Category: Transit and Travel

What’s next for rail travel?

15th August 2018by Consult HyperionLeave a comment

Rail travel has been much in the news in the last few weeks in the UK, and it’s not been good. There are ongoing sporadic strikes at South Western Railways and Northern Rail. New timetables have not bedded down in some areas, leading to ongoing cancellations. Perhaps it is small wonder that a customer survey by Which?, published today, has indicated that rail travel is the least trusted consumer service, apart from second-hand car sales.

Ticket prices frequently come in for public criticism too. The announcement this week predicts fare increases of 3.5% for 2019, in line with RPI (retail price index) . But it is not only increases, and the absolute level of fares, that are problematic. As has long been the case with airlines, people sitting next to each other on the same journey may have paid a very different fare, based on complex and opaque rules , which may not be available on all sales channels or at each location. For example, this has led to the well-known anomaly where it can be cheaper to purchase multiple tickets to cover a whole journey (known as “split ticketing”) rather than accept the best available point-to-point fare.

In a widely welcomed development, the Rail Delivery Group has announced a consultation on fare simplification , with the aim of producing recommendations by the autumn for the government to consider. If customers are presented with a simple set of options, with understandable rules, they will have more confidence that they have captured the best available fare, and will save time; perhaps making the difference between opting for public transport or adding to congestion and pollution by using a private car.

Ideally, customers will investigate their journey options, pay for their right to travel and present those rights via their mobile phones, instead of adding to their own stress and station congestion by trying to assess their options at a ticket vending machine . If such a facility can be integrated across other modes of public transport, so much the better.

In our assignments with transport authorities and operators on every continent, we have found that implementing politically-mandated changes to fare structures and policies, with legacy ticketing systems is rarely straightforward. Typically, a range of kiosks, vending machines and hand-held devices need to be changed – in ways that may never have been envisaged when they were procured. In the worst case, customer media, such a smart cards could need to be re-issued. In all cases, changes must be introduced across the estate as quickly as possible, to avoid incompatibilities and anomalies.

For these reasons, the focus of our consultancy and technical design services with agencies around the world has been on account-based ticketing. In this concept, the interaction between customer media (preferably, self-provided) is kept very simple: essentially to log the entry and exit of the passenger into the public transport system. Back-office systems check the customer’s right to travel, reconstruct journeys to ensure that the most advantageous fare is paid for pay-as-you-go, and arrange for net settlement between operators, so that all are compensated according to agreed rules. When a necessary change to fare rules is required, there is a one-off change to a central system, which, following adequate testing, can be switched on, universally, overnight.

Consult Hyperion is helping transit operators on all continents across the world to make the right choices and deliver improved customer experiences. Keen to hear more? Contact us at info@chyp.com.

Is HCE secure enough for transit ticketing?

26th June 20187th August 2020by John ElliottLeave a comment

Host Card Emulation (HCE) is the technology in mobile phones that enables them to emulate contactless smartcards, but more about that later. The above question about HCE security was posed by a member of the Transport Card Forum committee when deciding the agenda for the June event in London. I was asked to speak on the subject and this blog is a summary of the presentation I gave.

Cryptography on smart cards

Smart card chips are tamper-resistant hardware running secure operating systems (OSs). They are expensive to design and certify as being secure. However, the design and certification is done once and they are manufactured in high volumes in order to drive the price down.

The cryptographic algorithms execute on the smart chip in order that the secrets they use need not be revealed to the outside world. Only the results of the cryptographic calculations emerge to be used by others within the scheme to achieve authentication, confidentiality and non-repudiation.

Typically, the secrets are loaded to the card before it is issued. Thereafter, it is assumed that the secrets cannot be compromised within the lifetime of the card (e.g. bank cards typically have a 3-year life). Therefore, the cards are not typically designed to allow the secrets to be changed after they have been issued.

Cryptography on mobile devices

As mobile phones became popular and began to be able to emulate contactless smart cards in the noughties, it was at first assumed that a smart chip (or secure element (SE) as they are sometimes known) within the mobile device would be needed to securely hold the secrets and execute the cryptographic algorithms without revealing the secrets. However, the smart card within the phone was typically the SIM card owned by the MNO and not convenient for third parties (e.g. transit operators and banks) to use.

One of the reasons clients like to engage with Chyp is that we have our own lab where we can put leading-edge technologies together in new and interesting ways.

In 2008, Chyp ran a trial of ITSO bus tickets on Nokia 6131 NFC clam phones on the NoWCard scheme in Cumberland.

The trial was considered a success and the trialists did not want to give up their phones. However, the need to load tickets to apps residing on the SIM remained a big inconvenience in the real world. And this factor stopped any such proposals from advancing into production beyond trial.

What is HCE?

Host Card Emulation (HCE) is an alternative to SE-based contactless smart card emulation. The ‘Host’ is the main processor within the mobile device. Typically, SEs within the mobile device are not used and clever software solutions are found instead to allow cryptographic algorithms to execute using secrets without revealing the secrets and without using secure hardware.

HCE timeline

Our work in the field of HCE began before the term was coined. We used to call it ‘NOSE’ which stood for ‘No Secure Element’.

