Question
I was recently reading about automotive fare collection systems and came across loyalty card systems. In these systems, if I understood correctly, each passenger has a card in which a value, not money, is stored. Whenever the passenger uses his card, a reader decreases the stored value in the card, and the system administrator rewards the passenger according to his policy.
I was wondering if each of those devices that participate in the AFC (readers, cards, etc.) must conform to specific security standards, and I do not mean the crypto algorithms.
To be more specific, I would like to know if, for example, I develop a Mifare NFC reader in order to sell it, does it need to have a security certification or something like that? Does anything have to do that if the transaction values are used instead of money?
Any info will help.
Explanation / Answer
If you want to build and sell a product similar to this loyalty card item, there is strictly no legal need for a certification of any kind.
However, if you want to sell it, you need a buyer, and a good buyer will compare different sellers before actually buying. And if:
On one hand, the buyer encounters a seller telling him that his product has been officially certified by some well-known independent organism guaranteeing that his own "loyal" customers will have no easy way to fraudulently add some credit to their card,
On the other hand, you come and say that your card has not been certified, but it is cheaper or has any other advantage you may think about.
Then you should understand that certification quickly becomes more a marketing issue than an actual security or legal one. The certification requirement will therefore depend on the market and usage you target for your card.