One pass for all mass transit?

New standard could pave way for interoperable fare collection systems

An alliance of chip and smartcard makers is introducing an open security standard for securing transit fare collections that it hopes will open the way for interoperable public transit systems and enable a new generation of electronic payment methods.

The standard, named Cipurse, includes strong encryption and a common set of commands applicable to transit systems that have moved to electronic fare collection. Proponents hope the platform will replace current proprietary security schemes.

“We’re trying to create something basic that will scale across legacy systems and be incorporated into new systems,” said Charles Walton, chief operating officer of INSIDE Security, one of the founding members of the Open Standard for Public Transport Alliance.


Related stories:

Access control: Feds search for scalable solution

Smart IDs could soon control physical access


Cipurse is built on existing standards, including the 128-bit Advanced Encryption Standard for encryption, the ISO 7816 smart card standard and the ISO/IEC 14443-4 protocol layer. The use of accepted open standards is intended to enable implementation in upgrading existing systems as well as in new systems.

Creating a common standard could provide not only more options for governments building or upgrading transit systems, but could also open up a new market for mobile devices such as smart phones using wireless Near Field Communications (NFC) to pay fares. NFC allows mobile devices to mimic fare cards and card readers, but Mobile applications for paying subway, bus and train fares now are limited because of the use of proprietary fare collection systems.

Electronic payment, using mag stripe cards or contactless chip cards, are replacing cash, paper tickets or tokens for fare payment in public transit systems. But a lack of standards has resulted in proprietary systems that OSPT says increase costs and limit choices for the systems. It also has prevented development of payment schemes that would be interoperable across transit systems. For example, such a system would allow travelers from the Washington D.C. area to use their Metro SmarTrip cards on Chicago Transit Authority vehicles.

Cipurse would not provide this interoperability by itself, but providing a common security stack it could remove one barrier to it, Walton said.

The standard defines an authentication scheme, a secure messaging protocol, four mandatory files types, a command set to access them and specifies encryption keys and access conditions. It also includes software-based protection against differential power and fault analysis that could let an attacker decipher and interfere with intercepted traffic.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • cybersecure new york city

    Cybersecurity for smart cities: Changing from reactionary to proactive

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group