Innovation in contactless technology?

It makes sense to say that contactless technology will be an issue in the near future. Although the beginning was difficult, contactless technology is now so well accepted that the question is not ‘do we need contactless technology?’ but more ‘what can we do with contactless technology?’ If you are still sceptical, just go to any big smartcard event – take Cartes 2006 for instance, and you will be overwhelmed by the number of applications and products using contactless technology. In the following article we will look at where the technology is coming from and where it is going.

History behind contactless technology

In the 1990s the transport industry was the first sector to investigate and then implement contactless technology. At that time different transport companies found themselves in different situations. Some companies were looking to renew their ticketing systems, while others wanted to set up new systems from scratch. However, both groups had the same goal: to invest in a solution that could evolve, providing a maximum return of investment and durability for this investment. Contactless technology was an obvious solution. Different ways in which to deal with the transmission, such as infrared and high and low frequencies, had been tested. However, these were ’prehistoric’ times. So a European Commission (EC) project was created to deal with transmission issues, as well as with other aspects such as interoperability and the definition of the mandatory level of security for such applications. Transport companies from Belgium, France, Germany, Italy, and Portugal were part of the project which was first called first Icare and then Calypso.

As mentioned, all these companies had different requirements and needs, and all modes of public transport were represented (subways, suburban rail, bus, tram and boat). Fares and fare principles, the number of passengers and customer segmentations for all the transport organisations differed. Because of this a range of solutions and products, based on Calypso technology, have been developed. The first result of this work was the Type B ISO 14443 standard – which is still used today.

How can we define Calypso technology?

To surmise, it is a way to perform a secure contactless transaction between a portable object and a terminal. And this is where its power lies. One of the main results of the EC project was to define that in order to meet the high level of security needed the technology must:

• Be able to be used on buses, trams and boats that are not always on-line
• Offer a high level of service to customers
• Offer multiple applications.

A high level of decentralised security, based on evaluated components was required.

These principles are described in different specification documents managed by Calypso Networks Association through its Technology Work Group. The specifications define mandatory rules to ensure security. Other documents, based on the experiences of the members, are also issued as guidelines. Suppliers, integrators and service providers can join this not for profit association to contribute to the work.

To be as open as possible Calypso is based on existing standards, as Figure 1 shows.

It is important to stress that Calypso does not define a system. In this way its scope is different from a national approach such as VdV or ITSO for example. As previously stated, it is a way to perform a secure contactless transaction and technology compliant with Calypso specifications can be used to work in any existing schemes, or in a more global specification (like ITSO) as soon as the minimum mandatory requirements are met.

As a result, Calypso compliant technology has been used for a range of applications in over 80 big cities, with more than 80 different back office architectures (information systems). It is of great interest that in different locations, for example Lisbon or Paris, different architectures have been implemented between all the transports companies involved, but the technical interoperability between portable objects is being ensured by Calypso technology. If we want to go on a wider interoperability, we need to agree on commercial aspects to interface each information system. Actually, Calypso provides specifications defining tools to build a technical contactless system with a total freedom to define rules in order to design a full system.

How can we obtain Calypso products?

As an industry, there are two ways:

• Either, you become a licensee and then you can design, develop and supply Calypso compliant products.
• Or, you buy products from licensees and integrate them into your own offering.

As an end user (a service provider), you just have to specify that you want Calypso products for your system.

More than 40 suppliers are now licensees and cover all the range of products needed to build a ticketing system including chip suppliers, card vendors, mask developers, terminal manufacturers and security application modules (SAM).

Just to give a few more figures, more than 30 millions cards are used on over 130,000 terminals. This ensures the durability of investment for end users by offering several different suppliers for the same product. In fact, the association manages the specifications in a joint way with all its members and, the industrial world supplies products.

Examples of multiple applications using Calypso technology

With several existing schemes, based on the same portable object (now cards), you can deal with several applications such as transport, staff member applications and parking. Figure 2 illustrates multi-applications of the Brussels scheme which is planned to be in operation before the end of this year.

What is next for Calypso technology?

