Smart Cards Essay, Research Paper
1. Technology Requirements of a Smart Card
What is a Smart Card?
Before I outline the technology requirements of the project, I think it is helpful to define what exactly a smart card is. The actual term smart card comes from France. It was during a period of national investment and modernisation in France during the 1970’s which led to the development of the Carte a Memoire. This was later renamed by the governments marketing department equivalent (the Intelimatique) as the smart card. Although sometimes referred to as a chip card or an integrated circuit card, for purposes of this report I will refer to the device as a smart card. Smart Card Forum (1996).
The card itself tends to be similar in size to today’s plastic payment card, except it has an actual silicon computer chip embedded in it. A small gold or silver contact connected to the chip inside the card is usually visible on the surface. This allows it to be programmed with a much more sophisticated range of information than say magnetic strip cards, which can only hold basic numerical data such as an account number. Smart Card Forum (1996).
Types of Smart Card
There are also different types of smart cards, as outlined by the Estonian Institute of Cybernetics (1995)
i) An intelligent smart card contains a central processing unit – a CPU- that actually has the ability not only to store and secure information, but to make decisions as required. Because intelligent cards offer a “read/write” capability, new information can be added and processed. Different types of applications can be supported and will allow for new applications to be added to it. It will also maintain security “firewalls” between them. This type of card, for example, has already been adopted by 60,000 staff and students at the University of Michigan, making use of both a chip and magnetic stripe. Their cards contain a number of features such as personal identification, dormitory security, banking details and library services.
ii) The second type of card is often called a memory card. Memory cards are primarily information storage cards that contain a stored value which the user can “spend”. These cards may be used in a pay phone for example and are more likely to be used and thrown away after a duration of time.
In addition, each of these cards can be used in two different ways. One is in which the card is read by inserting it in a special reader. These are known as proximity cards. The second is a remote card which can be read from a distance, such as at a toll booth as you may expect to find on a motorway in Europe. The Estonian Institute of Cybernetics (1995).
Recommended Technological Requirements
For the purpose of this report, I believe that the multiple application/intelligent smart card is the most appropriate because three different systems will be on the card. It is also flexible enough for both changes to be made and additional systems to be implemented if and when necessary. The card should be proximity based whereby the card is placed into a reader to receive data. Obviously a remote card would not be practical in a busy corridor.
The choice of system to implement in the main seems to be between Java, Multos and Microsoft Smart Card, albeit the smart card industry en masse is very fragmented. Microsoft Smart Card would be my first choice to implement. The idea that their smart card systems can integrate with existing Microsoft products such as NT is helpful, especially as most organisations (including UNN) predominantly use their products already. The cost is around 1.50 a card. I would also suggest that there should be at least one card reader in each department in order to avoid crowding and congestion in a particular area of the campus. The cost per reader is approximately 40. By using Microsoft Smart Card there is no need to replace the existing system infrastructure as it works with Windows 95, Windows 98, Windows NT and Windows 2000. Microsoft (1999). Again, these are systems already used by UNN.
Staff will be required to enter the relevant data onto the system using a computer before being relayed to each of the meters on campus. It may be possible to use the existing computer hardware already available. If an upgrade was necessary then perhaps new computers would be required. In this instance, hardware such as monitors, hard drives (10mb), CD ROM s (48x), keyboards, Pentium III processor (preferably 500mhz), motherboard, RAM (preferably 128mb) will also be a necessary technological requirement. In terms of networking, a LAN (Local Area Network) is likely to suffice although if UNN were to consider going multi-campus (ie. Carlisle and Coach Lane) then a WAN (Wide Area Network) would be more suitable.
It would be advisable to implement a “back-up” system to protect data should the system fail due to a malfunction. This will ensure the system is able to “pick itself up” and keep running without major problems. There should be provision should a power failure occur. Thus a backup power system should also be seriously considered. It may also be helpful if the card was used for registration and access. At the moment, the manual methods used for registration are piecemeal and access checks to computer labs for example is non-existent.
This could also be an opportunity to makes a number of changes to the three current system as opposed to simply transplanting all three exactly as there are. In the first instance, there should be a degree of documentation examination through looking at forms, system reports, instruction manuals, job descriptions and any previous studies. This exercise may highlight any pitfalls in the current system and technological adjustments may be required (ie. More RAM). Also, for example, there is currently the problem of accidentally creating duplicate records of students. In relation to the SAS, if a student takes a break from studying then upon their return they may be registered a second time, thus producing a duplicate record. A similar problem may occur when students switch between modules etc. Therefore, perhaps there also needs to be a certain degree of integration, rather than to maintain the status quo of having three separate systems albeit on a card.
A decision also needs to be made in regards to whether a ready made system package should be implemented or whether a new system should be designed specifically. Such requirements may depend on the ” volume to be processed and the desired format the speed of processing and its response time, expansion requirements and certain standards. Cotterell & Hughes (p112, 1994).
