VR Blog Thumbnail

A special guest post from Consult Hyperion Associate Victoria Richardson. As she points out with this vivid example, sometimes money can be the new identity.

I’m a big fan of City Car Club. I don’t have a car because mostly, I don’t need one as I’m a short walk to trains and buses. But City Car Club fits the bill for occasions where it’s just easier to travel by car. As well as being super convenient for people like me living the suburban dream, it makes a great case study about how payment and identity services are evolving in the UK.

The sign up process is the trickiest part and somewhat insightful as to the challenges that businesses face if they want to remotely verify specific customer attributes. Before letting me loose on the roads in one of their cars, clearly City Car Club needs to know whether I have a valid driver’s license and how many points I have on this license. They do this by setting up a three-way call with DVLA. City Car Club calls me, then they patch in DVLA and I agree to DVLA divulging information about my driver’s license. This must be a hugely costly process for City Card Club and one that will surely be replaced by a digital process, just as soon as Gov.UK Verify gets going.

Once you get over the clunky sign up process (which is no fault of City Car Club’s), it’s plain sailing. Using the slick app, which is protected by a four digit passcode, you select the location of the car you want (there are three within a few minutes walk of my house), the date and start/finish time and that’s it. As you’ve already linked a credit card to your account at sign up, there’s no additional payment step. Your card is charged at the end of your journey once a final calculation has been made, based on the actual length of the booking (you can extend a booking from the app if you need extra time) and mileage.


Accessing the car is simple too. City Car Club sends you a contactless membership card through the post and this is how you unlock the car. There’s a contactless reader fixed to the inside of the windscreen, which you tap with your card. Once inside the car, you open the glove compartment, tap your passcode into a nifty piece of hardware which releases the physical key to the car and also lets City Car Club remotely control the car. In City Car Club lingo it’s the “onboard computer”.

What makes City Car Club so interesting from a payment card perspective though is that (as I discovered last weekend in a moment of panic when I realised three minutes before my booking was due to start, that of course I had lost my membership card) anything with a standard contactless interface (i.e., ISO/IEC 14443) can be used to open the car (once it has been linked to your account of course). So now my RBS debit card is the key to my City Car Club but I could equally have used my Oyster Card.

The customer experience here is great. There’s no replacement membership card fee (for me or City Car Club) and no delay waiting for a new card to come through the post. In order to set my debit card as the key to the car, I pressed “phone Clubhouse”. I told City Card Club that I had lost my membership card and they logged this against my account. Then, when I got to the car, I simply tapped my contactless debit card on the windscreen and the card reader took the serial number of the chip, and associated the card with my account. Once inside the car I punched my passcode into the “onboard computer”, confirming the link between me and the card.

It’s hugely encouraging to see new services built on the existing payments infrastructure that deliver a better customer experience as well as cost savings to the service provider. Now I’m just waiting for it all to end up on my phone, with some magic from Apple Pay.


  1. Great initiative by the City Car Club. One question about the details, though… what did you have to tell them in order for this to work? Your card PAN? If so, does that 1) mean they have PCI-DSS obligations? 2) mean that the RBS Debit Card is providing the PAN when used over a contactless mode? I’d always assumed issuers implemented a “poor-man’s” tokenisation and put a different number in the contactless chip to the one embossed on the front – that they then tied back to your account at their end. But perhaps not?

    Or perhaps there’s some other way of making it work?

    Wondering if it would work if/when tokenisation is more broadly rolled out?

  2. Richard, I didn’t have to tell CCC the PAN so no compliance issues. The reader just reads the serial number on the chip.

Leave a Reply

Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this:
Verified by MonsterInsights