Regarding ID Summer 2006 by AVISIAN

Summer 2006

Regarding ID Magazine – a survey of identiﬁcation technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

Summer 2006 6 | OPINION | The many links of the chain of trust

18 | BIOMETRICS | Securing the Disney Gates

8 | HSPD-12 | Mandated government smart cards slowly coming along

20 | AUTHENTICATION | Two-factor authentication goes mobile on phones, PDAs, laptops, and more

30 | PAYMENTS | Axalto’s SmartFob offers contactless payment functionality in a radical new way

50 | PLASTICS | Corn Cards offer a greener alternative, but is the industry ready for plastic from the farm?

36 | FOCUS | Thales deploys ID solutions around the globe

52 | TECHNOLOGY | JSA receives web-revalue technology patent

39 | FUTURE | Famed Media Lab explores a contactless future

54 | SECURITY | Prox begins giving way to contactless as price cuts and multi-technology readers eliminate hurdles

34 | INTERNATIONAL | From the Great Wall to city buses in busy urban centers, contactless is ﬁnding a home in China

Summer 2006

Contents

Index of Advertisers INDEX OF ADVERTISERS Cardtech Securtech www.ctst.com CBORD Group, Inc. www.cbord.com Datacard www.datacard.com Datastrip www.datastrip.com Digital Identification Solutions www.digital-identification.com Gemplus www.gemplus.com HID www.hidcorp.com Integrated Engineering www.smart-ID.com LEGIC www.legic.com Lenel Systems Intl www.lenel.com Muhlbauer www.muhlbauer.de NFive www.nfive.com Sokymat www.sokymat.com RFID Library www.rfidnews.org Sagem Morpho www.morpho.com Smart Card Alliance smartcardalliance.org Ultra Electronics www.ultramagicard.com XceedID www.xceedid.com

29 47 7 2 21 58 | TAGGING | RFID curbs drug counterfeiting, but obstacles still exist

17 68 41 31 9

38 | PRIVACY | MIT helps security industry explore the privacy implications of RFID

51 | CAMPUS | QI readers bring USA Today newspapers to card carrying students on 70 campuses

3 57 60 23 43 27 33

46 | CAMPUS ID | Nova Southeastern replaces outdated campus smart card with new smart card system

12 | IDENTITY | Registered Traveler program goes nationwide

Perspective ??? ??? Chris Corum Executive Editor, AVISIAN Publications

PUBLISHER Jeff Staples, jeff@AVISIAN.com EXECUTIVE EDITOR Chris Corum, chris@AVISIAN.com CONTRIBUTING EDITORS Kristen Fossgreen, Dee Ann Kuhn, Erik Peterson, Sara Pralle, Bret Tobey, Marisa Torrieri, John Wehr, Andy Williams, David Wyld ART DIRECTOR Mike Houghton

text to come

ADVERTISING SALES Jeff Staples, jeff@AVISIAN.com SUBSCRIPTIONS Regarding ID is free to qualiﬁed professionals in the U.S. For those who do not qualify for a free subscription, or those living outside the U.S., the annual rate is US$45. Visit www. regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE Regarding ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Jeff Staples, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2006 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualiﬁcations to info@AVISIAN.com with the message subject line “Editorial Advisory Board Submission.”

SecureIDNews

New government smart ID cards slowly coming along HSPD-12 mandated ID cards will be ready for new federal employees by October Marisa Torrieri Contributing Editor, AVISIAN Publications Come mid-Autumn all new federal employees can expect to be issued a state-of-the-art smart card capable of granting secure access to designated buildings and services. However, it may be several years before every single existing federal employee gets new powerful plastic with standardized high-security specs, say the agencies in charge of developing the card in accordance with the Homeland Security Presidential Directive 12 (HSPD-12). HSPD-12, signed by President Bush in August 2004, calls for a number of measures to ensure more secure networks and communication across Federal agencies. Among these is a new Personal Identity Veriﬁcation (PIV) ID card. The standards for the PIV cards have been in development since HSPD-12’s release, guided by the National Institute of Standards and Technology (NIST) and codiﬁed in the FIPS 201 standard. 8

Summer 2006

The HSPD-12 mandate requires all federal agencies to switch to these PIV cards to raise the level of identity veriﬁcation and security across government. But getting all agencies to implement the new cards, mandated for new employees by Oct. 27, is proving to be a major undertaking. The General Services Agency, designated as the government’s Executive Agent for the Acquisition of Products and Services to implement HSPD-12, is working alongside NIST to test the PIV infrastructure. While NIST is testing conformance of the smart card software against the established standards, GSA is coordinating with vendors to test for interoperability between the smart cards and readers. “NIST is basically testing smart cards and middleware for conformance to the standards,” largely within 10 laboratories, says Curt Barker, the personal identity veriﬁcation program manager at NIST.

SecureIDNews

But getting the PIV card and system components up and running, as well as imposing a timeline on developers, is a difficult challenge – so much so that the General Accounting Office (GAO) has issued numerous reports citing these challenges, David Temoshok, director for identity policy and management for the GSA, tells SecureIDNews. “We don’t envision that we’re going to flick a switch in October of 2006 and all agencies will immediately replace their current badges,” says Mr. Temoshok. “That’s going to take several years. Implementing HPSD-12 is not about buying the right cards, it is about deploying systems across multiple government organizations that can be trusted and interoperate.”

Existing government-issued smart cards close but not entirely PIV Some agencies have been issuing smart cards for employee identiﬁcation for some time. For

example, the Department of Defense (DoD) has issued more than 8.8 million smart cards called Common Access Cards (CAC) across the military branches, and there are currently 3.2 million active CACs in the ﬁeld, says a DoD spokeswoman. But, according to Mr. Barker, there are certain aspects of the CAC card that made them a no-go for a national, all-agency implementation, per the HPSD-12 mandate. “It really wasn’t that the common access card was deﬁcient,” says Mr. Barker. “It was something that was designed for one department and was useful for some others, but we needed to specify something that met the needs and constraints of all the departments.” Subtle differences include the commands used to read the information on the card, and some elements of the information itself. In other words, there is employee information on the DoD’s CAC card that other agencies might not want to put on their employee access cards, such as military rank, says Mr. Barker.

HSPD-12 again takes center stage in event hosted by Lenel and Lockheed Martin Our subscribers have gathered by now how rapidly the U.S. federal government is moving toward a common identiﬁcation credential, driven by presidential mandate HSPD-12 and the resulting FIPS-201 guidance. We saw another example of the importance of this tasking when security system provider Lenel Systemsand government contractor Lockheed Martin hosted an HSPD-12 related event this week in Washington, DC. This event boasted an impressive draw from the federal government security sector. Lenel reported over 150 people in attendance, and we recognized many of the key players in the federal government sector and a representation from numerous agencies including the Department of State, Homeland Security, Defense, Commerce, NIST and the General Services Administration. The importance of the subject matter was reinforced as many of these attendees had just met the week prior during an Inter-agency Advisory Board (IAB) meeting in Washington, DC yet turned out to hear the latest product developments and to see ﬁrst hand how the pieces of the puzzle are beginning to come together. HSPD-12 and the resulting FIPS-201 have changed how the federal government measures progress and change. What was once measured in years or even decades has now been compressed into a matter of weeks and months, and this cooperative demonstration of enrollment, issuance and management of a standard credential is an encouraging sign given that the October 27, 2006 deadline is fast approaching. As the Department of Commerce’ Ron Martin was quick to remind us, “only 219 days left.” And counting...

Summer 2006

Another issue, adds Mr. Barker, is that “the PIV standard was designed so that any of the smart card architectures could meet it. The CAC card was more tailored to some of the manufacturers than others.” Additionally, he says, “the DoD has a highly automated human resources database to go with the common access card. Not all agencies have that.” For the government-wide deployment to be possible, a few adjustments were necessary, including the additional features such as the ability to read biometric data and contactless interfaces for physical access purposes.

With the next deadline just months away, serious challenges remain Key challenges to deployment include the tight timeframes for NIST, GSA, and the vendor community to conduct testing and complete development on products that adhere to the government’s standards. In addition, the sheer magnitude of the project – from each agency designing its own interface to getting all issuing centers to replace old cards with new – is keeping NIST and GSA conservative in their timeline estimates. “It’s about implementing a secure and standardized identity management system across the whole government,” says Mr. Temonshok. “The (key is) having the right and approved products that will interoperate with multiple readers but also integrate the systems across the back end.” Though the effort required is obviously substantial, the cards will vastly improve security, says Mr. Temonshok. Government workers going from one federal building to another, for example, often have to get new security clearance and a visitor’s badge. Under HSPD-12, Federal employees and contractors will be granted trusted access to facilities and networks based on the PIV card. “If you have the PIV card, then you know that employee has gone through background checks, and the badges can be trusted across government,” says Mr. Temonshok. “In order to have that trust, you have to read the card – so machine readability and interoperability is fundamental.”

Agency ‘To Do’ list for HPSD-12 compliance long but flexible The Federal Information Processing Standard 201 (FIPS 201) specifies the technical and operational requirements for the PIV system and cards. The title of FIPS 201 is “Personal Identity Verification for Federal Employees and Contractors” and it was approved on Feb. 25, 2005. In essence, it is the standards document that details procedures for the issuance of PIV cards to meet the HSPD-12 mandate. According to NIST, the primary requirements for implementing FIPS 201 include the “issuance of identity credentials that consist of public key infrastructure (PKI) and biometrics

technology on a smart card.”They suggest that the high-level agency requirements include: • Identify the facilities, systems, and other applications that will use the PIV standard • Obtain the services of an accredited PIV card issuer • Review and revise procedures for PIV card applicants to provide acceptable identity, source documents (i.e., OPM I-9) and complete PIV card application • Obtain services for capturing biometric information as speciﬁed in the FIPS 201 • Obtain PIV card readers with biometric readers as needed • Procure cards, readers, and PKI services conforming to FIPS 201 • Enable applications to use the PIV card • Operate and maintain a PIV card authentication and personal identity veriﬁcation system. While cards must conform to certain standards outlined in HPSD-12 and accompanying

standards published by NIST, agencies have a certain amount of ﬂexibility in how they want the cards to look and what information the cards should contain. For security purposes, cards will have a preset lifecycle. “The key information changes every three years because you don’t want to rely on the same variable information for too long because there are other ways, besides computationally breaking it, that it can be lost or exposed,” Mr. Barker says. “We’re trying to design electronic aspects of the card so if an adversary knows the design, they still won’t be able to exploit that knowledge,” Mr. Barker says. “The cryptographic algorithms have to be strong enough that even if the other person has the algorithm, without private key variable information, they can’t take advantage of that knowledge.”

��

SecureIDNews

Because the PIV card contains digital credentials -- ﬁngerprint biometric, digital certiﬁcate, PIN -- that are used to validate the cardholder to the card, card-theft will not necessarily breach security, he adds.

SecureIDNews

Registered Traveler program goes nationwide Smart cards and biometrics to expedite security checks for more frequent flyers Sara Pralle Contributing Editor, AVISIAN Publications Increased airport security since 9/11 has led to a frustrating flying experience for many travelers. While few deny the need for safeguards, frequent flyers desperately want a means to avoid the lines and the hassle these security measures have created. Enter the Registered Traveler program, initiated by the Transportation Security Administration (TSA), but now operated by the private sector. From the initial launch in Orlando, a handful of other airports have signed on and creative ways to expand the issuance opportunities are coming to fruition. The TSA developed the Registered Traveler (RT) program to expedite passengers through airport security by enabling participating travelers to use more automated, dedicated checkpoints provided they had submitted to a voluntary background check. TSA began pilot programs in 2004, with participants providing basic personal information enabling the TSA to conduct a security assessment to determine eligibility. If approved, the volunteer provided both fingerprints and an iris scan, allowing either biometric to be used for positive identity verification at the airport. The five federally managed pilots -- Minneapolis-St. Paul, Los Angeles, Huston Bush Intercontinental, Boston and Washington, D.C. -- concluded in October of 2005. While they all employed biometric technology, each test site followed varying procedures with regard to the credential and the method of biometric storage and comparison. In the end, all pilots achieved the primary goal – generating data about how RT can enhance security and customer service through biometric technology. As a result, TSA began working with interested airports, the travel industry, and vendors to begin operating a fee-based RT program nationwide.

TSA specifies the card, the biometric, and more Earlier this year, the TSA issued guidance detailing how the national RT program would work. The requirements include the use of a smart card as the mandatory credential and the utilization of ten stored fingerprint biometrics for identification. It also specified a formal redress procedure for any participants disqualified during the background check. 12

Summer 2006

Because the RT program will be operated by the private sector, multiple companies will likely offer services to the nation’s airports. The responsibility for screening and overseeing this pool of providers will fall to a single certiﬁcation body. By April 20, 2006, the TSA will select this third party entity charged with certifying service providers, managing compliance, and establishing requirements for airport checkpoint veriﬁcation providers. Screening for consumer participants in the program will begin June 20, 2006.

Verified Identity Pass takes a lead position In addition to the initial five pilots launched by TSA, a sixth program was launched at the Orlando International Airport as a public-private sector partnership. This program is still underway and has spawned a number of other RT sites. The vendor for the Orlando RT is Verified Identity Pass, and its product name is “Clear.” To date, more than 17,000 passengers have enrolled in the Clear program. Its members have their own security line at the airport and enjoy a maximum wait time of three minutes, compared with 31 minutes experienced by the airport’s regular flyers. As the program goes national, individual airports must decide whether they wish to participate. Airports in San Jose, Indianapolis, and Sacramento have already signed deals with Verified Identity Pass. The company has also recently signed a contract with the Greater Toronto Airports Authority to take the program across the nation’s border. In Canada, the plan is to establish partnerships with as many as 10 airports before the June launch date. Even the hotel industry is embracing this evolution in travel and customer service. Hyatt Hotels has agreed to purchase 10,000 Clear memberships from Verified Identity Pass. The hotel plans to offer them as part of the complimentary packages for its Gold Passport Members. What’s the cost to consumers not in this select group? While cost will likely vary depending on the individual service provider, memberships should range between $59-$125 a year (in Orlando, Clear cards are offered for an annual fee of $79.95). However, expect to see RT memberships being offered in a variety of customer benefit packages. As Verified Identity Pass CEO Steven Brill explains, “In addition to the Hyatt deal, we are developing partnerships with other luxury hotels, credit card companies, and both American and Canadian airlines to co-market our product and provide their premium customers with complimentary or discounted membership into the program.” With enrollment kiosks planned for major office buildings, hotels and airports throughout the country, the market for Registered Traveler memberships is immense. And the possibilities for collaboration between the transportation industry and other companies catering to the business traveler promise to be innovative and far-reaching.

Take 30 seconds and sign-up for a free subscription to this magazine [ turn page for details ]

FREE SUBSCRIPTION The following questions must be answered to complete your subscription. My job title is: ❏ CEO/President ❏ EVP/VP ❏ Director ❏ Manager ❏ Other ________________________ My primary job function is: ❏ Management ❏ Sales/marketing ❏ Operations/development ❏ Administration My relationship to ID technology is: ❏ End user ❏ Manufacturer ❏ Reseller ❏ Consultant ❏ Solution Provider/Integrator ❏ Other _______________________

Subscribe for FREE to Regarding ID magazine and keep up-to-date with the latest news and insight from the world of identity management, biometric, and advanced ID technology. (Free subscriptions available to U.S. addresses only. *International subscribers pay U.S.$45 per year to cover postage and handling costs.)

FAX this form to 703-327-2037 or subscribe ONLINE at www.Regarding ID.com/subscribe ❏ Please send me/continue to send me Regarding ID magazine FREE. ❏ My address has changed. Please send Regarding ID to this address instead.

Name

__________________________________________________________________

Job title _________________________________________________________________ Company

My primary market focus is: ❏ Government ❏ Corporate ❏ Financial ❏ Transportation ❏ Education ❏ Retail ❏ Other ________________________ My primary application focus is: ❏ Physical security ❏Computer security ❏ Payments ❏ Transit ❏ ID issuance ❏ Logistics ❏ Other _______________________ Number of employees in company: ❏ Under 25 ❏ 25 to 99 ❏ 100 to 499 ❏ 500 to 999 ❏ 1000 to 4999 ❏ 5000 to 9999 ❏ More than 10,000 Annual sales volume: ❏ Under $1 million ❏ $1-10 million ❏ $1 -25 million ❏ $25-100 million ❏ More than $100 million In the next 24 months, I expect to be involved in a decision to purchase: ❏ Physical security products ❏ Logical/computer security products ❏ Biometric products ❏ ID issuance hardware and/or software ❏ Smart cards (contact or contactless) ❏ RFID systems/components

___________________________________________________________

Address __________________________________________________________________ City ______________________________________________________________________ State/Province ______________________________ Zip/Postal Code _______________ Country: ❏ U.S. (FREE)

❏ *Other (U.S.$45) ____________________________________

Phone

_________________________________________________________________

__________________________________________________________________

Signature _________________________________________ Date

________________

* Non-U.S. subscribers: Fax this form and we will send you an invoice for U.S.$45 to the Email address you provide. Your subscription will begin when payment is received. To begin immediately, visit www.RegardingID.com/subscribe. I would also like to receive a FREE subscription to the following AVISIAN online publications sent to my email address (check all that apply): ❏ SecureIDNews

❏ ContactlessNews

❏ CR80News

❏ RFIDNews

FAX this form to 703-327-2037 or subscribe ONLINE at www.Regarding ID.com/subscribe

Have a colleague that would like to receive Regarding ID for free as well? A second subscription form is available on the reverse side of this page (colleague must sign the form to authorize subscription).

SecureIDNews

U.S. issues first e-passports to diplomats, citizen issuance to start later in ’06 Erik Peterson Contributing Editor, AVISIAN Publications The United States government plans to begin issuing e-passports – a new version of the passport containing a contactless chip and biometric security -- to the American public at the end of 2006. This announcement accompanies the commencement of a mid-January 2006 pilot program in which diplomats were issued the new passports. The biometric requirements for the new e-passports originate from the Enhanced Security and Visa Entry Reform Act of 2002 (Border Security Act), passed by the U.S. Congress in the aftermath of the 2001 terrorist attacks. The law stipulates new rules for countries in the Visa Waiver Program, the initiative that allows citizens of 27 countries to visit the U.S. for business or pleasure for up to 90 days without a visa. Under the new law, the governments of these countries must provide their citizens with secure, machine-readable, and biometrics-enabled e-passports that are compliant with International Civil Aviation Organization (ICAO) e-passport standards. Originally, the United States wanted the new e-passport requirements to be met by October 26, 2004, but the deadline was extended first to 2005, then again to October 26, 2006. The ICAO worldwide e-passport standards state that facial, iris, and fingerprint biometric technologies are to be used as the new criteria in securing traveler identification. The ICAO standards also mandate the use of contactless, machine-readable technology. A February 17, 2006 U.S. Department of State press release explained the new technologies of the e-passport and attempted to alleviate security and convenience concerns: “The new passport combines face recognition and contactless chip technology. The chip, embedded in the cover of the passport, holds the same information that is printed in the passport: name, date of birth, gender, place of birth, dates of passport issuance and expiration, passport number, and photo image of the bearer. Along with basic information included on current paper passports, e-passports will introduce a digital photograph. Previously issued passports without electronic chips will remain valid until their expiration dates.” Each step closer to e-passport reality, however, only seems to fuel those voicing security concerns. Groups such as the American Civil Liberties Union (ACLU) have voiced concerns that RFID-enabled e-passports have the potential to be global tracking devices that can be used to spy on citizens around the world. Just ten days after the press release, Laura Tischler, a spokeswoman for the State Department Consular Affairs, stated in an interview, “The information contained on the integrated circuit embedded in the passport will not provide a means to track U.S. citizens. This information will be used only in identity verification at ports of entry during travel.” An e-passport with face-recognition technology will make it “incredibly difficult for someone else to use your passport,” Tischler added.

