More News:

June 28, 2021

'SEPTA Key 2.0' sets table for future upgrades to fare payment system

As a smartphone payment technology nears implementation, the transit authority must navigate privacy concerns and cyber threats

Transportation SEPTA
SEPTA Key 2.0 Thom Carroll/for PhillyVoice

SEPTA plans to introduce mobile fare payment across the transit system starting later this year, but it's just the beginning of a long-term plan to keep current with a changing landscape of technology, privacy issues and cyber threats.

As SEPTA emerges from the coronavirus pandemic with a five-year vision to revamp the transportation system, one its top priorities will be the development of what the authority is calling "SEPTA Key 2.0."

Five years have passed since SEPTA first rolled out the long-awaited replacement for its antiquated token fare system, the last of its kind in a major American city. Implementation of the key card system followed years of delays and shifting specifications for the project, a massive undertaking that overran its initial $140 million budget.

By the time SEPTA Key had fully expanded to the public in early 2017, it was already in danger of falling behind the innovative curve in other cities, where rider convenience was often achieved by working through the inevitable glitches that come with early adoption. (Oddly enough, for example, some SEPTA Key card holders managed to get free rides in Chicago and London a few years ago due to an unintended cross-functionality of payment processing).

SEPTA has made a number of improvements to streamline SEPTA Key account management, such as enabling funds to be deposited using a smartphone and expanding the use of the SEPTA Key card for access across the Regional Rail system.

But one of the most consequential steps forward for SEPTA Key — enabling riders to validate their fare with a smartphone — was delayed by the coronavirus pandemic and many of the same installation hurdles that set back the debut of the original system. 

The hold-up may ultimately prove beneficial both for SEPTA and the public. It will give SEPTA a chance to better anticipate some of the problems and technical challenges that come with system upgrades. 

On Monday, SEPTA issued a Request for Information seeking input and recommendations from vendors who can provide expert insight about the future of fare collection. 

"SEPTA Key 2.0 will help ensure that we stay up-to-date with constantly-evolving fare collection technology," SEPTA General Manager and CEO Leslie Richards said. "This is a critical investment in our customers, and an important part of SEPTA’s strategic plan."

Examining trends in mobile payment technology will be the main focus of the RFI, which will inform a later Request For Proposals for future upgrades to the system, spokesperson Andrew Busch said.

"Part of the RFI is going to be getting responses from vendors who are working on similar systems elsewhere," Busch said. "This will give us a picture of what's going on elsewhere, what's working and what people are expecting moving forward."

SEPTA first unveiled plans to make mobile fare payment a reality at station kiosks and fare boxes across the network in December 2019. Riders were promised a more convenient future with contactless fare payments through Apple Pay, Google Pay, Samsung Pay, student ID cards and other compatible mobile platforms.

Installing the hardware for this change has become another expensive, large-scale project under SEPTA's current $4.3 million contract with Conduent. The New Jersey-based company formerly was a subsidiary of Xerox, which handled the original contract and specifications for SEPTA Key's development. 

SEPTA and Conduent are in the process of upgrading more than 5,000 fare boxes and turnstiles in order to make them compatible with mobile payments. Conduent manages the SEPTA Key Fare system as a third-party vendor. 

Busch said pilot testing for mobile fare payment could begin by the fall, with an expected rollout across the system by early next year — likely beginning with fare boxes on buses. 

The new RFI is concerned with staying ahead of the curve in future projects SEPTA undertakes, whether it's with Conduent or another vendor. 

Elsewhere, Apple Pay, Google Pay and other mobile fare payment systems already have been introduced to public transit in New York City, Washington, D.C., Chicago, San Francisco and London, among other cities. 

Implementation of this technology does not come without concerns, specifically in relation to rider data and privacy, as The Verge examined last year with New York City's OMNY fare payment system.  

In the thick of the pandemic last August, SEPTA's IT department was hit with a cyberattack that caused the authority to temporarily shut down real-time transit information for customers. More than 2,000 employee email accounts were compromised by the attack, resulting in workflow issues that created an internal nightmare.

SEPTA Key was not affected by the cyberattack because its server is operated by Conduent and is completely separate from the authority's other servers.

A deeper commitment to mobile fare payment technology, and the attendant risk of rider data being harvested by a third party, nonetheless presents issues that warrant scrutiny from SEPTA and the public. 

Privacy of movement is an obvious facet of this new frontier, but so is the potential for third-party policies that could insulate SEPTA from responsibility for certain aspects of system management. The terms of service can't realistically be rejected by riders who depend on the system to get where they need to go. 

"The security component is the key. That's something that we gather more information about through this RFI and as we move into getting a new contract," Busch said. "That's where we expect that the expertise will come from — people in the field who are working on these systems. They're going to bring information to us to help us ensure that we're following best practices and that whatever we put in moving forward has maximum protection for user information. That always has been a high priority." 

Third-party companies are not necessarily more immune to cyberattacks than unsuspecting transit agencies, which may be considered easier targets with less sophisticated firewalls. 

Cubic, the company that designed and manages New York and San Francisco's contactless payment platforms, was hacked and held ransom in 2016 under the threat of releasing encrypted data from the Muni light rail system in the Bay Area. The transit agency said it never once considered paying the Bitcoin ransom, but instead gave riders free access to the system while the matter was sorted out with help from federal authorities.

Busch said that any future RFP involving SEPTA Key will place a premium on a vendor's ability to secure and protect data. 

"That's at the forefront — how are you keeping this information secure, and what plans do you have moving forward to make sure that you're responding to emerging threats?" Busch said. "We don't know what the next source of a malware attack might be. They will have to provide assurances and a proven track record of handling threats like that elsewhere. What do they to do prevent it?"

From another vantage point, some critics of tech-enabled fare payment systems contend that innovation may inherently disadvantage lower-income riders, who might not have bank accounts, mobile payment apps or debit cards to link with their travels.

It's unclear how SEPTA plans to maintain equity in its fare payment systems, but the authority is in the process of taking a hard look at how its bus network can be comprehensively redesigned with these and other issues in mind. 

SEPTA didn't specify what other kinds of upgrades would be considered for SEPTA Key beyond broadening mobile fare payment capabilities. The authority issued three goals accompanying its RFI:

•Develop a proactive organization: Create an agile system that can be continually adapted to leverage the latest technology, increase operational efficiency, and meet the changing needs of SEPTA and its riders
• Provide an intuitive experience: Provide easy-to-use and conveniently accessible rider-facing products and systems
• Deliver a seamless transit network: Integrate products and solutions from across SEPTA and beyond – serving as a platform for partnerships with regional mobility providers

Busch said figuring out the future of mobile fare payments represents new territory. 

"That's part of why we're doing an RFI. We wouldn't normally do that and it's not every project that we put something like this out," Busch said. "We know that there's expertise and information from people who specialize in this work that we need to gather. They're on the cutting edge of studying these technologies — not just now, but what we're expecting moving forward. They have insight into what's going to develop with mobile payments and what we should be looking at adding that other cities are doing."

Busch added that SEPTA is committed to a transparent process that will keep the public in the loop about future projects and what they mean for riders. With an eventual RFP, there will be a period when bids are sealed, but any eventual project details will be made public before implementation. 

"We wanted to get information out there at the very beginning of this process, to let people know we're reaching out to vendors to move this project forward," Busch said. "We're going to provide public updates with what's going on and we're definitely committed to keeping the process transparent moving forward." 

Interested parties who wish to offer expertise and proven recommendations that will bolster the development of SEPTA Key are encouraged to respond to the RFI by Monday, Aug. 9, at 3 p.m.