Vision 2020 Webinar

Watch OSPT Alliance's Vision 2020 webinar to hear subject matter experts discuss the association’s strategic scope expansion, highlight the major areas of technical focus for the coming year and introduce its newest membership category along with an explanation of what this means for the wider transit industry.

The future of transport ticketing systems: a technical introduction to CIPURSE™

Watch OSPT Alliance's technical webinar entitled, 'The future of transport ticketing systems: a technical introduction to CIPURSE™'. The session details how an open standard ecosystem can be achieved by upgrading (and not replacing!) an existing ticketing infrastructure.

The webinar offers a technical insight into:

  • The key features of the CIPURSE standard
  • How the technology can support business requirements
  • How implementers can integrate CIPURSE products into existing systems
  • Considerations when developing an integration roadmap

CIPURSE Mobile Technical Webinar for SIM, eSIM and eSE implementations

Watch OSPT Alliance's latest webinar entitled, 'CIPURSE Mobile Technical Webinar for SIM, eSIM and eSE implementations.’

The session focuses on introducing the key features of the CIPURSE Mobile Guidelines and Optional Features Specification.

The webinar specifically provides an insight into:

  • The major features of CIPURSE Mobile.
  • Core characteristics of the CIPURSE applet.
  • How it leverages major open industry standards such as GlobalPlatform and ETSI.
  • How it facilitates multi-application implementations.

See more

If you have any questions regarding the content of this webinar, please view the supporting Q&As below. If you still have a question or would like to share feedback on the webinar, please contact media@osptalliance.org and a member of the OSPT Alliance webinar team will address your message as soon as possible.

1. What is the performance speed for a transaction using the Java CIPURSE applet?

The performance of a CIPURSE™ Java Card applet depends on the implementation choices of both the Java Card platform and the CIPURSE applet.  For example, a CIPURSE Server Crypto API providing a performance-optimized implementation of CIPURSE cryptography in native code significantly improves the transaction time of a Java Card.

As performance is a key decision criterion during product selection the OSPT Alliance certification process contains performance tests during the CIPURSE Certification. Vendors can provide these results as part of the certification test report.

2. Can you send us the CIPURSE applet to start testing it?

Applets are commercial products. OSPT as a standardization body does not sell commercial products. However, many of our members use CIPURSE™ applets in their GP based card or SE products. We recommend that you check with them if they provide the applet commercially independent of the HW. You can find a full list of members and the list of CIPURSE™ certified products including some GP products on our website.

3. Will you do end to end testing?

The OSPT Alliance has the objective of certifying the CIPURSE™ ‘Card’ products, including the Mobile phone based CIPURSE implementations using card emulation mode, as well as the CIPURSE command set and cryptography implemented by terminals interacting with CIPURSE cards. The Certification Working Group is currently working on delivering the type of test cases for CIPURSE terminal certification that approve conformance with the CIPURSE specifications and interoperability with CIPURSE certified card products. This activity includes conformance of messages created by a TSM service using the CIPURSE Optional Features to personalize and administrate a CIPURSE application.

4. Is IOS supported?

As per our knowledge, Apple uses an eSE with mostly standard functionality for their NFC enabled phones. As we have discussed on the webinar, CIPURSE™ Mobile uses functionality defined by GlobalPlatform and ETSI. Thus, CIPURSE Mobile should be compatible to Apple’s NFC enabled phones. Please note that Apple is gating the access to the NFC functionality and the eSE and so far has only enabled its proprietary payment scheme for ApplePay.

5. Is CIPURSE compatible with HCE technology?

Yes, CIPURSE is fully compatible with HCE technology. To find out more, we recommend that you download our HCE white paper and view our HCE webinar.

6. What kernel or implementation is needed on the payment reader side to work with CIPURSE mobile? Which brands have implemented CIPURSE on their reader?

The CIPURSE™ specifications define different file types, the possible operations on those files, and a security architecture for fine grain access rule configuration. It is up to the application developer to define and configure the application’s file structure and implement the respective transaction path. In that sense a systems integrator that is proposing a solution based on CIPURSE should define its own file structure, the security rules and the sequences of commands covering its use case and security needs.

Even though OSPT Alliance is in permanent contact with reader manufacturers and system integrators implementing CIPURSE into their products, we are unfortunately not allowed to communicate about the companies and products that have implemented the CIPURSE technology, excepted when the company has officially indicated that the OSPT Alliance can do it.

7. Is the flow of a transaction setup in a CIPURSE reader something that is still under development or is this a standardized transaction flow available now? 

