Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to ITSO April 2015. Introduction to ITSO  ITSO is an open Specification which belongs to the Crown. ITSO Limited is the guardian of this.

Published byRhoda Barker Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to ITSO April 2015. Introduction to ITSO  ITSO is an open Specification which belongs to the Crown. ITSO Limited is the guardian of this."— Presentation transcript:

1 Introduction to ITSO April 2015

2 Introduction to ITSO  ITSO is an open Specification which belongs to the Crown. ITSO Limited is the guardian of this Specification  All transport providers can use the same, open, Specification so that their ticketing systems speak the same language - interoperable  In theory, you could use just one smart card as an ‘electronic wallet’ for tickets for your end-to-end journey.  Member transport operators and transport authorities are licensed to use ITSO to enable smart ticketing for concessionary and commercial travel.  The smartcard might be called Pop, StagecoachSmart, Swift or ‘the key’, but the Specification behind it is ITSO.

3 What does ITSO Limited do?  Provides the ITSO Security Management Service (ISMS) – the ‘keeper of the keys’  Tests and certifies equipment to ensure it complies with the Specification  Supports and advises members and suppliers on setting up ITSO-compliant smart ticketing schemes  Liaises with members, government and the industry – both in the UK and Europe – to ensure the Specification is fit for purpose and future-proofed

4 The ITSO Ltd team

5 Timelines  1995 – First EMV standard for bank cards [Non-ITSO]  December 1998 – First pre-ITSO meeting  January 2000 – Version 1.0 of ITSO Specification  2002 – Cheshire Travelcard introduced  2003 limited [non-ITSO] Oyster use after 10 years in development  February 2010 – Version 2.1.4 of ITSO Specification  December 2010 – ITSO Part 11 Remote Download  December 2012 – EMV introduced on London buses

6 Where is ITSO now?  At the heart of concessionary travel in England, Scotland and Wales (42,000 buses, of which 9,000 are in London)  At the heart of many commercial ticketing schemes on-bus, train, tram, ferry, hovercraft and even steam trains.  Big Five multi-operator smart ticketing will be ITSO- compliant  Specified for most current and all future national rail franchises – SEFT and STN  ITSO chairs the Smart Ticketing Alliance in Europe which is pushing transport ticketing interoperability  One size does not fit all - ITSO works alongside other technologies, such as EMV, but also cash

7 Who are ITSO’s Members?

8  c2c Smart on rail  Cheshire Travelcard  Citycard – Nottingham  Iff - Cardiff  MCard - West Yorkshire  mygetmethere – Manchester  Oxford SmartZone  Passport – Newport  Pop card - Tyne and Wear  SimplyGo - Reading  SolentGo – South Hampshire  StagecoachSmart including rail  Swift – West Midlands  the key card – Go-Ahead including rail  Touch Card – First Bus in Bristol  TravelMaster - South Yorkshire  Walrus - Merseyside Some of the ITSO schemes around the UK

9 Some numbers …  8.3 billion passenger journeys on public transport in UK in 2013/14 - DfTDfT  1.1 billion rail journeys, nearly 70% on SEFT operators  9.7 million ENCTS passholders in England alone making more than 1 billion trips a year – mostly smart  We don’t get stats from all of our members but here are a few:  Stagecoach: More than 240 million smart transactions a year on ITSO based systems – StagecoachSmart (including concessionary travel) Stagecoach  Go-Ahead: 43.8 million ‘the key’ transactions a year (not including concessionary travel) Go-Ahead  ACT: 1.25 billion digital transactions a year through their HOPS – most of these are ITSO-based ticketing transactio ns ACT

10 ISMS activity As of end January 2015:  Around 80 different HOPS processing ITSO transactions in the UK  87.2k active ISAMs  1.2k Active products / IPEs (inc 341 concessionary and companion products)  381 Active CMDs