In fact, lots of things. New technologies and more mature needs are emerging. And the good news is that they are converging and totally compatible with the latest version of the Calypso specifications.

Let’s first look at the ‘needs’. A customer may want to add a new application on his portable object. Ideally this would be done in the simplest possible way, just like he would add a new song on his MP3 player, for example. However, there are three difficulties:

• First, nearly all the portable objects are ’native’. This means that when you deliver the portable object the software inside is blocked and so can not be updated. Different solutions exist: designing a universal application which can meet all the requirements of the potential service providers… ok, let’s stop dreaming or replacing the obsolete portable object with a new one with the risk that when we have replaced it, there will be no new demand…
• Second, service providers want to offer related services (downloading applications, downloading contracts) using the ‘anytime, anywhere, on any device’ (ATAWAD) concept. Furthermore, the customer wants to be free from constraints regarding how to get what is needed to use the service. In this case, there are also several solutions: offering a maximum of both, 24 hours a day, or installing machines in public areas and being able to deal with every different portable object…
• Third, if several service providers share the same support (the portable object), they want insurance that security is relevant to their stated needs. This point is reinforced if the downloading transaction should be performed in a remote way (that is to say not on a dedicated device). In fact, the service provider wants the portable object to behave as if there was only its application in the object.

Let’s have a look now, at the latest technology developments:

• The capacity and power (capability to do more complicated operations within a shorter time) is increasing without becoming more expensive.
• Contactless chips can be integrated in various devices other than just a smartcard such as phones, USB keys, tags and watches. NFC is just a new way to deal with the transmission, and is compliant with ISO 14443.
• The Java platform for smartcards (called JavaCard) and Global Platform are two successful platforms. They allow the development of software (called Applet) which can be downloaded and installed (in a secure way) on any JavaCard compatible chip.
• This leads to two advantages: first, the cost for developing an Applet is much less expensive than developing a native solution (see before); second, these new platforms allow you to manage (from a technical point of view) applications in the same way that you would install and uninstall software in your PC.
• A certification process regarding Applet is emerging which meets the needs of service providers to ensure that different applications can coexist on the same portable objects without causing security problems.

You have probably noticed that there is a certain convergence between user’s needs and what the technology offers. Furthermore, service providers are very interested in these new possibilities. Actually, it allows for easier dissemination of new applications, reducing the cost of issuing the support and allowing the customer to get contracts without any dedicated machine or staff members.

Calypso Networks Association and its members

At Cartes 2006, the world’s biggest card event – located in France, we (Calypso Networks Association) demonstrated several operations and products on our booth:

• On the JavaCard portable objects (smartcard and USB device), we have been able to personalise them with two different applications: one called ‘Navigo’ which is the Paris region application and an ITSO (UK) application. Once the objects have been personalised, we have added contracts on both applications and been able to perform transactions within both applications (with their respective and different security and security application modules) using the same object.
• We have integrated a JavaCard chip in a device with a USB interface. This USB interface was first used to download and install two different applications with two different set of keys and then to buy contracts as if you were performing the transaction on a dedicated automatic machine but just through your PC. We have also demonstrated the same capability with a smartcard reader and a JavaCard smartcard. This meets the ATAWAD concept for the service providers and customers.
• On a mobile, we have bought contracts using the telecom network i.e. Over The Air (OTA).
• We have performed transactions on a cash dispenser to buy contracts on a portable object with security being processed between a distant server and the portable object.

All these operations have been performed using the highest level of security that the standards and Calypso requires.

The main goal of the Calypso Networks Association is to provide the means to ensure the technical interoperability of these tools and their durability. With this aim in mind we have issued a new version of our specifications and we will be working this year on the following areas:

• Guidelines to design a reader and implement a full system
• SAM specifications
• Applet Java specifications and downloading specifications
• Remote (re)load protocol for products
• Product certification process
• Contactless ticket specifications (without a microprocessor).

All interested members will work on these areas in order to increase the capability of our tool specifications and the service we can offer to companies which want to be involved in Calypso. A big effort will be done to set up the certification process which is needed by industry and also by the tender companies.