Introduction to ITSO April 2015


Introduction to ITSO  ITSO is an open Specification which belongs to the Crown. ITSO Limited is the guardian of this Specification  All transport providers can use the same, open, Specification so that their ticketing systems speak the same language - interoperable  In theory, you could use just one smart card as an ‘electronic wallet’ for tickets for your end-to-end journey.  Member transport operators and transport authorities are licensed to use ITSO to enable smart ticketing for concessionary and commercial travel.  The smartcard might be called Pop, StagecoachSmart, Swift or ‘the key’, but the Specification behind it is ITSO.

What does ITSO Limited do?
- Provides the ITSO Security Management Service (ISMS) – the ‘keeper of the keys’
- Tests and certifies equipment to ensure it complies with the Specification
- Supports and advises members and suppliers on setting up ITSO-compliant smart ticketing schemes
- Liaises with members, government and the industry – both in the UK and Europe – to ensure the Specification is fit for purpose and future-proofed

The ITSO Ltd team

Timelines  1995 – First EMV standard for bank cards [Non-ITSO]  December 1998 – First pre-ITSO meeting  January 2000 – Version 1.0 of ITSO Specification  2002 – Cheshire Travelcard introduced  2003 limited [non-ITSO] Oyster use after 10 years in development  February 2010 – Version of ITSO Specification  December 2010 – ITSO Part 11 Remote Download  December 2012 – EMV introduced on London buses

Where is ITSO now?
- At the heart of concessionary travel in England, Scotland and Wales (42,000 buses, of which 9,000 are in London)
- At the heart of many commercial ticketing schemes on-bus, train, tram, ferry, hovercraft and even steam trains.
- Big Five multi-operator smart ticketing will be ITSO-compliant
- Specified for most current and all future national rail franchises – SEFT and STN
- ITSO chairs the Smart Ticketing Alliance in Europe which is pushing transport ticketing interoperability
- One size does not fit all - ITSO works alongside other technologies, such as EMV, but also cash

Who are ITSO’s Members?

Some of the ITSO schemes around the UK
- c2c Smart on rail
- Cheshire Travelcard
- Citycard – Nottingham
- Iff - Cardiff
- MCard - West Yorkshire
- mygetmethere – Manchester
- Oxford SmartZone
- Passport – Newport
- Pop card - Tyne and Wear
- SimplyGo - Reading
- SolentGo – South Hampshire
- StagecoachSmart including rail
- Swift – West Midlands
- the key card – Go-Ahead including rail
- Touch Card – First Bus in Bristol
- TravelMaster - South Yorkshire
- Walrus - Merseyside

Some numbers …
- 8.3 billion passenger journeys on public transport in UK in 2013/14 - DfT
- 1.1 billion rail journeys, nearly 70% on SEFT operators
- 9.7 million ENCTS passholders in England alone making more than 1 billion trips a year – mostly smart
- We don’t get stats from all of our members but here are a few:
  - Stagecoach: More than 240 million smart transactions a year on ITSO based systems – StagecoachSmart (including concessionary travel)
  - Go-Ahead: 43.8 million ‘the key’ transactions a year (not including concessionary travel)
  - ACT: 1.25 billion digital transactions a year through their HOPS – most of these are ITSO-based ticketing transactions

ISMS activity
As of end January 2015:
- Around 80 different HOPS processing ITSO transactions in the UK
- 87.2k active ISAMs
- 1.2k Active products / IPEs (inc 341 concessionary and companion products)
- 381 Active CMDs

Certification
As of 13 March 2015, the following number of products have valid ITSO Certificates:
- Customer Media: 40
- POSTs: 86
- PersoPOST: 30
- Remote POST: 8
- HOPS: 13

ITSO scheme components - terminology
- CM: Customer Media (deliberately not just a smartcard)
- ITSO Shell: The ITSO “wallet” on a CM
- CMD: Customer Media Definition (defining a type of CM)
- IPE: ITSO Product Entity (deliberately not just a ticket)
- POST: Point Of Service Terminal
- Perso-POST: Personalisation POST (can add a Shell to a CM)
- ISAM: ITSO Secure Application Module
- HSAM: HOPS ISAM
- ISMS: ITSO Security Management Service
- HOPS: Host Operator or Processing System
NB: A dictionary is available at

ITSO Specification - History
- The ITSO Specification is an open Specification which belongs to the Crown
- ITSO Ltd maintains and publishes the Specification under licence from the Department for Transport (DfT)
- The Specification has now been in existence for 15 years, undergoing 7 revisions and the addition of Remote POST functionality:

ITSO Specification - Components
- The ITSO Specification is officially entitled ITSO TS 1000
- Split into 12 component parts:
  - Part 0: “Concept & Context” - Gives a general overview of the Specification
  - Part 1: “General reference” - Contains definitions of ITSO terms, data types, location types
  - Part 2: “Customer media data structure” - Defines the ITSO Shell and data storage within
  - Part 3: “Terminals” - Defines the requirements for a POST in the ITSO environment

ITSO Specification – Components (continued)
  - Part 4: “HOPS” - Defines the requirements for a HOPS in the ITSO environment
  - Part 5: “Customer media data record definitions” - Defines IPEs and their structures
  - Part 6: “Message data” - Defines the ITSO message types, elements & data structures
  - Part 7: “ITSO Security Subsystem” - Defines the security system in the ITSO environment
  - Part 8: “ITSO Secure Application Module detailed operation” - Details the commands for use with ISAMs/HSAMs and their behaviour, as well as ISAM file contents

ITSO Specification – Components (continued)
  - Part 9: “Communications” - Defines data transmission formats, lossless data transfer, VPN requirements, general communications in the ITSO environment
  - Part 10: “Customer media definitions” - Defines all CM structures and commands
  - Part 11: “Remote POST” - Defines the requirements for a Remote POST in the ITSO environment
Quite a complex set of documents, with a lot of cross-referencing required.
All (except Part 8) freely available on the ITSO website at:

ITSO Specification – Supplemental information
In addition to the formal Specification, there are various types of supplemental documents:
- Developer Guidance - Guidance on various subjects to assist suppliers in developing to the Specification
- Temporary Reference Guide - Documents the message structures to/from the ISMS
- Frequently Asked Questions (FAQs) - Generally taken from Technical Support questions
- Operational Guidance - Coming soon - a new type of document giving more operational, rather than technical, guidance
All available in the members/registered suppliers areas of the ITSO website

ITSO Specification - Current version
- ITSO currently supports version of the ITSO Specification and tests products against that specification – however some products still have certificates for previous versions
- New functionality (LOG1 usage, new IPE/message formats, etc.) introduced in later Specification versions isn’t compatible with previous versions, so consideration needs to be given to equipment levels in a scheme.
- The large degree of flexibility allowed by the Specification can cause problems, but there seems to be an appetite to change this.
- The Specification isn’t perfect, but we’re working on it (there’s a lot to do!).

ITSO Specification – How to make changes
In brief:
- Suggestions for changes to the Specification can be made by any ITSO member (NB: for the supplier sector, the requester must be a supplier member, not a registered supplier)
- The suggestion is made to the ITSO Technical Committee, where the suggestion is reviewed for its technical and operational merits. If the suggestion is approved, it is written into a Technical Note, which requires membership consultation before being ratified by the ITSO Board and the DfT.
- Can be a long, complex process!

ITSO Specification – the future
- There is a need for a Specification refresh to incorporate new technologies, encryption methods and corrections to identified issues (pending Technical Notes).
- Need for widespread adoption of latest Specification versions to assist in interoperability
- However, scheme owners are understandably wary that new versions might involve costs in upgrading their systems
- ISAM H3 is in development, will give us the ability to support AES
- Mobile world – a project is underway to investigate the feasibility of using Host Card Emulation (HCE) on smartphones. This is where a smartphone could be used for downloading & storing ITSO ticketing products.

ITSO Security fundamentals
- The ITSO system is highly secure, and our goal is to maintain the high level of security
- Regular ITSO Security Committee meetings chaired by independent security and cryptology expert Fred Piper, Royal Holloway University London
- The security is subject to regular independent assessment and evaluation, including regular penetration testing

ITSO Security fundamentals
- The scheme is largely based on symmetric security, for which Triple DES is used
- Asymmetric security is largely used as a means of protecting symmetric keys in transport
- Transactional data needs to be protected from change and so such details are sealed (with a MAC) using Triple DES
- In addition to the messaging security ITSO also uses SSL/TLS to protect the HOPS-HOPS traffic
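
An added illustration of sealing a transaction record with a Triple DES MAC and detecting a change to it, as the slide above describes; it is not ITSO code and not ITSO's actual algorithm. The CBC-MAC construction, the padding method, the key and the record layout are all assumptions chosen for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Constructed sample values, not real ITSO keys or record formats.
var (
	sampleKey    = []byte("0123456789abcdefghijklmn") // 24-byte Triple DES key
	sampleRecord = []byte("product=day-ticket;fare=250;stop=0042")
)

// seal computes an 8-byte Triple DES CBC-MAC over record. The record is
// zero-padded to the block size and prefixed with a block holding its bit
// length (ISO/IEC 9797-1 padding method 3), which guards against the
// extension forgery that plain CBC-MAC allows on variable-length input.
func seal(key, record []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // rejects keys that are not 24 bytes
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize() // 8 bytes for DES
	msg := make([]byte, bs, 2*bs+len(record))
	binary.BigEndian.PutUint64(msg, uint64(len(record))*8)
	msg = append(msg, record...)
	for len(msg)%bs != 0 {
		msg = append(msg, 0)
	}
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, make([]byte, bs)).CryptBlocks(out, msg)
	return out[len(out)-bs:], nil // the last ciphertext block is the seal
}

// verify recomputes the seal and compares it in constant time.
func verify(key, record, mac []byte) bool {
	want, err := seal(key, record)
	return err == nil && subtle.ConstantTimeCompare(want, mac) == 1
}

func main() {
	mac, err := seal(sampleKey, sampleRecord)
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), sampleRecord...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the record
	fmt.Printf("seal=%x original=%v tampered=%v\n", mac,
		verify(sampleKey, sampleRecord, mac), verify(sampleKey, tampered, mac))
}
```

The seal is only 64 bits wide because Triple DES has a 64-bit block, which is one reason the AES support mentioned for ISAM H3 matters.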

Testing & Certification
- Provided for different devices types: CMD; POST; PersoPOST; Remote POSTs and HOPS
- POSTs can be certified according to categories defined by their usage and the sectors in which they operate
- HOPS are subdivided into Collection & Forwarding, Shell Accounting, Product Accounting and Asset Management Services functions (although now all HOPS provide for all such functions)

Certificates
- Suppliers must be a Registered Supplier or Supplier Member to have devices tested and certified
- Licensed members (operators) also have an obligation to ensure that they use only devices tested and certified by ITSO
- ITSO certificates last for seven years from issue, after which the device must either be re-presented for re-certification under the latest Specification version or withdrawn from use
- All devices certified under ITSO Specifications 2.1 and have already expired, and devices certified under will expire mostly this year, with a few in 2016

ITSO Test tools
- ITSO Test tools are provided by Clear2Pay, and use Micropross hardware
- ITSO test tools are available for any ITSO member to purchase (under licence)
- ITSO also provides some basic tools (ISAM Reader tool and Card Checker tool) for members, which are distributed free of charge but require a contact/contactless card reader

Interoperability testing
- Definition according to IEEE 90: “The ability of two or more systems or components to exchange information and to use the information that has been exchanged.”
- A copy of all devices tested must be lodged with ITSO for inclusion within the ITSO Interoperability Warehouse
- ITSO certifies a Product’s Compliance with the ITSO Specification and validates its Interoperability with other products through their interfaces
- A device is compliant with the standard as determined by a series of tests, and is then shown to be interoperable with other devices that meet the same standard

Our Interoperability Warehouse in Milton Keynes – we test for compliance with Specification, but not with business rules and configuration

Benchmark testing
- Benchmark Transaction Time Testing is required to evaluate the speed of media and Products in the field
- Transportation demands fast transaction times and the Benchmark Transaction Time Tests are designed to replicate likely scenarios of simple and complex transactions for each type of Media and POST
- Benchmark Testing is not carried out on Personalisation POSTs, Remote POSTs and HOPS.

Testing & Certification - Process
- Supplier submits details of device to be tested
- Scope of tests based on device type and functionality
- Supplier representation encouraged through testing sessions
- ITSO test scripts made available to suppliers
- Self testing by suppliers encouraged prior to testing commencement at ITSO

Smart Media

How to join the ITSO community
You can become:
- An ITSO Member – full ITSO membership means helping determine the Specification and the working of ITSO Limited through consultation and voting rights
- An ITSO Licensed Operator – as above but also with the ability to run ITSO-certified smart ticketing schemes
- An ITSO Registered Supplier – can be a member or not. You will have had your smart ticketing equipment tested and certified by ITSO as being compliant with the ITSO Specification
- Contact Relationship Manager Kim Clarke on

ITSO fees and prices – see full schedule

How to contact ITSO Kim Clarke Relationship Manager ITSO Limited Deltic Avenue Milton Keynes MK13 8LW Tel: Fax: Website: