CHIPS Articles: Safeguarding Your Common Access Cards and Military Identification Cards

You may have heard of an application developed for smart phones called “CAC Scan” that had the ability to decode the barcode containing personally identifiable information (PII) on the front of the Common Access Card (CAC). In May 2016, this app became available in the Google Play store for Android devices and the iTunes store for Apple devices. As of early June, it appears that “CAC Scan” was removed and is no longer available for download. However, its existence offers an opportunity to address such products in case they appear again. Neither “CAC Scan” nor any other CAC reader application that may become available via an app store is sponsored or endorsed by the Department of Defense.

The barcode found on the front of the CAC contains PII for the individual CAC holder, including an individual’s name, full Social Security Number (SSN), and the Department of Defense Identification number (DoD ID). The barcode on the back of the CAC also contains the SSN. Improvements are currently underway to reduce the PII imprint on CAC barcodes. Per the Defense Human Resources Activity (DHRA) Identification Card and Benefits policy office, the SSN will be removed from the barcode on the back of the card by the end of 2016 and from the front of the card by October 2017. SSNs have already been removed from barcodes on all military identification cards.

It is important to understand that non-DoD organizations should not scan or copy an individual’s CAC or military identification card. However, Title 18, Section 701 of the U.S. Code and paragraph 6.1.7 of DoDI 1000.13, authorizes the photocopying of the front and back of the ID card or CAC to establish eligibility to receive medical care. View additional guidance from Defense Health Agency (DHA).

Actions you should take to safeguard your cards:

1. Maintain control of your CAC/Military ID at all times.
2. Remember to remove your CAC from your computer when you leave your desk.
3. Do not display your CAC or any other credentials that contain PII when you leave the workplace. For example, do not have your CAC/Military ID visible while riding public transportation.
4. Except for DoD health care providers, do not allow organizations/businesses to reproduce (photocopy, scan, or other means) an image copy of your CAC/Military ID. If you know of a non-medical organization possessing an image copy of your CAC/Military ID, request destruction of the image.
5. In the event that another CAC scan application comes into the market, do not attempt to use or test it on your mobile device, as the barcode information may be sent to an unknown server, stored, and made available for public release.