A journey through ITSO

When looking back through previous ITSO articles in Intelligent Transport, I was struck by the number of times I have said “ITSO is coming”.The sentiment behind that was more a promise at that time, but now I can safely say “ITSO is coming” as a statement of fact. This article looks at some of the issues the ITSO journey has addressed and briefly gives an idea of progress.

Whilst not strictly an ITSO matter as ITSO does not run schemes, this is a pertinent question. Perhaps the answer lies in a simple question; What is it about smartcards that make them ideal for being part of local authority service delivery?

The answer comes from the SCASC project in Scotland, as reported in the April issue of their ‘Customer First’ newsletter;

Some of the benefits for the citizen include:

• Reduced card ownership – only need to carry one card
• Users can choose the applications that are loaded on their card
• Single help point for card – saves time in re-issuing multiple cards
• Access to services via remote media using smart card
• Reward points/incentive schemes
• De-stigmatised services – entitlements/concessions can be hidden on the card
• Ease-of-use – e.g. using e-purse for car parking
• Provides a means of photo ID – only form of ID for some
• Seen as worthwhile council activity
• Citizenship and image reinforces belonging

Some of the benefits for the application provider include:

• Shared investment and operational risk
• Reduced fraud – ensuring an audit trail
• Shared branding – individual partners benefit from promotion of card
• Electronic transaction reduces cost of collecting/ managing cash
• Information management costs reduced
• Improved management information
• Access to wider markets

Some of the benefits for the councils include:

• Joined-up service provision
• Reduced costs of card issuance and maintenance – only one card to produce
• De-stigmatised public service provision – increase usage and take-up
• Can contribute to change in behaviour – healthy eating, attendance and bullying
• Improved site security in schools – access control
• Better targeting of services – improved management information

All of these contribute to the business case – perhaps not all in direct financial terms. But there are also other elements which can be added to the case. The following are all justifications used by smartcard schemes in recent months in their cases (see Table 1).

ITSO adds a further dimension to the business case – one of interoperability and sharing at a number of levels (see Table 2).

Much of the material for this section has been taken from schemes who are actually implementing smartcards – for the very reason that they have proved a business case. Invariably it is based on sharing – sharing the card platform, the infrastructure – indeed the ‘scheme’. The even better news is that once you start then future add-ons have an even better case. Let me add just one final quote from ‘an informed Local Authority Source’, which is particular to the introduction of free local concessionary travel but also has a wider context;

“Forget smartcards? I would counter that there is an even bigger case for smartcards in the control,management etc. of schemes because the ‘free’ is only district specific. ETMs and smartcards (especially ITSO ones!) will give zonal control etc, far greater management information than paper, and also reduce fraud!”

What does ITSO do now?

The primary focus of ITSO was the creation of a specification for interoperable smartcards for transport applications. Today, that specification rests at version 2.1 published in March 2004 and is Crown Copyright, so is available to all. The specification is unique in a number of ways;

• It supports a wide range of smart media whereas other specifications usually support only one. In ITSO, the choice ranges from low cost disposable cards to top of the range microprocessor cards. The specification recognises current popular contactless media such as Mifare 1K &4K and Calypso. But all are interoperable giving schemes a choice of card, which is more appropriate to their application. Low cost for single journeys, higher specification for concessionary travel cards which may also be citizen cards.
• It covers the whole life journey of transport applications and so specifies card data, card formats, point of service activities, transaction formats and back office processing – providing a complete end-to-end specification for interoperable smart media.
• It supplies the security environment specification for key management. This again is unique, as usually other schemes only provide a card key. ITSO provides card, shell and product keys.
• It provides the security architecture for both the card and back office transactions necessary for the secure transmission of data amongst interoperable schemes. This includes the architecture for the authority levels of operators’ points of service.
• It enables Interoperability.

