Keeping transportation payment systems safe from security threats

Standardizing transportation payment systems would make it easier to use transit systems around the world, but it will require better security.

One of the best ways to get to know a new city or region is to take public transportation. As they whisk you to that must-see park, museum, or shopping district, local rail and bus systems give you a taste of what it’s like to live in the area. Many metropolitan regions use their own proprietary transportation system cards or e-tickets. While the prepaid cards make nice post-trip souvenirs, they’re not exactly the most efficient or eco-friendly way to pay for a trip. And both the prepaid cards and e-tickets typically won’t work outside of a city or region.

There’s now a movement toward a standardized payment system that can be used across different modes of transportation and different regions of the world. This can be realized in a couple of ways: via credit or debit cards and via QR codes on smartphones. One of the challenges, however, is ensuring that these modes of payment will be safe from security threats. In this article, we’ll take a look at the advantages of standardized transportation payments and how to protect payment systems from tampering.

Local rail systems provide passengers with a convenient way to get across town. Standardized payment systems would only add to the convenience. (Image: Maxim Integrated)

Market opportunities for standardized transportation payment systems

In China, there are some 400,000 buses [1] and 5,500 train stations [2], supported by an estimated 675,000 payment card readers. The U.K. has 32,000 buses [3] traversing its roads and more than 2,500 train stations [4], with an estimated 160,000 payment card readers. New York state boasts nearly 83,000 buses [5] and more than 400 train stations [6], with an estimated 104,000 payment card readers. There are now more than 50 different transportation payment protocols in use in the world. The market is, indeed, ripe for a standardized, global transportation payment solution.

A standardized solution would save time and bring a great deal of convenience to travelers. No more need to order train tickets in advance online, stand in a long queue to buy tickets, or manage top-up cards that are running low on funds. No need to procure foreign currency to get from place to place and carry around different transit cards or flip through different smartphone apps while traveling across different regions. As technology brings benefits like real-time public transit tracking and route suggestions, it only makes sense that paying for a ride should become easier and more convenient.

Standardizing transportation payment systems would give riders the freedom to pay for their fares via their smartphones or a contactless bank card across a variety of transit systems and across regions. (Image: Maxim Integrated)

Designing a trustworthy transportation payment device

A transportation payment device for a standardized global system would need to support payments via:

  • QR code, which entails having a camera module as well as the proper software
  • Contactless bank cards, which require Europay, Mastercard, and Visa (EMV) compliance for contactless payments
  • Near-field communications (NFC) phones, which require an NFC interface as well as EMV compliance for contactless payments

EMV is the industry’s global interoperability standard for bank cards, point-of-sale (POS) terminals, and automated teller machines (ATMs). The standard is now overseen by EMVCo, a global consortium that also defines the stringent testing and certification process to ensure device compliance. The standard is intended to help reduce fraud and provide better security of card payments.

To meet the EMV Contactless L1 Specification v3.0, a payment terminal would need to adhere to certain electromagnetic, communication, signal quality, and software validation requirements. In addition, payment systems should also adhere to security standards outlined by the Payment Card Industry (PCI) Security Standards Council. This global organization’s PIN Transaction Security (PTS) standard, PCI-PTS, provides direction for robust security controls for payment systems.

Payment terminals must also provide network access for payment processing, and they should be designed to prevent tampering and protect the sensitive data that is transmitted. Hackers continue to get creative in their attempts to seize sensitive information from terminals. For example, hackers will sometimes attempt to gain access to sensitive data by changing the temperature of the microcontroller inside the payment terminal, causing the device to freeze as it attempts to execute a program. In addition to protecting against physical threats, the payment terminal must be confident that the firmware is authentic and can be trusted to handle the payment transactions.

Some regional mass transit systems are beginning to explore using credit or debit cards as a standard transportation payment solution. For example, in New York City, the Metropolitan Transportation Authority (MTA) is rolling out One Metro New York, or OMNY, over the next few years. OMNY allows riders to use their own contactless card or smart device to pay for fares and enter the transit system (subways, buses, and commuter rail) [7]. Visa has a program called Visa Ready for Transit, which provides an open-loop system that allows riders to pay using contactless cards or mobile device wallets.

As part of its program, Visa has created global models that work with various scenarios, such as when the fare is known at the start of a trip or when the fare is known only at the end of the trip. Transit operators must get their systems certified to become a Visa Ready solution provider. Mastercard also provides an EMV open-loop, contactless transit solution.

Choosing the right microcontroller

Inside payment terminals is a variety of electronic components. The microcontroller, in particular, plays a central role, providing the processing power to handle the payment transactions. In fact, a microcontroller with certain features can also help designers comply with not only the standards but also security requirements for transit payments. Look for features such as:

  • EMV and PCI compliance
  • Contactless and QR code-based payments
  • Secure bootloader for firmware authentication and integrity check
  • Tamper and environmental sensors

Let’s take a closer look at the security features. To push the payment transaction through, a payment reader must be sure that its firmware is authentic and comes from the manufacturer. Prior to downloading the firmware to the reader, a secure boot loader integrated into a microcontroller would verify that the firmware has been signed by the manufacturer, which establishes its authenticity, and would also perform an integrity check. If the firmware doesn’t pass the tests, the transaction doesn’t go through.

As discussed previously, some hackers attempt to change the temperature of the microcontroller to gain access to sensitive information. This is where environmental sensors such as temperature monitors and voltage monitors can raise alerts in such scenarios. A tamper sensor would serve a similar purpose in the event of physical tampering.

Maxim Integrated offers several secure microcontrollers based on Arm Cortex-M3 and Cortex-M4 processors that meet the requirements for transit payment terminals. Each of these compact devices has an integrated contactless interface for card reader designs and features tamper and environmental sensors. They are either compliant with, or in the process of achieving compliance with, the EMV and PCI payment standards. The devices are:

  • MAX32560 108-MHz Cortex-M3 DeepCover secure microcontroller
  • MAX32561 108-MHz Cortex-M3 DeepCover secure microcontroller
  • MAX32570 150-MHz Cortex-M4 secure microcontroller, which also features support of a parallel camera interface for QR code reading, a TFT controller, and Ethernet and secure digital host controller (SDHC) for Wi-Fi module connection

For security, these devices have system-level protection features such as secure boot loader, cryptographic engines, and true random-number generators. If a hacker attempts to change the voltage of these devices, the device places itself in a reset state or erases the transaction key to thwart the attack.
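The reset-or-erase response described above can be sketched in C as follows. This is an added example, not Maxim Integrated's firmware and not code from the original article; the voltage and temperature limits, the three-excursion policy, and every identifier are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits and policy; real values come from the device datasheet. */
enum { VDD_MIN_MV = 3000, VDD_MAX_MV = 3600, TEMP_MIN_C = -40, TEMP_MAX_C = 85,
       MAX_EXCURSIONS = 3, KEY_LEN = 16 };
typedef enum { RESP_NONE, RESP_RESET, RESP_ERASE_KEY } tamper_resp_t;
typedef struct { int vdd_mv; int temp_c; int case_open; } sensor_sample_t;

static uint8_t transaction_key[KEY_LEN];
static int excursions;                 /* out-of-window samples since key load */

void load_key(const uint8_t *k) { memcpy(transaction_key, k, KEY_LEN); excursions = 0; }

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void zeroize(uint8_t *buf, size_t len) {
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

int key_is_erased(void) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= transaction_key[i];
    return acc == 0;
}

/* One monitoring pass (assumed policy): a physical tamper event or repeated
 * voltage/temperature excursions erase the key; one excursion forces a reset. */
tamper_resp_t tamper_check(const sensor_sample_t *s) {
    int env_bad = s->vdd_mv < VDD_MIN_MV || s->vdd_mv > VDD_MAX_MV ||
                  s->temp_c < TEMP_MIN_C || s->temp_c > TEMP_MAX_C;
    if (env_bad) excursions++;
    if (s->case_open || excursions >= MAX_EXCURSIONS) {
        zeroize(transaction_key, KEY_LEN);
        return RESP_ERASE_KEY;
    }
    return env_bad ? RESP_RESET : RESP_NONE;
}

int main(void) {
    const uint8_t demo_key[KEY_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    const sensor_sample_t trace[] = {   /* constructed sensor trace */
        {3300, 25, 0}, {2400, 25, 0}, {3300, 110, 0}, {3300, 25, 0}, {3900, 25, 0} };
    load_key(demo_key);                 /* constructed key, not a real one */
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("sample %zu -> response %d\n", i, (int)tamper_check(&trace[i]));
    printf("key erased: %d\n", key_is_erased());
    return 0;
}
```

Counting excursions across samples, rather than judging each sample alone, is what lets the sketch distinguish a single brown-out from a repeated glitching attempt.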

With the functions already integrated into these devices, designers do not need to seek discrete chips to meet the EMV 3.0 standard, as they would with other available solutions. The secure microcontrollers already comply with the latest contactless card standards. Last but not least, Maxim Integrated also offers EMV Contactless L2 kernels via its subsidiary company, Amadis. The EMV Contactless L2 kernels are proven solutions for payment transactions all over the world.

Summary

With more people paying for more things via credit cards and mobile devices, it only makes sense that transit payments follow suit. Eliminating the need for proprietary transit cards makes the transit experience easier and more convenient. And with highly integrated secure microcontrollers, designers of payment terminals can rest assured that these financial transactions can be conducted safely and securely.

References:

[1] https://www.pri.org/stories/2019-10-08/china-dominates-electric-bus-market-us-getting-board

[2] https://www.travelchinaguide.com/china-trains/station.htm

[3] http://www.mistral-bus.com/planning-contactless-payment-32000-buses-uk-2020/

[4] https://www.thetrainline.com/stations

[5] https://www.statista.com/statistics/196342/total-number-of-registered-buses-in-the-united-states-by-state/

[6] https://en.wikipedia.org/wiki/New_York_City_Subway

[7] https://omny.info/about-omny