Source: Bundesdruckerei GmbH

And Department of State release attempts to address these concerns, stating, “the Department has incorporated an anti-skimming device in the passport’s front cover. The Department also included basic access control (BAC) technology to prevent skimming and eavesdropping. The anti-skimming device and the BAC technology, when taken together, will mitigate unauthorized reading of the e-passport.” Some disagree with the Department of State’s position. A Dutch security firm, Riscure, recently intercepted information being transferred from a contactless e-passport to a machine reader. According to Riscure, in only two hours they were able to decode the captured information and read the contents of the e-passport. Despite security concerns, the United States is determined to move ahead with the e-passports. Manufacturers are gearing up as well. Current e-passports use chips from Infineon Technologies North America Corporation that are embedded in the passport cover. A metal shield prevents skimming data while the passport is being read. To date, the Infineon technology is the only approved solution for U.S. passport use. The National Institutes of Standards and Technology is still testing products from Axalto, Inc., On Track Innovations Ltd., and ASK. Summer 2006

SecureIDNews

USB Flash drives get security facelift and offer authentication functionality to boot Marisa Torrieri Contributing Editor, AVISIAN Publications Who doesn’t love the convenience of the USB Flash drive, the mini data-storage device that’s taken off with the momentum that rivals Apple’s iPod? Certainly crooks love it, as it makes data theft a whole lot easier. The devices are so prevalent and convenient that business executives and government workers often take their security for granted, say the folks at SPYRUS, a San Jose, Calif.-based flash-drive manufacturer and highassurance security solutions. “The USB interface is certainly ubiquitous and quite popular, but it certainly has created a problem.” says SPYRUS CEO Sue Pontius drawing attention to recent cases where executives lost flash drives in cabs or government agencies were forced to seal their USB ports to prevent data theft. In response to the growing concern over protecting data, SPYRUS is one of a growing number of high-security solutions providers and flash-drive manufactures offering beefed up security for a variety of applications -- such as the banking

executive wanting another layer of strong authentication for financial transactions or the healthcare administrator needing to better protect patient data. Even for consumers, security is a growing concern for this form factor. SPYRUS recently unveiled its new Hydra Privacy Card Series II mass storage device at the RSA Conference in February. SPYRUS proudly touts its product as “the world’s first USB 2.0 personal hardware security token that seamlessly integrates secure mass storage using Suite B cryptographic algorithms, high-performance encryption and authentication services and One Time Passwords (OTPs).” And, the new product can help address compliance requirements for various government, financial and healthcare initiatives, says the company. USB flash memory card stalwart, SanDisk, also has designs on strong authentication and high security applications. The company is in the throes of worldwide deployment for a number of its more advanced flash memory cards. Its SanDisk Cruzer Profile product, a biometricequipped USB flash drive, is secured via a fingerprint scan (the two-piece unit’s “scanner” is contained in a removable cap). “We are shipping this now into retail stores nationwide and, soon, worldwide,” says a SanDisk spokesman.“We’ve had interest from government agencies and educational institutions on this product.” The latest versions of SanDisk’s two main flash drives -- the SanDisk Cruzer Micro and SanDisk Cruzer Titanium -- support the new U3 platform allowing for security and other software to be loaded to the device. “You can use the drive on any PC, calling up all of your files and programs, without leaving any personal information behind (footprints) on the host machine,” says the spokesman. These higher-security flash drives are gaining momentum in the consumer markets. “There is a growing concern,” says Ms. Pontius. “That’s why there is interest in a method of securing data and data transfer”

Summer 2006

Smart. Simple. Secure. Traditional badge systems, passwords, and secure tokens can’t come close to the level of security and convenience offered by SafesITe™. Using 2-factor authentication, one smart employee badge can securely manage network access, passwords, building entry, vending purchases, and more. Gemplus offers two pre-integrated smart ID card management systems: SafesITe Enterprise is a flexible system designed to meet the complex needs of commercial enterprises. SafesITe Government is a solution that complies with the FIPS 201 standards required by the U.S. Federal Government’s HSPD-12 mandate.

For more information call: 888-GEMSMART, or contact: us.sales@gemplus.com

www.gemplus.com/northamerica

SecureIDNews

Biometrics at the Disney Gates

When visitors step up to the gates of the four Disney World theme parks, the Magic Kingdom, Epcot, Animal Kingdom, or the MGM Studios, they will encounter something unexpected and largely foreign to them. Disney has embarked on a program to use an established biometric technology – ﬁnger geometry – to secure its valuable passes. Ostensibly, this new security is for the beneﬁt of the pass owner. However, it is also being implemented to secure Disney’s pricing structure and marketing strategy. It has not come without controversy – and at least a bit of confusion.

What is Finger Geometry? Hand geometry has been aptly described as “the ‘granddaddy’ of all biometric technology devices.” It is essentially based on the fact that virtually every individual’s hand is shaped differently than another individual’s hand, and over the course of time, the shape of the person’s hand does not significantly change. Operationally, finger or hand scanning systems capture the physical, geometric characteristics of an individual’s hand – with most systems having the capacity to do so in less than a second. From these measurements, a profile or “template” is constructed which will be used to compare against subsequent readings by the user. Finger and hand geometry are considered somewhat interchangeable terms. However, hand geometry evaluates the person’s entire hand form as a biometric identifier, while finger geometry looks only at a subset of the five fingers to form the identifier. In either case, such geometry does not entail the taking of a person’s fingerprints. In a recent study, the National Academies of Science found that while a person’s finger geometry is indeed far less distinctive than his/ her fingerprints, hand or figure biometrics is indeed suitable as an identifier for a wide variety of circumstances, where one in a thousand uniqueness is sufficient. Finger geometry has been used successfully since its commercial introduction in 1975, when it was brought to Wall Street for security purposes by the investment firm of Shearson Hamill. Over the years, it has been utilized to provide secure access and verify one’s identity in a wide variety of settings, including: • Athletes at Olympic Villages • Members of the Colombian National Legislature • Employees at 90% of U.S. nuclear power plants • Military officers • Prisoners • Parents at day care centers, and • Donors at sperm clinics.

David Wyld Contributing Editor, AVISIAN Publications 18

Summer 2006

Probably the widest use of ﬁnger or hand scanning is in the corporate realm, where such scanning is used in complement with employee badges, passes, and ID cards to prevent payroll fraud, a seemingly intransigent problem which has been estimated to cost employers in the U.S. alone hundreds of millions of dollars each year. While other forms of biometrics may be growing more rapidly, there is still substantial growth potential for hand and ﬁnger scanning, In fact, according to Biometrics Info, hand geometry revenues have been forecast to reach $97.4 million in 2007, which represents an almost 400% growth in the market since 2002.

Giving Disney Your Fingers

For a number of years now, Disney’s marketing approach has been to shrewdly push the sale of multi-day and annual passes to its theme parks that comprise the Disney World complex (Disney passes are not interchangeable between its parks in Anaheim, California and Orlando, Florida). The pricing structure at Disney World’s is transparently meant to encourage its visitors to buy passes for longer stays at its Orlando properties. In fact, the daily price of a Disney park visit drops signiﬁcantly as longer-lasting park passes are purchased – by half at the 7-day mark and by almost two-thirds at the ten day market. To put it quite simply, Disney makes about $200 more by selling ﬁve separate two-day tickets than by selling a single ten-day pass. So, to protect its revenue stream, Disney does not allow its annual or multi-day passes to be shared or transferred. They don’t want people to buy a ten-day pass, use it for two days, and then resell the pass to a buyer to use the remaining days. Not only do longer stays mean that families visiting Disney World will have more oppor-

A mixed reaction From Disney’s perspective, the ticket tag is a necessary security measure that does not violate its customers’ privacy. According to Disney spokeswoman Kim Prunty, contrary to some reports, “We’re not keeping a database of fingerprints.” In fact, the company does not maintain a permanent database of scans, as the information is purged from its systems after the individual’s pass expires. Disney has also not disclosed the vendor for its biometric system. However, Disney’s move to finger scanning has generated some degree of controversy since its implementation. Since Disney defines an “adult” park guest as being 10 or older, many minors are being subjected to finger scanning. Leading privacy groups have also attacked Disney’s move. The American Civil Liberties Union recently called the addition of biometric technology “a step in the wrong direction.” EPIC – the Electronic Privacy Information Center – recently issued a blistering attack on Disney for its use of finger scanning. It called the practice a “a gross violation of privacy rights,” as there is little notice given to consumers as to why their biometric information is being collected, how it will be used, and the protection afforded to the data. EPIC also criticized Disney’s move based on the legal principle known as “the proportionality test,” which can be encapsulized as whether the amount and type of information being collected equals the level of security being sought? To date however, there have been no lawsuits filed against Disney over its use of finger scanning technology. Surprisingly, both at ticket sales’ locations and at the actual park entry points, Disney has not seen fit to post information on exactly what is being done when the park patrons are asked to make the peace sign and insert their digits

into the reading machine. Most patrons – and even some public interest groups and media covering the developments at Disney - have assumed that the company is fingerprinting park visitors and matching the passholder’s print to the pass – and perhaps even other databases, such as criminal records, sex offender registries, and terror watch lists. This has led some industry observers to criticize Disney for having a corporate communications problem in not explaining the “why’s” for the use of the technology to its patrons, while others have seen fit to call upon Disney to find creative ways to leverage the technology - and the data it collects – beyond gate security to provide better in-park customer experiences for its guests.

Good technology often makes good business sense What is certain is that we will see more such applications of finger geometry in the future, as Disney is by no means alone in exploring how this established technology in the theme park industry. Indeed, according to a report from The Orlando Sentinel, several of the company’s principal competitors are looking to implement similar pass protection technology to their valuable tickets and passes in 2006, including: • Universal Orlando • SeaWorld Adventure Parks • Paramount Theme Parks. From the perspective of Dennis Speigel, President of International Theme Park Services in Cincinnati, such biometric scanning may be a necessary tool for the entire theme park industry. He recently observed that:“Tickets are very expensive for these facilities. If you can hand them off, it costs the parks money. The introduction (of this type of solution) will be used more broadly in the industry in the future.” For now, the introduction of finger scanning seems to present Disney with an operational challenge to get visitors used to the new requirement. The reaction of Simon Henson, who visited Disney while on vacation, is common. As Mr. Henson put it: “Overall it’s good. But it seems to make the queues longer. No one seems to put their fingers in all the way on the first try.”

Summer 2006

SecureIDNews

Disney has moved over the past decade to use automatic identification in various forms. In 1996, the company moved away from a hard plastic laminated pass for all holders of multiday or annual passes, which contained both a bar code identifier and a photo of the passholder. In its place, Disney began issuing mylar paper passes. These new passes had no photo identifier, and indeed, contained only minimal visual evidence of ownership, basically only the guest’s name and the expiration date of the pass. Beginning in June 2005, all Walt Disney World parks began using finger scanning at its park entrances to complement the security measures embedded in its mylar passes. When a Disney guest presents his pass at the turnstile, he is asked to insert the pass into a reader, and after doing so, to make a “peace sign” with his index and middle fingers and insert those fingers into a scanning area. During the scan, a camera takes a picture of several points on each person’s index and middle fingers and assigns a numerical value to the image. The scan – which is accomplished in less than a second – measures the length and width of the individual’s two fingers and the spread distance between the digits. Once the scan is taken – and all adults are required to do so - the pass is returned to the guest.

tunities to spend more money on food and beverages, souvenirs and trinkets, and other experiences, such as breakfast with Cinderella, while on Disney property. Perhaps even more importantly, the passes serve to “lock-in” guests to focus their Orlando visits on Disney parks, rather than spending their time – and money – at the competitor’s parks and other entertainment experiences available in this burgeoning family resort area.

SecureIDNews

Two-factor authentication goes mobile on phones, PDAs, laptops, and more Marisa Torrieri Contributing Editor, AVISIAN Publications At least this year, most U.S. consumers aren’t ready for one-time-password (OTP) generators or smart cards. So like the medicine maker that tricks kids into getting better by concocting fruit-ﬂavored, cartoon character remedies, a number of digital security vendors are tucking authentication into the devices Americans know and love – Blackberries and mobile phones. At February’s RSA Conference in San Jose, Calif., soft tokens for mobile commerce and secure authentication were key topics. The conference came within months of the FFIEC guidance that prompted banks to examine the strength of their security systems. The new technology -partnerships between digital security OEMS, soft-token makers, service providers and device manufacturers -- will amount to new applications to help consumers bank over their mobile phones in a more secure and convenient environment. Why are U.S. consumers ready for this stuff now, when mobile data is just taking off? “One reason is compliance – [some] banks cannot afford to distribute hardware tokens to each one of their customers, so FFIEC guidance has made them look for creative ways to [amplify] security,” says Kerry Loftus, director of consumer authentication services for VeriSign, a digital security OEM interested in building a network of shared authentication applications that use a single, open standard. VeriSign is a member of

Summer 2006

OATH (Initiative for Open Authentication), a multi-company organization focused on developing an open standard for strong authentication, also represented at the RSA Security Conference. The second reason, says Ms. Loftus, is that security risks have become very public, and consumers are truly more concerned about secure transactions. The Mountain View, Calif.-based company announced new partnerships at the RSA Securities conference that will make everyday mobile data transactions more secure, as part of its new ‘VeriSign Identity Protection’ (VIP) initiative. VeriSign will pair with handset manufacturer Motorola and USB-drive maker SanDisk to turn mobile devices or ﬂash drives, already in the hands of consumers, into authentication devices. For example, Motorola will embed the OATH-compliant OTP into their Java-enabled handsets. This will, in effect, turn that phone into an OTP mechanism. The upside is that enterprises (e.g., banks, online merchants) don’t have to pay to deploy a token -- that token is now taking the form of a mobile phone. “Consumers who are used to carrying those devices can get that security credential,” Ms. Loftus says. SanDisk will support VIP by manufacturing and distributing OATHcompliant USB mass-storage and trusted ﬂash devices, VeriSign says.

SecureIDNews

Pay for your eBay auctions with your mobile phone … E-commerce giants PayPal, Yahoo! and eBay are also partners in VeriSign’s VIP initiative. Their partnership will help create secure, trusted connections between consumer and those sites using any number of the devices in the VeriSign Uniﬁed Authentication and VIP families, says a VeriSign spokesman. VIP will enable a single credential to be shared across these sites, or any subsequently joining VIP network members, including banks, says a VeriSign spokesman. “Any device manufacturers who adhere to the [OATH] standard can use it to add strong-authentication security to their digital commerce transactions,” Ms. Loftus says.

Other companies envision security through consumer electronics as well Meanwhile, Diversinet, another OATH member and VeriSign partner, which makes security applications and physical soft tokens for mobile devices, announced similar plans to bank on U.S. consumers’ affinity for mobile devices. On Feb. 7, Toronto-based Diversinet officially released its “Next-Generation MobiSecure Soft Token” and accompanying MobiSecure Authentication Service Center. The MobiSecure token is a soft token that can be embedded into mobile phones, PDAs or laptops. It acts like a onetime-password generator (OTP), except that it is embedded on devices users know, love and carry constantly. The Service Center allows for automatic, over-the-air registration, token upgrade and token removal, making the process of change less cumbersome for consumers. On the tail end of the conference, Diversinet also announced an OEM partnership with RSA Security, which will use Diversinet’s over-the-air provisioning technology with its own Secure ID Product. Diversinet will also extend RSA Security’s SecurID soft token products for additional mobile device platforms, including Java, Symbian and Brew. The technology works like a network enabling encrypted data to travel back and forth between devices and online entities, and is essential for secure mobile commerce, says Stu Vaeth, chief security officer at Diversinet. Over the air provisioning automatically detects and registers new device types, as each operating system has its unique properties, and system requirements. “Internationally, people are more accustomed and more accepting to take the extra steps to use smart cards, hard tokens, things like that,” Mr. Vaeth says. “In the U.S., convenience is so fundamental, banks are so concerned with losing customers if they make them take extra steps.” And as phones get more sophisticated, so it seems, the applications will follow, such as SMS financial messages, and voice-enabled one-timepassword generators. “We’re doing tons of interesting things around the phone,” concludes Ms. Loftus, “because that’s a key device.”

Summer 2006

Publisher’s note AVISIAN’s suite of ID technology publications would not be possible without the invaluable support of our advertisers. Join our sponsors ... we look forward to contributing to your success in 2006. Best regards, Jeff Jeff Staples, Publisher, jeff@avisian.com 703-437-4588 ofﬁce • 703-728-2186 mobile • 703-832-8448 fax http://www.avisian.com/advertise

AccessID ACG Blackboard Castles Technology CBORD CIM-USA ColorID Corestreet Cryptography Research Datacard Datastrip Digital Identification Fargo General Meters HID Higher One IBM Indala Infinacard Integrated Engineering Intermec IR Security and Safety LEGIC Lenel Muhlbauer Nedap Nfive NuVision Networks Omnikey Plastic Card Systems Sagem SmartCentric Technologies Symbol Synercard Tokenworks Tradewind Technologies U.S. Bank Ultra Electronics Verisign Vision Base US Wells Fargo

www.secureaccessid.com www.acg-id.net www.blackboard.com www.castech.com.tw www.cbord.com www.cim-usa.com www.colorid.com www.corestreet.com www.cryptography.com www.datacard.com www.datastrip.com www.digital-identification.com www.fargo.com www.1card.com www.hidcorp.com www.higherone.com www.ibm.com www.indala.com www.infinacard.com www.smart-ID.com www.intermec.com www.irsafeschools.com www.legic.com www.lenel.com www.muhlbauer.de www.nedapavi.com www.nfive.com www.nuvisionnet.net/ias.html www.omnikey.com www.plasticard.net www.morpho.com www.smartcentric.com www.symbol.com www.synercard.com www.tokenworks.com www.tradewindtek.com www.usbank.com www.ultramagicard.com www.verisign.com www.visiondatabase.com www.wellsfargo.com

ID Solutions FIPS 201/PIV including identity prooﬁng, card management & personalization, physical & logical access control Match on Card Automated Fingerprint Identiﬁcation Systems (AFIS) for civil and law enforcement applications

Sagem Morpho Inc. is a biometric solutions provider with over 25 years of global experience in biometric identiﬁcation.

