Open Payments: All You Need to Know about PCI, Chain of Custody, and EMV Certification

Hey there, fellow public transit enthusiast! Today, we'll be talking about Open Payments for Public Transit and why PCI certification is so important for ensuring the security of our customers' sensitive financial data.

Agencies around the world are increasingly adopting Open Payment (contactless EMV) systems for fare collection, making travel more convenient and efficient for riders as they are able to simply tap a contactless bank card or mobile device without needing to obtain a smart card or download an app in advance. 

However, with great power comes great responsibility… 

With the convenience of Open Payments comes the responsibility of ensuring the security of customers' sensitive financial data. This is where PCI certification comes into play. 

In this blog, we will explore PCI compliance and demystify what it is, why it’s important and what agencies need to be aware of when deploying an Open Payments (cEMV) solution.

What is PCI DSS?

The security requirements of the payments industry is defined by a global standard called Payment Card Industry Data Security Standard (PCI DSS). PCI DSS defines a comprehensive set of requirements designed to help businesses and agencies protect sensitive payment data when stored, processed or transmitted.

What is PCI DSS Certification?

PCI (Payment Card Industry) certification is a set of security standards established by the major credit card companies to protect customers' financial information during transactions. PCI certification is mandatory for any organization that accepts credit card payments, including public transit agencies and must be renewed ever year.

As a Merchant of Record, transit agencies must prove their PCI DSS compliance, which serves as evidence that a transit agency can reduce the risk of card fraud or reputational damage that can occur from the loss or theft of cardholder data by implementing security controls to protect sensitive payment data when stored, processed or transmitted.  

If an agency is not a Merchant of Record there are still responsibilities they need to be aware of in order to obtain and retain PCI certification which we discuss later in this blog. 

The benefits of PCI DSS certification for public transit agencies

First, let’s be clear. Before launching an Open Payments solution, obtaining PCI Certification is a requirement and is not optional. But we thought highlighting some of the benefits might be useful for educating your teams.

Obtaining PCI certification for an open payments system used in public transit has numerous benefits, including;

1. Increased security: By following the PCI security standards, agencies can ensure that customers' sensitive financial information is protected against theft, fraud, or other security breaches.
2. Increased trust: With the prevalence of data breaches, customers are becoming increasingly aware of the importance of data security. A PCI certification can reassure customers that their financial data is being handled securely.
3. Reduced liability: In the event of a data breach, a certified organization is better protected from financial liability.

Key steps when deploying Open Payment systems

When deploying an open payments (CEMV) solution, public transit agencies need to keep the following points in mind:

1. Work with a certified vendor: The vendor providing the Open Payments solution should be PCI certified. Agencies can verify a vendor's certification status through the PCI Security Standards Council website.
2. Follow the PCI DSS requirements: Agencies should ensure that their open payments system meets the requirements of the PCI DSS (Data Security Standard). This includes encrypting data transmissions, protecting stored data, and implementing strong access controls. The system must be level 3 certified before launch which we cover later in this blog. 
3. Chain of Custody for payment devices (Validators): On deployment, the transit terminal (Validator) must follow chain-of-custody rules all the way through from the factory to being installed on the buses.
4. Train staff: Staff responsible for managing the open payments system must be trained in PCI compliance and security protocols.

What are the three levels of EMV certification for public transit Open Payment Systems?

EMV certification is different from PCI certification, but we think this is useful to be aware of as you can’t launch an Open Payments solution for transit without having a Level 3 EMV-certified solution. There are three main categories for EMV certification that you need to complete before launching an Open Payments solution. This is normally handled by the vendor you select:

• Level 1 (L1)  -Validator certification: This testing area focuses on the media (e.g. card, smartphone, wearable) and validator compliance for the electrical and logical protocols and the data transfer (analog and digital compliance). This testing is common to all payment schemes. (Validator certification)
• Level 2 (L2): This testing area assesses the compliance of the media application and terminal software (aka EMV kernels) to perform functional EMV processing. This testing is specific per payment scheme.
• Level 3 (L3) -Full system certification: This targets the validation, per payment schemes or brand, of the integration between the payment terminal (validator) and the payment acquiring system. This needs to be certified for each combination of validator, back office, gateway and acquiring bank combination. If your agency is using a pre-certified combination then it will save time in deployment having to certify before launch.

