From lists at internetpolicyagency.com Tue Sep 9 19:45:12 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 9 Sep 2014 19:45:12 +0100
Subject: Transaction data stored on Contactless Credit Cards
Message-ID:

Now that Contactless Credit cards are being used as a way for paying for travel ticketing (for example by Transport for London getting sent a series of "swipes" that represent transitioning ticket gates at various tube stations, then working out what fare to charge as an overnight batch job) a question arises about what information travelling ticket inspectors might have access to - if equipped with suitable readers.

When a Contactless Credit card is used, does the protocol include storing *on the card* details of where and when it was last[1] used (eg: entering the tube at Kings Cross, 19:38pm today) so that this can be used to verify that the person proffering the card is apparently following the rules?

As a secondary issue, does a T&C displayed in TFL's basement behind a sign saying "beware of the Leopard" have full legal force when people start using this payment method - specifically the way in which they claim permission to make unspecified charges in the future.

Or is this also covered by something in the Card Company's T&C with the user - along the lines of "Your contactless card is in effect a blank cheque for any merchant you wave it at".

    "When you touch your contactless payment card on a yellow [formerly Oyster -ed] card reader, or a portable card reader held by staff, you are authorising TfL to charge the cost of your journey, including any unpaid fares, to your card account."

[1] FSVO "last", eg just the one most recent, or perhaps the most recent N transactions.
-- 
Roland Perry

From pwt at iosis.co.uk Tue Sep 9 20:07:43 2014
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 09 Sep 2014 20:07:43 +0100
Subject: Transaction data stored on Contactless Credit Cards
In-Reply-To:
References:
Message-ID: <540F4FFF.6060602@iosis.co.uk>

Roland,

TfL (and you) cannot write anything to a basic credit or debit card issued by your bank.

Please don't get confused with prepaid bank issued cards of the sort that are a store of value. Or with ITSO spec cards that can have prepaid travel tokens loaded onto them (those tokens are known as Stored Travel Rights in ITSO speak).

TfL is not currently accepting ITSO cards but might in the near future accept ITSO spec ENCTS [1] bus passes at Oyster readers (at the moment we just wave the cards as we get on the bus in London, or show them to an inspector).

Peter Tomlinson

[1] English National Concessionary Travel scheme, implemented on English buses outside London (Scotland and Wales have their own equivalent schemes).

On 09/09/2014 19:45, Roland Perry wrote:
> Now that Contactless Credit cards are being used as a way for paying for
> travel ticketing (for example by Transport for London getting sent a
> series of "swipes" that represent transitioning ticket gates at various
> tube stations, then working out what fare to charge as an overnight
> batch job) a question arises about what information travelling ticket
> inspectors might have access to - if equipped with suitable readers.
>
> When a Contactless Credit card is used, does the protocol include
> storing *on the card* details of where and when it was last[1] used (eg:
> entering the tube at Kings Cross, 19:38pm today) so that this can be
> used to verify that the person proffering the card is apparently
> following the rules?
>
> As a secondary issue, does a T&C displayed in TFL's basement behind a
> sign saying "beware of the Leopard" have full legal force when people
> start using this payment method - specifically the way in which they
> claim permission to make unspecified charges in the future.
>
> Or is this also covered by something in the Card Company's T&C with the
> user - along the lines of "Your contactless card is in effect a blank
> cheque for any merchant you wave it at".
>
> "When you touch your contactless payment card on a yellow
> [formerly Oyster -ed] card reader, or a portable card reader
> held by staff, you are authorising TfL to charge the cost of
> your journey, including any unpaid fares, to your card account."
>
> [1] FSVO "last", eg just the one most recent, or perhaps the most
> recent N transactions.

From lists at internetpolicyagency.com Tue Sep 9 21:28:35 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 9 Sep 2014 21:28:35 +0100
Subject: Transaction data stored on Contactless Credit Cards
In-Reply-To: <540F4FFF.6060602@iosis.co.uk>
References: <540F4FFF.6060602@iosis.co.uk>
Message-ID:

In article <540F4FFF.6060602 at iosis.co.uk>, Peter Tomlinson writes
>TfL (and you) cannot write anything to a basic credit or debit card
>issued by your bank.
>
>Please don't get confused with prepaid bank issued cards of the sort
>that are a store of value. Or with ITSO spec cards that can have
>prepaid travel tokens loaded onto them (those tokens are known as
>Stored Travel Rights in ITSO speak).

I'm not. My question is about the perfectly standard (and issued pretty much as standard for the last couple of years) Contactless Credit/Debit card. No "product" loaded on it, but simply used as a token to track the journeys a holder makes and send him a post-processed bill overnight.

>TfL is not currently accepting ITSO cards

Digressing slightly, I'm told they *are* now accepting Travelcards loaded onto Southern's ITSO card (branded "the Key").
This is very late - such acceptance [ITSO on Prestige] has been announced as imminent for a long time - but has always been expected to happen.

What I think I know from reading ITSO specifications is that in order for the contactless transaction to take place in the sub-second window that travellers expect there isn't time to *both* read the card's credentials *and* write any kind of transaction data *back* to the card.

What I'm interested in today is whether the same applies to contactless credit cards, or as you hint whether it's *philosophically* banned as well as being a potential breach of the rules of physics.

>but might in the near future accept ITSO spec ENCTS [1] bus passes at
>Oyster readers (at the moment we just wave the cards as we get on the
>bus in London, or show them to an inspector).

That's a different project I expect.

ps Again digressing slightly, it's commonly understood that contactless cards require PIN to be used 'at random', or is that 'every ~N transactions' and I've even seen 'on the first transaction, and then sporadically afterwards'. Is the usage data which would trigger such a PIN request a result of things written and re-written to the card, or only a result of a very-real-time authorisation request [and refusal pending PIN] to the issuer?