MorphoCheck F250

MetaMorpho

For more information: info@morpho.com 1.800.346.2674 www.morpho.com

RapID

ILS2-P250

MorphoAccess

SecureIDNews

Hong Kong’s smart ID cards secure online banking Government-issued IDs flourish as private-sector security token Marisa Torrieri Contributing Editor, AVISIAN Publications In some parts of the world, the acceptance of token-based authentication is slow and requires prodding from service providers, but in Hong Kong the use of smart cards and tokens is flourishing as consumers use the technologies for digital banking and other services. Nearly three years ago the Hong Kong government issued a law that would replace traditional identification cards with smart versions, primarily for more secure identification and immigration control. The cards, which cost the Hong Kong Special Administrative Region $21 million U.S. dollars, will be held by all citizens by mid-2007. In February 2003, an international consortium of technology companies led by Pacific Century Cyber Works Limited (PCCW) won the contract to provide the cards, system, and services for the government. Today, thousands of citizens have not only completed this process, but have caught onto using the smart cards for non-mandatory functions, namely digital commerce. Since the card mandate, there has been a rapid public acceptance of the technology for online banking in Hong Kong, says Gilbert Leung, Senior Sales Manager for smart card reader manufacturer Advanced Card Systems Ltd. (ACS). ACS announced last month that it has already received orders for 60,000 smart card readers embedded with The Hong Kong Post e-Cert – the digital certificate technology that secures the online applications. According to Leung, about 4.8 million personal banking transactions were processed through personal Internet banking every month during 2003, the year the Smart ID surfaced, representing a 30 percent increase over the prior year. Additionally, the number of transactions processed through business Internet banking every month has increased five-fold since 2002, he says (more current data is not yet available). Nearly a dozen banks already employ two-factor authentication tools like e-Cert for high-risk online banking transactions, in accordance with guidelines from the Hong Kong Monetary Authority (HKMA). Bank of America (Asia), BOC Credit Card (International) Limited and Bank of China (Hong Kong) are among the first to announce their use of ACS’ ACR30 smart ID card reader, Mr. Leung says.

Inside the chip: e-Cert technology fuels digital banking Today, card-bearing citizens who want to engage in digital commerce can use the e-Cert on their smart IDs. E-Cert, in short, is the security layer that enables cardholders to perform electronic transactions and online banking. It’s free for one

“Through the [one year e-Cert program], more than 950,000 local residents have already embedded Hong Kong Post e-Certs in their smart ID cards,” says Leung, adding that e-Cert-infused smart cards have “become the most widely recognized and readily available two-factor authentication tool owned by consumers in the market.”

Hong Kong sets example but will the world follow? Will others follow Hong Kong’s example ... issuing a national ID but encouraging its use for online authentication in the private sector? Yes and no, say experts and analysts following what’s happening in Hong Kong and in Singapore, where banks where required to implement two-factor authentication. In Hong Kong, citizens must, at a minimum, carry the technology or face monetary penalties. While the United States has the newly-issued Federal Financial Institutions Examination Council guidelines, it only suggests banks move to two-factor authentication. Mandating that all citizens carry the token is another matter altogether – one that has certainly helped the Hong Kong program to thrive. “I think markets like Singapore and Hong Kong can do that because they’re smaller and more contained,” says Kerry Loftus, director of consumer authentication services for VeriSign. “Consumers are more acclimated to incidents of fraud and banks can pass off costs. There’s already buy in from that side that ‘this is added security, this is a good thing.’ Here in the U.S., they’re more resistant – you don’t incur any costs if someone grabs your credit card. Consumers here aren’t feeling the brunt of fraud. It’s quite different.” It will take several years before similar smart-card technology enjoys the equivalent use in the United States, says George Tubin, senior analyst for TowerGroup, who covers strong authentication and smart card markets. “The smart card approach works when either the government or an industry, consortium sponsors and supports its development and implementation,” says Mr. Tubin, referring to Hong Kong’s approach, as well as that of the other Asian and European nations. “It’s very expensive and cumbersome to implement and maintain this type of approach and a single bank would typically not want to involve the resources -- both monetary and staff -- to support it. Once a group of interested parties come together to share the costs, it makes more sense.”

SecureIDNews

year, after which the government charges a subscription fee, according to http://www.smartid.gov.hk/en/index.html, the government’s web site devoted to the initiative.

SecureIDNews

Card-based PKI to better secure doctor’s communications SAFE BioPharma’s secure signatures to be adopted by more docs in coming year Marisa Torrieri Contributing Editor, AVISIAN Publications Expect to see an influx of doctors using digital signatures in lieu of cumbersome paper-penfax combinations to authorize medical care, services and prescriptions. Using public key infrastructure (PKI) with certificates held on a smart card, USB fob, or other hardware token, a new identity standard for the medical community is taking hold. At least, that’s the hope for the SAFE BioPharma Association, which says its hard work will bear some serious fruit this year. The global identity management coalition, which counts a number of pharmaceutical heavyweights as its founding members, formed with the primary purpose of development and deployment of the new technology standard. Members share the goal of promoting safe, secure, digital transactions that meet regulatory guidelines. At the end of 2005, the association announced a series of partnerships with major technology vendors. Adobe, Arcot Systems, CoreStreet, nCipher, IBM, and Kyberpass are the first to participate in the SAFE Vendor Partner Program, which encourages development of SAFE-enabled, off-the-shelf software and applications for a broad range of uses within the pharmaceutical and healthcare industries. Each program and application will be thoroughly tested by the SAFE-BioPharma Association to guarantee it functions according to SAFE requirements. What this means is a number of computer applications will soon become available to physicians and other medical caregivers who are ready to switch to digital signatures. Many of these physicians have been resistant to switching from the more tedious method of 26

Summer 2006

physical signatures, fax machines, and speedy delivery services to authorize medical transactions.

a PKI infrastructure,” says Mr. Rathbun. “When you try to deploy a PKI infrastructure for a medical environment, it’s a big challenge.”

The SAFE framework gives companies the ability to sign regulatory and commercial transactions in a legally enforceable way that is much faster and simpler, says George Rathbun, CTO of SAFE-BioPharma Association. It does this by simplifying, securing, and streamlining business-to-business and business-to-regulatory information exchange. Now that the standard is up and running, the organization’s biggest goal this year is adoption, says Mr. Rathbun.

When SAFE was formed, “we all witnessed and were painfully aware how difﬁcult it was for the community to manage the different forms of identiﬁcation mechanisms used to gain access to our systems,” says Mr. Rathbun. “The dominant methodology was an OTP issued to a doctor to gain access to an IT solution.”

“2006 is the year of that happening in scale,” says Mr. Rathbun. “SAFE has made the commitment to now begin with a more aggressive provisioning schedule.” In his role as CTO, Mr. Rathbun oversees and administers all aspects of technology for SAFEBioPharma Association. He also serves as chairman of the SAFE Technology and Implementation Working Groups and as the chief systems architect. Prior to leading the association, he served as a technology architect for Pfizer. SAFE members include the heavyweights of the pharmaceutical industry … AstraZeneca, Bristol-Myers Squibb, GlaxoSmithKline, Johnson & Johnson, Merck, Pfizer, Procter & Gamble, and Sanofi-Aventis. Representatives have been toiling away on this high-security pharmaceutical standard since its inception in 2001. But the organization faced numerous challenges in its early years. Because PKI and the ability to deploy smart cards and the necessary software is expensive, deployment is complex.“There are a lot of legal and financial considerations when deploying

But that was a difﬁcult form factor because many physicians accessed multiple systems and it brought up legal and privacy issues. The SAFE credential addresses these obstacles by issuing easy-to-use credentials for physicians so they don’t have to worry about security and can simply focus on sending their digital signature. As more physicians catch on,“I think you’re going to see other uses of this technology,” says Tom Greco, VP of enabling infrastructures for Cybertrust. The company supports the SAFE standard by offering compliant technology and services to pharmaceutical vendors and is piloting a SAFE-enabled system with Merck Pharmaceuticals. Cybertrust’s core business revolves around supporting shared security credentials for multiple industries and applications. “Adoption of new identity technologies – it’s a chicken and egg issue,” Mr. Greco says. “You’ve got to get credentials out there before people start using them (but) once you get the buyin from the doctors themselves, there will be multiple uses of the credential.” That could open up a whole new world of secure communications within the medical community.

SecureIDNews

First class lineup guarantees CardTech/SecurTech in San Francisco will be time well spent For a couple of years, it looked as if SecurTech was going to overtake the CardTech portion of the annual conference in terms of numbers of participants, but with last year’s rollout of contactless payments by the big three card issuers, the pendulum is swinging back. “It used to be we were split 50-50, now we’re 70% financial, 30% security,” said Bill Rutledge, program manager for SourceMedia which is producing the 16th annual CardTech/SecurTech Conference May 2-4 at the Moscone Center, San Francisco, Calif. That’s not to say security is playing second fiddle. Far from it. There is still plenty of both for participants. “I want to make it clear that we’re not a credit card event or that we’re just about biometrics. Everyone will find something and vendors (some 180 of them) will reach across sectors,” he added. This year’s conference will likely surpass last year’s 3,500-plus attendance figure. “We’re getting the same number of attendees on the security side, it’s just the percentage that has changed,” said Mr. Rutledge. Increased participation from the financial services sector accounts for much of that increase. “What’s different is that banks are all rolling out contactless cards, so everyone is aware of it,” added Mr. Rutledge. “We’re getting a lot of card associations and issuers to speak at the conference because we actually have programs out now.”

Live interoperable biometric demos “We’re doing a big focus on the fingerprint biometric standards,” said Mr. Rutledge. “There will be a day-long focus on that, but we’ll also be doing a fingerprint (and facial recognition) demonstration on the show floor. People will be issued cards and they’ll be able to scan in their biometrics.” They’ll then be able to go to various vendors on the exhibit floor, scan their cards and see a first-hand demonstration of the interoperability of the vendor’s hardware and software.

“It used to be that individual vendors had proprietary standards but now you can mix match hardware and software because they’re all using the same templates,” said Mr. Rutledge. “All fingerprint vendors will be demonstrating their ability to use an interoperable standard, not only for fingerprints, but facial recognition.” A workshop on “Biometrics for Access Security” will also take a close look at the current state of public acceptance of biometric technologies and how organizations are using biometrics to increase their security. The program will look at the various types of biometrics, including iris, finger, facial, hand and biometric fusion.

Two-factor takes center stage ID theft, a hot topic everywhere, will also receive a spotlight. “The FFIEC (Federal Financial Institutions Examination Council) is requiring two factor authentication next year for anyone doing online banking,” said Mr. Rutledge. A daylong session on Technologies and Strategies to Fight Fraud and ID Theft will delve into two-factor authentication and preventive measures banks and others can take to help their customers protect their identity and guard against phishing schemes and more. Stephen Malphrus, staff director for management with the Federal Reserve Board will discuss two-factor authentication requirements.

Convergence of physical and logical security remains key Sessions on another hot topic, convergence of physical and IT access, will include “Project Planning and Large-Scale Security Strategy,” led by Stephanie Dawson, manager, capital programs and technology services department, Port Authority of New York and New Jersey, and a case study on “Leveraging IP Networks for Security Convergence,” featuring Cisco Systems’ Bill Jacobs, corporate security systems manager.

NFC transitions from concept to reality NFC (near ﬁeld communication) is one of the hottest technologies on the scene and since last year’s CTST, it has moved from a discussion topic to real world trials and pilots. “NFC is an emerging technology and the four major pilot programs will each have speakers at the conference,” said Mr. Rutledge. Led by AVISIAN publisher Jeff Staples, the daylong session will cover the soon-to-be ratiﬁed NFC standards and results from several NFC trials. Presenters will include: Holger Kunkat, manager, Mobile Secure RFID Solutions for Philips and chairman of the NFC Forum’s Technical Committee; Bruno Charrat, CTO, INSIDE Contactless; Mohammad Khan, COO, ViVoTech; and John O’Malley, vice president, telecommunications, for Giesecke & Devrient.

Other features round out the event … “We’ll also have some great feature presenters,” said Mr. Rutledge. These include: William Vass, CIO of Sun Microsystems, speaking on the Future of Java Card; Douglas Bergeron, CEO of Verifone on the Future of Secured Electronic Payments; and Bruce Schneier, founder and CTO, Counterpane Internet Security on Security: What Works, What Doesn’t and Why. Two keynote luncheon speakers include John Partridge, CEO of Inovant (the global IT arm of Visa) on Emerging Transaction Technologies, and Olivier Piou, Axalto CEO, who will discuss the role of card-based technologies in the evolution of digital identity security. A dedicated Technology Pavilion will showcase biometrics, contactless, and NFC technologies. There will also be daily TechTours including guided tours of the exhibit ﬂoor in a particular product sector. With these great features, some 15 concurrent “track” sessions, and an exhibitor hall packed with 180 companies, the hardest decision by an attendee is going to be choosing where to go next.

May 2-4, 2006 The Moscone Center San Francisco, CA

F o c u s e d . S p e c i f i c . Tw o Te c h n o l o g y S e c t o r s . O n e E v e n t . CTST is America's largest advanced card and biometrics conference, covering secure transaction technology, contactless cards, and IT/physical access security convergence. CARDTECH: The Revolution of Contactless Transactions FULL-DAY WORKSHOPS COVER EVERY ASPECT OF TOKEN-BASED TRANSACTION AND SECURITY TECHNOLOGY AND BUSINESS STRATEGY. Foundations of Card Technology for Transactions

Contactless Transactions: An Issuer Perspective

Workshop Advisor: Randy Vanderhoof,

Workshop Advisor: Donald Davis, Editor and Associate Publisher, CARD TECHNOLOGY, SOURCEMEDIA

Executive Director, SMART CARD ALLIANCE

Java Card Technology Update

Prepaid Card Technologies and Business Strategies

Workshop Advisor: Ramanuj Banerjee, Technical Marketing, JAVA CARD GROUP

Workshop Advisor: Tim Sloane, Director Debit

GlobalPlatform and Multiapplication Card Technology Update

Advisory Service, MERCATOR ADVISORY GROUP

Integrating New Technologies for Point of Sale

Workshop Advisor: Marc Kekicheff, VP, VISA INTERNATIONAL, and Vice-Chair, GLOBALPLATFORM

Workshop Advisor: Paul Grill, Principal, FIRST

Contactless Transactions: An Acquirer/Merchant Perspective

Workshop Advisor: Henry Dreifus, CEO, DREIFUS ASSOCIATES, LTD.

Technologies and Strategies to Increase Customer Loyalty Workshop Advisor: Rick Ferguson, Editorial Director, COLLOQUY速

NFC: Technologies and Strategies for the Contactless/Telecom Convergence. Workshop Advisor: Jeff Staples, Publishers, AVISIAN PUBLISHING

ANNAPOLIS CONSULTING INC.

Emerging Payment Technologies: Challengers, Contenders and Conquests

Workshop Advisor: David Evans, Founder, MARKET PLATFORM DYNAMICS

Keynote Speaker:

For sponsorship and exhibiting opportunities, please contact Sharon Davis at sharon.davis@sourcemedia.com or 212-803-6586

JOHN PARTRIDGE PRESIDENT AND CEO GLOBAL IT ARM, VISA USA

Media Sponsors:

www.ctst.com

800-442-CTST

212-803-8777

ContactlessNews

Axalto’s SmartFob offers contactless payment functionality in a radical new way Andy Williams Contributing Editor, AVISIAN Publications

Bankcard issuers wanting to set themselves apart from others may opt for a different form factor than the same old, standard credit card. Axalto’s new SmartFob is a sureﬁre differentiator … and that is certainly one of the reasons it grabbed last year’s Sesames Award from CARTES for best new hardware. With the ongoing U.S. rollout of contactless payments by the big three credit card brands – MasterCard, Visa, and American Express – competition is deﬁnitely heating up. And issuers are beginning to explore the new freedom that contactless technology brings to the payment token form factor.

Summer 2006

As Xavier Chanay, president of product marketing and technology for smart card manufacturer Axalto put it, “there are two types of strategies used by banks for deployment of contactless payment. The most traditional one is the standard card form factor. Some banks want to use the same form factor because it’s what everyone is used to and feels safe about.” But for those banks wishing to “differentiate themselves,” Axalto has a choice. Enter the company’s SmartFob, what the company calls a “trendy” payment device that can provide the same functionality as a contactless smart card. It consists of a SIM card module and a contactless keyfob, which can be equipped with a switch to avoid unauthorized transactions.

ContactlessNews

That’s right, it can be turned on and off. And it’s not limited to the standard fob form factors either. The technique could be used to create contactless payment capability in a watch, a cell phone, or any other personal object, said Mr. Chanay. It provides the same functionality as an ISO 14443 contactless smart card.

smart card with a low-cost choice of different form factors,” said Mr. Chanay.

The on-off switch is possible because the antenna has been separated from the chip. The miniature card containing the chip can be added after the keyfob production phase, just like a SIM card for a mobile phone. This allows the physical SmartFob to be mass-produced at a much lower cost than keyfobs in which the antenna and the module are bound together during production. Furthermore, these devices can be updated as often as necessary, just like SIM cards, simply by popping out the SIM and inserting a new one.

“The device that will contain the chip card module can be manufactured in high volume at low cost, in China or elsewhere,” says Mr. Chanay. “We can offer different types of management. We can do the fulﬁllment ourselves, personalize the card, insert the module into the SmartFob device; or we can ship it to the user and they can do the insertion themselves.”

“When we spoke to bank customers in the U.S., they identiﬁed this need, which is how SmartFob was created,” Mr. Chanay added. And the reverse applies as well. “You could remove the module from one key fob and introduce it into another one. Everything that makes this your card is contained in the card module, not the fob,” he explained. “It’s very cost and efﬁcient in terms of logistics. We basically associate the strengths of the

Summer 2006

Since the SmartFob was announced in the fourth quarter last year, “we’ve presented it to some customers in North America and received a lot of interest,” he adds.

He added: “One of the things we didn’t think about, was that banks might want to change the designs of their fobs on a regular basis. Something they liked about our solution is that they can redesign the fobs easily. They can order large quantities of the devices and would have no issue with throwing them away because their cost is very low as there is no intelligence in them until the card has been inserted, which is not the case with a normal fob,” he said. Axalto subcontracts the fob itself, what he calls a “piece of plastic and an antenna.”

Axalto produces a SIM card for GSM, and for the SmartFob, with the same format as a bankcard, he said. The precut module, about one inch long by one-half inch wide, “is very easy to remove from the card body. If you’re a GSM subscriber, you can insert this into the GSM phone. That’s what GSM users do every time they change their handsets. It’s very easy.” But while Europeans and Asians have no problem replacing their own SIMs, “in the U.S. we don’t see bank customers doing the insertion themselves, so banks (will likely) want us to supply the finished devices,” said Mr. Chanay. On the other hand, he believes European banks will ask Axalto to ship the card directly to the end user and they will have their customers extract the module and insert it into the SmartFob. As a final comment, Mr. Chanay stressed what he believes to be the overriding benefit of the SmartFob. “You can reuse all the manufacturing infrastructure, especially the infrastructure needed to personalize cards to make each of them unique and your own. If you have something completely integrated, you have to change the production infrastructure every time. The real value of this innovation, whether the end user does the insertion, or Axalto or the bank, is the efficiency in creating a new marketing offer for banks.”

��

Smart cards in China From the Great Wall to city buses in busy urban centers, contactless is ﬁnding a home in the world’s most populous country

ContactlessNews

Andy Williams Contributing Editor, AVISIAN Publications With the Olympics coming to China in two years, the country is in the middle of upgrading many of its programs and much of its infrastructure, including access control, transit systems, and more. This -- coupled with ongoing demands that occur as the world’s most populous country rapidly modernizes – has the worldwide smart card industry scrambling to grab a piece of this potentially huge market opportunity. Frost & Sullivan, a research company that provides growth consulting and corporate training solutions, has estimated the Asian and Paciﬁc contactless smart card market to grow from 57.6 million units in 2003 to 453 million units in 2009 for a compounded annual growth rate of 41%.

One of the largest contactless chip providers in China is Philips. Its MIFARE technology is used primarily in transport in a wide range of Chinese cities, but it is also in use for access control at the Great Wall of China and a number of other locations. Jason Hitipeuw, MIFARE marketing manager with Philips’ contactless headquarters in Graz, Austria, estimates Philips has about an 80% share of the chip market in China. “Philips has a dedicated market segment for automatic fare collections (AFC) and transportation because it’s a perfect ﬁt for our MIFARE portfolio,” he said. “China is a big focus right now and is one of the most promising regions for contactless. China is simply a huge market for us.”

