ORGANIZATIONAL

Who is OSPT Alliance?

OSPT Alliance is the global, non-profit industry association that enables the future of mobility services across markets including transport ticketing, ID, access control, loyalty and micro-payment.

The organization is driven by over 100 global members who share the common goal of developing and advancing OSPT Alliance’s CIPURSE™ Specification; an open, non-proprietary standard which offers an advanced foundation for developing highly secure, interoperable and flexible mobility solutions across multiple use cases.

OSPT Alliance provides industry education, creates workgroup opportunities and catalyzes the development and adoption of innovative mobility technologies, applications and services.

OSPT Alliance membership is open to all mobility stakeholders including, technology providers, transit operators, consultants, solution vendors, government agencies, reader and terminal manufacturers and system integrators.

Who owns OSPT Alliance?

As a not-for-profit association, OSPT Alliance is not owned by any single entity or company. It is run by a Board of Directors, which comprises representatives from Full Member companies. These include founding members Infineon Technologies and IDEMIA, along with Full Members Americaneagle.com and Rambus.

The Board defines and maintains the association’s bylaws; it shapes the strategic direction of the association and works alongside over 100 member companies to advance and evolve the CIPURSE Specification.

What does ‘OSPT’ stand for?

The ‘OSPT’ acronym stands for the ‘Open Standard for Public Transport’. OSPT Alliance was established in 2010 with the objective to ‘provide the standard for secure transit fare collection solutions’. Transport remains at the heart of the organization, but it has since expanded its remit to support a number of adjacent industries and the delivery of secure transaction applications including ID and access control.

Who can join OSPT Alliance?

OSPT Alliance membership is available to all stakeholders operating within the mobility services sector, including technology providers, chip manufacturers, card manufacturers, system integrators, solution providers, software developers, hardware manufacturers, consultants, government agencies and transit operators.

The association offers three levels of membership, along with an Evaluator category.

  • Full membership (€5,000 annual fees) – available to component providers (such as smart cards, smart devices, app-specific operating software and reader devices) and chip manufacturers. This level of membership is necessary if you plan to develop and certify commercial products based on CIPURSE, plan to contribute to its development or plan to use the CIPURSE logo on products / services.
  • Affiliate membership (€1,000 annual fees) – available to all reader and terminal manufacturers, and system integrators. This level of membership is only available to those who plan to develop commercial products at the transmitting level.
  • Associate membership (no fee) – available exclusively to transit agencies, consultants, and not-for-profit organizations such as industry associations, universities and research institutions with an interest in the fields where standards defined by OSPT Alliance can be used. This level of membership is not available to solution or service providers.
  • Evaluator (no fee) – available to any vendor interested in downloading the CIPURSE Specification free of charge and evaluating its suitability for their product / service. This level of membership only enables the specification to be reviewed; if an evaluator deems CIPURSE to be relevant, they must upgrade to Full Membership before implementing solutions based on the standard.

Visit ‘Member Benefits’ for further details and how to join.

Does OSPT Alliance focus on transportation or MaaS solutions?

Both. The transportation industry is in a period of significant evolution. With expanding consumer demands and a number of new technologies to consider, PTOs and PTAs are under more pressure than ever to balance cost constraints with innovation and the integration of new services. In this age of complexity, supporting this ecosystem remains a core focus of the association.

However, this complexity is also resulting in a convergence of transport with mobility services – what’s commonly known as the mobility-as-a-service (MaaS) industry. OSPT Alliance has recognized the value that open standards and an open approach can bring to the adjacent and converging ecosystems within this space. As a result, OSPT Alliance is also supporting MaaS solutions across industries including ID, loyalty, access control and payment.

Today, OSPT Alliance’s non-proprietary CIPURSE Specification is already deployed across sectors including ID, transport ticketing and access control.

Is OSPT Alliance a global association?

Yes. In October 2019, OSPT Alliance’s membership surpassed 100 member companies globally. Its members represent a range of players from countries including Austria, Brazil, China, Ecuador, France, Germany, Mexico, North America, Peru, Sweden, Switzerland, Turkey and Vietnam.

Today, CIPURSE is deployed across a range of projects internationally across regions including Latin America and Korea.

Additionally, OSPT Alliance hosts face-to-face meetings and workshops worldwide to ensure feedback on market requirements and updates are shared in person, and its international members have a platform to connect. This is also reflected internally by the association’s region-specific working groups. The North American and Latin American Sub-Working Groups are driven by local member representatives to ensure market interests, requirements and challenges are directly fed back into the organization’s strategy and working group efforts.