2007: We built prototypes in our lab using standard NFC controller chipsets found in mobile phones that allowed us to perform EMV transactions with contactless readers without using an SE. We were unable to implement this on mobile phones at the time since the mobile device operating systems did not allow it.
2008: Our ITSO mobile ticket trial at NowCard showed that users liked the experience once the phone was provisioned, but provisioning to the SE remained a big barrier, so ‘NOSE’ could be popular in the future.
2012: The term ‘HCE’ was coined by SimplyTapp who used an open-source Android OS called ‘CyanogenMod’ with extensions to allow HCE software implementations to work on mobile devices.
2013: Bankinter (Spain) made an HCE implementation on Blackberry for Visa.
2013: Google decided to allow HCE on the official Android OS release v4.4 known as ‘Kitkat’.
2014: At the World Congress, both MasterCard and Visa made public announcements supporting HCE.
2015: Android Pay launches using HCE on Android.
2015 Chyp designs ‘ITSO with HCE’ for ITSO with the requirement to minimise changes to the existing ITSO infrastructure.

2016: Chyp advise on the Barclays contactless mobile first UK bank HCE solution.
2016: Amex Pay launches with HCE on Android.
2017: Transport for the North trial of ‘ITSO with HCE’ between Leeds and Huddersfield.
2017: ITSO announces working with Nexus (Newcastle) and a ‘global digital distributor’ to bring HCE to the North East.
2018: ITSO on Mobile HCE trials start with Google Pay using the Google wallet on Android phones. Trials are taking place in the West Midlands (TfWM) and the North East (Nexus).

Rambus and ACT both currently have working HCE solutions for ITSO on mobile devices and are waiting for ITSO to carry out the testing and certification before they can be deployed on live ITSO schemes.

Challenges remaining

While HCE implementations free us from the inconvenience of provisioning apps to SEs within the mobile device, they are not without their challenges. In addition to the provisioning of short-life secrets described above, there are the following challenges:

Each HCE implementation is unique and will have aspects of its implementation that are not off-the-shelf and already certified as secure. Typically, penetration testing will be needed to show that the HCE transit app is secure enough and that tickets cannot be easily faked or cloned. This is bespoke testing carried out by specialists.
Mobile handsets are constantly evolving. Typical customers replace them every two years with a newer generation. HCE apps should be maintained to ensure they are available to use on as many of the handsets in use as practical.
Mobile OS updates mean that you need to allow for all the possible combinations of handset running all the possible OS versions.
Security is an arms race. Regular reviews of the latest known attacks are needed and potential updates made to the HCE app in order to remain secure.

So, can HCE be secure enough for transit ticketing? Well, yes, you can imagine, if it can be secure enough for banking, it can be secure enough for ticketing. But HCE implementations are difficult to implement and deploy. They require a dedicated and experienced team and constant maintenance as attacks and handsets and OSs evolve. So, it will be interesting to see how many HCE transit implementations appear and remain on the scene to displace the traditional smart card or whether yet other mobile ticketing solutions replace them altogether.

London taking contactless for half of PAYG

26th April 20187th August 2020by John Elliott1 Comment

Four years ago Consult Hyperion completed a transit project which changed not only the way people paid for their travel, but cemented contactless in the vocabulary of the masses. We were focussed on getting contactless bank cards to work for pay-as-you-go (PAYG) transit payments. This was a significant undertaking since it had not been done before and the customer proposition included a fair-price promise. This fair-price promise required the contactless bank card solution to mimic the existing Oyster “capping” which allows customers to travel without knowing the tariffs, trusting that they will only be charged the best price they could have got had they bothered to research it all beforehand. It required adding contactless payment card acceptance to all TfL readers and the building of a bespoke back office to support this new Account-Based Ticketing (ABT) where no travel information is stored on the card.

Convenience is king in mass transit. And our task was to meet the demands of one of the world’s busiest transit environments but make it cheaper to operate. The long-term vision was that by 2018, Oyster cards would be migrated to use the ABT back office and the legacy Oyster system would be turned off. The Oyster brand would remain alongside bank cards for those not using bank cards, but the technology powering this, would be changed to be ABT.

TfL and Consult Hyperion worked closely with the payment schemes to define the process of card acceptance and with the UK Card Association to establish a harmonized set of rules to balance risk between TfL and the card issuers.

The system launched on buses in 2012 and on the rest of the TfL Oyster network in 2014. Later in 2016 the privately-run river buses were added.

Fare collection costs were reduced from 14% to less than 9% of fare revenue. In 2016, 34% of TfL PAYG journeys were made using contactless bank cards (56% were Oyster and 10% were paper tickets). Is this good, bad or indifferent? Well, this figure needs to be understood in context:

Contactless bank cards were still rolling out. In 2015, less than half[1] of UK bank cards were contactless.
Not everyone has a bank account. In 2015, about 5%[2] of UK adults were unbanked and half of these did not want a bank account.
Loss of government subsidy and a mayor-imposed TfL fare freeze meant that the vision of turning the legacy Oyster system off had to be reconsidered. Existing Oyster users have no incentive to switch over to using their bank cards.
Not all foreigners arriving in London are keen to use their bank cards since they may be subject to bank charges back home, making Oyster the better choice for them.

Despite these barriers to the uptake of contactless bank cards, by April 2016, 9% of all UK contactless transactions took place on TfL services.[3] By 2018 (year 4 of acceptance of bank cards on the full Oyster network), the percentage of PAYG journeys made using bank cards (or their emulations on phones or wearables) has risen from 34% to approximately 50%.

Consult Hyperion were uniquely qualified to help TfL deliver their ambition. Bringing in-depth knowledge and a heritage of working with the major payment networks and their detailed specifications for three decades, a solid understanding of proprietary transit technologies and practical experience of delivering innovative payment methods, outside of the retail community.

