HID iCLASS, iCLASS SE & Seos: What Can Be Replaced

Security ID Systems

A compatible replacement for an HID iCLASS card depends entirely on which tier you are running: legacy iCLASS (Picopass) has a well-defined compatible path, while iCLASS SE, iCLASS Elite, and Seos are secured by design and are supplied as compatible blank credentials your own access-control system enrols with its own keys. Understanding the difference before you order saves time, money, and a service call.

The three HID 13.56 MHz tiers explained

HID Global's 13.56 MHz smart-card range is not a single product but a family of three architecturally distinct tiers, each with its own security model, chip design, and practical replacement story. Grouping them together is the single most common source of confusion when facilities teams go looking for an HID iCLASS compatible key fob or a card to replace an ageing credential.

The three tiers are: (1) legacy iCLASS, also called Picopass, which underpins first-generation iCLASS readers; (2) iCLASS SE and iCLASS Elite, which layer additional application diversification on top of the Picopass base; and (3) Seos, HID's current-generation platform built around AES encryption on a dedicated secure element. Each tier presents a different compatibility question, so the rest of this guide treats them in turn.

All three tiers share the 13.56 MHz ISO 15693 / ISO 14443 frequency band and will physically wake a compatible reader. Frequency compatibility is where the similarity ends. The authentication, key-diversification, and credential-storage architectures are substantially different across the three, and that architecture — not the radio frequency — governs whether a compatible credential can carry a working application.

Legacy iCLASS (Picopass) and its compatible path

Legacy iCLASS credentials use the Picopass protocol with an application stored in a defined memory layout. When a site is running standard-configuration legacy iCLASS — the most common deployment in older corporate and government installations — compatible blank cards programmed to the same credential format will authenticate with the existing readers without any firmware or hardware change.

This is the clear-cut compatible case in the iCLASS world. If your reader panel's audit log shows iCLASS 2K or 16K credentials, and the site has not enabled Elite-level key diversification, you are almost certainly in standard-configuration territory. A HID iCLASS Legacy (2K/16K Picopass) format card sourced from a specialist supplier can be encoded with your existing site code and card number and issued to users through your normal programming workflow.

The practical requirement is that you need a sample credential or the site-code data to programme the replacements correctly. Ordinary read-write tools available to any certified installer can read the credential data from a sample card and record it for programming new blanks. No specialist attack tooling is needed or appropriate — this is a routine maintenance process for any integrator familiar with legacy iCLASS.

Fob users have the same options. The same Picopass application runs in clamshell fob form-factors, so an HID iCLASS compatible key fob carrying the same format encodes and authenticates identically to the card equivalent. Format and memory configuration matter; physical casing is interchangeable in most reader installations.

If you are unsure whether your site is standard configuration or Elite, the safest step is to test one compatible blank against your reader before placing a bulk order. A genuine standard-configuration reader will accept a correctly encoded blank immediately. An Elite reader will reject it, which tells you clearly that you are in the secured-tier category covered in the next section.

For large-scale legacy iCLASS programmes — data centres, server rooms, and campuses that have not yet migrated to SE or Seos — we maintain stock of HID iCLASS compatible key fob and card formats in standard 2K and 16K Picopass configurations. Our guide "iCLASS, iCLASS SE & Seos: Compatible Card Options by Tier" covers ordering specifics in detail.

iCLASS SE / Elite: secured by design

iCLASS SE introduced a fundamentally different security architecture. Where legacy iCLASS uses a site-wide application key that is the same across all cards on a deployment, iCLASS SE and the Elite key-diversification scheme derive a unique key per credential from a root key held by the operator. A reader programmed with Elite keys will reject any card that does not present a correctly diversified response — including a legacy iCLASS standard card presented to an SE reader in multi-class mode.

This architecture is intentional. It is why iCLASS SE commands a premium in enterprise and government installations: the installed-reader lock-in created by operator-held diversified keys is a genuine security property, not a commercial inconvenience. A would-be replacement card cannot simply copy the application data from a sample, because the verification step requires the diversified key that only the correct card would produce during a legitimate authentication exchange.
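The contrast between a site-wide key and per-card diversified keys, as an added illustration that is neither HID's algorithm nor the supplier's code. HMAC-SHA256 stands in for the real derivation and challenge-response, and the root key, card serials and function names are constructed for the example.

```python
import hashlib
import hmac


def diversify(root_key: bytes, serial: bytes) -> bytes:
    """Per-card key derived from the operator root key and the card serial.
    HMAC-SHA256 is a stand-in PRF, not the vendor's algorithm."""
    return hmac.new(root_key, b"card-key|" + serial, hashlib.sha256).digest()


def card_response(card_key: bytes, challenge: bytes) -> bytes:
    """What a credential holding card_key returns for a reader challenge."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


def reader_accepts(root_key, serial, challenge, response, diversified=True):
    """Reader recomputes the key it expects for this serial and compares."""
    expected_key = diversify(root_key, serial) if diversified else root_key
    expected = card_response(expected_key, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    root = bytes(range(32))            # constructed operator root key
    serial_a, serial_b = b"\x01" * 8, b"\x02" * 8  # constructed card serials
    challenge = b"\xaa" * 16           # fixed here; a real reader uses a random one
    key_a = diversify(root, serial_a)  # written to card A at enrolment
    blank_key = bytes(32)              # assumed placeholder key on an unenrolled blank
    return {
        # Card A, enrolled by the operator's system: accepted.
        "enrolled_card": reader_accepts(
            root, serial_a, challenge, card_response(key_a, challenge)),
        # Blank that never went through enrolment: rejected.
        "unenrolled_blank": reader_accepts(
            root, serial_b, challenge, card_response(blank_key, challenge)),
        # Card A's key presented under serial B: rejected, keys are per card.
        "key_a_under_serial_b": reader_accepts(
            root, serial_b, challenge, card_response(key_a, challenge)),
        # Site-wide model: the same key answers for every serial.
        "shared_key_any_serial": reader_accepts(
            root, serial_b, challenge, card_response(root, challenge),
            diversified=False),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The blank is rejected until enrolment writes the key derived for its own serial, which is why the security of the issued credential rests on the operator's root key and not on the carrier.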

What we supply for iCLASS SE and Elite deployments is therefore a compatible blank credential: an HID iCLASS SE compatible card built on the correct chip platform with the correct application structure, but with no keys pre-loaded. Your system's enrolment process — typically performed through the same access-control management software you already use — writes your site's diversified keys and credential data to the blank during issuance.

This is identical to the process for issuing a brand-new card from your incumbent supplier, with two differences: you source the blank from us rather than HID, and the unit cost is lower. The security properties of the issued credential are determined by the keys your system loads, not by who manufactured the blank carrier.

Similarly, the HID iCLASS Elite compatible card format we stock is built to accept Elite-scheme key diversification through your enrolment infrastructure. If your installer or system integrator has configured your readers for Elite, the same enrolment workflow applies.

For facilities that mix iCLASS tiers — a common reality during multi-year migration programmes — multi-technology cards carrying both a legacy Picopass application and an SE application layer are also available. These let you phase out legacy readers on a building-by-building basis without dual-issuing credentials to every cardholder.

Seos: AES on a secure element

Seos is HID's current flagship platform and represents the most sophisticated credential architecture in the iCLASS family. The application runs inside a dedicated secure element — a tamper-resistant hardware enclave — and all credential operations are protected by AES-128 or AES-256 encryption with keys that never leave the secure element in plaintext.

The practical consequence for replacement purchasing is the same as for iCLASS SE, but even more clearly defined: there is no compatible path that writes a working Seos application from the outside. The AES keys that authenticate a Seos credential to a Seos reader reside inside the secure element and are loaded exclusively through HID's Trusted Identity Platform or a licensed enrolment infrastructure. A HID Seos blank we supply is therefore exactly that: a blank credential with the correct secure-element chip and the correct Seos application container, ready to receive your system's keys through your normal issuance process.

This matters for procurement teams replacing lost or damaged Seos cards. You do not need to purchase replacements through your original system integrator at list price. You can source the blank credential from a compatible-card supplier, run it through your existing enrolment station, and issue it to the cardholder. The reader does not know or care who manufactured the blank; it cares only that the credential presents a valid AES response using the keys your system loaded.

Seos is also the platform behind HID's mobile and wearable credential ecosystem, but that is a software-licensing question separate from physical card supply. Physical Seos cards and fobs for personnel who prefer or require a physical credential remain straightforward to procure as compatible blanks.

For high-security environments such as data centres, research facilities, and financial operations rooms — the kinds of deployments in our Data Center & Server Room High-Security Credentials solution set — Seos blank credentials provide a cost-effective issuance path without compromising the AES security properties the platform was designed to deliver.

Operators running Seos alongside other 13.56 MHz technologies may also find our guide "The MIFARE Family Explained: Classic, Plus, DESFire, Ultralight" useful for understanding the parallel smart-card landscape, since mixed-reader panels reading both Seos and MIFARE DESFire credentials are increasingly common in enterprise access programmes.

What we actually supply for each tier

To remove any ambiguity, here is exactly what Security ID Systems stocks and ships for each tier of the HID iCLASS family.

For legacy iCLASS (Picopass) in standard configuration: we supply fully compatible blank cards and fobs in 2K and 16K formats. These can be ordered pre-encoded to your site code and card number range, or ordered as blanks for encoding through your own installer toolchain. The iCLASS CSN passthrough compatible card format is also available for deployments that rely on CSN read-only mode rather than a full application.

For iCLASS SE and Elite: we supply compatible blank credentials on the correct chip platform, ready for enrolment through your access-control management system. We do not supply pre-loaded SE or Elite credentials because the keys belong to your system, not to us — that is the security model working correctly.

For Seos: same model. Compatible blank Seos credentials, correct secure-element chip, correct application container, zero pre-loaded keys. Enrolment through your infrastructure loads your keys and your credential data.

We also carry a range of multi-technology formats that pair iCLASS applications with other protocols — useful during migrations. For example, sites moving from legacy 125 kHz proximity to iCLASS or Seos often need cards that carry both technologies simultaneously during the transition period. Our 13.56 MHz HF Smart Cards catalogue and High-Security & Custom Formats section cover the full multi-technology range.

Buyers sourcing for Bosch, TESA, Mul-T-Lock, or other OEM systems that embed iCLASS readers will find the same tier logic applies. A Bosch-compatible access control card, TESA-compatible hotel key card, or SMARTair-compatible card that uses an iCLASS credential layer follows the same standard-config vs secured-tier split. Check which iCLASS tier the OEM reader is running before ordering.

If you are migrating an older 125 kHz Wiegand estate at the same time, the HID compatible proximity card range provides the 125 kHz side of any multi-technology pairing.

Our broader Compatible vs Genuine Access Cards: An Honest Buyer's Guide covers the procurement argument in full — when compatible blanks make commercial sense, what to verify before ordering in volume, and how to manage the enrolment process through your existing infrastructure.

Security ID Systems is an independent supplier of compatible access credentials. We are not affiliated with, endorsed by, or in any commercial relationship with HID Global. HID, iCLASS, iCLASS SE, Seos, and Picopass are trademarks of their respective owners.

HID 13.56 MHz credential tiers: security model and compatible supply path

| Tier | Protocol / Chip | Authentication model | Compatible path | What we supply |
| --- | --- | --- | --- | --- |
| Legacy iCLASS Standard | Picopass (ISO 15693) | Site-wide application key, same across all cards | Direct: compatible blank encoded with your site code and card number | Pre-encoded or blank 2K/16K Picopass cards and fobs |
| Legacy iCLASS Elite | Picopass + Elite key diversification | Per-card key diversified from operator root key | Enrolment-only: blank accepts your system's diversified keys on issuance | Compatible blank Elite credentials for enrolment through your system |
| iCLASS SE / SE Elite | Picopass SE + application diversification | Per-card diversified key, SE application layer | Enrolment-only: blank accepts your system's SE keys on issuance | Compatible blank SE credentials; multi-tech (legacy + SE) also available |
| Seos | Secure element, AES-128/256 | AES credential operations inside tamper-resistant secure element; keys never exposed in plaintext | Enrolment-only: blank accepts your system's AES keys via licensed enrolment infrastructure | Compatible blank Seos credentials with correct secure-element chip and application container |

Frequently asked questions

Can an HID iCLASS card be replaced with a compatible one?

It depends on the tier. Legacy iCLASS running in standard configuration has a direct compatible path: a correctly encoded compatible blank will authenticate with your existing readers without any hardware or firmware change. iCLASS SE, Elite, and Seos are secured by design and require enrolment through your own system's infrastructure. For those tiers we supply compatible blank credentials that your system loads with its own keys during issuance — the same process as issuing a new card from your incumbent supplier, but at lower cost.

Can a Seos card be replaced with a compatible credential?

Yes, as a compatible blank. A Seos replacement credential carries the correct secure-element chip and the correct application container. Your access-control management system — or your system integrator's enrolment station — loads your site's AES keys and credential data onto the blank during issuance. Once enrolled, the card authenticates with Seos readers exactly as an OEM-sourced credential would. There is no path to pre-load Seos keys from outside your system, which is the security architecture working as designed.

What is the difference between iCLASS and iCLASS SE?

Legacy iCLASS (Picopass) uses a site-wide application key shared across all credentials on a deployment. iCLASS SE adds a per-card key-diversification scheme so that each credential carries a unique key derived from an operator-held root key. A reader programmed with SE or Elite keys will reject any card that cannot produce a correctly diversified response. This means SE and Elite credentials cannot be replaced through simple encoding of a blank — they must be enrolled through the operator's own key-management infrastructure.

Do you supply compatible iCLASS blanks for SE and Elite?

Yes. We stock compatible blank credentials for iCLASS SE, iCLASS Elite, and Seos on the correct chip platforms with the correct application structures. They arrive with no keys pre-loaded. Your system's enrolment process writes your diversified keys and credential data during issuance. This is the standard workflow for any new credential issuance in a secured-tier iCLASS programme.

Is legacy iCLASS less secure than iCLASS SE?

Standard-configuration legacy iCLASS uses a site-wide key shared across all credentials, which is a weaker security model than the per-card key diversification in SE and Elite. iCLASS SE and Seos were introduced specifically to address this architectural limitation. For facilities with genuinely high-security requirements — data centres, research labs, financial operations — SE or Seos is the appropriate platform. For standard commercial access control where the credential budget matters more than defending against a sophisticated adversary, legacy iCLASS standard config remains widely deployed and serviceable.

Can I order iCLASS-compatible cards pre-encoded with my site code?

Yes, for legacy iCLASS standard configuration. Provide your site code and the card number range you need, and we can supply cards ready to issue. For SE, Elite, and Seos tiers, pre-encoding is not possible because the keys belong to your system — we supply the blank and your enrolment infrastructure does the issuance. If you are unsure which tier your site runs, test one blank against your reader before placing a volume order.

Do iCLASS-compatible cards work with OEM systems from Bosch, TESA, or Mul-T-Lock?

Many OEM access systems embed HID iCLASS readers as the credential layer. The same tier logic applies: determine whether the embedded reader is running standard-configuration legacy iCLASS, Elite, SE, or Seos, then order the matching compatible credential type. A compatible card issued to a Bosch, TESA, or Mul-T-Lock system running legacy standard-config iCLASS will authenticate normally; one issued to an SE or Seos reader must be enrolled through the appropriate infrastructure first.
