A card reader system is a type of electronic identification system that is used to identify a card and then perform an action associated with that card. Depending on the system, the card may identify where a person is or where they were at a certain time; or it may authorize another action, such as disengaging a lock. For example, a security guard may use his card at card readers located throughout a facility to indicate that he has checked a certain location at a certain time. The reader will store the information and/or send it to a central location, where it can be checked later to ensure that the guard has patrolled the area. Other card reader systems can be associated with a lock, so that the card holder must have their card read and accepted by the reader before the lock disengages. Cards can also be used as simple identification badges; however, this type of application does not involve a card reader system, and thus it will not be covered in this document.

A complete card reader system typically consists of the following components:

A "card" may be a typical card or another type of device, such as a key fob or wand. These cards store electronic information, which can range from a simple code (i.e., the alphanumeric code on a Proximity card) to individualized personal data (i.e., biometric data on a Smartcard). The card reader reads the information stored on the card and sends it to the control unit, which determines the appropriate action to take when a card is presented. For example, in a card access system, the control unit compares the information on the card vs. stored access authorization information to determine if the card holder is authorized to proceed through the door. If the information stored in the card reader system indicates that the key is authorized to allow entrance through the doorway, the system disengages the lock and the key holder can proceed through the door.

There are many different types of card reader systems on the market. The primary differences between card reader systems are different in the way that data is encoded on the cards and in the way these data are transferred between the card and the card reader, and in the types of applications for which they are best suited. However, all card systems are similar in the way that the card reader and control unit interact to respond to the card. Because the interaction between the card reader and the control unit is similar for different systems, these components will be discussed in general terms below. The different types of cards will be discussed in greater detail in the following sections.

The main function of the card reader is to read the code from the card and send that information on to the control unit. Some card reader systems require that the card be physically inserted into the card reader, while others, such as the Proximity system, only require that the card be in the general proximity of the reader. The specific methods by which data is transferred from the card to the reader are discussed under each card technology below.

A control unit is typically composed of both hardware and software. This unit is the main connection point for the card readers, locks, location monitoring points, and other wired inputs and outputs of the system. The primary function of the control unit is to record the information on the card, and respond, as appropriate. As described above, the appropriate response may be to disengage a lock or to record that the cardholder was at that location.

Depending on the needs and complexity of the system (i.e., the number of card holders, the number of card readers, the number of different permission levels, the types of transaction data tracked, etc.), a control unit can range from a localized control panel to a basic stand-alone PC to a more complex network, such as a Windows NT server or a UNIX-based RISC platform. For some simple systems that do not require the storage of large amounts of data, a localized control panel may be sufficient. For example, in a basic Proximity card system that controls access to an exterior door, the control unit must only determine whether or not the signal from the card is the same as the signal stored in its database. If the signal is correct, the system performs the appropriate action, such as unlocking the door. In this type of system, the only data that is required is whether or not the signal is correct; the card system does not have to identify, track, or store individual data that distinguishes one card from another. Thus, any individual having the correct Proximity card can access this system, but the system will not know which individuals have accessed it. This type of system may utilize individual, stand-alone card readers that do not share information - such as individual card readers at each door of a facility - because the decision logic is simple and each control unit can store all of the information it needs to function correctly. Other systems, such as a smartcard system, typically store and use data that identifies an individual user with an individual card. These systems are likely to require more data processing power and a user database that stores information on each user. This type of system would typically have a centralized host computer that stores all of this information, and communicates back and forth with all of the card readers connected to it. "Permission" decisions (see below for a discussion of permissions and permission levels) for readers located at various points in the system would be made from the central control unit and would be communicated to each card reader for local implementation.

As described above, the control unit is the main data storage and control center for the system. The control unit functions through a combination of hardware and software. The software is used to execute decision logic based on the interaction of the data stored on the card and its permissions stored in the system database, and the hardware then carries out this logic by powering locks, turning on switches, etc.