The team at Consult Hyperion is now involved across the globe working with transit agencies looking to emulate the success of London in their own cities. As well as Transport for the North in the UK, these projects have included working in countries where contactless success has outpaced the UK, such as Australia to territories where contactless payments are still emerging, like India and Colombia. Our US team has been working for a number of agencies who, today are developing systems capable of accepting contactless payment cards, even though issuance is less than 0.01%, in the hope that transit will drive banks to start issuing cards. There are early signs of success.

It is clear, that the success of TfL’s Future Ticketing Project has helped drive a sea-change in the payments and transportation industries that can save money in one industry and drive transaction volumes up in another. With our help, we are confident this success will continue.

[1] UK Cards Association Summary Statistics

[2] Financial Inclusion Commission 2015 Report

[3] UK Cards Association Contactless Transit Project Briefing – May 2016

Tickets via Mobile or TVM?—you decide

18th January 20187th August 2020by John ElliottLeave a comment

I often travel from Edinburgh to Leeds by train — pretty much every week in fact. I use the Trainline app (other apps are available) to search for train times. All sensible options I might care to consider (except perhaps for split ticketing) are displayed with their departure times and prices. I click on the one that I want, pay by card and download the barcode ticket to my mobile. All from one device all in seconds. It is very customer focussed because they know they will sell more that way and there is competition. I don’t even mind paying their booking fee and their credit card fee for the convenience.

I also travel regularly from UK airports by train to Consult Hyperion’s offices and use ticket vending machines (TVMs) to buy my train ticket when I arrive. I know I should just use the mobile ticket app even when buying tickets on departure, right? Well, unfortunately that option is not always available so I revert to the TVM. On some routes I would need to ‘Print from a ticket machine using your payment card’ which is a horrible experience requiring not just the payment card but typing in a long code. With barcodes rolling out across the whole of the UK by the end of 2018, it will be possible for some to bypass the TVMs entirely.

It is not always possible to buy in advance since I don’t know when or whether the plane will arrive. On these occasions I buy a ‘ticket on departure’ from a TVM. These machines seem uniformly unpleasant to use compared to the mobile experience. The customer is required to select options such as which route they want to travel to their destination or what kind of ticket they require (peak, off-peak, etc) without being given the other information they need such as when the next train leaves and what time is peak time. It is a stressful situation even for seasoned travellers. Tourists have no hope.

But this is not news. The government published the Action plan for information on rail fares and ticketing in December 2016. Around the same time, RDG published a ten-point plan for the improvement of TVMs. More recently, a progress report was published in December 2017. Descriptions of how the actions relevant to TVMs in these reports will be achieved include:

Ticket vending machines will tell customers when they are configured to sell off-peak tickets so that the customer will know that by waiting (e.g. in 15 minutes) they can purchase a cheaper ticket or by going to the ticket office (!)
DfT and RDG will collaborate on a strategy to ensure a consistent high quality customer experience of ticket vending machines, including the role of the Ticket Vending Machines Design Guidelines; and consider whether these contain principles which should form the basis for obligations in future franchise agreements. (Due early 2018)

TVMs were originally introduced as queue busters at train stations for simple tickets only. However, the reality is that one third of passengers now use them and the options available are highly complex. So, in summary, it does not look as though the customer experience at TVMs is set to improve significantly any time soon due to all the constraints and even if it did, it would almost certainly be less good than the mobile app experience:

Ability to select and buy tickets from anywhere with internet connection with relevant information automatically supplied to aid decision making.
Delivery of tickets directly to the mobile device; no need to print anything out.
Better support for overseas visitors who will usually not want to have to understand the fares and routes details before travelling.
Freeing up space in crowded stations (you think we have problems, we are working in Mumbai where Churchgate station has same traffic as London Waterloo but 25% of the space)
Reduced costs from not having to operate so many ticket windows and TVMs.
Opening up the ticket retail market and promoting competition.
Easier to deploy enhancements due to simple app software updates.

Clearly, mobile is not the whole solution (having spoken to industry colleagues, it seems only about 10% of rail tickets in the UK are sold using mobile apps) but the legacy that is TVMs is a big part of the problem.

I was asked again this year to act as a judge for the TTG18 Transport Ticketing Awards. Imagine my excitement when I spotted not one, but two submissions for TVMs (Ticket Vending Machines) that solve the customer experience problem.

Both solution proposed are to provide an audio (and optional video) link to remote ticket clerks where simple advice can be given or the clerk can also remotely control the TVM’s user interface. While this might provide better accessibility for those unable to use the TVMs (e.g. signing for the deaf, or offering other languages). I realise it does not suit everyone, but I think I’ll stick with my smart phone app.

The train I am on today writing this blog is delayed by over two hours due a broken-down train ahead of us. This means that I will get a full refund due to the Delay Repay regulations. Yay!

We look forward to seeing you in London at TTG18 on 23 and 24 January. If you would like to meet with Consult Hyperion while visiting the event, let us know so we can book a slot.

Contact: Sam.wakefield@chyp.com

Our live five for 2018

18th December 2017by Consult Hyperion2 Comments

It’s that time of year again. I’ve had a chat with my colleagues at Consult Hyperion, gone back over my notes from the year’s events, taken a look at our most interesting projects around the world and brought together our “live five” for 2018. Now, as in previous years, I don’t expect you to pay any attention to our prognostications without first reviewing our previous attempts, otherwise you won’t have any basis for taking us seriously! So let’s begin by looking back over the last year and then we’ll take a shot at the new one!

