
The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.

OCR for page 61
Findings of Key Information to be Exchanged Between Agencies 61

Table 14. Definition of RIS data elements.

Card/Transit Info

| Field | Description |
|---|---|
| | Indicates the test or revenue PICC |
| OpsMaintenanceUse | Indicates the revenue or operations/maintenance |
| CountryID | Numeric value that identifies the country in which this PICC was issued |
| PICCValidityPeriod | Card validity period in years |
| RegionID | Numeric value that identifies the metropolitan region of a country in which this PICC was issued and intended for the majority of its use. There are 256 possible regions that can be defined on a PICC within each country |
| IssuerID | Designates the card and ticketing application of issuing nation, state/region, or agency |
| TransitExpirationDate | Represents the transit application's expiration date |
| KeySetIdentifier | Represents a logical pointer to a key set that is contained on a PICC to support the transit application. (Note: The actual physical location of the keys, as well as access to the keys, is protected and managed by the specific PICC's operating system) |
| ManufactureID | Represents the manufacturer ID code |
| TransitPICCID | Represents the unique printed serial number assigned by the PICC manufacturer based upon instructions of the ordering regional clearinghouse |
| IssuingDeviceID | Indicates the PICC issuing/encoding device containing the CID ID |
| ProfileBirthDate | Represents birth date of the customer to assist with identifying the customer's eligibility for discounts and recording demographics (Format ddmmyy) |
| ProfileStartDate | Provides the date this profile becomes valid for use (Format ddmmyy) |
| ProfileExpireDate | Provides the expiration date of this customer profile and associated discount if applicable (Format ddmmyy) |
| ProfileLanguage | Enables an automatic language of preference to display on smart PICC devices [e.g., PCD (reader), faregate, vending machine, touch-pads at non-transit outlets, etc.]. Different regions can assign other languages, but if a customer travels to a different region and the language code is not supported in the standard, a patron can always select English as a default |

(continued on next page)

The need to access the application data elements in an interoperable equipment independent fashion is another objective of this research project. The objective is to develop an implementation of a transit application using a standard API to serve as a proof of concept of interoperability between the smartcard readers and the transit application software. The application layer should use ISO/IEC 7816-4 to address the need for a standard approach. Chapter 7 contains the details of the standard approach.

4.2.4 Security Layer

Security for interoperable fare collection systems should be implemented at multiple layers of the overall system. Security may be as simple as implementing a security mechanism

62 Smartcard Interoperability Issues for the Transit Industry

Table 14. (Continued).

Card Holder Information

| Field | Description |
|---|---|
| ProfileBirthDate | Represents the birth date of the customer to assist with identifying the customer's eligibility for discounts and recording demographics (Format ddmmyy) |
| ProfileStartDate | Provides the date this profile becomes valid for use (Format ddmmyy) |
| ProfileExpireDate | Provides the expiration date of this customer profile and associated discount if applicable (Format ddmmyy) |
| ProfileLanguage | Enables an automatic language of preference to display on smart PICC devices [e.g., PCD (reader), faregate, vending machine, touch-pads at non-transit outlets, etc.]. Different regions can assign other languages, but if a customer travels to a different region and the language code is not supported in the standard, a patron can always select English as a default |
| UserRegistered | Indicates that the cardholder has registered prior to card issue |
| ProfileCode | Numeric code that represents a patron's specific discount and/or demographic profile if appropriate and available. Although standard profile codes and demographic codes should be recognized by different participating regions for consistency, the criteria defining the profiles may not be consistent between regions and at times may be region specific. As such, profile codes should be processed according to intra-regional and inter-regional policies, or default to adult full fare |
| DepositPaid | Indicates that the deposit has been paid |
| PICCHolderGender | PICC holder gender description |
| PICCHolderDescription | Provided for future assignment at the national, state, or regional level |
| CardHolderDescription | Provided for additional PICC holder description such as full name, weight, or other PICC holder required information to gain access to a site, facility, transit system, or building |
| AutoSubscribe | Represents the autoload subscription indicator for this load |
| ValueExpires | Indicates that this is a Single Load SV product that expires on the date indicated by ExpRecurDate |
| RemValueSign | Value designates a positive or negative balance |
| RemValue | Provides remaining currency value |
| ExpRecurDate | Provides the date that this product expires or last recurring load date (Format ddmmyy) |
| RecurringAutoloadType | Used to differentiate SV Recurring Autoload types |

between the card and reader or implementing multiple security mechanisms in parallel at each layer in the fare payment system architecture. These mechanisms may include one or a combination of the following:

- Security on each component of the system;
- Security between each component of the system (i.e., card and reader); and
- Security extending throughout the system.

Security protections may be implemented at the component, application, and network perspective. The most common areas of protection are

- Ensuring that the fare products on the smartcard are not changed by an unauthorized entity,
- Authenticating the use of a card and application within the system, and

Table 14. (Continued).

Stored Value Information

| Field | Description |
|---|---|
| AutoloadThreshold | Indicates when the T-Purse will be threshold-loaded and a funds charge transaction will be sent to the customer's bank. |
| SVThreshholdLoadAmount | Indicates value to add for a threshold autoload |
| SVRecurringLoadAmount | Indicates value to add for a recurring autoload |
| CurrencyCode | Provides the currency of the value of this product. The currency code is considered fixed and permanent where indicated and consistent for all regions that recognize and adhere to this transit smart PICC Regional Interoperability Standard. The fare collection system conforming to these specifications will recognize the defined currency and deduct the equivalent of that currency from the T-purse |
| CIDTransactionNumber | Represents the LSB of the Event Identifier assigned by the issuing machine's CID |
| CIDID | Represents the issuing machine CIDID, used to identify the encoding equipment |
| AutoSubscribe | Represents the autoload subscription indicator for this load |
| ValueExpires | Indicates that this is a Single Load SV product that expires on the date indicated by ExpRecurDate |
| RemValueSign | Value designates a positive or negative balance |
| RemValue | Provides remaining currency value |
| ExpRecurDate | Provides the date that this product expires or last recurring load date (Format ddmmyy) |
| AutoSubscribe | Represents the autoload subscription indicator for this load |
| ValueExpires | Indicates that this is a Single Load SV product that expires on the date indicated by ExpRecurDate |
| RemValueSign | Value designates a positive or negative balance |
| RemValue | Provides remaining currency value |
| AutoloadSubscribed | Provides the autoload type |
| PaymentType | Represents the payment code. Indicates the manner in which revenue is collected or returned |
| LocationEncodingType | Describes the type of location validity encoding depicted by LocationEncoding Field |
| RemTripRidesTransfers | Indicates the number of remaining transit trips/rides/transfers (maximum number of trips = 255) |

(continued on next page)

- Ensuring that the transaction data are unaltered when transferring within an agency and between agencies.

The appropriate security mechanisms will depend on several factors. At a minimum, these factors are

- Assessment of the functionalities and capabilities of a specific system element and its components,
- A risk and risk mitigation cost model for the element,
- A risk assessment and threat analysis performed by the region and its agencies of the specific system element and its relevance upon the overall system, and
- The complexity of encryption algorithms and key management structure.
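As an added example (not from the report), here is a receiving agency's check on a decoded stored-value record: it applies the range and format limits stated in Table 14 and verifies an HMAC-SHA256 tag so that alteration between agencies is detected. The dict layout, the choice of HMAC, the shared key, the 0/1 encoding of RemValueSign and the 0-255 numbering of RegionID are assumptions of this example.

```python
import hashlib
import hmac
import json
from datetime import datetime

def _int_in(value, low, high):
    return isinstance(value, int) and low <= value <= high

def validate_record(rec):
    """Check a decoded stored-value record against the limits stated in Table 14."""
    required = ("RegionID", "RemValueSign", "RemValue",
                "ExpRecurDate", "RemTripRidesTransfers")
    problems = [f"missing {name}" for name in required if name not in rec]
    if problems:
        return problems
    if not _int_in(rec["RegionID"], 0, 255):               # 256 possible regions (0-255 assumed)
        problems.append("RegionID out of range")
    if not _int_in(rec["RemTripRidesTransfers"], 0, 255):  # maximum number of trips = 255
        problems.append("RemTripRidesTransfers out of range")
    if rec["RemValueSign"] not in (0, 1):                  # assumed 0 = positive, 1 = negative
        problems.append("RemValueSign not 0 or 1")
    if not (isinstance(rec["RemValue"], int) and rec["RemValue"] >= 0):
        problems.append("RemValue must be an unsigned amount")
    date = rec["ExpRecurDate"]                             # Format ddmmyy
    try:
        if not (isinstance(date, str) and len(date) == 6 and date.isdigit()):
            raise ValueError(date)
        datetime.strptime(date, "%d%m%y")                  # rejects e.g. 31 February
    except ValueError:
        problems.append("ExpRecurDate is not a valid ddmmyy date")
    return problems

def seal(rec, key):
    """HMAC-SHA256 over a canonical JSON encoding (the sender's side)."""
    body = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def accept(rec, tag, key):
    """Receiver's side: reject altered records before looking at the fields."""
    if not hmac.compare_digest(seal(rec, key), tag):
        return ["integrity check failed"]
    return validate_record(rec)

# Constructed sample values, not taken from the report.
KEY = b"demo-key-for-illustration-only"
SAMPLE = {"RegionID": 12, "CurrencyCode": 840, "RemValueSign": 0, "RemValue": 1250,
          "ExpRecurDate": "311225", "RemTripRidesTransfers": 10}

if __name__ == "__main__":
    print(accept(SAMPLE, seal(SAMPLE, KEY), KEY))
    print(accept(dict(SAMPLE, RemValue=9999), seal(SAMPLE, KEY), KEY))
```

The tag is checked before the fields, so a record changed in transit is rejected even when every altered value is still within range.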

Table 14. (Continued).

Pass/Transfer Info

| Field | Description |
|---|---|
| ExpDate | Indicates the expiry date for the product |
| ExpTime | Indicates the time this product expires. Time in minutes past midnight |
| RenewedInAdvance | Indicates that this product has been renewed in advance of its expiry date |
| AutoThreshold | Code representing the time in advance that a threshold load will occur (N/A for Transfers) |
| ProdID | Product code specifically owned by the transit agency of use. The code is defined by the transit agency within the region and posted to the PICC when the customer buys the product either at any add-value vending machine, ticket booth, or other device in the future. There are 255 possible product codes for each Agency of use. These codes are not fixed and permanent and can be changed by the owning transit agency within the region via tables/fare rules. The code is captured by the faregate reader and used for accounting, demographic reporting, and other downstream fare collection system processing |
| LocationEncoding | Represents the valid locations indicator |
| CIDTransactionNumber | Represents the LSB of Event Identifier assigned by the issuing machine's CID |
| CIDID | Indicates the issuing machine CIDID used to identify the Encoding equipment |
| LoadType | Represents the payment type code. Indicates how revenue was collected or returned |
| ValueExpires | Represents the expiry indicator. Indicates that this is the load of a Single Load SV product |
| AgencyID | For agency-specific SV purses, this is set to the relevant Agency ID. The Agency ID for the Regional T-Purse is set to 0 |
| Date | Indicates the purchase date (Format ddmmyy) |
| Time | Indicates the purchase time in minutes past midnight |
| RecurringAutoloadType | Used to differentiate SV Recurring Autoload types |
| SVTransaction | Indicates the value added or deducted inclusive of any bonus for cash, bank card, directed autoload, or threshold autoload transactions |
| SVTransactionNegative | 0 = Positive, 1 = Negative |
| RegionID | Provides the value of the regional ID |
| LocationID | Represents the unique location of the device within the regional system. |

Based on the research team's experience, technology and system suppliers make products as secure as the procuring agency specifies them to be. For any IT system, a threat and vulnerability analysis is the first step in determining the security features required to mitigate the security risk.

The objective of this discussion is to define security and provide a framework for establishing a smartcard fare payment system security policy that meets system needs cost effectively. As discussed, a smartcard fare payment is an automated data-collection system, thus an information systems security framework applies. The Information Security Handbook defines security as three components:

- Confidentiality of information is ensuring that any information exchanged between two or more parties remains private to the authorized entities.

Table 14. (Continued).

Add Value History Info

| Field | Description |
|---|---|
| CIDTransactionNumber | Represents the LSB of the event identifier assigned by the issuing machine's CID |
| CIDID | Represents the issuing machine CIDID used to identify the encoding equipment |
| TransactionType | Denotes the type of transaction |
| In/Out | Indicates in or out of "paid area" for closed systems |
| ProdID Or RegionID | Provides the product ID for in-region product use or region ID for out-of-region T-Purse use |
| AgencyID | Represents the service providing agency/agencies for the associated product |
| LocationID | Represents the unique location of the device within the regional system |
| DateStamp | Indicates the date of transaction (Format: ddmmyy) |
| TimeStamp | Indicates the time of transaction. Time in minutes past midnight when transaction occurred (Format: mmm [01339]) |
| TransactionLinked | Provides linkage to previous transaction |
| TransferStartTime | Indicates the transfer start time for the journey and used to determine transfer validity. Time in minutes past midnight. Set to Time of Use if not applicable |
| TransValue | Indicates the value of the SV transaction, where applicable |
| TransValueSign | Value designates a positive or negative transaction value |
| TransferCode | Provides the transfer service code |
| Special | Indicates the bits reserved for agency-specific usage |

- Integrity of information is to guarantee that changes to information due to entering and editing errors, faulty data transmission, and unauthorized modifications are detected and if possible corrected.
- Availability of information is to balance availability to those allowed access against information-protection measures.

Figure 10 identifies the most common breaches in security and provides an overview of the associated effects. To determine the level of security required for a transit smartcard fare payment system, the methodology presented in Figure 11 provides a systematic approach to assessing the threats and associated risks. The methodology consists of the following key activities:

- Analyzing business processes to provide the basis for identifying weak links and vulnerabilities to fraud and exploitation;
- Assessing threats to identify how the smartcard fare payment system may be misused, which depends on card use. The most common forms of misuse are
  - Counterfeiting--Creation of a duplicate card,
  - Misrepresentation--Using someone else's access authorization or card,
  - Alteration--Unauthorized modification of data, and
  - Collusion--Circumventing procedures and technology through illegal arrangements;

[Figure 10. Data security breaches and impacts.]

- Assessing technology to identify inherent vulnerabilities that present system risks. According to the Orange Book, vulnerabilities include
  - Modification,
  - Unavailability,
  - Data corruption, and
  - Data exposure;
- Analyzing risks and developing options to provide the basis for conducting the cost-benefit analysis. The objective of this activity is to develop a set of logically sequenced metrics that identify countermeasures and risk mitigation strategies as follows:
  - Threat vulnerability and countermeasures and
  - Security versus risk and mitigation measures; and
- Conducting cost-benefit analysis to determine the most cost-effective solution for the perceived risks.

Security in a smartcard fare payment system is achieved by combining the following three basic elements:

- Encryption--This is the transformation of data that is only readable through the use of a secret key.