How does OSPT Alliance work with other associations in the industry?

OSPT Alliance’s vision is to support the creation of a standardized, secure and open platform for transport and mobility service solutions that bring benefits to all stakeholders in the value chain. This vision can only be achieved with the collaborative efforts of numerous global associations all working to formulate and publish their needs. Sharing knowledge is a core principle of any standardization body and, as such, collaboration should always champion over competition.

OSPT Alliance is proud to include associations such as the American Public Transport Association, ITSO and the Secure Technology Alliance amongst its membership.

TECHNICAL

What is CIPURSE?

CIPURSE is the open, non-proprietary specification that is developed and advanced by OSPT Alliance.

CIPURSE is built on industry proven standards including ISO/IEC 7816-4, AES-128 and ISO/IEC 14443. It is fully form factor agnostic and supports media including contactless cards, mobile and wearables, whether using a secure element or HCE.

Crucially, CIPURSE is independent from both hardware and software providers. It promotes vendor neutrality and cross-vendor system interoperability, which results in lower technology adoption risks and improved market responsiveness, competition and innovation.

As a non-proprietary specification that utilizes industry standards, CIPURSE is compatible with existing infrastructures. This foundation also means the standards are easily scalable and flexible enough to meet the needs of any application and infrastructure regionally, nationally or globally.

What makes CIPURSE an ‘open standard’?

The CIPURSE Specifications are developed collaboratively by the OSPT Alliance membership, representing stakeholders from the entire MaaS value chain. OSPT Alliance membership is open to all industry stakeholders without exception; members come together to discuss and evaluate current industry challenges, which in turn help shape the development and future evolution of the CIPURSE Specifications.

What activity is OSPT Alliance progressing in relation to HCE?

OSPT Alliance has an established HCE Sub-Working Group which focuses on creating new opportunities for mobility solutions through leveraging HCE technologies. A key focus for the working group has been the creation of a dedicated HCE Specification which is in the final stages of development.

Additionally, OSPT Alliance has published a white paper ‘HCE Synergies with Public Transport’, which explains how CIPURSE can be implemented on HCE, demonstrates how CIPURSE can mitigate security risks associated with HCE and provides implementation examples.

To find out more about OSPT Alliance’s HCE activity, view the Proof-of-Concept video.

What role does CIPURSE play in account-based ticketing (ABT) solutions?

CIPURSE Specifications can support the implementation of both stored-value and ABT-based solutions.

Pure ABT solutions can be greatly enhanced by what’s known as the ‘Customer Convenience Register’ (CCR), a pre-existing stored value functionality already included in the CIPURSE Specifications. It enables PTOs to effectively overcome some of the key challenges associated with launching ABT solutions, such as connectivity speeds, throughput and fraud.

A CCR is event status information written to the card or fare media that helps entrance devices, such as fare gate readers, quickly and effectively determine whether to grant the passenger access.

OSPT Alliance has developed an eBook, which explores the benefits of implementing ABT functionality, the CCR, and why adopting a non-proprietary open standard such as CIPURSE is essential to ensuring implementations are cost-effective and realize their full potential.

What is the CIPURSE certification program?

The CIPURSE certification program provides mobility service stakeholders with confidence that the products they choose to integrate into their solutions are interoperable and compatible with existing systems based on CIPURSE.

The program utilizes a third-party testing house to ensure all testing is independent and performed by a specialist in functional testing.

Once a product is approved and certified to CIPURSE, it will be included on the Certified Products page of the OSPT Alliance website and the product can be freely labelled as ‘CIPURSE Certified’. Any company wishing to commercialize products utilizing the specification must receive formal certification.

For further details on the program, visit the Certified Products page.

What is the difference between the different CIPURSE Profiles?

CIPURSE supports a whole range of use cases, with differing levels of security, data storage, complexity and cost requirements. The Specifications have defined this broad scope of functionalities within one documentation set, dividing the levels of complexity with three profiles: L, S and T.