Goodbye 2017

This was the “live five” of technology-driven changes in the secure transactions field that we thought would have a real business impact over the previous year. In the spirit of openness and honesty and disclosure that we are famed for, let’s see how those predictions fared.

RegTech. I think we did pretty well with this prediction. Interest in regtech has grown throughout the year and the ability of regtech to make real differences in major markets is established.
Digital Identity. As we noted, one of the key regtechs, if not the key regtech, is digital identity. It did shoot up the agenda over the year and some interesting initiatives opened up.
PSD2 (still). No commentary is needed!.
Paying on the Go. We thought that a key use of open APIs will be payments, and very likely mobile payments. MasterCard’s purchase of VocaLink would tend to support this view!
Invisible POS. The shift from “check out to check in” paradigms is underway but it is fair to observe that we did not see the number of launches we were expecting as many of the projects remain in beta and will be holding to wait for the arrival of PSD2 (and CMA remedies in the UK).

Not bad. In fact, pretty good. So now let’s take a look at where we think the action will be in the coming year in our corner of the transactions treehouse. My guess is that you’ll agree with four out of the five – if not… let us know!

Hello 2018

From the perspective of our home base in the UK, the really big trend is easy to predict and wholly uncontroversial, since open banking is going to transform our industry. Thinking around this opens up a couple of adjacent areas as well. So…

Open Banking. In the UK, the regulators’ determination to bring real competition to the financial services world means that we are about to see major disruption in the space. Last year I called this before a “crossing of the streams” (in an hommage to Ghostbusters!) because there are three different initiatives coming together.The first stream is the PSD2 provisions for access to payment accounts. As you may recall, these include a set of proposals that are due to come into force in 2018. A group of those proposals are what we in the business call “XS2A”, the proposals which force banks to open up to permit the initiation of credit transfer (“push payments”) and account information queries. Even at a pure compliance level these PSD2 regulations pose significant questions for the structure of the existing payments industry. While PSD2 does not mandate APIs (I think – it’s all gotten a bit complicated but as far as I know the screen-scrapers have fought a decent rearguard action) an open banking API is the obvious way to implement the PSD2 provisions.
The second stream is Her Majesty’s Treasury’s push for more competition in retail banking. This led to the creation of the Open Banking Working Group (OBWG), which published its report in 2016. It set out was a four part framework, comprising:
- A data model (so that everyone knows what “account”, “amount”, “account holder” etc means);
- An API standard.
- A security standard.
- A governance model.
The third stream is the CMA report that triggered the remedies mentioned above. This envisages APIs to improve competition in retail banking by focusing on the use of APIs to obtain access to personal data that can be shared with third-parties to obtain better, more cost-effective services.

These streams are coming together to create an environment of what is now called Open Banking. And it’s a big deal. And it begins in January 2018 when the nine biggest banks open up their APIs and the UK becomes a fascinating and exciting laboratory for new services. Who will take advantage of this new environment? Well, in our opinion, it’s not the fintechs. And we are not the only ones who think this.

Much has been made of the rise of fintech [but] according to a report by the World Economic Forum (WEF), traditional banks are more vulnerable to competition from another source: tech giants like Amazon, Facebook, and Google.

From Tech firms like Amazon (AMZN), Facebook (FB), and Google (GOOGL) are the biggest competitive threats to the banking industry — Quartz

As we have pointed out for some time, it is not all obvious that what we refer to as the “challenger” banks in the UK (i.e., the new banks who have obtained licences in recent years) are really challengers at all. The era of the “challenger banks” is coming to an end as the internet giants compete to be the front end to the customers transactional financial services.
Conversational Transactions. One class of application that will exploit API integration with banking and payment systems is chat, whether through standard messaging applications or “chatbot” interfaces. This is hardly a wild prediction, but we think that the early steps (e.g., Facebook Messenger’s recent UK payments launch) indicate a major shift in 2018. Right now, when my sons at University ask me for money on WhatsApp, I have to switch to Barclays Pingit to send the money. Not for much longer. And it is important to understand the roadmap here, because the link between conversational commerce and voice commerce is straightforward. It’s all small step from typing “Send £20 for the ticket” to saying “Send £20 for the ticket”.
The Internet of Cars. Anyone who visited Mobile World Congress or CES or, I’m sure, many other events throughout the year, couldn’t have failed to notice the amount of work going on in the “internet of things” (we all understand just how important that will be) and how much of the IoT focus is on the automobile sector. You can see why this is: cars are expensive, so they can stand the cost of adding smart technology that can deliver new functionality. However, as Consult Hyperion have always said, doors are easy but locks are hard. It’s easy to connect the myriad systems in the modern car to the world, but it’s really hard to secure them. This is a great opportunity for organisations with skills in encryption, authentication, key management, operational security and so on to help the automobile industry,It’s one thing when your bank account gets hacked (because the bank has to give you your money back) but when the hackers are crashing cars for fun it’s another thing altogether. If we want our cars to engage in transactions then we have to be sure that the security infrastructure for those transactions is absolutely solid.
Artificial Intelligence. Well, when it comes to money, and indeed absolutely everything else, there is no doubt that AI will be the most disruptive technology of our generation. We may be a long way from Terminators and HAL 9000, but the massive AI investments pouring into financial services around the world mean that the technology is going to our business, and soon. If you examine where banks are spending their AI budgets right now, machine learning is the main focus. An Infosys poll earlier in the year showed that two-thirds of banks were already spending in this area and this is no surprise. Banks have large quantities of data that in the past they have found difficult to extract wisdom from and they have large transactional flows that they find it difficult to manage in the context of increasing regulatory burdens. Machine learning systems excel at finding patterns and exceptions in such data, provided that they can be fed the voracious quantities of raw material, so the main use of the machine learning systems is currently fraud detection and prevention. This throws up an interesting strategic challenge for banks in the new Open Banking world, because there is a threat to risk management, information analysis and sales/marketing processes in the new environment where they may not get to see the data held by third-party providers but those providers have access to bank accounts.
Tokens/ICOs. Well, those first four predictions are mainstream. But it’s fun to pick something out of left field (as our American cousins would say) by looking where technology might mean very different kinds of assets being used in transactions. We might well see a new kind of money emerge in the coming year. Not Bitcoin, but “tokens” (the basis of Initial Coin Offerings, or ICOs). When the current craziness is past and tokens become a regulated but wholly new kind of digital asset, a cross between corporate paper and a loyalty scheme, they will present an opportunity to remake markets in a new and better way. One might imagine a new version of London Alternative Investment Market (AIM) where start-ups launch but instead of issuing equity they create claims on their future in the form of tokens. The trading of these tokens is indistinguishable from the trading of electronic cash (because they are bearer instruments with no clearing or settlement) but there will be an additional transparency in corporate affairs because aspects of the transactions are public. The transparency obtained from using modern cryptography (e.g. homomorphic encryption and zero-knowledge proofs) in interesting way iss, as an aside, one of the reasons why we tend to think of the blockchain as a regtech, not a fintech.

