Account-Based Transaction Processing Risk Mitigation Methods



Similar documents
An Effective Approach to Open Payment Systems

Open Payment Fare Systems Save money through operational efficiencies.

Open Payment System Request for Proposals

EMV's Role in reducing Payment Risks: a Multi-Layered Approach

Smart Card Fare Payment Solutions For Public Transportation

What Merchants Need to Know About EMV

CONTACTLESS INTEROPERABILITY IN TRANSIT

Bringing Mobile Payments to Market for an International Retailer

Edward B. Pollan, P.E. LTK Engineering Services

Simple Smart Card Applications for Paratransit Systems

Creating a Strategy for an Electronic Fare Payment System SEPTA s New Payment Technologies Project

Recurring Credit Card Billing

Euronet Software Solutions ATM Management System Maintain and Expand Your Automated Service Offerings with a Secure, Flexible and Powerful Solution

Product. Opencheck A Comprehensive Check Payments Solution to Meet the Demands of Financial Institutions in Today s Automated Environment

The Future Of Cloud based Ticketing. Ernst Bovelander Director Advisory Services

PCI and EMV Compliance Checkup

Bank. CA$H 2.0 Contactless payment cards

How To Install An Aneka Cloud On A Windows 7 Computer (For Free)

NACCU Migrating to Contactless:

How To Make Money From Mobile Payment On Wirecard

Sage Payment Solutions

ACFS PRODUCT FLYER MTFS

Tokenization: FAQs & General Information. BACKGROUND. GENERAL INFORMATION What is Tokenization?

Integrated Transportation Payment Systems. Boston, MA 2009-February-27

The Impact of Emerging Payment Technologies on Retail and Hospitality Businesses. National Computer Corporation

SunGO Fare Payment General Information

Merchant Services Payment Solutions for Your Business

EMV mobile Point of Sale (mpos) Initial Considerations

How To Get Your Computer To Comply With Pca

American Express Contactless Payments

Euronet s Contactless Solution

mobile payment acceptance Solutions Visa security best practices version 3.0

Mobile Payment Trials in Public Transport. Building on Contactless Programs and APTA Standards March 16, 2009

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

bid every 10 years Are there specific pain points or issues with your current processor you are trying to resolve by going out for RFP?

Transport for London. Projects and Planning Panel. The Future of London s Ticketing Technology

Mobile Payment: The next step of secure payment VDI / VDE-Colloquium. Hans-Jörg Frey Senior Product Manager May 16th, 2013

NextCity Brief What is NextCity, February 2014

NEXT GENERATION TRANSIT TICKETING

MasterCard Contactless Reader v3.0. INTRODUCTION TO MASTERCARD CONTACTLESS READER v3.0

Mobile Near-Field Communications (NFC) Payments

Preparing for EMV chip card acceptance

EMV and Small Merchants:

E M V I M P L E M E N TAT I O N T O O L S F O R S U C C E S S, P C I & S E C U R I T Y. February 2014

Contactless card locker system. RFID card system for booking, accessing and payment for lockers and storage

Cisco Comprehensive Payments Solution

Electronic Funds Transfer (EFT) Guide

White paper: EMV Payments in Transport Consult Hyperion.

EMV FOR U.S. ACQUIRERS: SEVEN GUIDING PRINCIPLES FOR EMV READINESS

NCR Secure Pay FAQ Updated June 12, 2014

Business Case for the New Electronic Payments Program

Visa Recommended Practices for EMV Chip Implementation in the U.S.

NFC in Transport for London

Contactless Security Controls in Place to Protect Payment Card Data

Click to edit Master title style

FXLoader Cloud Service Deployment Guide

Introduction. Silverton Consulting, Inc. StorInt Briefing

Multi-factor authentication

The EMV Readiness. Collis America. Guy Berg President, Collis America

EMV Frequently Asked Questions for Merchants May, 2014

Configuring and Collecting Payments Release 7.5

Apple Pay. Frequently Asked Questions UK Launch

Euronet Software Solutions Recharge Solution

The Future is Contactless

PCI DSS Compliance Services January 2016

Electronic Funds Transfer (EFT) Guide

Shifting The Ticketing Paradigm

Implementation of an Enhanced Integrated Fare System for Singapore

Avoiding the Claims Denial Black Hole: Strategies to Accelerate and Maximize Claims Payments

PARKING SOLUTIONS. Amano McGann Wireless Event Parking System

Government of The Hong Kong Special Administrative Region

EMV and Restaurants What you need to know! November 19, 2014

Let s cover a few general terms and calculations that I m going to reference throughout this discussion.

