With the extension of contactless payments onto the Sydney Rail Network, open-loop cards are all set to become ubiquitous for the travelling public. This article answers 10 important questions about Transit Payment infrastructure.
In the context of this article, Transit payments are defined as transactions performed on an open-loop, EMV-compliant, contactless payment card, for fare payment on public, private or mass transport modes including bus, rail, ferry or other modes.
Not much for a standard retail transaction, where the payment card is presented at a kiosk or vending machine and a traditional authorisation is performed as part of the fare collection.
The point of difference is where the ‘tap’ transaction occurs on an unattended terminal, such as the gates and/or readers, as you board your service. In this case, the payment card is only a means of identification for a payment transaction that will be completed at some point after the customer has commenced their journey. This introduces the concept of first ride risk.
First ride risk occurs because the payment authorisation could be declined following the initial tap transaction. This may make the debt that is subsequently generated unrecoverable. It is important that the deny list is promptly updated after the authorisation is declined, so that further exposure on the same payment card is prevented.
You know how the saying goes – I could tell you but then I’d have to… Seriously though, this is a tightrope that Merchant Transit Providers, Acquirers, Schemes and Issuers need to negotiate up front. Some schemes are taking the lead on this by issuing transit transaction specifications that clearly spell out the obligations for all parties involved.
Imagine the scenario at rush hour, with hundreds of paying customers all trying to proceed through the gates to catch a departing service. For queues to be manageable, each payment card needs to be validated in hundreds of milliseconds. The timeframes to achieve an end-to-end (E2E) authorisation are simply unworkable in the mass transit environment.
An Offline Data Authentication (ODA) is performed. This checks the card expiry date and confirms that the card is valid. Other checks can be performed, including that the card number is not on a deny list, and that the scheme and BIN range are accepted.
A deny list is the equivalent of a blacklist of PANs (primary account numbers) that are denied entry because of a previous payment dishonour. When a payment is dishonoured, the PAN must be entered onto the deny list to prevent the same payment card from being used again.
Yes, when the customer subsequently makes good on the dishonoured payment, the deny list should be updated swiftly to prevent further denial of service on the same payment card.
The Merchant Transit Provider must store PANs securely and in line with PCI guidelines. No exceptions.
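The gate-side checks and the deny list life cycle described above can be put together as follows. This is an added example, not code from the article or from any transit operator. It assumes the deny list is keyed by an HMAC-SHA-256 token of the PAN rather than the PAN itself; `DENY_KEY`, `ACCEPTED_BINS`, the function names and the sample PANs in the comments are all constructed for illustration.

```python
import hashlib
import hmac
from datetime import date

# Assumption: the key lives in an HSM/KMS in production; this value is constructed.
DENY_KEY = b"constructed-demo-key"
# Assumption: constructed BIN prefixes standing in for the accepted scheme/BIN ranges.
ACCEPTED_BINS = {"411111", "520000"}


def pan_token(pan: str, key: bytes = DENY_KEY) -> str:
    """Keyed hash of the PAN, so the deny list never holds a PAN in clear."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class DenyList:
    def __init__(self) -> None:
        self.tokens = set()  # HMAC tokens only, never raw PANs

    def add(self, pan: str) -> None:
        self.tokens.add(pan_token(pan))

    def remove(self, pan: str) -> None:
        self.tokens.discard(pan_token(pan))

    def __contains__(self, pan: str) -> bool:
        return pan_token(pan) in self.tokens


def validate_tap(pan, expiry, oda_ok, deny_list, today: date) -> str:
    """Gate decision. oda_ok is the reader's ODA result (the cryptographic
    check itself is not modelled); expiry is (year, month) read from the card."""
    if not oda_ok:
        return "DENY_ODA_FAILED"
    if expiry < (today.year, today.month):  # valid through end of expiry month
        return "DENY_EXPIRED"
    if pan[:6] not in ACCEPTED_BINS:  # e.g. constructed PAN "4111111111111111" passes
        return "DENY_BIN_NOT_ACCEPTED"
    if pan in deny_list:
        return "DENY_LISTED"
    return "ALLOW"


def on_authorisation_result(pan: str, approved: bool, deny_list: DenyList) -> None:
    """Back office: a decline after the tap puts the card on the deny list."""
    if not approved:
        deny_list.add(pan)


def on_debt_recovered(pan: str, deny_list: DenyList) -> None:
    """Back office: once the dishonoured payment is made good, lift the denial."""
    deny_list.remove(pan)
```

The first tap on a card always reaches `ALLOW` before any authorisation result exists, which is the first ride risk; the deny list only limits exposure from the second tap onward.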
The same ODA check can be undertaken with different form factors regardless of whether the payment is presented on a mobile device, watch or other medium.