iso 14443 interoperability in transit - ul new science · iso 14443 interoperability in transit -...
TRANSCRIPT
White paper - ISO 14443 interoperability in transit
The contactless interface of existing validation and sales terminals is one of the most used
means for public transport authorities and operators to interact with their customers.
The majority of these contactless interfaces are implemented along the lines of the ISO
14443 international standard. As long as only one specific type of contactless cards is used,
the interface is usually fast, reliable and convenient. However, UL has observed major
interoperability issues as soon as another contactless card is introduced. Examples of the
issues are devices not even able to detect the new card, a substantial decrease in the fault
tolerance or an unacceptable increase in transaction time.
These interoperability issues occur already
as soon as a different card supplier is
contracted for the same kind of contactless
card. In the situation where a new, next
generation card type is introduced claiming
to support the ISO 14443 interface, the
issues are only bigger.
This paper explores these interoperabil-
ity issues, searches for a root-cause, and
proposes a solution. It provides an analysis
of the benefits and the challenges of the
solution, as well as a migration scenario.
Out of the current scope are other aspects
to prepare the infrastructure for next
generation fare management like an always
online connection and enhanced terminal
management. Also, this whitepaper does
not discuss the use of the EMV application
protocol in transit (neither branded by
the major payment networks, nor transit
branded).
This paper primarily targets public
transport authorities and operators with an
existing fare management system.
Contactless interoperability issues
ISO 14443 compliance
Communication between a passive
card and a terminal over the contactless
interface is possible via electromagnetic
induction. The contactless interface
specified by ISO 14443 requires a 13,56
MHz electromagnetic field. The typical
distance between the card and the
terminal is up to ten centimeters.
The ISO 14443 gives suppliers a lot of
freedom to implement it. The large
amount of options present in the ISO
14443 specification displays this freedom.
Examples of options are:
• Type A or Type B technology
• The operating volume
• The polling sequence
• The bit rate
• Waiting time extension
• Antenna sizes
ISO 14443 interoperability in transit - standardizing the contactless interface
page 2
Due this freedom an ISO 14443 compliant
terminal is not always able to interact with
an ISO 14443 compliant card.
Compliance to the ISO 14443 standard
requires two elements:
• A test case specification with a good
coverage of the underlying technical
specification
• A certification authority that verifies
compliance of actual implementations
using the test suite. The certification
authority issues letters of approval to
compliant implementations.
The ISO 14443 functionality is properly
covered by the test cases as specified
in ISO 10373-6. However, by definition
the test case specification cannot be
more restrictive than the base technical
specification. Hence, also ISO 10373-6
gives suppliers lot of freedom to
implement.
Currently, there is no ISO 14443
certification authority. Hence there is no
monitoring and control over suppliers
claiming ISO 14443 compliance. There
is no check if the ISO 10373-6 test
suite is really executed against the
implementation. No letter of approval
is issued for implementations proven
compliant to ISO 14443.
The result of the above is:
• A large number of contactless terminals
and cards are not even ISO 14443
compliant
• Quite a few interoperability issues in the
interaction between contactless terminals
and cards.
• Many transit schemes are not able to
switch from one card supplier to another
(Solving the resulting interoperability
issues is expensive and time consuming.)
• Most of the NFC handsets are proven
compliant against the more strict NFC
Forum and EMV Contactless Level 1
specifications. However, the existing ‘ISO
14443 compliant’ transit terminals will
have many interoperability issues causing
severe hurdles to implement Mobile
Ticketing.
Examples of interoperability issues
The issues that we have observed on
different fare management systems are:
• A 50% varying operating distance for
terminals of a single type and from a
single supplier.
• Terminals with a too weak or too strong
RF field.
• Contactless protocol tuned towards one
specific card type.
• A sharp increase of the communication
retries when replacing a memory card
with a generic miscroprocessor card.
Certify against EMV Contactless Level 1
Contactless card payments as issued by
the major payment brands would face the
same interoperability issues. However,
these issues would severally damage the
brand promise. Cardholders of contactless
payment cards expect that they can pay
with their card anywhere in the world as
soon as the payment terminal carries the
logo of the payment scheme. Together the
major payment brands have addressed
this issue in EMVCo.