11 Certification As of 13 March 2015, the following number of products have valid ITSO Certificates:  Customer Media: 40  POSTs: 86  PersoPOST: 30  Remote POST: 8  HOPS: 13

12 ITSO scheme components - terminology  CMCustomer Media (deliberately not just a smartcard)  ITSO ShellThe ITSO “wallet” on a CM  CMDCustomer Media Definition (defining a type of CM)  IPEITSO Product Entity (deliberately not just a ticket)  POSTPoint Of Service Terminal  Perso-POSTPersonalistion POST (can add a Shell to a CM)  ISAMITSO Secure Application Module  HSAMHOPS ISAM  ISMSITSO Security Management Service  HOPSHost Operator or Processing System NB: A dictionary is available at http://www.itso.org.uk/about-us/what-itso-does/itso-dictionary

13

14 ITSO Specification - History  The ITSO Specification is an open Specification which belongs to the Crown  ITSO Ltd maintains and publishes the Specification under licence from the Department for Transport (DfT)  The Specification has now been in existence for 15 years, undergoing 7 revisions and the addition of Remote POST functionality:

15 ITSO Specification - Components  The ITSO Specification is officially entitled ITSO TS 1000  Split into 12 component parts:  Part 0: “Concept & Context” Gives a general overview of the Specification  Part 1: “General reference” Contains definitions of ITSO terms, data types, location types  Part 2: “Customer media data structure” Defines the ITSO Shell and data storage within  Part 3: “Terminals” Defines the requirements for a POST in the ITSO environment

16 ITSO Specification – Components (continued)  Part 4: “HOPS” Defines the requirements for a HOPS in the ITSO environment  Part 5: “Customer media data record definitions” Defines IPEs and their structures  Part 6: “Message data” Defines the ITSO message types, elements & data structures  Part 7: “ITSO Security Subsystem” Defines the security system in the ITSO environment  Part 8: “ITSO Secure Application Module detailed operation” Details the commands for use with ISAMs/HSAMs and their behaviour, as well as ISAM file contents

17 ITSO Specification – Components (continued)  Part 9: “Communications” Defines data transmission formats, lossless data transfer, VPN requirements, general communications in the ITSO environment  Part 10: “Customer media definitions” Defines all CM structures and commands  Part 11: “Remote POST” Defines the requirements for a Remote POST in the ITSO environment Quite a complex set of documents, with a lot of cross-referencing required. All (except Part 8) freely available on the ITSO website at: http://www.itso.org.uk/the-specification/specification-resources/publicly-available-specification

18 ITSO Specification – Supplemental information In addition to the formal Specification, there are various types of supplemental documents:  Developer Guidance Guidance on various subjects to assist suppliers in developing to the Specification  Temporary Reference Guide Documents the message structures to/from the ISMS  Frequently Asked Questions (FAQs) Generally taken from Technical Support questions  Operational Guidance Coming soon - a new type of document giving more operational, rather than technical, guidance All available in the members/registered suppliers areas of the ITSO website

19 ITSO Specification - Current version  ITSO currently supports version 2.1.4 of the ITSO Specification and test products against that specification – however some products still have certificates for previous versions  New functionality (LOG1 usage, new IPE/message formats, etc.) introduced in later Specification versions isn’t compatible with previous versions, so consideration needs to be given to equipment levels in a scheme.  The large degree of flexibility allowed by the Specification can cause problems, but there seems to be an appetite to change this.  The Specification isn’t perfect, but we’re working on it (there’s a lot to do!).

20 ITSO Specification – How to make changes In brief:  Suggestions for changes to the Specification can be made by any ITSO member (NB: for the supplier sector, the requester must be a supplier member, not a registered supplier)  The suggestion is made to the ITSO Technical Committee, where the suggestion is reviewed for its technical and operational merits. If the suggestion is approved, it is written into a Technical Note, which requires membership consultation before being ratified by the ITSO Board and the DfT.  Can be a long, complex process!