MIFARE is used in more than 80 cities in China. The chips are sold to card manufacturers, which are then delivered to the system integrators who implement them in the system. Interestingly, said Mr. Hitipeuw, many of the cities are using local system integrators rather than the big international ones. “The Chinese are deﬁnitely fast movers when it comes to contactless,” he said. “Philips has been in China since 1995 contactlessly,” says Mr. Hitipeuw.“(Getting) contactless technology into the transport AFC systems (in China) was a lot easier than say Europe where you had older legacy magnetic stripe tickets and an existing infrastructure to deal with.”

As far as multi-applications go, a few cities are combining their contactless transport cards with student ID cards and loyalty cards, “but not too much is being done on the payment side (because the) total infrastructure just isn’t there yet,” said Mr. Hitipeuw. He stresses that he believes contactless payment will be an important opportunity for Philips in the future, “the cities (using contactless) have a current view of adding more features, such as contactless payment.”

Larger chips and multiple applications The Beijing One Card, an automatic fare collection card, “is now using MIFARE 4k because it provides a little more functionality and can handle multi-applications easier,” says Mr. Hitipeuu. There are now “up to eight million cards, mainly good on buses and the metro,” he adds, suggesting that some 15 million cards are expected to be issued by 2007.

What changes are the Olympics initiating? The country is aware “of how usable and convenient the public transport in Beijing is and how the transport operators make travel and mobility more comfortable and secure with the current MIFARE system,” He said. “Any new infrastructure or new subway lines that are put in will also run on the MIFARE chip.” China, he said, is also considering the prospect of using contactless tickets to control access to the Olympic events.

Contactless at the Great Wall That’s what the Great Wall of China, which attracts about four million visitors a year, is doing. It started using an e-ticketing system powered by MIFARE in 2004. “They were interested in what they could do to track visitors, how many visitors came to the Great Wall, etc,” said Mr. Hitipeuw. The ticket could also serve as a souvenir. Chinese ofﬁcials wanted to make access to the Great Wall more secure. “MIFARE was really a good choice,” he added. Visitors take the one-time use paper ticket, touch it to the gate and walk in, he explained.

The e-ticketing system, which uses Philips’ MIFARE UltraLight, was installed by the Beijing Municipal Administration and Communications Card Co. Ltd., which also handles the city’s Beijing’s One Card. That makes it compatible with Beijing’s existing ticketing system. Another up and coming application, geared for cell phones, is near field communication (NFC). “We’re definitely in discussions with different mobile operators to introduce NFC as an addon to the infrastructure that’s already there,” he said. “It’s a great lead-in to contactless ticketing and is definitely the next push for us in China.” While there are currently no China NFC projects that he could discuss, “I think you can expect to see some interesting news coming in the near future,” he added.

Others seek opportunities as well Philips is by no means the only international company that sees great opportunities in the world’s most populous country. Many of the leading players in smart card and identity protection-related industries have established ofﬁces or joint ventures in the country. At the same time, Chinese smart card manufacturers such as EastCom Peace and Watchdata are working to capture the business in their own backyard. With so much at stake, the two short until the Beijing Olympics should be quite interesting to watch.

ContactlessNews

The top 80 cities in China currently using MIFARE have at least a million residents or more. Mr. Hitipeuw estimates the number of chips that were issued in China in 2005 at 120 million.

The latest city to use MIFARE is Nanjing.“It’s the ﬁrst city in China to go with our MIFARE DESFire chip, which is the next generation of MIFARE. It has an open triple-DES cryptology, it’s faster and has 4k of memory,” said the MIFARE marketing manager. As more cities migrate to contactless, or upgrade, he expects more projects in the Chinese market will move towards the newer, more secure chip.

Thales deploys ID solutions around the globe From transit to passports ... security to payments, the global integrator is involved Andy Williams Contributing Editor, AVISIAN Publications

ContactlessNews

Global systems operator Thales is more than just a transit/transport integrator utilizing smart cards. Lots more. Try aircraft carriers, global positioning systems, air traffic control, contactless payments, passports, unmanned aircraft, and ... well, the list goes on. Even Louvre security has a spot on Thales’ menu of services. The company was created in 1893 when electricity was in its infancy. Through a series of mergers and purchases it became Thomson-CSF and, in late 2000, was rebranded Thales after the merger with the UK electronics group RACAL. It shares its name with the Greek mathematician, philosopher and, possibly engineer, who lived more than 2,600 years ago. “As one of the fathers of modern geometry, and one of the first engineers ever, it is not difficult to imagine why he gave his name to the Thales Group,” said Pierre-Antoine Benatar, director of marketing for Thales Transportation Systems. While Thales started in the electrical contracting business, it now bills itself as a global electronics company serving aerospace, defense, and security markets worldwide. It considers its birthplace as France, but has operations in more than 30 countries. With 60,000 employees, the Thales Group generated gross revenues of 10.3 billion euros 2004. “We are an international company with global reach and a strong focus in the European market,” said Mr. Benatar. The company has three main operations: defense, aeronautics, and security. Headquartered near Paris, one of the company’s many specializations is in smart card transit integration, but its diverse offerings also include providing electronics for aircraft carriers and producing the Magellan GPS system. In defense, “we provide everything electronic, from radars, sensors, radios and communications. We’re jointly developing the UK aircraft carriers and also for the UK we’re building its unmanned aircraft vehicles,” said Mr. Benatar. “There is a lot of cross fertilization between markets,” he said. For example, unmanned aircraft, similar to the Watchkeeper designed by Thales for the UK MOD, could have civil use as well, such as checking out pipelines in wilderness areas. “A large amount of our income goes into research and development to allow for this cross fertilization, to enable us to make the leap from the civil world into the military world and of course exploit military security technologies into civil activities,” he said. “In aeronautics, anything you can think of electronically that can go into an airplane, we do. For example, we designed the cockpit for the

new Airbus A380, the largest people carrier yet, capable of holding up to 555 people,” he added. “We also provide cockpit training and simulations for the new Boeing 777 aircraft for pilots and an air traffic management system for airports. We are able to build a turnkey Air Traffic Management (ATM) system for airports. We’re also involved with in-flight entertainment systems. It’s quite a complex electronic system to deliver entertainment to each seat. We’re very much R&D focused on delivering state of the art electronic systems to our customers.”

A focus on smart cards ... Where Thales shines in the use of smart card technologies, though, is in security, which involves three areas: transit/transport; physical and logical access control; and contactless payments, said Mr. Benatar. “Our security division deals with civil security (not involved with defense) where we serve governments and businesses alike for their security needs. We have a security integration business, and we also deal with transportation and energy. We have an e-security business that focuses on banking and government security; electronic terminals which provide secure payment terminals for retailers; all that is under our security division,” said Mr. Benatar. “Transit is our biggest market for contactless technology and where we have most of our experience,” he added. “We’ve been in transport for many years, mainly in the transit-ticketing business, but also in the development of safety systems for transport trains. When you have a train system, you need to have an operation center where you can control all the trains’ activity. This supervision center gives you the position of all those trains, to ensure passenger safety and avoid a crisis situation.” The first priority for transportation ticketing systems is passenger flow, moving passengers through the system smoothly with minimum waiting times, while providing secure transactions. “What we’ve delivered for more than 30 years is a fare collection system, first based on paper, then magnetic technology, now contactless technology. Our main focus today is helping transport authorities and operators migrate to contactless. Most systems are based on magnetic tickets today, except for certain modes of transport, like intercity buses, where you can still find paper tickets.”

Overwhelmingly contactless ... He estimated that 90% of Thales business in ticketing is contactless today. “Contactless is the next revolution in fare collection. It’s the one we’re living today because it delivers clear beneﬁts to all involved,” he said. “For the end user, it reduces waiting time and for transport operators it reduces the cost of ownership (maintenance costs primarily). In a contactless system, thanks to reduction in fraud and much lower maintenance costs for the system, the cost of ownership can be reduced by 20%, maybe more.”

Moving to a regional or country-wide system, “which is what we implemented in the Netherlands, citizens only need one card. We were the ﬁrst in Europe to implement a countrywide system. It’s a fully contactless smart card system. Even the paper tickets have a chip on them. We had to deal with ﬁve different operators, each with their own rules for calculating fares.” But the advantages for the end user are worth it. “Once we integrated the Netherlands system, we can now calculate the best trip for the traveler using multi-mode transports. We can automatically give you the best fare for your trip.” In Bangkok and New Delhi, Thales developed a recyclable smart token for implementation in their metro systems. “These recyclable plastic tokens are good for the occasional traveler. He gets a small token that he validates when entering the system. When he exits, he drops the token off at a recycling site,” said Mr. Benatar. “Each customer has its own business requirements. We’re able to tailor those requirements to meet the needs of our customers. It made more sense in India and China to deliver recyclable tokens because of the sheer number of passengers, even though these smart tokens are a little more expensive.”

Managing the end-to-end process ... While Thales considers itself a systems integrator, Mr. Benatar says it is also “unique because we actually control our core technologies and equipment. We control the entire design of

Most of Thales customers require the company to follow open standards for the cards, such as 14443 A and B, or Sony Felica. “Our readers can support all three types of standard cards,” said Mr. Benatar. “The cards might come from different sources. We deﬁnitely want the ability to propose open standards. The customer doesn’t want to be locked into one type of card.” He said Thales “surrounds itself with the right partners to deliver the best solutions to our customers.” He uses the Netherlands project as an example. “For these projects, we partnered with Accenture and Vialis to create the EastWest Consortium. Vialis installs and maintains the system’s physical infrastructure, such as smart card readers and ticketing and fare machines. Accenture operates the system’s backofﬁce, which includes clearing and settlement of revenues for the participating transport companies. “ Another example is the joint venture between Thales and Panda in Nanjing, China to provide services to the Chinese market for Integrated Fare Collection systems (IFS). The joint venture, called Nanjing Thales Panda Transportation System Co., Ltd., is what Thales calls a “milestone” in the collaboration between the two companies. By combining their forces, Thales and Panda are positioned to compete and succeed in the Chinese market, said Mr. Benatar.

ID and access control “Electronic cards and passports are the center of concern for nations today,” said Mr. Benatar. “The U.S. is pushing for development of such technology, the rationale being the capability to integrate biometrics on a chip. This is leading to increased security.” Thales, he said, has “an important role to play. We haven’t been involved in the U.S. biometric race yet, but in late 2005, Thales became the ﬁrst company to introduce on a national scale a secure ID card.” In Morocco, “we’re going to roll out 20 million (IDs) over the next four years. We’re assisting the government in the entire process, production, biometrics, and all

the security surrounding that. We are the integrator, and we expect the first cards to roll out in 2007.” This ID system includes both personal details and biometric data and meets new security requirements concerning travel documents. The solution includes ID document production equipment and software, high-security consumables and connectivity with the Automated Fingerprint Identification System (AFIS), which acquires digital fingerprints and compares them with a fingerprint database. Access control is also a strong Thales suit. “We provide security for the Louvre,” said Mr. Benatar. “We also secure banking sites, petrol refineries, where contactless cards can be used to access the buildings. The next step up is an integrated single card where you can use the same badge to open the gate and access your computer.”

Payments as well ... In the contactless payments arena, Mr. Benatar said Thales has “two main involvements. First, is point of sale, where we’re developing terminals helping merchants to support contactless technology. It’s a fast developing and emerging market and we are trying to accompany our customers into the evaluation of that new technology. We want to ease acceptance by merchants and try to ease migration by issuers by facilitating support for contactless cards. We want to support both contact and contactless cards,” he added. Even though Europe is knee-deep in EMV cards, he said “banks are now starting to think about the impact of contactless. They want to be ready for the next iteration of smart cards. Contactless is deﬁnitely coming although Europe is behind the U.S. in this area.” Next up for ticketing, the U.S.? Thales was in the U.S. “many years ago,” said Mr. Benatar. “We supplied Boston, Los Angeles, San Francisco, Baltimore ... based on magnetic ticket technology. That was through one of the companies later acquired by Thomson.” But competition forced them to temporarily abandon the U.S. market. “Now, we’re back. We have operations in North America (on the West Coast and in Canada) and this is our next challenge.”

ContactlessNews

Thales is involved in more than 40 to 50 transit systems around the world.“Some are city level, but the trend today is for large, intermodal systems,” he said.

our control gates, ticket vending machines, card validators, POS terminals, portable veriﬁer machines, ticket issuing machines. More importantly, we have full control over the design of our core contactless card reader.”

MIT helps security industry explore the privacy implications of RFID ContactlessNews

Andy Williams Contributing Editor, AVISIAN Publications A company specializing in contactless cards and readers and a university that’s synonymous with technology advances are meeting the privacy and security fears surrounding RFID head-on.

partnership. We’re also looking at developing a white paper with a much deeper treatment of the privacy questions and balancing those with the economics.”

HID Corp. started with a forum last December on RFID legislation pending in California then joined up with the Massachusetts Institute of Technology (MIT) to create a public forum to discuss RFID and public policy. Additionally they will jointly explore new uses of RFID for personal identiﬁcation that can enhance privacy and security (see sidebar). They also will be producing a web site to inform industry, government, and the general public about RFID.

The December forum in California was HID’s initial attempt to bring together federal policy makers, industry representatives, end users, and government agencies to begin the RFID/privacy discussion. Of immediate concern is pending RFID legislation proposed by California Senator Joe Simitian, a forum participant.

“There is a lot of misinformation, a lot of misperceptions out there about RFID,” said Kathleen Carroll, HID’s new government relations director. “HID would like to take a proactive approach in this area.” One of the reasons for her hiring, she said, was that “HID realized very quickly that it needed someone dedicated to following this legislation and educating (legislators and others) on the technology. I was drawn to the position because Steve Wagner (HID CEO) is passionate about the fact the company does care about the privacy of individuals. Your ultimate customer is the person using that card and if they don’t trust it, it hurts your business. You have to be trustworthy.” Collaborating with MIT lends legitimacy to what might otherwise be construed as an attempt by industry to promote a proﬁtable enterprise. MIT is the ideal impartial ground for this collaboration, said Dan Greenwood, an attorney and lecturer at MIT’s Media Lab. “As government and private industry expand their use of RFID, privacy concerns have emerged that deserve a neutral forum for dialogue that includes stakeholders from government, private industry and the public. We at MIT will provide that forum with support from HID, by inviting stakeholders to our campus and hosting a relevant Web site on our servers,” he added.

Senator Simitian calls his SB 768, “look before you leap” legislation that would require a three-year moratorium on any use of RFID on certain state-issued ID cards, including driver licenses. The senator, after consulting with industry, revised his bill from the original, more hard-lined intent that would have barred RFID technology from a wide range of government issued ID documents. Mr. Greenwood, who spoke at the December forum, explained that one of the “sub-texts of the event was the getting together of stakeholders to have a broad-based dialog on the deeper balances that have to happen to widely deploy this new technology. We can consider it social digestion. Part of what was significant about this forum is that it reflected the coming of age of RFID technology. No one has the final answer in this. The tone was one of contributing our opinions, a dialog as opposed to a one-sided monolog. The other aspect was we came away with the intent to not have this be the last public forum. There was a desire by all the stakeholders to have this be the beginning.” For now, the industry will be focusing on privacy concerns. “People are worried that their information stored on RFID-enabled (or contactless) cards can be stolen,” said Ms. Carroll. “What HID is doing is getting the facts out there that the industry cares about privacy too. No one is going to use our products if they don’t trust our products. If legislators start to ban the technology, it will throw a blanket over creative solutions to the privacy issue and we’ll also lose the benefits of the technology.”

Creating a proactive plan … “We’re bringing people together and leveraging academia where we have the scope to go much deeper on the issues,” said Mr. Greenwood. “That doesn’t depend on quarterly proﬁts, it’s an important role as a

She adds, “(An RFID-enabled ID card) doesn’t contain any personal information, just a unique ID number. When you listen to some of the rhetoric out there, people think you have this card in your pocket telling everyone you’re Jane Doe and you live on XYZ Street. That’s not

true. Even if someone has a reader, even if they get the ID number off your card, they would then have to ﬁgure out where to go to connect that number with any information about you.”

On the web …

The web site is “pretty much written,” said Ms. Carroll. “We have a section that will describe the technology in laymen terms. It’s not a complicated process, but we tried to put it in language the average person will understand. There will also be a section on legislation pending in various states and the status of it. A section will give people the opportunity to learn more and the web site will be linked to various white papers about RFID technology, its many uses.” “It’s a model we’ve used before,” added Mr. Greenwood. “We successfully held an online forum on the Real ID Act and we were able to create a neutral forum and facilitate it.” A Steering Committee, composed of MIT researchers and faculty and an industry Advisory Board, has been created since the collaboration was announced. Advisory Board membership includes: Richard Varn, Senior Fellow, Center for Digital Government and Center for Digital Education; Daniel Combs, President, Global Identity Solutions; Jeff Staples, Managing Partner, Avisian Inc.; and Bill Newill, Acting Executive Director, International Association for Identiﬁcation Technologies. In addition to its proactive efforts involving RFID, HID says it has established an “industry-ﬁrst” set of corporate privacy policy principles governing the use of RFID.

Dan Greenwood, a lecturer for MIT’s Media Lab, explains that the lab is working on a number of interesting prototypes using contactless cards and readers. “We decided to kick it up a notch,” he says,“(experimenting with) homes of the future, offices of the future. We see a rainbow of creative outflows from this partnership (with HID).” “We don’t need to reinvent the wheel with RFID,” adds Mr. Greenwood, “we’re working with industry partners to look at ways that RFID can be more deeply utilized.” One of those “cool things” MIT is experimenting with is loading multiple IDs onto a single card. According to Mr. Greenwood: “We tore open four HID cards. We took the tags out and hooked each to a passive antenna and we put an on-off switch on each of the tags. When off, it would break the circuit so you wouldn’t transmit anything. Each one of tags correlates to a different means of identity. You could have an on-off switch for each of the IDs. If you got stopped for speeding, you’d turn on your driver’s license ID, but you wouldn’t need that for entering an office building. We wanted to address this aspect of the privacy issue head on. When it’s off, no one is going to be able to access the information on your card unless they reached into your wallet and physically turned it on.” Another experiment is RFID-enabled jewelry or a watch, etc. Mr. Greenwood postulates: “On a pearl necklace, what if one of the pearls were an actual RFID tag?” As a web page dedicated to the Smart Cities Group of MIT’s Media Lab explains it: “Unlike a single national ID, or a widely used unique identifier, it is possible through the concept of MultiIdentity Cards for a person to have one chip for, say, an employee access card, another as a driver license, another as a retail loyalty card and another for e-commerce...The chip information can be designed such that no chip can be linked directly to another...By turning all the chips to the off mode, the user can enter a digital stealth mode, never emitting any information wirelessly.” The lab, explained Mr. Greenwood, is working on an easier on-off design using a thumb slider to toggle between the chips, and another design using a button set to activate the chips easily. “These designs also rely upon mechanical operations to turn on and off each chip, thereby eliminating the possibility that an unauthorized user could secretly activate a chip by remote electronic transmission without the knowledge or consent of the card holder. This is because the card holder must physically turn on or off a given chip before it is capable of transmitting. All designs, however, allow a user to choose to leave any given chip in the on mode, for ease of use in such applications as parking or building access, when the card holder may wish to keep the card in a wallet or purse for routine, convenient use,” the web page adds.

