56

D.C. Circuit held that federal agencies are subject to Rule 45 subpoenas.739 Moreover, a federal court in the Eastern District of Louisiana has held that federal agencies must comply with Rule 45.740 The Louisiana court stated that “[t]o hold that the United States and its agencies are not ‘a person’ as used in Rule 45 solely when they are a non-party is inconsistent with the wording of the Rule as well as with other rules of civil procedure.”741 The court also held that an agency may not “claim sovereign immunity to avoid compliance with third-party subpoenas.”742

XIV. FOUR LEADERSHIP AGENCIES THAT USE CONTACTLESS OR OTHER ELECTRONIC PAYMENT SYSTEMS

A. Metropolitan Transportation Authority

MTA, North America’s largest transportation network, serves a population of 15.2 million people in a 5,000-sq-mi area that includes New York City through Long Island, southeastern New York State, and Connecticut.743 MTA subways, buses, and railroads provide 2.73 billion trips each year to New Yorkers, the equivalent of about one in every three users of mass transit in the United States and two-thirds of the nation’s rail riders.744 MTA includes the New York City Transit Authority (NYCT), MNR, LIRR, MTA Bus Company, and Staten Island Railway (SIR).

MTA’s electronic fare collection system serves NYCT subways and buses, MTA Bus Company’s buses, SIR’s railway cars and certain other regional transportation providers. MNR and LIRR have implemented pilots of mobile ticketing applications whereby customers can pay for commuter rail rides using a mobile device. All of the same privacy policies apply to those applications as apply to the MetroCard and NFPS systems described below.745

MTA’s current system is based on the MetroCard. The MetroCard “is a magnetic strip closed-loop card that serves NYCT subways and buses, MTA Bus Company’s buses, SIR’s railway cars and certain other regional transportation providers.”746

In its response to the survey, however, MTA advised that it is releasing a request for a proposal “for an Account-Based, Open Payment architecture with Interfaces based on [Application Program Interfaces or APIs] provided by the [Standardization Initiative or SI] (or its licensors).”747 The MTA’s NFPS will accept contactless bank cards, certain third-party-issued media, MTA/NYCT-issued media, and other media for fare payments via a range of channels that use appropriate security protocols, real-time or near-real-time communication interfaces with the NFPS backend for all NFPS equipment, extended-use smartcards operating as account-based media, and limited-use smartcards operating as account-based or card-based media.748

Although other details are provided in the summary of the transit agencies’ responses to the survey, the NFPS will include a Customer Relationship Management System to allow for the central management of all customer data “and cradle-to-grave tracking of customer service tickets, including creation, escalation and resolution” and NFPS Web sites that allow customers, institutions participating in special programs, retail merchants, and MTA/NYCT staff to interact with the NFPS backend for account management and other purposes.749 The NFPS will include mobile payment applications for a range of operating systems.750 NFC-enabled devices “are one of the media types to be supported by the new NFPS system.”751

As for security, the NFPS will have “[r]obust security, data redundancy, risk mitigation and fraud protection mechanisms.” The NFPS will also have a “Data Warehouse” to store NFPS data for reporting and back-office processing and monitoring purposes. The system will use a Tokenization process that meets or exceeds PCI Tokenization guidelines, and a certified Point-to-Point Encryption solution for all Payment Data. The Tokenization and encryption solutions will alleviate the need to store, and will allow secure processing of, Payment Data within the NFPS. The NFPS shall also ensure data security to the greatest extent possible.752

739 Yousuf v. Samantar, 451 F.3d 248, 250 (D.C. Cir. 2006).
740 In re Vioxx Prods. Liab. Litig., 235 F.R.D. 334, 343 (E.D. La. 2006).
741 Id. at 342.
742 Id. at 343.
743 The MTA Network, http://web.mta.info/mta/network.htm (last accessed Sept. 24, 2016).
744 Id.
745 MTA’s response to the survey.
746 Id. The MetroCard can provide stored value (pay-per-ride) and period pass (7-day or 30-day unlimited ride) functionality, all of which are prefunded by a customer at purchase or reload. The fare products are activated through magstripe read/write technology at a swipe read/write block or a transport unit that has been incorporated into various devices across the MetroCard System. Id.
747 Id.
748 Id.
749 Id.
750 Id.
751 Id.
752 Id. The term “Tokenization process” is defined as “an integral payment technology for every merchant, along with EMV and PCI-validated point-to-point encryption (P2PE). …Tokenization enables merchants and enterprises to safely ‘store’ cardholder data at rest for use in future transactions. Tokenization, like P2PE, effectively renders the data useless to hackers.” See Bluefin Payment Systems, https://www.bluefin.com/products/tokenization/ (last accessed Sept. 24, 2016).
57