Finally, for those who are opposed to the storing of their personal information on a card that could be lost, it is technically possible for the card to be configured as an identification mechanism only. Information would reside on the server and the user’s Smart Card would act as the identity key. Microsoft (1999).
2. Potential Benefits
I now turn to the potential benefits of using this technology, as discussed by the Smart Card Forum (1996). Smart cards provide data portability, thus avoiding any network disruptions for example. They are convenient, as they can easily be carried in a persons wallet. There is likely to be a clear reduction in bureaucracy in terms of eliminating the need for staff to administer time consuming paperwork, as changes in the course structure for example could automatically be copied to all participating students smart cards. Hence there would also be a radical increase in the speed in which data is processed. The card also can record its history, can instantaneously access multiple services and networks and hence will reduce mistakes. “Technical support calls for companies implementing smart cards have been reduced by 40 percent by automatically performing the error-prone authentication process for users.” Microsoft (1999). Overall, this may actually allow for savings in terms of staff numbers. At present
Another important point is that staff currently have no formal mechanism for collecting attendance information. In future, students could not only use their card to register their attendance but it could also be used to access a room (particularly useful for computer labs). Lecturers could also use the new system to gain information regarding a students course or marking structure and to make amendments to the course structure without having to resort to administrative protocol.
The actual price of the technology also appears to be reasonable. As stated by Microsoft (1999) in relation to their product: “At a price of approximately $20 per card reader and a maximum of $5 per card, Smart Card for Windows is smart and inexpensive ..”. Moreover, the Smart Card Forum (1996) suggests ” [the price of] chip cards range from $.80 to $15 depending upon their capacity and quantities.” The initial costs may prove cost effective in the long run when faced with lesser staff levels and a reduction in technical support costs regarding the previous system.
Security is another important issue. The information held on a smart card is secure and protected from the likes of network or power failures should the data have otherwise been held on a conventional database. Even if the card is lost or stolen which is almost inevitable to some degree, encryption techniques can be used to protect the data and PIN numbers or even fingerprint recognition can be used. Thus information transfer will also be secure. For example, Microsoft boast: “Using the most secure crypto-algorithms . and built on the most reliable chips, Smart Card for Windows is virtually inviolable .. If the card is tampered with, either by consecutive incorrect PIN entries, electron microscope, sawing open or any other method, it automatically implodes, rendering it useless to meddlers.” Microsoft (1999). A number can even be dialled to actually turn off the card by remote control. Hence data is available only to the appropriate user. The cards are also more durable than traditional magnetic stripe cards as the chip cannot be affected by magnetic fields or
There is also an issue of prestige here in terms how it would be perceived as a result of implementing cutting edge technological practices, especially if constructed “in-house”. I believe the outcome is likely to be favourable, and this seems to have happened at Exeter University in relation to the implementation of their smart card system. For example, Exeter was praised by a national newspaper: “The university s (Exeter] involvement in the revolution of the information age is reflected in its academic and research work.” (The Times 1997).
Finally, the prospects for the future of smart cards are good, and the consensus seems to be that its going to happen anyway, and is not merely the next fad. “Dataquest forecasts that by the year 2001, 3.4 billion smart cards will be used world-wide. Smart card activities are growing at 30 percent a year ” Smart Card Forum (1996). Moreover, it would be possible for additional functions to be added to the card, and this has been the case at other universities world wide. Smart cards which had initially been used to store similar academic information later became used for extra services, such as enabling students to buy books and food, use the library, pay course fees and even use the laundrette.
3. Potential Information Problems
It has to be said that Smart Card technology is still in its infancy and therefore I think it is reasonable to suggest that there may in fact be “bugs” within any given system or even worse a fundamental design flaw. On the former point, Windows 95 was notorious for bugs and this problem was not fully addressed and rectified until Windows 98 was released. This is a factor which UNN should be prepared for should any system be implemented. However, some comfort could be taken if the system was IS09000 compliant.
Smart card technology has not yet been standardised and there is more than one type of hardware and software. Most importantly, however, is that these cards are all incompatible. “The smartcard market now has three operating systems, all incompatible Windows for Smart Cards . Multos and Java ” (Computer Weekly News: 5th November 1998 “Microsoft’s Smart Move: is it Carte before horse?) At present, the International Organisation for Standardisation (ISO) is currently developing standards for smart cards. As pointed out in the Newsgroup: alt.technology.smartcards (1999) “The goal is to ensure uniform standards for smart cards that will allow interoperability of cards among a wide array of industries.” The worst case scenario in a similar context is in comparing VHS video to Betamax in the early 1980’s. When Betamax videos became obsolete, millions of people were eventually stuck with useless hardware. Hypothetically, UNN could spend a vast sum of money on a system which is obsolete in five years. Although the system will still being usable within its own confinements, it may be unable to integrate with other systems which may be different.
