By Michael A. Gips
Best practices for RFID in identity management.
The Smart Card Alliance has issued a list of best practices that it hopes will alleviate concerns about the use of radio-frequency-enabled technology for identity-management applications.
The paper calls, for example, for security measures to protect the personal data obtained. It lists various elements in this regard, such as the need to mutually authenticate both the ID credential and the device that would access the information; it also calls for data encryption and for a means of verifying that data on the card has not been tampered with.
Other best practices focus on how companies can make sure that they are serving the people whose data is collected. It call, for notification regarding what the data will be used for and how long it will be retained. It also calls for some means of allowing redress to anyone whose data is listed incorrectly.
The alliance has also issued a FAQ (frequently asked questions) discussing the differences between RF-enabled smart cards and RFID tags. The latter, used largely in inventory tracking, operates over longer distances (measured in feet) and does not have built-in security features, the paper notes. The former has a restricted read range of several inches and has security features. It is this technology that is used in contactless smart cards for ID and payment applications.
Both the FAQ and the best-practice guidelines are available for download from the alliance's Web site.