Security is a concern in each moment in the life cycle of a ticketing system, not only at its launching.
Security of a ticketing scheme like Calypso doesn’t require static management, but a dynamic one.
All the hackings of existing ticketing technologies are not the consequence from the initial level of security at their creation, but are due to a lack of a roadmap of security improvements in their life cycle. A security certification (as the EAL classification) is of no interest if it is not linked to a period of time.
Recent successful hacking of a well-known ticketing technology is clearly the result of a total lack, from the manufacturer, of evolution of the mechanisms of security for at least ten years. But the ones facing, on the field, the financial and image consequences are the operators and transport authorities, with no possible influence on the manufacturer policy.
Calypso has implemented a completely different paradigm, in order to not depend on the good willingness of manufacturers to improve their security solutions: to put the security policy in the hands of the community of transport operators and authorities which constitutes Calypso. Two main principles, based on the independence of the hardware and software solutions, are leading this policy:
- To use the best existing technological platforms (i.e. hardware components from IC manufacturers) to implement Calypso software. These platforms are those issued by these manufacturers to answer the needs of the bank sector, with the regular evolutions imposed by this sector, which guarantees always benefiting from the best secured hardware.
- To manage software evolutions under the responsibility of the Calypso community, represented by its Board and operationally ensured by a dedicated working group regrouping the best experts in this matter.
Consequently, from its origin in 2000, there have been 4 major evolutions in the Calypso software security and no hacking of Calypso has been reported.
Remark: the migration of a security step of Calypso remains under the responsibility of the operator or transport authority which has issued the ticketing system (new software version and/or new hardware platform), but Calypso always ensures the availability of solutions at the best level of security.