Making the leap from prox to contactless ID cards
Organizations struggling with the contactless conundrum
08 May, 2013
IMS Research puts the life spans anywhere between 10 and 15 years, Everett says. When new systems are deployed they typically choose smart cards, so at least enterprises are not replacing old prox systems with more prox technology, he notes.
Some enterprises don’t feel the need to move because the security profile doesn’t demand it, says Dave Helbock, a senior security specialist at XTec. “Do you want to keep the local populace out or do you want high security?” he asks. “Do you need to card into every door or suite or do you just have one on the front door and in the garage?” Depending on an enterprise’s answers to questions like these, they may find prox sufficient for their current needs.
The other factor is that prox technology still works very well for its intended function – passing a short numeric string to a reader quickly and reliably. “Prox is very well established and the problem you face is that if it works, why change it?” says Everett. “People are resistant to change because it does the job on the low security side.”
So why switch?
A security breach can lead to change. Hart says the use of prox technology – due to either cloning or lax access rules – has enabled unauthorized individuals to access facilities.
Often such breaches lead to a discussion about high-security credentials, but so too can an IT department’s desire for convergence of credentials, Hart says. In addition to greater security, smart cards create opportunities for additional applications such as logical or network access control.
“Enterprises need to think about physical access control as one piece of a larger ecosystem,” Hart says. “Pick one point and then grow from it.”
The same contactless technology that gets an employee in the front door securely could also then be used to make purchases from a cafeteria or vending machines. Even more importantly, the credential could be used for logical access to secure networks and web sites, Ardiley says.
The issue of cost
These reasons would seem on the surface to be enough to encourage mass migration if other factors were not at play. But factors such as replacement cost fight against migration at every turn.
Vendors are understandably hesitant to talk about cost as quantity and a host of other variables can factor in, but this does not remove the reality of the issue.
Typically, prox cards cost $3 to $5 each, sources say, though it is not uncommon for small volume issuers to pay double this amount. Price can vary depending on printing options, lead times, quantity and other features.
Pricing for contactless cards runs the gamut. Contactless smart cards with small memory and older technology are often cheaper than prox at just $1 to $2 per card, sources say. There are many mid-range options that are comparable in price to prox as well. At the expensive end of the spectrum, contactless smart cards with large memory, high-end cryptographic capabilities and the latest security features can cost $8 to $12 or more, sources say.
Some may scoff at the cost of the higher end cards but vendors say the tangible and intangible benefits of increased functionality and security warrant the added expense.
As for the readers, again, on the low end the cost for contactless readers is often lower than or comparable to prox, sources say. Multi-technology readers with different features are more expensive but can provide greater longevity and the flexibility to support legacy cards as the migration to contactless proceeds.
Since some contactless cards are comparable in price to prox, the main issue for an enterprise often comes down to the costs to swap out readers. A smaller organization with a handful of doors might not think twice, but for an enterprise with hundreds or even thousands of doors the cost of readers can be intimidating.
Standards-based technology
While the capital investment up front may be daunting, there are potential long-term savings from making the switch to an open-standard contactless smart card. Theoretically, open standard products free end users from being locked into a single vendor for cards and readers. “Contactless smart cards enable a move away from a proprietary to a vendor neutral position,” Ardiley says.
Contactless smart cards operate on the ISO 14443 or ISO 15693 standards. If an enterprise deploys technology that uses one of these standards, it should be able to buy cards and readers from any vendor as long as the standards are supported. “You don’t want to get locked into one technology,” Hart says. “We’ve seen a lot of problems sticking with a one vendor implementation.”
Using standards-based technology also means a certain amount of future proofing. As long as the new technology adheres to the same standard, enterprises should be able to upgrade without ripping and replacing, Hart says.
The access control supply chain has grown accustomed to proprietary technology and, sources say, the idea of open standards and open sourcing makes some dealers and system integrators nervous. They want to protect the lucrative recurring sale of cards and readers into their client base, but they fear that the switch to open standards – where these products could be purchased anywhere – could hurt business, insiders say.
“Prox is easy and repeatable and they are making handsome profits on legacy systems and repeat sales,” says one security source. “Replacing a physical access system is a big deal and usually stays in place for a decade or more. Where is the incentive to move to a new, more secure system? Prox works today for physical access – even though it’s a weak system.”