We recently completed a research effort for the Reason Foundation, “Dispelling the Myths – Toll and Fuel Tax Collection Costs in the 21st Century”, that investigated the collection costs of tolls and motor fuel taxes. Our findings suggested that all electronic tolling (AET) can be very cost effective compared to increasing taxes. How? By rethinking the way we do things.

A Case Study Approach
Since the toll industry has been going through a period of rapid change and collection cost data are difficult to interpret, we studied three all electronic toll (AET) operations (the new norm) that have been successful in reducing toll collection costs to identify commonalities:

• Colorado Department of Transportation (CDOT) I-25 Managed Lanes
• Fort Bend County Toll Road Authority (FBCTRA), and
• Tampa-Hillsborough Expressway Authority (THEA).

All are all relatively small operations. Tolls charged on each facility are toward the low end of the range typically encountered on today’s modern urban toll roads; and, CDOT’s and THEA’s express lanes are reversible – open to customers in only one direction at a time. These characteristics suggest that their cost of collections should be higher than those encountered elsewhere. However, all three agencies have achieved operating cost efficiencies that many larger toll operators have not yet obtained. The methods by which they have accomplished this offer a glimpse into AET best practices.

Our Findings
First, we must recognize that all three of toll authorities are relatively new and were not saddled with operations plans and business rules developed when automatic coin machines were considered new technology. Second, they were also not burdened with high labor costs from legacy operations. They were thus in a position where they could easily engineer their systems and operations for the future, not the past. However, there are several discriminators that should be stressed. Specifically, all three agencies:

• Focused on minimizing operating costs and reducing risks;

• Contracted with nearby toll authorities for account management and transaction processing services; and,

• