Moving to open standards for future-proof automated fare collection systems

Posted: 17 February 2012 | Laurent Cremer, Executive Director, OSPT Alliance | No comments yet

Mass transit system operators are witnessing a paradigm shift in automated fare collection (AFC) technology. These changes include outsourcing of AFC programme operations and real-time acceptance of third party-issued cards – changes that are likely to reshape the way that AFC is viewed by the industry for decades. As a result, transit agencies are facing new challenges and opportunities as they define the next generation of AFC systems. To ease this transition and to promote higher data security without the need for proprietary solutions, the OSPT Alliance, a vendor-neutral industry association, has introduced CIPURSE™, a new standard designed specifically for the next generation of fare collection technologies.

Fare collection systems hit the wall

For the past two decades, the default solution for AFC systems has been a contactless smartcard-based programme. Such systems have been based on proprietary technologies and customised to the unique needs and fare policies of each agency. Over time, systems built on proprietary solutions have proven to lack flexibility for adapting to changes in fare policy, smartcard features, or the addition of new system components. In addition to requiring specialised expertise, updating proprietary fare collection systems usually incurs substantial expense. However, until recently, the lack of comprehensive standards for card data structures and security has inhibited opportunities for alternatives to evolve.

The role of security in AFC

A prime example of the need for standards is evident in the areas of card data and system security. Over the past several years, the frequency and severity of hacking and data theft have escalated dramatically in systems of all types worldwide. The proprietary security protocols most frequently used for transit, such as MIFARE’s Crypto1 protocol, have been breached, creating public embarrassment and loss of passenger trust. This is forcing transit operators to upgrade their security measures.

Assuring secure transactions is a challenge and the security methods used are often determined by the type of AFC system implemented:

Card-based systems

In card-based systems, where essential fare data is recorded in card memory, the reader requests the data stored in the card memory when it detects the presence of a card. The card responds by transmitting its data. The reader receives the data, calculates the fare, and then sends commands to the card to update its memory with revised data. In such systems, security measures focus on protecting the data stored in the card memory and the exchange of data between the card and reader, since fraudsters are most likely to attack these points in order to alter data stored on the card. When the security protocol is broken, as in the case of MIFARE Crypto1, data at the card/reader interface and/or stored on the card becomes vulnerable. If a proprietary security scheme is employed, the agency must rely for the life of its AFC system on the original developer of that scheme, since only that developer would be qualified to assist with changes to the cards, readers, and data exchanges between them.

Account-based systems

Account-based systems, where data on the card is static and fare calculation is done within a central system, offer attractive benefits to transit agencies. They offer the potential to reduce the complexity and expense of readers and facilitate the acceptance of bank-issued credit and debit cards in addition to agency-issued cards. In these systems, the security protocols must be designed to protect data from the reader all the way to the central system and beyond, since that data now includes sensitive bank card information.

Since security protocols for the card/reader interface for bank-issued debit and credit cards are dictated by the card networks, such as Visa, MasterCard, and American Express, agencies that accept these cards must implement those security protocols without alteration. Many transit passengers, however, do not have or are not aware that they have a contactless credit or debit card or they may choose not to use it due to privacy and fraud concerns. Therefore, all agencies must also provide agency-issued cards to ensure that the entire population of riders can use the new AFC system. Since contactless cards comprise only a small percentage of the total bank cards in circulation, it is likely that agency-issued cards will be the default fare media for most passengers for the next few years. Although an agency cannot alter the security associated with bank-issued cards, it has the freedom and obligation to define the security for the agency-issued cards.

New consumer payment trends

Although users of contactless bank-issued cards represent only a small percentage of an agency’s ridership, this percentage is expected to grow over time with the emergence of virtual cards on mobile devices using Near Field Communications (NFC), an international standard for mobile device interoperability. Companies such as Google, partnering with First Data Corporation and Citibank; ISIS, a joint venture of AT&T, Verizon, and T-Mobile; and others have introduced platforms for processing mobile payments and distributing NFC-compliant handsets and are planning pilot programmes for mobile payment to AFC systems. Whether or not contactless bankcard and/or mobile fare payments will become commonplace remains to be seen but some agencies are already including bank-issued card acceptance and NFC compliance as key requirements for their new AFC systems.

Addressing the need for an open standard: The OSPT Alliance

Whether transit agencies are defining specifications for a new AFC system, an upgrade to an existing system, or a traditional card-based system, they can specify that their solutions be based on open standards, such as CIPURSE™. The CIPURSE open standard is designed specifically for fare collection based on contactless smartcard and NFC technologies. Compliance with the CIPURSE open standard eliminates the headaches and dramatically reduces the risks associated with proprietary solutions for data structure, security, and certain elements of the card/reader interface.

CIPURSE is offered to the industry by the independent Open Standard for Public Transit (OSPT) Alliance. With the mission to address the need for secure, interoperable, flexible fare collection systems, the OSPT Alliance is helping the transit community move toward the next generation of AFC systems through a global, multi-provider community, industry education and workgroup opportunities.

