There’s been a lot of spin churned out lately about “compatible” card reader technologies. Several manufacturers offer card readers that claim to be "HID-compatible", “iCLASS-compatible” or “MIFARE-compatible”. What exactly does that mean? A popular layman’s assumption might be that the reader can read the access control format data contained in the contactless smart card IC memory. But let the buyer beware! Sometimes it means that the reader product conforms to only a portion of the ISO standard, or does not incorporate the proper security features that allow access to the information stored in the card IC’s memory. In that case, the reader may only be able to read the Card Serial Number (CSN) of the IC. Some manufacturers can't even read the entire CSN and end up cutting off, or "truncating", part of the number - which further diminishes the security of the card.
There have been instances where “compatible” products were specified with the assumption that the internally programmed card format number would be read; however, it is a shock to the end-user when it is discovered that the random CSN is being read instead. The result is that now, a single card will transmit one number when read on the legacy reader, and another different number (CSN) when read on the “compatible” reader. In some cases, the access control software could not effectively handle two separate, and distinctly different, numbers for the single cardholder; requiring a massive database administration effort (adding unplanned time and expense) as a second cardholder record was required to handle this condition. Many manufacturers will qualify their “Compatible” reader as “CSN Only” in fine print. Regardless, it is good business to drill down to find out what “compatible” really means and what the liabilities could be if you are using CSN as your only means of card access identification.