One pass for all mass transit?
New standard could pave way for interoperable fare collection systems
- By William Jackson
- Dec 07, 2010
An alliance of chip and smartcard makers is introducing an open security standard for securing transit fare collections that it hopes will open the way for interoperable public transit systems and enable a new generation of electronic payment methods.
The standard, named Cipurse, includes strong encryption and a common set of commands applicable to transit systems that have moved to electronic fare collection. Proponents hope the platform will replace current proprietary security schemes.
“We’re trying to create something basic that will scale across legacy systems and be incorporated into new systems,” said Charles Walton, chief operating officer of INSIDE Security, one of the founding members of the Open Standard for Public Transport Alliance.
Cipurse is built on existing standards, including the 128-bit Advanced Encryption Standard for encryption, the ISO 7816 smart card standard and the ISO/IEC 14443-4 protocol layer. The use of accepted open standards is intended to enable implementation in upgrading existing systems as well as in new systems.
Creating a common standard could provide not only more options for governments building or upgrading transit systems, but could also open up a new market for mobile devices such as smart phones using wireless Near Field Communications (NFC) to pay fares. NFC allows mobile devices to mimic fare cards and card readers, but mobile applications for paying subway, bus and train fares are now limited because of the use of proprietary fare collection systems.
Electronic payments, using mag stripe cards or contactless chip cards, are replacing cash, paper tickets or tokens for fare payment in public transit systems. But a lack of standards has resulted in proprietary systems that OSPT says increase costs and limit choices for the systems. It also has prevented development of payment schemes that would be interoperable across transit systems. For example, such a system would allow travelers from the Washington, D.C., area to use their Metro SmarTrip cards on Chicago Transit Authority vehicles.
Cipurse would not provide this interoperability by itself, but by providing a common security stack it could remove one barrier to it, Walton said.
The standard defines an authentication scheme, a secure messaging protocol, four mandatory file types and a command set to access them, and specifies encryption keys and access conditions. It also includes software-based protection against differential power and fault analysis that could let an attacker decipher and interfere with intercepted traffic.
William Jackson is a Maryland-based freelance writer.