Campus ID News
Card, mobile credential, payment and security

Addressing security concerns in centralized and distributed card issuance environments

Chris Corum || Jul 28, 2005

Architectures for card issuance systems can be categorized as either centralized or distributed in nature. Each scenario presents a unique set of opportunities, and perhaps more importantly, security risks that must be understood and addressed.

There is a macro and a micro distinction that can be made when defining the two types of issuance architectures. At a macro level, centralized issuance can refer to situations in which a third party issuer is handling the card production and distribution on behalf of the client. With distributed issuance the client controls its own card production and distribution.

In closed system environments (e.g. campuses, corporations), a more micro-distinction for centralized and distributed issuance can apply. When a campus has multiple branches or a corporation has multiple locations, centralized issuance has all cards produced from a single, controlled location. Distributed issuance deploys the technology and responsibility for issuance to the various sites.

In the case of both the macro and micro distinctions, the following discussion can apply.

In the past, centralized meant secure and distributed meant fast …

“We are seeing great opportunities and advances for distributed issuance,” says John Ekers, Director of Product Marketing for Systems and Software, Fargo Electronics. “In general, it is always better if you are controlling more of the process yourself.”

Certainly this self-control aspect is the key reason issuers choose the distributed model. Using the campus setting as the example, distributed issuance equates to instant issuance. The enrollment, authentication, imaging, production and distribution can be completed onsite, while the cardholder waits. Centralized issuance cannot accomplish this.

But, centralized issuance has traditionally possessed a major advantage over its distributed counterpart: added security. Blank card stock can be locked down and each piece accounted for at all stages in the process; staff access can be tightly monitored; fraudulent card creation can be curtailed via stringent checks and balances; etc.

“What we are seeing today,” adds Mr. Ekers, “is a migration of the security control procedures traditionally used in centralized issuance bureaus to the distributed environments.”


Categorizing the risks

A major shift in the nature of campus, corporate, and other ID card applications has been the primary driver for increased issuance security. A degree of risk has always existed, but as the privileges and opportunities that an ID enables have expanded, the dangers arising from fraudulent cards have grown.

The risks associated with issuance procedures can be thought of in three main areas, and for each, according to Mr. Ekers, there are significant advances underway for distributed environments. The areas are materials, data, and personnel.

Materials:
In centralized issuance all card stock, printer supplies, and equipment are kept in one location making it easier to manage and track. When production is distributed, so too must the materials be distributed. This requires a more sophisticated system of control.

Off-the-shelf inventory management software, built-in security mechanisms in new printer models, and software prompts in both printers and imaging software are making it easier to manage materials in a distributed environment.

Personnel:
In centralized issuance, employees undergo background checks and can be closely monitored throughout the day. Monitoring is far more difficult in a distributed environment.

By requiring stringent login procedures, restricting the hours that an employee can print cards to appropriate times, and employing other system-controlled checks and balances, remote monitoring and control are becoming a reality. “In the near future,” says Mr. Ekers, “I expect to see biometric login to issuance systems become the norm.”

Data:
In terms of issuance data, both the personal information of your cardholders and the ongoing system operation data are crucial. Obviously, the security of the cardholder data is paramount to ensure individual privacy. The system operation data is key to monitoring efficient and appropriate use of the equipment and materials.

In a highly controlled centralized environment, data can be tightly held on a closed network with security controls appropriate to the need. The physical premises can be locked down and unauthorized access restricted. This is far more difficult in a distributed environment where open or pseudo-open networks are used and open access to the premises is required to facilitate customer service.

Advances in encryption techniques (e.g. hardware security modules that manage issuer keys) have made it possible to ensure that cardholder data is never transmitted “in the clear,” thus reducing the risk of data compromise. High-level encryption and high-speed networking are enabling distributed access to centralized data repositories, thus allowing the cardholder data to be held securely in a single location and accessed only when necessary by a distributed site.


Distributed issuance: no longer “less secure”

“We are nearing the point where the security benefits of centralized issuance are no longer sufficient to merit the loss of control,” says Mr. Ekers. “Distributed issuance can be technology-enabled such that its security matches, and potentially exceeds, its counterpart.”

He concludes with the following thought, “When an issuer switches from a centralized model to a distributed model they are forced to reexamine the controls employed for materials, personnel, and data. I have seen many cases where they find significant security holes in their former centralized processes that have been corrected in the migration.”