The NFPS will collect sales and usage data, system performance data, equipment performance and maintenance data, and customers’ personal data, including travel data. MTA will use the data that it collects to “facilitate convenient, secure, and efficient fare collection. We will also be using the data…to provide an enhanced level of customer service, including self-service options, that requires the collection and use of personal data to set-up, administer, and manage customer accounts.”753

B. Metropolitan Transportation Commission

In 1970, the California legislature created the MTC. At first, MTC was “largely focused on planning for the expansion of the region’s transportation network. In the ensuing years, lawmakers in Sacramento and D.C. [gave] the agency broad powers for the planning, financing, coordination, and management of transportation.”754 The MTC region “houses” more than 7 million people in 9 counties and 101 cities in the San Francisco Bay Area.755 MTC also “collaborates with dozens of agencies and organizations to manage and maintain…transportation” in the Bay Area.756

In its response to the survey, MTC explained that it manages a closed-loop contactless payment system for public transit that is used by 22 regional operators under the brand name of “Clipper.”

Patrons may register on the Clipper® Web Site or via their employer to establish a payment related account. Customer information [that is] retained may include name, contact information, and funding source information, such as a credit card or employer program. The information is retained on a secure back-office server and retained until an account is closed. Customer travel transactions do not contain personal information[] but are recorded with the card account number within the transaction. This data is retained for up to 4.5 years and then is purged to comply with [California law] to remove travel patterns.

MTC also reported that customers may use credit cards to fund a closed-loop NFC card. Funds may be added at a ticket vending machine, transit office terminal, or via the Web site. The transactions are processed via a payment gateway maintained by the Clipper primary contractor, acting as merchant on behalf of MTC, or by one of the participating transit operators.757

MTC uses customers’ personal data “to process business transactions, such as payments, refunds or customer service questions. In the case of patrons who opt in to receive communications, email or mailing addresses may be used to inform patrons of transit related information updates (e.g., fare changes, etc.).”758 Benefits include the facilitation of “convenient, secure and efficient fare collection and [the ability] to provide an enhanced level of customer service, including self-service options, that requires the collection and use of personal data to set-up, administer, and manage customer accounts.”759

The contractor who manages the program on behalf of the agency and participating transit operators has access to customers’ electronic data. MTC’s employees, contractors, and participating operators also have access to the data “under specifically designed controls and business processes….”760 Furthermore, “[a]ll individuals who receive access are managed by audited access controls operated by the contractor. Access by additional parties is restricted in compliance with applicable state law.”761

MTC stated that it has “a comprehensive security architecture in place that is audited on an annual basis.” MTC has a design-build-operate-maintain agreement with California-based Cubic Transportation Systems, Inc. (Cubic), which is also responsible for MTC’s annual PCI DSS compliance certification.762 Nevertheless, MTC is evaluating the Clipper system “for replacement at the end of the current vendor contract. Requirements are still under development.”763

C. Regional Transportation Authority

In 1983, the Illinois legislature reorganized the Regional Transportation Authority (RTA) and also created Pace, a suburban bus division. RTA is the financial and oversight body for the three transit agencies serving northeastern Illinois: CTA, Metra, and Pace.764 CTA, Pace, and Metra customers now may use their smartphone, credit or debit card, or Ventra account to buy any type of ticket. The Ventra payment system was designed by Cubic to replace the Chicago Card, Chicago Card Plus, and paper fare cards. As reported by the Chicago Tribune, the system’s initial introduction in

753 MTA’s response to the survey.
754 MTC History, http://mtc.ca.gov/about-mtc/what-mtc/mtc-history (last accessed Sept. 24, 2016).
755 What is MTC?, http://mtc.ca.gov/about-mtc/what-mtc/nine-bay-area-counties (last accessed Sept. 24, 2016).
756 Nine Bay Area Counties, http://mtc.ca.gov/about-mtc/what-mtc/nine-bay-area-counties (last accessed Sept. 24, 2016).
757 MTC’s response to the survey.
758 Id.
759 Id.
760 Id.
761 Id.
762 Id. See also Cubic Transportation Systems, http://www.cubic.com/Transportation (last accessed Sept. 24, 2016).
763 MTC’s response to the survey.
764 Metra, https://metrarail.com/about-metra/our-history (last accessed Sept. 24, 2016).
58

2013 disclosed problems that caused CTA to postpone the “full rollout until summer 2014.”765

As described by Metra, which responded to the survey for this digest, Ventra enables a mobile ticket to be stored on the customer’s phone. A customer then activates the ticket on boarding and displays the phone’s screen, showing the ticket.766 Metra explained that the Ventra app allows a customer to manage and add value to a Ventra account, purchase CTA and Pace passes, and track Metra trains, CTA buses and trains, and Pace buses. A Ventra account allows a customer to get account alerts. Metra notes that a Ventra account also allows a customer to divide a payment between two cards, a feature that is “very handy for those who use a pre-tax transit benefits debit card that does not cover the full cost of a monthly pass.”767

Metra’s response to the survey stated that it has agreements with third-party developers that involve the sharing of customers’ personal data for the purpose of offering certain benefits or options to customers.