For card payments EMVCo have specified
both the physical and functional aspects
of a contact and a contactless payment
transaction. For contactless the current
specifications are EMV version 2.3 Book A,
B, C, and D.
EMV Contactless Book A specifies the
architecture of a contactless Point of
Sales terminal. Book B and C specify the
functional layer of a payment transaction.
Book D [1] of the contactless specification
specifies the contactless communication
protocol, the physical layer, of a payment
transaction. Book D is tightly coupled to
the ISO 14443 specifications. A number
of options present in ISO 14443 are set in
Book D.
In order to achieve interoperability on
the contactless interface in payment,
EMVCo have specified EMV Contactless
Level 1 (EMV CL L1) tests to verify
implementations of EMV CL Book D in
the terminal or in the card. The EMV CL
L1 tests are categorized in analog [2] and
digital tests [3]. EMVCo have established a
full test & certification procedure with a
number of worldwide accredited test labs.
These procedures are very well defined
and quite strict.
page 3
White paper - ISO 14443 interoperability in transit
page 4
White paper - ISO 14443 interoperability in transit
Thanks to the abovementioned efforts, the contactless interface in payment is globally
interoperable. A growing number of people benefit from the fact that contactless cards
issued by a specific bank in a specific country are accepted by contactless payment
terminals from another bank in another country. In addition most NFC handsets are
certified against the EMV CL L1 specification and benefit from the global interoperability
in payment.
As a result of this approach where a rigid certification scheme is imposed on payment
terminals, EMVCo currently offers a large platform that could be regarded as a de-facto
standard for contactless compliance. UL would strongly advise the transit industry
to mandate EMV CL L1 for the contactless devices (both terminals and cards) used in
transit schemes. This way, transit can achieve global interoperability on its contactless
interface.
Note that EMV CL L1 could be mandated without requiring an implementation of the
EMV contactless application in both the terminal and the card (which would require
EMV compliancy beyond Contactless Level 1). Open loop payment in transit is a rather
different story that is not explored in this whitepaper. UL recommends implementing
the EMV CL L1 part irrespective of any further considerations on open loop payments.
Rationale
Commercial benefits
Bigger market, lower prices
Adopting the de-facto market standard makes it interesting for suppliers to offer their
already EMV compliant devices for use in the transit scheme. This becomes especially
interesting in an account-based setup in which much of the transit-specific complex
logic is moved from the front-end equipment to the back-end. In an account based setup
with front-end equipment that complies to the EMV market standard, it becomes easier
for suppliers of front-end equipment to enter the transit market.
Future migrations become less painful (strategic advantage)
As soon as, on the lower communication level (i.e. EMV CL L1), interoperability has been
achieved, future migrations involving changes on the higher communication levels are
easier. Having established a common base layer, it becomes easier to absorb future
changes affecting only the higher communication layers. Also, stand-in replacements for
the contactless transit card (e.g. one supplied by a different supplier) can be introduced
more easily as such modern cards are very likely to have been designed in conformance
with the EMV Contactless specifications.
Once the transit infrastructure has been
made compliant with EMV CL L1, it
becomes possible to go one step further
and also make the transit infrastructure
suitable for EMV application acceptance.
The transit infrastructure would then be
able to accept bank-issued (open loop)
EMV Contactless cards as a means to pay
for transit. Also the transit scheme could
configure the EMV Contactless application
on a Transit branded card to use it for
account based ticketing. As an alternative
to a contactless card, the EMV Contactless
application could also be hosted on an
NFC enabled mobile device. This would
enable the following additional benefits.
No barriers for (occasional) travellers
Occasional travellers don’t have to go
through a difficult enrolment process;
they just need to bring their own payment
means (either a contactless bank card or
an NFC enabled mobile device).
Reduction of card issuance costs
Each traveller that uses its own means
of payment (EMV card or NFC device) no
longer needs to be issued a transit specific
means of payment. This lowers the
operational cost of issuing transit cards to
travellers (both occasional and frequent
Better service and real-time information to
the traveller
An NFC enabled device allows the existing
transit contactless card to be emulated
on the NFC device. As these devices have
a rich user interface; the traveller can be
provided with real-time travel information
based on information stored on the device
and possibly enriched with information
retrieved form the transit back-office
(through the device’s internet connection).
