The major benefit of EMV Contactless certification
It relies on cards for which the certification is very thorough and a virtual guarantee of interoperability between cards and terminals.
However, for EMV, the validator (and the whole chain up to the Acquirer) must be PCI DSS Certified.
Using EMV contactless bank cards as secure ID media
It is a common way of using EMV contactless bank cards for public transportation.
This approach is employed by TFL (Transport For London). It consists of checking that a card is genuine and has not been black-listed when it is used for validating.
In standard EMV contactless transactions, the card has authorization for a small amount until the next chip and PIN transaction, typically a maximum of 20 Euros and when it is used, the counter is decreased from the amount paid. The transaction can be done offline. When the amount is reached, an online connection and/or PIN transaction is necessary to authorize the payment and reset the counter.
On the other hand, in transport, validators check that the card is genuine, acceptable and not hotlisted. This is performed in real-time and does not require an online transaction. Then a £0 transaction is triggered for every tap. Validators’ hotlists are regularly updated.
An authorization for an amount greater than the maximum trip is requested from the back-office to the bank. If the requested is accepted, this reserves the amount and therefore guarantees payment. If the request is denied, the information is then sent to validators to update the hotlist. This has for consequence that the first usage is always allowed.
The issuing bank will cover the cost of the very first trip, even when the account was blocked.
Major shortcomings of ABT
Network availability shortcoming
Traditional ABT systems rely heavily on networks as transactions are processed in a back-office server, which is not available when the network is down.
ABT terminals can buffer the transaction request and send the request to the back-office when the network connection is resumed. In that case, the terminal takes the risk of emulating a successful transaction for media that are linked to accounts that cannot be charged for lack of funds or for any other reason.
As “pure” ABT POs only contain an ID, unless a network connection is available, there is no way for a terminal to ascertain whether the PO holder is entitled to concessionary fares.
As the information relative to ABT transactions is registered in back-office (and optionally in validators in addition to being stored in back-office), inspecting POs also requires accessing the back-office system.
In the metro, train, and in some bus and tram networks, ticket inspection is performed away from the validator/gate which means that relying on accessing the data directly from the validator/gate used by the traveler for inspection purposes is simply not feasible.
Others generic issues related to EMV :
Susceptibility to hacking
Key benefits of EMV contactless-based ABT include the fact that card issuing and after-sales service are covered by third parties (banks), enrolment is automatic for bank customers and interoperability is mastered successfully.
The drawbacks of ABT schemes are network dependent, ticket inspection may face legal issues, concessionary ticketing is hard to implement, and finally that it removes some of the independence of transport authorities and operators.