
National Smart Card Project

Smart Cards: Accessibility and Social Inclusion

Dr. John Gill
March 2004


Executive Summary

Consumers want user friendly systems which have the appropriate level of security, but are simple to use. Local authorities want to optimise their service level, and to maximise their market penetration. If local authorities do not understand the needs of their consumers, they are likely to find consumers reluctant to use smart card based systems.

Cardholder identification should involve the consent of the user who may wish to withdraw their consent at a later date. Authentication provides the user with a secure way to prove their identity during a transaction, but does not necessarily mean that they are authorised to access a specific service.

People with special needs include older people, children, people whose primary language is not English, as well as people with disabilities. However the introduction of smart card systems offers exciting possibilities for making life easier for all these groups, if their needs are considered before new systems are introduced. The Disability Discrimination Act requires local authorities to give consideration to the needs of people with disabilities.

The take-up of smart card based services will be affected by the users' perceptions of:

  • the confidentiality of any data on the card or in a related computer system
  • ease of use
  • confidence that there is a simple system for handling lost or stolen cards

Contents

1 Introduction
   
2 Demographics
   
3 Issuing cards
3.1 Identification
3.2 Identifying the user at time of issue
3.3 Re-issuing cards
3.4 Additional information
   
4 Authentication
4.1 Model for citizen authentication
4.2 Identification assurance level
4.3 Authentication token
4.4 Personal identification numbers and passwords
4.5 Biometric identification systems
   
5 Authorisation
   
6 Smart cards
   
7 Terminals
   
8 Recommendations
   
9 Standards
   
10 Further information
   
11 Glossary
   
12 Acronyms and abbreviations

1 Introduction

The take-up of smart card based services will be determined by the consumers' perceptions of ease of use and trust in the system. Ease of use will include aspects such as consistency of the user interface as well as the ease of recovering from errors (both by the user and the system). The provision of appropriate instructions and intelligent help will be important; this implies some form of standardisation of terminology.

This report examines some of the aspects which are likely to affect the user's ability or desire to use smart card systems. Users will include people with disabilities, older people, people whose primary language is not used by the system, as well as people who are left-handed. These 'minority' groups constitute a significant, if not homogeneous, portion of the general public. Ignoring their needs is likely to have an adverse effect on the take-up of smart card services.

Trust is difficult to measure but will depend on the consumer's understanding of the level of security of their personal information. Perceptions of a system can change suddenly, influenced by stories in the media. For instance it would only need a passenger at an airport to claim that their vision has been damaged by an iris scan for there to be widespread reluctance to use the system.

The consumer wants a simple process of identification that does not involve providing more information than is needed for the services they wish to access. The consumer must be able to choose the level of identification they provide, but they must be made aware that this may determine what services they can access. The consumer is likely to be concerned that the information they provide will not be passed to third parties without their permission.

An important aspect is that resources need to be devoted to education of card holders so that they understand how to use systems, understand the implications of their actions, and understand how the law will protect them if something goes wrong.


2 Demographics

People with special needs can include:

  • Children (< 16 years): 20%
  • Older people (> 65 years): 15%

Also:

  • People with disabilities: 10%
  • Left handed: 10%

Another significant group is those people who have limited knowledge of the English language; this includes some immigrants as well as foreign visitors.

Please treat the above percentages of the population in the UK solely as indicative of the order of magnitude. In addition the design of smart card systems should take into account differences in culture, particularly among ethnic minorities, which may render some designs unacceptable to some groups.

The increasing interest in adopting an inclusive design approach is because of a greater awareness of:

  • The increase in the older population
  • Changing consumer expectations, particularly with regard to retirement
  • New legislation
  • New procurement policies (particularly from government departments)

Much of the data on the numbers of people with impairments is derived from clinically based studies, which tend to use diagnostic measures rather than functional ones. These tend to produce figures showing the numbers in the population with hearing loss exceeding particular values, or the extent of specific conditions, such as multiple sclerosis. While such results are important for clinical management and resource allocation, they do not provide reliable information on those who will have problems in using smart card services.

The user groups described here have been defined in terms of their functional ability, with specific emphasis on use of smart card systems. In the elderly population in particular, there may be a tendency towards hearing, vision and mobility impairments arising in parallel. Therefore, while the numbers are 'best estimates' for single groups of users, they should not be aggregated. The group sizes have been estimated conservatively and very much larger numbers would be obtained if lower levels of impairment were included. For example, over half of the population needs some form of optical correction, and about one sixth has a clinically significant level of hearing loss. The lower levels of impairment will not normally lead to difficulties in using smart card systems but can cause problems in adverse circumstances.

Since multiple impairments are prevalent, particularly among older people, the total percentage of the population estimated to have problems using smart card systems is not the sum of the individual percentages in the table.

User group with problems using smart card systems, with percentage of population:

  • Wheelchair user: 0.4
  • Cannot walk without aid: 5
  • Cannot use fingers: 0.1
  • Cannot use one arm: 0.1
  • Reduced strength: 2.8
  • Reduced coordination: 1.4
  • Speech impaired: 0.25
  • Language impaired: 0.6
  • Dyslexic: 1
  • Intellectually impaired: 3
  • Deaf: 0.1
  • Hard of hearing: 6
  • Blind: 0.4
  • Low vision: 1.5

In addition to the above groups there are groups for which it is difficult to obtain reliable statistics, such as people with allergies and people sensitive to electromagnetic radiation. Also there are many people who dislike or distrust technological systems.


3 Issuing cards

3.1 Identification

Identity fraud, where a person adopts a completely false identity, falsifies part of their identity (for example their age) or adopts the identity of another person, is estimated to cost the UK over a billion pounds each year, split equally between the public and private sectors.

There are three elements of a person's identity:

  • Things which you 'are', i.e. your biometric identity. These are attributes that are unique to an individual (e.g. fingerprints).
  • Things which are given to you, i.e. your attributed identity. These include full name, date and place of birth.
  • Things which happen to you during your life, i.e. your biographical identity. This includes educational qualifications, electoral register entries, and history of interaction with organisations such as banks.



3.2 Identifying the user at time of issue

The card issuer has the responsibility for ensuring that a card is issued to the legitimate user. For anonymous cards, like public transport pre-paid tickets, this may be just the receipt of the money. However in non-anonymous applications there needs to be some check that the person to whom the card is issued is the legitimate user and that the information supplied by the user is correct.

However the issuer should not ask, or demand, information that is not directly pertinent to ascertaining the legitimacy of the user. If the issuer wants extra information for marketing purposes, then it should be clear that providing this information is optional and does not affect the issuing of the card or the terms and conditions relating to the use of the card.

The identification process must support clearly defined levels of assurance in order to maintain interoperability between card schemes and services. These should be as follows:

Level 0 No checks made: No checks on the user's identity; used for anonymous services at the discretion of the service provider.
Level 1 Balance of Probabilities: Some form of verifiable ID (e.g. driving licence) and proof of address (e.g. utility bill).
Level 2 Substantial Assurance: As Level 1, but checks made against electoral register and possibly two forms of proof of address rather than one.
Level 3 Beyond Reasonable Doubt: Substantial checks made on ID provided, possibly even involving face to face identification.
Levels 4-8 Not specified at this time. For use in the future.

Clearly these identification rules will need to be centrally set and agreed. These will need to be clearly explained to the user as will the benefits of higher level identification.

Most importantly it must be left to the user's discretion as to what level of identification assurance they will give. However it must also be clearly explained what the consequences of their decision might be in relation to a given service such as health care or some special eGovernment services which will require high assurance. It must also be possible for a user to raise their level of identification assurance by providing an appropriate body with the extra identification proofs required and this should not normally require card re-issue.


3.3 Re-issuing cards

When a card is lost or stolen, the user requires a fast method of replacing the card. However the issuer needs to ensure that the applicant is the legitimate user. The problem is more complex with multi-application cards where the user has downloaded application modules to the card. In some cases there may be possibilities for crediting the user with the value of some or all the items on the lost card (e.g. in some public transport applications, the transport company has a record of the remaining credit on the card when it was last used).

The card management organisation should keep a record of the applications on a card, even if the user has downloaded extra applications. If the card is stolen, the user should be issued with a new card number.


3.4 Additional information

At the request of the user, extra information could be stored on the card. This information could be the preferred user interface, qualification for a discount (e.g. a registered disabled person may qualify for reduced fares on public transport), or some information which speeds up the process of accessing a particular service (e.g. connecting and logging onto a text relay service).

There are three types of additional data:

  • Data common to all applications
  • Application specific data
  • Dynamic data (eg card checked by a ticket inspector).

The cardholder needs to be provided with the ability to know what is stored on the card; this may involve going to a special terminal that might be in a public library. The cardholder may authorise some or all of this information to be passed to a service provider or a third party, but they should be given clear information so that they are fully aware of the recipients of this information and to what purposes it will be put.

Information should only be stored on the card with the consent of the user. The level of consent will include full use, anonymous use and no use. The user can withdraw their consent at any time. Refusal of consent should not be a reason to withhold any service unrelated to that data.

Qualification for a discount might require an authentication system; for instance a social services department might provide confirmation that a particular individual is registered disabled.

The user may want to store their name and address on the card, but they might want to authorise its access on each occasion. There may be other information that can only be accessed by certain approved types of user (e.g. only medical personnel could access medical insurance information). But for other information (e.g. library borrower number) the user may be happy for unrestricted access such as in a citizen account. In practice there may have to be restrictions on the amount of additional information stored because of the finite amount of spare memory on the card.

Typically the service provider wishes to provide personalisation of the service being offered, both at the portal, and at the application layers. This is often accomplished by maintaining detailed audit records of the user's activities, which are then data mined to drive a personalisation engine.

For example if the user often uses a certain library for books on, say, ethnic issues in society, then the library application may flag up when new books are available in that subject area. Amazon use this technique widely. Often this data is shared with other service providers (or collected centrally at the portal) for use in marketing and sales promotions. The data collected is seen as a business asset that can either be used to differentiate the service or be sold to third parties, often without the user's knowledge or consent.

The user may appreciate this service from a given provider, but may wish this information to be restricted to that provider and not shared with others. Alternatively the user may object to their habits being stored on any given system, or indeed, on any at all.

The key issue is that user permission should be explicitly obtained for the collection of such data where it is not required by statute. Even then it should be clearly explained that such data would be collected. In all cases who will have access, and what it will be used for, should be clearly explained and a non-repudiable record kept of the user's knowledge and consent.


4 Authentication

Authentication provides users with a secure way to prove their identity during a transaction. It can also prove the identity of the other participant (card reader and service provider) back to the user. However it is important that the level of authentication is appropriate to the application; users will get frustrated if they are required to provide information which they deem unnecessary.


4.1 Model for citizen authentication

In the diagram below the roles of the entities shown are as follows:

  • Certification Authority (Root): This entity owns the 'name space' of the PKI domain. For example a <country.gov> name space could contain all government-related services and users for a particular country and each such service or user would have a unique object identifier (UOID) within that name space. Thus a high level object 'police' could exist in many root name spaces, e.g. <police.countryA.gov> and <police.countryB.gov> etc.
  • Certification Authority (CA): An entity that is responsible for maintaining a portion of the root name space, e.g. <police.countryA.gov> and for issuing and validating certificates for that portion.
  • Registration Authority (RA): An entity trusted by one or more CAs to identify unique objects (e.g. services, users, etc), allocate a UOID and authorise the CA to issue appropriate certificate(s). In the model shown the RA is also trusted by the user to hold their identification data and only share such data with the user's explicit consent. The principle of user choice in selecting an RA which they, the user, trust is a key principle of this model and inherently requires there to be a fairly wide choice of RAs. Since the RA is then trusted by both the user and the CA, it is the keystone of the trust model.
  • User: The citizen entrusts identification data to the RA in accordance with the scheme rules for gaining an agreed level of identification for use in authentication and authorisation decisions that require a higher level of assurance than that provided by the device (card) on its own.

The interaction of service objects is not shown in the diagram in order to reduce complexity. In summary though, service objects interact at both CA level to check certificate validity and, less frequently, at RA level to validate identification data when authorised by the user.

[Diagram: the authentication levels]

Using this model, the following authentication levels can be supported:

Level 0 - Device
This is authentication at the card - terminal level; it identifies the card but only assumes the user. Normally used for high transaction rate, low security services such as access to transport, buildings, library services etc.

Level 1 - User
Level 0 plus a user supplied PIN. The user supplies a PIN, which is checked by the terminal against a PIN stored on the card in an encrypted format. This gives a level of assurance in the actual user identity. This level requires cryptographic processing. Acceptable for many applications which do not require access to the central portal.

Level 2 - User Verified
As level one but with a second PIN verification (note: this is the same PIN, not an additional second PIN) carried out by the central security database. This provides a check against the PIN on the card being altered. This is the default for applications accessed via the portal.

Level 3 - Enhanced User
As level two but with a second 'proof' - this could be something else the user knows (e.g. mother's maiden name), or biometrics. This level would require strong encryption and digital certification to prove both card and user via PKI.

Level 4 - Application
This is an undefined application specific level of authentication. Any application can require further 'proofs' from the user to check their identity. As per level three this could be communicated via a PKI infrastructure. This level would not be supported directly by the security platform except in so far as it is necessary to record data for audit and non-repudiation purposes. At this level it is entirely the responsibility of the Service Provider to set the level of identification they will accept.


4.2 Identification assurance level

Each level will, in addition, have an assurance level indicator. This will reflect the confidence the original Registration Authority (RA) had in the identity of the user. Note that each RA will have a maximum level that they are trusted to allocate by any given service provider, i.e. it is up to the service provider to decide how much they trust the issuing RA.

Level 0 No checks made
Level 1 Balance of Probabilities
Level 2 Substantial Assurance
Level 3 Beyond Reasonable Doubt
Level 4-8 Unspecified at this time


4.3 Authentication token

Each message from the user should carry an authentication token (data object), digitally signed by the card. The token should contain the following data:


4.4 Personal identification numbers and passwords

The usual method for authentication has been a four digit personal identification number (PIN). If the system is on-line, then the PIN is stored in the host computer. However for off-line transactions, the PIN has to be stored in an encrypted form on the card.

Many users have problems remembering more than one PIN, so are likely to keep a written record of their PINs (hopefully not written on the back of the card). An alternative is that the user changes all their PINs to be the same number, with the obvious risk that someone else finding out their PIN could then undertake fraudulent transactions with the other applications. It is technically possible to have a common set of authenticators (eg PIN, password, biometric) with the application choosing the level it needs to satisfy its requirements.

The PIN must not be displayed visually or audibly during the transaction. However it is useful to provide a visual (e.g. an 'X') and an audible indication that the user has entered a digit.

People with dyslexia often have problems in remembering a four digit PIN in the correct order, so are likely to prefer alternative biometric systems for authentication. Also some people with an intellectual impairment have problems in not telling other people their PIN.


4.5 Biometric identification systems

Biometrics permits the automatic identification of an individual based on his or her distinguishing physiological and/or behavioural characteristics. Biometric identification involves comparing with a database of templates to find out who you are, but biometric verification is where the template is compared to the one supplied with your claimed identity. Some biometric systems cannot do identification but can only verify the claimed identity of a person.

Biometric technologies include:

  • Facial imaging
  • Hand and finger geometry
  • Iris pattern
  • Dynamic signature
  • Voice
  • Vein geometry
  • Keystroke
  • Finger and palm imaging

For the user, it should be easy and comfortable to use the system. Many users would prefer methods which do not require physical contact between the individual and the device. Consumers need confidence that the system will reliably correctly identify them while not permitting other users access; no current biometric system achieves 100% success in both these aspects.

Depending on cultural background, some users will feel that some biometric systems are a threat to their privacy or unacceptable for some other reason. Therefore designers should be sensitive to these aspects, otherwise consumers could decline to use the services.

It is important that clear instructions are provided on how to use a biometric system. To establish consumer confidence, it may be necessary to provide human assistance for first time users.

Facial recognition can have an unacceptable level of either false positives or false negatives. It is technically best used to say "is this the same person" rather than "who is this person". Thus it is an appropriate technology when used with a secure token such as a smart card. From the user's perspective its non-intrusive nature is a major advantage, and users are likely to accept such a system if it can provide a decision quickly and is seen to be protecting their interests.

Fingerprint systems are good for the low number of false acceptances, but can be problematic for those with damaged fingers or with prosthetic hands. Some users will associate fingerprints with criminal investigations, so may be reluctant to use the system.

Iris recognition is a secure system, but the user has to position their eye in relation to a camera. This can give problems for users who are very tall, very short, or in a wheelchair. There are obvious problems for users who are blind or have a visual prosthesis. In addition some ethnic and religious groups may consider such a system unacceptable.

The biometric information can be stored in a central database or on the smart card. Users are likely to have more trust in biometric systems if they are not worried that the personal data on them stored in a central database could be misused.

Users should have the facility to choose an alternative verification system even if it is a PIN. However this choice may be subject to regulatory or legal requirements imposed on the service provider. The user should be advised if the alternative is less secure, but the decision to use an alternative system should be left to the user.


5 Authorisation

Authorisation is the process where the user is allowed to access a given service or data set. Effectively the user's current authentication level, time and place of authentication, etc. are checked against the business rules applicable to a given service.

For example health services may require the user to be located at a private workstation in a secure place such as a government building rather than at a kiosk in a public area. Banking services may require the user to be at an ATM and to have authenticated to a given level in the last, say, 2 minutes.

It is important to note that there are three possible responses to an authorisation request:

  1. Granted
  2. User may access this service but re-authentication is required
  3. Refused

Where access is denied the reasons for such denial or request for re-authentication should be clearly explained and help should be provided to advise the user on the actions they should take to remedy this situation.

For example:

[Figure: three computer screens, reading in turn:]

  • "unable to display the information requested at this time and at this terminal"
  • "move to a more secure terminal"
  • "or see the person at the desk for further information"
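
The authorisation check described in this section, combined with the per-RA trust limit from section 4.2, can be sketched as follows. This is an added example, not part of the original report; the terminal classes, RA names, rule thresholds and message wording are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class Decision(Enum):
    GRANTED = "granted"
    REAUTHENTICATE = "re-authentication required"
    REFUSED = "refused"


@dataclass(frozen=True)
class Session:
    auth_level: int        # section 4.1: 0 device, 1 user, 2 user verified, 3 enhanced
    assurance_level: int   # section 4.2 level recorded by the issuing RA
    issuing_ra: str        # Registration Authority that identified the user
    terminal: str          # hypothetical terminal class: "kiosk", "atm", ...
    auth_age_s: int        # seconds since the user last authenticated


@dataclass(frozen=True)
class ServiceRule:
    name: str
    min_auth_level: int
    min_assurance: int
    allowed_terminals: FrozenSet[str]
    max_auth_age_s: Optional[int]   # None means no freshness requirement
    ra_trust_cap: Dict[str, int]    # highest assurance accepted from each RA


def effective_assurance(session: Session, rule: ServiceRule) -> int:
    """Assurance the provider credits: the RA's level, capped by how far this
    provider trusts that RA. An RA the provider does not know counts as 0."""
    cap = rule.ra_trust_cap.get(session.issuing_ra, 0)
    return min(session.assurance_level, cap)


def authorise(session: Session, rule: ServiceRule) -> Tuple[Decision, str]:
    """Return one of the three responses and the explanation shown to the user."""
    # Conditions the user cannot remedy by authenticating again are refusals.
    if session.terminal not in rule.allowed_terminals:
        return (Decision.REFUSED,
                "Unable to display the information requested at this terminal. "
                "Move to a more secure terminal or see the person at the desk.")
    have = effective_assurance(session, rule)
    if have < rule.min_assurance:
        return (Decision.REFUSED,
                f"{rule.name} needs identification assurance level "
                f"{rule.min_assurance}; yours is accepted at level {have}. "
                "A registration authority can raise it with further proof.")
    # Conditions the user can remedy here lead to a re-authentication request.
    if session.auth_level < rule.min_auth_level:
        return (Decision.REAUTHENTICATE,
                f"{rule.name} needs authentication level {rule.min_auth_level}; "
                "please authenticate again at that level.")
    if rule.max_auth_age_s is not None and session.auth_age_s > rule.max_auth_age_s:
        return (Decision.REAUTHENTICATE,
                f"Your last authentication is too old for {rule.name}; "
                "please authenticate again.")
    return (Decision.GRANTED, "Access granted.")


# Constructed rules following the report's two examples: banking at an ATM
# with authentication in the last 2 minutes, health data only at a private
# workstation. The numeric thresholds and RA names are assumptions.
TRUST = {"council-ra": 3, "shop-ra": 1}
BANKING = ServiceRule("Banking", 1, 1, frozenset({"atm"}), 120, TRUST)
HEALTH = ServiceRule("Health records", 3, 2,
                     frozenset({"private-workstation"}), None, TRUST)

if __name__ == "__main__":
    samples = [
        (Session(1, 1, "council-ra", "atm", 30), BANKING),
        (Session(1, 1, "council-ra", "atm", 300), BANKING),
        (Session(3, 3, "council-ra", "kiosk", 10), HEALTH),
        (Session(3, 3, "shop-ra", "private-workstation", 10), HEALTH),
    ]
    for session, rule in samples:
        decision, message = authorise(session, rule)
        print(f"{rule.name}: {decision.value} - {message}")
```

Refusals are checked before re-authentication requests so that a user is never asked to re-enter a PIN at a terminal where the service would be refused anyway.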


6 Smart cards

A smart card is a card, the size of a conventional credit card, which incorporates an electronic chip. These cards can be:

  • Memory only for applications such as pre-payment telephone cards.
  • Memory plus a microprocessor for applications requiring more security such as credit and debit cards.
  • Proximity where the card has to be held within 20 cm of the reader - mainly used for public transport applications.
  • Vicinity where the card is between 10 cm and 2 metres of the reader.
  • Distant contactless where the card is more than 2 metres from the reading device - for instance in road charging applications.

[Figure: a smart card]

Smart cards are able to carry larger amounts of information than magnetic stripe cards. Smart cards provide the opportunity to make machines much more 'user friendly' than they have ever been before. For disabled and elderly people, a smart card can carry information that tells a terminal to:

  • allow the user more time. Many elderly people and those with a cognitive impairment do not like to be rushed or to think that they are likely to be 'timed out' by the machine, so it is necessary to allow for such people to use the terminal at their own pace
  • simplify the choices, such as issuing a pre-set amount of money
  • display larger characters for people with low vision
  • provide audio output of non-confidential information.

The coding of user requirements is specified in the European standard EN1332-4.

Embossing on cards
For blind persons, there is the problem of selecting the right card from their wallet. Cards could incorporate embossed symbols according to the draft standard prEN 1332-5.

Contactless smart cards
A contactless proximity card, working at a distance of up to 10 cm, will help those who have problems placing a card in a slot. This is of particular importance to wheelchair users, those with Parkinson's disease or arthritis, and people with a visual disability.

A vicinity card is one that operates in the range 10cm to 2 metres. The main applications are in public transport where a passenger could be logged both entering and leaving a vehicle. Vicinity cards offer the possibility of incorporating a number of facilities useful for disabled passengers; these vary from automatically requesting a wheelchair ramp to triggering audible announcements of the destination of a bus.

Card orientation
Blind persons, and many elderly persons, have problems in inserting the card in the correct orientation; this is a particular problem with cards which are not embossed. It is recommended that a 2 mm notch is incorporated in the trailing edge (according to EN 1332-2).

[Figure: the 2 mm notch in a smart card]


7 Terminals

Locating and accessing a terminal
In places such as shopping centres, car parks, railway and bus stations, locating an information terminal or cash machine can be difficult - particularly for people who are blind or have low vision.

There are many things that can be designed around a terminal to make it more accessible to disabled and elderly users. For example, a space beneath the facia of the terminal will allow for the footrest of a wheelchair. A notch adjacent to the facia would be useful for those needing to prop their walking sticks while using the terminal. It is also important to ensure that the pathways around a terminal are clear and uncluttered.

Where queuing is likely, consideration should be given to some non-obstructive method of queue control such as variation in colour of flooring or pavement. The system should maintain privacy and security for the user.

Location signs
For low vision users, signs showing where a terminal is should be large and high contrast (preferably white or yellow characters on a dark background) and illuminated (preferably internally illuminated).

Lighting
It is recommended that a background illumination of at least 50 lux be provided at floor level so that dropped objects can be easily located. The illumination on the interactive areas of the terminal should be at least 200 lux. The lighting should not cause any direct glare to the eyes of the users, or reflections from the screen.

Wheelchair users
Where possible, there should be a continuous clear accessible path of travel for a wheelchair from car parking places to the terminal.

Floor surface
The floor surface should be level in the direction parallel to the facia of the terminal. The gradient of any crossfall should not exceed 1 in 20.

Clear area
There should be a clear area of 1.5 metres radius directly in front of the terminal, which should not be obstructed by litter bins or other street furniture.

Audible location
If a blind person is not familiar with the environment it can be difficult to find a terminal. One possibility is to use a contactless smart card, carried by the blind person, to trigger an audible signal from the terminal at a distance of a few metres.

Swipe card readers
Because of the need to accurately control the way the card is swiped, elderly and disabled persons are likely to find these difficult to use.

External features, labels and instructions
When a person has located a terminal they need to know what type of machine it is, what it will do and how they can interact with it. The initial instructions are usually in the form of labels and signs applied to the surface of the terminal casing or as messages on the screen.

Positioning labels
Labels should be placed where they can be easily read. If labels are positioned near the keyboard it is important that the labels are not scuffed or worn away. If this is likely then the labels should be replaced periodically.

Braille instructions
On outdoor terminals, braille has limited value in cold weather since tactual sensitivity is dramatically reduced with decreasing temperature. The estimated number of braille readers in the UK is less than 0.03% of the population; so although useful for some blind users, braille is not a total solution for visually impaired users.

Legibility
Any instructions applied to the surface of the terminal should be written in simple and clear language. Type sizes as small as 10 point are not legible for many people. It is recommended that type size of at least 16 point (4 mm cap height) be used for labels.

Numbered instructions
It is useful to number instructions and then associate the physical parts of the interface with the numbers. The numbers can also be shown on the visual display.

Wheelchair users
For many wheelchair users, such as those with arthritis, it is not just a problem of reaching the card reader, but still having any useful grip as the arm is raised above the horizontal. This is particularly acute for swipe card readers.

Modern wheelchairs and buggies no longer come in a standard height, so many of the previous recommendations are of dubious validity.

This picture shows 3 wheelchair users with different reach and height dimensions. Wheelchair 1 has a reach of 30 cm and a maximum height of 1.3 metres. Wheelchair 2 has a reach of 45 cm and a maximum height of 1.2 metres. Wheelchair 3 has a reach of 60 cm and a maximum height of 1.1 metres.

This picture shows the difference in height of a wheelchair user and a person standing at a card reader.

Card entry
For the naïve user, it is often far from obvious where to insert the card. A flashing light around the card entry slot has been found beneficial. For those with hand tremor, it is useful if the entrance to the card reader acts as a funnel to guide the card in correctly.

This picture shows a smart card being inserted into a funnel shaped slot and flashing lights either side of the slot and a

Screens and interaction
On most terminals the visual instructions on the screen are the main guide for the user. There are a large number of factors that determine whether reading the screen will be difficult or easy for disabled or elderly persons.

People who wear bifocals find it difficult to read the screen of most public access terminals, since the screen may not be at a suitable distance for the near or far segments of their spectacles. In addition many people leave their spectacles in the car or do not wear them in public. So the number of people who have problems in reading the screen is much more than the 1.5% of the population considered to be blind or to have low vision.

Colour blindness
The most common forms of colour blindness are inherited and are associated with the inability to discriminate red and green wavelengths. Because these defects are inherited as recessive traits, the incidences are much higher in UK males (c. 8.0%), who possess a single X-chromosome, than in females (c. 0.5%), who possess two. Total colour blindness is rare.

Screen position
Sunlight can degrade the viewability of the display for all users. The screen should be shielded from direct or reflected sunlight or other bright light sources. The display should be viewable from the eye level of a person sitting in a wheelchair. People with low vision should not be prevented from getting their faces close to the screen.

This picture shows a wheelchair user and 3 different screen positions. Position 1 has a maximum height of 0.9 m and a screen position of 60 degrees to 90 degrees. Position 2 has a maximum height of 1.1 m and a screen position of 30 degrees to 60 degrees. Position 3 has a maximum height of 1.3 m and a screen position of 0 degrees to 30 degrees.

Parallax problems
The conflicting requirements of tall pedestrian users and short wheelchair users can lead to a significant group of users having parallax problems when lining up the function keys with the displayed option. Lines on the user-interface leading from the key to the surface of the display can alleviate this problem.

Other languages
Ideally users, including foreign visitors, should be able to choose the language; frequently this is only viable if the instructions are displayed on the screen or given audibly. It would be preferable if the user's card stored their preferred language so that the terminal automatically switches to this as soon as the card is inserted.

Wireless interface
Developments in infra-red and short-range radio interface links make it feasible for a disabled user to have a hand control unit with a remote link to the terminal. This would require all terminals to use the same interface protocol, and care would be needed to ensure confidentiality of sensitive information.

Operating Instructions
Few people are trained to use public terminals. It is therefore very important that the instructions for using the terminals are carefully designed, particularly for elderly and disabled users.

Concise and simple sentences
Sentences should be concise and simple in structure, and only natural vocabulary should be used. Informative messages which advise the user of the progress of the transaction and inform the user when or how to perform a step in the transaction, should be clear and to the point, and provide confirmation of task completion.

Messages
Message content should be chosen very carefully since a message that might be acceptable to the users for the first few times they hear it may become unacceptable when they hear it for the hundredth time.

Hearing aid users
If there is an inductive loop for hearing aid users, there should be a clear visual indication that this is the case. (NB not all hearing aids have facilities for loop connection).

This picture shows a card reader screen. The screen reads "Have you used this type of terminal before?" and shows yes and no boxes. The picture also shows a jack socket for a hearing aid and the induction loop icon.

Jack sockets
To help a visually disabled person locate a jack socket there should be a raised ridge around the socket. A funnel into the centre of the socket will also help guide the plug into the socket.

Audible instructions
On some terminals a 'beep' will sound when a key press has been registered. However, this does not help a visually disabled person know whether they have pressed the correct key; one solution is for coding on the user's card to request speech output of the key pressed for non-confidential information.

It is recommended that new equipment should provide guidance in the form of audible instructions. Audio guidance can assist people with visual or cognitive impairments, as well as first time users. For example an audible message could be "Your card has been inserted upside down. Please remove your card, turn it over and insert it again."

Speech output
Digitally stored speech can give very good audio quality, but it is effectively limited to pre-stored messages. Full vocabulary synthetic speech is often difficult to understand for naïve users, particularly if they have a hearing impairment. Many users with impaired hearing can only hear lower frequencies, so they can more easily hear a male voice than a female one.

Video links
Terminals can include a small television camera and microphone. Users can talk over a video link to a customer service assistant at a remote location. This human assistance can be very helpful to an elderly person having difficulty.

Privacy
If audio output is used to provide private information to the user, then it should be through a telephone handset located at the terminal or through a headset connected through a standard mini jack to the terminal; however, it is essential that the position of the jack socket is standardised. If a handset is provided, inductive coupling and amplification should also be incorporated. Non-confidential information can be output on a loudspeaker, but the volume should be a function of the ambient noise level.

Keypads

This picture shows a number keypad and 3 colour coded keys.

A standard layout for keypads is essential for blind people. There are currently two common layouts for numeric keys; the telephone layout and the calculator layout. It is recommended that the telephone layout be used exclusively on public access terminals. To help blind people, there should be a single raised dot on the number 5 key. This should be positioned so as not to reduce legibility.

Visual markings on the keys should be characters at least 4 mm high and should have good contrast with the colour of the key (eg. white characters on matt black keys). However if the keys have alphabetic characters as well as numeric characters (as on some telephones), then the size of the numerals is of paramount importance; the legibility of the alphabetic characters is better if the characters are widely spaced. There is a typeface designed specifically for labelling the tops of keys (see www.tiresias.org/fonts).

Colour coded keys should be:

Red: Cancel
Yellow: Clear or Correct
Green: Enter or Proceed

All keys or buttons should be tactually discernible.

The arrangement of keys
Function keys should be clearly separated from the numeric keys.

When command keys are vertically arranged, 'cancel' should be the uppermost key and 'enter' the lowest.

When the command keys are horizontally arranged, 'cancel' should be located the furthest left, 'enter' the furthest right.

It is better to position the command keys to the right of the numeric keys. They are then less likely to be inadvertently touched when entering numerals.

Where command keys are positioned beneath the numerical keys they may be a problem to visually disabled persons because they are likely to be pressed accidentally when entering numbers.

Command keys should be as large as possible so that the words on them can be larger and thus easier to read.

Shaped keys
Colour should not be the only distinguishing feature between keys, since red/green colour blindness is not uncommon; if possible, the keys should have different shapes and be marked with symbols. People with poor manual dexterity or a hand tremor benefit from key tops which are concave.

Illumination
Ideally keys should be internally illuminated when the terminal is waiting for input from that keypad.

Sound
Sound feedback in the form of sounds such as a 'beep' or 'click' when a key is pressed is helpful to many people.

Tactile feedback
Tactile indication can be provided by a gradual increase in the force, followed by a sharp decrease in the force required to actuate the key, and a subsequent increase in force beyond this point for cushioning.

More time
Many elderly people and those with a cognitive impairment do not like to be rushed or to think that they are likely to be 'timed out' by the machine, so it is necessary to allow for such people to use the terminal at their own pace; this requirement could be stored on the user's card.

Speech input
Speech input for commands is an option in some situations. If this is adopted then the user should have the choice of keyboard or speech input. It is likely that speech input would be preferred by people without hands and those with intellectual impairments, but the keyboard is easier for those with a speech impediment.

PIN input
Personal identification numbers (PINs) are a particular problem for many dyslexic and intellectually impaired people. In Europe it is estimated that over 25 million people have dyslexia to the extent that they cannot reliably remember and use a four digit PIN, unless they can choose their own number. The main problem for people with an intellectual impairment is to keep the number secret. Therefore both groups would find it advantageous to have the option of using a biometric method for identification (eg. fingerprint).

The user's PIN should not be displayed, printed or broadcast by any means. However it would be useful to have both an audible feedback and a visual one (eg. an X or a tick on the screen) to show that a digit has been input. Many people with even slight memory problems find it difficult to remember and input their PIN quickly, so it would be helpful to allow a generous amount of time before they are timed out.
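The output rules from the Audible instructions, Privacy, More time and PIN input paragraphs above can be written out as terminal logic. This is an added example, not code from the report; the preference field names, the volume mapping and the timeout factor are assumptions.

```python
"""Added example: output routing for a public terminal (hypothetical model)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Sensitivity(Enum):
    PUBLIC = "public"        # non-confidential prompts and non-PIN key echoes
    PRIVATE = "private"      # information private to the cardholder
    PIN_DIGIT = "pin_digit"  # a key pressed during PIN entry


@dataclass(frozen=True)
class CardPrefs:
    """Interface preferences read from the card (hypothetical field names)."""
    speech_output: bool = False
    extra_time: bool = False


@dataclass(frozen=True)
class TerminalState:
    private_audio_connected: bool  # handset lifted or headset plugged in
    ambient_db: float              # measured ambient noise level


@dataclass(frozen=True)
class Output:
    screen: Optional[str] = None
    loudspeaker: Optional[str] = None
    private_audio: Optional[str] = None
    speaker_volume: Optional[int] = None  # percent, set only with loudspeaker


KEY_TONE = "<beep>"  # constructed marker for a non-speech tone
PIN_MASK = "X"       # visual acknowledgement that a digit was accepted


def speaker_volume(ambient_db: float) -> int:
    """Loudspeaker volume as a function of ambient noise.

    The linear 40-80 dB -> 30-100 % mapping is an assumption.
    """
    pct = 30.0 + (ambient_db - 40.0) * 70.0 / 40.0
    return int(round(max(30.0, min(100.0, pct))))


def route(text: str, sensitivity: Sensitivity,
          prefs: CardPrefs, state: TerminalState) -> Output:
    """Decide which channels may carry `text`."""
    if sensitivity is Sensitivity.PIN_DIGIT:
        # The digit itself is dropped here: it is never displayed or spoken,
        # whatever the card requests. Only a mask and a tone acknowledge it.
        return Output(screen=PIN_MASK, loudspeaker=KEY_TONE,
                      speaker_volume=speaker_volume(state.ambient_db))
    if not prefs.speech_output:
        return Output(screen=text)
    if state.private_audio_connected:
        # Handset or headset in use: all speech goes there.
        return Output(screen=text, private_audio=text)
    if sensitivity is Sensitivity.PRIVATE:
        # No private channel available: stay silent rather than broadcast.
        return Output(screen=text)
    return Output(screen=text, loudspeaker=text,
                  speaker_volume=speaker_volume(state.ambient_db))


def pin_entry_feedback(digits: str, prefs: CardPrefs,
                       state: TerminalState) -> List[Output]:
    """Feedback events produced while a PIN is keyed in, one per digit."""
    return [route(d, Sensitivity.PIN_DIGIT, prefs, state) for d in digits]


def input_timeout(base_seconds: int, prefs: CardPrefs) -> int:
    """Per-user timeout; doubling for extra_time is an assumed factor."""
    return base_seconds * 2 if prefs.extra_time else base_seconds


if __name__ == "__main__":
    prefs = CardPrefs(speech_output=True, extra_time=True)
    street = TerminalState(private_audio_connected=False, ambient_db=60.0)
    print(route("Balance: 120.50", Sensitivity.PRIVATE, prefs, street))
    print(pin_entry_feedback("4921", prefs, street))  # constructed PIN
    print(input_timeout(30, prefs))
```

Extending the timeout per card rather than for every user follows the report's point that increasing the time for everybody increases the security risk.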

Passwords
Passwords are easier to remember than PINs so tend to be more secure. Alphanumeric passwords can be input from a numeric keypad but this requires good manual dexterity (as demonstrated by many teenagers sending text messages on their mobile phones). However many elderly people would have the greatest difficulty if restricted to using a numeric keypad, so it would be preferable to provide an alphanumeric keypad (an actual keyboard is easier for the uninitiated than a virtual keypad on a touch screen) if space permits.

Touchscreens
It is possible to increase the size of the characters on the screen for individual customers who require this facility. This can be done by selecting this option from a menu or, preferably, by storing this information on the customer's card. With touchscreen systems, it could be arranged that holding one's finger in the bottom right corner for at least two seconds indicates that one would like larger characters on the screen. Large characters will be difficult to implement on small screens.

To help elderly people and those with hand tremors, key fields should be as large as possible and separated by a 'dead area'. There should be high contrast between touch areas, text and background colour.

Graphical symbols, such as icons, should be accompanied by text.

For blind users, it is possible to arrange that holding one's finger in a specified corner of the screen for at least two seconds or tapping twice in the corner, initiates speech output. Another method would be to store this requirement on the user's card.

Touchscreens can either be triggered by insertion or withdrawal of the fingertip. With the latter system, it is technically possible for the user to pass their fingertip over the screen and get speech output describing the active area they are touching at the time. Then the system is only triggered by withdrawing the fingertip from over an active area.

Privacy
Information, which is sensitive and private to the cardholder, should not be visible to any other person; screen filters improve privacy but often at the expense of visual quality. However, the user may wish to display information with large character size, but they should be made aware of the privacy problem.

Retrieving money, cards and receipts
Retrieving items from a terminal can be very difficult for people with poor manual dexterity and persons with low vision. Often more time is needed, and retrieval points need to be clearly indicated and within reach for wheelchair users.

This picture shows a receipt and money retrieval point.

Security
Security at cash dispensers is a major concern for many elderly people, and is often given as a reason for not using such terminals. Therefore anything which improves the user's perception of safety is to be welcomed (eg. better illumination in the vicinity).

Money retrieval
Cash, receipt, or any other document issued from the terminal for withdrawal by the user should protrude at least 3 cm beyond the slot surround.

Persons with poor manual dexterity often find taking a card from a terminal and then taking the money difficult to do in the allowed time. Increasing the time for everybody increases the security risk. However it would be possible to let users decide if they want more time than the norm and store this requirement on their card.

Card retrieval
Many people with arthritis have difficulty in gripping and pulling the card from the reader, particularly when the arm is extended above the horizontal. The card should protrude at least 2 cm from the slot surround. It is recommended that the force necessary for the user to retrieve the card from the terminal should not be any greater than that needed to stop the card from falling out of the reader.


8 Recommendations

  1. The consumer must be able to choose the level of identification they provide, in the knowledge of what limitations this will impose on the services they will be able to access.
  2. The card holder should be able to operate in a pseudo-anonymous mode where they are authenticated to a high level but personal information is not divulged without their consent or after due legal process.
  3. The cardholder should know what information about him or her is stored on the card and should be able to decide who else has access to this information.
  4. Refusal of consent should not be a reason to withhold any service unrelated to that data.
  5. >
  6. At the request of the user, extra information could be stored on the card. This information could include the user's preferred interface.
  7. The authentication system must be of a level appropriate for the application.
  8. Consumers often have problems in remembering more than one PIN. Passwords are easier to remember than PINs, but are not appropriate for all applications.
  9. There is no perfect biometric system of identification. Facial imaging has high consumer acceptance, but requires significant processing by the card acceptance device.
  10. The user should have the facility to choose an alternative to a biometric identification system; this is particularly important for disabled users.
  11. There should be a consistent user interface for all applications.
  12. When communicating with consumers, consistent non-technical terminology should be used, otherwise consumers will be confused.

9 Standards

Standards Australia
GPO Box 5420, Sydney, New South Wales 2000, Australia.
Tel: +61 2 8206 6010; Fax: +61 8206 6020; Email: sales@standards.com.au

  • AS 3769 (1990) Automatic teller machines: User access.
  • AS 1428.1: 1992, Design of Access and Mobility - Part 1, General Requirements for Access - Buildings, Australian Standards.
  • AS 1428.2: 1992, Design of Access and Mobility - Part 2, Enhanced and additional requirements - buildings and facilities.
  • AS 1428-4: 1992, Design of Access and Mobility - Part 3, Requirements for children and adolescents with physical disabilities.
  • AS 1428-4: 1992, Design of Access and Mobility - Part 4, Tactile ground surface indicators for the orientation of people with vision impairment.

Comité Européen de Normalisation
Avenue Marnix 17, B-1000 Brussels, Belgium.
Tel: + 32 2 550 08 11; Fax: + 32 2 550 08 19; Email: infodesk@cenorm.be

  • EN 726 Requirements for IC cards and terminals for telecommunications use.
  • EN 1332 Machine readable cards, related device interfaces and operations.
    Part 1 Design principles and symbols for the user interface.
    Part 2 Dimension and location of tactile identifier for ID-1 cards.
    Part 3 Keypads.
    Part 4 Coding of user requirements for people with special needs.
  • EN 29241
    Part 4 Keyboard requirements.
    Part 11 Usability statements.
  • Guide 6 (2002) Guidelines for standards developers to address the needs of older persons and persons with disabilities. Equivalent to ISO/IEC Guide 71.

Canadian Standards Association
5060 Spectrum Way, Mississauga, Ontario L4W 5N6, Canada.

  • B65.1.1-01 (2001) Barrier-free design for automated banking machines
  • B480-02 (2002) Customer service standard for people with disabilities (Developed in partnership with the Government of Ontario)

European Telecommunications Standards Institute
650 Route des Lucioles, F-06921 Sophia Antipolis Cedex, France.
Tel: +33 4 92 94 42 00; Fax: +33 4 93 65 47 16.

  • ETR 029 Access to telecommunications for people with special needs: Recommendations for improving and adapting telecommunication terminals and services for people with impairments.
  • TCR-TR 023 (1994) Assignment of alphabetic letters to digits on push button dialling keypads.
  • ETR 160 (1995) Human factors aspects of multimedia telecommunications.
  • DTR/HF 02003 (1996) The implication of human ageing for the design of telephone terminals.
  • DEG HF 00031 Human factors guidelines for ICT products and services: Design for all.
  • TR 102 068 (2002) Requirements for Assistive Technology Devices in ICT.
  • EG 202 048 (2002) Guidelines on the Multimodality of Icons, Symbols and Pictograms.
  • EG 202 116 (2002) Guidelines for ICT Products and Services: Design for All.

International Electrotechnical Commission
3 rue de Varembé, CH-1211 Geneva 20, Switzerland.
Tel: +41 22 73 40 150; Fax: +41 22 73 33 843

  • IEC 73 Colours of pushbuttons and their meanings.

International Organisation for Standardisation
1 rue de Varembé, Case postale 56, CH-1211 Geneva 20, Switzerland.
Tel: +41 22 749 0111; Fax: +41 22 733 3430

  • ISO 7000 (1989) Graphical symbols for use on equipment.
  • ISO 7001 (1991) Public information symbols.
  • ISO 7176-5 Wheelchairs - Part 5: Determination of overall dimensions, mass and turning space.
  • ISO 7816 Identification cards: Integrated circuit cards with contacts. Part 6 includes provision for storing language preferences.
  • ISO/TR 9527 (1994) Building construction - needs of disabled people in buildings - design guidelines.
  • ISO/IEC 9995 Information technology: Keyboard layouts for text and office systems.
  • ISO/CD 11550 Technical aids for blind and visually impaired persons: Tactile ground surface indicators.
  • ISO/IEC 11581 User symbol interfaces and symbols: Icon symbols and functions.
  • ISO 13407 (1999) Human-centred design processes for interactive systems.
  • ISO/IEC Guide 71 Guidelines for standards developers to address the needs of older persons and persons with disabilities.

International Telecommunications Union
Place des Nations, CH-1211 Geneva 20, Switzerland.
Tel +41 22 730 5111; Fax +41 22 733 7256

  • E134 Human factors aspects of public terminals: Generic operating procedures.
  • E135 Human factors aspects of public telecommunications terminals for people with disabilities.
  • E161 Arrangements of figures, letters and symbols on telephones.

Japanese Industrial Standards Committee
1-3-1 Kasumigaseki, Chiyoda-ku, Tokyo 100-8901, Japan.

  • JIS S 0012:2000 Guidelines for all people including elderly and people with disabilities - Usability of consumer products.
  • JIS S 0021:2000 Guidelines for all people including elderly and people with disabilities - Packaging and receptacles.
  • JIS S 6310:1996 Prepaid cards - General specification.

National Committee for Information Technology Standards
1250 Eye Street NW, Suite 200, Washington DC 20005, USA.
Tel: +1 202 737 8888; Fax: +1 202 638 4922; Email: ncits@itic.org

  • Alternative Interface Access Protocol

Norges Standardiserings Forbund
Drammensveien 145A, PO Box 432, Skøyen, NO-0213 Oslo, Norway.
Tel: +47 22 04 92 30; Fax: +47 22 04 92 12

  • NS 3937: 1981 Functional measurements for use of wheelchairs.

10 Further information

Guidelines for Designers of Public Access Terminals.
www.tiresias.org/pats/index.htm

Automatic Service Machines - In Our Way.
http://www.hi.se/templates/Page____832.aspx

ITM accessibility checklist from US Department of Justice.
www.usdoj.gov/crt/508/archive/olditm.html

Section 508 guidelines on self-contained closed products.
www.section508.gov/index.cfm?FuseAction=Content&ID=12

Trace EZ Access.
trace.wisc.edu/world/ez/

United Nations Accessibility for the Disabled.
www.un.org/esa/socdev/enable/designm/AD5-02.htm

Irish Accessibility Guidelines for Public Access Terminals.
accessit.nda.ie/technologyindex_2.html

Developments in Smart Card Systems User Requirements for Cardholder Identification, Authentication and Digital Signatures.
www.tiresias.org/reports/user_requirementsv2-2.htm

Selecting Cards by Touch.
www.tiresias.org/reports/tdiff.htm

The Use of Electronic Purses by Disabled People: What are the Needs?
www.tiresias.org/epurse/index.htm

Making Cash Dispensers Easier to Use.
www.tiresias.org/reports/mcdeu.htm

Tactile Identifier.
www.tiresias.org/reports/hdti9.htm

Smart Cards in Australia: The Impact of Smart Cards on People with Disabilities.
www.softspeak.com.au/screp10.txt

EN 1332-4 Coding of User Requirements for People with Special Needs.
www.tiresias.org/reports/en1332_4.htm

Raised Tactile Symbols for Differentiation of Application on ID-1 Cards.
www.tiresias.org/reports/diff.htm

Smart Card Systems: Interoperable Citizen Services: User Related Information CWA 13987-1: 2002.
www.uninfo.polito.it/WS_URI/default.htm


11 Glossary

For the purpose of this report, the following definitions are used:
Advanced electronic signature: An electronic signature which is uniquely linked to the signatory, is capable of identifying the signatory, is created using means that the signatory can maintain under his sole control, and is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

Anonymous usage: The citizen has not provided any identification information which can be assured to an acceptable level.

Application: A service which can be used by a cardholder and/or his card proxy with a smart card.

Authentication: Provides users with a secure way to prove their identity, to a known level of assurance, during a transaction. It can also prove the identity of the other participant (card reader and service provider) back to the user.

Authorisation: Permission to carry out a specific task, transaction, or application access at a given time via a given access route (e.g. at 11.45pm from a bus stop via a public kiosk).

Biometrics: A means of identifying the user by their physical characteristics rather than the card. This forms the third part of the "something you hold, something you know, and something about you" authentication paradigm.

Card: A physical object carried by the user that can carry authentication and application data and applications (this may be credit card sized, a mobile phone sim or u-sim, a token or pendant, or even sub-dermally embedded). This forms the first part of the "something you hold, something you know, and something about you" authentication paradigm.

Card holder: A person who can be regarded as the rightful user of a smart card.

Card issuer: The party that issues the card to the card holder or has it issued, and that is responsible for the card management activities during the entire life cycle of the card.

Card provider: The party that on behalf of the card issuer issues the card to the card holder or has it issued.

Certification authority: An authority trusted by one or more users to create and assign certificates. Optionally the certification authority may create the users' keys.

Encryption: A means of protecting the confidentiality of information by using a shared secret to convert the information into apparently meaningless data that is difficult to decipher.

Identification: The process by which a potential card user's identity is established in order for the card issuer to issue a card with a defined level of assurance for authentication purposes.

PIN (or password): A shared secret known by both the card holder and the service provider, often a four digit number but can be a longer alphanumeric sequence where the terminal supports this capability. This forms the second part of the "something you hold, something you know, and something about you" authentication paradigm.

Public key infrastructure: A trust based system where sets of Private and Public keys are used to authenticate, digitally sign and encrypt data as necessary. This is a centrally managed system involving a 'trusted third party' rather than a 'peer to peer' system and thus enables secure communication between parties who have never met or exchanged mutual secrets.

Pseudo-anonymous usage: The ability to act in an anonymous manner but with the user's identity assured to a given level by a trusted third party. The service provider allows access based upon the trust model and does not, and cannot, know the user's personal information without their consent or after due legal process.

Qualified certificate: A certificate which is provided by an approved certification service provider.

Registration authority: An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates.

Third party: Any other party than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.


12 Abbreviations and acronyms

CA Certification Authority
CEN European Committee for Standardisation
CVM Cardholder Verification Method
eGIF e-Government Interoperability Framework (UK)
GIF Global Interoperability Framework (European, eESC)
ISO International Organisation for Standardisation
PIN Personal Identification Number
PKI Public Key Infrastructure
POS Point of Sale
RA Registration Authority

Acknowledgement
The author is grateful for the help of the late Phil Perry in compiling this report.

 

 