As for the type of electronic payment system or systems that Metra is currently using, Metra identified “VeriFone MX915 devices that utilize contact point of sale (POS) transactions; Ticket by Internet (TBI); mobile ticketing; and credit card ticket vending machines (CCTVM).”768 Metra collects some customers’ personal data when customers make electronic payments. Metra collects a customer’s name and mailing address when he or she uses TBI, whereas a customer’s name, email address, and birthdate are collected for those using mobile ticketing. Metra is now “migrating” TBI and CCTVM to utilize the Bank of America Payeezy system.769

D. Capital District Transportation Authority

In 1970, the New York State Legislature created CDTA, serving Albany, New York, as a public benefit corporation that would provide regional transportation services by rail, bus, water, and air. CDTA “is the premier mobility provider in the Capital Region” and attained a record annual ridership of 17,106,322 as of March 31, 2016.770 CDTA provides 50 public bus routes throughout the region, including 29 routes that connect to downtown Albany. The Northway Xpress (NX) is CDTA’s commuter service between Saratoga and Albany. NX tickets may be purchased on the bus or through the CDTA sales office. BusPlus, CDTA’s version of Bus Rapid Transit (BRT), is a limited-stop service along a 17-mi portion of Route 5 between downtown Albany and downtown Schenectady. The Authority states that “BusPlus combines benefits of commuter rail with flexibility and cost advantages of buses, offering limited stop operation which move customers quickly and efficiently.”771

CDTA uses a fare collection system provided by SPX-Genfare.772 The system includes FastFare™ fareboxes placed on board all fixed-route vehicles capable of processing cash; magnetic stripe, contactless limited-use Ultralight C cards;773 and DESFire long-term smartcards, 2D bar codes, proximity cards, and adhesive smart media.774 CDTA’s electronic payment system includes a fully hosted central data system for ridership and revenue reconciliation, point of sale, and customer account management for internal management staff, while offering customers retail and administrative point of sale terminals, and customer facing web portals to purchase and replenish all forms of CDTA payment media.775 CDTA’s current system will also be able to process EMV-compliant payment cards and mobile ticketing transactions in the future.776

Personal data collected by CDTA include real-time travel location. Moreover, each registered smartcard customer provides his or her name; email address; telephone number; boarding location, time, and date; as well as purchase location, time, and date. A customer may use a “credit or debit card on CDTA’s website or in person at a point of sale terminal to purchase products or add value to existing products on their smartcard.”777 Although a credit or debit card payment may not be made on a transit vehicle, CDTA reported that “[i]n the future,

765 Chicago Tribune, http://www.chicagotribune.com/topic/business/transportation-industry/ventra-EVGAP00070-topic.html (last accessed Sept. 24, 2016).
766 Metra’s response to the survey.
767 Metra, Opening the Ventra App, https://metrarail.com/tickets/ventra-app/opening-ventra-app (last accessed Sept. 24, 2016).
768 Metra’s response to the survey. As for VeriFone, see http://www.verifone.com/products/hardware/multimedia/mx-915/ (last accessed Sept. 24, 2016).
769 Metra’s response to the survey. See features at “Bank of America Payeezy,” http://www.cardpaysolutions.com/features (last accessed Sept. 24, 2016).
770 CDTA history, https://www.cdta.org/history (last accessed Sept. 24, 2016).
771 CDTA, http://www.albany.org/listings/Capital-District-Transportation-Authority-CDTA-/1138/ (last accessed Sept. 24, 2016).
772 CDTA’s response to the survey. For more information, see Genfare, http://www.genfare.com/ (last accessed Sept. 24, 2016).
773 For a description of the Ultralight C, see MIFARE Ultralight C, https://www.mifare.net/en/products/chip-card-ics/mifare-ultralight/mifare-ultralight-c/ (last accessed Sept. 24, 2016).
774 For more information, see MIFARE, https://www.mifare.net/en/ (last accessed Sept. 24, 2016).
775 CDTA’s response to the survey.
776 Id.
777 Id.