Part 1 - QR, EMV and Fare Collection
The success of QR-based, realtime, account-to-account payment systems in Asia is remarkable. It introduced a long-overdue element of healthy competition into the payment industry that was dominated by banks and their card payments (domestic as well as Visa/MC).
However, contactless EMV gives traditional payment systems two huge advantages that cannot easily be overcome by the new QR systems: fast, tap-and-go style transactions and account-based ticketing in automated fare collection systems.
In this article, I am trying to explain why EMV is so suitable for mass transport ticketing. In the next article, I will then cover three topics:
- Can and should QR codes be used for fare collection?
- Is EMV technology the only solution for account-based ticketing?
- Can (and should) the new players just pick and choose the parts of EMV that they need for mass transport ticketing?
Contactless EMV
EMV fits the requirements of account-based ticketing very well. That happened not so much by foresight and design, but more by accident. When EMV was developed, Europe apparently still had quite a few places without a reliable network connection and insisted on functionality that would make offline authorization and authentication possible. That functionality added a lot of complexity to the specification and proved to be costly to implement.
When the "original" EMV was finally rolled out in significant numbers, most of the offline functionality wasn’t needed anymore, and many banks did not understand it well enough to use it anyway. Still, it was included in every system.
In the early 2000s, contactless EMV became a thing. The contactless interface by itself did not make such a big difference. But when combined with fast offline below floor-limit transactions, a business case for its use emerged. Most importantly, the contactless interface liberated EMV from the credit card form factor and opened up a road to fast face-to-face mobile phone payments.
Because of the contactless interface, anything could be a payment device. Initially, only expensive high-end mobile phones included the necessary hardware, and for a while, card manufacturers and all kinds of startups peddled watches, key fobs and even chips implanted under the skin as payment devices. None of this ever took off until more and more smartphones were shipped with an NFC interface and included secure hardware-based environments that could safely store cryptographic keys and account data. That opened the floodgates, and in many countries contactless mobile payments are now the norm rather than the exception.
The ingredients of contactless EMV
Apart from the mobile phone and the contactless interface, a couple of additional ingredients had to be added to make this work:
- Offline authentication.
The magic of public key cryptography allowed payment terminals to verify whether the payment instrument is genuine without the need for an online connection to the issuing bank. Most importantly, the payment terminal has no need to store cryptographic keys that are specific to the issuer or the card. All that is needed is the public key of the card scheme and some assurance of the key’s authenticity.
Without offline authentication, the card would have to be held against the terminal long enough to receive the online authentication message. A tap-and-go transaction flow would be impossible, and use in a high-volume public transport environment would therefore be out of the question.
- Floor limit regulations (no CVM, issuer liability, etc.)
Offline transactions have one important shortcoming. It is not possible to get an authorization from the issuer at the time of the transaction. The card may be stolen, or the cardholder may not have enough money to settle the transaction. Merchants would not be very happy if the liability for such transactions was assigned to them. The traditional card schemes already had a solution - the floor limit. Simply put, if the transaction amount is below a predefined limit, the merchant would get their money even if they did not request an online authorization at the time of the transaction. The same applies for the need to ask for a PIN.
Unfortunately, floor limits had already been on the way out under pressure from the US market, which was slow to adopt EMV technology. Instead, realtime online authorization and online PIN were the chosen solutions to manage the risk of cross-border fraud.
Floor limits were defined by country and merchant category, and only a few of such country/merchant combinations still had non-zero floor limits.
By adding requirements such as offline EMV authentication, floor limits came back in the form of country-wide limits for offline, no-CVM transactions.
- Card-specific accumulative offline limits
The offline floor limit was not enough to manage the risk of an excessive number of fraudulent transactions below the floor limit. There had to be a way to force an online authorization after a card had been used offline too many times. Thankfully, that functionality was already built into EMV. The card kept track of the number and accumulated value of offline transactions and refused another offline authorization when card-specific limits that are written into the card at the time of personalization are reached.
In addition, a payment terminal may block a card for future transactions.
- Tokenization (to a lesser extent) for making mobile phone provisioning more secure
Mobile phone manufacturers introduced hardware-based secure processing environments that allowed storage of cryptographic keys and account data on the phone. However, the issuers did not have the same close control over the provisioning process of card data into the phone as for the personalization of cards. To mitigate the risk (and for other purposes), the schemes introduced tokenization. Tokenization means that the card number stored on the phone is just a proxy number. That number may be specific to the phone or the type of transaction. It can be withdrawn or blocked without impacting the actual account number of the cardholder.
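The offline authentication ingredient above can be shown as a chain of signatures that a terminal checks while holding nothing but the scheme public key. This is an added example, not code from the article or from any EMV specification: hash-then-sign textbook RSA with toy keys stands in for EMV's actual certificate and signature formats, and the names keypair, personalise, terminal_authenticate, card_respond and the value TOKEN-0001 are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent used for every toy key below

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (constructed, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))      # (modulus n, private exponent d)

def enc(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def personalise(pan, scheme, issuer, card_n):
    """Issuer-side step: build the public data that the card carries."""
    (scheme_n, scheme_d), (iss_n, iss_d) = scheme, issuer
    return {"pan": pan, "issuer_n": iss_n, "card_n": card_n,
            "issuer_cert": sign(enc(iss_n), scheme_n, scheme_d),
            "card_cert": sign(pan.encode() + enc(card_n), iss_n, iss_d)}

def terminal_authenticate(scheme_n, card, challenge, response):
    """The terminal trusts scheme_n only; every other key is read from the card."""
    if not verify(enc(card["issuer_n"]), card["issuer_cert"], scheme_n):
        return "issuer certificate rejected"
    signed = card["pan"].encode() + enc(card["card_n"])
    if not verify(signed, card["card_cert"], card["issuer_n"]):
        return "card certificate rejected"
    if not verify(challenge, response, card["card_n"]):
        return "dynamic signature rejected"
    return "genuine"

# Constructed sample hierarchy: scheme key > issuer key > card key.
SCHEME, ISSUER, CARD = keypair(521, 607), keypair(107, 127), keypair(61, 89)
CARD_DATA = personalise("TOKEN-0001", SCHEME, ISSUER, CARD[0])

def card_respond(challenge):
    """Runs inside the card or phone secure hardware; the private key stays there."""
    return sign(challenge, *CARD)
```

A copy of the card's public data alone does not pass the last check, because the response must be a fresh signature over the terminal's challenge.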
Contactless EMV and Account-based Ticketing
Account-based ticketing means that the passenger’s fare medium is linked to an account that holds the funds which will be used to pay for the ticket. This should not be confused with the use of payment instruments to buy a ticket before entering the paid area of the transport system.
Most account-based ticketing systems cannot get an authorization from the entity holding the account when the passenger presents the fare media to the validator or gate. This is usually because of the speed at which passengers move through the gates or because a reliable and fast network connection cannot be guaranteed, for instance, in moving vehicles.
It is therefore necessary, firstly, to authenticate the fare medium offline, and secondly, to collect enough information to work out the fare amount later and to conduct a delayed payment authorization.
Since the passenger has already left the system when an authorization can be obtained, it is not possible to request an alternative means of fare payment when the authorization is denied. Of course, it is possible to keep track of such occurrences and deny entry should somebody try to use the same fare medium again. In the best case scenario, this will amount to the loss of just one fare amount. Realistically, however, it will take some time for a fare medium to be reported as lost or stolen and for this information to reach the AFCS system.
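The delayed authorization flow described above, as an added example that is not part of the original article: a gate admits on offline authentication and its local deny list, and the back office links taps, prices the journey and authorizes afterwards. The fare table, token names, the mock issuer balance and the class names Validator and BackOffice are constructed assumptions.

```python
from dataclasses import dataclass, field
FARES = {("A", "B"): 250, ("A", "C"): 400, ("B", "C"): 250}  # constructed, minor units

@dataclass
class Validator:
    deny_list: set = field(default_factory=set)   # local copy, refreshed only on sync
    taps: list = field(default_factory=list)

    def tap(self, token, station, kind, offline_auth_ok=True):
        # No issuer contact at the gate: offline authentication and local list only.
        if not offline_auth_ok or token in self.deny_list:
            return False
        self.taps.append((token, station, kind))
        return True

@dataclass
class BackOffice:
    issuer_funds: dict                            # stand-in for online authorization
    deny_list: set = field(default_factory=set)
    unpaid: int = 0

    def settle(self, validator):
        """Link entry and exit taps, price each journey, authorize after the fact."""
        entries = {}
        for token, station, kind in validator.taps:
            if kind == "in":
                entries[token] = station
            elif token in entries:
                fare = FARES[tuple(sorted((entries.pop(token), station)))]
                if self.issuer_funds.get(token, 0) >= fare:
                    self.issuer_funds[token] -= fare   # delayed authorization approved
                else:
                    self.unpaid += fare                # passenger has already left
                    self.deny_list.add(token)
        validator.taps.clear()

def run_demo():
    gate = Validator()
    office = BackOffice(issuer_funds={"tok-funded": 1000, "tok-empty": 0})
    for token in ("tok-funded", "tok-empty"):
        gate.tap(token, "A", "in")
        gate.tap(token, "C", "out")
    office.settle(gate)                                # tok-empty declined after travel
    before_sync = gate.tap("tok-empty", "A", "in")     # gate has not heard yet
    gate.tap("tok-empty", "B", "out")
    office.settle(gate)
    gate.deny_list = set(office.deny_list)             # deny list reaches the gate
    after_sync = gate.tap("tok-empty", "A", "in")
    return office.unpaid, before_sync, after_sync, office.issuer_funds["tok-funded"]
```

The unpaid total covers two journeys rather than one because the second trip happened before the deny list reached the gate, which is the exposure window the paragraph above describes.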
Taking the above into account, it becomes clear why EMV and its implementation by the traditional payment systems is just about perfect for account-based ticketing:
- The EMV offline authentication allows validators and gates to verify whether the fare medium is genuine without a connection to the fare medium issuer. The authentication is not as fast as the authentication of dedicated stored value cards based on symmetric cryptography, but it is fast enough.
- During an EMV transaction, enough information is exchanged with the validator or gate in order for entry and exit transactions to be linked, which in turn allows calculation of the fare amount, delayed online authorization and settlement.
- The operating rules of the traditional payment schemes allow for offline authenticated transactions without cardholder verification up to a limit that is well above the usual fare amount.
- The transport operators are protected from liability for fraudulent transactions. This is often a contentious point when account-based ticketing is introduced. AFCS and transport operators are not used to the concept of fraud risk management (rather than avoidance). They usually believe that the payment systems somehow make so much money with ticketing payments that the fare medium issuers should pay for any fraud. [1]
- The risk of fraudulent transactions is reduced by an established distribution system for stop lists and relatively fast and reliable online authorization.
Image Reference
W. Commons, “File:Grönt sl kort.jpg — Wikimedia Commons, the free media repository.” 2022, [Online]. Available: https://commons.wikimedia.org/w/index.php?title=File:Gr%C3%B6nt_sl_kort.jpg&oldid=664838799.