Transaction data stored on Contactless Credit Cards
lists at internetpolicyagency.com
Wed Sep 10 09:01:50 BST 2014
In article <540F6BEC.6090102 at iosis.co.uk>, Peter Tomlinson
<pwt at iosis.co.uk> writes
>On 09/09/2014 21:28, Roland Perry wrote:
>> What I think I know from reading ITSO specifications is that in order
>>for the contactless transaction to take place in the sub-second window
>>that travellers expect there isn't time to *both* read the card's
>>credentials *and* write any kind of transaction data *back* to the card.
>An ITSO transaction very often involves both read and write to the
>card, particularly when you have pre-purchased a ticket and the gate
>has to mark it as 'in use'. ITSO reads the entire ticket, checks its
>signature, writes back if necessary. ITSO terminals have a SAM.
That makes sense, as does taking money from an ITSO "purse". But I
nevertheless have a strong recollection of reading a technical document
which said that ticket barriers didn't have time to do two sets of
handshakes (one to read and the other to write). Perhaps that was CPC
after all - although it's understandable if banks don't want "other
people" writing to "their" card; but the whole CPC-for-travel thing is a
bit of a leap in the dark when it comes to trust between the three
If it helps, information dribbling out from train companies (such as
C2C) about ITSO currently indicates that if you have more than one
pre-purchased ticket on the card then their gates will only use them in
the order they were purchased, which sounds like a way to simplify that
However, even then that "first bought" ticket is going to have to be
marked as 'used' at some point.
ps Regarding ITSO on Prestige, I found this just now:
"Will the key smartcard work in London?
"Yes, the existing London Oyster card system has been updated to also
accept the key for travel. From 20th August 2014 you will be able load a
Travelcard onto the key for use on National Rail, London Underground,
DLR and buses."
More information about the ukcrypto