EMV FAQs for developers

OMNITURE MONITORING. Ensuring the Security and Availability of Customer Data. June 16, 2008 Version 2.0

The DirectOne E-Commerce System

ROI Credit Card Processing. ROI Check Verification. Copyright 2000 by MaddenCo, Inc All rights reserved.

Innovation in payments an overview

Increase Efficiency, Maximize Profits, and Secure Guest Confidence.

MIFARE CONTACTLESS CARD TECHNOLOLGY AN HID WHITE PAPER

Fundamentals of EMV. Guy Berg Senior Managing Consultant MasterCard Advisors

Accenture Fare Management Solution. A Digital Payment Platform for Transit Operators

WE ENABLE OUR CUSTOMERS TO MAKE THE SALE

Smart Ride: European transit systems move to contactless mobile payments Trends and Developments, May 05, 2015

We believe First Data is well positioned to take advantage of all of these trends given the breadth of our solutions and our global operating

DART Mobile App Go Pass

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Ingenious Systems. Evolute System's. Mobile Payment. Initiative

TfL s Contactless Ticketing: Oyster and Beyond Transport for London. Lauren Sager Weinstein Head of Oyster Development

Smart Array Technology: Basics and Advantages of Battery-Backed Cache

SmartConnect Glossary of Terms Version 1.4

PAYMENT EXPRESS EFTPOS GETTING STARTED GUIDE. Version 0.1

Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance

Transcription:

-Based Transaction Processing Risk Mitigation Methods 2014 APTA Revenue Management Summit CH2M HILL, Inc. Pete Comps Chicago Doug Deckert Baltimore

A Little History Not that long ago, fare collection was all about securing cash and tokens If you lost the data, you still had the revenue in the farebox When card-based fare systems emerged, the data on the card represented the revenue (e.g., stored value or floating period passes) If you lost the back-end data, the data on the card remained intact, and the revenue was still in the bank Now, with account-based systems, bank card payments, mobile ticketing, etc., the data IS the revenue Lose the data, and you lose the revenue There is a variety of data sources, types, and storage locations Thus, there are many ways to lose revenue

-Based Fare Systems Benefits compared to card-based systems: Eliminates most proprietary designs on the card and at the card-to-reader interface Reduces security vulnerabilities from NFC smart phones ( cloning ) Supports third-party media and distribution networks Provides clear path to acceptance of EMV contactless bank cards

-Based Fare Systems Realities -based transaction processing depends on communications to back-end data system Data communications especially mobile are not 100% available Real-time communication and authorization affects transaction times, especially during peak periods Simpler device-to-card interface requires a highly complex back-end data system Back-end data system can be a single point of system failure Consistently satisfying desired transaction time no more than ½ second is challenging

Pure -Based Transaction Process 12345 1. When tapped, device reads card identity and conducts initial rules verifications (e.g., card expired, passback, etc.) 2. Device requests authorization from back-end data system 3. Back-end data system determines validity of account linked to card 4. Back-end data system informs device whether to allow entry 5. Back-end data system calculates transaction cost (according to business rules) and updates account Device Local Rules Check Go Stop Back-end Validity Check Price Transaction Note: transaction price determined after authorization to maintain desired transaction speed

Pure -Based Transaction Challenges Communication loss or capacity constraints Back-end data system failure or degraded operations 12345 Desired maximum transaction time of ½ second Device Local Rules Check Go Stop Back-end Validity Check Price Transaction Note: transaction price determined after authorization to maintain desired transaction speed

