Open Bank Card Payments for Transit
A Smart Card Alliance Educational Institute Workshop

Alternative Architectures
Craig Roberts
Manager, Technology Development
Utah Transit Authority

2011 Mobile and Transit Payments Summit
Marriott City Center Hotel, Salt Lake City, UT
February 15-18, 2011

Property of the Smart Card Alliance © 2011


Presentation Scope

• Describe the features, characteristics and components of account based open payment contactless fare collection systems
• Discuss options in their deployment
• Compare to traditional card based systems
• Presented from the perspective of the Utah Transit Authority’s full system deployment of an account based open payment system

Architecture

System Architecture – a formal description and representation of a system, organized in a way that supports reasoning about the structure of the system which comprises system components, the externally visible properties of those components, the relationships (e.g., the behavior) between them, and provides a plan from which products can be procured, and systems developed, that will work together to implement the overall system.

A system architecture is primarily concerned with the internal interfaces among the system's components or subsystems, and the interface between the system and its external environment, especially the user.

Source: Wikipedia


Definitions

Meaning may vary according to context

• Open systems
• Open payment
• Open source
• Closed system
• Closed loop
• Proprietary

Intersecting Cultures

• Culture defined by vocabulary (acronyms, slang, special meaning of terms)
• Here we are at the intersection of four:
  - Transit
  - Payment
  - Information technology
  - Federal
• It is never rude to ask for a definition of terms
• It is helpful if we remember to use full terms rather than initials

Contactless Smart Cards

•  Customer brings card into radio frequency (RF) field (~2 inches); “tap”

•  Powered antenna in reader powers antenna and chip in card; reader obtains data from card, may write data to card

•  Standards ISO 14443 (proximity) or ISO 15693 (vicinity); both 13.56 MHz radio frequency


Overview of a Transaction

• Present card (or medium)
• Authenticate card
• Authenticate account
• Accept card (green light; “welcome”; open gate)
• Calculate fare
• Store and forward transaction
• Transfer funds from card holder’s to agency account (settlement)

Card vs. Account Based Architectures

Card based
• E-purse
• Record of transaction and account status carried on card and mirrored in back office
• Status of fare calculation recorded on card
• Read/write

Account based
• Card as token or credential
• Card ID, time, place, service, etc. created in record and sent to back office
• Fares calculated; business rules applied in back office

Card Based Systems

• Hong Kong – Octopus
• London – Oyster
• Washington D.C. – SmartTrip
• San Francisco – Clipper
• Boston – Charlie Card
• Atlanta – Breeze
• Houston – Q

Characteristics of Card Based Systems

• Closed – agency issues and manages own media
• Proprietary systems and formats
• Network of revaluing machines
• External revaluing networks require special point of sale (POS) devices
• Fare calculations performed between card and reader; stored on card
• System can perform well without on-line communications
• Hardware/software optimized due to limitations of memory, processor speed and communications
• Fare changes require code changes on all validators
• New products require new cards
• Interagency product integration requires extensive requirements coordination

Examples of Account Based Systems

• Credit and debit cards
• Gift cards
• Loyalty card
• Building/facility access
• On-line commerce
• Ski-lift access

Characteristics of Account Based Systems

• Card as token
• Creation of record at tap
  - Authenticated card ID
  - Bus number, block number, operator number
  - Service type – local, express, BRT, etc.
  - Time stamp
  - Location – GPS coordinates and/or stop location designator
  - Encrypted track II and hash (if bank card)
• Application of business rules in back office
  - Analogous to toll collection systems
  - Taps to trips if check-in/check-out
  - Linked trips for transfers
  - Application of appropriate fares
• Fare changes made by changing a configuration table in back office
• New product programming and application development takes place in back office; does not require changes to cards and validators

Bank Issued Contactless Payment Cards

• Been in the market for about five years
• Brands
  - American Express – ExpressPay
  - Discover – Zip
  - MasterCard – PayPass
  - Visa – Pay Wave
• Jointly established standards
• Centralized device testing – individual brand certification
• Available through most banks – not aggressively promoted in most markets

Recent Conditions That Allow for Contactless Bank Card Use in Transit

• Issuance of products by banks
• New regulations re receipts and signature requirements for micro-payments
• Development of standards and certification processes
• Communications advances – fiber and wireless
• Processing speed advances
• Cheap memory

The Appeal of Open Payments for Transit Electronic Fare Collection

• Others issue payment media
• Integration with payment mainstream: payment at the fare box, gate or platform as a merchant POS transaction
• Automatic interagency interoperability
• Customer service with issuers
• Security standard
• Architecture provides flexibility in product development
• Robustness of open payments ecosystem
• Commoditization of devices
• Potential for pathway to elimination of cash
• Speed of deployment
• Cost
• Co-promotion

Third Party Pass Programs

• Third party paid passes
  - ECO
  - Ed
  - Ski
• Cards as tokens using unique identification number (UID)
• Track usage to inform negotiations with third party payers
• Preference for partner issued ID cards
• Security handshake needed as used for decrementing stored value accounts and as NFC is deployed
  - OPACITY
  - Mifare Ultralight C
  - Bank card spec
  - Contactless EMV

Federal Standard Cards

• HSPD-12: Homeland Security Presidential Directive 12
• FIPS 201: Federal Information Processing Standards Publication 201
• PIV: Personal Identity Verification
• CAC: Common Access Card
• Physical and logical access
• Contact and contactless interfaces
• Contact side has strong encryption and trust model
• Contactless side data in open
• Feds exploring additional uses of contactless interface
  - ISO 14443
• CHUID: Cardholder Unique Identifier
• PIV-I: interoperable; for non-federal entities with trust model
• PIV-C: PIV system specs without trust model
• DOT/UTA Proof of Concept – PIV acceptance as transit pass

Validator Characteristics

Validator vs. reader vs. POS (point of sale) device

Functions
• Read cards
  - Bank card only reader commoditized
  - Reading all 14443 and 15693 cards requires more capable readers, but these are available
• Create transaction records
• Encryption
• Transmit through communications links
• Receive configuration data including hot and cold lists
• Receive software updates
• Monitor diagnostics and report problems

Connections
• Operator console
• Portal from bus (wireless, wifi and 3G); fiber to platform

Hot and Cold Lists

• Also known as positive/negative or white/black
• Cold list – accept card if on list
• Hot list – reject card if on list
• Lists may reside on validator or back office

Modular vs. Integrated Approaches

• Common to deploy technology systems as turnkey projects as it is viewed as easier to manage.
• Often results in multiple devices
  - Driver consoles
  - Antennae
  - Communications
• A modular approach allows leveraging of devices for multiple uses - examples:
  - Communications
  - Communications gateways
  - Consoles
  - Data store
• Modular approach creates greater burden on agency for systems integration

Open Interfaces or APIs

• API: Application programming interface
• User owned or open interfaces among various system components allow flexibility for expanding the system and enable system additions, expansions or component replacements to occur in a competitive environment

Check-in/Check-out

• In UTA known as Tap-on/Tap-off
  - Requested of all patrons
  - Validators at all doors of buses and entry and exit to platforms
  - Must comply for transfer credit with contactless bank cards
  - 70% compliance rate
• Enables linked origination/destination data
• Needed for distance based fares
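
The back-office steps described in "Characteristics of Account Based Systems" and in this slide (a tap record carrying a hashed card ID, taps converted to trips, transfer credit only after a tap-off, fares read from a configuration table), as an added Python example that is not UTA's or any vendor's code. The HMAC key, fare amounts, two-hour transfer window and free-transfer rule are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed values for illustration: key, fares (cents) and transfer window.
TOKEN_KEY = b"demo-key-constructed"
FARE_TABLE = {"local": 200, "express": 450}  # back-office configuration table
TRANSFER_WINDOW_S = 2 * 3600

def card_token(card_number: str) -> str:
    """Keyed hash, so tap records never carry the card number itself."""
    return hmac.new(TOKEN_KEY, card_number.encode(), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class Tap:
    token: str    # hashed card ID
    ts: int       # time stamp, epoch seconds
    stop: str     # stop location designator
    service: str  # "local", "express", ...
    vehicle: str  # bus or train number

def taps_to_trips(taps):
    """Pair tap-on/tap-off per token; a tap-on with no tap-off stays open."""
    trips, open_tap = [], {}
    for tap in sorted(taps, key=lambda t: (t.token, t.ts)):
        prev = open_tap.pop(tap.token, None)
        if prev and prev.vehicle == tap.vehicle:
            trips.append({"token": tap.token, "on": prev, "off": tap})
            continue
        if prev:  # boarded another vehicle without tapping off the first
            trips.append({"token": prev.token, "on": prev, "off": None})
        open_tap[tap.token] = tap
    trips += [{"token": t.token, "on": t, "off": None} for t in open_tap.values()]
    return sorted(trips, key=lambda tr: (tr["token"], tr["on"].ts))

def price(trips):
    """Fare from the table; a boarding within the window after a tapped-off
    trip is a linked transfer (assumed free). No tap-off, no transfer credit."""
    last_off = {}
    for trip in trips:
        prev_off = last_off.pop(trip["token"], None)
        linked = prev_off is not None and trip["on"].ts - prev_off <= TRANSFER_WINDOW_S
        trip["fare"] = 0 if linked else FARE_TABLE[trip["on"].service]
        if trip["off"]:
            last_off[trip["token"]] = trip["off"].ts
    return trips
```

Changing a fare here means editing `FARE_TABLE` in the back office only; nothing on the card or validator side of the record changes.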


Real Time Validation

• Demonstrated in New York/New Jersey pilots
• Requires advanced wireless communications for buses
• Needed for account authentication
• Balance check for prepaid
• Stand-in authorization for bank cards
• Improves reliability of hot and cold lists
• UTA uses near-real-time approach, working to add real-time

Back Office

• Account based systems typically require continuous direct connection via internet; card based systems use a hierarchy of servers (station, depot, agency, interagency)
• Use of hosted back office
  - Simplifies PCI compliance
  - Insulates agency personnel from sensitive data
  - Customer service?
• Conversion to taps to trips
• Business rules, e.g., transfers
• Fare calculation engine
• Account management
• External vs. internal
• Web services
• Settlement through acquiring bank

NFC

• Near field communications for mobile payment
• Embedding contactless payment applications in mobile phones
• Systems that can accept contactless open payment brands should work without modification
• Interest in card based legacy systems for development of special payment apps to support their architectures

Inspection

• Challenge for proof of payment, open platform systems – light rail and commuter rail
• Card based systems have payment history on card that can be verified with handheld device
• Account based systems require interrogation of back office to determine compliance
• No off the shelf device
• Tradeoffs with inspection speed requirement, weight and battery life
• NFC device advances show promise
• UTA in development of second iteration to have a satisfactory device

Multiagency Integration and Post Deployment Partnerships

• Different agencies in a region can deploy account based/open payment system separately and subsequently connect or integrate back offices with shared fares or business rules
• Opportunity to link with toll collection and parking
• Prepaid, gift card and third party account management arrangements can also be added

• Maximize at every level
• Needed post award as much as pre award
• Modularize and use open interfaces
• The problem of being owned by your vendor

Privacy

• Should address privacy policies and values up front, discuss publicly, and incorporate into system design

UTA approach
• UTA values the linked origination-destination data enabled by this system for service evaluation and planning
• But does not need or want to know who is traveling
• Third party payers keep identities of who is authorized to ride
• Third party payers should not need information of who made what trips
• Contractor to separately maintain records and processes for credit/debit processing, application of business rules for prepaid or registered accounts and PCI assurance

Agency Approaches to Transition to Open Payment

• Some agencies have requested card based/open payment solutions in their requests for proposal
• To date, plans for deployments for open payments in Utah, Philadelphia, Chicago, Washington D.C. and New York appear to be replacement of legacy systems with pure account based approaches rather than integration with them
• Unclear as to the difficulty of deploying hybrids or retrofitting open payment into card based systems

Thank you.
