In addition to proprietary media (“closed loop” systems), ticketing systems increasingly use so called open media (“open loop” systems). There are also hybrid ticketing systems. The advantage of open architectures over closed architectures is, in particular, that they are more flexible. Users and passengers, respectively, can use different user identification elements such as tokens, chip cards (smart cards), credit cards, mobile phones, personal digital assistants (PDAs), tablet PCs, integrated circuit boards, electronic passports, electronic identification documents, etc. for authentication and billing when using a vehicle, in particular a transport vehicle. It is understood that the operator of a ticketing system can specify which user identification elements can actually be used, and which are excluded.
Ticketing systems based on an open architecture are described in US 2009/0121016 A1 and in WO 2012/088582 A1, for example. Such a ticketing system can be installed, for example, in a vehicle, such as a (public) bus or a (public) rail vehicle.
To use the vehicle, a user can sign on when entering the vehicle by means of a user identification element at a validator device arranged in (or in front of) the vehicle (on-board validation) or in front of the vehicle, and sign out in a corresponding manner when leaving the vehicle. The validator device can have at least one short-range interface that is configured to receive an identifier stored in the user identification element from the user identification element. The read identifier can be used by the ticketing system to identify a user and, for example, to charge for the use of the vehicle for the distance travelled between entry and exit.
A user dataset that comprises at least all relevant data to charge for the use of the vehicle is created in the validator device for every read identifier. The user dataset can be at least partially hashed. The validator device has a communication module for transmitting the user datasets to a remotely located central computing device (also called “back office”). A mobile data network can be used for transmission, for example. The remotely located central computing device in the form of one or more servers stores all user datasets, and can perform or at least initiate a usage accounting.
In order to at least reduce the misuse of a transport system, vehicle users are checked by inspectors inside the vehicle, for example. Using an inspection device to check or inspect is known from the prior art.
When using proprietary media as a user identification element, a validator device can document a compliant validation by changing the user identification element. In the simplest case, this is a ticket stamp on a paper ticket that an inspector can visually check. Relevant validation data is written onto electronically readable proprietary user identification elements, e.g. proprietary magnetic stripe tickets or proprietary smart cards, during validation so that the proper use can be read electronically by an inspector directly from the user identification element by means of an inspection device.
When using open media as user identification elements, this inspection is more difficult since it is generally not permissible for a validation device to write onto the user identification element, for example a contactless credit card. The information as to whether a user identification element (before departure) has been validated in a compliant manner is thus not present on the user identification element itself. In order to provide an assessment as to whether a user identification element has been validated in compliance with the rules, an inspection device must know, preferably “in real time”, which user identification elements were used on the ticketing system's validation devices.
The inspection device therefore comprises an additional communication module and a short-range interface for an inspection process. The identifier is read from the user's user identification element to-be-inspected via the short-range interface. With the communication module, the inspection device downloads user datasets from the remotely located central computing device via a mobile data connection and locally stores or accesses them. The inspection device then compares a read identifier with the user data. If the comparison result is negative it concludes misuse, and appropriate measures can be taken. If the comparison result is positive it concludes an authorised user.
In ticketing systems of this kind, the problem repeatedly encountered during the inspection process is that the inspection leads to a false negative result. One reason that an identifier read from an identification device cannot be assigned to a user dataset is a delay in the transmission of a user dataset from the validator device to the computing device. Typically, it can take up to 5 minutes from the reading of an identifier from an identification element until a user dataset for this identifier has actually been received by the remotely located central computing device. Therefore, before this, the inspection device also has no access to this user dataset, which can result in a false negative inspection result.
Another reason of an erroneous inspection result could be that no communication link, or only an inadequate one, can be established between the inspection device and the remotely located central computing device. This can happen, for example, when a vehicle passes through geographic areas in which the mobile data network used is only available in an inadequate quality.
It is therefore the object of the invention to provide a validation device for a ticketing system that improves the reliability of the inspection results of an inspection method.