  • CIPURSE L Profile – This is a limited use ticket profile. It has just one application available, with a subset of functionalities and a reduced file system. L Profile is used mainly for more cost-sensitive products.
  • CIPURSE S Profile – This is a multi-application profile with applications loaded at the time of issuance and support for post-issuance personalization. It has more space to store data, greater functionality, and several pre-defined functions to choose from.
  • CIPURSE T Profile – This includes all the functionalities described in the Specifications, such as the consistent transaction mechanism. It is a multi-application profile with transaction support and post-issuance application download and personalization. T Profile is used for more complex applications, especially those envisioning the roll out of additional services or upgrades longer term.

For each profile, the minimum number of applications, files and data supported, is defined. So, with this, we have an assurance that any personalization that follows these limitations can be loaded on to products from different suppliers. This also ensures migration, expansion and adding new functionalities to products is dramatically simplified.

What are the security credentials of CIPURSE?

CIPURSE is built on industry-proven standards including ISO/IEC 7816-4, AES-128 and ISO/IEC 14443, that are already adding trust to the world’s most popular payments types and identification documents such as passports. AES-128 is the leading symmetric cryptographic algorithm and is recommended by the National Institute of Standards & Technology (NIST) and British Standards Institution (BSI). Embedded in the CIPURSE Crypto Protocol, this AES protection means solutions will be inherently secured against DPA and DFA attacks.

Utilizing open standards builds trust between those delivering the solution as well as between the provider and end-user. As a member-driven association, OSPT Alliance receives input from a wide cross-section of industry players on the security level that its specifications need to offer to meet the specific requirements of different vertical markets. It also delivers privacy and patent protection, ensuring solutions avoid IP challenges.

How flexible is CIPURSE?

CIPURSE offers great flexibility in several areas. It is easily configurable, with a broad set of pre-defined functions to pick and choose from. This enables project stakeholders to define a solution tailored to its unique needs, all without compromising interoperability. An open standards platform also ensures solutions are more easily upgraded and scaled in the future, empowering solution owners to remain agile and responsive.

The scope of CIPURSE is wide, and it has been able to form the basis of a variety of applications across verticals including transport ticketing, ID solutions and multi-application city cards. In addition to multi-application support, another benefit of CIPURSE is its fully configurable access conditions. This enables multiple stakeholders to process their data on one solution without compromising access to restricted or sensitive data.

CIPURSE for ID solutions

CIPURSE™ is widely considered as the open standard for transport ticketing, but its scope extends far beyond, including identity. In fact, it has gained significant traction for ID globally, and has already been chosen for a number of projects, including Brazil’s driving licence card, securing the data of 66 million drivers. In recent years, other Brazilian states have also started pilot projects for citizen cards using CIPURSE.

What ID applications can be developed on CIPURSE?

CIPURSE is a truly flexible standard. It can be used for citizen cards, regional cards, state and city implementations; it can be used for applications covering anything from public transport and health cards, micro-payments, loyalty, and access control.

How can CIPURSE benefit agencies developing ID solutions?

CIPURSE is hardware and software agnostic, removing the risk of vendor lock-in. This provides an invaluable level of independence to government and associated agencies, who are often required to manage numerous stakeholders under one solution. This also empowers agencies to select the vendor, products and technologies that best meet budgetary and strategic needs.

Using CIPURSE ensures seamless interoperability across the entire ‘transaction’ network. Not to mention that managing, upgrading and scaling solutions is dramatically simplified. In addition, agencies can be reassured that solutions are also protected by OSPT Alliance’s patent pool, as the CIPURSE Specifications respect privacy management regulation.

What are the security credentials of CIPURSE for ID?

Agencies can feel confident embracing the benefits of open standards doesn’t mean they need to compromise on security. Security is central to the CIPURSE standard. It utilizes AES 128 cryptography – part of the encryption utilized by most passports – as well as proven smartcard standards including ISO 7816 and ISO/IEC 14443-4 that are widely used in major payments infrastructures.

What functionalities are built into CIPURSE, and how can these be utilized in ID solutions?

CIPURSE has a unique key management system that’s of real value to governments. Multiple applications can be added onto one solution and attributed keys for each. CIPURSE then allows players to separate access rights such as ‘read’ and ‘write’ for each data storage set within an application. In short – a simple and secure way for different authorities and agencies to intercommunicate while managing and protecting their designated application.

Take the Brazil driving licence as an example. The technology on the new card allows law enforcement officers to read the data on the card via an NFC smartphone app, in any location, and quickly coordinate with other agencies across related systems. CIPURSE’s flexibility means in the future, other parties such as banks, local public transportation and access solutions could also utilise fingerprint authentication on the card to grant access to other services.