Card, mobile credential, payment and security
Somewhere on your campus there is, very likely, a magnetic stripe stored value system in operation. Maybe it is a full-blown part of your campus ID card enabling cashless purchases in vending machines, photocopiers, and laundry facilities. Or maybe it is a stand-alone system for copiers in some renegade department, an internal control device for tracking departmental office equipment usage, or on the back of a dedicated library card issued only for use in the law library. Whatever the case, the little black stripe is likely on the back of some plastic cards on your campus.
The thin black stripe was nicknamed a “junkstripe” in the higher education market because of its frequent use as a means to purchase junkfood from vending machines. It looks like any other magnetic stripe, only more narrow. In fact, it is actually just a single track magnetic stripe–as compared to bank cards and most campus card that use a two- or three-track stripe. It contains a strip of magnetic material capable of recording data—just like its wider counterpart. It is made of a high coercivity (HiCo) material and thus is resistant to incidental erasure.
A handful of companies provide magnetic stripe stored value programs to campuses, but the technology originally was developed by Debitek (now Ingenico) and DANYL (formerly Schlumberger but recently sold to ESD). In the early 1990’s, the two companies worked in tandem developing the code and building the readers. In the mid-1990’s, the companies parted ways, each agreeing to continue to use the system and ensure compatibility in an effort to maintain a satisfied customer base. Both retain rights to develop the technology in perpetuity and both continued production of their own readers.
How the technology operates
A site code, or conditional acceptance number, is a short numeric identifier for the card, typically four-digits in length. An institution is granted a series of site codes specific to them. This code is the first data read during a transaction. If the code is not authorized for acceptance by a particular reader, the card is rejected. These codes ensure that a card from one school cannot be used at another location, unless the schools have agreed to share usage. Different codes can be used at a single institution to allow demographic data to be collected. For example, by assigning a different code to class levels it is possible to determine the volume of Diet Cokes purchased by sophomores. Additionally, variable pricing can be assigned to different site codes so that, for example, students pay less for products than visitors would. Readers can be programmed to accept as many as 32 separate site codes.
Value is the other significant piece of data recorded on a stripe. When a transaction is debited from a card, the entire value is erased from the card and the new value is written in its place.
The security behind the system
The security utilized in these systems does not rely on encryption. Instead it relies on the codes used to authorize transactions and the physical means by which data is encoded on the stripe. First, the numeric signals or messages that specify transactions are unknown outside of the companies. Therefore, outside parties cannot fraudulently initiate meaningful commands in an attempt to emulate reading and encoding. Second, the encoding heads that write data onto the magnetic stripe are positioned precisely at a specified angle which renders data on the stripe invisible to a read head positioned at any other angle. Other card readers and encoders cannot see the data encoded on the stripe.
While this security is by no means foolproof, our research found no reported cases of fraud against these systems. Perhaps this is because the dollar values for junkstripe transactions are typically quite low. As vended products, copies, and laundry are the typical uses for this type of payment the incentive to crack the system is unlikely to be financial in nature. Another reason for this apparent lack of fraud could be that it is difficult, if not impossible, to catch if it was occurring. Because the cards are not personalized to the cardholder, it would be extremely difficult to detect.
The process in a nutshell …
To use the technology, a customer needs the following components:
A blank card is made valid using the system software and the encoding device. Value is loaded by the cardholder and the card is used for payment in a single, or in a range of, card controlled devices. The value from the transaction is subtracted from the card balance and the new balance is rewritten to the stripe. At the same time, the reader credits its log with the amount of the transaction. Periodically, a staff member collects the data from the readers. It is then downloaded loaded into the system and total transaction values by merchant, machine, and site code are available.
In some cases, the campus may collect from the readers. In other cases, the vendors—such as the soft drink provider—collects the data and bills the school for the amount reported. An unresettable grand total counter exists in most readers which enables one party to periodically audit the reports of another. In the example above, the school could check this counter to ensure that they were not over-charged by the soft drink provider.
While junkstripe technology is not receiving the same level of attention that it did in the mid-1990’s it remains a powerful tool for tracking, controlling, and conducting transactions. The large base of schools that continue to utilize the technology today and the numbers still implementing the ensure that the systems will continue to play an important role in campus ID projects.