All in all, the coming year will see much more disruption than might be apparent at first because the shift to open banking, starting in the UK, is what will drive the reshaping of the sector while at the same time the advance of AI into the transaction space (transactions of all types, from buying a train ticket to selling corporate bonds) begins to reshape the way we do business.

Crossing continents for knowledge sharing

13th November 20177th August 2020by John ElliottLeave a comment

Chyp believes that collaboration and knowledge sharing across markets can help the advancement of the industry and this is particularly true in transport ticketing. For example, we have found that our work for TfL with a large population and high journey count is not all directly applicable to smaller countries who cannot make such significant investments in infrastructure to serve small populations.

Recently, we have been working for MMRDA in Mumbai, India. While the environment is very different in some respect, compared to the UK, they have large passenger numbers and administer a system that makes extensive use of private transport operators, two factors similar to Transport for the North (TfN).

Sharing knowledge not only helps speed to market of deployments but creates a trusted environment and one with credibility. MMRDA asked Chyp to facilitate meetings for them in the UK with transport operators and suppliers in order that they could learn from those who have done it before or are planning to deliver a similar project. The result was a tour of the UK starting in London and taking in Transport for the North. The picture above shows the meeting which was held in Leeds and included presentations from:

Transport for the North

Alastair Richards (Director Integrated and Smart Travel (IST))
Jo Tansley Thomas (Programme Manager (IST))
John Elliott (ABT Back Office Requirements Team Lead (Consult Hyperion))

MMRDA

Ashish Chandra (PWC India)

Partnerships are hard to form. We hope that MMRDA will benefit from the organisations they met and their sharing in experience planning and deploying ABT in complex environments in the UK, remembering that differences can be as important to learn as similarities.

Paying for Transit

16th October 20177th August 2020by John ElliottLeave a comment

I recently presented at the Transport Card Forum 2017 in Birmingham. The subject I was asked to speak about was “How will we pay for transit in the future”. Knowing how slowly things move in the transport industry, the easy answer would have been, exactly as we pay now.

However, I thought it would be more helpful to assume that the answer is not cash, and to survey the categories of payments available and emerging today and put them into the context of paying for transit.

The direction of travel of the transit ticketing industry is to use Account Based Ticketing (ABT) and so I further assumed that ABT lies at the heart of any solution. Next, the travelling customer has a choice of media used to identify them to their payment mechanism. This is ring 1.

These customer media can be categorised as either open- or closed-loop. Open loop means that they can be used to make payments generally, whereas closed loop means they can only be used within the transit ticketing scheme.

Next comes the ‘authority to travel’ and ‘time of payment’ rings. Either the customer pays for authority in advance (e.g. season ticket) or they pay for it at the time of travel (e.g. pay on a bus or train) or they pay later. ‘Authority to travel’ might take the form of a ticket, but increasingly there will be no tickets issued. These are rings 2 and 3.

Finally, the outer rings (4 and 5) were added to show what kind of account might be used and how these relate to existing models such as those from the UKCA for the use of contactless bank cards in transit.

The UKCA models on the left-hand side have been discussed in previous blogs. Models 1 and 2 are what are being used in the UK building on what was achieved in London on TfL between 2008 and 2014. UK buses are now implementing Model 1 (and some are implementing parts of Model 2). Transport for the North (TfN) is implementing Model 2 for the whole of the North of England. Model 3 seems to have been abandoned as too hard to run in parallel with the other models. Perhaps other technologies will continue to dominate, such as bar code and ITSO smartcard ticketing for Pre-purchased authority to travel on national rail. Perhaps there is no need for a third way?

