“Illogical” Myki flaw exposes passenger privacy
The Public Transport Users Association (PTUA) has called for urgent changes to the Myki ticketing system to ensure passenger privacy is not compromised by vending machine EFTPOS receipts.
PTUA President Daniel Bowen said that the way the vending machines work is flawed, resulting in many users leaving behind top-up receipts that include not just the transaction amount, but also their full name, most of their credit card number, and expiry date, which is against the guidelines of credit card providers. 
“If you top-up your card using an ATM card or credit card, the vending machine will ask you if you want a receipt. If you say yes, it actually prints two — and if you say no, it prints one anyway, with most of your credit card details on it.
“In many cases, people don’t realise a receipt has been issued, and simply walk away.”
Mr Bowen said that it was common to find numerous receipts left behind in the collection tray of Myki vending machines.
The PTUA believes there may be thousands such receipts left behind every day at Myki vending machines across Melbourne’s rail network, and at major tram stops and bus interchanges.
“We have raised this with the Transport Ticketing Authority in the past, but to no avail”, said Mr Bowen.
“The way the receipts work is completely illogical. It is at odds to what people expect, and what is common practice for other retailers.
“If someone says they don’t want a receipt, the system should not print them a receipt. If there is a requirement to print a receipt, then don’t offer people the choice.
“And these receipts should not reveal full names, card expiry dates and so much of the card number.
“The government must fix this – and in the meantime, passengers should be wary and check the collection tray at vending machines before leaving.”
While the PTUA believes Myki system reliability has improved since its introduction, Mr Bowen said that, apart from the receipt issue, there were still a number of areas where it needed to be improved:
* touch times must be consistently fast, and equipment more reliable;
* touch-on and touch-off should make different sounds, so that passengers do not have to stop and look at the readers to confirm the system has done the right thing;
* short term tickets, such as thermal printed tickets used in other cities with smartcard systems, should be available from vending machines, for occasional users ;
* monthly Pass costs should be reduced to encourage more people onto these fares – allowing more people to use the system without having to touch-off 
“We’re stuck with Myki now. But the government must make it work for passengers, ensure it does not become another hurdle for public transport users, and it must fix the illogical printing of unwanted receipts that compromise passenger privacy”, concluded Mr Bowen.
* * *
 See this image for a sample of receipts were found in Myki vending machine collection trays at Melbourne railway stations.
Mastercard Australia has the following guidelines for receipts:
The Cardholder and Merchant receipts generated by all electronic POS Terminals, whether attended or unattended, and all printed ATM receipts must omit the Card expiration date. In addition, the Cardholder receipt generated by all electronic POS Terminals, whether attended or unattended, and all printed ATM receipts must reflect only the last four (4) digits of the PAN.
Current Myki receipts do not conform to these guidelines.
 Perth uses ticket machines similar to Melbourne’s Myki vending machines to print paper tickets: www.flickr.com/photos/ptua/7582443954
 A PTUA study in February 2011 found that Melbourne’s monthly ticket prices are among the highest in the world, in comparison with daily fares. www.ptua.org.au/2011/02/21/monthly-tickets-expensive
* * *