ITSO also provides the environment to enable schemes to implement the ITSO specification;

• Certification & Testing (often refereed to erroneously as accreditation)
• An ISAM (ITSO Secure Application Module)
• A Security Management Service
• A set of ‘club’ rules in the form of Operating Licenses

There are two areas of this environment which deserve particular mention;

Certification

The ITSO certification process is unique in that it not only tests the product against the specification (nothing new there) but goes further and tests against/with other products already certified, which are held in the ITSO warehouse.We hope this will help to ensure interoperability.

The broad categories against, which ITSO tests equipment, are those found in the specification: Customer Media Devices (CMD), Point of Service Terminals (POSTs) and Host Operator Processing Systems (HOPS). Normally, equipment and software will be certified for the full functionality of one or another of these categories. However, in some circumstances, full functionality may not be either appropriate or necessary: e.g.A Personalisation POST may only load ITSO Shells onto a single specific media. In these circumstances, ITSO provides Conditional Certification.

The demand for Certification from schemes and suppliers has been so great that ITSO have had to increase resources by 50 per cent and still the process is fully booked until March 2006.

The ISAM

This integrated circuit card, which must reside in any ITSO-based point of service or back office, provides the cornerstone of the security architecture for both the key and transaction processing.

Where can I see an ITSO scheme?

The implementation of ITSO has not progressed as fast as everyone would have liked for a number of reasons:

• It has taken suppliers longer to develop fully compliant kit. Perhaps not surprising when you consider the breadth of the ITSO specification.
• The key management system from ITSO (the SMS) was late in arriving due to the complexity of both the contract negotiations and the software. Even now, schemes are only just taking delivery of the market provided interface suite known as the AMS (Asset Management system).
• Developers have been delayed in implementing the full range of cards, but with the availability of the Innovision card the full set is now on the market.

ITSO has taken a pragmatic approach to these issues and has introduced a number of steps in conjunction with schemes and suppliers to enable progress to be made despite the above. For example:

• An early adopters scheme, which provides Security Access Modules with embedded keys prior to the SMS service availability.
• Phased certification for suppliers kit, which matches the partial functionality against the early scheme requirements.
• The I2F/suppliers group, which allows suppliers to jointly develop and demonstrate particular aspects of the ITSO specification.

So,where is ITSO being implemented?

Most of these are schemes where the card is issued for concessionary travel and Free Local Concessionary Travel, which was announced in the last UK Treasury budget, has coincidentally encouraged more schemes to consider smartcards (increased risk of fraudulent use which can only be resolved by the use of smartcards). Free Concessionary Travel, should this be extended nationwide (as per Scotland and Wales), can only be achieved if those smartcards provide the necessary interoperability through an Industry Specification. ITSO is that standard specification.

Using ITSO has a number of other advantages;

• ITSO is the only industry specification compliant with European Standards such as EN 1545, which Local Authorities must include in their procurements.
• ITSO provides more management data – securely – allowing for better settlement with operators, better customer data etc.
• ITSO based equipment provides ‘Interchangeability’ of system elements, removing the old issue of ‘supplier tie-in’.
• ITSO is an open specification (Crown Copyright) freely available to all and as such has stimulated a considerable number of new players to the market. This last point is particularly exciting, as we can see suppliers and schemes from outside transport realising both the benefits of the ITSO specification and the relationship of, say, a tourist card with a transport application. From the scheme viewpoint it seems to be opening up what was a limited market. The current list of ITSO supplier members illustrates this:

ITSO and Government

• ITSO is mandated by the DfT for any smartcard scheme requiring financial support from them.
• ITSO is highly recommended by E-Gov for ticketing and would have had a higher standing if there had been active schemes at the time of recommendation.
• Government Connects is providing ITSO approved modules to cover transport in their approach to smartcards.

The final destination?

here are so many strands in the smartcard world coming together now – and we do believe ITSO was the (unknowing) catalyst – that the vision we had some years ago is now happening.What was that vision? Well perhaps one last piece of plagiarism, from Merseytravel this time, will demonstrate it best.