Public transport system in my city has the following option for monthly subscription: you can register your DEBIT/CREDIT CARD in some sort of whitelist and use it on the doors to access the subway or buses.

They. Save. Your. Card.

↑↑ he said "whitelist"

SJWs ATTACK!!!

They are trying to solve the most untreatable problem in tech: how to make the new system retro-compatible with older versions of the humanware.

Seriously, public transport in many places still accepts cash just because old people cannot learn how to use apps to purchase stuff.
Reeeeally poor places may still have an excuse of "our folk is so poor they don't even have phones and data plans" but people this poor don't have credit cards, either.

So that's it, they will save your card so the next bloke that absconds with one of those card readers will have a field day using it's key to harvest the data and selling tens of thousands of credit cards on the dark web.

I guess a public transport operator could just store the hash of the card's NFC ID into their databases, increase a timestamped usage counter when you punch the card and make a deal with Visa and the other card clans to disregard PIN numbers.
But if freaking Sony won't bother, why would a regional public transport company?

@ostream they should be free to use, so the whole payment-thing doesn't even matter.

@tosensei taxes should be enough to pay for them

@JsonBoa there's an interesting thing somewhere about phone credit being used in place of cash, google "mobile money africa", phone numbers are the low infrastructure bank accounts.

@iSwimInTheC in germany, the savings from "eliminating everything that's part of the buying process" should be enough.

or alternatively, only a fraction of the money that automotive companies get shoved up their arse all the time.

Are they PCI compliant, or are they just tokenizing the payment method?

The former is a nightmare for both implementation and security. The latter is pretty easy, and relatively safe.

@jestdotty Eve lower tech than that. Pay as you go. You get a code to top up your phone from a shop, you can send that code via text to someone else. LowFi money transfer.

Where I live, you can check into most (all?) public transport using your debit (bank) card, without getting it registered. Now, if only it was an affordable means of transportation.

@Gazotey we used to have such option as well...

Can you see/edit the full card number online? if not, there might be a small glimmer of hope that they hash it instead of saving it in plaintext.
But I doubt you entered it though

@Awlex indeed, I didn't

Revolut + virtual card just for transport?
Our public transport moved to using cards as tokens and even did a co-op with card company to issue "blank"/anonymous cards for folks who dont want to associate their main payment card

@JsonBoa Using an app for everything makes your phone a spof. A value dense small handheld object with no guard, safety harness or proximity alarm made of glass that has a single battery, which you use for a lot of low priority tasks, but if it's unavailable you can't travel, pay, contact your friends, or identify yourself for administrative purposes.

No thanks, I'll stick to paper or plastic ID cards and passes and physical debit cards.

@lorentz admitedly my wallet is not made of glass nor has a single battery. But it is very time sensitive, since the cards in there have an average time-before-next-expiration of, like, 6 months maximum. A mission critical ID card might take *weeks* to replace. And has absolutely no password protection. If you live in a pickpocket-friendly place (EU comes to mind), having physical financial, legal and professional media with you at all times just makes for an even harder to replace and less safe SPOF

@JsonBoa Granted, theft is a comparable issue, though I think phones are stolen more often, specifically because people have more reasons to take them out and they're easier to appraise at a glance.

The card with 6 months expiration that takes weeks to replace sounds dystopian. I thought Hungary was a dysfunctional postsoviet country with excessive bureaucracy, but all IDs are either replaceable within the day or expire in 5 years.

It's also definitely true that physical cards can be stolen and abused, but any cards that enable a thief to spend money without identification can usually be disabled from your phone, so now the expectation that it's always available is required only for your failsafes, not for basic survival.