As issuing banks in the United States consider how to migrate from magnetic stripe card to EMV, it’s important to consider the lessons learned from similar projects. “EMV” comes from Europay, MasterCard and Visa, the companies that initiated development of a global standard for credit and debit cards based on chip card technology in 1994.
Public transit ticketing has come a long way over the last 30 years, moving from printed paper-based tickets and magnetic stripe to smart cards in Europe, to NFC-enabled mobile phones in the Far East. However, these are usually in the form of proprietary schemes developed by a single supplier, within a closed network, which require considerable capital investment and have substantial operating costs.
As technology has developed in other sectors, most noticeably through mobile communications and the switch to contactless cards in the banking industry, opportunities are opening up for operators to make public transport ticketing more convenient for users and cheaper to run. They also offer new ways of collecting revenue, breaking away from traditional ticketing methods and their inherent constraints.
Public transit operators are already appreciating the benefits of smart card ticketing, including faster gate entry or boarding, particularly at peak times. Ticket selling is also more cost-effective with a wider range of sales outlets, including the Internet, while the security advantages over magnetic stripe and paper tickets have helped to cut known fraud and highlight other fraud. More information is also available about passenger movements, allowing operators to refine their services and offer loyalty products.
However, customer expectations are changing rapidly. Online retail has changed consumer buying habits and there is an expectation that all transactions can be undertaken in a fast, customer-friendly way. Standing in a queue at a ticket machine does not fit this model. Therefore, leading U.S. transit operators such as MTA, CTA and WMATA are beginning to look at a new generation of open payment systems.
From Owners to Merchants
By moving to open payments, operators would become “merchants” participating in a bank-led scheme rather than owners of a dedicated ticketing infrastructure. This could reduce costs through the use of off-the-shelf equipment from a range of suppliers, rather than bespoke equipment made to proprietary specifications.
In all the cases discussed so far, with the exception of cash, the means to distribute the travel token has had to be considered as part of the process in deciding the media type used. This broader consideration of issuing tickets, printing or personalizing them with products, and accepting them at the point of entry is far removed from the transit operator’s primary objective of running buses, trains, subways and trams.
Payment cards offer the transit authority the opportunity of relinquishing the distraction of card issuance and focuses its time on running transit systems and accepting cards.
But what is the best way of achieving this? In the United States, the contactless magnetic stripe card is ubiquitous and introduces significant challenges in acceptance for transit merchants where there are tight transaction time constraints, and, without the right level of transaction authorization, fraud could be rife.
Introduction of EMV schemes can dramatically change the concept of ticket purchase, offering more sophisticated facilities that take advantage of being able to verify the cards’ authenticity at the gate before entry.
There are a variety differences between magnetic stripe contactless cards and contactless EMV and what it means for a transit operator.
Magnetic Stripe Data Cards
Contactless payment cards, widely issued in the United States, fundamentally work in the same way as standard magnetic stripe cards except that instead of swiping the card through a reader, the card can be tapped against a reader that activates the electronic circuit within the card enabling data transfer. As for traditional magnetic stripe cards, the security of the contactless cards is minimal and the only way for a merchant to guarantee funds is to authorize the transaction with the issuer online.
In the world of retail, where the cardholder presents the goods they wish to purchase to the cashier who totals the goods and processes the payment, this all works very well since, without a successful authorization from the issuer, the cardholder doesn’t get his goods! But take that card into any other environment, especially transit, and the experience — and risks — are very different.
One of the benefits of the contactless magnetic stripe is its fast transaction speed: it takes just around 200 milliseconds to complete the transaction. This is comparable with proprietary technologies and significantly faster than EMV cards. However, this is only a 10th of the story, as we’ve previously discussed. The “real” transaction is performed with the issuer while the cardholder waits for a response. This is a real problem for operators who are demanding fast transaction times to meet throughput and safety requirements at the same time as managing the risk of a not completing a fully authorized transaction.
There is some mitigation to this problem. The first is to rely on high-speed communication networks, both fixed and cellular, to pass the authorization request and response to and from the issuer while the cardholder waits at the bus or subway entrance. But are these networks reliable enough? What happens if an engineer drills through a cable? What guarantees payment if the cellular network is down in the area the bus is picking up passengers? Or if there is a power outage? Or if lightning strikes? The point is — there are no guarantees.