The OSPT Alliance doesn’t currently provide any application file structures or transaction paths. As this question has been raised several times already, OSPT Alliance is investigating the need for guidance on frequently requested functionality such as a common personalization template and corresponding transaction path for a number of used cases like transport, access control or event ticketing. Companies interested in such use cases are welcome to join the OSPT Alliance as a member for the further elaboration of these use cases.

8. What must a Service Provider do to set up an application based on CIPURSE?

There are several steps that a service provider must

  • Identify and align with the TSM(s) to get a CIPURSE application on the target platform(s)
  • Provide the desired Application Dedicated File or ADF file structure with an ADF specific transport key
  • Enable own infrastructure to
    • identify ADF with transport key
    • finalize such ADF to act as proper application
    • provide necessary account data to back office for further processing
    • use application like a standalone card
  • Optionally define and implement wallet application for added value services via internet.

9. How many types of phone can support CIPURSE?

Any NFC phone with eSE and/or UICC with SWP interface can support CIPURSE Mobile functionality as presented today.

10. What is the position with regards to certifying CIPURSE mobile?

The OSPT Alliance Certification Working Group is working on a new test plan v1.08 to certify compliance of UICC/eSE products with the Optional Features dedicated to CIPURSE Mobile as presented today, namely the remote management functionality and event handling support.

11. Could you be more specific about which aspects of CIPURSE mobile are mandatory and which are optional?

CIPURSE mobile guideline gives recommendations on how to integrate CIPURSE in a mobile infrastructure. Optional features offer an interoperable set of functionality to enable typical use cases in such infrastructure. It is up to the UICC/eSE implementer to implement and certify part of or all optional features. The core CIPURSE functionality as described in the CIPURSE profiles specifications is mandatory and has to be certified.

12. Can CIPURSE Mobile be used for applications other than transport ticketing?

Definitively yes. CIPURSE can be used in many applications such as loyalty, facility access, micro-payment, and event ticketing. The beauty of CIPURSE is that the application code needs to be loaded only once and can then be used to create several of these applications in the same devices with minimum memory footprint.

For example, you can have your transport ticketing application loaded and later on use your mobile internet connection to securely add a loyalty application at your local coffee shop, followed by a micro purse to pay for car parking, and a ticket for the next Jazz festival in your city. All these applications can coexist in the same UICC/eSE using the same code.

13. Are there further development efforts going on in OSPT Alliance on mobile? If so, what kind of changes can we expect?

The specifications related to CIPURSE mobile are published and are in maintenance mode now. This means we constantly monitor the compliance of new products with the specifications and, if needed, add clarifications to the specification in the form of errata and precision lists.

The members of the OSPT Alliance working groups are also monitoring the technology advances in the market and can propose new functionality to be standardized.

14. I'm interested in implementing CIPURSE on wearables – can you tell me which aspects of the Mobile Guidelines are relevant?

If your wearable does not have a network connection, it should implement one of the CIPURSE Profile specifications. If it is connected and supports GlobalPlatform and ETSI functionality for remote administration, the Optional Features specification can apply as well.

15. You spoke about implementing the applet on a SE. Is there any means of implementing CIPURSE mobile without involving the SE?

OSPT Alliance has published a white paper called “HCE Synergy with Public Transport”. It describes various implementation alternatives for CIPURSE using HCE, their benefits and risks. The white paper is available from the OSPT Alliance web site.

16. Concerning concurrent access to ISO and SWP: isn’t this dependent on the hardware and operating system?

An eSE or UICC that supports SWP besides its traditional ISO/IEC7816-3 interface faces the problem that at the same time where e.g. an OTA operation is sending an APDU to the device, a contactless terminal may also send a further APDU via NFC controller to the SWP interface. To avoid data loss, the chip hardware must be built such that it can receive both APDUs simultaneously. The operating system needs to support this by setting up the chip hardware properly and providing different buffers for the different I/O interfaces.

Once received, these APDUs need to be processed by the respective application they were sent to. A Java Card Classic application can switch context between invocations to “process()” method, which means that the APDUs received in parallel will be executed sequentially.

If the APDUs ARE sent to different applications without common data, the order of execution is less important. If, however, the same application is addressed via the two physical interfaces, this application needs to take measures to avoid data inconsistencies.

The TWG of the OSPT Alliance is currently defining the behavior of applications in case of concurrent access over multiple interfaces.

Open Standards in Fare Collection: An Introduction to OSPT Alliance and CIPURSE

Watch OSPT Alliance’s latest webinar titled, 'Open Standards in Fare Collection: An Introduction to OSPT Alliance and CIPURSE'.