This improves the traveller’s experience
and simplifies delivery of services to the
traveller (e.g. instant top-up and instant
delivery of travel products such as a
subscription).
Technical benefits
EMV offers the only contactless certification
scheme
The contactless communication between,
typically, a contactless card and a
contactless terminal (e.g. transit front-end
equipment) is standardised in the ISO
14443 set of standards. To guarantee
interoperability (i.e. one device to
successfully interact with another device)
it is not sufficient when compliance to
the standard is merely claimed by the
suppliers. Compliance to the standard
needs to be independently verified in
order that each and every compliant
device can seamlessly interoperate with
any other compliant device.
In addition to the standard itself,
usually a test specification is defined
that determines how compliancy is
to be verified. For the ISO 14443 set
of standards, the corresponding test
specification is the ISO 10373-6 set of
standards. Having the test specification
is still only a starting point. There must
further be accredited testing labs that test
implementations against the standard
using the test specifications. Based on
the findings of the accredited labs, the
accreditor can then issue a certificate of
compliance.
Although there is a test specification
(ISO 10373-6) for the ISO 14443 set
of standards, there is no established
certification scheme. Contrarily, EMV
offers all of the following:
1. A standard that provides further
details to ISO 14443, or chooses between
options left open by the ISO 14443 set
of standards. For example, the required
minimum field strength offered by the
contactless front-end device (terminal) is
specified in much more detail by EMV than
the general requirement of ISO 14443.
2. A test specification to test the
compliancy of implementations against
the EMV standard.
3. A certification scheme including a
number of accredited test laboratories
Therefore, de facto, EMV offers the only
certification scheme available to date for
future proof contactless implementations
of ISO 14443.
EMV compliancy brings NFC compliancy
NFC enabled devices (handsets) are also
being certified against the EMV standard.
Therefore, if the transit infrastructure is
certified against the EMV standard, future
interoperability with NFC enabled devices
is assured.
page 5
White paper - ISO 14443 interoperability in transit
page 6
White paper - ISO 14443 interoperability in transit
Assessment
When adopting the EMV CL L1 standard and the EMV CL L1 certification scheme in
a transit context, any potential disadvantage should be assessed, in addition to the
benefits identified in section 4. Transit has some characteristics that distinguish it from
payment. As EMV is intended for payment, there may be some aspects that make it
less suitable for transit. This chapter lists the most mentioned aspects and gives an
aggregated response from the major payment brands.
Q: Bit rate: the EMV CL L1 specification limits the communication speed between a
contactless terminal and a card to 106 kbit/sec. No exception is made for non-payment
transactions.
A: Studies show that the actual improvement in transaction time due to higher bit rates
is marginal. Higher communication speed introduces more transmission errors. Just a
single retry in the dialogue removes almost all the benefits of the higher rate. Despite
these studies allowance of a higher bit rate is an item for consideration within EMVCo.
Q: Polling sequence: EMV CL L1 requires the polling sequence over all the configured
technologies to complete before any further processing is allowed over the technology
that where a positive response is received.
A: Indeed the terminal shall poll for the presence of a card on both Type A and Type B
and any configured ‘proprietary technology’. However, the improved interoperability
outweighs any impact of this on the total transaction time.
Q: Antenna Configurations: in transit a wide variety of terminals is used. Would EMV CL
L1 allow this?
A: During EMV CL L1 certification every terminal will be certified on its own. The EMV
CL L1 specifications are not prescriptive about antenna sizes or geometry; the primary
requirement is interoperability; and whatever the geometry, provided it produces an
interoperable solution, is fine. For hand held terminals deviations from EMV CL L1 are
accepted by the major payment brands.
Q: Collision Detection / Card Clash: how does EMV CL L1 enable the terminals to detect
that multiple contactless cards are present in its RF field?
A: The ISO 14443 specified collision detection is present in the EMV CL L1 specifications
as well. However, it is not guaranteed that all contactless cards/devices are powered up
at the same time. Dependent on the field strength, a memory card might be faster then
a generic microprocessor card. If the ‘discovery time’ is shorter than the power up time
for the microprocessor card, the terminal would not detect a collision. The resolution
of the collision is not addressed in EMV CL L1. The major payment brands advocate
travellers to present the card they want to use.
page 7
White paper - ISO 14443 interoperability in transit
To conclude all the above listed technical
issues might lead to the same business
issue: the total transaction time and
the passenger throughput. The major
payment brands require however a
total transaction time below 500 msec.