But what about those unable to use, or who do not wish to use, their own contactless bank cards? The right-hand side shows the equivalent models needed for them. As the figure below shows, there are two options for them, Either:

They fund a pre-paid transit account (a bit like loading value to an Oyster card, but value is loaded to the account instead for ABT. Or …
They allow payment to be taken directly from their payment account outside of the transit scheme. Payment is claimed from an open-loop account such as a payment card, bank account, online wallet (PayPal, Google Wallet, etc.).

The challenge for the latter option is that the transit scheme will struggle to manage the risk since the cannot tell whether the payment account has funds in it to pay for travel. Therefore, the preference at this stage is likely to be for for pre-paid transit accounts. And, therefore, this is what is likely to be chosen by TfN and other places as their solution for those not using bank cards with ABT schemes.

Thanks are due to my colleague, Alex Lithgow Smith, for developing my original idea of the rings showing aspects of payment in transit.

Does it matter if people tap their phones or not?

24th April 2017by Consult HyperionLeave a comment

How are mobile payments getting on in the UK? According to the most recent figures from Transport for London, mobile phones now account for about 8% of their contactless transactions, so clearly there are plenty of people who already use the phone in their hand rather than reach for the card in their pocket. Yet as many commentators have observed, out in the wider world — whether AndroidPay or Tesco PayQiq, PayM or Barclaycard Mobile — mobile payments seem to be facing something of a struggle to become mainstream.

With Consult Hyperion’s annual Tomorrow’s Transactions Forum coming up this week, we asked our good friends at Crescendo to use their array of clever Twitter sentiment analysis tools to give us an up-to-the-minute snapshot of the UK. They found that in conversations about mobile payments (which are dominated by Apple Pay, accounting for almost four-fifths of the conversations) there are roughly twice as many negative conversations as positive ones! Now that might be because people are quick to vent on Twitter when something doesn’t work properly but slower to praise when it does (I’m certainly guilty of this), but if we take the sentiment analysis at face value it seems to show that customers by and large like mobile payments when they work but are frustrated with the experience because it just doesn’t work the way it should and where it should.

There are a variety of reasons for this, ranging from gaps in the training of checkout staff to a failure of education (most people still don’t realise that the £30 limit that applies to contactless cards does not apply to contactless mobile payments so you can use your phone for your weekly shop) and confusion about acceptance (in some shops, for example, you can pay by contact with some cards but not pay with those same cards using mobile contactless).

Now, mobile payments is not all about mobile contactless. It’s about mobile initiated transfer of money from one account (the consumer’s) to another account (the merchant’s). And while we use cards for this now (except in Starbucks where we all use our app), with PSD2 on the horizon and MasterCard’s purchase of VocaLink we can certainly expect to see more direct-to-account credit transfers in the consumer marketplace. So we asked Crescendo to see if there’s any talk around this. They found that right now those conversations are dominated by Barclays PingIt and while the negative comments still outweigh the positive comments it is, rarther interestingly, by a much smaller margin than for mobile contactless. I wonder if this is perhaps a weak signal that mobile payment apps will be more popular than mobile contactless taps?

Does any of this matter? Perhaps the way that mobile payments work now isn’t much of a guide to the way they will work in the future. Maybe tapping on things, whether a card or a phone or a wristband or anything else is all a bit last year? Maybe it doesn’t matter whether people tap phones or cards because in time all payments will be going in-app (or in-browser) and that’s where we should be focusing for the future. The web’s standard body, the World-Wide Web Consortium (W3C), is currently working on a standard for these payments and this will likely hasten the physical and virtual convergence.

You can hear about the status of the standardisation process from the W3C themselves at the 20th annual Consult Hyperion Tomorrow’s Transactions Forum in London this week. Oh, and you’ll hear all about the status of PSD2, the future for mass market payments, financial inclusion, innovative uses of the blockchain, privacy, the Internet of Things, transit payments and much else besides.

At this point I would normally implore you to head over to our web site to score a ticket for this unique event. But there’s no point today because all the tickets have been sold and there are no places left. If you’re one of the lucky few with a delegate place, see you Wednesday.

Dominating the city centres in the next five years

3rd April 2017by Consult Hyperion1 Comment

On 25 January 2017, I moderated a panel discussion at Transport Ticketing Global 2017 entitled “which public transport technology solution will be dominating city centres in the next five years”.

On the morning of the event, I get together with the panellists to consider how the discussion might go. I start to think about my experience of the past as a proxy for the future. Past performance is no guarantee of the future, I know, but my mind races:

In the 1990s, things started to move from paper and plastic tokens to smart card-based solutions. ITSO was born. In 2005, we worked with ITSO and the DfT to assess the suitability of ITSO for a national travel e-purse. We were asked by the DfT to help develop Part 11 of the ITSO specification in order that ITSO could be made more suitable to an online world and not require every reader to contain an ISAM.

In 2005, we worked with DfT to help them understand how their planned new smart ID card and driving licence might be used to modernise life for citizens in the UK. In 2007 we worked with DVLA on their planned pilot of smart driving licences to be issued from their new production plan in Swansea. UK gov decided not to issue any smart driving licences.

In 2008 we worked with DfT to determine the benefits and costs of a national smart ticketing infrastructure. In the same year, we ran a trial of how ITSO tickets could be supported on the primitive NFC phones available at the time. Mobile was going to be the next big thing. Also in the same year, we started working with TfL on how Open Loop ticketing could be deployed across the whole of the London Oyster reader estate.

