Frequently Asked Questions

I. About the OSPT Alliance

1. What is the OSPT Alliance?
The OSPT Alliance is a vendor-neutral international association chartered to define an open technology standard for secure public transit fare collection solutions.

Its objective is to build a global ecosystem of transit operators, transit consultants and integrators, technology solution providers, and government agencies to stimulate the development and delivery of next-generation fare collection solutions. The OSPT Alliance develops and maintains CIPURSE™, an open security standard that addresses the need for future-proof fare collection systems with advanced security.
2. What does the OSPT Alliance provide to the transit industry?
The OSPT Alliance focuses on bringing open standards to transit fare collection systems and solutions. It creates a forum for defining and evolving the CIPURSE standard, provides development tools, and promotes global adoption of fare collection solutions based on open standards. The OSPT Alliance's work benefits all stakeholders in the transit ecosystem; open standards have repeatedly been proven to reduce operations costs, simplify migration, improve security, and increase industry competition, which benefits transit operators and agencies through interoperable, cost-competitive solutions.
3. Why is a new, open standard needed for transit?
Public transit systems worldwide are currently collecting fares using closed-loop system applications and smart cards. The majority of these collection systems rely on legacy technology that provides only a basic level of security. Because these systems and the newer payment technologies, multi-application cards, and near-field communication (NFC) phones are susceptible to compromise, there is a compelling need for more secure fare collection systems.

In addition, public transit authorities are under pressure to allow customers to use one ticket for different modes of transportation in different locations - even across different regions or countries.

By adopting solutions based on the CIPURSE standard, transit agencies can benefit from cost-effective, highly secure, flexible, scalable, and extensible fare collection systems and a rich ecosystem of interoperable solutions.

II. About Membership

1. Who can join the OSPT Alliance?
The Alliance welcomes technology vendors, transit operators, government agencies, systems integrators, mobile device manufacturers, trusted service operators, consultants, industry associations, and others wishing to participate in the organization's education, marketing, and technology development activities and to contribute their experience and creativity to ongoing development of the CIPURSE standard.
2. Who belongs to the OSPT Alliance?
For a complete list of current members, see http://www.osptalliance.org/members_current
3. Why should an organization join the OSPT Alliance?
Organizations that are involved in the OSPT Alliance have a time-to-market advantage in the development of products based on the CIPURSE standard. They also benefit from the organization's evangelism and marketing efforts and expand their network of contacts within the transit ecosystem.
4. How can an organization participate in the OSPT Alliance?
There are three types of affiliation with the OSPT Alliance.
  • Full membership is for companies that plan to develop commercial fare-collection products and services based on the CIPURSE standard. Members are eligible to purchase a CIPURSE software development kit (SDK)*.
  • Associate membership is for transit agencies, industry associations involved in transit, and universities and research institutions with an interest in public transportation. Members are eligible to purchase a CIPURSE software development kit (SDK)*.
  • Evaluators have access to the CIPURSE specification and are eligible to purchase a CIPURSE software development kit (SDK)*.
*Currently OSPT Alliance are offering a limited number of SDKs free of charge to members and evaluators – email media@osptalliance.org for further details
5. What does membership cost?
Full membership requires an annual membership fee of €5,000. There is no fee for becoming an associate member or evaluator. Evaluators and associate members can purchase the CIPURSE SDK for €600.
6. What benefits are provided at each level of membership?

Full members receive the following benefits:

  • Access to released specifications, as well as advanced access to draft specifications
  • Access to the SDK
  • An implementation license
  • Eligibility to participate in work groups
  • Eligibility to participate in user groups
  • Voting privileges
  • Eligibility to run for a Board seat
  • Invitations to participate in marketing activities
  • Use of the CIPURSE-certified logo
  • Use of the OSPT Alliance logo.

Associate members receive the following benefits:

  • Access to released specifications
  • Eligibility to purchase the SDK
  • Eligibility to participate in work groups
  • Eligibility to participate in user groups
  • Invitations to participate in marketing activities
  • Use of the OSPT Alliance logo.