ContactlessNews

MIT and HID are also creating an online resource for industry, government and the general public, where they can learn more about RFID and privacy-related topics.

MIT’s famed Media Lab explores a contactless future

Ventura County’s transit card is a true contactless pioneer

ContactlessNews

Andy Williams Contributing Editor, AVISIAN Publications Being small can have its advantages. Ventura County California’s smart cardequipped transit system serves just 15,000 riders daily. And even with six independent operators for its bus lines, the county can still reconcile how much each operator is to receive in transit fares each day. It can also deliver, in real time, a very accurate bus schedule via displays at each bus stop or on the Internet so riders know where their bus is at any point in time. Ventura County is located on California’s west coast, with Santa Barbara to the north and Los Angeles to the south. Its 800,000 people live in ten different cities. The mission of the county’s transportation commission “is to enhance transportation throughout the county,” explained Steve DeGeorge, director of technology for the Ventura County Transportation Commission (VCTC). “We primarily do that by insuring an equitable distribution of funds, by serving as an objective third party in prioritizing transportation projects and also oversee transportation operations.” Because of its size, the county has largely skated under the radar as smart card projects go. Even though it has likely the longest history of any smart card transit project in the U.S., and even ranks among the longest running smart card projects – transit or otherwise. “We were one of the early pioneers,” said Mr. DeGeorge. “We started in 1994 when the State Department of Transportation wanted to conduct a smart card research project.” It was the county’s size that made it desirable for such a project. “It was controllable,” said Mr. DeGeorge. A small consulting ﬁrm helped put together a system that was trialed for a number of years. According to Mr. DeGeorge, “that demonstration, while not real successful technically, did show a lot of promise and what these systems were capable of.” “Nine times out of 10 the system would crash,” he said. “But it was a demo and we were trying to see what could work together. In 1994, the CPUs we were using were enormous and buses weren’t set up to carry that kind of equipment. We used a Band-Aid and baling wire approach. We mounted these things the best way we could.” One of the problems, he said, was that not much thought had been given to the driver’s interface with the system. “The operators hated it. We really did compile all these lessons we learned from that ﬁrst project and put them into our second.”

Early lessons lead to a better second attempt Planning for the second iteration of the project began in 1999 when the Ventura County Transportation Commission (VCTC), like practically everyone else in the country dependent on computers, was trying to decide how to make its system Y2K compliant. “We were trying to see whether it was worth changing our system or to go for a state-of-the-art system,” recalled Mr. DeGeorge. “The decision was made to go for state-of-the-art and in early 2000 we bid the entire system.” At the time, VCTC was operating 80 buses countywide. “We wanted something we could own and operate ourselves, where we could handle the clearinghouse, the maintenance, a system where we wouldn’t have to (constantly) go back to the vendor,” said Mr. DeGeorge. An ERG/Motorola partnership won the contract but, Motorola later got out of the smart card business. The ﬁrst 10,000 cards came from Motorola and the French-based company ASK is the current card supplier. The dual interface (contact/contactless) card is ISO/IEC 7816 and ISO/ IEC 14443 Type B-compliant. It is called “Go Ventura.” “Our project was more than just electronic fare collection. We included the integration of automatic passenger counters and a suite of reports to allow us to do in-house reconciliation of sales and riderships and to give us statistical transit data by stop. We count every single passenger at every single stop. They had to meet this criteria.”

2191 Adv 54x248

Today, VCTC has 115 buses. “We do have commuter rail, but it is not yet part of the smart card project,” he said. He would eventually like it to be, but since the rail can take passengers into Los Angeles, which has its own smart card program, so compatibility issues would have to be worked out.

A host of factors make Go Ventura unique “We’re a little different than (many) other smart card projects,” said Mr. DeGeorge. “Our e-purse is universal in our system. It will recognize the fare structure wherever you are. If you’re in the north end, where trips are only $1 or you’re eligible for a 10% discount (because of the number of trips you buy) the card recognizes this.” There are also four types of passes, he said.“Our cities don’t actually touch (so) going from one city to the next requires you to take three different bus operators.” Of the six independent transit operators, five are municipally-owned and the sixth is an intercity bus. A pass is good for unlimited travel for a set time period. “So if you buy a pass for February, you can ride the bus for as much as you want and it only costs you $40,” he added. “And it’s good throughout our system.” On the other hand, a card with an e-purse on it can only be used until the money on the card runs out.“We have our diehard pass users and our diehard purse users,” he said. With both, users can add value remotely. For now, they call VCTC or go to one of 20 VCTC outlets (POS terminals), and the next time the card is used, it’s updated with the new value. “We don’t currently have online sales,” said Mr. DeGeorge, “but that is my very next project.” With a fleet size of just 115, you wouldn’t think there would be 32 different vehicle types, but there are. “I have designed installations for all of them. They vary all over the place. But in the first project, we learned you have to involve the drivers right from the start. They helped us design each installation,” said Mr. DeGeorge.

The buses are also equipped with GSM (global system for mobile communications) that allows VCTC to track every bus. “You can go on the Internet and see where the buses are. We also have signs at the bus stops to tell you, in real time, when the buses are arriving.” VCTC uses NextBus, which uses GPS tracking satellites to provide the vehicle arrival information.

19-07-2005

11:24

INTEGRATED E N G I N Sm E art E RTecI hno N Glogy!

“In most smart card projects, a consultant is part of the project management team. In Ventura County, it was us and only the vendor; and in VCTC’s case, just me. I really see this as something special. We worked with ERG, which has an ofﬁce right next door. It’s a very unusual working relationship and it has certainly helped me become very familiar with the system.” One of the reasons Mr. DeGeorge said he wanted VCTC to have autonomy over the project is that “I didn’t want to have to go back to the vendor for route changes, or stuff like that. ERG gave us the ability to control that ourselves. We’ve changed routes, stops, fares 18 times and it never cost me a dime extra. ERG has always come through,” he added.“At times I’ve been a pain in the butt. However, they’ve always worked with me and kept the project going. I certainly can’t complain.” Nearby California State University Channel Islands developed its own version of the Go Ventura card, which is branded by the university. “We had hoped that when Cal State was building the university they would embrace our card as their university card,” said Mr. DeGeorge.“We built an adjunct project to ours to allow them to do that, but the university only embraced the transit application. They issue and brand their own transit card. In terms of the university card itself, they went in a different direction...so we don’t control their cards. We just gave them a compatible system and we do receive their ridership data.” As to what’s next for the Go Ventura Card, Mr. DeGeorge said VCTC is looking to increase its sales outlets and possibly allow the card to be used for purchases other than bus tickets. “I want to use it at merchants so bad, it hurts,” he said. “But it’s one step at a time.”

www.smart-ID.com Contactless Smart Card readers for Security, -Passport & -Payment Standards: ISO 14443 & ISO 15693 (including Mifare®)

Smart Security & Identification Europe Head Office � : +31(0)20 46 20 755 USA West Coast � : +1 831 659 3218 East Coast � : +1 717 666 1107 � info@smart-ID.com

Pagi

Smart Card Alliance members make real progress toward a more secure world

ContactlessNews

Andy Williams Contributing Editor, AVISIAN Publications The Smart Card Alliance has seen some good days and some really bad ones. Following 911 and the mini-recession that terrorist attack caused, the Alliance’s lost nearly one-half its membership -- falling from 160 to 86 organizations. Now, it has made its way back to nearly pre 9-11 membership numbers and, if 2005 is any indication, even better days are ahead for the alliance. Smart card industry veteran Randy Vanderhoof, who joined the alliance as its executive director in 2002 two years after its creation following a merger between the Smart Card Forum and the Smart Card Industry Association (SCIA), said membership is currently hovering at around 152. The merger of the two organizations became somewhat of a necessity, explained Mr. Vanderhoof, after SCIA and the Smart Card Forum began pulling back as a result of a downturn in the economy and the markets served.“It was a combination of mergers in the industry as well as the fact that the Smart Card Forum membership was heavily based in the ﬁnancial market that was experimenting with stored value and electronic purses on smart cards. That market never materialized and a lot of members associated with the banking industry left the smart card industry,” he added. “What’s evolved has been an emergence of a strong market for smart cards in security which ﬁlled the gap when payments were being de-emphasized in the U.S. Now we’re seeing a resurgence in the payment industry as well.”

Organizing based on vertical industry segments Last year, recognizing that the smart card industry “was growing rapidly in a number of disparate vertical markets, which had unique technologies and requirements,” the alliance created industry-focused councils within the 42

Summer 2006

organization “to better focus on, and address the needs of those vertical markets,” said Mr. Vanderhoof. That led to the formation of the Contactless Payments Industry Council and similarly-organized councils representing transportation, healthcare, physical access and the newest, identity. The councils operate as semi-autonomous business units with a governing committee and their own mission statement. An example of the type of programs the councils produce is the Contactless Payments Council’s free webinar held in conjunction with the retailer-oriented Stores magazine in February. The intent was to give prospective merchants and financial issuers and processors a layman’s view of contactless payments. To say the webinar was a success would be an understatement. “We were expecting about 75 to sign up,” said Mr. Vanderhoof. Instead more than 600 people signed up, with 315 participating online when it was first held and another 100 who later listened to the post-recording. “It was by far the most we ever had sign up for a webinar,” said Mr. Vanderhoof. “We developed that program to target the merchants and financial institutions who have yet to get on board with implementing smart cards. We wanted to drive an awareness of the benefits of contactless payments.” “The councils have elected their own steering committees; they decide what projects or deliverables they wish to work on; they’ve created their own budget and funding. All members of the Smart Card Alliance are welcome to participate in one or more of the industry councils, but some councils have established separate membership rules.” he said. That allows organizations, such as end user groups, to participate within one of the councils without actually having to become a full member of SCA. “We have enabled SCA members to make recommendations to the board to form industry

councils on their own. So each of these ﬁve councils that have been created were started through the initiative of several member organizations who felt there was a need to put more effort into addressing the smart card adoption issues relating to that vertical market,” added the SCA executive. “We were concerned the market was growing bigger than we had the ability to address because of the number of different directions the technology was taking,” he added. “In order to be responsive to the needs of the North American market, we felt we needed to provide additional attention in some of these areas, where they had either unique requirements or unique issues that needed to be addressed.”

North American roots but worldwide reach While the SCA is based in North America (Princeton Junction, NJ), “We don’t limit our membership to North American companies,” said Mr. Vanderhoof. “We have a large number of European and Asian companies which are members who see speciﬁc opportunities to service the North American market. In addition, last year, we formed the Latin America chapter as a subgroup within the SCA to address the needs that are unique to Latin America.” The alliance, in fact, opened a support ofﬁce in Miami, Florida last summer. SCA received a $288,000 matching grant from the U.S. Department of Commerce in 2004 as part of its Market Development Cooperator Program (MDCP) to foster trade between the U.S. and Latin America, said Mr. Vanderhoof. The Latin America chapter is the initial result of that grant. “We saw there was a need for a similar education and information exchange for emerging Latin American countries that were not being serviced by any smart card industry association,” he added. The chapter currently has 10 members.

WORLDWIDE OUTREACH

The single industry voice for smart cards ... The Smart Card Alliance is a not-for-proﬁt, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart cards, leading discussion on the impact and value of the technology in the U.S. and Latin America.

UNRIVALED EDUCATION

Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. Worldwide outreach - A primary mission of the Alliance is to show the world the benefits of smart card technology. We accomplish this through an array of outreach efforts including an informative web site, published industry reports and papers, active press relations campaigns, our Smart Card Talk electronic newsletter, and an international calendar of speaking engagements and exhibitions. Unrivaled education - At Alliance-sponsored events and leading industry conferences, top quality smart card education is offered to the benefit of both members and leaders from industries impacted by the technology.

TASK FORCES & REPORTS

Task forces and reports - Active participation from representatives of member organizations feeds a vibrant network of industry-speciﬁc councils and focused task forces. Highly regarded white papers, reports, and other deliverables ﬂow from groups focused on payments, secure identity, health care, transportation, and more. Conferences – Alliance conferences feature informative programs and speakers who provide insight and knowledge on smart card technology and applications, coupled with exhibitions that showcase leading edge products. These events provide exhibitors with invaluable access to true decision makers and enables participants to see the technology in action.

CONFERENCES

Networking - The best and brightest from the smart card industry and the key markets it serves participate in the Alliance, attend Alliance functions, and share a camaraderie that extends beyond the Alliance organization to the worldwide network of industry activities. Join the Alliance. It will pay dividends for your industry, your company, and your career. For more information, visit www.smartcardalliance.org.

Smart Cards in Government

5th Annual Conference and Exhibition April 18 - 20, 2006 Sheraton National Hotel • Arlington, Virginia For details, visit www.smartcardalliance.org

NETWORKING

Quality white papers educate wide audiences

A voice for accurate technology information

Yet, even with the webinars, outreach efforts, its trade councils and annual conferences, the alliance’s biggest beneﬁt to its members and to the smart card industry as a whole has been in the amount of information the alliance produces in the form of its white papers.

While the alliance white papers serve as a good information source for the industry, just as important, said Mr. Vanderhoof, is countering the misinformation ﬂoating around about smart cards.

ContactlessNews

“They have been the most effective way of communicating the value of smart cards because they are available to a wide audience. People appreciate the concise nature of the reports and see the quality of the material as helping them understand the market and allowing them to address their needs with particular industry providers,” said Mr. Vanderhoof. “We provide shared services to all council groups, which means we provide the support for their white papers, seminars, and conferences and we provide a means for them to meet over conference lines to discuss their projects and to develop their deliverables and then to post the results of their activities on each council’s web pages so people can learn from their work.” At one point, the alliance charged nonmembers for the reports, but they’re now available as a free download from the alliance’s web site, smartcardalliance.org. There seems to be no slowing down in the number of white papers the alliance is issuing either. In just the past couple of months, three white papers were produced dealing with smart cards in the healthcare industry, the top 10 “Hot Identity Topics,” and one dealing with smart cards and parking. “The Physical Access Council is continuing to focus on the government market and helping agencies deﬁne the FIPS 201-related issues. The council has published two reports and has prepared a Power Point presentation that has been shared with federal agencies and NIST to address the needs of FIPS 201,” said Mr. Vanderhoof. The alliance has also “done a lot of work to differentiate between secure forms of RF technology, such as what is being used in passports, ID cards, and payment cards from other forms of RFID technology,” he said.

“We’ve been very active,” he said. “We’ve published several reports, including FAQs (frequently asked questions) that set the record straight between the use of contactless and RFID. We’ve spoken at numerous industry events, such as privacy and travel conferences, information security and access security events and conferences dealing with border security and access control. And we continue to attempt to promote qualified speakers from the smart card industry who can define the differences between appropriate electronic ID and security applications from those that might be endangering personal privacy or individual security.” Mr. Vanderhoof sees the No. 1 issue facing the smart card industry today is global interoperability and the need for smart card technology to be integrated into the hardware and software platforms that will allow these platforms to reap the benefits of smart cards for fast, secure, and portable execution of transactions. “There is still a great deal of work ahead to integrate the standards that exist at the smart card level with the terminals and readers and back end systems that are in place to be able to use the smart card to authenticate individuals or execute secure financial transactions,” he said. “The industry has made great strides in this direction both at the individual market level as well as at the national and international standards level, but there is still a great deal of work to be done.” And interoperable cards in the transportation arena as well as in the ID and information security markets are still a ways off. “There’s still a lot of work that needs to be done just to simplify the use of smart cards to replace user names and passwords,” he added. Sure there is much still to be done. But the efforts of the Alliance leadership, its councils, and members at large, are making the benefits of a smart card-secured future a reality today.

Joining the Smart Card Alliance The alliance has several dues structures: One for the Leadership Council ($10,000 a year) which is the alliance’s voting class and from which the board of directors are chosen; and one called “General” which is $4,000 a year for commercial organizations and $1,500 for government organizations. It also has a $1,000 Associate Level for consultants and independent contractors. To ﬁnd out more about membership in the Smart Card Alliance, visit www.smartcardalliance.org.

Summer 2006

CR80News

Nova Southeastern replaces outdated campus smart card with new smart card system Andy Williams Contributing Editor, AVISIAN Publications Shackled by an outdated card program and its proprietary operating system, Nova Southeastern University (NSU) went looking for something bigger and better and, more importantly, a campus card that would enable the university to keep pace with technology. With its 27,000 students, NSU, located in Fort Lauderdale, Florida, is the largest independent higher education institution in the southeast and the seventh largest in the U.S. Founded in 1964, the not-for-proﬁt university has branch campuses in Miami and Dania Beach, with the Dania location housing the Oceanographic Institute, and what NSU calls “student educational centers” in Tampa, Orlando, Miami, West Palm Beach, and Jacksonville, Florida, Las Vegas, Nevada, the Bahamas, Jamaica, and Puerto Rico.

John K. Brueck, Jr., Nova’s director of Campus Card Services, said it was a “pretty elementary decision” to seek a new card program. “We were handcuffed with our current program. We can’t develop new applications or get new equipment because it’s a proprietary operating system, and it was getting more and more expensive to operate.” Nova’s current campus card would not have appeared to “outdated” to many observers. It was a smart card with a 1k and 4k chip as well as proximity capability and a magnetic stripe. The system offers physical access to buildings and parking lots on campus, acts as a library card, and functions for a host of payments.“Through the smart chip in a contact environment, users can pay at POS stations, use copiers, pay for print, laundry and vending,” said Mr. Brueck.

Replacing the existing smart card system in pursuit of better functionality But administrators felt constrained by the current system as they found it impossible to add functionality. In addition, they have several different cards –ﬁve in all – that are utilized for different functions. That was another reason the college needed change. Administrators wanted a single card – a true one card system. He said the university “wanted to offer our students superior service. We needed to have a partner that could develop new applications and new opportunities, something that would ease the student experience and positively affect the way students move about campus. It made sense, then, to move to a larger card system that would offer more functionality.”

We are working very closely with Siemens,” said Mr. Timmins. “Siemens is on the ground doing project management, requirements analysis, and working with Nova to make sure the networks ... the technical architecture is in place.”

Big plans for the new system Every student – whether at the main campus, in the Bahamas, or in Orlando – receives a student ID card from NSU. However, it depends on what’s available at the speciﬁc campus as to what else the card can be used for, said Mr. Brueck.

CBORD Campus Solutions Campus Card Systems - Access Control and Electronic Security Foodservice Management - Catering and Event Management Software Web-based Ordering - Housing Assignment Systems Judicial Conduct Tracking

The college tasked Siemens Corporation, to start exploring what was available and what would work. “Siemens was already established providing infrastructure on our campus,” said Mr. Brueck. That included the college’s security system, including access control and cameras.

CR80News

“We looked at various vendors based on where we wanted to go with our card program. Siemens identified SmartCentric Technologies International Ltd. as the best fit and reached agreement with the company to provide the smart card system.” SmartCentric Technologies, based in Ireland, has successfully installed campus card programs, based on its SmartCity system, at about 15 universities, mostly in the U.S., including schools in Orlando and Tallahassee, Florida. SmartCity is a multi-application smart cardbased system that includes stored value, loyalty, gift cards, logical access, physical access, biometrics, car parking and ticketing. “Nova wanted a system that would give them the flexibility to grow their programs,” said SmartCentric’s CEO, Kieran Timmins. “They’re not just buying for today, but tomorrow.” The partners – Siemens and SmartCentric – also had to take into consideration the university’s “complex requirements,” said Mr. Timmins. “Nova has very diverse campuses ... the main one in Fort Lauderdale, one in the Carribean, etc.”

