Security of payment transactions

24 / 03 / 2025

Initially published in the French magazine TEC, an ATEC ITS publication in 2024, this article by Fabrice Quillerier and Pierre Veillon explores the dynamic evolution of payment security in response to societal changes. From the days of cash transactions reliant on physical security to the advent of digital payment methods with robust authentication measures, the landscape of payment security has transformed significantly. As technologies and regulations evolve, ensuring the safety of transactions and safeguarding consumer data has become a priority for all stakeholders in the mobility sector. This article delves into these advancements, highlighting both the challenges and innovative solutions that characterize modern payment systems.


The evolution of payment security has kept pace with the challenges of a constantly changing society. Cash payment, based on banknotes and coins, relied mainly on physical security and offered no real traceability. The arrival of cashless payment marked a step forward: it linked payer and beneficiary through a written, traceable record, introducing the first proofs of transaction.

With the emergence of cheques, security was strengthened by precise data such as the account number and cheque number (the CMC7 line) and by the payer's signature, laying the foundations for authentication, consent and non-repudiation of the payment. The advent of the bank card put protected data on the magnetic stripe, then in the chip, together with a confidential PIN code. Initially, transactions were mainly processed offline, and those that did go online used the TRANSPAC network, perceived as secure because access to it was limited.

Today, integrity is guaranteed by cryptographic seals: a message authentication code computed over the transaction data, so that any alteration of the amount, the payee or the card data between the terminal and the acquirer is detected. The rise of the Internet has brought new rules, requiring a rethinking of the principles of authentication and payment guarantee for remote transactions, such as 3-D Secure (3DS) in 2008 and 3DS v2 in 2021.
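The seal described above, as an added example that is not the article's code: the terminal computes an HMAC over the transaction fields, and the acquirer refuses any message whose seal no longer matches, is too old, or reuses a transaction identifier. The field names, the shared key and the sample tap are assumptions made for illustration.

```python
"""Added example (not the article's code): sealing a payment message with an
HMAC and verifying it on the acquirer side.  The message fields, the shared
key and the sample values are assumptions made for illustration."""
import hashlib
import hmac
import json


def canonical_bytes(msg: dict) -> bytes:
    """Serialize deterministically so terminal and acquirer hash the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_seal(msg: dict, key: bytes) -> str:
    """HMAC-SHA256 over every field except the seal itself."""
    body = {k: v for k, v in msg.items() if k != "seal"}
    return hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()


def seal_message(msg: dict, key: bytes) -> dict:
    """Terminal side: attach the seal to an outgoing transaction message."""
    sealed = dict(msg)
    sealed["seal"] = compute_seal(msg, key)
    return sealed


class Acquirer:
    """Acquirer side: check the seal, then freshness, then replay."""

    def __init__(self, key: bytes, max_age_s: int = 300):
        self.key = key
        self.max_age_s = max_age_s
        self.seen_ids: set[str] = set()

    def accept(self, msg: dict, now: int) -> tuple[bool, str]:
        tag = msg.get("seal", "")
        # constant-time comparison: a plain == would leak timing information
        if not hmac.compare_digest(compute_seal(msg, self.key), tag):
            return False, "bad seal"
        if abs(now - msg["timestamp"]) > self.max_age_s:
            return False, "stale"
        if msg["txn_id"] in self.seen_ids:
            return False, "replay"
        self.seen_ids.add(msg["txn_id"])
        return True, "accepted"


# Constructed sample: a single tap at a transit validator (assumed field names).
KEY = b"shared-terminal-key-for-demo-only"
TAP = {
    "txn_id": "T-000001",
    "terminal": "GATE-12",
    "amount_cents": 210,
    "currency": "EUR",
    "timestamp": 1_700_000_000,
    "card_token": "tok_9f3a1c",
}


def run_demo(now: int = 1_700_000_010) -> dict:
    """Runs the four cases a practitioner wants to see: genuine, tampered, replayed, stale."""
    acq = Acquirer(KEY)
    genuine = seal_message(TAP, KEY)
    tampered = dict(genuine, amount_cents=21000)   # amount altered in transit, seal unchanged
    return {
        "genuine": acq.accept(genuine, now),
        "tampered": acq.accept(tampered, now),
        "replayed": acq.accept(genuine, now),       # same txn_id presented again
        "stale": acq.accept(seal_message(TAP, KEY), now + 3600),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:9s} -> {'OK ' if ok else 'REJ'} {reason}")
```

The seal only proves that whoever held the key produced the message; it says nothing about freshness, which is why the timestamp window and the set of seen transaction identifiers are checked separately, and why a real deployment keys each terminal individually rather than sharing one secret across the fleet.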

Other payment methods, such as the SEPA Direct Debit (SDD), are executed without any active validation by the payer at the time of the transaction, and alternative solutions such as wallets have emerged, often built on top of existing card schemes.

Smartphones have improved security with biometric authentication and tokenization, which replaces the card number with a device-specific token so that the real PAN is neither stored on the phone nor exposed to the merchant. The bank card continues its dematerialization, with innovations like Click-to-Pay and mobile wallets gaining popularity. Solutions such as WERO, entirely mobile, represent an alternative well suited to new mobility uses.

Regulatory challenges and constraints

Securing mobility transactions is crucial in the face of fraud risks. European directives, national laws and global standards protect payers, cardholders and merchants. The major frameworks are PCI DSS (Payment Card Industry Data Security Standard), the PSDs (the European Payment Services Directives) and the GDPR (General Data Protection Regulation).

PCI DSS applies to any organization that stores, processes or transmits payment card data. It imposes operational and technical requirements, such as restricting access to cardholder data, never retaining sensitive authentication data after authorization, and encrypting cardholder data whenever it is transmitted over public networks. To maintain compliance, merchants and payment providers must define a "PCI scope" (the systems that hold, or can affect the security of, cardholder data) which is assessed annually, a long and costly but essential process. Keeping that scope small, for example by ensuring card data never reaches the operator's own systems, is the main lever for reducing that cost.

The PSDs have harmonized and secured payments across the EU. PSD1, transposed in 2009, introduced the legal framework for SEPA payments. PSD2, in force since 2018, strengthened security with strong customer authentication (SCA) and paved the way for Open Banking. PSD3, expected around 2026, is intended to cover new digital payment forms and digital currencies while continuing to strengthen payment security.

The GDPR, applicable since 2018, protects personal data, including banking data, by imposing strict principles. Mobility operators must therefore comply with these requirements to ensure the protection of their customers' data. Organizations such as the OSMP (Observatoire de la sécurité des moyens de paiement, in France) and the EPC (European Payments Council) contribute to the security and harmonization of payments: the OSMP publishes fraud statistics, while the EPC works on the harmonization of payments in the SEPA zone. All converge towards one goal: securing payment data.

Security from a customer perspective

The transition from paper transport tickets to digital ones has transformed sales channels, from payment by SMS to e-commerce and Open Payment (tapping a contactless bank card or phone directly at the gate or validator, with the fare charged to that card).

Mobile apps make it easier to store payment cards and simplify transactions. Customer trust in the operator remains crucial. Solutions like Google Pay or Apple Pay provide transparency and immediate notification of payments.

Free-flow tolling systems on motorways, which recognize the number plate and link it to a payment card on file, simplify payment, but they rely on trust in the operator and on secure handling of that data. In car parks and at EV charging stations, customers are often asked to scan a QR code to download an application or to identify themselves; together with the lack of a universally accepted payment method, this is a challenge both for the customer and for securing payments, not least because a printed QR code can be covered with a fraudulent one that sends the customer to a look-alike payment page.

These varied use cases, even when they incorporate secure payment principles, introduce weak points between the service and its payment. It is common today for a customer, citizen or traveller to have recorded their bank card data in 10 to 20 operator applications, each of which is one more place from which that data can leak. A centralized solution, such as a "Single Pass" application (transport, parking, tolls, charging, etc.), could simplify management and strengthen security. This is also why payment wallets are popular: they let customers deposit their card details in a limited number of places.
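The tokenization mentioned earlier, the PCI scope discussion and the concern above about card data held in many applications all come down to the same mechanism, shown here as an added example that is not the article's code: a token vault hands the operator an opaque token and a masked number, and keeps the full PAN in one place that remains inside PCI scope. The PANs are standard test numbers, and the vault's in-memory dictionaries stand in for an encrypted database.

```python
"""Added example (not the article's code): a minimal PAN tokenization vault.
The operator's app keeps only the token and a masked PAN; the full PAN lives
in the vault, the one component that remains inside PCI DSS scope.  The PANs
used below are standard test numbers, and the vault's storage is an in-memory
stand-in for an encrypted database."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check; rejects non-digit input and implausible lengths."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form PCI DSS permits: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to opaque tokens; the only place the full PAN is kept."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key         # keyed index, so no plain PAN hash is stored
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:     # same card always yields the same token
            return self._token_by_index[idx]
        while True:
            # keep the last four digits for receipts, randomize the rest, and refuse any
            # candidate that passes Luhn so a leaked token can never be mistaken for a PAN
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment gateway, inside PCI scope, should ever call this."""
        return self._pan_by_token[token]


def store_card_for_operator(vault: TokenVault, pan: str) -> dict:
    """Everything the operator's app is allowed to keep about the card."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan), "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault(b"index-key-for-demo-only")   # assumed key
    record = store_card_for_operator(vault, "4111111111111111")   # standard test PAN
    print(record)                                     # token, masked PAN, last four only
    print(vault.detokenize(record["token"]))          # full PAN, available only inside the vault
```

Twenty operator apps holding such records hold nothing a skimmer can use: the token is only meaningful to the vault that issued it, and the Luhn rejection makes sure a dump of tokens cannot be passed off as a dump of card numbers.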

The operator’s point of view

For transport and mobility operators, mobile applications are the main channel through which customers access their services. They allow customers to plan journeys, purchase and validate tickets, or interact with the operator. These applications collect a lot of personal data in order to personalize services, but must respect strict regulatory constraints. The bank card remains the preferred means of purchasing tickets or accessing networks via Open Payment. This method, popularized in London in 2012, is appreciated for its simplicity, especially by occasional customers. However, it requires ticketing providers to comply with electronic payment security standards, since the validator is then acting as a payment terminal.

In France, millions of Open Payment transactions are carried out every day, which makes their security crucial. Operators also use mobile devices as sales, validation and inspection tools: they make it possible to sell tickets on board vehicles or at stations, and to validate and inspect transport cards or the bank cards used for Open Payment.

SoftPoS (Software Point of Sale) technology makes it possible to accept card payments on ordinary mobile phones equipped with NFC (Near Field Communication). It could make dedicated payment terminals and card-reading accessories disappear in favour of smartphones. Such solutions are covered by dedicated PCI standards (PCI CPoC and, since 2022, PCI MPoC), which require the acceptance application to attest the integrity of the phone it runs on and to be monitored by a back-end service, because a consumer phone cannot be trusted the way a certified terminal is. However, this still poses a trust issue for payers, who are asked to present their bank card to what looks like an ordinary smartphone.

In summary, the growing use of mobile phones in transport generates opportunities but also increased risks of fraud. Security organizations, payment schemes and regulators continue to issue new standards to protect these transactions.

Conclusion

In conclusion, the security of means of payment in the field of transport is essential and requires constant vigilance from all stakeholders. E-commerce fraud, mainly through phishing or "man in the middle" attacks, remains a serious threat.

For in-person payments, beware of scams such as the "collet marseillais" ("Marseille collar", a device inserted into an ATM slot to retain the card), card trapping, cash trapping and card skimming. Customers must remain attentive, while merchants must be PCI DSS compliant, secure their payment terminals physically against tampering and substitution, and remain vigilant.

Fabrice Quillerier

France Major Accounts Sales manager

Pierre Veillon

Mobility Marketing Manager