Wombling free

You all watch Only Connect, right? I was amazed to see a question I knew the answer to due to our nerdiness in specifying the software for Transport for London’s Tri-reader that works with Oyster, contactless EMV and even ITSO.

The question was, what do the following have in common (see image)?

Only Connect TfL Underground

Four clues are revealed one by one. The sooner you supply the link, the more points you get. All four were revealed and no-one knew the answer.  As the image shows, London Underground gate error codes, was the answer. COME ON GUYS!

Technology roadmapping

In 2005 when we performed an update to our biometrics and identification technology roadmap for the UK police, body odour was a ‘technology’ that was looking interesting, but not mature enough. The idea was that if dogs can do it, why might it not be automated. And identical twins have a unique smell, apparently.

Police biometrics techs 2005

We identified policing applications of biometrics and identification technologies, one of which was automated identification of police officers. At that time, each Force had it’s own warrant cards (so there was no confidence in what they should look like) and there was no way of using them with machines to authenticate the cardholder as an ‘officer of the lieu’ and grant them access to building and machines.

Automated identification of police officers

We foresaw the benefits of a national police warrant smart card and were retained to specify the standard which is used today across the Forces.

More recently, the technology roadmapping I have been involved in has been for transport applications. As well as the usual technologies in this space (mobile apps with 2-D bar-code; contactless payment cards; NFC mobile devices emulating contactless cards) we have also been thinking about more interesting stuff. Such as USB contactless readers used at home for fulfilment of tickets or value direct to smart cards. Or mobile devices with Bluetooth Low Energy (BLE) interacting with beacons waking the app up to present the appropriate form of ticket for the time and place. And, or course, NFC devices with the Host Card Emulation (HCE) API allowing them to escape the tyranny of the Secure Element (SE) and Trusted Service Managers (TSMs).

You’ll not be surprised to hear that we are still tracking the technology of person identification via body odour. I look forward to being sniffed by a transit gate before being allowed onto the train platform in the near future.

Managing the join

Since 2008 we have been working with Transport for London to allow contactless payment cards (CPCs) to be accepted wherever Oyster cards are accepted. This was first achieved in December 2012 on buses (which are flat fare in London) using a retail payment model. The next step was to introduce a distance-based payment model to allow all the other transport modes to be included which have zoned fares. This was launched in September 2014.

All the convenience of Oyster (such as not having to queue to buy tickets and fares capping so that you do not need to understand the fares structure) but using a card already in your pocket. Whether you are local or just visiting. But this is for London only. And the solution is based on a risk model that knows the maximum charge for a single journey is not very much. The delivery of such a solution relies on the intelligence migrating from the card to the back office. TfL’s back office to allow acceptance of CPCs for transit is complex and took several years to build.

In early 2012 the TfL payment and security models for contactless payment card acceptance in London where pretty much complete and the rest was ‘mere implementation’. TfL asked us to help them consider how it might work if they offered their back office as a service to transport operators outside of London. These might be in the UK, or potentially anywhere in the world (though different payment model are likely to apply outside of the UK). We discussed at length the notion of using your ‘card as a token’, be it a payment card, Oyster, ITSO or, potentially, other secure contactless tokens. Eventually, the ideas were parked to allow TfL to focus on delivery of the system for London in conditions of extreme austerity.

Meanwhile, we were hired by the SEFT (South East Flexible Ticketing) programme to specify the rail validators that could accept ITSO as well as contactless payment cards. At the time, Transport for Greater Manchester was just starting to procure such a back office for their region. We pointed out to SEFT that this CPC back-office-for-tranist stuff is complex and not standardised. It was therefore decided to not include any interfaces to the payment card back office at that time and the SEFT validator specification was ‘mothballed’ for the time being.

Spare a thought for the traveller buying long-distance rail tickets that include travel within the London area. London supports Oyster and CPCs (and a few specific train operator ITSO products, but not many at this point in time). Some train operating companies are implementing 2-D barcode, and some are trying ITSO. But the only technology commonly read across the UK currently and for the foreseeable future is the cardboard ticket with magnetic stripe. Basically, any ticketing innovation is scuppered at the boundary between London and the rest of the UK. This problem is what our friends at Trainline call ‘managing the join’.

Hopes for contactless payment being accepted for transit outside of London were recently dashed with the announcement that Transport for Greater Manchester has sacked their back office supplier. And anyway, it has been speculated that CPCs only work within London because London is a special case and it could not work anywhere else because the operators will not co-operate and/or the fares are too high for the risk model to work.

Enter the cavalry in the form of the UK Cards Association. They are leading a project with the Department for Transport and others (including representing train and bus operators) to develop a contactless transit framework for the UK by the end of 2015. The project to date has identified three contactless transit models:

  • Standard retail model for transit: pay as you go model with a known fare, for buses and trams (like TfL bus retail model).
  • Contactless for transit model: pay as you go model where the fare is aggregated at the end of the day or journey leg, for multi-mode operators (like TfL distance-based model).
  • Card as Authority to Travel (CAATT) model: pre-purchase model.

This last model could be just what we need for ‘card as a token’ or ‘managing the join’ as we have called it. The idea is the customer:

  1. Purchases their ticket online and associates it with their CPC.
  2. Can view their purchase on their statement.
  3. Uses their CPC as their ticket on a train.

