How do Contactless Payments (cEMV) in Transit work? How does public transport ticketing works with scanning my credit or debit card?

94 viewsOtherTechnology

How can the system calculate one time or even trip based fares while keeping my data anonymized?

In: Technology

2 Answers

Anonymous 0 Comments

like any store.

you input what you where you want to ride, the machine calculates the cost and does a credit card transaction reserving that money off your credit card, so it either charges you that, or a lesser amount if its a system where you only get charged for whatever you ride.

Anonymous 0 Comments

There are several things involved here: the first one is your actual card. It’s a unique piece of electronics with a unique identifier. But it’s also your payment method. So the terminal gets your card data and your card’s unique ID and stores it as the initial transaction. Once you check out, it finds your id in the list of checked in transactions and calculates the final price.

As for the anonimity, your card doesn’t provide any personally identifiable data to the terminal and the terminal doesn’t need it, either. In fact, nowadays even online payments don’t actually require your name when paying. You could enter anything and it would still work. The only thing that matters is that you enter the correct card number and CVV.

Furthermore, in order to provide security, when you make repeated payments, at least online, the merchant doesn’t actually store your card details. The payment processor simply provides an authorisation code to the merchant after the initial transaction and that’s what we use from that point on. We never see your actual card details (at least if it’s implemented properly).

And last, if we DO want to store unique information about you without storing identifiable info, there’s a thing called “hashing”. It’s a one way operation that takes an amount of data and turns it into a unique, jumbled string (a piece of text) that can’t be reversed (at least for practical purposes). Usually it’s a fixed length 64 character string. For example, your username (arcticdoc) has this hash if SHA256 is used: 92b49acae5cc22c39b69f93ee2eb1d01a8a14c97b68ab0a2fc51fd12661d5f8b

This is mathematically irreversible (although in your case, since the original piece of text is so short, you can brute force all the combinations and have their corresponding hashes).

But now imagine that if you were to hash Shakespeare’s complete works, you’d still end up with a string of the same length. Can you reverse that? Probably not.

But back to your subject: rather than storing your card number, we store the card number’s hash. Whenever you swipe your card, we can read its number, calculate the hash and find THAT in the database and then proceed from there.