University opts to own encryption keys to foster flexibility
In 2017, the University of Georgia made the advancement of card technology a priority on campus. UGA’s OneCard Oversight Committee was formed and turned the lens inward, examining its card environment from within. The Committee was tasked with ensuring the review process enhanced security, created a collaborative phased approach and proactively prevented any future service disruptions while minimizing overall cost impacts. Part of the overhaul was a desire among the relevant card-related departments at the university to own the entire process — encryption keys and all.
The university’s access control, vending, sporting events, POS transactions and more were all being propped up by a combination of magnetic stripe and low frequency proximity card technology. Knowing that these technologies were considered insecure and easily duplicated, the committee feared the card system wasn’t offering the desired level of security. Moreover, the combination of mag stripe and prox provided little flexibility for new applications.
Recognizing the need for a new credential and card system, UGA’s OneCard Oversight Committee began researching new solutions. After issuing an RFP for a card consultant to aid in the decision-making process, the team ultimately determined that the expertise needed was already on campus at UGA and the process of defining its new card system could be accomplished internally. The OneCard Oversight Committee was created, consisting of representatives from Finance and Administration, Student Affairs, the University Library System, Legal Affairs, University Housing, Payroll, Bursars Office, Internal Auditing, Facilities Management, Police, Auxiliary Services, IT and Athletics. Having such a broad partnership across campus was key to the success of implementing the program internally.
The committee’s first decision was that an encrypted smart card would be necessary. After researching commercially available options, they concluded that DESFire EV2 contactless technology was the right fit. It offered the best performance and, crucially, the flexibility to enable multiple applications on the card, each with its own dedicated encryption key.
To the UGA team, the most intriguing feature of DESFire EV2 was the ability to add applications to the card via an NFC-equipped device, while keeping those applications under sole control of the university.
Next, the committee explored solution vendors that could support their selected DESFire EV2 card technology.
“We had on-site demonstrations from vendors, and it was evident that the offerings were very proprietary and that once you signed a deal with a particular vendor you were locked in,” recalls Bill McGee, Director of IT for Auxiliary Services and member of the OneCard Oversight Committee. “They own the keys, set rules and standards, and you then buy all your products and readers from them. We wanted to stay away from that.”
The team visited a host of other campuses and attended educational events to gather information. They also spoke to vendors, other universities and corporate entities like Fidelity that were starting to move to DESFire EV2. “Finding universities was hard because it was a newer concept at the time, and universities were primarily using the precursor DESFire version, EV1. We realized whether they knew it or not, these entities were tied to their vendor,” says McGee. “We spent months researching options and we found WaveLynx, a US-based operation that builds DESFire EV2 compatible readers and does programming on EV2 cards.”
The team solidified its recommendation of DESFire EV2 with the aid of WaveLynx, and following a successful onsite presentation and walkthrough, the system moved into the beta testing phase.
“We beta tested at our university health center with 65 to 70 readers,” says McGee. “Readers were installed by UGA staff to ensure we understood the ins and outs of the hardware, software troubleshooting, etc.”