Smart Cards From Scratch - Page III

Printer Friendly Version

Vendor Selection

The leading smart card vendors are ActivCard, Datakey, GemPlus, Oberthur, and Schlumberger. Since the price disparity between microprocessor and memory cards is so great, I recommend starting with figuring this requirement near the beginning of your smart card project. A microprocessor smart card is about $3.80 a card, and a memory smart card is about $00.48 a card. Most vendors will discount those prices if you order a large volume.

Leading smart card life-cycle management vendors are Bellid and Litronic. Both of these companies have advanced card management systems that have withstood the tests of major large-scale implementations.

Implementation Recommendations

The CIO should assign a program manager to manage the smart card project, and make sure that the right decisions are made. Without endorsement and support from the CIO, a large smart card project is doomed to fail.

The first thing the program manager should do, before ordering any smart cards, is figure out what the organization wants the smart cards to do. Your organization needs to select its smart card applications, and define its unique requirements, before the cards and life-cycle management software is purchased. Interview the life-cycle management software vendors first, and the smart card vendors second. There might only be a couple smart cards that work with the life-cycle management software that you want to use, which will eliminate the playing field of card vendors you need to interview.

If you plan a large implementation, be sure to select a Java capable smart card. Java capable smart cards can be programmed for different security domains, which means that with the same card, you can have different divisions of your organization manage different pieces of the card. For example it might make sense to have one division or department manage the physical security or proximity access, and another division or department manage network access. You should plan out your smart card security domains, and where they fit on a topological network map of your organization, before you begin your implementation.

A project leader should be identified for each smart card security domain that you plan to implement. Involving the project leaders in the selection and decision making usually increases your chances of a successful roll-out. For example, whoever is in charge of the proximity access decisions, will need to decide if they want to the card to use a contactless system (requiring the card to have an embedded antennae), a PIN that the card holder types into a PIN pad, or a mag stripe reader.

The project leaders of the individual security domains should submit requirements to the smart card program manager for review and approval. The smart card program manager should collate all the requirements, and document them into a consolidated project plan for approval and review by the CIO. Before anything is purchased, everyone who is participating in the project should have a chance to review the recommended products to ensure that the right components are being ordered. The project leaders of the individual security domains need to be held responsible for the successful roll-out of their particular domain.

The card issuance system, and the card readers, are probably the last components of your project you need to make a decision about. The important thing is to make sure your card readers work with your desktop operating systems, or whatever systems the device driver will be installed on. The card issuance system is what programs the cards. Your card life-cycle management vendor should be able to give you a list of which card issuance systems will work with their software. With some advanced card readers that can write to cards, a card issuance system might not be necessary.

A lot of components are involved in a smart card project, and it behooves the program manager to write a detailed project plan, listing all the components necessary, and the end-state architecture before you begin your implementation. You need to make sure you involve your vendor in the implementation. Ask both your smart card vendor and your life-cycle management vendor to review your plan before you begin the implementation. If the vendors are not willing to help review your plan, or offer implementation advice, it's probably worth looking at other vendors. Without a successful implementation, your smart card project will not gain acceptance in your organization.

Go to page: 1  2  3