Risk Mitigation Strategies Always allow entry if no response from back-end within allotted time Risk of significant revenue loss Reduce risk of loss by adding validation processing at card readers Usually includes device-stored (distributed) risk mitigation lists Validation via search of stored lists can be in parallel with or instead of on-line authorization Requires robust process to maintain up-to-date lists on all devices

Transaction Processing Parallel with Risk Lists 1. When tapped, device reads card identity and conducts initial rules verifications (e.g., card expired, passback, etc.) 2. Device requests authorization from back-end data system AND Device commences search of risk mitigation lists 3. Back-end data system determines validity of account linked to card WHILE Device determines validity of account, based on risk list content 4. Back-end data system informs device whether to allow entry BUT If the back-end data system does not respond within the allotted time, the device uses the results of the risk list search to determine whether to allow entry 5. Back-end data system calculates transaction cost (according to business rules) and updates account and risk list content 12345 6. Back-end data system broadcasts risk list updates to all devices Device Local Rules Check Local Risk List Check Go Stop Local Risk List Back-end Validity Check Price Transaction Risk List

Transaction Processing Off-Line with Risk Lists 12345 1. When tapped, device reads card identity and conducts initial rules verifications (e.g., card expired, passback, etc.) 2. Device commences search of risk mitigation lists 3. Device determines validity of account, based on risk list content, and whether to allow entry 4. Device communicates transaction results to back-end data system 5. Back-end data system calculates transaction cost (according to business rules) and updates account and risk list content 6. Back-end data system broadcasts risk list updates to all devices Device Local Rules Check Local Risk List Check Go Stop Local Risk List Back-end Price Transaction Risk List

Risk List Content Parallel Positive and/or Negative lists Positive lists contain identifiers (tokens) of accounts with known validity Negative lists contain identifiers of accounts with insufficient value or lost/stolen cards Systems can include either or both list types List entries can also include other conditional information, such as pass types, low value warning, exception rules, etc. Parallel risk list processing need not have an entry for every account in use

Risk List Content Off-Line Off-line risk list should contain an entry for every account Each entry in the list must contain the account status Entries may also contain additional information, including: type (full / reduced fare) Pass type & expiration Low value warning

Risk List Content Additional account-specific information enables more post-transaction feedback, but can increase list content volatility and frequency of list updates Any entries for bank cards must be encrypted for PCI compliance

Risk List s Due to the size of the list files (up to 1 Gigabyte), updates are typically deltas only frequency should be configurable and governs the degree of risk mitigation If an account should be on the negative list, but is not, the user gets free rides (resulting in negative account balance) frequency also affects customer satisfaction If a user replenishes an account (taking it off the negative list), but the device list is not up to date, the user may be incorrectly denied entry If a new account should be on the positive list but is not, the user may be incorrectly denied entry Local Risk List Price Transaction Risk List

Risk List s Lists can be updated in batches every 3 to 5 minutes, or continuously updated (streamed) Lists on devices can be significantly out of date when: A device is shut down for several days A device is replaced with a spare device Specialized procedures may be necessary to ensure that such devices have current risk lists Periodic (e.g., daily) download of entire risk list to every device may improve overall list accuracy Means to monitor and report the currency of device risk lists recommended to gauge health of risk list update process Local Risk List Price Transaction Risk List

Helpful Fare Policies deposits can provide a cushion against negative account balances Capped fares can mitigate risk Enable customers to purchase unlimited ride passes (e.g., day passes) one ride at a time Limit potential per-account losses to the value of a day pass

Summary Data integrity can play a vital role in securing revenue for account-based systems Real-time authorization within ½ second can be difficult to achieve consistently Risk mitigation lists: Can offer backup to real-time authorization OR Equivalent authorization processing without real-time authorization challenges Require robust update processes Coordinated fare policies can further mitigate risks

A CH2M HILL Production Copyright MMXIV Co-Producer: Porky Pete Comps 847-476-PETE (7383) pete.comps@ch2m.com Co-Producer: Daffy Doug Deckert 703-939-5130 douglas.deckert@ch2m.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information