The other option is to get cardholders to pre-register. They would register via the transit operator’s website, where suitable authorizations and address verifications could be carried out in advance of travel and when successful, the card number can be added to a white list that is held on the readers. This certainly is the most resilient and risk-free method, but how can it support the traveler who wants to turn up and travel. The walker, who is caught in a rain shower?
So this doesn’t really have the feel of a 21st-century solution. It can only end up forcing passengers back to queuing up for paper tickets as they demand an instant solution to their immediate need to travel.
So are we are left with trying to perform end-to-end transactions at the point of entry? This seems to be the solution so far employed by some transit operators who have had to build the additional pre-registration systems or who have specific agreements with single issuers for acceptance.
If that’s not enough for transit operators to worry about, the stability of the magnetic strip payment mechanism is definitely more in question now than it has ever been with data breaches at Heartland and TJ Maxx and the resultant fraudulent use of the magnetic stripe card data signaling the start of the end of the technology.
So What’s Next?
Some commentators talk about the impending use of mobile technology as the future of payments, however, a mobile device on its own does not have the capability to perform payments without an application to carry it out. In this space we are starting to see the modern IT giants PayPal and Google presenting their ideas on a modern payments network in competition with the established technologies of the traditional banking industry, EMV.
Contactless EMV cards, issued widely in Canada, Mexico and much of Europe, have been developed with offline capabilities. That is, the card does not require online authorization for the merchant to be guaranteed funds; the card has the capability of authorizing small amounts offline.
So why are merchants in the United States demanding migration? Primarily, this is due to the reduction in card fraud EMV delivers against magnetic stripe. In the United Kingdom, the Payments association has reported a dramatic drop in fraud: "Fraud on lost and stolen cards is now at its lowest level for two decades and counterfeit card fraud losses have also fallen and are at their lowest level since 1999. Losses at U.K. retailers have fallen by 67 percent since 2004; lost and stolen card fraud fell by 58 percent between 2004 and 2009; and mail non-receipt fraud has fallen by 91 percent since 2004."
In Australia, a recent adopter of EMV, reductions on skimming fraud of 25 percent and a 50 percent drop in fraud on overseas cards has vindicated the adoption of EMV.
The opportunity to perform offline transactions is really beneficial for transit operators who are now able to assure that they are at the very least dealing with a genuine card through the offline authentication method. The majority of contactless EMV cards are now issued supporting the highest level of dynamic data authentication.
On the flip side, the card reader interaction time with EMV cards does take longer than the equivalent time taken for magnetic stripe. However, compared with the end-to-end transaction time required to authorize a magnetic stripe, EMV offers a comparable alternative.
The payments schemes have also specified a data area that can be used by merchants to record tap data in the future. This could be used in the transit space for capping calculations, other payment models and revenue inspection.
What Should Transit Operators Do?
New merchants in the United States, including transit operators, are now caught in limbo and waiting to see if and when the EMV acceptance finally comes. Migration will have to be driven either by overwhelming merchant demand, which as we have seen has already started, and/or government directive, where some banks are pushing the Fed to act.
Either way, sooner or later, it seems likely that EMV will come to the United States. Without EMV, the United States opens itself up to all card fraud as it migrates away from EMV-adopting areas to the weakest link in the payments chain. Therefore, the message for transit operators thinking about rolling out payment card adoption is: “Go EMV capable now!”
EMV capable readers are also capable of reading contactless magnetic stripe cards. All payment readers have to be capable of communicating with cards of the least common denominator and therefore, the benefits on EMV can be realized now at the same time as meeting the needs of most of your customers who are still on existing technology cards. Those cards that are issued as EMV in the United States or come visiting from overseas can be authenticated, thereby guaranteeing to the transit operator that it is a genuine card from a genuine issuer, while magnetic stripe cards request the existing online mechanisms.
Of course these readers will be more expensive than standard magnetic stripe readers; they are capable of advanced cryptographic functions — but wait. Actually all modern reader should have these capabilities now due to the requirements of PCI-DSS to encrypt all payment-related data. Therefore, why pay more for EMV + Magnetic Stripe + PCI when Magnetic Stripe + PCI fundamentally have the same core cryptographic functions?
Transaction Models
Three key areas to consider when designing a new ticketing infrastructure are the scope of the network, interoperability and the likely cost savings. Urban operators have different priorities to their inter-urban or rural counterparts. Speed and self-service are both key in the urban environment, while inter-urban operators need to offer a greater range of customer-focused products and services, perhaps including integrated ticketing with connecting urban or rural services.