Evaluators receive the following benefits:

  • Access to released specifications
  • Eligibility to purchase the SDK
7. What level of membership is required to sell a CIPURSE™- certified product?
Only full members of the Alliance are allowed to submit products for certification or sell CIPURSE-certified products. A full member certificate is required to initiate the certification process. In addition, only current members are permitted to mark products with the CIPURSE and OSPT trademarks, and only current members are allowed to leverage the Alliance's marketing activities.
8. What are members expected to contribute?
Full and associate members are expected to help promote the CIPURSE standard through speaking opportunities, internal development efforts, and by participating in Alliance events. They are encouraged to take part in the evolution of the standard by contributing new ideas, products, or business models.
9. How does the OSPT Alliance support its member organizations?
The Alliance offers member organizations support for development activities based on the CIPURSE standard, education, networking opportunities, and participation in key work groups. The Alliance has also created a third-party certification process for CIPURSE-based products.

Alliance activities include:
  • Defining, maintaining, and providing access to CIPURSE specifications
  • Defining intellectual property (IP) rules
  • Administering participation contracts.
10. What are the OSPT Alliance committees and work groups?
The Alliance currently has active marketing, technical and certification work groups. The marketing work group devises and executes external-facing strategies and programs designed to raise the Alliance's profile within the transit industry and the ecosystem that supports that industry. The technical work group focuses on developing and refining the CIPURSE standard. Various subgroups are created as needed to address specific technical issues. The certification work group defines the test strategy and maintains the Certification framework to certify the CIPURSE™ products.

III. About the CIPURSE Open Standard

1. What is the CIPURSE open standard?
The CIPURSE open standard provides an advanced technical foundation for developing highly secure, interoperable, and flexible transit fare-collection solutions. It is built on a foundation of proven standards, including ISO/IEC 7816, AES-128, ISO/IEC 14443-4 and ETSI TS 102 622. It is designed to:

  • Stimulate innovation and market opportunities for developers.
  • Support more secure, flexible design and deployment alternatives for transit system integrators and consultants.
  • Foster a broad range of cost-effective, interoperable transit fare-collection solutions.
2. What is unique about CIPURSE?
The CIPURSE standard includes a single, consistent set of security, personalization, administration and life cycle management functions for creating a broad range of interoperable transit applications. It provides three distinctive development profiles that support a range of solutions—from low- to high-end—and allow them to be introduced into a fare collection system at any time and used concurrently. Profiles include:

  • CIPURSE T: For microprocessor-based transactions using smart cards, mobile phones and similar devices like connected wearables, this profile is the best for implementing multi-applications media with transit fare products needed a complex fare structure
  • CIPURSE S: For applications or transit fare products which will require less data or having a value which require a lower cost solution
  • CIPURSE L: For applications which require few data or a limited use of the media, still with a high level of security.


A modular architecture enables development of future-proofed solutions that can be enhanced over time with new capabilities. As the first truly open standard, CIPURSE allows to migrate or upgrade proprietary legacy systems towards state of the art security based on open standards.  This gives the industry more flexible, cost-effective fare collection solutions.
3. How does CIPURSE benefit stakeholders in the mass transit market?
The CIPURSE open security standard promises to improve the performance and strengthen the security of public transit applications, as well as increase the availability of multiple sources for chip products.