This was nine years ago. We worked with TfL for seven years on that project, from specification of the readers and revenue inspection devices to designing the end-to-end security.

In 2012, TfL launched Open Loop ticketing on buses. In 2017 (approximately five years later) we are seeing the large bus operators outside of London launching their Open Loop ticketing systems, as well as collaborating with Transport for the North on a multi-modal, multi-operator solution.

I’m back into the room. The panellists and I quickly agree that the answer to the panel discussion questions is, pretty much, that the same technology solutions that are dominating now will be dominating in five years’ time, because of the slow speed at which the industry moves. There is a lot of work going on under the surface, but it takes years to emerge. I am sure that Account-based ticketing is coming next and some of that will be Open Loop. Various operators across the globe are talking to us about this at present.

A final example, last year we conducted a study on beacons for Be-In Be-Out (BIBO) style transit ticketing. Our research showed that the industry has been looking at this since around 1997. There are still very few examples of it being successfully used, and yet it is still regularly cited as one of the next big things.

In April this year, Consult Hyperion is celebrating 20 years of annual Tomorrow’s Transactions conferences. I will be chairing a session on Transit ticketing on the second day about what is coming next. Confirmed speakers include:

Will Judge, MasterCard
Ben Whitaker, Masabi
John Henkel, Transport for the North

Come and hear what they think is coming next. I expect we will have to look beyond five years.

Our live five for 2017

19th December 2016by Consult Hyperion1 Comment

It’s that time of year again. No matter how much I complain that silly lists of what will be big in the New Year are trivial and superficial and not really representative of a more detailed analysis of key trends… I still feel I have to annoy my colleagues at Consult Hyperion into giving me a few ideas so that I can surf the end of year blog wave.

Goodbye 2016

Here we go then. As for the last few years, I’ve put together a “live five” of technology-driven changes in the secure transactions field that will have a real business impact over the coming year. But first, in the spirit of openness and honesty and disclosure that we are known for, I think it’s not right to bother you with this kind of thing without first assessing how we did last time so that you can judge whether to pay any attention to this year’s list or not! So let’s see how our live five for 2016 did:

Amazonisation. We got this one right. The focus on APIs increased through the year and not only for the interfaces to 3rd parties but also as a mechanism for restructuring internal processes and operations.

the more far thinking will be re-engineering their businesses to develop a whole bunch of APIs outside of PSD2 and will be working out the business models behind opening them out to developers and businesses.

From Open Banking APIs: Threat and Opportunity | Consult Hyperion

It’s been really interesting see how the bank (in particular) attitudes to the priority and scope of API strategies has evolved over the year.
Mobile ID and Authentication. Again, largely correct. The European Directive on Strong Customer Authentication (SCA) means that banks and other financial services organisations have had to up their game and make significant investments in improving their authentication methods. For most, this has meant moving to solutions that somehow involve the mobile phone. The impact of the NIST report on 2FA (which said that one-time password sent by text message can no longer be considered a secure authentication method) has yet to be felt, but the shift to more sophisticated and comprehensive mobile identity solutions is underway.

The NIST guideline goes on to talk about using push notifications to applications on smart phones, which is how we think it should be done.

From SMS authentication isn’t security. And that’s official | Consult Hyperion

Of course, this means doing proper risk analysis on the mobile applications to make sure that they have the appropriate levels of security built in, but at Consult Hyperion we’re rather good at doing that, so it’s a sensible way to proceed.
EMV Next Generation. Big for us, but I wouldn’t say it’s touched the mainstream yet. EMV is getting long in the tooth and needs to be refreshed.

We celebrate St. Valentine’s Day on 14th February every year to commemorate the introduction of chip and UK In the UK on 14th February 2006. I am a payments romantic, so this is very special day.

From Ten more years! Ten more years! | Consult Hyperion

The work that we have been involved in, helping clients to assess and shape their strategies towards the future of EMV, continues.
The Push for Push. When I wrote this I couldn’t have imagined just how right I would be. MasterCard spent a billion dollars on VocaLink.

mark my words it was one of the most significant events in the evolution of the UK payments industry since Reg Varney got a tenner out of that first ATM in Enfield half a century ago.

From MasterCard and VocaLink is a big deal | Consult Hyperion

Enough said.
Transparency. Mixed, I would say. I had expected shared ledgers to proceed further in the exploration of new markets and new kinds of markets but actually most of the work that we have been involved with (I mean paid professional services, not academic research) has continued to look at the ways in which this interesting new class of technology could be used to emulate, essentially, existing centralised systems. But I think our analysis, as set out in this paper, stands.

The paper that Richard Brown of R3, my colleague Salome Parulava and I put together what seems like an age ago (a year is a long time in fintech) has finally been published!

From A legacy of transparency | Consult Hyperion

However, in one or two of the projects, the focus did begin to shift to new ways of doing things and we remain of the opinion that more transparent markets will come.

On the whole, not too bad I think. A good enough score, I hope, to make our thoughts about 2017 worth at least a glance.

As you know, I’m all about new technology at the point of sale or service, so I’m going to choose five areas where new technology will make a significant difference to retail financial services – not only payments – over the coming year.

Hello 2017

On to the predictions for the coming year. I’m playing the same game as always here. I don’t want to give away any of the really cool stuff that our teams are working on for clients in business, NGO and government sectors right now, but I do want to make predictions that I already sort-of know will come true because we are already working with the technologies so that I can look clever! I’m sure you all understand how this works. Anyway, here goes…

RegTech. A number of the new technology projects that we have been involved with recently have come to a similar conclusion, which is that the use of new technology to reduce the cost of transactions is a struggle, but the use of the new technology to reduce the cost of regulating the transactions has a much better business case.

