Reece Martin posted an interesting video, So you built the wrong transit system, that examines the American penchant for building cheap light rail systems that don’t make long term sense. To Americans with money, public transit is a waste of money, so cheap is the only way to fund and build public transit infrastructure. The problem is that this cheap, short term thinking costs more money in the long run. It’s a ‘one size fits all’ mentality.
But as Reece points out, systems can evolve from humble beginnings. Many private Japanese rail lines started out as street trams (which themselves evolved from horse trams) but grew into the heavy duty regional rail lines we have today. Fare systems have evolved too, from paper to mag stripe to IC smartcard and now to mobile devices.
Transit fare systems in America suffer from the same short term cheap thinking, on full display in the MTA OMNY system, the world’s first EMV-only open + closed loop fare system. When it’s completed in 2023, barring more delays, MTA will have farmed out every aspect of fare collection and OMNY transit card issuance to banks.
Not to rehash points I already made about OMNY, but Reece’s wrong transit system analogy struck a chord. And unlike rail system evolution, once a transit fare system is locked into the bank payment card infrastructure, from technology (EMV) to payment network processing (VISA, mastercard, AMEX, etc.), it will be extremely difficult, if not impossible, to change anything later on.
But why is America so short sighted when it comes to public transit, never investing in a long term, self-sustaining, viable business model? I ran across an interesting take that explains it neatly: the USA will never have a transit platform business because public transit is a welfare and jobs program, not a self-sustaining business model:
Public transportation in the US is generally very bad and very heavily subsidized. It’s cheap because extremely little service is being run, and the government picks up most of the bill.
Public transportation in the US is less of a way normal people get around, and more of a welfare program and jobs program. Even in places where public transportation is a way normal people get around, e.g., NYC, it is run more like a jobs program than an essential public service.
Open loop fare systems are also vulnerable in new ways nobody predicted: imagine the mess if payment networks go down in a cyberwar, à la the Moscow metro when digital wallets and bank payment card networks were suddenly and ominously turned off. In the case of OMNY where, unlike the Moscow metro, everything runs over EMV payment networks, there is no backup in-house payment settlement system, there is no plan B.
In other words, OMNY EMV is not only one size fits all, it’s all or nothing.
Jonathan Seybold said it best in his Computer History Museum interview video, many arguments can be easily demolished by pulling out the hidden assumptions. In our attention span challenged social media era it’s all too easy to believe things at face value. Few people invest time and brain energy to analyze and question arguments to find and examine hidden assumptions.
A reader of this blog might come away thinking I am not a fan of open loop transit fare payments and despise EMV contactless and QR Code payment technology. That would be a mistake. I don’t hate them, everything has its place. I simply don’t agree with the ubiquitous assumption that EMV or QR or open loop are the cure-alls for every transit fare payment situation that they are praised to be…usually because ‘everybody uses’ bank issued contactless payment cards or smartphone payment QR apps. It’s a one size fits all mentality that blinds people to hidden assumptions. It’s very important to see how all the pieces, seen and unseen, fit together. After all, transit companies and their users have to live with transit infrastructure choices for decades.
In a recent twitter thread Reece Martin thought it would be nice if Canada had a nationwide transit card. This is something Japan has had since 2013 when the Transit IC interoperability scheme was put in place that made the major transit IC cards compatible with each other, but they did this without changing the hardware. The various card architectures were left untouched and linked with system updates, a use-the-same-card backend solution. China on the other hand created a national transit card with the China T-Union • PBOC 2.0 standard that replaced all older transit cards with locally branded T-Union cards, a get-a-new-card hardware solution.
A nationwide Canadian transit card is a great idea but, as Samual Muransky answered in the same thread, why bother with ‘obsolete’ dedicated transit cards when everybody uses EMV contactless bank cards and EMV is the new standard? Let’s examine some hidden assumptions at play here.
Assumption #1: Everybody has contactless credit/debit cards
The open assumption here, that everybody has bank issued credit or debit payment cards, is not the case and varies by country, demographics, age, etc. Most people in some countries do, but even so there will always be people who don’t. Transit cards always have the advantage of being available at station kiosks to anyone with cash.
Assumption #2: Because of assumption #1, open loop (credit/debit cards) is better than closed loop (dedicated ticketing) for paying transit fare
The hidden assumption is that open loop covers everything, but it does not. Specific transit services such as individual commuter passes and discounted fares for disabled/elderly/children are practically impossible to attach to and use with bank payment cards, because the bank card token carries no rider attributes the transit operator controls. The best that transit systems and payment networks can do with open loop is fare capping or special discounts applied universally, the age-old pay ‘x’ times and get one free concept. Open loop works best for occasional transit users.
Assumption #3: EMV contactless is the NFC standard
The NFC Forum recognized long ago that credit card companies and transit companies have different needs and objectives. EMV contactless cards run on NFC-A (and NFC-B), the ISO/IEC 14443 air interface, while FeliCa transit cards run on NFC-F. All NFC devices must support NFC-A, NFC-B and NFC-F to obtain NFC Forum certification, so EMV contactless is one NFC technology among several, not ‘the’ NFC standard.
Assumption #4: EMV contactless for transit is safe and secure
There are many hidden assumptions packed into the words ‘safe and secure’: not everybody agrees on what safe is or what level of security counts as secure. Things also change depending on the situation and the design. I have covered transit gate reader design in many other posts but will recap some basics here.
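To make the difference concrete, here is a toy fare engine, added for this post and not code from any transit operator. It runs the same tap stream through an open loop pricer, which only ever sees an opaque card token, and a closed loop pricer, where the card id resolves to a rider profile the operator holds. The flat fare, the weekly cap, the concession rates and the tap records are constructed assumptions.

```python
"""Added example, not from the original post: a toy fare engine that shows
why open loop can only apply universal rules. Fares and caps are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

BASE_FARE = 275       # cents; assumed flat fare
WEEKLY_CAP = 3300     # cents; assumed cap, i.e. 12 paid rides then free
CONCESSION_FACTOR = {"adult": 1.0, "senior": 0.5, "student": 0.5}  # assumed


@dataclass(frozen=True)
class Profile:
    """What a closed-loop card can carry that an open-loop bank card cannot."""
    concession: str = "adult"
    pass_valid_until: Optional[date] = None


def _week(ts: datetime):
    year, week, _ = ts.isocalendar()
    return (year, week)


def price_open_loop(taps):
    """taps: iterable of (token, datetime). The EMV token is opaque: the only
    thing the back end can do per token is count and cap, identically for all."""
    spent = defaultdict(int)          # (token, week) -> cents charged so far
    charges = defaultdict(list)
    for token, ts in sorted(taps, key=lambda t: t[1]):
        key = (token, _week(ts))
        charge = min(BASE_FARE, WEEKLY_CAP - spent[key])   # never below 0: spent <= cap
        spent[key] += charge
        charges[token].append(charge)
    return dict(charges)


def price_closed_loop(taps, profiles):
    """Same tap stream, but the card id resolves to an operator-held Profile,
    so a concession rate or a period pass is applied before capping."""
    spent = defaultdict(int)
    charges = defaultdict(list)
    for card, ts in sorted(taps, key=lambda t: t[1]):
        p = profiles.get(card, Profile())
        if p.pass_valid_until is not None and ts.date() <= p.pass_valid_until:
            charges[card].append(0)       # pass holder: nothing to charge
            continue
        factor = CONCESSION_FACTOR[p.concession]
        fare, cap = int(BASE_FARE * factor), int(WEEKLY_CAP * factor)
        key = (card, _week(ts))
        charge = min(fare, cap - spent[key])
        spent[key] += charge
        charges[card].append(charge)
    return dict(charges)


def sample_taps(ident: str, n: int):
    """Constructed sample: n taps for one card, all inside ISO week 10 of 2022."""
    start = datetime(2022, 3, 7, 8, 0)     # a Monday
    return [(ident, start + timedelta(hours=i)) for i in range(n)]


SAMPLE_PROFILES = {                         # constructed
    "card-senior": Profile(concession="senior"),
    "card-pass": Profile(pass_valid_until=date(2022, 3, 31)),
}

if __name__ == "__main__":
    print(price_open_loop(sample_taps("tok-visa", 14)))
    print(price_closed_loop(sample_taps("card-senior", 14) + sample_taps("card-pass", 3),
                            SAMPLE_PROFILES))
```

The open loop side can only express ‘everyone pays until the cap’; to give the senior card its half fare the engine needs a profile the bank card simply does not have.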
Steve Jobs famously said that designing a product is a package of choices. I have often said that EMV contactless is supermarket checkout payment technology, but that’s not a put down, it’s the truth of what EMVCo was aiming for when it grafted NFC-A onto the EMV chip for contactless cards.
Because of wide deployment with no direct control over installations, the original EMV contactless spec allowed a generous latency window so it would work reliably even with poor network installations, and that slow speed has sometimes been cited as a security risk. NFC-A (MIFARE and EMV) transaction speeds are rated at a theoretical 250ms but are usually 500ms on open loop transit gates. Suica is always 200ms, often faster. The speed gap is due to gate reader design, the network lag of centralized processing vs local stored value processing, and the different RF communication distances for NFC-A and NFC-F. JR East presentation slides explain the transaction speed differences.
Japanese station gates are designed to be capable of 60 passengers per minute. To do this the conditions are:
Processing time of fare transaction has to be within 200ms
RF communication distance is 85mm for physical cards and smartphones
European station gates are designed to be capable of 30 passengers per minute:
The processing time takes 500ms
RF communication distance is 20mm for physical cards, 40mm for smartphones
The Suica transaction starts from the 85mm mark while MIFARE and EMV contactless cards start at the 20mm mark. Because of the greater RF communication distance, Suica transactions start much earlier as the card travels toward the reader tap area. If you look closely at the 2nd slide you can see that smartphones have a slightly earlier EMV/MIFARE RF transaction start at the 40mm mark (the 1.1A/m boundary) due to the larger smartphone antenna; physical EMV cards with smaller antennas are limited to 20mm. This is why smartphones seem faster than physical cards on NFC-A gates. Suica physical cards have a larger antenna and the same RF transaction distance as smartphones.
NFC-A transaction speed is slower because the card has to be on top of the reader before the transaction can start. This is also the limitation of optical QR and bar codes: the transaction only starts when the smartphone screen is close enough to the reader for an error free scan. Transit gates using these technologies are not designed for smooth walk through flow.
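A small model of the head start described above, added for this post and not taken from JR East’s slides: the RF start distance divided by the speed at which the hand approaches the tap mark is time the transaction spends running while the card is still moving, and whatever processing time is left over has to be spent holding the card still at the mark. The 85/40/20mm distances and 200/500ms processing times are the figures quoted above; the approach speed and the gate’s fixed cycle time are assumptions.

```python
"""Added example, not from the post or from JR East's slides: a simple model of
the head start a longer RF communication distance gives a moving card. The
distances and processing times are the figures quoted above; the hand's
approach speed and the gate's fixed cycle time are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Medium:
    name: str
    rf_start_mm: float   # distance from the tap mark where the RF session starts
    proc_ms: float       # fare transaction processing time once the session starts


SUICA = Medium("Suica card or phone (NFC-F)", rf_start_mm=85, proc_ms=200)
EMV_CARD = Medium("EMV card (NFC-A)", rf_start_mm=20, proc_ms=500)
EMV_PHONE = Medium("EMV phone (NFC-A)", rf_start_mm=40, proc_ms=500)


def hold_time_ms(m: Medium, approach_mm_per_s: float = 300.0) -> float:
    """How long the medium must be held at the tap mark after reaching it.
    Travel from rf_start_mm to the mark is a head start against proc_ms;
    whatever processing time remains is spent stationary."""
    head_start_ms = m.rf_start_mm / approach_mm_per_s * 1000.0
    return max(0.0, m.proc_ms - head_start_ms)


def passengers_per_minute(m: Medium, fixed_cycle_ms: float = 1000.0,
                          approach_mm_per_s: float = 300.0) -> float:
    """Gate throughput if each passenger costs a fixed walk-through time
    (assumed) plus the hold time above."""
    return 60_000.0 / (fixed_cycle_ms + hold_time_ms(m, approach_mm_per_s))


if __name__ == "__main__":
    for m in (SUICA, EMV_PHONE, EMV_CARD):
        print(f"{m.name:28s} hold {hold_time_ms(m):5.0f} ms  "
              f"{passengers_per_minute(m):4.1f} passengers/min")
```

At an assumed 300mm/s approach the Suica session finishes before the card reaches the mark, so the rider never stops, while the EMV card still has most of its 500ms to go when it arrives; the phone’s extra 20mm of start distance buys it only a fraction of that, which matches the ‘slightly faster’ impression rather than a different class of gate.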
One of the smart things Nankai is doing in the test phase (limited to a few key stations) is keeping EMV/QR gates separate from standard FeliCa gates. This is practical. Regular users go through the faster regular gates, the occasional open loop or QR users go through the slower EMV/QR gates. Keeping different readers separate and clearly marked helps keep walk flow smooth and crowding down at busier stations. The Nankai program has been put on pause for another year due to the collapse of inbound travel in the COVID pandemic. It’s a trial run as Osaka area transit operators gear up for an anticipated inbound travel boom in connection with Expo 2025, which may or may not pan out.
The Nankai VISA Touch gates are designed for physical cards; Apple Pay works but without Express Transit. That’s a plus, as Apple Pay EMV Express Transit on TfL and other open loop systems (OMNY) has come under scrutiny for a potential security risk with VISA cards that allows ‘scammers’ (in lab settings) to make non-transit charges to Apple Pay VISA cards via Express Mode, something that is not supposed to be possible.
Timur Yunusov, a senior security expert at Positive Technologies…said a lack of offline data authentication allows this exploit, even though there are EMVCo specifications covering these transactions.
“The only problem is that now big companies like MasterCard, Visa and AMEX don’t need to follow these standards when we talk about NFC payments – these companies diverged in the early 2010s, and everyone is now doing what they want here,” he said.
In other words, Apple removing Apple Pay bio-authentication to promote EMV Express Mode for open loop transit puts Apple Pay at the mercy of card networks with lax payment operation practices that don’t follow their own rules. Not that it’s a real problem in the field, but accidents do happen, such as this incident on Vancouver BC TransLink that a reader forwarded:
Just a moment ago, I nearly got dinged on my CC while sitting on a high seat near a door, which is where one of the validators is located. The validator picked it up from the backside rather than the front side where the tap area is located. Also, somehow, my iPhone authorized the transaction when I only wanted to return to the home screen.
If the open loop was implemented in a way where the card must be pre-authorized before the card can be tapped at a validator, it wouldn’t get me in a situation where I need to deal with customer service to dispute some charges. Good thing this time the transaction was declined, so nothing related to this charge showed up in my account.
Open loop is only part of a larger picture
Canadian transit would certainly benefit from a Japanese transit IC system approach with compatibility on the backend, or even the China T-Union approach of a national card spec that is locally branded but works everywhere.
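Coming back to Yunusov’s point about the lack of offline data authentication, here is a stripped-down model of that class of problem, added for this post and not code from Positive Technologies or Apple: a terminal makes its decision on flags in the card response, and nothing ties those flags to the card if the terminal skips authentication. It is not a reproduction of the published attack; the phone/reader exchange, the field names and the HMAC standing in for the card’s signed data are all assumptions. The same policy is shown twice, once trusting the flags as received and once only after the tag over them checks out.

```python
"""Added example, not from the post or from Positive Technologies: a stripped-down
model of the class of problem Yunusov describes, a flag the terminal relies on
that nothing authenticates end to end. It is not a reproduction of the published
attack. Field names, the reader/phone exchange and the HMAC standing in for the
card's offline data authentication are all assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

ISSUER_KEY = b"demo-issuer-key"   # assumption: stands in for the card's ODA key


@dataclass(frozen=True)
class CardResponse:
    pan_token: str
    transit_unlock: bool     # phone released the card via Express Mode (no user auth)
    cdcvm_performed: bool    # phone asserts the cardholder authenticated on device
    tag: bytes = b""         # authentication over the fields above; empty = no ODA


def _payload(r: CardResponse) -> bytes:
    """Canonical bytes of the fields a terminal decides on."""
    return json.dumps([r.pan_token, r.transit_unlock, r.cdcvm_performed]).encode()


def phone_respond(reader_says_transit: bool, user_authenticated: bool,
                  with_oda: bool) -> CardResponse:
    """Express Mode in miniature: without Face ID/Touch ID the phone only
    releases the card to a reader presenting itself as a transit gate."""
    if not (reader_says_transit or user_authenticated):
        raise PermissionError("card stays locked: no cardholder verification")
    r = CardResponse("tok-4242", transit_unlock=not user_authenticated,
                     cdcvm_performed=user_authenticated)
    if with_oda:
        r = replace(r, tag=hmac.new(ISSUER_KEY, _payload(r), hashlib.sha256).digest())
    return r


def relay_tamper(r: CardResponse) -> CardResponse:
    """A relay between a fake transit reader and a real retail terminal rewrites
    the unauthenticated flags so the response looks like a verified retail payment."""
    return replace(r, transit_unlock=False, cdcvm_performed=True)


def retail_terminal_no_oda(r: CardResponse, amount_cents: int,
                           cvm_limit_cents: int = 4500) -> bool:
    """Trusts the flags as received (the failure mode in the quote)."""
    if r.transit_unlock:
        return False          # a transit-unlocked card is not a retail payment
    if amount_cents > cvm_limit_cents and not r.cdcvm_performed:
        return False          # high value needs cardholder verification
    return True


def retail_terminal_with_oda(r: CardResponse, amount_cents: int,
                             cvm_limit_cents: int = 4500) -> bool:
    """Same policy, but the flags are only believed if the tag over them verifies."""
    expected = hmac.new(ISSUER_KEY, _payload(r), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, r.tag):
        return False
    return retail_terminal_no_oda(r, amount_cents, cvm_limit_cents)


if __name__ == "__main__":
    express = phone_respond(reader_says_transit=True, user_authenticated=False, with_oda=False)
    print("no ODA, relayed to retail for 200.00:",
          retail_terminal_no_oda(relay_tamper(express), 20000))
    signed = phone_respond(reader_says_transit=True, user_authenticated=False, with_oda=True)
    print("with ODA, same relay:", retail_terminal_with_oda(relay_tamper(signed), 20000))
```

The point is not the particular flag names but that a terminal deciding on unauthenticated data is deciding on whatever the last hop handed it; the ‘pre-authorize before tap’ the reader above asks for is another way of saying the phone should not release the card on the reader’s word alone.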
To come back to the beginning, my point isn’t about slamming EMV or QR open loop transit, just the assumptions that they solve everything. They have their place in intelligently designed fare systems but only constitute part of the larger transit fare system picture. And as I have pointed out many times, card companies have little interest in improving the EMV standard for transit needs. They want to capture transit fare business without investing. The focus will always be the supermarket checkout lane that EMV was designed for.
There will always be a risk involved when ignoring the hidden assumptions of EMV open loop as a one size fits all solution. Dedicated transit cards will always be necessary. Every transit system is unique and deserves the best solution for the transit company and the users they serve.
After a long gestation and a COVID related delay, the good old swipe MetroCard replacement finally shipped. OMNY card is a white-label EMV bank payment card using the mastercard payment network, not a MIFARE or FeliCa smartcard like San Francisco Clipper or Tokyo Suica. MetroCard missed the transit smartcard revolution of the late 1990s, so MTA and their ticketing system management company Cubic Transportation Systems decided to go all in with a new system built on EMV payment network processing, i.e. using ‘open payment’ regular EMV contactless credit/debit cards for mainstream transit fare, with dedicated white-label EMV prepaid debit transit cards, the MetroCard replacement, relegated to a backup role.
OMNY is envisioned and designed as a ‘one size fits all’ approach where bank card EMV payment networks (VISA, mastercard, American Express, etc.) are promoted as transit tickets since everybody supposedly already uses bank cards for all daily life purchases. The addition of fare capping, basically a closed loop card feature grafted onto open loop, further encourages regular credit/debit card use and reduces the need to issue OMNY cards. And MTA very much wants to get out of the card issuing business.
Arguably it’s a good thing that the Ventra prepaid debit card is going the way of the dinosaur. The debit card function debuted with a long list of fees that had the potential to siphon off much of the money stored on the card, including:
A $1.50 ATM withdrawal fee
A $2 fee to speak to someone about the retail debit account
A $6.00 fee for closing out the debit balance
A $2 fee for a paper statement
A $2.95 fee to add money to the debit account using a personal credit card
A $10 per hour fee for “account research” to resolve account discrepancies
“These fees were probably not any different than other bank cards offered by Money Network or Meta Bank or other predatory banks,” says Streetsblog Chicago’s Steven Vance, who reported on the issue at the time. “But it was shameful for the CTA to be aligned with that.”
After a backlash, most of these fees were reduced or eliminated, but CTA retail outlets were still allowed to charge Ventra card holders a fee of up to $4.95 to load cash on the debit sides of their cards. So maybe it is for the best that the CTA is getting out of the bank card business.
Let’s hope the OMNY card issuer and MTA do a better job with their white-label OMNY prepaid debit card fees. Because let’s face it, even though OMNY card is ‘closed loop’ it still uses the same EMV payment network that open loop cards do. I call it faux closed loop because OMNY doesn’t process its own fare payments, nor does OMNY as yet offer commuter passes, student discounts, etc. And the OMNY station kiosks that have yet to be installed will be modified ATMs that take money instead of dispensing it.
A digital version of OMNY is advertised to launch on Apple Pay and Google Pay ‘soon’, although MTA now says it ‘expects’ to launch OMNY iOS and Android apps necessary for adding OMNY to Wallet in 2023.
When the OMNY digital card finally launches, expect a rebranded version of the mastercard closed loop Ventra and Opal digital cards, all managed by Cubic. As most open loop systems in North America, the UK and Australia are designed and managed by Cubic, it’s helpful to compare their ticketing system profiles.
Transition bumps in the road
When you carefully analyze the different systems and Express Mode transit support listed on the Where you can ride transit using Apple Pay support page, one condition becomes clear: current transit systems do not support both Apple Pay Transit cards and EMV Express Transit when the system uses MIFARE and EMV open loop side by side. It’s a choice between supporting one or the other, not both. I suspect Apple does this because of the complexity of supporting MIFARE and EMV mixed mode operations on the same transit system.
OMNY is a new system however, built completely on EMV and EMV only. When Apple Pay OMNY launches, OMNY will be the first system to support both EMV as an Apple Pay transit card and EMV Express Transit mode for credit/debit cards. There is a catch however, similar to using Apple Pay China T-Union cards: turning on one card for Express Transit turns off other cards.
This happens when cards share the same NFC ID number, which results in card clash at the gate reader. When cards share the same ID, only one card can be set for Express Transit mode at any one time. For EMV cards this applies to payment cards as well, so Express Transit Card settings will likely turn off any activated payment cards when an OMNY card is turned on, and vice versa. Otherwise the complaints from Apple Pay MTA users would be endless.
OMNY headache: MTA Railroad ticketing
After OMNY card is launched on Apple Pay and Google Pay, the next OMNY challenge will be integrating Metro-North and LIRR commuter rail ticketing. A difficult task, as none of the train lines are equipped with NFC card readers. MTA has yet to unveil any commuter rail ticketing integration details. Ventra has the same problem: commuter rail ticketing remains the age old conductor visual inspection, no tap and go contactless for you. And as ever there are thorny open loop user data privacy issues.
OMNY truly represents the state of American public transit as it tries to get on board with mobile payments. Progress is good and welcome, but a real next generation vision with meaningful forward development of American public transit will continue to be a confused mess despite endless broken promises to fix it…simply because people with money and means don’t use it. If they did, things would have been fixed long ago.
After posting the update chart a reader asked a very good question: why not add the FeliCa reader logo as that is what you’ll often see on NFC readers in Japan. To which I say: ignore reader logos in Japan. Why? Because the reader physical compatibility mark that indicates the antenna location has nothing to do with what payments actually work at checkout. Apple isn’t doing anybody a favor listing the EMV logo in the Apple Pay Japan lineup. It only confuses users.
Let’s play that game again, the ‘which logo is the official NFC logo’ game. Choose:
The correct answer is #2, the NFC Forum logo. The reader physical compatibility mark for EMV is #1, FeliCa is #3. But you never see the NFC Forum logo on NFC readers, what you see is usually something like this:
The Panasonic reader shown above has both EMV and FeliCa logos on the tap area. The store has also attached a card that displays what payments are accepted, in this case both EMV (VISA, mastercard) and FeliCa (iD, Suica•PASMO, WAON, nanaco). Looks good, right? Not really. The EMV and FeliCa marks are physical compatibility marks that indicate the antenna location. However, most people assume the physical compatibility mark means the reader works for all payments…which it does not. Some stores with an EMV physical compatibility marked reader don’t support EMV, and vice versa: FeliCa is supported on the reader but not on the POS checkout.
What to do? Let’s see…the NFC Forum is responsible for basic certification of all NFC devices so let’s put their logo on reader instead. Oh wait, can’t do that because people will think it’s a Nespresso machine instead of an NFC reader:
Time for a new NFC logo.
It might seem like a good idea to separate NFC hardware from the payment services that run on top of the hardware. The reality is, it’s impossible to do because all-in-one NFC chips do it all. The NFC Forum could spend a ton of money creating a new NFC logo that can be used everywhere…but what’s the point? Nobody will use it even if they do.
NFC readers come in all kind of shapes and sizes for all kinds of end uses, from supermarket checkout, to transit gates, and vending machines, and much more. If nothing else remember this: the physical compatibility mark is there to indicate the antenna location and show you where to tap, that’s all it’s there for. It can be anything. It should match the service it’s intended to fulfill.
“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.
“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”
FBI, MI5, unnamed sources? Sounds like a spy novel. The original Jacksonville WOKV report is down to earth local news reporting with the official statement from the FBI: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time.”
PAX NFC terminals and POS systems support EMV, FeliCa and MIFARE protocols and are used extensively in Japan in nationwide POS systems such as the FamilyMart and Doutor Coffee chains. However it’s important to remember that each protocol has a hardware certification process, for EMVCo, for FeliCa Networks and for MIFARE. Card companies also have their own hardware security and certification. And even though the story sounds scary, we don’t know which ‘major financial provider’ POS systems are pulling PAX readers*, what hardware models are involved, what kind of POS software they run (provided by PAX? Developed in-house?), or what exactly the FBI is investigating.
That said, this is much more real and interesting than the silly Apple Pay EMV Express Transit VISA security scare story pushed by the BBC, mindlessly repeated by tech sites and dubious ‘security experts’ who scare people into buying their ‘services’. The so-called Apple Pay EMV Express Transit VISA exploit was just a lab experiment; this is happening in the field. The PAX story won’t get much press however because it doesn’t have ‘Apple Pay’ in the headline. At least not yet…I’m sure some media hack out there will come up with one, something like ‘Apple Pay sends your personal payment data to China’. Only then will people start paying attention.
*UPDATE 2021-11-03 Bloomberg reports FIS Worldpay (also based in Jacksonville next door to PAX…interesting eh?) is pulling PAX NFC readers from client systems and replacing them with Verifone and Ingenico NFC readers. FIS said, “While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible.” No evidence but Worldpay is replacing PAX readers anyway…based on what exactly, hearsay?
PAX NFC readers comprise less than 5% of Worldpay client POS installations so we’re not talking big numbers. Meanwhile PAX has issued a long winded statement (PAX Technology announcement and resumption of trading) addressing and refuting the security risk claims from Krebs and FIS, saying it’s only a geolocation feature. We don’t know which PAX reader models are involved but I suspect they are Android based. That’s the problem with all those crappy Android OS based POS+NFC all in one terminals: not only do they have lousy Android performance, they have all the Android security risks too. Dedicated hardware is way better, performance-wise and security-wise.
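The one concrete detail in the Krebs source is the kind of thing a payment processor can actually check: terminal egress whose size matches neither an authorization message nor a software download. Here is detection logic for that, added for this post and not code from PAX, FIS or anyone else. The flow records, hostnames, ports and byte thresholds are constructed for the example, so treat the allow-list and the 4KB authorization ceiling as assumptions to be replaced with a real fleet’s baseline.

```python
"""Added example, not from the post or from the Krebs report: detection logic
for the kind of discrepancy the quoted source describes, terminal egress that
does not look like either an authorization message or a software update. The
flow records, hostnames and thresholds are constructed for this example."""
import csv
import io
from dataclasses import dataclass

# Constructed sample of per-flow egress records for a small terminal fleet.
SAMPLE_FLOWS = """\
ts,terminal,dst,dport,bytes_out,bytes_in
2021-10-26T09:00:01,T-01,acq.example.net,443,1380,920
2021-10-26T09:03:12,T-01,acq.example.net,443,1402,915
2021-10-26T02:15:00,T-01,update.example.net,443,640,2849200
2021-10-26T09:05:44,T-02,acq.example.net,443,1395,921
2021-10-26T09:06:02,T-02,203.0.113.7,8443,48210,312
2021-10-26T09:07:19,T-03,acq.example.net,443,262144,930
2021-10-26T02:16:30,T-03,update.example.net,443,917504,1188
"""

# Assumed allow-list: role of each expected destination and the ports it uses.
ALLOWED = {
    "acq.example.net": ("payment", {443}),
    "update.example.net": ("update", {443}),
}
AUTH_MAX_BYTES = 4096   # assumed: an authorization exchange fits in a few KB


@dataclass(frozen=True)
class Alert:
    ts: str
    terminal: str
    reason: str


def analyze(flows_csv: str, allowed=ALLOWED, auth_max=AUTH_MAX_BYTES):
    """Flag flows that a payment terminal has no business producing."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flows_csv)):
        dst, dport = row["dst"], int(row["dport"])
        out, inn = int(row["bytes_out"]), int(row["bytes_in"])
        role, ports = allowed.get(dst, (None, set()))
        if dport not in ports:
            alerts.append(Alert(row["ts"], row["terminal"],
                                f"unexpected destination {dst}:{dport}"))
        elif role == "update" and out > inn:
            # an update is a download; a terminal uploading more than it
            # fetches on that channel is not updating its software
            alerts.append(Alert(row["ts"], row["terminal"],
                                f"upload of {out} bytes on update channel"))
        elif role == "payment" and out > auth_max:
            alerts.append(Alert(row["ts"], row["terminal"],
                                f"payment flow sent {out} bytes, larger than an authorization"))
    return alerts


def suspect_terminals(flows_csv: str):
    """Terminals with at least one alert, for the pull-and-replace list."""
    return sorted({a.terminal for a in analyze(flows_csv)})


if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(a.ts, a.terminal, a.reason)
    print("suspect:", suspect_terminals(SAMPLE_FLOWS))
```

The three rules map onto the three claims in the quote: traffic to somewhere other than the acquirer or update host, payload sizes that don’t match an authorization, and volumes that don’t correlate with a software update. None of them needs to decrypt anything; flow metadata is enough, which is why a processor could notice before the terminal vendor explained itself.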