CIPURSE is designed to address the need of local and regional transit authorities for future-proofed fare collection systems with better security than current systems. These systems will enable the public to use a single payment device—such as a standalone ticket, multi-application card, microSD card, or NFC mobile phone—seamlessly across multiple transportation modes in different regions and systems.
  • Integrators: CIPURSE provides a single set of standards for a broad range of products designed by a wide range of OS developers, reducing development costs, accelerating time to market and offering competitive advantage
  • Transit operators: CIPURSE fosters greater choice among a larger vendor ecosystem, driving more competitive costs and greater flexibility. CIPURSE also delivers the benefits of open standards, like Java Card and GlobalPlatform and simplifies support for mobile payments with smart phones, tablets and other smart devices. The vendors are able to create innovative functions and products.
  • Vendors: CIPURSE’s modular, device-agnostic design enables development of families of interoperable products with a wide range of functionality based on a single specification, and encourages innovative, more secure, interoperable transit fare collection solutions.
4. Can CIPURSE be used for applications other than transit ticketing and automated fare collection?
Due to its openness, Yes. CIPURSE is already in use for event ticketing and others as it is an ideal solution for applications such as door access, loyalty, open payments and health insurance. It also enables multi-applications on cards and on phones.
5. Why is CIPURSE significant?
The CIPURSE open standard provides a platform for securing both new and legacy transit fare collection applications and has the potential to be used within current application frameworks around the world. As an open standard, CIPURSE promotes cross-vendor system interoperability, lower technology adoption risks, higher quality, improved market responsiveness, and innovation—all of which result in lower operating costs and greater flexibility for transit system operators.
6. What variety of form factors does CIPURSE support?
The CIPURSE standard has been designed for application to a variety of form factors. It can be used with simple tokens, smart paper tickets, contactless smart cards, dual-interface smartcards, wearables and NFC-compliant mobile devices. CIPURSE makes it possible to address and expand to the low-end market (single-trip or limited-use tickets) more easily without sacrificing security or the ability to expand to other form factors in the future.
7. To adopt CIPURSE, must a transit agency start from scratch?
No. Because it is based on widely used and proven open standards and protocols, CIPURSE simplifies the cost and complexity of migrating from a proprietary or insecure transportation fare collection system. The standard on which CIPURSE is based, ISO 7816, has existed for many years and is widely supported by microcontroller cards. Standard commands such as Mutual Authenticate or Update Binary File ease integration into existing applications. Use of the ISO 14443-4 protocol layer enables re-use of current features while facilitating the integration of new functionality. AES128 is optimized for software integration and can be easily added, if necessary, to any reader firmware or background system. Infrastructure migration costs are minimized, since many of the necessary features (command code and AES) are already supported by many systems.
8. Will CIPURSE support Near Field Communication?
CIPURSE is form-factor independent and designed to be used in smart cards, NFC mobile phones, and other devices. Because CIPURSE defines only a minimum feature set, implementers are free to add functionality to their products as long as interoperability is unaffected. Adoption of CIPURSE by NFC-enabled devices, such as microSD cards, mobile phones, and other consumer electronics devices, is expected to be a major driver for CIPURSE.
9. How are CIPURSE-based solutions certified?
All truly open standards provide certification by an independent third party company in co-operation with the standardization body. Therefore, the OSPT Alliance has contracted with KEOLABS to provide certification services for CIPURSE products. More information about the CIPURSE certification program can be found at http://www.osptalliance.org/certification.
10. How will CIPURSE continue to evolve?
CIPURSE is intended to be a highly efficient, flexible, and secure standard for the transit market. OSPT encourages its members to participate in work groups to ensure that CIPURSE continues to evolve to meet the needs of the industry. For more information about OSPT working groups, see www.osptalliance.org/about_us/workgroups.
11. How can an organization obtain CIPURSE™ specification?
Organizations can read and evaluate the CIPURSE specification by obtaining a free Evaluator's license from the OSPT Alliance website. To download the specification, or to learn about OPST Alliance membership options, go to http://www.osptalliance.org/members/become_a_member.

IV. About Product Certification

1. Who conducts the CIPURSE certification process?
The OSPT Alliance has selected, through a tender process, KEOLABS (www.keolabs.com), a global provider of test and development solutions for the microelectronics industry. This third-party lab is in charge of independently testing product interoperability and compliance with the CIPURSE specification.
2. How do products get certified?
An OSPT-defined CIPURSE Certification Program document, available to members, describes the certification process without violating the confidentiality of any product certification. The document is available on the OSPT web site at www.osptalliance.org/certification.
3. What kinds of products can be certified?
Any CIPURSE product supporting a communication interface ISO 14443 Type A or Type B, ISO 7816 T=0 or T=1 or ETSI TS 102613 SWP Type A, Type B or Type C can be tested for certification.
4. How many samples are necessary to conduct the Certification?
The personalization phase of a CIPURSE™ product is specified by the OSPT Alliance and is part of the CIPURSE™ Certification, ensuring the interoperability of the personalisation on any CIPURSE™ product. Therefore the test suite is designed to personalize the CIPURSE™ product by itself depending on the test purpose, limiting the number of samples to be provided to the laboratory (5 samples if the product is erasable).
5. What is the average cost of obtaining a ‘CIPURSE™-Certified’ label?
The OSPT Alliance's intention is to make certification costs, which depend on the product options, as affordable as possible. The current pricings are available on the OSPT web site at www.osptalliance.org/certification.
6. Is it possible to conduct a ‘debug session’ before a CIPURSE product is certified?
Yes. KEOLABS conducts debug sessions. The debug session is not a component of the CIPURSE certification process and may entail additional costs. Ask your evaluating laboratory for details (www.keolabs.com).

