How to Modernize Old EAC Systems

April 3, 2020
Knowing when to update equipment and credentials will keep your client — and your business — secure.

How old should an electronic access control (EAC) system be before you, as a security professional, suggest an upgrade? Specifically, how much time should you allow between the date of system installation and when you suggest that a client modernize it? Should you wait until your client’s system fails, should you mention it when there’s been a loss, should you wait until they ask or should you be more proactive? For an ethical locksmith, these are legitimate questions born out of a sense of fairness and honesty.

“I have no problem mentioning upgrades to my clients when there are improvements that could make their access control system more effective, convenient and accommodating,” says Kevin Babin, security sales technician with FireQuest Fire Alarm Service Associates of Baton Rouge, Louisiana. “Look at it this way: If I don't tell them about a better card reader or maybe a better door strike, and if someone breaches their system and something bad happens, I would feel responsible to some small degree.”

In this story, we’ll discuss the methodologies behind an “upgrade proposition.” We’ll look at the technologies, devices and systems that dovetail with older access systems, and we’ll discuss the potential credentials one would require to access an upgraded system.

Sell the Upgrade

The best time to suggest an upgrade is when you perform a yearly inspection or perhaps when you’re on-site during a service call. The next best time is when the system is a couple of years old. Computer programs exist that allow for scheduling with respect to the date of installation for the purpose of automatically sending letters, emails or both.

Compose a letter ahead of time that can be sent automatically to a commercial client two years after an installation. In that letter, explain why it’s important for the client to maintain its EAC system on a yearly basis. Offer to send a tech by to inspect batteries, keypads, card readers, locking hardware, door closers, electric openers, etc. Follow up with a phone call to see whether you might stop by to chat about some developments in access control that you believe would serve them well.

Subsequent letters can be sent on a routine basis, providing new promotional messages. Some letters should tell of the latest credentials and how they can assist the client. Each letter should have a clear call to action, such as a link that leads to more information, a contact form and a phone number.

When a client is receptive to an upgrade, the best course of action, unless you know the system intimately, is to visit the location. Take a full inventory. Start at the head-end, which typically includes a computer that the system administrator uses to program user PINs, cards and biometric credentials. In most cases, you’ll want to replace this computer with a newer, more powerful model that’s capable of handling newer programs for newer credentials. The credentials certainly will require more processing power and data storage space.

“Some of these existing access control computers, depending on the software, require more-dedicated resources than regular productivity software,” Babin says. “If the [client is] running all kinds of office software, the access control system may need more resources than what’s left in the machine. All too often this is exactly what happens, and it’s the access control system that ends up the worst for it. This is why I try to convince my clients to purchase a dedicated computer just for the access control system.”

If you aren’t sure of what to sell or where to find it, discuss the overall job with the manufacturer or distributor that handles the EAC system you use.

Where the Action Is

Looking at the EAC market as a whole, a significant amount of emphasis has been placed on research and development in the area of credentials. Here, a wide range of high-security technologies has been designed to replace legacy devices, such as keypads, mag-stripe readers and prox readers.

Let’s say you have a client that has an EAC system that uses keypads at the doors. The client has experienced several incidents where expensive items have gone missing, and management has no idea when it happened, how or who did it.

The problem in this case is that the system in use obviously doesn’t have the ability to collect and store events that occur. If it did, management could determine the identity of the person who held the access credential that was used. If a modern system had been in place, management could ask the PIN holder if they entered the facility the evening of the theft to determine whether the employee committed the theft or saw something that might help authorities in their investigation.

One possible upgrade that could have proven helpful in the previous scenario is a closed-circuit TV (CCTV) system. By integrating the access control and CCTV system, an image of the person who entered the building using the employee PIN would have been captured.

“Even a normal user under the best of circumstances, I would encourage them to get rid of their keypads and replace them with [radio-frequency ID] readers that accept a modern credential containing two or more technologies,” Babin says. “One of the problems with a keypad is that almost anyone nearby can see the PIN that’s entered. And, when there’s a loss, I always recommend they replace their old readers with a biometric model, such as a fingerprint reader.”

HID Global, for one, manufactures a growing number of high-tech credentials. According to HID, it also embeds a wide range of commercially available contact smart chips. Customers also can select HID’s off-the-shelf Crescendo multitechnology smart card, which provides strong authentication options.

The Right Credentials

How many stars are in the night sky? Not that many credentials exist, but there are more to choose from than you might think.

An EAC credential is something known, physically possessed or an actual physical characteristic of an EAC system user. The purpose of a credential, no matter which one you use, is to provide a degree of authentication, which is necessary to maintain adequate security. “Adequate security” is whatever level of protection is necessary to meet a client’s demands.

The following is a list of credentials that you’re likely to encounter, but it certainly isn’t complete:

  • PIN (personal identification number)
  • Keyfob
  • Magnetic stripe card
  • Proximity card
  • Smart card
  • Smartphone
  • Biometric characteristic
    • Fingerprint
    • Thumbprint
    • Retina scan
    • Iris scan
    • Hand geometry
    • Voice
    • Facial recognition

Many technologies are involved in the creation of each of the above. Some of the newer technologies include RFID, while others involve the transmission of encrypted data, as in the case of a smart card. Here, each smart card and its accompanying reader must authenticate one another through an encrypted connection before data can be exchanged. This constitutes a second layer of protection that sophisticated hackers must penetrate to enter a facility unchallenged.
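The card-and-reader mutual authentication described above can be sketched as a nonce-based challenge-response. This is an added illustration, not code from the article or from any vendor: the `Card` and `Reader` classes, the per-card shared key and the use of HMAC-SHA256 are assumptions, and it covers only the authentication step, not the encryption of the data exchanged afterward.

```python
import hashlib
import hmac
import secrets

def proof(key, role, first, second):
    """HMAC-SHA256 over a role label and both nonces (fixed 16-byte nonces)."""
    return hmac.new(key, role + first + second, hashlib.sha256).digest()

class Card:
    def __init__(self, card_id, key):
        self.card_id, self.key, self.nonce = card_id, key, b""

    def hello(self):
        self.nonce = secrets.token_bytes(16)  # fresh per presentation
        return self.card_id, self.nonce

    def respond(self, reader_nonce, reader_proof):
        # Authenticate the reader first; stay silent if it cannot prove the key.
        expected = proof(self.key, b"reader", self.nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None
        return proof(self.key, b"card", reader_nonce, self.nonce)

class Reader:
    def __init__(self, keys):
        self.keys = keys  # card_id -> shared key (constructed sample data)

    def challenge(self, card_id, card_nonce):
        # Unknown cards get a throwaway key so the reply shape does not differ.
        self.key = self.keys.get(card_id) or secrets.token_bytes(32)
        self.card_nonce, self.nonce = card_nonce, secrets.token_bytes(16)
        return self.nonce, proof(self.key, b"reader", card_nonce, self.nonce)

    def verify(self, card_proof):
        if card_proof is None:
            return False
        expected = proof(self.key, b"card", self.nonce, self.card_nonce)
        return hmac.compare_digest(expected, card_proof)

def run_exchange(card, reader):
    card_id, card_nonce = card.hello()
    reader_nonce, reader_proof = reader.challenge(card_id, card_nonce)
    return reader.verify(card.respond(reader_nonce, reader_proof))
```

Because each side contributes a fresh nonce, a response recorded from one presentation does not verify in the next, which is the property a credential that only transmits a fixed identifier lacks.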

The security requirements of every client are sure to vary, so the criteria needed to attain “adequate security” also will vary from client to client. For example, where some might require only a prox credential, others might require a biometric reader. Dual-factor authentication provides a higher level of security, requiring two different credentials, such as a PIN or card and a biometric characteristic.

“To this day, there are still a lot of people who have generic prox readers,” Babin says. “In fact, we’re still installing prox, which is something we may not always want to do, but if it’s in the bid specification, it’s what we’re forced to install. If the client has had a loss of some kind, I always suggest a biometric fingerprint reader along with a prox card, [so] access requires two credentials before the door will open.”

HID Global, for instance, makes an RFID sticker that can be applied to a prox card, or even an ID badge. Now, when the user presents their prox card, the RFID portion of the system receives the user’s identification data through the proximity and RFID readers. In some cases, both technologies are built into a single reader; in others, two distinct readers might be side by side. In this case, perhaps an upgrade merely consists of adding a second RFID reader.

If you have questions about selling upgrades or the various credentials in use, feel free to contact the author via email: [email protected]