Case

Translink securely bringing OV transactions to the public cloud

Translink emerged in 2001 with the aim of developing a single payment system for the entire Dutch public transport system. The company now processes an average of over 7.75 million OV-chipkaart transactions every day. In order to improve access to public transport further, Translink was looking for more flexibility in a scalable, yet highly secure, IT environment. They found the solution in a gradual and managed transition of services to the public cloud with Solvinity.

Ambitions and challenges

Simple and smooth innovation, such as the replacement of a chipkaart with personal payment methods
Managing peak loads with a scalable solution
Maintaining control over a technically complex system that is highly outsourced
Meeting all major security and reliability requirements for payment transactions

Solutions

Hosting all mobility solutions and the customer contact centre (2011)
Office365 license management (2016)
OS renewal process (2018)
Gradual transformation of services to public Azure cloud (2019)
PCI DSS certification for EMV-based IDBT (2021)

Results of the partnership

95% of services now go to private/public/hybrid cloud

IDBT pilot at Keolis and Arriva

15% cost savings in 2020

60% fewer support calls since 2017

85% fewer critical/high incidents since 2017

Towards greater flexibility and innovation

The way the Dutch can pay for public transport anywhere in the country with one OV-chipkaart is unique in the world. But no matter how fantastic the solution is, it’s not perfect, according to Ted Straathof, Manager Operations at Translink. Translink therefore wants to move towards a more flexible solution that provides travellers and transport operators with more options, both now and in the future.

Translink wishes to bring the processing of OV transactions to the public cloud in a responsible way to handle the inevitable peak loads in public transport in a flexible way and make innovation significantly easier, like travellers being able to pay with their own means, such as their bank card, phone or smartwatch. In addition, underlying systems are being standardised as much as possible, preferably to public cloud.

At the same time, Translink itself has expressed the wish to remain in control of a technically complex system that, despite being largely outsourced, still meets all essential requirements for security and reliability.

Secure outsourcing

Translink has been working with Solvinity for almost ten years now. In 2011, Solvinity transferred the majority of Translink’s IT operations to its own private data centres, with the move to the public cloud commencing in 2019.

One of Solvinity’s major responsibilities is security. In order to be able to use the international EMV standard (of Europay, Mastercard and Visa), the systems and infrastructure for the Identity Based Ticketing environment (IDBT) need to comply with the Payment Card Industry Data Security Standard (PCI DSS) certification, which is fighting payment card fraud.

“Solvinity already complies with strict SOC 2 requirements in terms of information security, and has stringent regulations for the safe handling of data,” says Potappel. Continuous hardening, security by design, infrastructure segmentation and a strict update and patch policy are standard at Solvinity.

We were looking for an experienced partner of similar size, with whom we could work together towards further developing our services.

TED STRAATHOF

Manager Operations - Translink

Moving to the cloud together

Solvinity is gradually moving an increasing amount of Translink services from its own private cloud environment to the public cloud. “In consultation with Solvinity, we have opted for Azure, but we aren’t tied to it”, says Potappel. “We want to retain the flexibility to make other choices if we need to in the future”.

The advice that Solvinity provides carries a lot of weight, Straathof adds. “We were looking for an experienced partner of similar size, with whom we could work together towards further developing our services.” Both he and Potappel compare the partnership to a marriage: “As in any relationship, there are ups and downs, but you choose each other because you can achieve something together,” says Straathof.

We have worked hard on good communication, from management to implementation. “Our partnership has become closer and closer and Solvinity deserves a lot of credit for that. We regularly consult at all levels and visit each other frequently (mainly digitally in Corona times) – a deliberate choice that keeps us well informed and helps us understand each other better.

When it comes to security they know what they're doing at Solvinity. It gives us the confidence that we've taken adequate and appropriate security measures, which is perhaps the most important thing.

MARTIN POTAPPEL

CISO - Translink

Transparency brings results

With the convenient CloudBilling invoicing system, Solvinity provides insight into the services and products that are being purchased and consumed, not only at Solvinity, but also from other suppliers and service providers. Making a conscious choice for the right migration has led to huge gains in efficiency, which in the past year have delivered cost savings of 15%,” says Straathof.

Equally important is the significant improvement in the quality of the service, notes Martijn van de Veen, Delivery Manager IT Operations at Translink. “Since 2017, the number of calls to Solvinity has more than halved. Of course, the number of incidents will never be zero, but the fact that we’ve been able to reduce these by almost 60% is very important for us.”

As CISO, Potappel is particularly pleased that, with Solvinity, he has a partner who understands the importance of security. “Compliance, certifications and monitoring are essential, but so too is going into detail with experts. When it comes to security, they know what they’re doing at Solvinity.” The ‘journey to the cloud’ is exciting in all respects for a public organisation like Translink. Potappel: “Solvinity gives us the confidence that we’ve taken adequate and appropriate security measures, which is perhaps the most important thing.”