Common Access Card (CAC) Security
The CAC—which is roughly the size of a standard credit card—stores 144K of data storage and memory on a single integrated circuit chip (ICC). This CAC technology allows for rapid authentication and enhanced security for all physical and logical access.
CAC and Your Privacy
The CAC meets or exceeds applicable privacy laws and Geneva Convention requirements. More importantly, the data it stores can only be accessed through secure CAC applications. In fact, the information stored on a CAC cannot be accessed without:
- A Personal Identification Number (PIN)
- System access to the secure CAC applications required to interpret the data
To provide additional security, the card is:
- Issued according to sound criteria of personnel identification
- Resistant to identity fraud, tampering, counterfeiting, and exploitation
- Designed to provide an electronic means of rapid authentication
Information Stored on a CAC
These cards contain only selected, abbreviated data relating to your work functions or benefits and privileges provided as a uniformed member of the Armed Forces, U.S. Public Health Service, or NOAA, DoD Civilian, or DoD Contractor. Sensitive data such as passwords or highly personal medical information are not contained on your smart card.
Also, effective June 1, 2011, the Social Security Number (SSN) is being replaced on all cards by the DoD Identification Number. Eligible beneficiaries will also have a DoD Benefits Number printed on their ID card. Medical providers have the option of using the SSN or the DoD Benefits Number to validate eligibility and to process claims. CACs with the SSN remain valid until replaced.
Card Body Information
- Public Key Infrastructure (PKI) certificates that enable cardholders to "sign" documents digitally, encrypt and decrypt emails, and establish secure online network connections.
- Two digital fingerprints
- Digital photo
- Personal Identity Verification (PIV) certificate
- Organizational affiliation
- Expiration date
Card Bar Code Information
- Social Security Number (to be removed in 2012)
- Date of birth
- Personnel category
- Pay category
- Benefits information
- Organizational affiliation
- Pay grade
The magnetic stripe is reserved for Service/Agency use.
Only individuals who have authorization to perform normal identification processes and run CAC applications have access to the information on your CAC. For example, if your card contains dental information, only someone who has an authorized application can access and review the data in your dental file. Each application on the CAC is firewalled from the other, and someone who has access to one application does not typically have access to another application.
Each application can be secured with different levels of protection. Some applications can have encrypted levels of security while others may not have any encryption at all. The ability to read a field does not necessarily mean that the person has the ability to alter the information in a file.
You can release your information using your PIN at Real-Time Automated Personnel Identification System (RAPIDS) sites or facilities using CAC applications. For more about your PIN, read more about keeping your CAC secure.