Back in August 2012 the big Myki story was the flaw in receipt printing that risked users credit card security – it got a run in The Age and I posted about how the security hole put users at risk of further identity theft. Fast forward to today, and it appears that the Transport Ticketing Authority has finally done something about the issue.
Their solution is a software change to the Myki CVMs (ticket machines) themselves, coupled with an upgrade to the firmware of the EFTPOS terminal integrated into the machine.
The most visible change is the elimination of the previously-disabled ‘Buy short term ticket’ button on the home screen, with the ‘top up’ option being split into separate Myki money and Myki pass options.
The second change is to the receipt printing format – the Myki logo on the top of the printout has been removed, and the cryptic ‘Location ID’ (tram stop) or ‘Station ID’ (railway station) line has been replaced with the much more understandable tram stop or railway station name.
The final change is to the monospaced text that appears on the EFT receipts – personal information such as the cardholder’s name and card expiry date have been removed, and instead of nine digits of the card number being printed out, only the last four digits appear.
From what I have been determine, the first two changes occur together when a Myki machine is upgraded to the new software, but the change to the card information on receipts is dependent on the EFTPOS terminal itself being upgraded – I’ve received EFT receipts with the new header formatting but still with my personal details included.
I’ve been told that for security reasons card readers everywhere – vending machines and in retail stores – are standalone piece of software, with the communications between them and the ‘client’ machine being very basic – it says ‘debit $X from the customer’ and the card reader spits out a receipt (edit: or the data needed to print a receipt), and a yes/no authorisation.
As for the unwanted Myki receipts littering the streets of Melbourne, it looks like that issue will be with us for a while longer, as this Herald Sun report from a few days ago reports:
Mr Darwent said PTV was working on improvements that would result in no banking receipt being printed for customers who opt not to get one.
The more things change…