Introduction to ITSO ITSO is an open Specification which
belongs to the Crown. ITSO Limited is the guardian of this
Specification All transport providers can use the same, open,
Specification so that their ticketing systems speak the same
language - interoperable In theory, you could use just one smart
card as an electronic wallet for tickets for your end-to-end
journey. Member transport operators and transport authorities are
licensed to use ITSO to enable smart ticketing for concessionary
and commercial travel. The smartcard might be called Pop,
StagecoachSmart, Swift or the key, but the Specification behind it
is ITSO.
Slide 3
What does ITSO Limited do? Provides the ITSO Security
Management Service (ISMS) the keeper of the keys Tests and
certifies equipment to ensure it complies with the Specification
Supports and advises members and suppliers on setting up
ITSO-compliant smart ticketing schemes Liaises with members,
government and the industry both in the UK and Europe to ensure the
Specification is fit for purpose and future-proofed
Slide 4
The ITSO Ltd team
Slide 5
Timelines 1995 First EMV standard for bank cards [Non-ITSO]
December 1998 First pre-ITSO meeting January 2000 Version 1.0 of
ITSO Specification 2002 Cheshire Travelcard introduced 2003 limited
[non-ITSO] Oyster use after 10 years in development February 2010
Version 2.1.4 of ITSO Specification December 2010 ITSO Part 11
Remote Download December 2012 EMV introduced on London buses
Slide 6
Where is ITSO now? At the heart of concessionary travel in
England, Scotland and Wales (42,000 buses, of which 9,000 are in
London) At the heart of many commercial ticketing schemes on-bus,
train, tram, ferry, hovercraft and even steam trains. Big Five
multi-operator smart ticketing will be ITSO- compliant Specified
for most current and all future national rail franchises SEFT and
STN ITSO chairs the Smart Ticketing Alliance in Europe which is
pushing transport ticketing interoperability One size does not fit
all - ITSO works alongside other technologies, such as EMV, but
also cash
Slide 7
Who are ITSOs Members?
Slide 8
c2c Smart on rail Cheshire Travelcard Citycard Nottingham Iff -
Cardiff MCard - West Yorkshire mygetmethere Manchester Oxford
SmartZone Passport Newport Pop card - Tyne and Wear SimplyGo -
Reading SolentGo South Hampshire StagecoachSmart including rail
Swift West Midlands the key card Go-Ahead including rail Touch Card
First Bus in Bristol TravelMaster - South Yorkshire Walrus -
Merseyside Some of the ITSO schemes around the UK
Slide 9
Some numbers 8.3 billion passenger journeys on public transport
in UK in 2013/14 - DfTDfT 1.1 billion rail journeys, nearly 70% on
SEFT operators 9.7 million ENCTS passholders in England alone
making more than 1 billion trips a year mostly smart We dont get
stats from all of our members but here are a few: Stagecoach: More
than 240 million smart transactions a year on ITSO based systems
StagecoachSmart (including concessionary travel) Stagecoach
Go-Ahead: 43.8 million the key transactions a year (not including
concessionary travel) Go-Ahead ACT: 1.25 billion digital
transactions a year through their HOPS most of these are ITSO-based
ticketing transactio ns ACT
Slide 10
ISMS activity As of end January 2015: Around 80 different HOPS
processing ITSO transactions in the UK 87.2k active ISAMs 1.2k
Active products / IPEs (inc 341 concessionary and companion
products) 381 Active CMDs
Slide 11
Certification As of 13 March 2015, the following number of
products have valid ITSO Certificates: Customer Media: 40 POSTs: 86
PersoPOST: 30 Remote POST: 8 HOPS: 13
Slide 12
ITSO scheme components - terminology CMCustomer Media
(deliberately not just a smartcard) ITSO ShellThe ITSO wallet on a
CM CMDCustomer Media Definition (defining a type of CM) IPEITSO
Product Entity (deliberately not just a ticket) POSTPoint Of
Service Terminal Perso-POSTPersonalistion POST (can add a Shell to
