About ITSO
ITSO Organisation | ITSO Specification | ITSO Environment
These are quick guides to what ITSO does, how it is structured and how organisations and individuals can become involved. In particular, they look at what it means to be an ITSO member, how to become a supplier of ITSO compliant equipment, systems and services and what's needed to operate key processes within the ITSO environment.
What is ITSO 
Introduction to ITSO
ITSO Organisation
Incorporated in 2001, ITSO Limited is a company limited by guarantee, a non-profit distributing organisation, whose membership covers the breadth of the Transport arena including transport operators (both bus and train operating companies), suppliers to the industry, local authorities and public transport executives. Supported by the Department for Transport, ITSO has links with major transport industry organisations and established smartcard schemes in the UK and overseas.
Having evolved from the initiative of various UK Passenger Transport Authorities concerning the lack of standards for interoperable smartcard ticketing started in 1998, ITSO’s objective is to maintain and develop ITSO Specification, operate and manage an interoperable smart media environment, and facilitate and support development of interoperable smart ticketing schemes that comply with the ITSO Specification.
ITSO Governance
The Board of ITSO are representatives of the membership through direct elections and each sector (Rail, Bus , Local Authorities & PTEs and Suppliers) have equal representation on the Board. On the ITSO Board there are also representatives of Transport for London, Transport Scotland, Welsh Assembly and the Department for Transport.
The ITSO Board evolves with changes to the Membership structure. In this fashion all Members can ensure they have representation at Board level in addition to any other avenues.
Committee Structure
The ITSO Board can choose to create and authorise various bodies to undertake specific tasks. This has resulted in the establishment of a number of committees with distinct tasks. The committees to be reviewed as each task is completed. Where possible, ITSO includes Member representation on these committees by asking them to provide expert resource in discussion and review.
Technical Committee. The Technical Committee is responsible for ensuring and changes to the ITSO Specification comply with the changes authorised by the ITSO membership, the ITSO Specification is updated in a fashion to be commensurate with the practical implementation within the ITSO environment. In addition, the Technical Committee maintains close relationships with standards bodies to ensure convergence with relevant emerging standards.
Security Committee. ITSO Security Committee is an independent group of experts led by Fred Piper, Director of the Information Security Group at the Royal Holloway, University of London. Main functions of the ITSO Security committee are to review ITSO security policies and provide comments and recommendations to the ITSO Board, as well as to monitor, evaluate and communicate to ITSO membership the industry security standards, trends and threats.
User Groups
There are a number of groups that operate within ITSO, where members discuss issues specific for different parts of the ITSO operational environment.
Supplier Special Interest Group (SSIG) is a group operated by ITSO Supplier members where joint learning and development takes place. The SSIG constitution says that "in creating SSIG the suppliers recognise not only their important role in the continuing development of ITSO, but also their input into a specification and organisation whose role is now to keep apace of the technology rather than the implementation of a specification".
ITSO Licenced Operators Group (ILOG) is another user group. ILOG's ultimate aim is to promote better understanding between Licensed Operators and ITSO by agreeing Codes of Practice and Guides to compliment formal ITSO documentation, whilst encouraging the sharing of experiences concerning implementation and product interoperability.
ITSO ISMS User Group. This User group is a forum for feedback and exchange of information on all aspects of the ITSO Security Management System. It is an informal meeting which provides an opportunity for ITSO, Asset Management System Providers, and ISMS Contractors to discuss current issues affecting the service, suggest improvements and plans for the future of the system, discuss development and address any house-keeping issues.
ITSO Specification
ITSO Specification is a technical platform on which interoperable smart ticketing schemes can be built. It defines the key technical items and interfaces that are required to deliver interoperability between both, components of a ticketing system – smart media, points of service and back offices - and separate ticketing systems. ITSO is unique in transport smartcard schemes in that it covers all components - media, point of service and back office systems.
ITSO Specification is an open specification. It is Crown Copyright and available to all. You can download a copy from the ITSO Specification page.
ITSO Environment
ITSO's interest is the security of cards, products and transaction data between interoperable schemes. Whilst ITSO does not run schemes, provide equipment or influence commercial agreements, it does provide an environment for schemes to operate in and enjoy that security.
Certification
Before any equipment, software or sub-assembly can be used within the ITSO environment, it has to be certified by ITSO. To gain certification the equipment is rigorously tested in the ITSO Test House for compliance to the the ITSO Specification. ITSO goes further than certification against the Specification. ITSO operates an Interoperability Warehouse, which contains all certified kit against which new items are tested to ensure that interoperability is achieved.
Integri BV has been accredited to perform the ITSO testing service.
ISAM
The specially commissioned ITSO Secure Application Module (ISAM) is constructed from a programmable smart card chip with extended memory and resides in all ITSO compliant point of service terminals and back office equipment. It implements the secure part of the ITSO applicationis and is fundamental to the operation of the ITSO environment. It has the same form factor as SIM card for a mobile phone.
The ITSO SAM has achieved certification to the security assurance Common Criteria Evaluation standard EAL4+. Read more about ISAM Common Criteria certification.
Security Management
Security of data transmission is a key aspect of interoperability. The consequent handling and transmission of data between Point-of-Service devices, operators and settlement organisations is crucial for genuine interoperability.
ITSO provides a Security Management Service (ISMS) for the generation and distribution of security keys within the ITSO environment. These keys are the means by which Licensed Operators equipment and systems can recognise and accept other Licensed Operators products. The ISMS allows ISAMs to be updated remotely with new products, amended products and other operational changes as required by the Licensed Operarots . As a result ITSO products can be field updated without service disruption and whilst still maintaining high levels of security.
Operational Regulations
The ITSO Specification sets out the technical means by which interoperability of smart contactless systems can be facilitated. In addition to the Specification, each Licensed Operator operating a scheme or performing specific roles in ITSO environment agrees to abide by a set of regulations that comprise Operating License. This ensures that all parties behave consistently and fairly, both in interactions with each other and with users of ITSO smartcards.
Back to Top