As mentioned above, the majority of card reader systems use software packages (usually Windows-based) to control the system. This software is the decision-making "brain" of a card reader system. It is used to develop and populate the card user database, to establish user "permissions," and to execute the decision logic (such as disengaging locks or recording a card location) when the card is read by the card reader. These functions are discussed in more detail below.

In order to implement a card reader system, the system administrator must first set up a database that contains information on system users and the cards assigned to them. Each system user must have a card, and this must be tracked in the database. The system administrator manages this database, and can add and delete cards/users or change card user permissions as necessary (see next paragraph for a discussion on permissions).

Card reading software is also used to assign different "permissions" to each card holder. Permissions are defined as the authorization levels given to users specifying the different things they can do within the system. For example, in a card system that controls locks, the system can be programmed so that users cards can only disengage locks in certain locations so that they can only access specific areas of a facility; or the system can be programmed so that users can only disengage locks at certain times. Depending on its sophistication, the software can also store data on "transactions" that occur within the system. For example, a door access control system could be set up to record a signal indicating that the door is properly closed. The system can also be programmed to send any alarms and communicate all historical card transactions - such as when a person using a specific card enters or exits a building through a card reader door.

It should be noted that the control of a location through a card reader system is limited only by what can be programmed into the system. Once data from a card has been read by the card reader, it can be used for any purpose that was written into the software. This could include disengaging locks, activating cameras, turning on lights, recording the card's location, etc. While the different types of cards have different features, each of these cards can be used in conjunction with the proper software to exert any type of required control in the system.

Finally, it should also be noted that vendors for card reader system can provide software, hardware, or both. Utilities wishing to purchase and implement a card reader system must work with the proper vendors to ensure that they purchase and integrate all of the required system components. The Vendor section below indicates which vendors sell which card reader components. Although the control unit operating systems may be different, the functionality of the application code for all the systems is similar.

As described above, while card readers are similar in the way that the card reader and control unit interact to control access, they are very different in the way data is encoded on the cards and in the way these data are transferred between the card and the card reader. There are several types of technologies available for card reader systems. These include:

Each of these technologies offers unique design features and attributes that contribute to the security of the system. The following sections provide a detailed discussion of each technology, and then a comparison of the technologies with respect to major features affecting their security, including their durability, their life expectancy, and their overall level of security. The level of security offered by each technology type is based on how difficult it is to reproduce/duplicate the technology.

Proximity technology uses changes in magnetic fields to control door locks. A Proximity card is embedded with radio frequency circuits encoded with unique alphanumeric codes. The card is also embedded with a small coil of wire that acts as an antenna. When the card comes near the card reader, the magnetic field generated by the card reader excites the magnetic coil embedded in the card. The coded information on the card is then transmitted to the card reader, which then sends the information on to the control panel. Based on the information received from the card, the control panel either accepts the information and communicates with the reader to disengage the lock, or rejects the information and does not disengage the lock.

Proximity cards typically do not include any personalized information, and thus any person using the proper Proximity card can use it access the protected asset. Therefore, Proximity card systems cannot be used to track individuals (such as what individual accessed a doorway), and they may be most appropriate in applications where it is important that only authorized persons access the asset, but it does not matter which particular individual access the asset. An example may be a door at an office complex: it is important that only employees enter the building, but it is not necessary to know which employee is accessing the building.

The uniqueness of this technology (embedded radio frequency circuits encoded with unique alphanumeric codes) makes reproducing cards difficult. Thus, proximity card technology is considered to offer a moderate to high level of security. One advantage of these systems is that they do not require that the card be inserted into or come into physical contact with a reader in order for its code to be read and for the lock to be disengaged. Proximity reader technology has recently dropped in price due to increased competition between manufacturers, thus increasing its popularity.

Wiegand technology is based on a highly secure, patented reader that utilizes a series of small-diameter, special alloy wires with unique magnetic properties. Two rows of Wiegand wires are inserted into a code strip and embedded in an identification card. When the card is put in the reader, the wires move past the read head and are subjected to a changing magnetic field. This induces the wires to produce a discrete voltage, which is sensed in a sensing coil. This series of pulses is read and interpreted as binary code. Based on the information received from the card, the control panel either accepts the information and allows the reader to disengage the lock, or rejects the information and does not allow the lock to be disengaged. Wiegand card technology is considered to offer a high level of security because code strips are factory encoded and embedded within the card, making duplication or counterfeiting very difficult. Additionally, the supply of Wiegand wires is controlled by the manufacturers; thus, accessing the necessary tools to reproduce a card would be difficult.