a CM) ISAMITSO Secure Application Module HSAMHOPS ISAM ISMSITSO
Security Management Service HOPSHost Operator or Processing System
NB: A dictionary is available at
http://www.itso.org.uk/about-us/what-itso-does/itso-dictionary
Slide 13
Slide 14
ITSO Specification - History The ITSO Specification is an open
Specification which belongs to the Crown ITSO Ltd maintains and
publishes the Specification under licence from the Department for
Transport (DfT) The Specification has now been in existence for 15
years, undergoing 7 revisions and the addition of Remote POST
functionality:
Slide 15
ITSO Specification - Components The ITSO Specification is
officially entitled ITSO TS 1000 Split into 12 component parts:
Part 0: Concept & Context Gives a general overview of the
Specification Part 1: General reference Contains definitions of
ITSO terms, data types, location types Part 2: Customer media data
structure Defines the ITSO Shell and data storage within Part 3:
Terminals Defines the requirements for a POST in the ITSO
environment
Slide 16
ITSO Specification Components (continued) Part 4: HOPS Defines
the requirements for a HOPS in the ITSO environment Part 5:
Customer media data record definitions Defines IPEs and their
structures Part 6: Message data Defines the ITSO message types,
elements & data structures Part 7: ITSO Security Subsystem
Defines the security system in the ITSO environment Part 8: ITSO
Secure Application Module detailed operation Details the commands
for use with ISAMs/HSAMs and their behaviour, as well as ISAM file
contents
Slide 17
ITSO Specification Components (continued) Part 9:
Communications Defines data transmission formats, lossless data
transfer, VPN requirements, general communications in the ITSO
environment Part 10: Customer media definitions Defines all CM
structures and commands Part 11: Remote POST Defines the
requirements for a Remote POST in the ITSO environment Quite a
complex set of documents, with a lot of cross-referencing required.
All (except Part 8) freely available on the ITSO website at:
http://www.itso.org.uk/the-specification/specification-resources/publicly-available-specification
Slide 18
ITSO Specification Supplemental information In addition to the
formal Specification, there are various types of supplemental
documents: Developer Guidance Guidance on various subjects to
assist suppliers in developing to the Specification Temporary
Reference Guide Documents the message structures to/from the ISMS
Frequently Asked Questions (FAQs) Generally taken from Technical
Support questions Operational Guidance Coming soon - a new type of
document giving more operational, rather than technical, guidance
All available in the members/registered suppliers areas of the ITSO
website
Slide 19
ITSO Specification - Current version ITSO currently supports
version 2.1.4 of the ITSO Specification and test products against
that specification however some products still have certificates
for previous versions New functionality (LOG1 usage, new
IPE/message formats, etc.) introduced in later Specification
versions isnt compatible with previous versions, so consideration
needs to be given to equipment levels in a scheme. The large degree
of flexibility allowed by the Specification can cause problems, but
there seems to be an appetite to change this. The Specification
isnt perfect, but were working on it (theres a lot to do!).
Slide 20
ITSO Specification How to make changes In brief: Suggestions
for changes to the Specification can be made by any ITSO member
(NB: for the supplier sector, the requester must be a supplier
member, not a registered supplier) The suggestion is made to the
ITSO Technical Committee, where the suggestion is reviewed for its
technical and operational merits. If the suggestion is approved, it
is written into a Technical Note, which requires membership
consultation before being ratified by the ITSO Board and the DfT.
Can be a long, complex process!