The webinar explored the importance of open standards and why they are needed for fare collection in the transport ecosystem such as the CIPURSE use in the city of Perm

The webinar specifically provides an insight into:

  • The importance of open standards.
  • OSPT Alliance and the CIPURSE open standard. Including an overview of the benefits that the alliance brings to the industry.
  • The need for a CIPURSE certification program and the value it brings to transport authorities and public transport operators when developing fare collection solutions.
  • Why CIPURSE was chosen for Prokart’s Odin Billet project, and the benefits and next steps for the project.

CIPURSE Mobile: Supporting NFC Services Beyond Payment

Watch OSPT Alliance's latest webinar titled, 'CIPURSE Mobile: Supporting NFC Services Beyond Payment'.

The session focuses on how services such as ticketing, loyalty and couponing are the real drivers of near field communication (NFC) technology.

The webinar specifically provides an insight into:

  • The important role services beyond payments – such as ticketing, loyalty and couponing – have in driving the adoption of NFC technology.
  • Why OSPT Alliance is committed to supporting the implementation of open standards as part of a NFC mobile solution, and the adoption barriers CIPURSE addresses.
  • The functionality of CIPURSE technology when implemented on a NFC-enabled mobile device.

See more

If you have any questions regarding, please view the supporting Q&As below. If you still have a question or would like to share feedback on the webinar, please contact media@osptalliance.org and a member of the OSPT Alliance webinar team will address your message as soon as possible.

1. If my understanding is correct, there must be an agreement between the MNO and the transport operators?

During its webinar, OSPT Alliance presented the CIPURSE Mobile SIM-centric and embedded secure element (SE) approach where it is crucial that there is an agreement between the transport operator and the owner of the SE. Nevertheless, CIPURSE activities today also include host card emulation (HCE) implementations where a new scope of business model is possible.

Today, there are many options available for HCE implementations with CIPURSE; some of which do not require an agreement between the MNO and the transport operators. OSPT Alliance members are currently working on several such scenarios and are welcoming all stakeholders to participate. Furthermore, OSPT Alliance’s HCE Sub-Working Group is currently developing a white paper, which will report on this matter.

2. What about CIPURSE implementation on HCE smartphones without UICC/eSE?

There are many options available for HCE implementations with CIPURSE; some of which do not require a UICC/eSE. OSPT Alliance members are currently working on several such scenarios and are inviting all stakeholders to participate. Furthermore, OSPT Alliance’s HCE Sub-Working Group is currently developing a white paper, which will report on this matter. The paper will provide an insight into HCE implementations, such as:

  • Pure HCE without an SE
  • Online HCE with the SE being in a remote location such as the cloud
  • Account-based solutions with backend processing
  • Tokenisation approach allowing offline support

3. Are there any certified HCE implementations for Android?

Today, there are no certified HCE products. OSPT Alliance has recently created an HCE Sub-Working Group, which aims to analyse the functionality, security, availability and performance of HCE, along with the potential implications on their use in applications, within transport, ticketing and value added services.

In parallel, in 2016, the OSPT Alliance Certification Working Group is developing a test strategy to certify HCE CIPURSE products.

4. Is the CIPURSE wallet in direct competition with the Apple Applet or can it integrate the Apple wallet?

CIPURSE is not a wallet, it is an applet. It has been developed so that it can support any kind of wallet currently available in the market, as long as the handset and the wallet are able to support additional functionalities.

CIPURSE Mobile is the right choice to enhance existing solutions beyond payment.

5. What is the impact for terminal vendors? Is there a specific certification to support CIPURSE such as EMV Type Approval?

OSPT Alliance has not yet published a specification relating to CIPURSE readers. The work efforts of OSPT Alliance are driven by its membership and today, its members do not see a need for this specification.

The association has published a SAM Specification, however, that is used on the reader. Today, OSPT Alliance has not set up a certification program for the reader of the SAM. OSPT Alliance is keen to encourage companies involved in the reader ecosystem to become members of the association; by joining as a Full Member, companies are able to outline the requirements for a reader specification and related certification program.

To find out more about becoming a member of OSPT Alliance, please visit the membership pages.

6. Is SAM the only method to implement CIPURSE on a terminal? Can it be developed using a purely software approach?

The main objective of the SAM is to provide a secure environment in which to store, diversify and generate keys.

The SAM can also be used by the terminal to easily develop a solution that addresses the CIPURSE card. When transporting a key from a person to the terminal (as is explained in the OSPT Alliance key management guide, which is available on the OSPT Alliance member website), if an application has the same level of security, it can be implemented on a purely software approach; the SAM offers the main way to secure the keys today.

7. Are the CIPURSE event ticketing details available on the OSPT website?

The event ticketing use case discussed during the webinar forms part of the CIPURSE Mobile Guidelines, which have recently been released by OSPT Alliance to its membership. 