2017 will see the emergence of the next generation of innovation in fintech that addresses risk management and regulation for the bank. We expect that regulatory technology, also known as regtech, will emerge as a separate area of innovation…

From 2017 predictions | Business Analytics 3.0

For many of our clients, the costs of regulation are both high and out of control. If the blockchain or cloud or big data or biometrics or whatever can do anything to address the spiralling costs of compliance, they will have significantly more impact on the transaction space than if they could deliver a marginal reduction in transaction costs.
Digital Identity. One of the key regtechs, if not the key regtech, is digital identity. It has finally risen to the top of the agenda and this year it will finally change the way business works. I notice that Karen Webster has come to a similar conclusion in her piece about the major trends for next year.

More than just authenticating a consumer for a particular transaction, creating a secure digital identity will mean capturing a variety of attributes about that consumer that then can be selectively presented as needed.

From 8 Big Shifts In FI, Retail, Payments | PYMNTS.com

Indeed. What’s more, implicit in this prioritisation, is the start of the identity wars as various constituencies struggle to deliver the mass-market identity solutions that we need. In some areas, it may be the government that does this, in other areas it may be the banks. But in some areas, it may be the big five: Facebook, Google, Amazon, Microsoft or Apple. Either way, there are big implications for our clients long-term strategies.
PSD2 (still). One of the immediate needs for digital identity infrastructure is to help with the delivery of PSD2 in Europe. Along with the Secure Customer Authentication directive mentioned above, a practical identity infrastructure is an urgent requirement if the industry is going to make open banking and API access work cost effectively .

European banks and payments companies will spend much of 2017 preparing for the second phase of the EU’s Directive on Payment Services (PSD2).

From Predictions 2017: What financial services executives can expect | ZDNet

Right now this is all a bit of a mess because the “standards” that the industry is waiting for our being delayed and it seems to me that the timescales will be further extended in the New Year. However, she is still possible for banks to develop their strategies around the demands of PSD2 even if the details of the specific standards are not yet known.

Specifications.
Paying on the Go. A key use of open APIs will be payments, and very likely mobile payments. Mobile payments are coming front and centre as a means to authorise access to payment accounts. Not for tap-and-go NFC but for the next generation of retail, transit, utility and other payments across all channels. As everyone has been saying, payments are vanishing inside the mobile phone and whether it is ordering your Starbucks via a voice interface or jumping out of an Uber or shopping at an increasing number of websites, the transaction will complete because of the identification and authentication (I tend to label these “recognition” for short) functionality of the mobile. Since the mobile delivers both convenience and security it seems to me unstoppable in this regard.

Retailers across the board will adopt mobile payment solutions.

From Retail Trends and Predictions 2017 | 12 Retail trends and predictions to watch for

It is natural for retailers to want to manage the shopping experience in order to deliver the best possible service to their customers. As the bumper sticker says, they want to go from check-out to check-in. One of the implications of this shift for our clients is that they will be delivering services to mobile app developers rather than end customers! Testing these mobile apps to make sure that they have the security necessary for the mass market needs specialist skills that Consult Hyperion has and that customers can rely on.
Invisible POS. In many of the markets where we provide professional services and indeed software to the transactions value network, the day when non-cash transactions will no longer be dominated by cards is now within the strategic planning horizon.

No checkout lines. No registers. No self-checkout. No cash, credit or debit.

From How To ‘Shoplift’ Legally With Amazon

I’m not expecting the Amazon Go science fiction model to dominate world retailing any day soon, but the combination of mobile apps, instant payments and alternative payment solutions will combine to see volume shift away from the card dip, swipe or tap. Card payments (by card, by token etc) will continue to grow but as more and more of them vanish inside apps, so the nature of the card industry and the shape of the value networks will shift. And if you this is rose-tinted techno-determinist hype from engineers, have a look at what someone whose business this is think about it:

Amer Sajed, the chief executive of Barclaycard, says it will spell the steady demise of the physical plastic credit card, which his company introduced to the UK 50 years ago. “People will be able to seamlessly shop going between the web, an app or in store,” he says.

From The invisible credit card of the future – BBC News

When customers check in and then check out without plastic in their hands, the point of sale will undergo fundamental change. The competition between payment methods will be subject to new dynamics that are not yet visible or understood. Trying to introduce a new payment scheme to Tesco’s stores is one thing, but introducing a new payment scheme inside the Tesco app (with no changes to the stores, POS or any other infrastructure) is quite another. Our knowledge of both new payment methods and new POS environment help clients to make to informed decisions about their future retail environments.

What does this mean for our clients for the coming year? Given that by and large we work for the incumbents who currently dominate their markets, whether banks or card issuers or acquirers or retailers or government agencies, it’s all about linking these key trends together at a strategic level in order to be able to take advantage of the opportunities offered by the new technologies at the tactical level, working with new players where necessary, to stay on top.

My feeling is that these strategic trends will interact to cause some pretty interesting changes in our markets across the coming year, driven above all by the absolute necessity to restore sanity to the cost-benefit calculations around compliance. It will be regulatory pressures, not technology drivers, that shape most decisions in the next few months but we understand how to make effective use of new technology in responding to those pressures so that’s all good. Here’s to another great year in the world of secure electronic transactions!