Physical Access Control: What It Is and How It Works

April 30, 2026
Alberto Farronato
Chief Marketing Officer

A physical access control system (PACS) is an electronic system that authenticates identity and authorizes entry at access control points. The baseline architecture is the same at every scale: a credential, a reader, a controller, a locking device, and access management software that logs each event. Understanding PACS in 2026 means understanding both the architecture and the specific transitions happening to it.

Key Takeaways

  • The same five-layer architecture of credential, reader, controller, locking device, and management software underlies every physical access control deployment, regardless of scale
  • The wiring protocol between the reader and the controller sets the effective security ceiling for every credential read in a physical access control system
  • Authentication and authorization function as two sequential checks rather than a single combined access decision
  • Credential formats, wiring standards, and management delivery models are all shifting in parallel, and upgrade sequencing should follow end-of-life at each layer

Core Components of a Physical Access Control System

Every physical access control system builds on the same hardware and software layers, regardless of site size or industry. Common physical access control examples include badge readers at lobby turnstiles, biometric scanners on data center doors, keypad entry on stockroom doors, and mobile credentials delivered to smartphones for employee entry.

A baseline PACS also includes a door position switch (DPS) and a request to exit (RTE) device. Above the hardware, access management software provides the database and administrator GUI used to configure permissions, monitor events, and generate audit trails.

Credentials

Credentials are the physical or digital items presented to verify identity. They fall into three types: credential devices (cards, fobs, mobile phones), coded devices (PINs and keypads), and biometric devices (fingerprint, iris, facial scanners). Many deployments layer two or more, such as a card plus a PIN, or a card plus a biometric, depending on the security classification of the area being protected.

Readers

Readers gather information from a presented credential and transmit it to a controller. Regardless of the credential format, the reader converts what it captures into a string of ones and zeros sent downstream. Reader form factors range from simple proximity readers and keypads to multi-factor readers that combine card, PIN, and biometric inputs in a single device.

Controllers

Controllers make the access decision. They receive credential data from readers, check it against a local access control database, evaluate permissions and time schedules, and issue a grant or deny. A single controller can manage one or multiple sets of door components and enforces policies including user permissions, time-based restrictions, and visitor rules in real time.

Access Management Software

Access management software ties everything together. Administrators use it to assign access levels, configure schedules, enroll and revoke credentials, and monitor system events. Those events, logged as transactions like "Access Granted," "Access Denied," or "Door Forced Open," provide the system record of access activity.

Authentication Versus Authorization

Authentication and authorization are distinct sequential processes in PACS: authentication establishes identity, and authorization checks whether that identified person is allowed through a specific door under current conditions.

Authentication

Authentication is the identity check. In PACS, the system evaluates the presented credential or factor set against enrolled identity data. Authentication strength is linked to protected-area classifications: Controlled areas require at least one factor, Limited areas require two, and Exclusion areas require three.

Authorization

Authorization determines permissions. A basic check validates the right to pass through a specific door at a specific time. Checks can include anti-passback status, credential expiration, holiday schedules, and use-count limits.
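The two sequential checks, written out as a controller-style decision function. This is an added example, not code from the original article or from any PACS product; the record layout, the reason strings, and the rule that a holiday closes the door are assumptions, and anti-passback is left out here.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional

# Factors required per protected-area class, as stated in the text.
REQUIRED_FACTORS = {"controlled": 1, "limited": 2, "exclusion": 3}

@dataclass
class Credential:                      # hypothetical enrollment record
    holder: str
    doors: set                         # doors this credential is assigned to
    expires: date
    window: tuple                      # (start, end) of the daily schedule
    uses_left: Optional[int] = None    # None means no use-count limit

def decide(cred, factors, door, area_class, now, holidays=frozenset()):
    """Return (granted, reason); authentication runs before authorization."""
    # Check 1, authentication: is this an enrolled identity, proven strongly
    # enough for the area? cred is None when no enrolled record matched.
    if cred is None:
        return False, "unknown credential"
    if len(set(factors)) < REQUIRED_FACTORS[area_class]:
        return False, "insufficient factors"
    # Check 2, authorization: may this identity use this door right now?
    if door not in cred.doors:
        return False, "door not assigned"
    if now.date() > cred.expires:
        return False, "credential expired"
    if now.date() in holidays:         # assumption: holidays close the door
        return False, "holiday schedule"
    if not cred.window[0] <= now.time() <= cred.window[1]:
        return False, "outside schedule"
    if cred.uses_left is not None:
        if cred.uses_left <= 0:
            return False, "use count exhausted"
        cred.uses_left -= 1            # consume one use only on a grant
    return True, "access granted"

# Constructed sample data.
ALICE = Credential("alice", {"lobby", "dc-cage"}, date(2026, 12, 31),
                   (time(7, 0), time(19, 0)))
VISITOR = Credential("visitor-17", {"lobby"}, date(2026, 5, 4),
                     (time(9, 0), time(17, 0)), uses_left=1)
```

Returning the reason with every deny gives the event log something more useful than a bare "Access Denied".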

How a Physical Access Transaction Works End to End

A physical access transaction follows a fixed sequence from credential presentation to door hardware response and event logging.

Credential Presentation and Capture

A user presents a credential by tapping a card, holding up a phone, or placing a finger on a scanner. The reader captures the credential data. For a legacy 125 kHz proximity card, an RF field energizes the card, which reflects back a static, unencrypted facility code and card number.

Reader-to-Controller Transmission

The reader transmits the credential data to the controller over one of two wire protocols: Wiegand or OSDP. In a Wiegand installation, the data travels as a one-way, unencrypted bit string. In an OSDP installation, data moves bidirectionally over RS-485 and can be secured with AES-128 encryption, while the protocol also supports supervision and device status monitoring.

Authorization Decision

The controller runs authorization logic against the credential identifier and current conditions. It checks whether the credential is valid for that door and whether current conditions permit entry, including schedules and any active overrides such as lockdowns, extended unlocks, or anti-passback violations. If all conditions are met, the controller issues a grant. If any condition fails, it issues a deny. The controller must log the specific reason for any denial alongside the event.

Door Hardware Response

On a grant, the controller sends a relay output to the door hardware. For an electric strike, the keeper pivots to release the latch bolt. For an electromagnetic lock (maglock), the controller cuts power to the electromagnet, releasing the armature plate. The door remains unlocked briefly, then re-secures.

Door Position Monitoring

The door position switch distinguishes forced entry from a legitimate access event where the door stays open too long. If the door opens without a preceding valid access grant, typically a valid badge read, the switch triggers a Door Forced Open (DFO) alarm. If the door opens on a valid grant but stays open past the administrator-configured time window, it triggers a Door Held Open (DHO) alarm.

Request to Exit

On the exit side, the request-to-exit sensor (commonly abbreviated REX), usually a passive infrared motion detector, detects someone approaching from the secure side and signals the controller to shunt the DFO alarm so the egress doesn't register as a breach.

Event Logging and Policy Sync

The controller transmits every event in this chain, including grants, denials, alarms, and door state changes, to the access management server, which logs them. The head-end server pushes policy updates in the opposite direction, sending new enrollments, revocations, and schedule changes down to controllers. Controllers store a local copy of the database so operations continue during network outages.
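The door-monitoring part of the sequence above (grant, door position switch, REX shunt, held-open timer), as an added example that is not part of the original article. The event names, the two timer values, and the rule that one grant or REX signal covers a single opening are assumptions of this sketch.

```python
def monitor_door(events, unlock_secs=5, held_open_secs=30):
    """Turn time-ordered (seconds, kind) events into (seconds, alarm) pairs.

    kind is "grant" (controller grant), "rex" (exit sensor), "open" or
    "close" (door position switch). The two timers are assumed settings.
    """
    alarms = []
    shunt_until = -1     # an opening at or before this time is expected
    opened_at = None     # when the door opened; None while it is closed
    timing = False       # True while an authorized opening is being timed
    for t, kind in events:
        # Held-open timer: report the moment the limit passed. A live
        # controller uses a real timer; here the next event reveals it.
        if timing and t - opened_at > held_open_secs:
            alarms.append((opened_at + held_open_secs, "DHO"))
            timing = False
        if kind in ("grant", "rex"):
            shunt_until = t + unlock_secs
        elif kind == "open":
            opened_at = t
            if t <= shunt_until:
                timing = True
                shunt_until = -1      # one grant or REX covers one opening
            else:
                alarms.append((t, "DFO"))
        elif kind == "close":
            opened_at, timing = None, False
    return alarms

# Constructed sample event stream for one door.
SAMPLE_EVENTS = [
    (0, "grant"), (2, "open"), (6, "close"),        # normal entry
    (60, "rex"), (61, "open"), (64, "close"),       # normal exit, DFO shunted
    (120, "open"), (125, "close"),                  # no grant, no REX
    (200, "grant"), (203, "open"), (260, "close"),  # door propped open
]
```

A door that re-opens right after a granted entry has closed is reported as forced, because the grant was consumed by the first opening.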

Wiegand, OSDP, and Why the Protocol Matters

The protocol between reader and controller sets the security ceiling for every credential read. That link is the most operationally significant communication path in a PACS.

Wiegand

Wiegand takes its name from a hardware effect where specially treated ferromagnetic wires embedded in a card generated a distinctive pulse as they passed a reader head. The industry standardized the resulting bit pattern into a common wiring interface that has dominated reader-to-controller communication since the 1980s, and the name stuck long after proximity, smart card, and mobile credentials replaced the original card technology.

In operational terms, Wiegand is a short-range, point-to-point wiring standard that carries credential data as an unencrypted, one-way bit string, typically a 26-bit frame with a facility code and card number. It has no line supervision, so a cut or shorted cable looks the same to the controller as an idle reader.
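What a controller actually receives on a Wiegand line, as an added example rather than code from the original article: a decoder for the standard 26-bit layout (leading even parity, 8-bit facility code, 16-bit card number, trailing odd parity). The sample frame is constructed, and the `flip` helper is a hypothetical stand-in for line noise.

```python
def decode_wiegand26(bits):
    """Decode a 26-bit frame given as a string of '0' and '1'.

    Bit 1 is even parity over bits 2-13, bits 2-9 are the facility code,
    bits 10-25 are the card number, bit 26 is odd parity over bits 14-25.
    Returns (facility_code, card_number) or raises ValueError.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading (even) parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing (odd) parity check failed")
    # Nothing below is secret or per-read: the frame has no counter, nonce
    # or MAC, so the same card produces the same 26 bits on every read.
    return int(bits[1:9], 2), int(bits[9:25], 2)

def flip(bits, *positions):
    """Return bits with the given 0-based positions inverted (line noise)."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)

# Constructed sample: parity + facility code 42 + card number 12345 + parity.
SAMPLE_FRAME = "1" + "00101010" + "0011000000111001" + "1"
```

Parity is error detection only: a single flipped bit is rejected, but two flipped bits in the same half decode cleanly to a different card number, and the controller has no way to tell.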

OSDP

OSDP, approved by the IEC as IEC 60839-11-5 in 2020, addresses the structural flaws of Wiegand. OSDP provides bidirectional communication over RS-485, AES-128 encryption via Secure Channel, and supervised-line detection that alerts the controller if the communication line is cut or tampered with. OSDP does not eliminate reader-controller security concerns on its own, however. Secure Channel is a necessary but not sufficient control.

Key PACS Concepts for Practitioners

Beyond the transaction flow, a handful of concepts shape how a PACS is configured and how operators respond when something goes wrong. Each addresses a specific gap the basic grant-or-deny logic does not cover on its own, from preventing credential misuse to accounting for people during an emergency.

Anti-passback

Anti-passback prevents a single credential from being used to grant entry and then passed back to another person. If anti-passback status is not cleared through the expected sequence of entry and exit events, the system can deny the next attempted use of that credential.

Mustering

Mustering uses in/out tracking data to account for personnel during an emergency. Access management software can query which credentials have badged in but not out to produce a real-time occupancy roster for evacuation accountability.
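Anti-passback and mustering both depend on the same in/out state, so one added example covers them (it is not code from the original article). The `hard` switch between denying a violation and only flagging it is this sketch's own parameter, and the reads are constructed.

```python
def replay(events, hard=True):
    """Replay time-ordered (holder, direction) reads at a controlled area.

    Returns (log, roster): one log entry per read, and the muster roster of
    holders who have badged in and not badged out.
    """
    inside = set()
    log = []
    for holder, direction in events:
        # A violation is a read that contradicts the tracked in/out state:
        # "in" while already inside, or "out" while not inside.
        violation = (direction == "in") == (holder in inside)
        if violation and hard:
            log.append((holder, direction, "denied: anti-passback"))
            continue                      # state is left unchanged on a deny
        note = "granted (anti-passback flagged)" if violation else "granted"
        log.append((holder, direction, note))
        if direction == "in":
            inside.add(holder)
        else:
            inside.discard(holder)
    return log, sorted(inside)

# Constructed sample reads: alice's card is presented for entry twice
# (passed back), and carol exits without ever having badged in.
SAMPLE_READS = [
    ("alice", "in"), ("bob", "in"), ("alice", "in"),
    ("bob", "out"), ("carol", "out"),
]
```

The roster is only as accurate as the badge discipline behind it: a person who leaves behind someone else without badging out stays on the muster list and is denied at their next entry.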

Tailgating and Piggybacking

Tailgating is an unauthorized person slipping through a controlled door behind an authorized user without presenting a credential. Piggybacking covers the variant where the authorized user knowingly holds the door for someone else. Both defeat the credential check the rest of PACS is built on, because the grant and the door-open sequence read as a legitimate event in the log.

Countermeasures live at the door rather than in the software: optical turnstiles, speed lanes, and mantraps restrict passage to one person per credential, and anti-tailgate sensors at the threshold can flag multi-entry events for review. Video correlation at the access point is increasingly used to spot the pattern after the fact and surface it for operator review.

Visitor Management

Visitor management sits adjacent to PACS. Temporary credentials, time-boxed access windows, and host-approval workflows extend the system to non-employees without enrolling them into the permanent badge population. Many sites still run visitor tracking on spreadsheets or paper logbooks, which breaks the audit trail that the rest of the PACS produces automatically.

Physical Access Control in 2026 and Beyond

New deployments are displacing 125 kHz proximity cards with mobile and biometric credentials. Most installed readers still run Wiegand, but new installations are moving to OSDP. Management is following a parallel arc from on-premises servers toward cloud and hybrid models.

Credentials in Transition

Mobile credentials, delivered via BLE, NFC, or UWB to smartphones, are a major growth area in access control. Released by the Connectivity Standards Alliance in February 2026, the Aliro specification is the first interoperable mobile credential specification designed for digital wallets and access control systems. Legacy proximity cards remain deployed despite being unencrypted and easily cloned.

Cloud and Hybrid Delivery

Cloud-based SaaS continues to erode on-premises dominance, driven by flexibility and remote access. On-premises configurations still account for a substantial majority of installed access control spending. Hybrid deployments combining on-premises controllers with cloud-hosted management are gaining share in new installations.

Integration Replacing Silos

Access control, video surveillance, and intrusion platforms historically operated in isolation. Buyers now specify unified platforms with a single-pane-of-glass view across security technologies, identified as a primary growth driver in SIA's 2026 Security Megatrends report.

Physical Identity and Access Management (PIAM) platforms extend this by integrating PACS with HR and IT identity systems, enabling cross-domain detections like a badge swipe at one facility coinciding with a VPN login from a different city, an anomaly that surfaces only when physical and cyber identity systems are connected.
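The badge-versus-VPN detection described above, run over a few log lines. This is an added example, not code from the original article or from any PIAM product; the log format, field names, 60-minute window, and the availability of a city for each VPN login (for example from geo-IP) are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: one merged feed of PACS and VPN events.
SAMPLE_LOG = """
2026-05-04T09:02:11 src=pacs user=alice city=Austin event=AccessGranted
2026-05-04T09:20:40 src=vpn user=alice city=Lisbon event=Login
2026-05-04T09:30:00 src=pacs user=bob city=Austin event=AccessGranted
2026-05-04T09:45:00 src=vpn user=bob city=Austin event=Login
2026-05-04T14:00:00 src=vpn user=carol city=Denver event=Login
2026-05-04T18:30:00 src=pacs user=carol city=Austin event=AccessGranted
""".strip().splitlines()

def parse(line):
    """Parse 'timestamp key=value ...' into a dict (values without spaces)."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_mismatches(lines, window=timedelta(minutes=60)):
    """Return (user, badge_city, vpn_city, gap) for each granted badge read
    with a VPN login by the same user from another city within the window."""
    records = [parse(line) for line in lines]
    badges = [r for r in records
              if r["src"] == "pacs" and r["event"] == "AccessGranted"]
    logins = [r for r in records
              if r["src"] == "vpn" and r["event"] == "Login"]
    findings = []
    for b in badges:
        for v in logins:
            gap = abs(v["ts"] - b["ts"])
            if v["user"] == b["user"] and v["city"] != b["city"] and gap <= window:
                findings.append((b["user"], b["city"], v["city"], gap))
    return findings
```

Neither log flags alice on its own; the finding exists only once both feeds share a user identifier, which is the integration work PIAM is meant to provide.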

Zero-Trust Principles Reaching Physical Space

Zero trust extends no implicit trust to assets or user accounts based solely on physical or network location, a direct challenge to traditional badge-based access. Physical security infrastructure increasingly requires zero-trust designs to prevent unprotected edge devices from becoming lateral-movement footholds for attackers.

AI and Video Correlation Are Emerging Above PACS

In PACS, the primary role of AI is correlation and triage: cross-referencing access control events with video feeds, reducing false alarm loads, and surfacing genuine anomalies, rather than replacing the access decision logic itself.

Where This Leaves Practitioners

Any PACS upgrade in 2026 faces a timing problem. The installed base is not where new deployments are heading, and replacement cycles for readers, controllers, and management software run on different clocks. Practitioners should identify which layer at their sites is closest to end-of-life, confirm what the adjacent layers can interoperate with, and sequence the upgrade from there rather than ripping and replacing the full stack at once.