The event ticketing use case is part of the CIPURSE Mobile Guidelines, which we have recently released. Interested persons can read the document and what we have defined for the event ticketing. It should also give you the reasons why you should join OSPT Alliance and support the CIPURSE mobile activity

8. Is there some plan to detail key diversification for card / SAM system?

OSPT Alliance has published a set of specifications, which provide guidelines and use cases related to the key management using SAMs:

  • The CIPURSE V2 Key Management Guide outlines a number of  security requirements applicable for systems based on CIPURSE products.
  • The CIPURSE V2 SAM Use Cases document describes the most common use cases of various CIPURSE SAM types.
  • CIPURSE V2 SAM Specification defines  the interface  of  a  CIPURSE SAM that provides  a  terminal  with  all  of  the  cryptographic services  required  to  securely  communicate with CIPURSE V2 cards.

Each of these documents are available to view on the OSPT Alliance member website.

The OSPT Alliance SAM Sub-Working Group is developing a new version of the CIPURSE V2 SAM Specification, which will be available in 2016. The group is also updating the CIPUURSE V2 SAM Use Cases document to provide new and enhanced use cases.

9. What are the KEY differentiators compared to technologies already deployed and having the same value proposition as CIPURSE?

CIPURSE Mobile is an open solution that can be implemented on any NFC-UICC, embedded secure element and HCE concept. CIPURSE does not differentiate on license models for the various business models for the secure element and furthermore doesn’t need a specific hardware IP on the secure element. CIPURSE Mobile uses standardized protocols for the management of the secure element in the field.

CIPURSE provides five key features, when compared to similar technologies:

  1. Security.
    CIPURSE's advanced security mechanisms include a unique cryptographic protocol that encourages fast and efficient implementations. The protocol provides robust, inherent protection against differential power analysis and differential fault analysis.

  2. Flexibility.
    CIPURSE builds upon existing proven open standards:

    • ISO 7816-4 for commands and file structure
    • ISO 14443 for the RF communication
    • Advanced Encryption Standard for state-of-the-art security
    It provides a platform for securing both new and legacy applications and has the potential to be used within existing application frameworks around the world.

  3. Scalability.
    CIPURSE is ONE hardware independent specification, which allows the implementation of different types of products based on profiles already defined within the CIPURSE Specification. It can be implemented just once into an existing infrastructure, thereby providing different profiles for different purposes; whether it is for limited use, mono-application / close-loop or high-end / multi-applications purposes.

  4. Open.
    The CIPURSE Specification is available to everyone

    • As an open standard, every interested party can implement its products based on CIPURSE.
    • Consequently, CIPURSE promotes vendor neutrality and cross-vendor system interoperability. This results in lower technology adoption risks and improved market responsiveness.

  5. Multi-application.
    A recent but notable addition to the standard is the Multiple Proximity System Environment (PxSE). PxSE offers efficient application identification and selection in contactless access control environments. Within a multiple-application ecosystem, PxSE will improve product performance and optimize times on entering a transit network, event or building.

10. Do you think CIPURSE will be successful in a country that accepts contactless payment cards as part of its ticketing offering?

Yes, CIPURSE will support the use of contactless payment cards by adding services beyond payment for the user’s convenience. 

While accepting EMV contactless payments cards is obviously attractive to operators because of back office savings, it cannot completely replace operator specific ticketing solutions. There will always be passengers who prefer not to use contactless payments cards for transit, for a variety of reasons such as security and privacy concerns, poor user experience from card clash and concerns about direct access to bank accounts. Operators risk these customers falling back to using cash if there is not an operator specific ticketing solution available, adding cost to both operators and customers. In addition, by depending entirely on contactless payment cards, operators lose both control and the benefit of the data generated from ticketing. CIPURSE should therefore be viewed as:

  1. Complimentary to contactless payments cards and
  2. As a superior alternative to proprietary automated fare collection solutions because of its open nature, which encourages scalability and flexibility within the market place, and consequently promotes vendor neutrality and cross-vendor system interoperability.


The CIPURSE open standard for HCE-based ticketing solutions

Watch OSPT Alliance's latest webinar titled, ‘The CIPURSE open standard for HCE-based ticketing solutions'.

The session examines the structural constraints public transport imposes on HCE technology and how these impact the approach taken to its implementation, the value it can bring to transport ticketing and how CIPURSE™ can enhance openness and security and protect investment through adherence to standards and multi-platform compatibility. The webinar specifically provides an insight into:

  • The value of HCE technology in transport ticketing and the need for open standards
  • Details of how HCE can be implemented with CIPURSE™ and recommendations about the most effective approach
  • Future developments for CIPURSE HCE usability, including event ticketing and mobile wallet

A pdf version of the webinar slides is available here.