Enjoy the power of a ﬂexible and expandable system from the recognized leader in the industry. Automate functions. Minimize operation costs. Maintain consistency. Enhance reporting. Run efﬁciently.

The CBORD Group, Inc. • 61 Brown Road, Ithaca, NY 14850 607.257.2410 • FAX: 607.257.1902 • www.cbord.com

Summer 2006

“In the old days of smart cards, everyone had the same card. Now we can select very precisely who will need what.”

“The ultimate goal is to take the applications on our south Florida campus, such as pay for print, and grow the applications, where prudent, to extend them to our other campuses,” Mr. Brueck added. “There might not be a need for a meal plan at Las Vegas but you might have web revalue. One of the other things is to have the ability to grow our program outside North America, to be able to do business in different currencies at the cash value stations. For example, the cash revalue stations in Jamaica would accept Jamaican dollars. If we open a campus in Europe, it would accept euros.”

CR80News

This parallels with what Mr. Timmins says is “the concept behind SmartCity ... not every card holder has to have the same proﬁle or even the same size card. In the old days of smart cards, everyone had the same card. Now we can select very precisely who will need what.” The SmartCity One Card, utilizes both contact and contactless technologies, Nova’s phase one applications will include student, faculty, and staff ID cards; cashless purchases at POS, vending machines, pay for print, meal plans; a web-based card revalue and card holder portal; and access control. The access control portion will incorporate both physical and logical applications and will use biometrics where needed. The biometric portions, said Mr. Timmins, will be match-on-card.“When you do biometric authentication, you’re authenticating against the card, not a database.” Mr. Timmins said the new system is planned for early 2007. “There is a signiﬁcant amount of work that needs to be done, not the least of which is support for the Siemens Card operating system.” Siemens will be supplying the chip and the card, he added, “with SmartCentric supplying the software.” The card will be a combi-card with prox and an embedded 64 k contact chip from Siemens on the card. “Biometrics (for physical access) can go on either the contact or contactless portion. The contactless portion of the card will support prox technology so the existing investment in prox readers will be maintained,” he added.“We’ll be taking out existing readers on laundry and vending and replacing with our own readers. In the initial phase we’re aiming to replace what they have today: vending, laundry, POS, pay for print.

Summer 2006

Moving to the future Web-based revalue will allow cardholders to look at the value on the card and where it was used. There are also plans for logical access, but I’m not sure which phase this will fit into. Next will be e-ticketing and off-campus use. Digital certificates (the ability to digitally sign documents) is also on the list of possibilities.” “We want to go with single sign on and digital certificates, but whether we move in that direction or not, we’re currently evaluating,” added Mr. Brueck. The card-based digital certificate program would primarily be used at the university’s health care center. As to moving off campus, it will come, but not right away. “We know we’re going off campus,” said Mr. Brueck. “There’s a lot of interest from retail food establishments with what we’re doing and students want to be able to pay for services off campus. Web revalue will help with that functionality.” That’s one of the reasons the college is planning to place up to four purses on the card. In the e-ticketing phase, NSU cardholders will be able to pay for event tickets over the Internet and load the ticket to their NSU card, making entry to NSU’s University Center (opening in August) easier on the patron, said Mr. Timmins. The initial rollout will be 30,000 cards.“We’re going through workshops with them at the moment to determine what will be in phases 1, 2, 3, etc.” “We’re looking at doing what’s right,” said Mr. Brueck.“We’re taking baby steps. We’re being methodical and not growing beyond our britches too quickly. We feel very comfortable with Siemens and SmartCentric. We look at this as a partnership but also as a family because we’re going to be working very closely with them.”

Emory University enables online campus card deposits via PeopleSoft system Andy Williams Contributing Editor, AVISIAN Publications

That means that the funds will be available to the student in no more than 60 minutes. If he makes a deposit five minutes before the batch process is scheduled to run, the money is available almost instantly. “Students don’t have to come to the Emory Card Office and they don’t have to wait in line to make deposits,” says Mr. Seigel. “(We have) freed staff from the process of receiving and processing checks and at the same time avoids bank fees and bank credit card fees.” “We approached our bursar’s office first about wanting to reduce the amount of checks and cash we handle in our operation. (We met with) the PeopleSoft group here on campus … and we gave them the information about what General Meters could provide us to make this happen,” said Mr. Siegel. Several months later the system was operational.“The student can now log onto his bursar account, look at bills and statements and make a selection on this bursar page to make an ACH deposit into the student’s flex account,” said Mr. Siegel. The program began in mid-January “and we reduced our walk-in traffic about 50% as far as deposits go. That’s with doing very little advertising,” he added.“It has worked flawlessly from the outset. I really think by the fall semester we’ll be doing 70% of our deposits this way, especially with the incoming freshmen class.” With less bursar office traffic, “we can concentrate on other important items for our customers,” said Mr. Siegel.

An Atlanta university seeking to reduce the number of checks passing through its business office now allows its students -- or their parents -- to handle many of those financial transactions electronically via their campus ID card. The result has been a 50% reduction in walk-in traffic, freeing up staff for other purposes. “We were wanting to reduce the amount of checks and cash we handle in our operation,” explained Dave Siegel, director of EmoryCard and Campus Life Technical Services at Emory University. For General Meters, the Colorado-based company that handles the university’s card program with its University One-Card System, “it’s all about making campus life more efficient,” said company vice president Jeff Zander. What Emory University has done is enable its 12,500 students to log-in to their PeopleSoft student account called OPUS, which is controlled by Student Financial Services, and make a bank transfer to their EmoryCard Plus account (PeopleSoft provides Emory’s personnel and financial system). After they fill out the Automated Clearing House (ACH) bank form, every 60 minutes a job runs in PeopleSoft that sends the deposits in a file to the Emory FTP server where the General Meters’ University One-Card System processes the deposit and the student then has access to that money on his campus card.

The future of the program Mr. Siegel foresees ACH deposits becoming the standard procedure, greatly reducing if not eliminating the acceptance of checks and credit cards at Emory as well as campuses throughout the country. While any university with support for declining balances can make this system work, Mr. Zander said it helps if “you have the ﬂexibility of an open architecture platform which can allow other services and interfaces to be part of the university’s card program. At General Meters, we make the hardware and software and if the system is open, like ours, then (automated deposits) can happen.” This is just phase one for the program, said Mr. Siegel.“Our next step will be allowing employees to make these ACH transfers.”

About the EmoryCard program: The EmoryCard equipped with a mag stripe, is used for meal plans, bookstore purchases, laundry, vending, copying, printing, door and computer access, and events, said Mr. Siegel. It also can be used to verify a student’s age when he attempts an alcoholic beverage purchase. Summer 2006

CR80News

Adds Mr. Zander: “The objective is convenience. We’re automating cash handling using the Web. Students can actually view their account statements on the web and it allows students to manage their card program without having additional staff dedicated at the campus level.”

Corn Cards offer a greener alternative, but is the industry ready for plastic from the farm? Marisa Torrieri Contributing Editor, AVISIAN Publications It sounds corny to some, but the latest card en route to consumers’ wallets promises the same durability of traditional petroleum-based (PVC) cards without using up one of Earth’s most valuable and dwindling resources ... oil. A new card made from processed corn got a big push when card manufacturer Arthur Blank & Co. (ABCO) announced last month it is ready to roll out millions of the regurgitated stalks for environmentally conscious retailers – whether they’re producing gift cards or highly secure access control or ID cards.

CR80News

Called “CornCard USA” by Arthur Blank & Co., the card itself can be composted, incinerated and mechanically recycled in industrial facilities. This new corn-based card can be used in the same applications as the more traditional petroleum-based counterparts. The CornCard USA may be printed with most of the special inks and panels Arthur Blank offers, and with a number of security measures (i.e., specialized inks only visible with infrared and black light readers, or Guilloche printing). While CornCard still reportedly costs nearly 10 percent more than PVC, Arthur Blank’s new rollout isn’t the only indication that these cards should be taken seriously. Major corporations such as Microsoft and Wal-Mart have said they are seeking renewable resource alternatives

to traditional packaging, notes Jake Jacobs, vice president of sales for Arthur Blank & Co. “Unlike petroleum-based cards, corn-based cards can be mechanically recycled, composted (this takes several years) and won’t release toxins when burned,” says Mr. Jacobs. “Creating the resin from corn also produces much less harmful gas than producing plastic from petroleum. On a small scale, this isn’t as big a deal, but when you consider Arthur Blank & Co. used 8 million pounds of raw materials last year for gift cards alone, you can clearly see the environmental beneﬁts of using corn-based cards.”

You can’t eat them, but you can swipe them: Cards look, feel the same as PVC Processing corn cards involves several steps, explains Todd Niemuth, marketing manager for Spartech Corporation, the “plastic sheet extruder” company that makes CornCard USA Sheets for Arthur Blank & Co. Spartech competes with PVC sheet extruders, using the process of fermentation, followed by polymerization. The process of corn polymerization, the ﬁrst step in making corn cards, is similar for both corn- and oil-based plastics, explains Mr. Niemuth, who notes that the process is just as complex for both corn and oil plastic. Conducted by NatureWorks for Spartech and ultimately, for Arthur Blank & Co., the process involves turning raw materials into pellets.

First, the corn is planted, harvested, then sent to a milling plant where starch is separated and isolated from other components. The starch is converted to sugar. Then, through a fermentation process much like making wine or whiskey, micro organisms convert the sugar into a lactic acid, which ignites the biological process of polymerization. The polymer, or plastic, is formed into pellets that are sold to Spartech. “The most environmentally signiﬁcant difference is that PVC is derived from oil, something that takes millions of years to regenerate, while PLA is derived from corn, a plant that grows in roughly 100 days,” Mr. Niemuth says. Then, the sheet extruder takes the pellets and mixes its own proprietary blend of chemical additives to give the corn-spawned plastic better strength, before ﬂattening it into thin sheets that look like a thick sheet of paper. “You can get 60 cards out of one sheet of plastic,” Mr. Niemuth says. After the sheet extruder turns the pellets into sheets, they are then shipped to Arthur Blank & Co., which adds its own, top-secret binding formula to the sheets before churning out the corn cards. The formula, developed by ABCO, is necessary to prevent problems such as ink bleeds and cards that curl at the edges. The formula is a result of several years of trial and error, as bad printing and imperfect cards were an industry-wide problem for years, Mr. Jacobs says.

What will turn corn into a corporate cashpot? If the cost of oil continues to rise, it won’t be long before both card manufacturers and retailers start following Arthur Blank’s lead by investing in alternative resources. But for now, the biggest challenge to adoption is that retailers are not demanding the CornCard, say a number of Arthur Blank’s manufacturing competitors. Versatile Card Technology (VCT), for instance, makes a huge range of cards for a variety of industries, but according to a source, the company won’t consider making CornCards without customer demand. “They’re really expensive,” says a VCT spokesman. “It’s more client-driven,” and clients are interested in “highest print quality at lowest price.” PVC cards are industry standard and CR80 cards cost 10 cents apiece, the spokesman notes. Should environmentally conscious vendor such as Whole Foods Market want to order one million corn cards, however, VCT would jump on the chance to make them, the spokesman adds. Until then,“PVC’s a very rugged, durable material,” the VCT spokesman says. But Mr. Niemuth believes that all of the leading card manufacturers are deﬁnitely keeping plans to manufacture corn cards. While the cost of corn remains stable, oil prices continue to skyrocket. When the price of making CornCard USA becomes more competitive, manufacturers will become even more accommodating.

Summer 2006

CR80News

“I think it’s safe to say every non-secure card manufacturer in the top 10 has asked us for trial material, and has it or will get it soon,” Mr. Niemuth says. “That doesn’t necessarily mean they have demand, but there’s a tremendous amount of interest.”

JSA receives web-revalue technology patent Talks of license fees spread through campus card community

CR80News

Chris Corum Executive Editor, AVISIAN Publications A newly-issued patent covering the movement of funds between accounts via the web is hitting close to home with campus card systems. No surprise as the patent was originally conceived to cover these transfers from a bank account to a campus card account. In November 2005, United States Patent 6,963,857 was issued to JSA Technologies, a familiar name in campus card circles. JSA has been supplying value transfer solutions to colleges and universities since the late 90s. The technology enables web-revalue of campus card declining balance and other accounts. “We had a working product late 1998,” says Jon Gear, Vice President of JSA,“and the patent was ﬁled in 1999.“ More than six years elapsed between initial application and ﬁnal approval, a timeframe that is not uncommon in the patent application process. “It covers the transfer of funds between networks via the Internet,” says Mr. Gear. He 52

Summer 2006

stresses that the patent in no way impacts typical bank to bank transactions as these utilize a common ﬁnancial processing network. It is when transfers occur from this traditional ﬁnancial processing network into another network that the patent’s coverage seems to begin.

The opening salvo In recent weeks, letters were sent from JSA to a number of companies and institutions that have developed systems that, according to Mr. Gear, may infringe on the patent. He adds, “we have not told any institution or organization that they are infringing. All we have done to date is (begin) to notify the market that we have this patent.” Though the actual number of letters was not provided, it was suggested that there was between 10 and 20 parties notiﬁed. Campuses using systems supplied by vendors were not

contacted, as the vendor would be the point of contact in these instances. “Schools only received the letter if they had a homegrown system,” said Mr. Gear. What was the purpose of the letter? The intent can be found in the ﬁrst line of the press release issued March 16, 2006,“Recently JSA Technologies contacted numerous private companies and several institutions of higher education regarding the licensing of a patent invented and commercialized by our company.“ JSA is seeking to license its patented technology. “We don’t want to shut anybody down,” says Mr. Gear, “if you are happy with what you are doing, we don’t want to stop you from doing it. We will just talk about licensing.“ When asked about the fees sought, Mr. Gear told CR80News that they were not yet determined. “It is premature to know what kind of fees would be expected and they will likely be determined on a case-by-case basis.

The license fee will probably be negligible in the grand scheme of things.” According to a company press release issued March 16, 2006, campuses with homegrown systems were contacted because, “we want to grant them licenses to our patent so they may continue their operations.” When asked by CR80News if campuses with in-house solutions developed for their own use prior to the issuance of the patent will be charged license fees, JSA ofﬁcials stated that they would need a license if they developed the system after 1998 when the patent was ﬁled. That JSA is seeking license fees should come as no surprise nor should it be met with scorn. The fabric of an entrepreneurial and capitalist society requires protection of intellectual property. The patent is a hard-earned acknowledgement and legal proclamation of intellectual property. And patents are also not cheap. According to the release, JSA has “spent considerable time and resources developing and commercializing its patented software.”

Implications beyond campus cards

Would gift cards architectures that operate within standalone or closed loop networks yet enable web-based value transfers from bank or card accounts be viewed as infringing? What about peer-to-peer payment networks like Paypal that rely on value transfers from bank accounts to fund their online payment service? Mr. Gear said it was not something he was prepared to comment on suggesting only that, “we would have to have discussions to determine the extent to which these things may apply.”

Dissecting the patent into layman’s terms We have done our best to translate the morass of ‘patent-speak’ into language that the average non-attorney can understand. The follow-

Actual language: The present invention is directed to methods of, and systems for, allowing an account participant to add value via a wide-area network to a first account from a second account. A first account server coupled to a wide-area network supports the first account. In a preferred embodiment the widearea-network-accessible value transfer station (VTS) includes a central processing unit for executing instructions, and a memory unit. The memory unit includes an operating system, software for receiving from a participant via the network a) second account identification information, and b) a value that the participant desires to transfer to the first account from the second account, second account verification software for receiving the second account identification number from said receiving software and for verifying that the second account authorizes the transfer of the specified value, and value transfer software for receiving a value from the receiving software, for receiving a verification from the verification software, and for transferring the specified value to the first account from the second account if the verification is received. The wide-areanetwork-accessible VTS further includes conductive interconnects connecting the central processing unit and the memory unit to allow portions of the wide-area-network-accessible value transfer station to communicate and to allow the central processing unit to execute the software in the memory unit. Translation: The patent is for a system that enables an account holder to transfer funds (or value) from one account to another account via the Internet (or wide area network). The first account operates on a specific network. A value transfer station (VTS) is a computer or similar device with connectivity to that network. The VTS runs software to accept (for the account holder) a second account number and a dollar (or value) amount to be transferred into the first account. The software also (1) verifies that the second account authorizes the transfer (e.g. that sufficient funds or credit are available), (2) receives the electronic transfer of the funds, and (3) adds that value into the second account. The VTS’ CPU and memory are connected such that the CPU can execute the software contained in the memory.

CR80News

Reading the text of the patent, it seems likely that the reach may extend well beyond campus cards. Other ﬁnancial systems that operate outside of the traditional banking network, but rely on it for revaluing or replenishment, may well be impacted.

ing translation is for the abstract of the JSA patent.

CR80News

Life after prox? Physical security workhorse begins giving way to contactless as price cuts and multi-technology readers eliminate hurdles Chris Corum Executive Editor, AVISIAN Publications You can do more – and you can do it more securely – with contactless than you can with proximity. Few would argue with this statement, yet each year proximity technology continues to outsell contactless in the North American security markets. But new products, attractive pricing, and better market education are turning this tide, making contactless the technology of choice for many professionals charged with securing their physical and logical enterprise. Contactless technologies use the 13.56 MHz frequency to communicate data between the card and reader while proximity technology uses the lower 125 KHz frequency. Contactless can enable read-write and processing capabilities that become increasingly important as additional applications are desired. Proximity cards are traditionally a read-only technology, where a simple identiﬁcation number is encoded to the card prior to issuance and that data remains static for life. It is this difference that opens up the possibility for a more robust utilization of the contactless card.

Summer 2006

According to Erik Larsen, Product Manager of Identity Solutions for Lenel Systems International, smart card technology enables a host of opportunities. “Post-issuance ID number changes and additions, electronic purse and cashless payment functions, biometric storage and authentication, network access and security, and more,” he explains are all made possible. The processing capabilities of contactless technologies enable the card to ‘participate’ in the security process, authenticating itself to the reader and protecting its owner’s data until it has veriﬁed that the reader is legitimate. “On-board processing also secures key components of biometric identiﬁcation, cashless transactions, and a wide range of other applications,” adds Mr. Larsen.

So why does prox still dominate in some markets? With all these inherent advantages of contactless, why do so many security ofﬁcers and card system managers still opt for proximity solutions? Until now, there have been a number of legitimate reasons for such a decision, though many suggest this is changing.

Price There has been the issue of price. “Originally it was cost of cards and readers,” says Mr. Larsen, “but those have been addressed.” In fact, in one well-publicized promotion, HID Corp. began offering its contactless cards and readers for the same end-user pricing as its prox offering. According to HID’s product manager for High Frequency Products, Jack Bubany,“the cost for contactless smart cards and readers is comparable with prox and we are working hard to get this word out to the North American market.” Infrastructure So if the technology is superior and the price is comparable, what else could be the holdup? As is often the case with new technologies, legacy infrastructure has been a major deterrent for many buyers. The cost and disruption involved with changing out card readers throughout a facility and re-badging the cardholder population has delayed or dismissed many potential migrations during recent years. Says Mr. Larsen, “customers that have a current system in place want to know what is the cost for reissuance and when will the ROI make sense.” With prior generation equipment, the answer to this question was often met with dismay. But multi-technology readers capable of communicating with both contactless and prox technology are changing the landscape. Many of the leading security companies are now offering a multitechnology reader. It can signiﬁcantly ease a transition from prox to contactless by eliminating the need for a mass re-badging effort. New employee cards, replacement cards, and those with need for added security or functionality can be issued the contactless card beginning day one, while other cards are phased in over time or simply allowed to churn via the normal cycle of employee and card turnover.

