A single smart card used for access control, can potentially have several different numbers for that single card. This article provides some best practice guidance to select the correct card number to streamline administration over the lifespan of the card.
Commonly when a new smart card technology is implemented within an organisation, it is usually implemented alongside an access control system.
These days, it is unusual that the access control system will be the only system using the card, the card will often be used for other services, such as:
- Time and attendance monitoring
- Cashless vending
- Library Management
Each system may have its own requirements in terms of what card types they can read as well as in which format they read them, making choosing which card number to use more difficult.
Planning how cards will be managed then becomes critical to keep future costs and administration down, and provide high levels of usability for the card holder.
The ideal scenario is to have a single card with a single card number that can be used throughout the organisation and all services.
This provides a good user experience, but also this streamlines administration, increases security and identity management.
But how many numbers can a card have?
When a card is manufactured it is given a unique number which is programmed into the card by the manufacturer and cannot be changed.
This number is commonly called the Card Serial Number (CSN) or Unique ID (UID), similar to a hard drive or flash drive, the card can also be programmed with other data, or other card numbers.
As an example, a 1k MiFare card has 16 sectors, each one with four blocks, by comparison a 4K MiFare card has 40 sectors each with four blocks.
It is possible to write to any of there sectors or blocks as long as the system is setup to read that particular part of the card.
Cards with a 4 byte Card Serial Number can no longer be guaranteed to be unique, due the quantity of cards in circulation, NXP, manufactures of MiFare cards, increased the length of the CSN from 4 bytes to 7 bytes for new cards.
For security reasons, it is best practice to program a customer-specific card number onto the card, rather than using the card serial number.
The area of the card where the customer-specific card number is stored can also be locked to prevent unauthorised reading or copying of the card, which increases the security of the system.
The end user also retains control over their cards by encoding their own number, and this also gives a human-readable card number that is easy to type into an access control system.
Commonly, a facility or customer code will also be added, when a card is presented.
The system will first check if the facility or customer code matches, if not, it will ignore the card and will not read the number, if the facility or customer code matches, the system will then check if the card number is valid and whether that card number has the relevant authorisation.
Integration with other systems
If a service such as follow me printing comes along after the card is implemented, and this system can only read the card serial number, this could leave a significant problem.
Whilst most follow me printing systems have self enrollment modes to facilitate the capture of card numbers, it is best practice to capture the CSN and/or card number at the time the card is issued to future proof the cards and streamline the roll out of other systems that may be implemented in future.
If both the customer specific card number and card serial number are not captured when the card is issued, the only solution is to either recall and reprogram the cards that staff already have, or issue a new card that you have obtained both numbers from – both of these remedies are labour intensive and expensive.
Thanks to Ben O’Brien at ID Card Centre for his assistance with this article.