Section B.2 Variation 1: Shared Secret (Password)
In this variation, the first database stores only a shared secret like a password and user ID related to the customer. The database contains no personal information. This variation has the advantage that all cards are anonymous. Because the system stores no personal data, there is no risk of abuse of personal information.
We still recommend that travel data be periodically transferred from the first database to the second, because an individual could still be tracked if their ID number was known. However, this risk is greatly reduced.
The disadvantage of this variation is that users must remember a password and identification number in order for lost cards to be reissued. This variation also lacks some of the advantages of the one presented below.
In the second variation, the first database stores some personal information about the user, such as name, contact information, credit card number, credit card company, and credit card verification information. (If the customer is paying via cash or check rather than credit card, the credit-card-related data would be left blank.)
As in the recommendations given above, this information should be kept reasonably minimal. No piece of information should be stored in the database unless it directly leads to additional functionality for the customer. For instance, the customer's religion, sexual orientation, and favorite color are not needed for any declared functionality. However, name, contact information, and credit card information can be used for the reissuing of lost cards and for automatic reloading.
Figure B.2: Schematic for Variation 2 of the Design
Additionally, the RFID card should still store only a single number. If the card is read illegally by an unauthorized card reader, a card ID number is far less useful to the reader than any personal information would be.
The advantages of this system are that it
allows for an opt-in automatic reloading program
allows for card reissuing without forcing the customers to memorize passwords (the customer would provide his/her name, and a photo ID, for instance)
However, it has the disadvantages that
If the card has automatic reloading and is lost/stolen, the customer must report it quickly, or risk paying for someone else's T fare for an arbitrary number of trips
There is personal data in the system which could be subject to internal or external abuse
To reduce the risk of internal abuse, personal data could remain encrypted in the system until it is needed (to reissue a lost card or perform automatic reloading).
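As an added example (not code from the original report), a small Python model of Variation 2: the card carries only a random number, the first database keeps each personal record sealed until the reissue path needs it, and the periodic transfer drops the card ID from trips moved to the second database. The HMAC-based sealing construction (a stand-in for a real AEAD), the seven-day window, and a name check standing in for the photo-ID check are assumptions.

```python
import hashlib, hmac, json, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; a stand-in for a real AEAD (assumption)
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)  # encrypt-then-MAC

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("personal record tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))

class FareSystem:
    def __init__(self, key):
        self._key = key         # held only by the reissue / auto-reload service
        self.customers = {}     # first database: card_id -> sealed personal record
        self.recent_trips = []  # first database: (card_id, day, station)
        self.archive = []       # second database: (day, station) with no card ID

    def issue_card(self, name, contact, card_number=""):
        card_id = secrets.token_hex(8)  # the only value written to the RFID card
        record = json.dumps({"name": name, "contact": contact, "cc": card_number})
        self.customers[card_id] = seal(self._key, record.encode())
        return card_id

    def record_trip(self, card_id, day, station):
        self.recent_trips.append((card_id, day, station))

    def transfer_old_trips(self, today, keep_days=7):
        # periodic transfer: rows older than keep_days move to the archive without their card ID
        old = [t for t in self.recent_trips if today - t[1] >= keep_days]
        self.recent_trips = [t for t in self.recent_trips if today - t[1] < keep_days]
        self.archive += [(day, station) for _, day, station in old]
        return len(old)

    def reissue(self, old_card_id, claimed_name):
        # the only code path that decrypts a personal record (name check stands in for photo ID)
        rec = json.loads(unseal(self._key, self.customers[old_card_id]))
        if rec["name"] != claimed_name:
            return None
        del self.customers[old_card_id]
        return self.issue_card(rec["name"], rec["contact"], rec["cc"])
```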