Wiegand cards are similar to Proximity cards in that they typically do not include any personalized information, and thus they cannot be used to track individuals. Applications for Wiegand card systems would be similar to those for Proximity cards.

Smartcard technology involves the use of chips embedded in plastic cards. The cards contain gold or metallic contacts that temporarily contact the card reader equipment when the card is run through the reader. Up to 1 kilobyte of RAM, 24 kilobytes of ROM, 16 kilobytes of programmable ROM, and an embedded 8-bit microprocessor running at 5 MHz may be embedded in a smartcard. In this technology, the host computer, card reader, and microprocessor communicate, and the microprocessor enforces access to the data on the card. Because the microprocessor enforces security, this type of technology is very difficult to duplicate, and thus it offers a very high level of security. In addition, because of its large data storage capacity, smartcard technology can encode a great deal of personal information, and thus it is ideal for systems where individuals need to be identified. It is gaining widespread use in the banking industry because of its high security. It is also used extensively in Europe for health insurance cards.

Magnetic Stripe technology is one of the most widely used card technologies, especially in the banking sector, where it is used for credit and automatic teller machine cards. Magnetic stripe technology uses electromagnetic charges to encode information on an oxide-coated piece of tape, which is attached to the back of a card. Typically, the oxide stripe contains three magnetic tracks of alphanumeric data bit strings of varying lengths. The card is placed in a magnetic stripe reader, which uses magnetic heads to read the information on one or more of the three magnetic tracks. This technology can store a large amount of personalized information (such as personal account numbers for use in credit transactions), and thus these card systems are ideal for tracking individuals.

Magnetic stripe technology is efficient because the configuration of the three magnetic tracks of alphanumeric data bit strings make it easy to access the data. However, there are several potential drawbacks to this type of technology. First, this type of technology has a limited lifetime because the magnetic stripe can become worn due to the frequency with which it must be swiped by the read head. Additionally, magnetic stripe cards are sensitive to magnetic fields, which can erase encoded information. Finally, the cards are also subject to duplication using computerized track readers and a magnetic stripe encoder. Based on these characteristics, magnetic stripe technology is considered to offer a low to moderate level of security.

Barium ferrite is the earliest magnetic encoding technology. It uses small bits of magnetized barium ferrite that are placed inside a plastic card. When the card is passed through the reader, the magnetic orientation of all the barium ferrite "spots" inside the card can be influenced and arranged to produce different magnetic field patterns. The polarity and location of the "spots" determines the coding. This type of technology is inexpensive. In addition, because the "spots" are embedded in the material and are therefore somewhat protected from wear, it can be durable. Barium ferrite cards are factory-encoded, and because the technology is embedded within the card, they have medium resistance to unauthorized duplication, and thus offer a moderate level of security. Barium ferrite cards are typically used for access control, and typically do not have individual data associated with them. Thus, applications for barium ferrite cards are similar to those for Wiegand and Proximity cards.

Bar Code technology consists of information printed in a pattern or series of narrow and wide bars and spaces. Certain types of bar code readers use fixed infrared LED light sources to read the symbol. Bar code technology typically contains personalized data. For example, this technology is used extensively on driver's licenses in many states.

As with magnetic stripe technology, there are potential security problems with this technology. For example, bar codes are susceptible to reproduction by using a computer scanner or photocopier. Bar code technology is considered to offer a relatively low level of security due to the ease with which they can be counterfeited.

