Getting started

The ITSO Environment

The ITSO environment ensures the security of cards, products and transaction data between interoperable schemes.

While ITSO does not run schemes, provide equipment or influence commercial agreements, it does provide an environment for schemes to operate in and enjoy that security.


Before any equipment, software or sub-assembly can be used within the ITSO environment, it has to be certified by ITSO.

To gain certification, the equipment is tested by ITSO for compliance with the Specification.

ITSO also tests to ensure that interoperability can be achieved.


The specially commissioned ITSO Secure Application Module (ISAM) is constructed from a programmable smart card chip with extended memory and resides in all ITSO-compliant point of service terminals (POST) and back office equipment (HOPS).

It implements the secure part of the ITSO application and is fundamental to the operation of the ITSO environment.

It has the same form factor as a SIM card for a mobile phone.

The ISAM has achieved certification to the security assurance Common Criteria Evaluation standard EAL4+.

Security Management

Security of data transmission is a key aspect of interoperability. The consequent handling and transmission of data between point-of-service devices, operators and settlement organisations is crucial for genuine interoperability.

ITSO provides a Security Management Service (ISMS) for the generation and distribution of security keys within the ITSO environment. These keys are the means by which Licensed Operators’ equipment and systems can recognise and accept other Licensed Operators’ products.

The ISMS allows ISAMs to be updated remotely with new and amended products, and with other operational changes as required by the Licensed Operators. As a result, ITSO products can be updated in the field without service disruption while still maintaining high levels of security.

Operational Regulations

The ITSO Specification sets out the technical means by which interoperability of smart contactless systems can be facilitated. In addition to the Specification, each Licensed Operator running a scheme or performing specific roles in the ITSO environment agrees to abide by the regulations contained within the ITSO Operating Licence. This ensures that all parties behave consistently and fairly, both in interactions with each other and with users of ITSO smartcards.

This page was last updated on 16 January 2015 GMT