The current reality for the London bus
is that 95% of the contactless payment
transactions are below 500 msec. Hence,
EMV CL L1 combined with EMV level 2 and
3 is fit for the ticketing purpose.
Migration plan
The migration towards an EMV CL L1
compliant infrastructure requires a careful
approach. The following aspects are
relevant for the migration:
• Nature of the required change: either
a software update or a replacement of
the reader module is needed to make the
existing terminals compliant with EMV CL
L1.
• Remote upgradeability: if a software
update is sufficient, the migration
depends on the presence of a remote
upgradeability interface between the
back-end and the terminals. Note that
in specific cases of drivers/controllers in
the firmware an update might only be
possible via a replacement and cannot be
done remotely.
• Age of the terminals: if a hardware
update is required, the migration differs
for terminals at the beginning or at the
end of their economic life (typically 15
years).
In general UL advises fare management
scheme owners to start the migration
with specifying the ISO 14443 options
like the operating volume in accordance
with EMV CL L1. In addition, the existing
certification shall be augmented with
the verification on these options and
registering the actual reader module
version of the certified terminals.
UL recommends this for at least all
new terminals (sales, validation and
inspection).
UL advises individual participants in a
fare management scheme to purchase
fully EMV CL L1 compliant terminals when
replacing end of life terminals. Currently
more than five well-known suppliers have
EMV CL L1 certified terminals in their
portfolio. If the new terminals support
the EMV payment application (kernel)
and the Visa/MasterCard brands as
well, these transit operators can accept
EMV contactless payment cards for fare
management. Note that during this
gradual migration the ‘one card for all
public transport’ principle is degraded, as
the EMV contactless payment cards will
not be accepted at devices that have not
yet been upgraded.
Migrating front-end equipment towards
EMV CL L1 before their end of life is very
costly. UL advises in this case to consider
the high level transit objectives that the
fare management seeks to achieve. Cost
savings or additional revenue caused by
additional system changes enabled by the
migration towards EMV CL L1 might create
a positive business case.
In addition to the EMV CL L1 compliant
contactless interfaces, UL advises the fare
management scheme owners to require
a maximum time for the fare payment
transaction of 500 milliseconds. Based on
actual measurements UL is convinced that
this performance can be achieved via an
efficient card-terminal dialogue. Both the
number of command-response pairs and
the size of the dialogue shall be reduced
as much as possible. The transmission
time element could be reduced when the
communication speed is increased (from
bit rate 106 kbit/sec to e.g. 424 kbit/sec).
Finally, transit schemes with the vision
to do cloud based ticketing [4] should
consider additional changes to the existing
infrastructure:
• Connect their terminals to the back-end
with a fast and always online link.
• Reserve memory space in their terminals
to host other ID/payment applications
• Establish remote terminal management
UL will address these additional changes in
a separate whitepaper.
page 8
White paper - ISO 14443 interoperability in transit
Conclusion
Conformance to a strict specification of the contactless interface in transit is the only way to achieve interoperability. Especially
the acceptance side of the interface (electronic gates, validators, inspection devices etc.) shall comply. Only then transit cards from
different suppliers and/or mobile handsets can be accepted. EMV CL L1 is currently the only full test and certification process that
offers this. Therefore UL recommends transit schemes to mandate EMV CL L1 for any new device from now on. In addition the transit
schemes should upgrade the existing devices in a phased approach.
References
Ref. Title Author Status Version Date
[1] EMV Contactless Book D Contactless Communication
Protocol
EMVCo Final 2.3.1 November 2013
[2] EMVCo Type Approval Contactless Terminal Level1 -
PCD_L1_Analogue Test Bench Test Case Requirements
EMVCo Final 2.3.1 November 2013
[3] EMVCo Type Approval Contactless Terminal Level1 –
PCD Digital Test Bench & Test Cases
EMVCo Final 2.3.1 November 2013
[4] Cloud Based Ticketing – Next generation fare collection G.R. Boogaard Final 1.0 November 2013