Infrared technology is similar to bar code technology, but instead of having the bar code on the outside of the card, the bar code is encased within the card. The card is passed through a swipe or insertion reader that uses an infrared scanner. The bar code casts a shadow which is deciphered by the head of the reading equipment. The card can exhibit different color contrasts and shadows by using different levels of PVC thicknesses over the bar codes. This allows the light to penetrate to different degrees. Infrared cards are considered to be difficult to reproduce due to the light sensitive technology and embedded bar codes and, thus offer a high level of security.

Like bar code technology, infrared technology is often used to track individual data, and thus it can be used to to identify individuals accessing specific assets.

Hollerith technology is one of the earliest card technologies. A Hollerith card consists of a series of holes punched in a plastic or paper card. The card is read optically to decipher the pattern of light transmitted through it. Personal information is typically not encoded into Hollerith cards, and thus they are not typically used to track individuals. One of the most prevalent examples of Hollerith technology is encoded hotel room keys. Hollerith technology can be easily duplicated and, thus offers a low level of security.

Mixed technologies combine a variety of technologies on one card and provide different functions by combining these different technologies. For example, Proximity technology can be combined with bar code, magnetic stripe, Wiegand, or Smart card technologies. One of the most popular combinations is magnetic stripe technology combined with Wiegand technology. Magnetic stripe technology is efficient at accessing data and Wiegand technology provides a high degree of security for gaining entry to designated areas. The two technologies together therefore provide quick, secure access. Another very common combination is magnetic stripe technology used in conjunction with Proximity technology. For this particular technology combination, the readers themselves are able to read both types of cards. This is very useful to businesses that are transitioning from older magnetic stripe technology to a more reliable, high functionality Proximity card technology.

Table 1 below summarizes various aspects of these card reader technologies. As discussed above, the determination for the level of security rating (low, moderate, or high) was based on the level of technology a given card reader system has and how simple it is to duplicate that technology, and thus bypass the security. Vulnerability ratings were based on whether the card reader can be damaged easily due to frequent use or difficult working conditions (i.e., weather conditions if the reader is located outside). Often this is influenced by the number of moving parts in the system - the more moving parts, then greater the system's potential susceptibility to damage. The life cycle rating is based on the durability of a given card reader system over its entire operational period. Systems requiring frequent physical contact between the reader and the card often have a shorter life cycle due to the wear and tear to which the equipment is exposed. For many card reader systems, the vulnerability rating and life cycle rating have a reciprocal relationship. For instance, if a given system has a high vulnerability rating it will almost always have a shorter life cycle.

Cards must be encoded using a specialized card encoder or card read/writer. The encoder allows cards to be modified (for example, to change cardholder permissions) or added or deleted from the system. If the end user wishes to be able to encode cards themselves, they must purchase the encoder as an addition to the basic card system. Typically, the first batch of cards is encoded by the manufacturer. Subsequent changes may be made by the user if they have purchased the card encoder; otherwise, they must contact the manufacturer whenever changes are necessary.

Each of these technologies can be implemented for facilities of any size and with any number of users. However, because individual systems vary in the complexity of their technology and in the level of security they can provide to a facility, individual users must determine the appropriate system for their needs. Some important features to consider when selecting a card reader system include:

Costs for card reader systems can vary greatly depending on the level of system sophistication, including the size and level of security needed for a given facility. The cost for a card reader, which is required at every door that is part of the system, ranges from $85 to $250 per unit. Access cards, which must be issued to all personnel that will be accessing the facility, can range from $0.75 to $7 per card. As shown in Table 1, magnetic stripe, bar code, Hollerith, and barium ferrite systems would be on the low end of this cost scale, and Wiegand, infrared, and smart card systems would be on the higher end. The higher costs for these technologies would be reflected in higher costs per unit for both the cards and the readers. Control panels start at around $500 and can reach up to $3,200. Software necessary to control the system is usually included with the package for basic-type systems, while software for more complex systems may be an additional cost and may range from $200 to $1,000. Optional card encoders or read/writers usually range from $1,000 to $1,500 each.

Installation of card reader systems can be complex, and therefore most, if not all, card reader systems are installed by a manufacturer's representative. This will be an added cost, and will depend on the number of card readers and control units in the system, as well as the type of data transmission system implemented