By Anya Curtis
Bell ID sees the expansion of card applications across all industries -- banking cards are also travel passes (Barclaycard & Oyster), student cards can also be a library card and have an e-purse application for those all important beers in the student union. Equally a citizen ID card has the potential to be an e-passport and hold a drivers license. Most recently mobile phone handsets are replacing the actual plastic cards to give users further flexibility and convenience. While each industry brings its own special requirements to issuing smart cards, there are a number of key challenges that any large-scale ID project faces, and the resolution of these challenges is often crucial to the long-term success of a scheme.
The drivers for migrating to a smart card-based ID scheme are common to any large-scale project, whether it is a corporate ID card, government ID program (including e-passports, etc.) or e-health cards (both patient and healthcare professional cards).
The primary concern is always the need for a high level of security, but this is swiftly followed by the ability to authenticate a users’ identity. For example, by using biometric data or PINs for verification. In addition, the need for transparency and accountability, with accurate audit trails is very important -- in an e-health card scheme, for example, a patient’s medical records must be maintained accurately.
Another key driver in using smart cards is the need for standardization across numerous government departments or health authorities, who may all be doing almost the same processes but not quite, which can have repercussions if people need to move from one system to another.
The use of multiple digital certificates in combination with smart cards and card management can be the staring point for different government bodies to use one card. Each government body may distribute certificates with different rights and restrictions to its user base. E-Government services will pick the right certificate from the card and provide the individual cardholder with services dedicated to her/his status. The capability to use the Internet or kiosks with one single smart cards and access with this card several government portals, will move government services to a significant higher service level and at the same time reduces costs and bureaucracy. Running from one government department to another to receive forms, stamps and other official documents will be drastically reduced for countries introducing smart cards as part of a comprehensive e-government strategy.
The need to save money is also a huge consideration for any project -- the extreme bureaucracy which is inherent in any paper-based system is greatly reduced by introducing a smart card system. The potential for financial savings was certainly a factor behind Austria’s pioneering ‘e-Card’ project. The system, which uses Bell ID’s ANDiS Card and Application Management System issued and managed over 10 million social insurance cards across the country. The scheme, which went live in 2005, began to replace the paper healthcare vouchers which eliminated the need to issue and process around 40 million of these vouchers each year. By using the cards to hold the vouchers, a considerable saving could be made, as there is no need to produce a new card for every new voucher -- the information on the card could be updated as and when it was needed. The introduction of a smart card management system is a vital piece of long-term planning for any organization. It is a way of introducing all these elements -- financial savings, standardization, transparency, audit trails and authentication of identity -- and using them to benefit itself in the future.
CHALLENGES AND RESOLUTIONS
The need for a solution that provides card issuers with a highly secure means of identification needs to be managed in a different way to a paper-based, or magnetic stripe-based scheme -- each and every card in circulation need to have cryptographic keys to ensure its security. In addition, each card will have at least one application on it that will need managing, and of course the cards themselves need to be managed during their life-cycle, for example, to ensure that expired cards are removed from circulation so they aren’t available to fraudsters. No paper or magnetic stripe card system is capable of performing these activities -- that is the job of a sophisticated Card and Application Management System (CAMS) which will maintain a high level of security which controlling the (potential) millions of card, applications and cryptographic keys.
A truly flexible and scalable solution, as only the most sophisticated of CAMS are, will bring huge benefits to any large scale ID scheme. To be considered as properly scalable the CAMS should be able to deliver the same high performance even at card volumes numbering tens of millions. In addition, the CAMS should be flexible enough to be able to integrate with a company or government’s existing systems.
The challenge of operating a card scheme within a large company or government that has many offices or departments also needs to be overcome. The CAMS should always have ‘multi-issuer’ capability to facilitate the issuance and management of cards at many locations. For example, national ID cards may be issued at local government offices. The CAMS should be able to do this without problems. In addition to ‘multi-issuer’ the CAMS should also have ‘multi-card type’ apability which allows the issuer to define different varieties of card within the same system, which may have different rights such as card requests, authorization, registration, personalization or distribution. For example, within the context of a healthcare professional’s card, a nurse’s ID card would be different from that of a senior doctor. Equally a patient’s medical ID card would be different again from their doctors’ yet they all need to operate in the same framework.
As the aim for any smart card project is to simplify the numerous and complicated bureaucratic procedures that large organizations often have, the ability to update or change information on the cards is of paramount importance. Known as Post-Issuance Personalization (PIP) this allows changes to be made without the need to recall cards when you need to add or removed applications or rights. A current project which used a PIP module as part of its CAMS is the Qatar National ID, which is a national identity smart card for all citizens and residents in the state of Qatar. For this project Bell ID provides its ANDiS CAMS which acts as the central component of the project, managing the issuance and life-cycles of the cards and their cryptographic keys, as well as the status of on-card applications. As the ID card uses digital certificates, and contains finger, face and iris biometrics, it would be unfeasible to create a new card when anything needed to be changed -- it would be both time consuming and costly. With the PIP module the cards can be updated without the re-issuance. This means that the Qatar ID cards will also be able to have new applications added to the existing cards, ensuring the long-term future of the scheme. The flexibility of the system also allowed the government to manage the ID card and the ePassport in one CAMS system.
In Bell ID’s experience, one of the most important advantages of a sophisticated card and application management system is that it is ‘future-proof’ and fulfills both the current needs of the scheme but also will be able to continue to provide the same level of service as the project grows and develops over time.
In the past, the cards have been seen as the central component of a card scheme. However, the complexity of large ID projects, along with their need for flexibility, scalability and rich functionality is ensuring that the card and application management systems are really at the center of a project. All over the world, card vendors, system integrators and consultants understand the importance of the CAMS when it comes to managing cards, applications and keys.
Anya Curtis is Marketing Manager of Bell ID (www.bellid.com).
For more information, please send your e-mails to email@example.com.
ⓒ2007 www.SecurityWorldMag.com. All rights reserved.