Transaction data stored on Contactless Credit Cards

Roland Perry lists at
Wed Sep 10 09:01:50 BST 2014

In article <540F6BEC.6090102 at>, Peter Tomlinson 
<pwt at> writes
>On 09/09/2014 21:28, Roland Perry wrote:
>> What I think I know from reading ITSO specifications is that in order 
>>for the contactless transaction to take place in the sub-second window 
>>that travellers expect there isn't time to *both* read the card's 
>>credentials *and* write any kind of transaction data *back* to the card.
>An ITSO transaction very often involves both read and write to the 
>card, particularly when you have pre-purchased a ticket and the gate 
>has to mark it as 'in use'. ITSO reads the entire ticket, checks its 
>signature, writes back if necessary. ITSO terminals have a SAM.

That makes sense, as does taking money from an ITSO "purse". But I 
nevertheless have a strong recollection of reading a technical document 
which said that ticket barriers didn't have time to do two sets of 
handshakes (one to read and the other to write). Perhaps that was CPC 
after all - although it's understandable if banks don't want "other 
people" writing to "their" card; but the whole CPC-for-travel thing is a 
bit of a leap in the dark when it comes to trust between the three 
parties involved.

If it helps, information dribbling out from train companies (such as 
C2C) about ITSO currently indicates that if you have more than one 
pre-purchased ticket on the card then their gates will only use them in 
the order they were purchased, which sounds like a way to simplify that 

However, even then that "first bought" ticket is going to have to be 
marked as 'used' at some point.

ps Regarding ITSO on Prestige, I found this just now:

"Will the key smartcard work in London?

"Yes, the existing London Oyster card system has been updated to also 
accept the key for travel. From 20th August 2014 you will be able load a 
Travelcard onto the key for use on National Rail, London Underground, 
DLR and buses."
Roland Perry

More information about the ukcrypto mailing list