Data protection & security with the D-Ticket

Passengers in Germany have been able to use the Deutschland-Ticket since 1 May 2023. The ticket, which is valid throughout Germany, is available as a monthly subscription - either on a chip card or as a mobile phone ticket. A subscription ticket valid throughout Germany also requires national security monitoring, which checks, for example, whether there is an issue transaction for each proof of inspection. In other words, has the ticket that has just been checked in the underground actually been sold or is it a copy or forgery?

To be able to check this, all national tickets must exist in an audit-proof system. We operate such a system: the Central PV System (ZPVS) for the Deutschland-Ticket.

The ZPVS is not only important for system security; it can also provide important information about the exact number of all D-tickets for revenue sharing. For this to work, the sales and control systems of all transport companies and associations in Germany must send their issue and control records to this system. The faster the participants in (((eTicket Deutschland connect to this system, the better, and the lower the migration costs.

Pseudonymised data records in the central PV system

All data records sent to the ZPVS are pseudonymised and sent in encrypted form via a specially secured network.

Technical and organisational measures ensure that customer data and control transaction data are stored at different locations so that they cannot be merged - and thus a movement profile cannot be created. The data can only be merged for the purpose of billing or complaint processing.

The data of the proof of issue and proof of control are stored in the central PV system and at the selling company.

It is important to distinguish between the data processed by the ticket-issuing transport company and the systemic data stored in the ticket and the proof of control for control and system security purposes.

Only pseudonymised data is stored in our ZPV system. The location of the selling company is entered as the location for the issuing transaction.
If the ticket is purchased in Berlin, the location is therefore not the passenger's place of residence, but Berlin. During the inspection, the so-called "Germany-wide stop ID" (DHID) is entered in the proof of inspection.

The transport companies that issue the Deutschland-Ticket store data relevant to the purchase and billing, such as the passenger's name, address and bank details. These are usually stored in separate subscription or customer relationship management systems.

The D-ticket is personal and non-transferable. It contains the passenger's data relevant for verification, such as surname, first name, date of birth and optionally gender (which, however, is generally no longer processed).

The SCE ID, a static ID of the digital user medium for the purpose of copy protection, is only stored on the user medium when using Motics (smartphone tickets with dynamic barcode). The legal basis for this is Article 6(1)(f) of the General Data Protection Regulation (GDPR), whereby the respective data subject rights are guaranteed.

In addition, the validity period (currently the month in question) and the geographical validity (in this case Germany) are stored.

The time and area of validity as well as the passenger's name are checked as part of the inspection, whereby the name must be compared with a photo ID in the case of a barcode ticket in order to recognise ticket copies at this stage if possible.

The data of a proof of inspection is deleted in the ZPVS when all checks of the proof of inspection have been carried out and the result is positive (no abnormalities). Only some basic data of the proof of inspection remains stored on the user medium (chip card). The storage of these control transactions on the chip card is necessary in terms of consumer protection so that a passenger can view the last transactions made with his chip card.

The data protection supervisory authorities accept this data processing in the form practised. The entries in the application logbook on the chip card can be deleted at any time at the customer's request. Only ten transaction records are stored automatically; new records overwrite the oldest ones (ring memory).

We explain more about data protection at (((eTicket Deutschland in the video here.
We answer further technical questions about the Deutschland-Ticket in our FAQ.

Questions & answers about the D-Ticket

You can find out exactly how the ZPVS works and how transport associations and transport companies can connect their systems to the ZPVS or upload cryptograms here or via our collaboration platform (((efi.

Download: Cryptograms for D-Ticket
(((efi: Functions of the ZPVS

An issue transaction with a unique number is created for each electronic ticket in the VDV-KA system. These numbers must be complete and in ascending order. Each inspection generates a proof of inspection, which is also given a number. These must also be complete and in ascending order. The ZPVS is an integral part of a national ticketing system and receives all proofs of issue and the relevant proofs of inspection for national fare products. This makes the Deutschland-Ticket audit-proof. Monitoring recognises forgeries, copies and compromised keys for issuing tickets and can provide issue and usage data for revenue distribution.
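The two checks described above (numbers complete and in ascending order, and an issue transaction for every proof of inspection) can be sketched as follows. This is an added example, not code from the ZPVS or from VDV eTicket Service; the record layout, the field names (issuer, terminal, seq, ticket_id) and the sample records are constructed for illustration and do not reflect the VDV-KA data format.

```python
# Constructed sample records; field names are hypothetical, not VDV-KA fields.
ISSUES = [
    {"issuer": "ORG-A", "seq": 1, "ticket_id": "T-100"},
    {"issuer": "ORG-A", "seq": 2, "ticket_id": "T-101"},
    {"issuer": "ORG-A", "seq": 4, "ticket_id": "T-103"},     # seq 3 never arrived
    {"issuer": "ORG-B", "seq": 1, "ticket_id": "T-200"},
]
INSPECTIONS = [
    {"terminal": "CTRL-1", "seq": 1, "ticket_id": "T-100"},
    {"terminal": "CTRL-1", "seq": 2, "ticket_id": "T-999"},  # no issue record
    {"terminal": "CTRL-1", "seq": 3, "ticket_id": "T-101"},
    {"terminal": "CTRL-2", "seq": 2, "ticket_id": "T-200"},
    {"terminal": "CTRL-2", "seq": 1, "ticket_id": "T-103"},  # number goes backwards
]


def sequence_findings(records, source_key):
    """Check, per source, that numbers arrive ascending and without gaps.

    The first number seen for a source is taken as its baseline.
    Returns tuples of (kind, source, number) in arrival order.
    """
    findings, last = [], {}
    for rec in records:
        src, seq = rec[source_key], rec["seq"]
        prev = last.get(src)
        if prev is not None and seq <= prev:
            findings.append(("not_ascending", src, seq))
            continue
        if prev is not None:
            # Every number skipped between prev and seq is a missing record.
            findings.extend(("gap", src, n) for n in range(prev + 1, seq))
        last[src] = seq
    return findings


def inspections_without_issue(issues, inspections):
    """Return proofs of inspection that reference no known issue transaction."""
    issued = {rec["ticket_id"] for rec in issues}
    return [rec for rec in inspections if rec["ticket_id"] not in issued]


if __name__ == "__main__":
    print("issue numbering:     ", sequence_findings(ISSUES, "issuer"))
    print("inspection numbering:", sequence_findings(INSPECTIONS, "terminal"))
    print("unmatched inspections:", inspections_without_issue(ISSUES, INSPECTIONS))
```

An unmatched inspection is only a candidate for a forgery: while an issuer still has a gap in its numbering, the missing issue record may simply not have been delivered yet, so both findings should be read together.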

On 25 April 2023, the ZPVS went into operation as the latest component of the central background systems of (((eTicket Deutschland.

Until the official launch of the Deutschland-Ticket, the industry had not yet appointed a national product owner (PV) who would have provided the key and system. At a special meeting on 23 March 2023, the VDV Executive Committee passed a resolution demanding and approving compliance with a minimum security level for the Deutschland-Ticket. The VDV eTicket Service is therefore now providing the complete technical security architecture for the D-Ticket, even though the regular national product owner has not yet been defined. In view of the great potential for fraud and misuse, a functioning security monitoring system must also be in place during the transition phase.

The new PV key (KID 40) of OrgID 3000 is used for the connection and correct sending of issue and control transactions. The new national PV key and the corresponding test key (level 2) are available in the ASM tool.

Download: Guide to reloading cryptograms