How Smartcards Work

Date: Friday, November 7, 2014

Smart cards with ITSO are very powerful. The technology can come on a plethora of cards, and store all sorts of things from cash value, to loyalty points, to travel passes. I'd like to explain a little bit about how that data gets there, and how we use it.

First off, ITSO is two things: A technology for making an interoperable smart card environment, and the organisation which makes it happen, by developing standards for cards, readers, and software. ITSO (that is, the "Integrated Transport Smartcard Organisation") pick and mix a number of international standards for how smart cards interact, and oversee the process of making the parts work together, with the help of a number of transport companies and local authorities. ITSO is not-for-profit.

The point is that all ITSO smart cards are theoretically compatible with all ITSO entry gates, top-up points, etc. (ever noticed the train station ticket barriers which say "ITSO / Tickets" on the screen?) However, in practice, not all travel cards are meant to work with all services! You can't use your Oyster card on Merseyrail, but at a secret level, the technology can work together.


Smart cards are known as Customer Media (CM) and contain one or more applications. Apps on a smart card are not like applications you're used to! In fact the combination of apps which make up the "ITSO Shell" have the charming names: 00, 16, 02, and A0, and they deal with data which is about as readable as their names.

The applications contain products, known as IPEs. The IPE could represent monetary value, and have its value changed whenever the customer tops up or passes through a payment gate. Or it could contain a pass representing a month of travel, which the pedestal on the bus can verify and allow the customer aboard. These are encrypted very strongly using a special server so that you can't hack your own card to get free travel!

The commands we send to the card are known as "Application Protocol Data Units" (known as "APDUs", pronounced "App-doos" which is funny in my opinion because you use them to ask an App to Do something! It's a wonderful world.)

We compose these APDUs ourselves for lower functions such as simple queries of card data, but for the complex (and encrypted) business of loading and unloading products, we rely on a Part 11 service, which I'll discuss in a future post.

This primer should serve to demonstrate how complex and yet familiar the ITSO system is. We are experts in this area, as well as in the hardware necessary for smart card operations, and we're an agile team, able to keep up nimbly with specifications and project demands. There's basically not a better squad in the country for creating a new smart card solution, and if that sounds about right for your scenario, get in touch with us; we're

Author: Ste Griffiths