Slide 21
There is a need for a Specification refresh to incorporate new
technologies, encryption methods and corrections to identified
issues (pending Technical Notes). Need for widespread adoption of
latest Specification versions to assist in interoperability
However, scheme owners are understandably wary that new versions
might involve costs in upgrading their systems ISAM H3 is in
development, will give us the ability to support AES Mobile world a
project is underway to investigate the feasibility of using Host
Card Emulation (HCE) on smartphones. This is where a smartphone
could be used for downloading & storing ITSO ticketing
products. ITSO Specification the future
Slide 22
ITSO Security fundamentals The ITSO system is highly secure,
and our goal is to maintain the high level of security Regular ITSO
Security Committee meetings chaired by independent security and
cryptology expert Fred Piper, Royal Holloway University London The
security is subject to regular independent assessment and
evaluation, including regular penetration testing
Slide 23
ITSO Security fundamentals The scheme is largely based on
symmetric security, for which Triple DES is used Asymmetric
security is largely used as a means of protecting symmetric keys in
transport Transactional data needs to be protected from change and
so such details are sealed (with a MAC) using Triple DES In
addition to the messaging security ITSO also uses SSL/TLS to
protect the HOPS-HOPS traffic
Slide 24
Testing & Certification Provided for different devices
types: CMD; POST; PersoPOST; Remote POSTs and HOPS POSTs can be
certified according to categories defined by their usage and the
sectors in which they operate HOPS are subdivided into Collection
& Forwarding, Shell Accounting, Product Accounting and Asset
Management Services functions (although now all HOPS provide for
all such functions)
Slide 25
Certificates Suppliers must be a Registered Supplier or
Supplier Member to have devices tested and certified Licensed
members (operators) also have an obligation to ensure that they use
only devices tested and certified by ITSO ITSO certificates last
for seven years from issue, after which the device must either be
represented for re-certification under the latest Specification
version or withdrawn from use All devices certified under ITSO
Specifications 2.1 and 2.1.1 have already expired, and devices
certified under 2.1.2 will expire most this year, with a few in
2016
Slide 26
ITSO Test tools ITSO Test tools are provided by Clear2Pay, and
use Micropross hardware ITSO test tools are available for any ITSO
member to purchase (under licence) ITSO also provides some basic
tools (ISAM Reader tool and Card Checker tool) for members, which
are distributed free of charge but require a contact/contactless
card reader
Slide 27
Interoperability testing Definition according to IEEE 90: The
ability of two or more systems or components to exchange
information and to use the information that has been exchanged. A
copy of all devices tested must be lodged with ITSO for inclusion
within the ITSO Interoperability Warehouse ITSO certifies a
Products Compliance with the ITSO Specification and validates its
Interoperability with other products through their interfaces A
device is compliant with the standard as determined by a series of
tests, and is then shown to be interoperable with other devices
that meet the same standard
Slide 28
Our Interoperability Warehouse in Milton Keynes we test for
compliance with Specification, but not with business rules and
configuration
Slide 29
Benchmark testing Benchmark Transaction Time Testing is
required to evaluate the speed of media and Products in the field
Transportation demands fast transaction times and the Benchmark
Transaction Time Tests are designed to replicate likely scenarios
of simple and complex transactions for each type of Media and POST
Benchmark Testing is not carried out on Personalisation POSTs,
Remote POSTs and HOPS.
Slide 30
Testing & Certification - Process Supplier submits details
of device to be tested Scope of tests based on device type and
functionality Supplier representation encouraged through testing
sessions ITSO test scripts made available to suppliers Self testing
by suppliers encouraged prior to testing commencement at ITSO
Slide 31
Smart Media
Slide 32
How to join the ITSO community You can become: An ITSO Member
full ITSO membership means helping determine the Specification and
the working of ITSO Limited through consultation and voting rights
An ITSO Licensed Operator as above but also with the ability to run
ITSO-certified smart ticketing schemes An ITSO Registered Supplier
can be a member or not. You will have had your smart ticketing
equipment tested and certified by ITSO as being compliant with the
ITSO Specification Contact Relationship Manager Kim Clarke on 01908
255485 email [email protected][email protected]
Slide 33
ITSO fees and prices see full schedulesee full schedule
Slide 34
How to contact ITSO Kim Clarke Relationship Manager ITSO
Limited Deltic Avenue Milton Keynes MK13 8LW Tel: 01908 255485 Fax:
01908 255450 Email: [email protected]@itso.org.uk
Website: www.itso.org.ukwww.itso.org.uk