How Transit Systems Can Combat Fraud Without Blocking Virtual Cards

Aissam Errami

August 6, 2025

Every time a passenger taps in on public transport, there is an unspoken contract: they are trusted to pay for their journey, and the public transport operator is trusted to deliver it. That contract, however, is being quietly broken.

In systems like London's TfL and the Dutch NS OVPay system, fraudsters have found a way to ride for free. By exploiting deferred payment models and generating temporary virtual cards in their digital wallets, they check in, complete their journey, and delete the card before the fare is ever charged.

The result? A valid ride for them, a silent revenue loss for the public transport operator.

This is not just a flaw in payment design; it is a direct misuse of public funds and services. And while the way many public transport operators are responding, by blocking entire payment providers like Revolut or Paysafe, may stop the fraud, it punishes thousands of legitimate passengers who are forced to revert to less desirable payment alternatives, turning what was supposed to be a seamless payment experience into a frustrating and complicated one.

There is a better way to stop fraudsters without making honest passengers collateral damage.

How This Fraud Works and Why It Slips Through the Cracks

The fraud itself is pretty simple. Digital wallets like Revolut, Paysafe, and Vivid allow users to create temporary virtual debit cards. These cards behave like any other payment card when tapping in and out of public transport.

Because many transit systems use deferred payment models, the fare is not deducted immediately. The transaction is settled later, often during overnight batch processing. This is done to keep boarding fast and seamless for passengers.

Fraudsters exploit this timing gap. They generate a virtual card, use it for their journey, and then delete the card from their wallet app before the fare is collected. From the system's perspective, the tap-in is valid. Ticket inspectors see a legitimate check-in. The fraud is invisible until much later, when the payment attempt fails.

This misuse is often referred to as retokenisation fraud. It is not theoretical; public transport operators are now dealing with this at scale, losing revenue every day.

The problem lies in how these digital cards are tokenised and how the current payment infrastructure handles deferred charges. Once the token is gone, so is the public transport operator's ability to collect payment, and since the fraudster presented a valid ticket during the journey, traditional enforcement methods cannot catch them in the act.

Why Blunt Bans, Like Blocking Virtual Cards, Hurt More Than They Help

Faced with growing losses, some public transport operators have adopted a defensive solution: blocking entire ranges of cards from providers such as Revolut, Paysafe, and Vivid. From a distance, this seems like a reasonable response. If a particular type of card is frequently linked to fraud, stop accepting it.

The problem is that this approach does not distinguish between fraudsters and legitimate passengers. It treats every user of these services as a potential risk. For thousands of honest passengers who rely on these digital wallets, especially younger passengers and international visitors, this means losing access to public transport or being forced to use less convenient payment alternatives.

Public transport operators are investing heavily in tap-and-go (Contactless EMV) technology to eliminate payment friction and create truly universal access. Yet banning cards from popular providers like Revolut, Paysafe, and Vivid does precisely the opposite. It replaces universal acceptance with payment exclusion, reintroduces the very friction public transport operators sought to eliminate, and creates confusion and frustration when passengers discover their preferred payment method no longer works.

Public transport is a public service. It must remain open and accessible. Fraud prevention that results in locking out entire user populations is not a long-term solution. It is a blunt instrument that may reduce fraud for now, but it damages trust and excludes the very people these systems are meant to serve.

Preventing fraud should not come at the expense of unfairly penalising honest passengers. What public transport operators need is precision, a way to block fraudulent behaviour at the account level without disrupting the travel experience for everyone else.

Stopping Fraudsters Without Punishing Passengers: A Smarter Approach

At XPP, we believe fraud prevention should be precise, not punitive. The answer is not to block entire payment providers, but to target fraudsters directly, regardless of how many virtual cards they create or how often they retokenise.

Our approach is built on layered fraud detection that looks beyond card numbers. We analyse patterns in how cards are used, the types of cards presented, the issuers behind them, and how tokens are generated and refreshed. Every transaction is assessed in context, drawing on these data points to distinguish between legitimate travellers and those attempting to exploit the system.

At the heart of this approach is the Payment Account Reference (PAR). PAR is a unique identifier that links all cards, virtual or physical, to the same underlying bank account. Even when a fraudster deletes a virtual card and generates a new one, the PAR remains constant. It provides a privacy-friendly way to connect different tokens and cards back to a single account without exposing sensitive card data. This provides public transport operators with a reliable method to recognise and block fraudulent accounts, regardless of how many times the fraudster tries to disguise their identity.

By using multiple data points, including PAR, public transport operators can prevent a fraudster from returning under a new physical or virtual card while leaving honest passengers unaffected. Once a fraudulent account is flagged, it is blocked until the outstanding fare is repaid. The fraudster cannot simply reset and repeat the process.

Putting Control Back in the Hands of Public Transport Operators

No two public transport operators face the same challenges. Fraud patterns vary by geography, payment habits, and rider demographics. That is why fraud prevention cannot be a rigid, one-size-fits-all solution.

We believe public transport operators should have full control over their fraud mitigation strategies. Our Vayapay Smart Payment Platform gives public transport operators the tools to configure how fraud is detected, how deny lists are applied, and what actions are taken when suspicious behaviour is identified.

Public transport operators can decide which data points to use for blocking, such as PAR, PAN patterns, BIN ranges, or card product types. They can set how aggressive or lenient their deny lists should be, based on their specific risk appetite. Whether they choose soft interventions, such as alerts or fare reminders, or immediate access blocks, the decision remains in their hands.

This configurability means public transport operators are no longer forced into extreme measures, such as blocking entire providers. They can respond to fraud with precision, making decisions that align with their operational needs and passenger expectations.
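The sketch below illustrates the PAR-keyed blocking and the operator-configurable deny list described above. It is an added example, not Vayapay's code: the class names, fields and policy values are hypothetical, the token and PAR strings are constructed, and it assumes the PAR is available with each tap and falls back to the token when it is not.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class Tap:
    token: str            # token / virtual card number presented at the gate
    par: Optional[str]    # Payment Account Reference, when one is supplied

@dataclass
class DenyList:
    use_par: bool = True                    # False = classic card-number deny list
    tolerance: Decimal = Decimal("0.00")    # unpaid amount tolerated before acting
    action: str = "block"                   # or "alert" for a soft intervention
    owed: dict = field(default_factory=dict)

    def key(self, tap: Tap):
        # Key on PAR so every token of one account shares a single record;
        # fall back to the token itself when no PAR is present.
        if self.use_par and tap.par:
            return ("par", tap.par)
        return ("token", tap.token)

    def settlement_failed(self, tap: Tap, fare: Decimal) -> None:
        k = self.key(tap)
        self.owed[k] = self.owed.get(k, Decimal("0")) + fare

    def repaid(self, tap: Tap, amount: Decimal) -> None:
        k = self.key(tap)
        self.owed[k] = max(self.owed.get(k, Decimal("0")) - amount, Decimal("0"))

    def decide(self, tap: Tap) -> str:
        owed = self.owed.get(self.key(tap), Decimal("0"))
        return self.action if owed > self.tolerance else "accept"

def replay(deny: DenyList) -> list:
    # Constructed sample data: two tokens of one account, plus an unrelated passenger.
    first = Tap("token-0001", "PAR-ACCOUNT-A")
    fresh = Tap("token-0002", "PAR-ACCOUNT-A")   # new virtual card, same account
    other = Tap("token-0003", "PAR-ACCOUNT-B")   # same wallet provider, other account
    out = [deny.decide(first)]
    deny.settlement_failed(first, Decimal("4.20"))   # deferred charge fails overnight
    out += [deny.decide(fresh), deny.decide(other)]
    deny.repaid(fresh, Decimal("4.20"))              # outstanding fare settled
    out.append(deny.decide(fresh))
    return out
```

Replaying the same taps with `DenyList(use_par=False)` accepts the fresh token, which is the gap a card-number-only deny list leaves open; the unrelated passenger on the same wallet provider is accepted in both configurations.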

Fraud prevention should be driven by policy, supported by real-time insights, and enforced instantly to maintain both security and accessibility. The technology stack must serve this approach, not constrain it.

Conclusion: The Future of Public Transport Relies on Precise and Responsible Fraud Control

Public transport is built on trust. It is a public service, funded and maintained for the benefit of all. When fraudsters exploit system gaps, it is not just public transport operators who lose revenue; it is the public who pays the price.

As payment methods evolve, so must the tools we use to protect the integrity of fare collection. Deferred settlement models will continue to be essential for a fast and seamless passenger experience. But they demand fraud controls that are as dynamic and adaptable as the threats they face.

Blunt measures, such as blocking entire payment providers, are not sustainable. They undermine the accessibility and openness that public transport systems are designed to offer. What public transport operators need is precision, the ability to respond decisively to fraud without penalising legitimate passengers.

Our Vayapay Smart Payment Platform provides the infrastructure that enables public transport operators to do exactly that. By combining multiple data points, including PAN, BIN, card type, token usage, and PAR, into a layered fraud mitigation strategy, we provide public transport operators with the control and clarity needed to protect their revenue, maintain trust, and keep their systems open to the public.

Fraud prevention in public transport should not be about exclusion. It should be about control, responsibility, and precision. That is how Vayapay safeguards the integrity of public funds and ensures that the rider experience remains seamless for everyone.