It should also be clear that although the price of individual cards and readers is not hugely expensive, the overall cost due to the inclusion of thousands of students into the system in likely to be high in the short term. Even in the longer term, there is the added necessity of ongoing maintenance and technical support which again will serve as a drain on resources. There is also the risk that the system provider may go bust in which case there may no longer be means of appropriate technical support. This is a real danger as the market is so fragmented at the moment, and as mentioned, the lack of universality in standards will not help.
It will also be costly, time consuming and disruptive to train staff in using the new system, and mistakes could be made in the short term as staff adjust. Staff costs will also be incurred in teaching thousands of students how to use the technology and also in long term helpdesk facilities.
4. Implementation Strategies
Next I will turn to the Implementation Strategies of which I have identified three distinct options. They are Direct Changeover, Parallel Running and Three-Phase Implementation. These distinct strategies were looked at by Yeates et al (1994).
First, Direct Changeover is defined as “when at a given time on a given date, one system must end and its replacement must start.” Yeates et al (p391, 1994). The advantages of this approach are that it is cheaper (and on the face of it more efficient) to switch from one system to another almost overnight. The disadvantages are apparent if something goes wrong. For example, this approach was employed when the London Stock Market implemented a new computer system overnight and the computers couldn’t cope as too many users were logged in. The system simply hadn’t been properly tested in real conditions.
The second solution is to use a Parallel Running strategy. “[Parallel Running] aims to validate the new system by checking the results it produces against the results produced by the old system.” Yeates et al (p391,1994). This option is the most expensive as both systems have to be run together at the same time and temporary staff may have to be employed to staff both systems. However, it is also possible to test against a small part of the old system in order to save both costs and time, and to use this as a benchmark for the new system. Obviously, this is a safer option as if the new system doesn’t perform as required, the old system is still in place as a backup.
Thirdly, there is Three-Phase Implementation. In this scenario, “phased installation is where one part of the system is installed and run live for a period of time then a second part of the system is added and both are run live for a period any remaining parts are dealt with in the same way.” Yeates et al (p391, 1994). The advantages here are that the an organisation will get the core part of the system faster than if they had to wait for the complete system, so they system may start to pay for itself earlier and will also help spread the cost. In addition, the permanent employees will be able to pick up on the new system at a more manageable rate than if everything was turned on over night.
Proposed Information Strategy
Before deciding on which system to implement, I think it is important to firstly explore a number of other considerations. These were looked at by Yourdon (1989).
Both staff and students should be initially consulted through the use of a questionnaire. In particular, staff could be asked to comment on the current system and to point out any reoccurring problems and difficulties or indeed anything which is missing from the system. As Yourdon (1989) importantly points out “it is the interview where the tire meets the road between user and system analyst”.
It may even be helpful to observe staff engaging the current system in order to reinforce points they have made on improving the system or indeed an analyst could discover a flaw himself. Overall, this will hopefully result in an all inclusive approach which at the end of the day the majority of users will find as being a vast improvement and at the very worst acceptable.
Next, there should be a consultation with other universities already using smart cards (there being several in the UK) and which has implemented a similar system. A fact finding visit to such an institution may also be helpful in order to get first hand information.
Once UNN has a better understanding of a typical system which could be implemented, then it would be prudent to invite several suitable vendors to give presentations on their solutions. These bids could then be evaluated and a contract drawn up.
As a precursor to the system going live, there needs to be a mass information campaign to inform both relevant staff and students of the change in status. Thus, the email system could be used to forewarn relevant staff and students of the changeover, and this could be reinforced at staff meetings, in student publications, on notice boards throughout the university and lecturers could be tasked with briefing students at the beginning of lectures. I would also suggest that a helpdesk be set up to assist with any student queries and concerns.
I would recommend using the parallel system and to initially base it within one department only (in essence a pilot scheme). This will accommodate both the old and new systems at the same time and is, I believe, the safest option. As for Direct Changeover, such a venture is far too risky in my opinion when dealing with such huge numbers of dependant users. The three-phase system is unnecessary as there is no real hurry for implementation. In the first instance, the parallel system should be used to service a couple of thousand students and hence should not be too great a number to manage and study compared to full implementation. This will allow time for students to get acquainted with the system and hopefully address any problems which can later be avoided when the system goes live across the rest of the campus. Staff too will also have to be educated on the new system. Recent information obtained from the internet newsgroup: alt.technology.smartcard (1999) suggests a number of recommended guidelines. For example: “To identify, recognise and respect the privacy expectations of users and make applicable privacy guidelines available to them and take appropriate disciplinary measures with [staff] who fail to adhere to such standards.”
As the pilot scheme will only concern a fraction of the entire student population I don t think set timing is as crucial as would be the case with a system such as Direct Changeover. However, it may be helpful to implement this first stage at the start of semester two, giving staff seven months to iron out any difficulties between then and September and to allow for the remaining infrastructure (such as additional card readers) to be installed. As card readers are installed, each should be rigorously tested and all types of information be loaded onto the card.
In concluding, the evidence appears to be strongly in favour of the implementation of smart cards.