21  There is a need for a Specification refresh to incorporate new technologies, encryption methods and corrections to identified issues (pending Technical Notes).  Need for widespread adoption of latest Specification versions to assist in interoperability  However, scheme owners are understandably wary that new versions might involve costs in upgrading their systems  ISAM H3 is in development, will give us the ability to support AES  Mobile world – a project is underway to investigate the feasibility of using Host Card Emulation (HCE) on smartphones. This is where a smartphone could be used for downloading & storing ITSO ticketing products. ITSO Specification – the future

22 ITSO Security fundamentals The ITSO system is highly secure, and our goal is to maintain the high level of security Regular ITSO Security Committee meetings chaired by independent security and cryptology expert Fred Piper, Royal Holloway University London The security is subject to regular independent assessment and evaluation, including regular penetration testing

23 ITSO Security fundamentals The scheme is largely based on symmetric security, for which Triple DES is used Asymmetric security is largely used as a means of protecting symmetric keys in transport Transactional data needs to be protected from change and so such details are sealed (with a MAC) using Triple DES In addition to the messaging security ITSO also uses SSL/TLS to protect the HOPS-HOPS traffic

24 Testing & Certification Provided for different devices types: CMD; POST; PersoPOST; Remote POSTs and HOPS POSTs can be certified according to categories defined by their usage and the sectors in which they operate HOPS are subdivided into Collection & Forwarding, Shell Accounting, Product Accounting and Asset Management Services functions (although now all HOPS provide for all such functions)

25 Certificates Suppliers must be a Registered Supplier or Supplier Member to have devices tested and certified Licensed members (operators) also have an obligation to ensure that they use only devices tested and certified by ITSO ITSO certificates last for seven years from issue, after which the device must either be represented for re-certification under the latest Specification version or withdrawn from use All devices certified under ITSO Specifications 2.1 and 2.1.1 have already expired, and devices certified under 2.1.2 will expire most this year, with a few in 2016

26 ITSO Test tools ITSO Test tools are provided by Clear2Pay, and use Micropross hardware ITSO test tools are available for any ITSO member to purchase (under licence) ITSO also provides some basic tools (ISAM Reader tool and Card Checker tool) for members, which are distributed free of charge but require a contact/contactless card reader

27 Interoperability testing Definition according to IEEE 90: “The ability of two or more systems or components to exchange information and to use the information that has been exchanged.” A copy of all devices tested must be lodged with ITSO for inclusion within the ITSO Interoperability Warehouse ITSO certifies a Product’s Compliance with the ITSO Specification and validates its Interoperability with other products through their interfaces A device is compliant with the standard as determined by a series of tests, and is then shown to be interoperable with other devices that meet the same standard

28 Our Interoperability Warehouse in Milton Keynes – we test for compliance with Specification, but not with business rules and configuration

29 Benchmark testing Benchmark Transaction Time Testing is required to evaluate the speed of media and Products in the field Transportation demands fast transaction times and the Benchmark Transaction Time Tests are designed to replicate likely scenarios of simple and complex transactions for each type of Media and POST Benchmark Testing is not carried out on Personalisation POSTs, Remote POSTs and HOPS.

30 Testing & Certification - Process Supplier submits details of device to be tested Scope of tests based on device type and functionality Supplier representation encouraged through testing sessions ITSO test scripts made available to suppliers Self testing by suppliers encouraged prior to testing commencement at ITSO

31 Smart Media

32 How to join the ITSO community You can become:  An ITSO Member – full ITSO membership means helping determine the Specification and the working of ITSO Limited through consultation and voting rights  An ITSO Licensed Operator – as above but also with the ability to run ITSO-certified smart ticketing schemes  An ITSO Registered Supplier – can be a member or not. You will have had your smart ticketing equipment tested and certified by ITSO as being compliant with the ITSO Specification  Contact Relationship Manager Kim Clarke on 01908 255485 email kim.clarke@itso.org.uk kim.clarke@itso.org.uk