“Pre-issued” media, such as the bank credit or debit cards, offer the opportunity to develop a ticketing or payment strategy with zero issuance costs, making use of a device that the passenger already carries and which is fully interoperable worldwide. But current payment cards are read-only. As a result, transaction data, value top-ups and ticketing products cannot be stored on the card. Plans are in place to introduce payment cards that can hold transient data, supporting possible future ticketing applications. Meanwhile, the operator can choose to use the card to collect a payment at the “point of tap” or sometime later. In this case, a new “middle-office” infrastructure would collect the taps and charge an “end-of-day” amount.
Mifare media, used in a closed network, can use the card as the primary device and maintain shadow data in the back office. In this case, all tickets and value are held on the card and the fare calculation is carried out by the reader at every tap. If payment cards are selected, two basic options are available. In a reader-focused model, a payment transaction is performed and value is taken from the card’s offline balance. At the end of the day, the transactions are settled via a merchant acquirer. In a back-office model, the tap would authenticate the card and harvest payment data, but the real transaction would be performed later, after the fare had been calculated.
Another important consideration is the communications requirements. Can the reader be offline or does it need a direct fast connection to a back-office system? All of the models discussed could operate in either mode, although the primary benefit of the card-based mode is to operate completely offline. The reader and middle-office models can also work offline, but they may need occasional network access to pass data, such as a hotlist to manage fraud and payment card authorization requests.
Once EMV technology is available to the transit operators there are a number of models available to meet the fares policy in operation. Simple, fixed-fare implementations (on buses for example) could just offline authorize against the balance on the card. Conversely, complex transit agencies such as MTA in New York and BART in San Francisco would need to use the authenticated tap as an ID and perform delayed online authorizations and aggregations.
Operational Costs
The introduction of payment cards can lead to a number of areas of cost reduction. The most significant of these include the reduction of card issuance to zero, the end of dealing with issues raised around the management of a proprietary system, and the end of the card and ticket distribution networks.
A recent significant cost to Mifare classic issuers was as a result of the hack on the Mifare Crypto-1 algorithm that is used to secure the data on the card. This forced expensive migration in some cases to a more secure platform utilizing publicized cryptographic mechanisms.
The fact is that all of these costs pass to the card issuers and the payment schemes that manage the reader and card specifications. But these are costs that they are paying now anyway — so they see benefits too!
However, you get nothing for free in this world. The cost of acceptance is interchange, which is the charge the schemes make for processing the payment that is passed to the transit merchant through the acquirer.
Reader Certification is Expensive
Reader design is critical to the successful implementation of any project to accept new media. Bad design would increase the cost through unnecessary rounds of re-certification and could affect its vulnerability to security attacks, service denial or data harvesting.
The reader will be required to support numerous applications, so the software for each one — be it card detection, payment card applications such as Visa, MasterCard, AMEX, Discover, or a proprietary application — should be developed and installed separately with an approach that’s more akin to loading applications onto a mobile phone. Otherwise, changes to one application could result in a need to retest the complete reader. Also, the high cost of certification will ensure that developers seek to minimize the number of times the reader is submitted, both initially and when changes are made to specifications and code.
If the reader is, or might be, handling payments data, the implications of PCI-DSS (Payment Card Industry Data Security Standard) must be considered. Payments data cannot be held or transmitted in a format that would allow it to be intercepted in plain text form. The most secure method for securing compliance would be to encrypt all transactional data at source before it is stored and transmitted.
Lessons from London: From Oyster to EMV
Even with all this information, how can operators know that everything will work to specification and that transactions will not take minutes instead of milliseconds? The answer is to prototype the system and test the more complex processing which the reader must undertake. This includes activating the card and selecting the correct application, deny-list processing, and any other management processes required to meet PCI-DSS. This is the time to make mistakes and fix them.
There are still many challenges to implement readers that are capable of accepting cards from several schemes as contactless EMV is introduced and older technologies are phased out. Some transit operators, such as UTA, have successfully implemented open payments and other operators, such as Transport for London, are getting close to the point of implementation and will start to test their propositions shortly.
As the convergence of payment methods begins, bringing together payment card schemes and transport operators, there are many institutional issues that need to be addressed. But in the long term, convergence will produce benefits for all stakeholders and passengers. And, once this has been successfully addressed, it may be time to look at the next steps and get to grips with implementing NFC.
Simon Laker is a senior consultant and Mike Burden is a commercial manager with Consult Hyperion and have extensive experience of working with Transport for London, the local government body responsible for most aspects of the transport system in Greater London.