ISO 14443 interoperability in transit Standardizing the contactless interface


White paper - ISO 14443 interoperability in transit

The contactless interface of existing validation and sales terminals is one of the most used means for public transport authorities and operators to interact with their customers. The majority of these contactless interfaces are implemented along the lines of the ISO 14443 international standard. As long as only one specific type of contactless card is used, the interface is usually fast, reliable and convenient. However, UL has observed major interoperability issues as soon as another contactless card is introduced. Examples of the issues are devices not even able to detect the new card, a substantial decrease in the fault tolerance or an unacceptable increase in transaction time.

These interoperability issues already occur as soon as a different card supplier is contracted for the same kind of contactless card. When a new, next-generation card type is introduced that claims to support the ISO 14443 interface, the issues are only bigger.

This paper explores these interoperability issues, searches for a root cause, and proposes a solution. It provides an analysis of the benefits and the challenges of the solution, as well as a migration scenario. Out of the current scope are other aspects of preparing the infrastructure for next-generation fare management, such as an always-online connection and enhanced terminal management. Also, this whitepaper does not discuss the use of the EMV application protocol in transit (neither branded by the major payment networks, nor transit branded).

This paper primarily targets public transport authorities and operators with an existing fare management system.

Contactless interoperability issues

ISO 14443 compliance

Communication between a passive card and a terminal over the contactless interface is possible via electromagnetic induction. The contactless interface specified by ISO 14443 requires a 13.56 MHz electromagnetic field. The typical distance between the card and the terminal is up to ten centimeters.

ISO 14443 gives suppliers a lot of freedom in how they implement it. The large number of options present in the ISO 14443 specification reflects this freedom. Examples of options are:

• Type A or Type B technology

• The operating volume

• The polling sequence

• The bit rate

• Waiting time extension

• Antenna sizes


Due to this freedom, an ISO 14443 compliant terminal is not always able to interact with an ISO 14443 compliant card.

Compliance to the ISO 14443 standard requires two elements:

• A test case specification with a good coverage of the underlying technical specification.

• A certification authority that verifies compliance of actual implementations using the test suite. The certification authority issues letters of approval to compliant implementations.

The ISO 14443 functionality is properly covered by the test cases as specified in ISO 10373-6. However, by definition the test case specification cannot be more restrictive than the base technical specification. Hence, ISO 10373-6 also gives suppliers a lot of freedom in implementation.

Currently, there is no ISO 14443 certification authority. Hence there is no monitoring and control over suppliers claiming ISO 14443 compliance. There is no check whether the ISO 10373-6 test suite is really executed against the implementation. No letter of approval is issued for implementations proven compliant to ISO 14443.

The result of the above is:

• A large number of contactless terminals and cards are not even ISO 14443 compliant.

• Quite a few interoperability issues in the interaction between contactless terminals and cards.

• Many transit schemes are not able to switch from one card supplier to another. (Solving the resulting interoperability issues is expensive and time consuming.)

• Most of the NFC handsets are proven compliant against the stricter NFC Forum and EMV Contactless Level 1 specifications. However, the existing ‘ISO 14443 compliant’ transit terminals will have many interoperability issues, causing severe hurdles to implementing Mobile Ticketing.

Examples of interoperability issues

The issues that we have observed on different fare management systems are:

• A 50% varying operating distance for terminals of a single type and from a single supplier.

• Terminals with a too weak or too strong RF field.

• Contactless protocol tuned towards one specific card type.

• A sharp increase of the communication retries when replacing a memory card with a generic microprocessor card.

Certify against EMV Contactless Level 1

Contactless card payments as issued by the major payment brands would face the same interoperability issues. However, these issues would severely damage the brand promise. Cardholders of contactless payment cards expect that they can pay with their card anywhere in the world as soon as the payment terminal carries the logo of the payment scheme. Together the major payment brands have addressed this issue in EMVCo.

For card payments EMVCo have specified both the physical and functional aspects of a contact and a contactless payment transaction. For contactless the current specifications are EMV version 2.3 Book A, B, C, and D.

EMV Contactless Book A specifies the architecture of a contactless Point of Sales terminal. Book B and C specify the functional layer of a payment transaction. Book D [1] of the contactless specification specifies the contactless communication protocol, the physical layer, of a payment transaction. Book D is tightly coupled to the ISO 14443 specifications. A number of options present in ISO 14443 are set in Book D.

In order to achieve interoperability on the contactless interface in payment, EMVCo have specified EMV Contactless Level 1 (EMV CL L1) tests to verify implementations of EMV CL Book D in the terminal or in the card. The EMV CL L1 tests are categorized in analog [2] and digital tests [3]. EMVCo have established a full test & certification procedure with a number of worldwide accredited test labs. These procedures are very well defined and quite strict.


Thanks to the abovementioned efforts, the contactless interface in payment is globally interoperable. A growing number of people benefit from the fact that contactless cards issued by a specific bank in a specific country are accepted by contactless payment terminals from another bank in another country. In addition, most NFC handsets are certified against the EMV CL L1 specification and benefit from the global interoperability in payment.

As a result of this approach, where a rigid certification scheme is imposed on payment terminals, EMVCo currently offers a large platform that could be regarded as a de-facto standard for contactless compliance. UL would strongly advise the transit industry to mandate EMV CL L1 for the contactless devices (both terminals and cards) used in transit schemes. This way, transit can achieve global interoperability on its contactless interface.

Note that EMV CL L1 could be mandated without requiring an implementation of the EMV contactless application in both the terminal and the card (which would require EMV compliancy beyond Contactless Level 1). Open loop payment in transit is a rather different story that is not explored in this whitepaper. UL recommends implementing the EMV CL L1 part irrespective of any further considerations on open loop payments.

Rationale

Commercial benefits

Bigger market, lower prices

Adopting the de-facto market standard makes it interesting for suppliers to offer their already EMV compliant devices for use in the transit scheme. This becomes especially interesting in an account-based setup in which much of the transit-specific complex logic is moved from the front-end equipment to the back-end. In an account-based setup with front-end equipment that complies to the EMV market standard, it becomes easier for suppliers of front-end equipment to enter the transit market.

Future migrations become less painful (strategic advantage)

As soon as interoperability has been achieved on the lower communication level (i.e. EMV CL L1), future migrations involving changes on the higher communication levels are easier. Having established a common base layer, it becomes easier to absorb future changes affecting only the higher communication layers. Also, stand-in replacements for the contactless transit card (e.g. one supplied by a different supplier) can be introduced more easily, as such modern cards are very likely to have been designed in conformance with the EMV Contactless specifications.

Once the transit infrastructure has been made compliant with EMV CL L1, it becomes possible to go one step further and also make the transit infrastructure suitable for EMV application acceptance. The transit infrastructure would then be able to accept bank-issued (open loop) EMV Contactless cards as a means to pay for transit. Also the transit scheme could configure the EMV Contactless application on a Transit branded card to use it for account based ticketing. As an alternative to a contactless card, the EMV Contactless application could also be hosted on an NFC enabled mobile device. This would enable the following additional benefits.

No barriers for (occasional) travellers

Occasional travellers don’t have to go through a difficult enrolment process; they just need to bring their own payment means (either a contactless bank card or an NFC enabled mobile device).

Reduction of card issuance costs

Each traveller who uses their own means of payment (EMV card or NFC device) no longer needs to be issued a transit specific means of payment. This lowers the operational cost of issuing transit cards to travellers (both occasional and frequent

Better service and real-time information to the traveller

An NFC enabled device allows the existing transit contactless card to be emulated on the NFC device. As these devices have a rich user interface, the traveller can be provided with real-time travel information based on information stored on the device and possibly enriched with information retrieved from the transit back-office (through the device’s internet connection). This improves the traveller’s experience and simplifies delivery of services to the traveller (e.g. instant top-up and instant delivery of travel products such as a subscription).

Technical benefits

EMV offers the only contactless certification scheme

The contactless communication between, typically, a contactless card and a contactless terminal (e.g. transit front-end equipment) is standardised in the ISO 14443 set of standards. To guarantee interoperability (i.e. one device successfully interacting with another device) it is not sufficient that compliance to the standard is merely claimed by the suppliers. Compliance to the standard needs to be independently verified so that each and every compliant device can seamlessly interoperate with any other compliant device.

In addition to the standard itself, usually a test specification is defined that determines how compliancy is to be verified. For the ISO 14443 set of standards, the corresponding test specification is the ISO 10373-6 set of standards. Having the test specification is still only a starting point. There must further be accredited testing labs that test implementations against the standard using the test specifications. Based on the findings of the accredited labs, the accreditor can then issue a certificate of compliance.

Although there is a test specification (ISO 10373-6) for the ISO 14443 set of standards, there is no established certification scheme. By contrast, EMV offers all of the following:

1. A standard that provides further details to ISO 14443, or chooses between options left open by the ISO 14443 set of standards. For example, the required minimum field strength offered by the contactless front-end device (terminal) is specified in much more detail by EMV than the general requirement of ISO 14443.

2. A test specification to test the compliancy of implementations against the EMV standard.

3. A certification scheme including a number of accredited test laboratories.

Therefore, de facto, EMV offers the only certification scheme available to date for future proof contactless implementations of ISO 14443.

EMV compliancy brings NFC compliancy

NFC enabled devices (handsets) are also being certified against the EMV standard. Therefore, if the transit infrastructure is certified against the EMV standard, future interoperability with NFC enabled devices is assured.


Assessment

When adopting the EMV CL L1 standard and the EMV CL L1 certification scheme in a transit context, any potential disadvantage should be assessed, in addition to the benefits identified in section 4. Transit has some characteristics that distinguish it from payment. As EMV is intended for payment, there may be some aspects that make it less suitable for transit. This chapter lists the most mentioned aspects and gives an aggregated response from the major payment brands.

Q: Bit rate: the EMV CL L1 specification limits the communication speed between a contactless terminal and a card to 106 kbit/sec. No exception is made for non-payment transactions.

A: Studies show that the actual improvement in transaction time due to higher bit rates is marginal. Higher communication speed introduces more transmission errors. Just a single retry in the dialogue removes almost all the benefits of the higher rate. Despite these studies, allowing a higher bit rate is an item for consideration within EMVCo.

Q: Polling sequence: EMV CL L1 requires the polling sequence over all the configured technologies to complete before any further processing is allowed over the technology on which a positive response is received.

A: Indeed the terminal shall poll for the presence of a card on both Type A and Type B and any configured ‘proprietary technology’. However, the improved interoperability outweighs any impact of this on the total transaction time.

Q: Antenna Configurations: in transit a wide variety of terminals is used. Would EMV CL L1 allow this?

A: During EMV CL L1 certification every terminal will be certified on its own. The EMV CL L1 specifications are not prescriptive about antenna sizes or geometry; the primary requirement is interoperability, and whatever the geometry, provided it produces an interoperable solution, is fine. For hand held terminals deviations from EMV CL L1 are accepted by the major payment brands.

Q: Collision Detection / Card Clash: how does EMV CL L1 enable the terminals to detect that multiple contactless cards are present in its RF field?

A: The ISO 14443 specified collision detection is present in the EMV CL L1 specifications as well. However, it is not guaranteed that all contactless cards/devices are powered up at the same time. Dependent on the field strength, a memory card might be faster than a generic microprocessor card. If the ‘discovery time’ is shorter than the power up time for the microprocessor card, the terminal would not detect a collision. The resolution of the collision is not addressed in EMV CL L1. The major payment brands advocate that travellers present the card they want to use.


To conclude, all the above listed technical issues might lead to the same business issue: the total transaction time and the passenger throughput. The major payment brands, however, require a total transaction time below 500 msec. The current reality for the London bus is that 95% of the contactless payment transactions are below 500 msec. Hence, EMV CL L1 combined with EMV level 2 and 3 is fit for the ticketing purpose.

Migration plan

The migration towards an EMV CL L1 compliant infrastructure requires a careful approach. The following aspects are relevant for the migration:

• Nature of the required change: either a software update or a replacement of the reader module is needed to make the existing terminals compliant with EMV CL L1.

• Remote upgradeability: if a software update is sufficient, the migration depends on the presence of a remote upgradeability interface between the back-end and the terminals. Note that in specific cases of drivers/controllers in the firmware an update might only be possible via a replacement and cannot be done remotely.

• Age of the terminals: if a hardware update is required, the migration differs for terminals at the beginning or at the end of their economic life (typically 15 years).

In general UL advises fare management scheme owners to start the migration by specifying the ISO 14443 options, like the operating volume, in accordance with EMV CL L1. In addition, the existing certification shall be augmented with the verification of these options and with registering the actual reader module version of the certified terminals. UL recommends this for at least all new terminals (sales, validation and inspection).

UL advises individual participants in a fare management scheme to purchase fully EMV CL L1 compliant terminals when replacing end of life terminals. Currently more than five well-known suppliers have EMV CL L1 certified terminals in their portfolio. If the new terminals support the EMV payment application (kernel) and the Visa/MasterCard brands as well, these transit operators can accept EMV contactless payment cards for fare management. Note that during this gradual migration the ‘one card for all public transport’ principle is degraded, as the EMV contactless payment cards will not be accepted at devices that have not yet been upgraded.

Migrating front-end equipment towards EMV CL L1 before their end of life is very costly. UL advises in this case to consider the high level transit objectives that the fare management seeks to achieve. Cost savings or additional revenue caused by additional system changes enabled by the migration towards EMV CL L1 might create a positive business case.

In addition to the EMV CL L1 compliant contactless interfaces, UL advises the fare management scheme owners to require a maximum time for the fare payment transaction of 500 milliseconds. Based on actual measurements UL is convinced that this performance can be achieved via an efficient card-terminal dialogue. Both the number of command-response pairs and the size of the dialogue shall be reduced as much as possible. The transmission time element could be reduced when the communication speed is increased (from bit rate 106 kbit/sec to e.g. 424 kbit/sec).
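The timing argument made here and in the bit-rate question of the Assessment can be checked with a small budget model. This is an added example, not part of the UL white paper: the dialogue, frame overhead, turnaround time, retry timeout and the cost of a failed attempt are constructed assumptions, to be replaced with values measured on the actual terminal and card.

```python
from dataclasses import dataclass

FC_HZ = 13_560_000                      # ISO 14443 carrier frequency, 13.56 MHz
DIVISOR = {106: 128, 212: 64, 424: 32}  # nominal kbit/s -> carrier cycles per bit
BUDGET_MS = 500.0                       # maximum transaction time named in the paper

# Assumptions for illustration only; replace them with measured values.
BITS_PER_BYTE = 9        # 8 data bits plus one parity bit on air
FRAME_BYTES = 3          # block header and CRC added to every frame
TURNAROUND_MS = 1.0      # fixed guard/turnaround time per command-response pair
RETRY_TIMEOUT_MS = 20.0  # wait before the terminal resends a command

@dataclass(frozen=True)
class Exchange:
    name: str
    cmd_bytes: int   # command payload, terminal to card
    rsp_bytes: int   # response payload, card to terminal
    card_ms: float   # card processing time, independent of the bit rate

# Constructed sample dialogue, not taken from any real fare scheme.
DIALOGUE = [
    Exchange("select", 20, 40, 5.0),
    Exchange("read_1", 5, 120, 8.0),
    Exchange("read_2", 5, 120, 8.0),
    Exchange("read_3", 5, 64, 6.0),
    Exchange("authenticate", 40, 10, 25.0),
    Exchange("write_1", 70, 2, 15.0),
    Exchange("write_2", 70, 2, 15.0),
    Exchange("commit", 5, 30, 5.0),
]

def airtime_ms(ex, kbps):
    """Time both frames of one exchange spend on air at the given bit rate."""
    bits = (ex.cmd_bytes + ex.rsp_bytes + 2 * FRAME_BYTES) * BITS_PER_BYTE
    return bits * DIVISOR[kbps] / FC_HZ * 1000.0

def exchange_ms(ex, kbps):
    return airtime_ms(ex, kbps) + ex.card_ms + TURNAROUND_MS

def transaction_ms(dialogue, kbps, retried=()):
    """Total dialogue time; each name in `retried` adds one failed attempt,
    assumed to cost a full exchange plus the retry timeout."""
    total = 0.0
    for ex in dialogue:
        failures = list(retried).count(ex.name)
        total += (1 + failures) * exchange_ms(ex, kbps) + failures * RETRY_TIMEOUT_MS
    return total

def compare(dialogue, retried_at_fast, slow=106, fast=424):
    """Error-free gain of the faster rate, and what remains after retries."""
    slow_ms = transaction_ms(dialogue, slow)
    retry_ms = transaction_ms(dialogue, fast, retried_at_fast)
    return {
        "gain_ms": round(slow_ms - transaction_ms(dialogue, fast), 2),
        "remaining_gain_ms": round(slow_ms - retry_ms, 2),
        "within_budget": max(slow_ms, retry_ms) <= BUDGET_MS,
    }

if __name__ == "__main__":
    print(compare(DIALOGUE, retried_at_fast=("read_1",)))
    print(compare(DIALOGUE, retried_at_fast=("authenticate",)))
```

With these constructed values, one retried read leaves about 10 ms of the roughly 42 ms gain, and one retried authenticate makes the 424 kbit/sec run slower than an error-free 106 kbit/sec run.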

Finally, transit schemes with the vision to do cloud based ticketing [4] should consider additional changes to the existing infrastructure:

• Connect their terminals to the back-end with a fast and always online link.

• Reserve memory space in their terminals to host other ID/payment applications.

• Establish remote terminal management.

UL will address these additional changes in a separate whitepaper.


Conclusion

Conformance to a strict specification of the contactless interface in transit is the only way to achieve interoperability. Especially the acceptance side of the interface (electronic gates, validators, inspection devices etc.) shall comply. Only then can transit cards from different suppliers and/or mobile handsets be accepted. EMV CL L1 is currently the only full test and certification process that offers this. Therefore UL recommends transit schemes to mandate EMV CL L1 for any new device from now on. In addition the transit schemes should upgrade the existing devices in a phased approach.

References

[1] EMV Contactless Book D Contactless Communication Protocol. EMVCo. Final, version 2.3.1, November 2013.

[2] EMVCo Type Approval Contactless Terminal Level1 - PCD_L1_Analogue Test Bench Test Case Requirements. EMVCo. Final, version 2.3.1, November 2013.

[3] EMVCo Type Approval Contactless Terminal Level1 – PCD Digital Test Bench & Test Cases. EMVCo. Final, version 2.3.1, November 2013.

[4] Cloud Based Ticketing – Next generation fare collection. G.R. Boogaard. Final, version 1.0, November 2013.


Contact details

UL Transaction Security


www.ul-ts.com