V. How to License CIPURSE

1. What licenses and conditions are required to commercially deploy a CIPURSE-Certified product?
A company that wishes to implement the CIPURSE specification and offer CIPURSE products and services must be a member of the OSPT Alliance. It must also sign a standard license agreement with the OSPT IP Pool entity.
2. Do all vendors need to sign the license agreement?
Companies that develop and offer products based on the CIPURSE specification ("CIPURSE Products") must sign the license agreement. A license is required only once in the value chain of a CIPURSE product. Manufacturers of modules, cards or other sub-systems or systems purchasing CIPURSE Products and implementing them in such modules, cards or other sub-systems or systems do not need to sign a license agreement with the OSPT IP Pool, but must be members of the OSPT Alliance to access trademarks.
3. What is the OSPT IP Pool entity?
The OSPT Alliance has bundled intellectual property (IP) rights into a licensing company, the OSPT IP Pool. Bundling IP rights simplifies CIPURSE license issuance and helps ensure that the IP rights to CIPURSE are available to all members under fair, reasonable, and non-discriminatory conditions. The OSPT IP Pool offers to implementers of the CIPURSE specification a standard license agreement approved with the OSPT Alliance.
4. What are the licensing costs associated with commercializing a CIPURSE product?
In accordance with such standard license agreement, only royalties are to be paid. No upfront payment is requested. The applicable royalties are the lower of US$ .01, or two percent of each product’s commercial selling price, per CIPURSE product sold.

Up to 10,000 units of CIPURSE products per year are royalty-free. This makes it especially attractive for infrastructure providers to develop and offer CIPURSE-compatible systems.
5. Where does my company get more information about the licensing requirements?
Contact Till Hans, managing director of the OSPT IP Pool entity. He can be reached at info@ospt-ip-pool.com or +49 (89) 234-23559

VI. Miscellaneous Technical Questions

1. Which RF contactless protocol is required for CIPURSE products?
By default, the CIPURSE specification is RF agnostic, meaning it neither specifies a current RF protocol nor defines any new transmission protocol. Nevertheless, in order to test compliance with the CIPURSE specifications, one of the transmission protocols supported by the certification laboratory must be implemented.
2. Is there a CIPURSE reader specification? What are the minimum requirements for a terminal?
There is currently no CIPURSE specification for a reader. Systems integrators or terminal manufacturers must follow and understand the CIPURSE specification to support CIPURSE products. By default, any ISO 14443 Type A- or ISO 14443 Type B-compatible reader can be upgraded to support CIPURSE products easily. Note that CIPURSE security is built on AES cryptography and may require secure access module (SAM) support.
3. What kind of encryption algorithm is used with CIPURSE?
The CIPURSE specification employs an AES-128 algorithm, which uses a key length of 128 bits and reflects the current state of the art. The security concept was designed to be implemented in low-cost silicon; it employs an advanced authentication scheme that resists electronic attacks. AES-128-based card authentication can be performed off line, as an interaction between card and terminal, or on line, with a card issuer system. AES-128 reduces authentication times despite the use of longer and more secure encryption keys through its inherently fast processing speed.

CIPURSE security mechanisms include a unique cryptographic protocol that encourages fast and efficient implementation with robust protection against hacker assaults such as differential power analysis (DPA) and differential fault analysis (DFA) that have successfully defeated proprietary schemes such as CRYPTO1. Because the protocol is inherently resistant to attacks and does not require dedicated hardware measures, it eliminates the need to incorporate costly software and hardware countermeasures. This unique advantage makes it possible to guard against counterfeiting, cloning, eavesdropping, man-in-the-middle attacks, and other security risks that threaten the integrity of card-based AFC systems without incurring undue costs.
4. What kinds of data structures can be used with CIPURSE?
In general, data structures can include both binary and record-oriented data files (linear, linear value, cyclic).
5. Where can the specification for a transit application be obtained?
Transit applications are specified by transit operators. The OSPT Alliance does not specify actual transit applications but instead the CIPURSE standard serves as a foundation to develop transit applications.
6. What are the options for implementing the CIPURSE specification?
The CIPURSE specification can be implemented natively or as a JavaCard applet.
7. Do applications need to run on a specific hardware chip?
The CIPURSE specification can be implemented completely in software on any standard chipcard controller or NFC secure element.
8. Do I need to assign a specific AID to my CIPURSE™ based application?
On a CIPURSE™ product the transit applications for example can be personalized and selected using any AID value as specified by ISO/IEC 7816-5. An AID consists of a Registered Application Provider Identifier (RID) of 5 bytes followed by a Proprietary Application Identifier Extension (PIX) of up to 11 bytes. If required, this is up to the System Integrator or the Transport Organisation to request a RID according to ISO/IEC 7816-5 Registration Authority and to administer the related PIX values that will be used to differentiate the applications to be selected on the field.