Convergence Q&A: The Facility Code Vulnerability

July 17, 2013
Be sure to close this potential loophole in your access control

Many long-time physical security practitioners understand the two purposes of “Facility Codes” in a card access control system; however, the user manuals and help files of systems that support this feature rarely highlight the risks that can be involved in enabling this feature.

Q: I just discovered that card access to our building’s data center is being granted to anyone holding a company access card, even though only four people have been assigned access to it. In troubleshooting I discovered that the reader status is “offline.” Why is anyone being granted access at all if the card reader is not even communicating to its controller?

A: The card reader has “Facility Code mode” enabled, which is a feature whereby the reader will grant access to any card containing a Facility Code that’s listed in the reader.

“Facility Code mode” is an optional card reader mode that engages when a reader goes offline. One purpose of this mode is to prevent having to prop doors open and revert to manual inspection of access cards to screen entering personnel if a card reader loses its connection to its controller. Facility Codes are programmed into readers at the factory mode or by the customer’s access control system. They allow an offline reader to read and validate the Facility Code portion of a card’s encoded data, to identify a valid company access card and grant access, even though the reader cannot validate all of the card’s encoded data. For example, during peak access hours, an offline reader at an employee entrance can grant access to any valid company card, even though it cannot validate individual cards against their assigned access privileges.

The question above turned out to be a case where Facility Code mode was enabled for the facility’s data center, to ensure that emergency access to the room could be obtained even if the card reader went offline. However, at some point in time, the IT department stopped monitoring access on a real-time basis, and began reviewing access history quarterly. Thus the “offline-reader” alarm message was not seen for more than two months, during which time access to the room was available to any cardholder!

What is a Facility Code?

A Facility Code is a number encoded on access cards that is intended to represent a specific protected facility or building. Not all card formats support a Facility Code, but the most common card data format in use today does support it — the industry’s original open (i.e. non-proprietary) 26-bit format. The 26-bit format has two data fields: a Facility Code (8 bits) and a Card Number (16 bits), plus two parity bits; thus, the Facility Code number can be a number be between 0 and 255, and the Card Number can be between 0 and 65,535.

With only 65,535 card numbers available across the cards of all customers using the 26-bit card data format, duplicate card numbers are inevitable; therefore, the first purpose of the Facility Code was to enable customers in close proximity to each other to differentiate their set of cards from another customer’s cards. Ideally, each manufacturer would try to manage the facility numbers it issued to various customers in a specific area to minimize the occurrence of duplicates. A card with a Facility Code not matching those used by that specific customer would be denied access, typically generating “Access Denied – Wrong Facility Code” messages.

Closing the Vulnerability

One reason that many organizations have switched to smart cards, or to cards with a much larger card data format, is to reduce or eliminate the likelihood of outsiders having duplicate cards. Enabling Facility Code mode for selected readers constitutes a security vulnerability, so it is important to monitor reader online status in real time, with offline status notifications going to appropriate personnel. If a reader’s Facility Code mode is enabled for a door where logged card access control is mandated by regulatory requirements, card readers that can buffer offline transactions are required so that access granted by an offline reader can be logged.

It is important to understand what card format your organization uses and determine whether Facility Code mode is enabled for any readers. If a review of access transactions shows that access has been granted or denied to someone who claims not to have presented a card at that time, realize that the transaction may be from an outsider’s card with duplicate card data. Disable access for that card (but continue tracking its use) and reissue a new card in its place.

Write to Ray about this column at [email protected]. Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For more information about Ray Bernard and RBCS go to or call 949-831-6788. Follow him on Twitter: @RayBernardRBCS. Mr. Bernard is also a member of the Content Expert Faculty of the Security Executive Council ( 

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (, a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (

Follow him on LinkedIn:

Follow him on Twitter: @RayBernardRBCS.