The rules for transport tickets on contactless are laxer, of course, because the (eg) TfL gates don't have a PIN pad on them. The other side of the coin is that fraudulent transport use doesn't cost them any tangible money, because the trains/buses were running anyway. But if you were buying a cup of coffee, then it costs the merchant something tangible to provide.
-- 
Roland Perry

From pwt at iosis.co.uk Tue Sep 9 22:06:52 2014
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 09 Sep 2014 22:06:52 +0100
Subject: Transaction data stored on Contactless Credit Cards
In-Reply-To:
References: <540F4FFF.6060602@iosis.co.uk>
Message-ID: <540F6BEC.6090102@iosis.co.uk>

An ITSO transaction very often involves both read and write to the card, particularly when you have pre-purchased a ticket and the gate has to mark it as 'in use'. ITSO reads the entire ticket, checks its signature, writes back if necessary. ITSO terminals have a SAM.

Peter

On 09/09/2014 21:28, Roland Perry wrote:
> What I think I know from reading ITSO specifications is that in order
> for the contactless transaction to take place in the sub-second window
> that travellers expect there isn't time to *both* read the card's
> credentials *and* write any kind of transaction data *back* to the card.

From lists at internetpolicyagency.com Wed Sep 10 09:01:50 2014
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 10 Sep 2014 09:01:50 +0100
Subject: Transaction data stored on Contactless Credit Cards
In-Reply-To: <540F6BEC.6090102@iosis.co.uk>
References: <540F4FFF.6060602@iosis.co.uk> <540F6BEC.6090102@iosis.co.uk>
Message-ID:

In article <540F6BEC.6090102 at iosis.co.uk>, Peter Tomlinson writes
>
>On 09/09/2014 21:28, Roland Perry wrote:
>> What I think I know from reading ITSO specifications is that in order
>>for the contactless transaction to take place in the sub-second window
>>that travellers expect there isn't time to *both* read the card's
>>credentials *and* write any kind of transaction data *back* to the card.
>
>An ITSO transaction very often involves both read and write to the
>card, particularly when you have pre-purchased a ticket and the gate
>has to mark it as 'in use'. ITSO reads the entire ticket, checks its
>signature, writes back if necessary. ITSO terminals have a SAM.

That makes sense, as does taking money from an ITSO "purse".
But I nevertheless have a strong recollection of reading a technical document which said that ticket barriers didn't have time to do two sets of handshakes (one to read and the other to write). Perhaps that was CPC after all - although it's understandable if banks don't want "other people" writing to "their" card; but the whole CPC-for-travel thing is a bit of a leap in the dark when it comes to trust between the three parties involved.

If it helps, information dribbling out from train companies (such as C2C) about ITSO currently indicates that if you have more than one pre-purchased ticket on the card then their gates will only use them in the order they were purchased, which sounds like a way to simplify that decision. However, even then that "first bought" ticket is going to have to be marked as 'used' at some point.

ps Regarding ITSO on Prestige, I found this just now:

    "Will the key smartcard work in London?

    "Yes, the existing London Oyster card system has been updated to also accept the key for travel. From 20th August 2014 you will be able load a Travelcard onto the key for use on National Rail, London Underground, DLR and buses."

-- 
Roland Perry

From pwt at iosis.co.uk Wed Sep 10 10:27:59 2014
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Wed, 10 Sep 2014 10:27:59 +0100
Subject: Transaction data stored on Contactless Credit Cards
In-Reply-To:
References: <540F4FFF.6060602@iosis.co.uk> <540F6BEC.6090102@iosis.co.uk>
Message-ID: <5410199F.5090200@iosis.co.uk>

Roland,

Lots of the work on the ITSO methodology has been done in a volunteer capacity, and it was really only 2 years ago that a serious move to make the whole ITSO environment ready for deployment in a fully integrated manner across all surface and sub-surface public transport in the UK (including deploying ITSO on Prestige) got going. ATOC is now fully on board (sic). All new heavy rail franchisees are now required to deploy full ITSO compliant ticketing.
What we therefore need is broad regulation for electronic ticketing and related journey management methods across all surface and sub-surface public transport - regulation that ensures that the customer experience comes first.

The ITSO Specification is owned by the Crown. ITSO Ltd (a company limited by guarantee without shares) is responsible for the Specification, specifying and procuring the SAMs, operating a key management and distribution service, testing all equipment and system types for compliance... The company has recently appointed a Programme Manager; moves to raise more funding for development are under way. You and all others on this list are welcome to join ITSO Ltd as a Member (min fee £1K p.a. plus VAT - that's for a small business, more for a larger organisation).

(Please note that the views expressed in this email are solely the views of the writer who has been a Member of ITSO Ltd since it was first opened up to all comers.)

Peter

On 10/09/2014 09:01, Roland Perry wrote:
> That makes sense, as does taking money from an ITSO "purse". But I
> nevertheless have a strong recollection of reading a technical
> document which said that ticket barriers didn't have time to do two
> sets of handshakes (one to read and the other to write). Perhaps that
> was CPC after all - although it's understandable if banks don't want
> "other people" writing to "their" card; but the whole CPC-for-travel
> thing is a bit of a leap in the dark when it comes to trust between
> the three parties involved.
>
> If it helps, information dribbling out from train companies (such as
> C2C) about ITSO currently indicates that if you have more than one
> pre-purchased ticket on the card then their gates will only use them
> in the order they were purchased, which sounds like a way to simplify
> that decision.