33 ITSO fees and prices – see full schedulesee full schedule

34 How to contact ITSO Kim Clarke Relationship Manager ITSO Limited Deltic Avenue Milton Keynes MK13 8LW Tel: 01908 255485 Fax: 01908 255450 Email: kim.clarke@itso.org.ukkim.clarke@itso.org.uk Website: www.itso.org.ukwww.itso.org.uk

Download ppt "Introduction to ITSO April 2015. Introduction to ITSO  ITSO is an open Specification which belongs to the Crown. ITSO Limited is the guardian of this."

Similar presentations

EzScoreboard.com A Fully Integrated Administration Service.

EzScoreboard.com A Fully Integrated Administration Service.
ITSO An overview March 2010.

ITSO An overview March 2010.
Mobile Payment Security The Good, the Bad and the Ugly

Mobile Payment Security The Good, the Bad and the Ugly
Customer First : Strategic Context and Opportunities Rory Mair.

Customer First : Strategic Context and Opportunities Rory Mair.
ITSO An Introduction.

ITSO An Introduction.
Page 2 Agenda Page 3 History –Blue Print, 2000 –GIS Process 1.2, 2001 (training only) –GIS Process 2.0, 2003-4 (ITIL based - not implemented) –Supply/Demand.

Page 2 Agenda Page 3 History –Blue Print, 2000 –GIS Process 1.2, 2001 (training only) –GIS Process 2.0, (ITIL based - not implemented) –Supply/Demand.
Module 13 Oversight Assessment of Auditor Authentication Bodies

Module 13 Oversight Assessment of Auditor Authentication Bodies
Scotland – Concessionary Travel and Smartcards Gordon Hanning Head of Concessionary Travel & Integrated Ticketing.

Scotland – Concessionary Travel and Smartcards Gordon Hanning Head of Concessionary Travel & Integrated Ticketing.
Welcome Welcome and thank you for agreeing to become an External Examiner for Goldsmiths, University of London. Our External Examiners play an important.

Welcome Welcome and thank you for agreeing to become an External Examiner for Goldsmiths, University of London. Our External Examiners play an important.
Smart Ticketing: Reducing the barriers to Public Transport John Verity, Chief Advisor, ITSO Limited Chair, Smart Ticketing Alliance.

Smart Ticketing: Reducing the barriers to Public Transport John Verity, Chief Advisor, ITSO Limited Chair, Smart Ticketing Alliance.
1 st Nov 05 ATOC & Smart Cards Bob McGivern Smart Card Development Presentation to Smart Card Network Forum 1 st November 2005.

1 st Nov 05 ATOC & Smart Cards Bob McGivern Smart Card Development Presentation to Smart Card Network Forum 1 st November 2005.
Security Controls – What Works

Security Controls – What Works
Software Engineering COMP 201

Software Engineering COMP 201
Digital Asset Protection in Personal Private Networks Imad Abbadi Information Security Group Royal Holloway, University of London

Digital Asset Protection in Personal Private Networks Imad Abbadi Information Security Group Royal Holloway, University of London
Introduction to SAP R/3.

Introduction to SAP R/3.
Electronic Data Interchange (EDI)

Electronic Data Interchange (EDI)
Riga’s e-Ticketing System

Riga’s e-Ticketing System
PCI PIN Entry Device Security Requirements PCI PIN Security Standards

PCI PIN Entry Device Security Requirements PCI PIN Security Standards
United States Election Assistance Commission Pilot Program Testing and Certification Manual & UOCAVA Pilot Program Testing and Certification Manual & UOCAVA.

United States Election Assistance Commission Pilot Program Testing and Certification Manual & UOCAVA Pilot Program Testing and Certification Manual & UOCAVA.
Welcome ISO9001:2000 Foundation Workshop.

Welcome ISO9001:2000 Foundation Workshop.

Similar presentations

Ads by Google