Common Questions about Card Readers
This KB article covers common questions (and FAQ) about card readers and their use with PaperCut for photocopier access control and secure print release.
PaperCut supports various card readers in a number of areas such as controlling access to photocopiers, providing a quick method of authenticating to a stand alone release station and also being used with the PaperCut Fast Release product.
Card readers can be used with PaperCut in a variety of ways. The following sections explain the different ways card readers can be used and how card reader support is affected.
- MFDs/MFPs and terminals for authentication:
When performing copying, scanning or faxing at an MFD with PaperCut, users typically first authenticate by username and password, entering their id number, or presenting their card (authentication support between platforms differs so not all of these options may be available).
A variety of card reader brands and card technologies may be supported. Common card reader brands include RFIDeas and Elatec. Common card reader technologies include magnetic stripe (AKA magstripe, swipe card, magswipe), MIFARE, HID iCLASS, HID Prox, Indala and barcode.
The types of card reader supported depend on the copier/MFD platform. In general, card readers supporting the USB HID specification (e.g. devices that “emulate” a keyboard) are supported on most platforms. PaperCut resellers possess a detailed matrix of copier brands and their supported card readers, so contact your PaperCut reseller if you need further information about a particular platform, card reader brand or card technology.
- PaperCut print release stations for authentication and/or payment
Users can authenticate to a PaperCut print release station using username and password, entering their id number, or if configured, presenting a card. Card authentication provides the convenience of less typing.
Any keyboard emulating card reader is supported here.
- Workstations for Web Cashier operators to look up users
PaperCut Web Cashier is a system for charging for arbitrary disbursements (e.g. binding in a print room) and/or entering cash payments. When selecting a user to charge/credit, the operator may use a username or a card/id number. Using a card reader here allows the operator to identify a user without having to type in the number, e.g. by asking the user to present their card for identification.
Any keyboard emulating card reader is supported here.
- Workstations for administrators to look up users
In PaperCut’s web-based administrator interface (check out the demo at demo.papercut.com) administrators may search for a user by username or card/id number. Administrators may find it helpful to have a card reader attached to quickly find the matching user, e.g. if they are in the process of distributing cards or testing a particular user account that they have the card for.
Any keyboard emulating card reader is supported here.
- Other 3rd party devices for authentication and/or payment
Other 3rd party devices such as payment kiosks commonly support card readers. Consult the hardware supplier for more information.
Card self-association allows a user to associate their card with their account without needing any administrator assistance. If the admin enables this feature for the MFP device in “Authentication Methods”→”Swipe Card”, then when a user presents a new card for the first time, they will be taken to a screen for entering their username and password. If the username and password are entered correctly, then the card is linked with their account. On subsequent card swipes, the user will be logged straight in as their card is now associated.
Please do not confuse card self-association with user self registration, documented under the “Scenario Two: Automated guest management (self-registration)” section of Internal users (users managed by PaperCut NG/MF). User self registration is a less popular feature used in selected scenarios such as large universities offering public access to printing services in a library.
Simple card number conversion, such as from hexadecimal to decimal, can be implemented quickly using a number of methods:
- Hardware - reprogramming your card reader
- Software - Using one of the in-built filters in PaperCut such as
You’ll find more information about this in the FAQ question about changing card number formats below, and also in the manuals for the PaperCut embedded solutions. Reach out to your reseller or PaperCut Authorized Solution Center (ASC).
Fast Release is a short cut method to release the jobs held in a hold/release queue using commodity off-the-shelf card reader hardware (secure print release). The solution does not rely on embedded software and hence will work with any printer type. Specifically the solution works as follows:
- The administrator places a networked card reader next to the printer. The card reader in PaperCut (identified by an IP address) is linked with a queue.
- A user prints to the queue. The job will not print immediately and will be held.
- The user walks up to the printer and presents their card at the reader.
- The card number is sent to the PaperCut server and the user identified.
- Any jobs in the queue for the adjacent printer (which belong to this user) will automatically start printing.
Some general information about secure print release can be found in the product tour.
A common alternative to Fast Release is Mobile Print Release. This option provides an alternative to card readers and allows your users to release held print jobs via their mobile smart phone.
Yes. The same reader types used on most embedded solutions can also be used for Fast Release. This ensures the maximum level of card compatibility. The two popular readers are Elatec and RFIDeas. The standard USB Elatec reader can be turned into an Ethernet/IP networked reader with a simple TCP Converter Box. In some cases special firmware needs to be loaded onto the reader to support Fast Release. For example, the specially written scripts for the Elatec reader allow the PaperCut server to send different audible tones and lights on different conditions (e.g. no jobs, unknown card).
As well as card readers the Elatec TCP converter can also be used with USB keyboards. This can be useful when customers wish to enter in a number to release jobs. Please note not all USB keyboards/Number pads work so please contact support for models we have tested.
All PaperCut Authorized Solution Centers are able to advise on appropriate technology for a given situation/setup.
PaperCut offers a variety of ways to get card numbers into the PaperCut database, including:
- By automatically importing the number from a field in Active Directory or LDAP.
- By configuring PaperCut to perform a lookup on an external database system (e.g. a security card system).
- By importing the numbers from a text file.
- Users can self-associate their card by swiping and entering their username/password on supported MFD and other hardware.
- Using the server-command or web service APIs.
- By manually entering the card number in the user details page.
The common methods are 1 and 2 as these are the simplest to implement and the most automated. If you’re using Microsoft Active Directory, a common selection is to re-use the pager number field (not many people have pagers these days so it’s a good choice for a card number store!).
For more information see: Importing card numbers KB
Normally customers obtain card readers at the same time as they make arrangements to install devices from their hardware supplier. Please note that the card reader hardware required can depend on the multi-function devices being used, as some manufacturers only support their own proprietary card solutions.
Specific information about which card readers work is given in the embedded manual for each of our supported solutions, and your PaperCut MF reseller can usually assist with obtaining any necessary hardware. If you are a PaperCut reseller you should contact your PaperCut Authorised Solution Centre or your local supplier (e.g. local RFIDeas or Elatec supplier).
It is down to the reader what information PaperCut reads from a card. Typically a magnetic stripe reader will read data from 1 of 3 tracks on the magnetic stripe. Some “multi” track magstripe readers can be configured to read data from a specific track if needed. This is configured via a downloaded configuration utility.
Typically a prox reader will read a unique serial number from a card. This is generally what an organisation would want; in reality a PaperCut admin would not mind what number was read as long as it was unique for each user. If you wish to read a different sector from a proximity card, this is possible assuming you have a “playback reader”. These look and cost much the same as normal card readers, but the firmware on the device acts differently. Playback readers can be programmed using a configuration utility to read certain sectors from a card. Reading other sectors requires you to know an encryption key, as most sectors would be encrypted by whoever created the card (the door access supplier, for example). The configuration utility needs to have an encryption key entered into it so it can read from that sector. Most cards are protected by two keys, A and B. Key A allows a user to read the sector and key B allows you to read and write to the sector. Key A is all you would need in most cases. It is not often that anyone needs to change the sector to read from as part of a PaperCut install.
The simplest method is to directly attach a card reader to the device with double-sided tape or 5 minute epoxy resin. However, in educational environments a more permanent, tamper-proof approach is called for, and many devices provide a cavity for this purpose. Alternatively a card reader may be mounted within the MFD itself. A common internal mounting option is to attach the reader with double-sided tape inside the scanner feeder hopper on the copier’s lift lid (note: some minor disassembly will be required if mounting inside the feeder, and PaperCut recommends that this only be performed by a certified copier technician or a PaperCut certified ASC). If mounting internally, where space is at a premium, it may be necessary to remove the card reader’s protective case. Be sure to mount the reader behind a prominent flat surface.
“Swipe Here” stickers marking the card reader’s location can be obtained from our Marketing Resources page.
A keyboard emulating USB card reader is a card reader that acts just like a keyboard by “typing” the card number each time a card is swiped. Keyboard emulation can be easily tested. To do this, plug in the card reader, open a text editor application (like Notepad or Word) and then swipe the card. If the card number appears in the text editor as if it was typed, this card reader is said to be “keyboard emulating”.
Keyboard emulation depends on driver support, although the majority of card readers available support the USB HID specification and do not require any additional drivers or software to enable keyboard emulation (the drivers are typically bundled with the operating system).
Some card readers require specific drivers to enable keyboard emulation.
A small number of card readers do not support keyboard emulation at all (software wanting to support these card readers must build in support for their specific driver). Where possible PaperCut’s embedded solutions aim to support a wide array of readers. Internally PaperCut’s embedded software includes a number of ‘drivers’ and will auto-detect as appropriate.
Card readers are configured to expect cards to be formatted in a certain way. Sometimes you may be in a position where a card reader is expecting a format that is different to the format your cards are written in. If you’re only using card readers for self-association then there may not be a need to change any configuration, as long as each card produces a unique number. However, if you have existing user records with card numbers and want those to match the card reader output, then you will need to ensure all of your card readers are working as expected.
If you find that your card readers are not reading the correct number then you need to reconfigure either PaperCut or the card reader hardware. Hardware configuration is ideal if you only have a small number of devices to update (see option 1). The process is different for each card reader manufacturer, and you will need physical access to the device as well as the configuration software that the manufacturer provides. Alternatively, if you have many devices then it may be quicker to configure the card number format conversion in “software”, that is, in PaperCut itself.
- Option 1: Hardware (Re-program the card reader)
Most card readers have the ability to be reconfigured to read in different formats. Refer to the utilities and manuals provided by your card reader manufacturer.
- Option 2: Software (Regex settings inside PaperCut)
If you just want to use a subsection of the card number as an identifier, you can use regular expressions to define which part of the card number is the identifier. This can be done in the advanced configuration page, either globally or for the specific device you wish to configure. Set the ext-device.card-no-regex key to the regular expression you need.
Example: You have a batch of cards that start with the same value, with only the last 4 digits being the unique identifier, e.g.
1234-5677-9992
An appropriate regex would be:
\d*-\d*-(\d*)
Resellers will find more information in the embedded manual chapter titled “Configuring Swipe Card Readers”.
- Option 3: Software (filter/converter settings inside PaperCut)
946EBD28), but your records are kept in decimal (2490285352). Activating the hex2dec converter would make PaperCut do the conversion from hexadecimal to decimal.
Resellers will find more information in the embedded manual chapter titled “Configuring Swipe Card Readers”.
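The two software options above can be checked offline before touching any device. The following Python sketch is an added example, not PaperCut code: it assumes the identifier is capture group 1 of the configured regex and that the converter runs on the extracted value, and the user names and sample readings are constructed (only 1234-5677-9992 and 946EBD28 come from this page). It reports identifiers that fall below a minimum length (modelled on user.card-id-min-length) and identifiers shared by more than one user, which is the risk when only part of the card number is kept.

```python
import re

HEX = re.compile(r"[0-9A-Fa-f]+")

def normalize(raw, regex=None, hex2dec=False):
    """Turn raw reader output into a card identifier; None if it cannot be used.

    Assumption: the identifier is capture group 1 of the configured regex,
    and the hex-to-decimal conversion runs on the extracted value.
    """
    value = raw.strip()
    if regex:
        m = re.fullmatch(regex, value)
        if m is None or not m.groups() or m.group(1) is None:
            return None
        value = m.group(1)
    if hex2dec:
        if not HEX.fullmatch(value):
            return None
        value = str(int(value, 16))
    return value or None

def audit(readings, regex=None, hex2dec=False, min_length=1):
    """Return (ids, rejected, collisions) for a {user: raw reading} mapping."""
    ids, rejected, owners = {}, [], {}
    for user, raw in readings.items():
        ident = normalize(raw, regex, hex2dec)
        if ident is None or len(ident) < min_length:
            rejected.append(user)  # unusable or shorter than the minimum length
            continue
        ids[user] = ident
        owners.setdefault(ident, []).append(user)
    # An identifier owned by more than one user cannot identify anyone.
    collisions = {i: u for i, u in owners.items() if len(u) > 1}
    return ids, rejected, collisions

WHOLE_GROUP = r"\d*-\d*-(\d*)"  # group holds every trailing digit
LAST_DIGIT = r"\d*-\d*-(\d)*"   # repeated group keeps only the final digit

# Constructed sample readings; carol's card comes from a different batch
# but ends in the same four digits as alice's.
DASHED = {
    "alice": "1234-5677-9992",
    "bob": "1234-5677-0417",
    "carol": "1234-5678-9992",
}
HEX_CARDS = {"dave": "946EBD28"}

if __name__ == "__main__":
    print(audit(DASHED, regex=WHOLE_GROUP, min_length=4))
    print(audit(DASHED, regex=LAST_DIGIT, min_length=4))
    print(audit(HEX_CARDS, hex2dec=True))
```

Running the audit over an export of existing card numbers shows whether a chosen regex still yields one identifier per user before it is applied globally.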
Contact your nearest Authorized Solutions Centre, who will be able to answer any questions you may have, or organize any necessary tests.
The Ricoh platform only supports a limited number of specific card readers. Please refer to the PaperCut Embedded manual for Ricoh (Appendix A) for details.
Toshiba MFPs, both eB3 and eBX types, support a variety of card readers. To support a card reader, it’s important that the Toshiba copier is correctly configured. Recently, eBX devices have added support for Magtek card readers. A number of things should be checked (as described in the Toshiba Embedded Manual):
- The 08 codes and values are set correctly for the type of card reader. The 08 code is different for eBX versus eB3 but both these devices use the same 08 values depending on the card reader type.
- Check that LDAP card authentication is turned on for the correct PaperCut LDAP server.
- Ensure that the card reader is connected prior to the MFD boot up.
- If using an Elatec TWN3 card reader, then it needs to have Toshiba firmware installed on it.
Make sure that the MFD works without the card reader by using a different authentication method. Once you have verified that you can authenticate to the device, swap the reader, MFD or user to see if the problem can be isolated. If you are still not able to get it working, contact the card reader supplier or PaperCut Support with the steps that you have followed.
We’ve heard of this as a common problem when organizations merge, or on sites where there are multiple security solutions for door access. The challenge is that many users have cards that work differently or are incompatible with existing card readers. Thankfully there are some multi-readers available from vendors that may work as a solution. Some factors which have precluded the use of a multi-reader in the past are:
- Multi-readers are more expensive. They may be a viable solution for small deployments, but can get quite expensive in organizations with large MFD fleets.
- Some multi-readers are quite slow at reading as they need to scan a wider frequency range.
An alternate and popular option is to make the cards “dual frequency” using RFID data dots (RFID ID stickers). Rather than using a multi-reader, a single reader type is selected and cards not compatible with this reader have a data-dot sticker applied. Care needs to be taken to ensure the data dots selected don’t clash with the physical cards. We recommend careful testing to validate your selection prior to production deployment.
Two factor authentication means “something you know” and “something you have”. For PaperCut and card authentication this means turning on Card + PIN authentication (Card - you have, PIN - only you know).
Yes, you can enforce a minimum length by changing the value of the config key user.card-id-min-length. The default value is 1. You can set it to a value of your choice. Change the value of a config key via Options → Config Editor. Information on how to use the config editor is given here.
My users employ their PIN instead of their network passwords to authenticate. Are they able to perform card self-association using their PIN?
We’ve spoken with a number of sites wherein users aren’t privy to the passwords for their network accounts, and instead use a PIN exclusively. In the past, card self-association would require a user to authenticate with their formal network credentials, rendering it an unviable feature for those sites. As of PaperCut MF 17.3, it is now possible to authenticate during card self-association using a PIN instead of a password.
To enable PIN authentication for card self-association, you’ll need to modify an advanced configuration key via the Config Editor. The key in question:
By default, attempting to authenticate with a username and PIN when self-associating will fail. When the above configuration key is changed from
Y, self-association with either a username and PIN or a username and password will be possible.
I maintain the PINs for my users within my domain user listing. Can I synchronize these with PaperCut MF in the same way that I synchronize card/ID numbers?
PIN synchronization with common directory services is achievable as of PaperCut MF 17.3. To get this working, you’ll need to tell PaperCut MF what field to retrieve these PINs from in your directory listing; this is done using an advanced configuration key, modifiable via the Config Editor.
If your Primary sync source is configured to be Windows Active Directory, the configuration key to populate with the name of your PIN field is as follows:
If your Primary sync source is set to LDAP, you’ll instead want to use this key:
Alternately, if you wish to retrieve PINs from an LDAP synchronization source which is configured as your Secondary sync source, you’ll need this key:
You can find more information about how to customize your synchronized LDAP fields in the following section of our online User Manual.
If you’re using PaperCut MF, then it’s worth contacting your Reseller or MF Partner to help out with initial card reader configuration or to start the troubleshooting process. They’ll often have any specific configuration for the card reader / device combination that you’re using in your local environment.
Their contact details can be found in the PaperCut admin interface, under the ‘About’ tab - find your local partner or contact under the ‘Sales and Solutions Contact’ and ‘Support’ sections.