But these multi-technology readers are proving to have an important role beyond just a transition-enabler. “Your entire population may not need to go (contactless) smart cards,” explains Mr. Larsen, “or they may not need to go on a ﬁrst phase deployment. Look at a multi-technology reader for the common areas where both populations need access and then use the 13.56 only at the secure doors.” “Many large companies are content with their current card populations but have disparate technologies in multiple locations (i.e. HID prox in New York, GE/Casi prox in Los Angeles, and Mifare in London),” explains Mr. Menzel. “… Multi-technology readers function with all of these cards simultaneously saving signiﬁcant investment dollars required to transition to one card.”

Education With the obstacles of price and infrastructure seemingly all but eliminated, what else could delay the move to contactless technology? According to Mr. Larsen, the ﬁnal hurdle is market education. It seems that while the vendor community has made the transition relatively painless, the buzz has not yet caught up. Say Mr. Larsen, “the general population is thinking it is still too expensive.” Additionally there remains a distinct level of confusion as to the capabilities of contactless technology. But the end user is not the only community in need of education. “The security reseller and integrator segments need thorough education to ensure they can best help their customers,” adds Mr. Larsen. Any salesperson will tell you that it is generally easier to sell something you have sold before and know well. This existing comfort level with proximity technology is perhaps the last major hurdle to increased market presence for 13.56 MHz. “The key customer-facing component of this industry is the integrator layer,” says Mr. Menzel, “and they must buy-in to both the beneﬁts of contactless technology and see a reward for selling it over other solutions.” “At HID we conduct workshops in major cities,” says Mr. Bubany, “one for dealers and one for end users to help them understand what smart card technology offers them. The goal is to give them a level of comfort so that they can feel safe selling the newer technology to clients or implementing it in their organization.”

Next steps Many suppliers of security components are actively working with resellers and integrators to educate them of the new environment surrounding contactless. As these programs disseminate the information on improved technology, comparable pricing, and stronger security, it seems likely that North America will trend toward contactless technologies … joining the rest of the world’s security markets.

In the next installment of our physical security corner, we will continue this examination of contactless and proximity technologies. Part two of this article focuses on issuance, contrasting the challenges and opportunities that the divergent technologies present to the issuing organization.

Summer 2006

CR80News

“Even if a company has not made a conscious decision toward a particular contactless smart technology it’s only a matter of time before someone from the IT department asks the security group about their smart card plan,” says Jon Menzel, President and CEO of reader manufacturer XceedID. “If a company has been purchasing Multi-tech readers over time (and used them as simple prox readers) then they will have already invested a substantial amount toward the smart card upgrade without allocating special funds to do so. This greatly reduces the follow on investment to move all cards and readers to contactless technology.”

In the past, HID helped clients address the migration from prox to contactless with cards that combined the two technologies, but a new reader provides another alternative. Says Mr. Bubany, “some may see the card as the best migration point and some may see the reader. It depends on the client’s speciﬁc environment and needs.”

RFIDNews Viagra and Oxycontin tagged, but future still uncertain for RFID in pharma David C. Wyld Contributing Editor, AVISIAN Publications

Robert Malone, Editor of Inbound Logistics magazine, recently commented that, “it doesn’t take a rocket scientist to discover that pharmaceuticals are a prime candidate for the use of RFID in our new era of high security.” In recent months, there have been significant developments in the pharmaceutical marketspace, as both Pfizer and Purdue Pharma have announced significant RFID-labeling programs for two of their most sought after – both legally and illegally – drug products. Pfizer has announced that by the end of the first quarter of 2006, all shipments of Viagra, the lifestyle drug for erectile dysfunction, will carry RFID tags. Likewise, the privately-held Purdue Pharma has green-lighted a significant pilot program to apply smart labels to all shipments of OxyContin, a narcotic pain-killer. For both companies, the decision to move to RFID is based on the popularity of these specific products, both in the mainstream and grey markets. Both are among the leading counterfeited and diverted prescription drugs today. According to Peggy Staver, Pfizer’s Director of Trade Product Integrity, the decision to implement RFID was not difficult for her firm, commenting: “It was an easy decision for us, as it’s safe to say that Viagra has been our most counterfeited item.” Likewise, Purdue Pharma is concentrating its RFID-tagging efforts on shipments of OxyContin. According to Aaron Graham, Purdue Pharma’s VP of Corporate Security, RFID gives his firm new visibility and control over the sensitive supply chain for OxyContin, which he describes as a “a highflyer outside of legitimate commerce.” The case for item-level tagging in pharmaceuticals is unique to the controlled substance supply chain, with the unmatched need to assure drug integrity, to prevent diversion and theft, and to fight counterfeiting, recently estimated to cost U.S.-based pharmaceutical companies between $28 and $30 billion annually. Overall, the World Health Orga-

Summer 2006

nization (WHO) estimates that as much as 10% of the half-trillion-dollar pharmaceutical market is counterfeit. The drug industry’s trade group, the Pharmaceutical Research and Manufacturers of America (PhRMA), fully supports the move to increased utilization of RFID. From the perspective of Alan Goldhammer, PhRMA’s Associate Vice President for Regulatory Affairs: “Our bottom line is patient safety, and efforts that make it safer for American patients is something we support.” Thus, “the cost-benefit analysis in tagging shipments of Viagra is a lot more beneficial than tagging cans of Campbell’s Soup,” according to Kevin Starke, an analyst covering the RFID market for Weeden & Company. Still, for the pharmaceutical industry, the actual dollar ROI on RFID tagging may still be years away. Thus, governments have stepped into the fray, with a federal level recommendation – but not a mandate - from the U.S. Food and Drug Administration (FDA) that item-level RFID tagging be in place by next year. However, states are beginning to enact their own regulations over the pharmaceutical supply chain, with Florida’s drug pedigree law scheduled to go into effect July 1, 2006 and California’s regulations slated to commence in January 2007. Such laws call for an “e-pedigree,” providing the ability to track a controlled substance from the manufacturer to the wholesaler’s distribution center, and ultimately, to the pharmacy. Controversy remains ... Pharmaceuticals are indeed likely to be one of the first consumer-level applications of RFID tagging of products, and with all this activity, one would expect only rosy forecasts for RFID in the pharmaceutical sector. Yet, two just-issued reports have taken starkly contrary positions on just how fast RFID-based labeling and control will spread in the pharma marketspace.

In late January, IDTechEx issued a report, RFID Forecasts, Players & Opportunities: 2006-2016, which was extremely bullish on the pharmaceutical RFID market. As shown in Table 1, IDTechEx predicts that the tag market will grow by more 700% in the next year alone and grow almost exponentially over the next five years as more companies choose to – or are mandated to – tag pharmaceuticals at the item level in more areas of the global market. From the perspective of the report’s author and IDTechEx’s Chairman, Dr. Peter Harrop, the rapid growth of RFID in the pharmaceutical sector can be explained by the “unusually broad range of benefits” item level tagging offers in this sector. He commented that: “Frankly, no other form of RFID can claim such a full range of benefits, including saving lives, preventing sickness, reducing theft, fraud, counterfeiting and costs, providing more responsive customer service and recalls of higher integrity.” Harrop predicts that,“drug tagging has so many compelling drivers for all in the value chain as well as regulatory authorities, it may rise to be around 60% of all item level tagging in 2010.” On the bearish side, Oyster Bay, New York-based ABI Research warns of a slowdown in the move to RFID in this critical sector. According to ABI’s February 2006 report, entitled “The RFID Healthcare and Pharmaceutical Markets,” despite the success of Pfizer and Purdue’s highly publicized pilots, it predicts the pharmaceutical industry will only tag about ten pharmaceutical products total by the end of this year.

RFIDNews

Sara Shah, ABI Research’s industry analyst for RFID, goes so far as to observe that the earlier forecasts for the speedy implementation of RFID in the pharmaceutical sector may have been a case of “irrational exuberance.” Shah predicts that both pharmaceutical companies and the all-important major drug wholesalers, including AmeriSource, Cardinal Health, McKesson or HD Smith, will concentrate on more internally-focused “four-wall” pilots and implementations rather than tagging for control throughout their supply chains. Shah also does not see government e-pedigree mandates as ultimately driving demand in the pharma sector. Rather, she predicts that companies will be able to comply with the state-level regulations through bar code technology, and that with some uncertainty if the laws will take effect on schedule,“there is a potential that the market will slow more if state pedigree laws are pushed back.” ABI is not alone in predicting that the bar code will continue to survive as the principal identiﬁer of pharmaceuticals. Mark Neuenschwander, President of the Neuenschwander Company, a Bellevue, Washington-based consultancy specializing in medication-use automation, recently commented that: “I believe that the bar code, like the movie theater, the legal tablet, and the telephone, will maintain its value for years to come. RFID is now too expensive and the technology too complex to replace bar codes very soon.” In the end, we will likely see widespread deployment of RFID at the item-level over time – the question is how speedy will this transition be. Millions in investments are being wagered both on the timeline and the depth of market penetration in this all-important sector.

Summer 2006

RFID curbs drug counterfeiting, but obstacles still exist Marisa Torrieri Contributing Editor, AVISIAN Publications Whether it’s the rising cost of prescription drugs or more sophisticated technology and funding for counterfeiters, incidents of drug counterfeiting have skyrocketed in the United States. Drug counterfeiting now costs the Food and Drug Administrations more than $30 billion annually, a number so great that the agency is embracing new technology that will help it give teeth to a law that requires the pharmaceutical industry to closely track a drug’s “pedigree.” That’s the term applied to a drug’s record documenting that it was manufactured and distributed under secure conditions. Prior to RFID coming on the scene, pedigrees were kept as a paper trail – creating obvious problems with volume, accuracy and notation standardization. Today the FDA is looking to RFID as an alternative, creating an electronic or ‘e-pedigree.’ In response, the RFID industry is cooking powerful antidotes to thwart pharmaceutical crooks and grab a piece of this massive market opportunity. A mandate for a drug pedigree has existed for nearly two decades since the Prescription Drug Marketing Act (PDMA) of 1987 called for all companies involved in the production and distribution of pharmaceuticals to keep rigorous pedigrees. But it was essentially unenforceable, says Joseph Pearson, pharmaceutical business development manager for Texas Instruments RFid Systems. “There was no way to enforce the law because of the millions of products that go through the supply chain – from manufacturers to distributors to wholesalers to your local pharmacy,” Mr. Pearson says. “There was no way to do it until RFID came around.”

But just last year, FDA issued a report calling for all parties in a pharmaceutical supply chain to track and trace a product’s pedigree, and gave a big nod to RFID as the best way to accomplish that goal. The FDA also said that it expects to start enforcing the PDMA by the end of this year, stating in the report that the “adoption of electronic track and trace technology would help stakeholders meet and surpass the goals of the Prescription Drug Marketing Act (PDMA). Until now, the FDA delayed its effective date for enforcing a number of the PDMA’s provisions … to allow stakeholders to move toward an electronic pedigree.” In its report, originally issued in February 2004 but updated annually, the FDA praised RFID stating that “(it) is the most promising technology to meet this need … Implementation of RFID will allow supply chain stakeholders to track the chain of custody (or pedigree) of every package of medication. By tying each discrete product unit to a unique electronic serial number, a product can be tracked electronically through every step of the supply chain.” Per the FDA’s recommendations, a number of states have followed by taking matters into their own hands. The best-known state law, “Florida’s Drug and Cosmetic Act,” requires components of the pharmaceutical supply chain to keep better records of a drug’s pedigree. The Florida law goes into effect July 1, 2006.

an RFID solution that included integrated PKI security. In short, the Authenticated RFID system validates transactions at multiple points, from the pharmaceutical manufacturing facility (where PKI-infused tags are signed) to multiple wholesale and distribution points (where a PKI tag is authorized). The product is authorized yet again its end point – the pharmacy. It’s a seemingly smooth operation. But even Texas Instruments still faces a number of challenges to deployment. Adding high-end security to existing RFID systems will increase the platform’s cost; there’s also the issue of who pays for this stuff, and how all involved parties will work together so that the network ﬂows smoothly, Mr. Pearson says. “We at TI recognize that the industry has a need for RFID technology today,” he says, noting that his team has develop Tag-it HF-I Standard and Professional products to suit the industry’s needs. Tied in with cost are privacy concerns. Some worry rogues with readers might stand outside of pharmacies to get private information from a tagged container as it is carried away by the customer. Although the likelihood of that happening seems low, Texas Instruments has acknowledged the pharmaceutical industry’s fears by adding a new feature to its product line.

Inside the pharmaceutical supply chain

What makes the transport of drugs a unique challenge is the security necessary to maintain privacy and prevent counterfeiting: because pharmaceuticals are highly coveted targets, it is necessary that an RFID system be able to meet federal pedigree requirements, as well as keep tabs on a product’s whereabouts at all points – from the factory to the warehouse to the pharmacy or health facility. A June 2005 White Paper from Texas Instruments, “Securing the Pharmaceutical Supply Chain – The Authenticated RFID Platform,” described

The new Tag-it HF-I platform, offers password protected write functionality that allows decommissioning of certain information on the tag before it goes to the consumer. Should the need arise, sections of the tag containing product information can be decommissioned prior to the purchase or the RFID tag functionality can be completely disabled using a special command, Mr. Pearson says. “The drug companies see a lot of advantages in RFID products,” Mr. Pearson says. “They can get more information, get better planning, and obviously they want to see a secure product in their distribution channels. There are advantages, from a pharmaceutical manufacturing perspective, but there has to be a network of connectivity for this to happen.”

RFIDNews

As with any supply chain operation reliant upon RFID as its backbone, pharmaceuticals have the opportunity to beneﬁt from a system that enables monitoring throughout the entire supply chain.

Range, write verification and better speed top criteria for Gen 2 shoppers Marisa Torrieri Contributing Editor, AVISIAN Publications The Chinese say it’s The Year of The Dog, but in the market for the best Gen 2 RFID products, it’s also the year for a doggone number of new choices. Numerous vendors are hyping their latest RFID chips, readers, tags, printers and software, leaving buyers with an apparent wealth of options. But with every vendor peddling its Gen 2-compliant products as superior, buyers are left in a sea of confusion. In response to this, Intermec, one of the leading companies spearheading the development and acceptance of the EPCglobal Gen 2 RFID specification, published the white paper, “Will your EPC Gen 2 System Be up to Standard?” The eight-page white paper from Intermec, which makes its own suite of Intermec Gen 2 RFID systems, gives potential buyers a brief outline of the essential qualities one should look for when evaluating Gen 2 RFID products. On Dec. 14, 2004, the EPCglobal Generation 2 RFID standard, with input from more than 60 companies, was ratified and approved by the EPC Global Committee, the not-for-profit standards organization representing the supply chain industry. Compared with previous generations, the latest specification is a huge improvement, with better read range and performance in crowded environments. Data storage is also better -- the first generation had either 64 or 96 bits of information; Gen 2 RFID starts at 96 bits. And perhaps most importantly to buyers, Gen 2 specifies one standard only while the previous generation had two standards – Class 0 and Class 1.

RFIDNews

Unlike barcodes, Gen 2 RFID doesn’t just capture data to improve operations. It allows companies to capture information dynamically as assets move through a supply chain without the line-of-sight requirements of bar code scanning. And Gen 2 RFID includes technology that allows tags to be read from and written to along the way, ensuring accurate, up-to-the-minute information. The RFID buyer’s challenge, then, is to compare different readers, tags, and ancillary products. In its white paper, Intermec provides a detailed list of characteristics that differentiate the latest breed of RFID from previous versions. Gen 2 readers and tags are full of performance enhancements such as higher security and increased read speed, says Chris Kelley, director of RFID for Intermec and a contributor to the report. “End users are saying, ‘we need a single standard protocol, with global compliance, without the site license,” Mr. Kelley told RFIDNews. “The user wanted multiple manufacturers, not proprietary schemes.” 60

Summer 2006

A buyer’s considerations, says Intermec, should include: 1. Speed: According to Intermec, there is no firm or minimum speed specification within the Gen 2 standard, because reading speed depends on many variables, including power output, tag density and the RF environment. Gen 2 products have features that allow for speedier communications between readers and tags, such as “group select,” a feature improves high-speed reading and data sorting. 2. Range: A single company’s user requirements are the prime determinant for the range required from Gen 2 EPC systems, says Intermec. To illustrate: A company at one point in the supply chain may only need to capture pallet tag information from a few feet away with handheld readers before shipping the pallets to a customer. But at the next stop, tagged cases might be stacked high on warehouse shelves where much longer read range is required. According to Intermec, there is no mandated range requirement in the Gen 2 standard because of the many variables that effect range, such as interference, reader power output and reader density. 3. Security:“Gen 2 provides [security safeguards], whereas some Generation 1 products didn’t provide security that users demand,” Mr. Kelley says. These safeguards include the ability to kill a tag and the ability to encrypt or lock data onto a tag (writing data to a tag and then creating a password to prevent data from changing downstream by nonauthenticated users). Another security feature, often called cloaking, refers to the architecture by which a reader only transmits encrypted data to a tag, keeping the data secure even if the signal is intercepted. Perhaps the biggest consideration is a company’s specific information needs. “Usage environments are anything but standardized or homogeneous,” writes Intermec. “Gen 2 or any RFID technology won’t provide exactly the same performance at any two facilities. That is why it is important to understand the difference between what Gen 2 specifies and the range of performance that compliant Gen 2 products could provide in real-world use. Gen 2 is a standard, and standards specify minimum performance requirements.”

Worldwide applicability makes Gen 2 shine Dirk Morgenroth, marketing manager of RFID for Philips Semiconductors, says he agrees with most of the important buyer criteria outlined in Intermec’s white papers. “In principal, we fully agree with the information,” Mr. Morgenroth says. “Intermec was one of the key companies participating in Gen 2 standardization. What’s important, for Philips, is that the technology, from a standards and regulatory point of view, is accepted on a worldwide basis. Gen 2 does this - with Gen 1, the technology could not operate in Europe or Asia.”

Philips makes Gen 2-compliant RFID chips that go into labels, tags and (potentially later) into readers. It benefits from the new specification because it can now forge partnerships with other technology providers using interoperable technology. Gen 2 also allows, among other things, the company to offer standardized chips for different applications, Mr. Morgenroth says. The most important thing to keep in mind, no matter whose RFID product, is that it actually has been certified as Gen 2-compliant by EPC Global to ensure interoperability. “The really important part is that the product, the hardware the label is really in compliance with the standard,” Mr. Morgenroth says. “Every

producer needs to go through EPC Global Certiﬁcation process. That would be very much the fundamental part.” Finally, buyers should keep in mind that it is difﬁcult to ascribe a single cost to upgrading to a Gen 2-compliant system or suite of products. Price varies, and is mainly dependent upon need, and, as Mr. Morgenroth says, “what do you want to do, and how do you want to move forward?” Philips, for example, has extra memory on some of its chip that can store extra data. For companies that rent pallets to manufacturers, it’s an important feature because they need extra content that combines different EPC numbers onto a single chip.

A Cheat Sheet for Gen 2 RFID Below is a selection of the important characteristics that should be part of your RFID Gen 2 buyer’s checklist. Much of the data is based on a information in Intermec’s white paper, “Will your EPC Gen 2 System Be up to Standard?” What’s different

Why This Matters

Potential Buyer Questions

Range

There is no range requirement in the Gen 2 standard because of the many variables that effect range (e.g. interference, reader power output, the amount of time the reader can continuously transmit). There’s no one magic range as different users have different needs.

