How much is TFL paying to each player in the payment industry (Mastercard, Visa, Barclay,...) for contactless EMV transactions made with contactless payment cards per full year in the TFL system? How much is the overall cost payed to the payment industry? How much does it cost to keep the readers and backend of TFL EMV-PCI compliant per year? How often is it necessary to PCI re-certify the readers and the backend to stay PCI compliant? Before EMV acceptance started in 2014 TFL mentioned that 15% of the fare collection revenue was used to manage the oyster system. Is there any detailed split of this 15%? Is there any statistics available how this changed from 2014-2018 having EMV ontop?

---

Our ref: FOI-1102-1920/GH

Thank you for your request received by Transport for London (TfL) on 12 July 2019 asking for information about the Cost of running an EMV ecosystem ontop of Oyster.

Your request has been considered under the requirements of the Freedom of Information Act 2000 and our information access policy. I can confirm that we do hold some of the information you require.

How much is TFL paying to each player in the payment industry (Mastercard, Visa, Barclay,...)  for contactless EMV transactions made with contactless payment cards per full year in the TFL system? How much is the overall cost payed to the payment industry?

Costs are included in the Cost of Fare Revenue Collection report.  This covers all payment card transactions, not just contactless cards.  We pay a single charge to our Merchant Acquirer, which is then distributed between the payment schemes, the card issuer and our merchant acquirer.  Commercial confidentiality precludes further breakdown of these numbers, and we are therefore not obliged to provide you with this information as it is subject to a statutory exemption to the right of access to information under section 43(2). In this instance the section 43(2) exemption has been applied as disclosure would, or would be likely to prejudice our commercial interests.

The use of this exemption is subject to an assessment of the public interest in relation to the disclosure of the information concerned. We recognise the need for openness and transparency by public authorities, particularly where the expenditure of public money is concerned, but in this instance the public interest in ensuring that we are able to obtain the best value for public money outweighs the general public interest in increasing transparency of our processes.

How much does it cost to keep the readers and backend of TFL EMV-PCI compliant per year?

This information is not held - these costs are not identified separately within the maintenance costs for either the readers or the back end system.

How often is it necessary to PCI re-certify the readers and the backend to stay PCI compliant?

We undertake an annual process to confirm that our systems and processes continue to be compliant with PCI DSS standards.  This follows the best practice defined in PCI DSS v3.2.1.

Before EMV acceptance started in 2014 TFL mentioned that  15% of the fare collection revenue was used to manage the oyster system. Is there any detailed split of this 15%?

The attached Cost of Fare Revenue Collection report provides this information.  2015-16 is the last year for which this report has been issued at present.

Is there any statistics available how this changed from 2014-2018 having EMV ontop?

The attached slides show the trend over time.

If this is not the information you are looking for, or if you are unable to access it for some reason, please do not hesitate to contact me.

If you are not satisfied with this response please see the attached information sheet for details of your right to appeal.

Yours sincerely

Graham Hurt

FOI Case Officer

FOI Case Management Team

General Counsel

Transport for London

Attachments

Back to top

---