Watch this space …

Secure-enough transit mobile ticketing

ITSO with HCE app and Handy

This year, I’ve been mostly working on ITSO ticketing in NFC mobiles devices with HCE and without secure elements. ITSO is the e-ticketing specification supported by the Department for Transport in the UK.

So far, high level design, risk analysis and proof of concept have been carried out by our team. Suitable controls are being developed. We are heading towards a trial this year on live schemes. More details to follow in next few weeks. But for now, see page 10 of the latest ITSO News.

 

Bring Your Own Token

I’ve just attended the Smartex Transport Card Forum (TCF) 2014 annual two-day event where I was presenting. The first day was about requirements and we heard from Passenger Focus that customer convenience is high on the list. Over and over we heard others repeating that convenience is a key requirement. At the end of day 1 I took a stroll through Oxford for half an hour and then caught a bus to my hotel. As the bus approached, I realised that I might be in trouble. Three or four smart card emblems were on display in the window, none of which I recognised. I boarded the bus and asked whether they accept cash. “Yes,” was the reply. I tendered my Scottish £10 note. “But not those,” he said. “We used to, but our systems no longer accept them. The other bus company might take them.”

Not having the energy to argue, and feeling a very inconvenienced customer indeed, I got off and continued to walk until I found a taxi happy to take my £10. In fact, none of the taxi drivers I used over the last two days batted an eyelid at the dazzling array of Scottish notes I tendered. I joked with one of them that no-one knows what Scottish notes should look like, so I make them myself at home in Edinburgh. He asked if he could borrow the machine, but he was not inclined to refuse my money.

The next day, the morning started with presentations from suppliers about how they are starting to roll out remote download of smart tickets to ITSO cards. If you find one of the suppliers’s terminals (or you have registered and have one of their contactless readers installed on your PC) and you have obtained the right operator’s card, you can have the ‘convenience’ of not having to buy or collect a ticket immediately before boarding. Basically, this is aimed at the frequent traveller in restricted geographical areas and seems to deliver Oyster-like convenience. And in addition, this could be extended to long-distance rail, something not offered by Oyster.

Right now, Transport for London (TfL) offers what I would term Choose Your Own Token (CYOT). You can travel anywhere on the Oyster network (bus and all forms of rail: tube, train, DLR, tram) using either an Oyster card or a contactless payment card. You don’t need to worry how much the journey costs and you are guaranteed to be charged the best fare and that will be capped after a certain amount of travel within a certain time period. None of the details of which I need to know; you simply trust TfL to always give you the best deal.

Now that’s what I call convenience — unless you neither have an Oyster card nor a contactless payment card. Or you happen to be outside of London, say, in Oxford, trying to board a bus with Scottish money. So, no, we are not really close to general customer convenience.

There are examples of existing tokens already being used to access multiple services, which include:

  • Utah ski pass being accepted on local buses during the validity period of the ski pass. The Super Pass includes round-trip travel on UTA ski buses and TRAX light rail. To gain free access on UTA Ski Buses and TRAX light rail it is necessary to both tap in and tap out with the Super Pass card.
  • Larger cities in Estonia allow residents to purchase “virtual” transportation tickets linked to their ID cards. Period tickets can be bought at public kiosks. Customers have the option of e-mail or SMS notification when the ticket is about to expire, or of setting up automatic renewal. To use the virtual ticket, customers must carry their ID card with them whenever they use public transport. During a routine ticket check, users are asked to present their ID card, which is then inserted into a special device. Ticket information is stored in a central database, not on the ID card itself. Thus, to order a ticket, it is not necessary to have an ID-card reader.
  • British Columbian driving licence being used to access various government services such as health.
  • In the next phase of TfL’s Ticketing Project (FTP), TfL plans to allow season pass holders to associate a contactless payment card with the season pass. This will be their first us of payment cards as tokens and will mean that the customer will not need to also carry an Oyster card.

However, again, these all rely upon the customer obtaining the appropriate token that is accepted, whereas the real convenience vision I have for a country such as the UK which may never have a national electronic ID (eID), is what I call Bring Your Own Token (BYOT). Certain standardised tokens that meet common security requirements and we all carry anyway would be used to prove to any merchant that we are good to pay for their services, or we are eligible for them. I don’t care what that token happens to be, so long as I have one with me at all times. I don’t expect all other customers to use the same token as me and I have a vision of a variety of such tokens being accepted and there being a central service (in the cloud, of course) which all merchants or service providers use to verify eligibility of the token.

Some say that it would be impossible to get all the parties to agree to sign up to such a central token verification service. And to them I say, look at TfL. After several years of negotiation with the Train Operating Companies (TOCs) operating in the London area, agreement was achieved that TfL collects all the Oyster or contactless payment card ‘taps’ on Oyster readers for trains, calculates the journey, deduces the fare payable by the customer, collects the fare from the customer and distributes the portion of the fare due to the TOCs.

It is no longer tenable to say TfL achievements are only possible because London operators are regulated. The TOCs are deregulated and they have agreed to trust TfL to reimburse them fairly without knowing how many journeys passengers have actually made using Oyster or payment cards. Like the taxi drivers, the TOCs would rather be paid than not, unlike the bus operator in Oxford.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.