Does the reader allow for maximum read range, per FCC standards? (i.e., does it use frequency hopping spread spectrum (FHSS) communication, which enables maximum read range?)

Dense Reader mode

Dense reader mode refers to the capability for multiple readers (10 or more) to co-exist on the same spectrum. RFID products with dense reader mode allow for a lot of readers to be “on” at the same time.

Persistence

The sleep mode can pose a problem when tags on the edges or outside of the reading ﬁeld don’t receive full power from the reader, and therefore may not remember if they have been identiﬁed. Enter “Persistence” – a new Gen 2 feature that lets tags remember their status if they lose access to reader power. Persistence greatly improves read performance.

Is persistence supported?

Group Select

When it comes to speed, group select is an important feature for providing highspeed reading and sorting. Group select provides the capability for RFID interrogators to be set to seek and read select groups of tags (based on data structure) and to ignore others in the read ﬁeld. For example, interrogators can be set to ignore case tags and only record pallet tags.

Is Group Select supported?

Continuous Operating Mode

Continuous operating mode refers to the fundamental, constant communications between reader and tag. By using spread spectrum communications and spreading signals across the 900 Mhz band, such communication is made possible.

Is continuous operating mode available?

Write-to-tag Ability

The ability for a user to write data to a tag, and verify that the data has been written is a key feature of Gen 2 RFID, says Chris Kelley, director of RFID for Intermec. An RFID system is only as good as its ability to verify that the tags in that system have been read. The best systems have superior timing and synchronization methods to provide fast, reliable veriﬁcation of data written to tags.

Can the interrogator write to tags? Is write veriﬁcation performed? Can data be “write protected?”

Does this reader provide dense reader mode performance? What is the cost to upgrade?

RFIDNews

Summer 2006

Getting past Retailers and vendors taking systems integrators seriously to move beyond mass-market RFID mandates Marisa Torrieri Contributing Editor, AVISIAN Publications

To date, the RFID requirements issued by a handful of mass-market retailers’ have been met primarily via ‘slap and ship,’ smacking a tag on a box and calling it ‘RFID Compliant.’ But thanks to the release of the EPC/Global Gen 2 RFID standard and increasing availability of interoperable RFID components, that’s starting to change. Retail suppliers of all sizes appear to ﬁnally be moving beyond ‘slap and ship.’ Instead of investing in the minimum amount of technology possible to comply with the RFID demands from Wal-Mart and others, companies are taking the next step determining how to use RFID in a more integrated fashion to create a true return on investment (ROI) – both in supply chain and closed-loop operations.

RFIDNews

For the companies looking to upgrade their existing system beyond readers, tags and printers, a number of RFID systems integrators such as Bearing Point and Xterprise are combining individual RFID parts, like readers and printers, with software, hardware, consulting and management. Likewise, the majority of RFID component vendors who make chips, inlays, readers, antennas and software have strategies in place that require support from technology partners, reseller relationships and distribution channels. Compared with the ‘slap and ship’ approach, the full-systems-integration approach “takes a village” to accomplish, says Bill Allen, director of strategic alliances for Texas Instruments RFID Systems. The Dallasbased company’s RFID branch makes chips, transponders and other technology for several mediums (such as credit cards, supply chain technologies and anti-theft devices for cars). “It’s a fairly complex system to extract beneﬁts,” says Mr. Allen. “It’s not something that you just plug and play. If you enter into the implementation process with an attitude that it’s going to be easy you’re going to get yourself into real trouble.”

Summer 2006

SLAP AND SHIP

Entire systems integration is a bit more cumbersome of a process, involving the integration of readers, tags and printers with backend hardware and software. While just about everyone is looking at long-term ROI rather than simply meeting a mandate the big players such as Kimberly Clarke and Proctor and Gamble have recognized it quicker and are able to make the systems integration investments earlier than most smaller companies, Mr. Allen says. The bigger companies, too, are more likely to be able to afford the high cost of full-scale, systems integration than their smaller counterparts.

Integrators see opportunities grow as market moves beyond ‘slap and ship’

Utilizing the collected data will determine the true value of RFID Next on the horizon: a “retail analytics” RFID system that Xterprise will begin testing in April with one of its clients. Products will be tagged and shipped through an automated process. Additionally, a sophisticated software system will allow a company to track product transactions between various distribution centers and showroom ﬂoors. The new system will include a user-friendly graphical interface that presents the data in a readable manner, telling the company, for example, how many promotional SKUs were sent out on a particular date, how long they sat in the distribution center, and how long they sat in the back of the store before making it to the sales ﬂoor.

Carrollton, Texas-based Xterprise, a four-yearold RFID systems integrator that works with companies of all sizes to get RFID up and running, has enjoyed a “250 percent” increase in business over the last two years, according to Steven Hall, Xterprise’s Senior Vice President of Global Sales. While most clients are simply interested in the ‘slap and ship’ approach, the increasing number of RFID-enabled distribution centers and retail outlets has spiked interest in more sophisticated solutions.

“You can see all the statistics to see how long it takes your product to reach the sales ﬂoor,” Mr. Hall says. “It’s like sending out a group of people to audit the back ofﬁces of Wal-Mart to make sure my products are on display. It’s also going to tell me how well these products are moving in my stores.”

Of the 30 clients for whom Xterprise has installed ‘turnkey RFID solutions,’ seven have gone from basic ‘slap and ship’ to automated systems that can handle the increasing number of products that need to be tagged and sent to distribution centers. More and more, potential clients are asking about RFID systems that involve integrating the technology with a company’s own ERP and WMS systems.

“The transitory near term to long term challenge within the context of budget constraints is imposing and often underestimated,” says Erik Michielsen, director, RFID and M2M at Oyster Bay, N.Y.-based ABI Research. “Setting goals and mapping RFID deployments and resources to meet these goals is an important fundamental step that is often voiced but, unfortunately, not always well-executed.”

For most manufacturers that supply retail outlets such as Wal-Mart, Mr. Hall says,“the volumes that they have to ship right now is small because the number of stores equipped to read RFID are small.”

The biggest challenge, says Mr. Michielsen, is, “how do you balance near-term and long term with the money and resources you have available?” And the next big question, he suggests, “plays into how an RFID solution impacts IT planning and resource allotment.”

“So the question is,” suggests Mr. Hall, “can my simple slap and ship solution scale to meet those volumes?”

It seems we still have a long way to go before slap and ship is truly replaced by fully integrated, enterprise wide RFID solutions. But this positive trend toward ROI-focused programs rather than simple mandate compliance, will help both the RFID industry and the supply chain to better deﬁne the true potential of the technology.

Summer 2006

RFIDNews

But because Wal-Mart is reportedly doubling the size of its RFID-based distribution centers, companies may need to double, triple or quadruple the number of cases they ship to the mass-market retailer.

Still, for companies wanting to beef up their RFID, concerns are more likely to go beyond simple product comparison.

The Moment of Truth for Airlines on RFID As lost baggage numbers skyrocket, need for RFID grows ... but who will pay? David C. Wyld Contributing Editor, AVISIAN Publications Jan Carlzon, the former President of Scandinavian Airlines (SAS), wrote a best-selling business book in 1986, titled Moments of Truth. Carlzon deﬁned the “moment of truth” in any service business as, “anytime a customer comes into contact with any aspect of a business, however remote, (it) is an opportunity to form an impression.” Carlzon emphasized the importance of managing all the small details of the entire airline experience for passengers, in order to generate superior customer satisfaction and loyalty. From this simple “moment of truth” concept, Jan Carlzon took SAS -- an airline that was failing at the time -- and quickly turned it around to become one of the world’s premier airlines.

RFIDNews

When we are standing at the baggage carousel at a remote airport late at night and our bag does not come out of the chute, we are having our very own personal “moment of truth” with the airline that brought us there, but not our luggage. Apparently, more and more of us are having such “moments of truth” with the airlines. According to a recently released report from the U.S. Department of Transportation, U.S. airlines are doing a disastrous job of handling their passengers’ luggage. In fact, the baggage problem is so bad that aggregate statistics for 2005 reveal that U.S. airlines lost, misdirected, or misplaced an average of 10,000 bags each day. In all, the airlines racked up more than 3.5 million problem bags for the year, up significantly from prior years. Certainly, the ability to deliver a passenger’s checked bag is central to any airline’s value proposition and its basic service promise. Yet, U.S. airlines, strained by financial difficulties, have reached a crisis point in their ability to securely and successfully route you and your bag to your destination at the same time. While more than 98% of “lost” luggage is ultimately found and reunited with its owner, such recovery efforts are costly both in terms of the airlines’ expenses and the loss of goodwill and brand loyalty from the passenger.

Thus, there has been great interest in replacing the current barcode-based luggage tracking and sorting systems with RFID technology. Pilot tests have been conducted at several major airports, showing that RFID can successfully sort and route checked baggage with a 99+% accuracy rate. This represents a quantum leap in accuracy, as industry statistics show that the present barcode systems correctly identify and route between 85 and 90% of all checked baggage. When a bag is not read properly, airline personnel must intervene to correctly route the item in question to its proper ﬁnal destination. This is a labor intensive process that must be conducted in a limited time, often in the bowels of the airport, on a frigid airport tarmac, or in the belly of a jumbo jet. We are standing today at the threshold of a real take-off in the application of RFID technology to the very real problem of airline baggage handling. This will only be facilitated by the fact that an industry standard for RFIDbased luggage tracking has recently been established. In late November 2005, the member airlines of the International Air Transport Association unanimously adopted IATA standard RP1740c, which speciﬁes the use of UHF tags to track checked baggage.

But where will the money come from in a cash-strapped industry? The principal hurdle in making the leap to RFID technology in baggage tracking is the question of exactly who should make the investment. While airlines stand to gain greatly in the technological shift from the moment of truth perspective, the ﬁnancial conditions of the vast preponderance of the airlines are dire. For 2005, U.S. airlines collectively lost over $8 billion. As was recently stated in Supply Chain Review, “the promise of electronic tracking for luggage is still very much a thing of the future as cash strapped airlines are reluctant to invest in the costly technology.” Thus, while Delta was an early leader in investigating RFID,

having implemented a successful pilot of the technology in Jacksonville, Florida in 2004, it is very uncertain that the carrier will be able to fulﬁll its goal of converting to RFID-based baggage handling system-wide by 2007. In fact, to date, it has been major airports that have taken the lead in actually moving to RFID. Symbol Technologies has already implemented RFID-based baggage tracking and sorting systems at a major airport in both Las Vegas and Hong Kong. While each airport handles approximately 70,000-75,000 checked pieces of luggage daily, they are very different operationally. This is due to the fact that 80-90% of all passengers passing through Las Vegas’ McCarran International Airport originate at or are destined for the gambling mecca, while the predominance (60%) of the passenger load at Hong Kong International Airport are connecting travelers. Another company, FKI Logistex, has won contracts to install such systems at major Asian airports, including: • • • • • • • • •

Bangkok Beijing Guangzhou Ho Chi Minh City Manila Seoul Shanghai Singapore Sydney.

Security beneﬁts of an RFID-based solution Of course, there is also a security beneﬁt to RFID-based baggage tracking, given the increased visibility of such systems. With RFID, it is possible to more closely monitor individual pieces of checked luggage and match the bag to the passenger more quickly. But who should pay for this added anti-terrorism measure -the government, the traveler, the airline, or the airport? Likewise, RFID luggage tags will allow for misdirected bags to be found more quickly and for less luggage to be ultimately declared

“lost.” While the passenger ultimately benefits, should RFID tags come at a price to them (perhaps as an option), or should tagging simply be a “cost of doing business” for the airlines? In the view of Dr. Christian Petschke, Managing Director for BearingPoint’s European Aviation Practice, the shift from barcode-based tracking to RFID for luggage is a matter of when, not if. Speaking for BearingPoint, Dr. Petschke observed that: “We are convinced that RFID will become a standard for baggage handling in the industry, although RFID may not be suitable for every airline and airport in the near term.” In his firm’s RFID Baggage Handling Feasibility Study, issued late last year, BearingPoint identified several key parameters that will determine the suitability of RFID-based baggage tagging for a given airport and/or airline. These include: • • • • •

the nature of the operations (hub and spoke versus direct ﬂights) the present number of mishandled bags per 1,000 passengers; the average direct cost incurred for each bag lost or delayed; the cost of RFID tags and readers; and the current read rate for the present barcode-based systems.

The business case for RFID-based baggage tagging is indeed a complex one, precisely because it is not just the airlines who will benefit from the crossover to the new technology. While the ROI calculation may be very attractive for the airlines, they are constrained from making such investments in RFID on a wholesale basis, due to the simple fact that their financial difficulties make even attractive process improvement technology unapproachable for many. However, while the technology will certainly have financial, operational, business intelligence, and customer service pay-offs, air carriers may not be able to take the lead in this transition. Bob McKinley, Vice President Business Development Transportation Markets, Alien Technology, summed it up well: “RFID is an exciting and promising technology that will likely change the landscape of material handling across a broad range of industries, including aviation, just as barcode changed everything 15 years ago. It has the potential of significantly increasing visibility through transportation systems driving greater efficiency, customer service, reduced costs for irregularities, and a much higher level of security. But this can only happen if everyone impacted by the technology works together to leverage its potential.”

About the author: David C. Wyld (dwyld@selu.edu) is the Maurin Professor of Management and Director of the Strategic e-Commerce/e-Government Initiative at Southeastern Louisiana University in Hammond, Louisiana.

The wide world of sports evolves via RFID Golf balls, race cars, runners, pigeons all tagged in the name of the game David C. Wyld Contributing Editor, AVISIAN Publications The wide world of sports is no doubt one of the sexiest applications for RFID on the horizon, and innovative companies across the globe are rushing into sports applications for the technology. We are seeing that the games and races themselves can be enhanced through the use of RFID technology and we are seeing that RFID can be used to create new metrics – as well as new gambling opportunities – in the sports world.

RFID on the field Exciting, in-event applications of RFID technology are changing the way we play and watch sports. The most noteworthy team sport example to date comes from the world of soccer. The Erlangen, Germany-based Fraunhofer Institute for Integrated Circuits has developed an RFID-based system to give complete visibility to the soccer field. Both the ball and a shin-guard on each of the players are outfitted with RFID-chips. Readers positioned to scan the entire field track the location of both the players and the “Smartball” up to two thousand times each second. The Fraunhofer system can enable referees to consult the data to aid in disputed goals and troublesome offsides penalties. It also allows soccer clubs and their fans to access performance metrics on their teams and individual players. The system, which is being tested by Adidas and by soccer’s world governing body, FIFA, is likely to be approved for tournament use this year.

RFID on the links

RFIDNews

Probably the most intriguing individual sport prospect is on the golf course, as anyone who has picked-up a golf club has been there. You hit your drive off the tee, and it goes, and goes, and goes – where? Most golfers have spent countless hours combing the banks of creeks, looking in crevices, and pouring through thickets in often fruitless searches for their wayward shots. But what if there was a high-tech way for the ball to tell you where it was and guide you to it? Radar Golf, based in Roseville, California, is seeking to RFID-enable the game with its Radar Golf System. Such a prospect led Stephanie Stahl, the editor of InformationWeek, to say that ﬁnding lost golf balls may be the “killer app” for RFID in the consumer world.

Radar Golf’s ball, manufactured by a Chinese contractor, has an RFID tag embedded inside its core. The ball has been certiﬁed as conforming to the rigorous standards of the United States Golf Association (USGA), enabling it to be used in tournament play. The company’s patented Ball Positioning System (BPS) is built into a handheld unit, which is essentially an RFID reader that transmits a speciﬁc radio frequency signal to search for the lost ball. It provides a visual LCD signal strength display and pulsed audio tone feedback to the golfer during their search, with the beep increasing as the golfer nears the location of the wayward ball. The BPS presently has a detection range of up to 100 feet. The company began marketing the system in mid-2005. The Radar Golf System retails for $249, which includes a dozen golf balls (additional dozen balls sets retail for $39). It plans to license the technology to other golf ball manufacturers to equip their branded balls with RFID tags.

within a minute fraction of a second of each other. The system allows for real-time race tracking via the Internet for all IRL races, including the Indianapolis 500, where antennas are installed in the track surface in the Indianapolis Motor Speedway. While NASCAR has not announced a similar in-race system, the fastgrowing racing circuit is employing RFID for tracking tires used by all racing teams in its three racing circuits. The system will enable for centralized control over the Goodyear tires used in NASCAR events, in order to allow for an even playing ﬁeld between the race teams and better control over tire stock. RFID also presents a very practical advantage over the former barcode based labeling of tires for NASCAR events. Goodyear had in the past attempted to track tire inventory for race teams by applying bar code labels to the sidewalls. However, they quickly found that the bar code labels could be intentionally rubbed off or smudged when in use.

RFID goes to the races RFID can add value and visibility to racing events of all types. One of the longest standing applications of RFID has been in the area of marathon racing. The ChampionChip Company pioneered the use of RFIDchips attached to runners in the Berlin Marathon in 1994. Since then, the ﬁrm’s namesake tracking device has been worn by millions of road racers, cyclists, in-line skaters, cross-country skiers, and triathletes in events worldwide. The tracking device, which uses passive RFID technology with antennas built into specially-designed mats over which the athletes must pass, allows for the racers’ real, net times to be recorded as they pass the start and ﬁnish as well as other intervals along the course.

RFID for the birds? Finally, in a slower speed form of racing, RFID has been introduced in the ancient sport of pigeon racing. In the past, to determine timing and ranking in pigeon races, handlers had to catch pigeons one-by-one and read an identiﬁcation number from metal rings attached to their legs. Today, the standard practice is to attach RFID-enabled plastic bands to the birds’ legs, and with the positioning of antennas at points along the course from the release point to the home loft.

The wide world of sports, forever changed ... It also brings the “value-add” of real-time tracking via the Internet for friends, fans, press, and family members. It has been used in the New York City Marathon, where 5,000 runners per minute crossed the 36 meters-wide starting line at the Verrazano Narrows Bridge. And in the June 2000 Broloppet half-marathon, in which runners raced across the new bridge connecting between Denmark and Sweden, a record 79,837 competitors were tracked using the ChampionChip. Commenting on the state of marathon technology, Judith Donohue, manager of the HP’s New England Initiative, whose ﬁrm has worked with the Boston Marathon for over a decade, observed: “We’ve come a long way from when we used to draw a line in the street with chalk.”

RFIDNews

RFID at the speedway RFID has moved into a wide variety of motor racing outlets. Texas Instruments has developed the Race Timer system for motorcycle racing, in which an RFID transponder is placed either on the motorcycle’s front fender or in the rider’s chest protector. The system is a quantum improvement over the former use of single-ﬁle gates and either manual recording or scanning barcodes attached to riders’ helmets. With the TI system, the size of motorcycle events can grow signiﬁcantly, supporting up to 1,000 riders in a single event. RFID has also been adopted by the IRL (Indy Racing League), with active transponders being positioned in the same point in the nose of the Indy Car and with antennas positioned around the track. With speeds of over 200 mph, the system can distinguish between two or more racecars passing the same point

In the end, we will see the automation of routine scoring and statistics compiled in major sporting events, such as line crossings in a wide variety of sports and distance calculations in golf. W will also see RFID-based systems replace some of the fundamental rule elements of sports, to the betterment of the game. After all, it is hard to believe that in 2006, the way we measure ﬁrst downs in football is still with a chain.