How to protect payment data

For EMV, there are three main categories of specification and testing areas for protecting payment data which is useful to be aware of:

1. PCI DSS (Data Security Standard) is the global repository of requirements and procedures to provide guidelines that applies to all entities involved in the payment processing (merchants or transit operators, processors, acquirers, issuers and any services providers (hosting, networking)). The requirements address data protection but also information systems monitoring, staff skills and access restriction and regular checks.
2. PCI PTS (PIN Transaction Security) requirements focus on the protection of the cardholder PIN. Even if the PIN is not used with the validation device (transit access terminal), these requirements included in the implementation can ease the PCI DSS assessment. This is handled by the vendor of the validation units.
3. P2PE (Point-to-point encryption) provides a set of requirements to secure the cardholder data transmission between the payment terminal and the payment acquiring system thanks to cryptography.

This makes the transmitted data unreadable if stolen. This encryption requires security keys and strong management processes. 

Keeping PCI certification

PCI certification is not a one-time event. Public transit agencies must take the following steps to ensure ongoing PCI compliance:

1. Conduct annual PCI compliance assessments: Agencies must conduct an annual assessment to ensure that their open payments system meets the latest PCI DSS requirements.
2. Complete a self-assessment questionnaire: The PCI Security Standards Council provides a self-assessment questionnaire that agencies must complete every year.
3. Perform penetration testing: Agencies must conduct a penetration test every year to ensure that their open payments system is secure against attacks.
4. Maintain documentation: Agencies must maintain documentation of their PCI compliance efforts and be prepared to provide evidence of compliance upon request.

PCI DSS Chain of Custody Overview

Chain of custody refers to the process of maintaining a clear and documented record of the custody, control, transfer, and location of assets or data. In the case of open payments for public transport validators (transit access terminal), this typically involves keeping a detailed record of the delivery of transit terminals (validation devices).

This section provides an overview but you would need a comprehensive view on this when installing and running an Open Payments solution (please speak to Masabi for more information). For example, we do not cover validator disposal below.

Here are some of the chain of custody rules related to the certification, storage, and installation of validation units for open payments in public transport:

Certification:

• The certification process should include testing of the hardware, software, and communication protocols used in the payment system. (Level 1, 2 and 3)
• The certification process should also include testing of the tamper-evident features of the validation units to ensure they can detect and prevent unauthorized access or manipulation.

Storage:

• The validation units must be stored in a secure and controlled environment to prevent unauthorized access, damage, or tampering.
• The storage area should be monitored and controlled to ensure only authorized personnel have access to the units.
• The storage area should have appropriate environmental controls to prevent damage to the units from factors such as temperature, humidity, or exposure to light.

Installation:

• The installation of the validation units must be carried out by trained and authorized personnel.
• The installation process should include verification that the units have not been tampered with or damaged during storage or transportation.
• The installation process should include testing of the communication links between the validation units and other components of the payment system to ensure they are functioning correctly.
• The installation process should be documented and reviewed to ensure compliance with relevant chain of custody rules and best practices.

In summary, the chain of custody rules for open payments in public transport validators involves ensuring the integrity and security of the payment process through certification, secure storage, and proper installation of the validation units.

Open Payments and Compliance - Made Easy

Masabi specializes in providing Open Payment systems for public transit agencies through our shared platform, Justride. 

We help make the launch of Open Payment systems easy by providing certified validators and have extensive experience with Level 3 certification. Level 3 certification is the highest level of certification for Open Payment systems, and requires extensive testing and verification of the payment system.

By completing level 3 certification multiple times, Masabi has demonstrated its expertise and knowledge in Open Payments and can provide valuable insights and guidance to transit agencies. Masabi is PCI DSS certified and also has extensive experience in this area as well.

This experience can help to take the burden off you, as you can rely on Masabi's expertise to navigate the process of launching an open payment system. 

Masabi can provide you with guidance on everything from choosing the right payment methods to training staff on how to use the payment equipment and manage compliance.

So there you have it, folks! 

By obtaining PCI certification and following best practices when deploying Open Payments systems, we can ensure the security of our customers' financial data while also providing them with a more convenient and efficient way to pay for their transit fare. 

Want to learn more? We have an Open Payments + brochure available here.

Happy travels!

Demo Open payments

If you're interested in learning more, our team of experts can provide valuable insights into Open Payments and help you understand how its implementation could look for your organization.

Contact our team for a demo.

Further reading:

• 10 questions to ask before implementing an Open Payments contactless ticketing system for public transport
• Everything You Need to Know About Open Payments for Public Transit
• Use Whatever Is in Your Pocket as Your Ticket to Ride
• Do Shared Fare Collection Platforms With Continuous Updates Herald The 'End of Obsolescence'?