000 per year, says Tatterfield.
The university phased-in the contactless technology as new students required their initial card and returning students replaced lost cards. Today 95% of the cardholders have contactless IDs.
Controlling access privileges
To leverage the CatCard’s security features, general building access is determined by the cardholder’s status. When a student signs up for a CatCard, says Tatterfield, within 15 minutes he receives access to certain facilities including computer labs, TV lounges, the recreation center, library and athletic facilities.
For more fine-grained control, the building manager for each facility can dictate access for cardholders. Access can be limited to a specific time period, such as 24/7 access, business hour access or access for a certain number of days.
The card has a lifespan of four to five years. When a card is replaced, the cardholder receives a new 16-digit ID number based on the International Organization for Standards’ ISO numbering protocol. The system automatically replaces the user’s old ISO number so that the new card is usable immediately at all access points to which the cardholder is approved.
The biometric challenge
Implementing a new system, especially a sensitive one like biometrics, took some trial and error. Relying solely on fingerprint scans for individuals who work a lot with chemicals can be difficult because chemicals can ruin people’s fingerprints. The university also discovered that it was difficult to get high quality fingerprints from Asians, explained Tatterfield.
The CatCard department worked with the university disabilities office to determine that the inability to offer a good fingerprint was, in fact, a disability. With this decision, a number of labs were downgraded from biometric readers to chip-plus-PIN security. A policy was made that if every individual using a specific lab could not use the biometrics, that lab could not upgrade the system to biometric readers.
The CatCard office also discovered that the dry Arizona climate interfered with the biometric readers. Electric shocks were frequent when users touched a reader causing interruption in the reader’s operation. To eliminate the problem, the readers were reprogrammed to reset every second instead of every five minutes. The desert heat also often made a user’s hands too dry to roll a proper print, but they found that hand lotion solves this problem.
The CatCard provides other services beyond identification and physical security. It is necessary to access e-mail accounts and class schedules. The CatCard also controls meal plans, manages Bursar accounts and authorizes library and recreation center services.
The contactless chip also contains a wallet that holds up to $250 for use on campus. Also on the financial side, a partnership with Wells Fargo enables users to tie their bank account to the CatCard and use it for debit card and ATM functions.
The contactless chip enables the university to explore non-traditional partnerships, concludes Tatterfield. Ongoing discussions with Tucson’s bus system could one day result in the CatCard being used for transit ticketing and fare collection. And a host of other applications are on the horizon as the CatCard continues to claw its way into the future.
Arizona CatCard at a glance:
- Active cards: 75,000
- Students: 39,000
- Faculty/Employees: 12,000
- Retirees, alumni, guest researchers, vendors, and satellite campuses
- Cards issued each year: 25,000
- Total number of readers: ~800
- Magnetic stripe: ~570
- Contactless: 100
- Contactless-plus-PIN: 60
- Biometric: 70
- Number of buildings on campus with contactless readers: 12