Another important consideration is the communications requirements. Can the reader be offline, or does it need a direct, fast connection to a back-office system? All of the models discussed could operate in either mode, although the primary benefit of the card-based mode is to operate completely offline. The reader and middle-office models can also work offline, but they may need occasional network access to pass data, such as a hotlist to manage fraud, and payment card authorization requests.
Once EMV technology is available to the transit operators, there are a number of models available to meet the fares policy in operation. Simple, fixed-fare implementations (on buses, for example) could simply authorize offline against the balance on the card. Conversely, complex transit agencies such as MTA in New York and BART in San Francisco would need to use the authenticated tap as an ID and perform delayed online authorizations and aggregations.
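The offline flow described above, sketched as an added example that is not from the article or any transit operator's system: the reader decides locally against its last hotlist, queues taps, and the back office aggregates them into one delayed authorization per card per day, with declines feeding the next hotlist. All names are hypothetical, the keyed hash is an assumed stand-in for whatever protection the reader applies so that the card number is not held in plain text, and `authorize` stands in for the acquirer call.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key (assumption: a real reader keeps this in secure hardware).
TOKEN_KEY = b"constructed-demo-key"

def pan_token(pan):
    """Keyed hash of the card number; the clear PAN is never queued or sent."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()

class OfflineReader:
    def __init__(self, hotlist_tokens=()):
        self.hotlist = set(hotlist_tokens)  # last hotlist pulled from the back office
        self.queue = []                     # taps waiting for the next connection

    def sync_hotlist(self, hotlist_tokens):
        self.hotlist = set(hotlist_tokens)

    def tap(self, pan, card_authenticated, fare_cents, day):
        """Gate decision made locally, with no network round trip."""
        if not card_authenticated:
            return "DENY_AUTH"              # offline card authentication failed
        token = pan_token(pan)
        if token in self.hotlist:
            return "DENY_HOTLIST"
        self.queue.append({"token": token, "fare_cents": fare_cents, "day": day})
        return "ACCEPT"

    def drain(self):
        """Hand the queued taps to the back office when a connection exists."""
        batch, self.queue = self.queue, []
        return batch

def aggregate(taps):
    """Back office: total owed per (card token, day) for one delayed authorization."""
    totals = defaultdict(int)
    for t in taps:
        totals[(t["token"], t["day"])] += t["fare_cents"]
    return dict(totals)

def settle(totals, authorize):
    """Run the delayed authorizations; declined tokens form the next hotlist."""
    return {tok for (tok, _day), amt in totals.items() if not authorize(tok, amt)}

if __name__ == "__main__":
    reader = OfflineReader()
    for pan in ("4111111111111111", "4111111111111111", "5500000000000004"):
        print(reader.tap(pan, True, 275, "2024-01-01"))  # constructed test PANs
    print(aggregate(reader.drain()))
```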
The introduction of payment cards can lead to a number of areas of cost reduction. The most significant of these include the reduction of card issuance to zero, the end of dealing with issues raised around the management of a proprietary system, and the end of the card and ticket distribution networks.
A recent significant cost to Mifare Classic issuers resulted from the hack on the Crypto-1 algorithm that Mifare Classic uses to secure the data on the card. In some cases this forced an expensive migration to a more secure platform that uses publicly documented cryptographic mechanisms.
The fact is that all of these costs pass to the card issuers and the payment schemes that manage the reader and card specifications. But these are costs that they are paying now anyway — so they see benefits too!
However, you get nothing for free in this world. The cost of acceptance is interchange: the charge the schemes make for processing the payment, which is passed to the transit merchant through the acquirer.
Reader Certification is Expensive
Reader design is critical to the successful implementation of any project to accept new media. Bad design would increase the cost through unnecessary rounds of re-certification and could leave the reader more vulnerable to security attacks, denial of service or data harvesting.
The reader will be required to support numerous applications, so the software for each one — be it card detection, payment card applications such as Visa, MasterCard, AMEX, Discover, or a proprietary application — should be developed and installed separately with an approach that’s more akin to loading applications onto a mobile phone. Otherwise, changes to one application could result in a need to retest the complete reader. Also, the high cost of certification will ensure that developers seek to minimize the number of times the reader is submitted, both initially and when changes are made to specifications and code.
If the reader is, or might be, handling payments data, the implications of PCI-DSS (Payment Card Industry Data Security Standard) must be considered. Payments data cannot be held or transmitted in a format that would allow it to be intercepted in plain text form. The most secure route to compliance would be to encrypt all transactional data at source, before it is stored and transmitted.
Simon Laker is a senior consultant and Mike Burden is a commercial manager with Consult Hyperion. Both have extensive experience of working with Transport for London, the local government body responsible for most aspects of the transport system in Greater London.