Payment vs. ticketing

Contactless cards are penetrating into more and more market segments day by day. The three most common use cases of contactless cards are clearly ticketing, payment and access control. Now let’s skip the access control and compare the ticketing and payment use cases.

Work Flows

Functional requirements of a contactless ticketing application are generally store a balance, contract, expire date and a log space. Typical work flow of a contactless ticketing transaction is as follows:

  • Identify the card in the field
  • Authenticate the card and the ticketing terminal
  • Read the contract from the card
  • Read the previous transaction logs -if necessary
  • Compute the fare
  • Debit the card with the fare
  • Write the transaction log

When it comes to payment, the work flow of a contactless EMV payment is as follows:

  • Identify the card in the field
  • Authenticate the card and the terminal
  • Debit the card
  • Store the transaction log

As you can see, the main difference of the payment and the ticketing work flow is the fare calculation based on some variables like contract type of the card and the previous transactions performed and stored in the application. This is something EMV is still uncapable of. Both Visa and MasterCard are already working on ticketing extensions of payWave and PayPass, however they will still have many barriers ahead even if the specification are completed and first samples are out for testing.

Authentication and cryptography

EMV relies on RSA and Triple DES, while ticketing applications use mainly DES variants and AES. Contactless EMV transactions are quite secure with DDA (Dynamic Data Authentication) and it is a perfect solution for an interoperable environment of different banks.

Almost all ticketing systems are proprietary and each transport operator or provider has its own application. Every system has its own infrastructure and interoperability between ticketing systems are quite rare. So each system has its own authentication alghoritm and of course key types and lengths.

Main differences

EMV is designed for securing the transaction between card and terminal, terminal and host systems, host system and the card. It’s the underlying standard of Visa, MasterCard and JCB. Each organization has its own application of EMV but essentially they are mostly identical. Contactless ticketing application depend heavily on the chip platform and operating system they are using. Every transport authority, system integrator or solution provider has its own ticketing application. There are efforts in Europe to standardize the ticketing applications but they are not mature enough yet. So basically ticketing is proprietary for now.

Some time in the near future, payment and ticketing is supposed to meet on the NFC platform, but it seems it’s still a long way there.

{ Comments are closed! }