As of January 2012, the OSPT included its four founding technology company members – INSIDE Secure, Giesecke & Devrient, Oberthur Technologies and Infineon – as well as Samsung Semiconductors, Watchdata, Ecebs and SMARTRAC. Transit operators are represented by the Open Ticketing Institute (Netherlands), UTIITSL (India) and NSB (Norway). Working together, these organisations are continuing to evolve CIPURSE.

CIPURSE for future-proofing fare collection

In addition to being an open standard for AFC system security, CIPURSE establishes a common set of commands to be used between card and reader and a standard card data structure – key ingredients for plug and play interoperability of disparate cards and readers. This enables CIPURSE-compliant solutions for both card and NFC-based media to support 21st-century transit operations. It offers developers essential ingredients for creating fare collection solutions that deliver the highest levels of security, flexibility, and mobility:

● Cost-effectiveness: Cost-efficiently guard against counterfeiting, cloning, eavesdropping, man-in-the-middle attacks, and other security risks that threaten the integrity of transit fare collection systems.

● Built on proven standards: CIPURSE is built on proven international standards, including ISO/IEC 7816-4 and ISO/IEC 14443.

● Advanced security based on AES 128: CIPURSE’s advanced security mechanisms include a state-of-the-art cryptographic protocol that encourages fast and efficient implementations. The protocol provides robust, inherent protection against differential power analysis (DPA) and differential fault analysis (DFA) attacks.

● Consistent command set: A consistent command set and architecture supports multiple applications and payment schemes with easy interoperability.

● Independent testing: Independent testing helps ensure interoperability between solutions and with legacy systems, as well as consistent application of the standard.

Surpassing security strength

In addition to its advanced, standards-based security foundation, CIPURSE supports a secure messaging protocol, four minimum mandatory file types, and a minimum command set; all of which promote interoperability and facilitate end-to-end security for account-based systems. Core security mechanisms include a unique cryptographic protocol that encourages fast and efficient implementation with robust protection against hacker assaults such as differential power analysis (DPA) and differential fault analysis (DFA) attacks.

With CIPURSE-compliant fare collection solutions, agencies can significantly reduce the risk of card data security breaches. CIPURSE security capabilities complement a wide range of security key storage solutions and key lengths (where longer key lengths equal greater security) in order to meet an equally wide range of customer requirements. Unlike other fare collection standards, CIPURSE-based solutions preserve complete independence between the application, operating system, and hardware layers. Independent, interchangeable components offer operators the greatest choice of suppliers and greatest flexibility in migrating systems.

Designed for performance and growth

Products compliant with the CIPURSE open standard will provide superior, real-time card/reader authentication and card data protection with fast transaction times. Form-factor flexibility allows products to be based on limited-use tickets; smartcards; dual-interface cards; advanced, multi-application cards; and NFC-compliant mobile devices. The CIPURSE standard can make it easier to expand the low-end market of single-trip or limited-use tickets without sacrificing security or future flexibility.

Open standards also enable CIPURSE-compliant solutions to work with the common financial networks’ open-loop prepaid cards and contactless payment systems. The infrastructure is already in place, eliminating the need for transit authorities to create and maintain their own payment infrastructures.

Driving a flourishing market

CIPURSE’s flexibility promotes vendor neutrality, cross-vendor system interoperability, and lower technology adoption risks – all of which result in lower operating costs and greater flexibility for transport system operators. CIPURSE is also the way to achieve cross-device, cross-transit-system commonality and faster transition to the use of NFC devices.

CIPURSE compliance helps ensure continuous, long-term access to cards from a variety of suppliers and supports commoditisation of card readers, since interaction with the card data structure can be standardised and replicated. Introduction of new CIPURSE-compliant card and NFC technologies will require minimal effort. CIPURSE can offer true plug-and-play compatibility using properly defined reader interfaces. It enables operators to reduce or eliminate the headaches, costs, and delays associated with the loss of reliable card supplies and the associated need to introduce new cards and/or readers in the future.

An open opportunity

Open standard, account-based systems are the future for AFC, and the CIPURSE open standard is a secure, flexible option for agency-issued cards, NFC applications, and other payment technologies and NFC-based applications. Compliance with the CIPURSE open standard ensures better security and flexibility while eliminating the negative impacts and costs associated with proprietary solutions. Gaining these benefits is as easy as specifying CIPURSE compliance for new and existing systems as well as for upgrades to enhance or enable contactless card or NFC acceptance.

For agencies wishing to get involved in shaping future open standards, joining the OSPT Alliance as an Associate Member is free of charge. For more information about CIPURSE and the OSPT Alliance, please visit www.osptalliance.org.

About the author

Laurent Cremer brings extensive experience in strategic international sales, consulting, and executive management to his role as Executive Director for the OSPT Alliance. He has been involved with smartcard technology for more than 20 years, working in verticals such as telecom, transportation, banking, and ID markets. Laurent has been developing those business lines in both mature (Europe) and emerging markets (Latin America, Africa, Middle-East). Mr. Cremer has served in business development and strategic sales for a number of companies, including Ipico in Canada, specialising in RFID, where he held the position of VP for EMEA and Latin America. He also held GEO roles at Gemplus (formerly Gemalto) and Goldkey Technology (Taiwan). He earned an electronic engineering degree from ESIGElec in France and an MBA from EM Lyon.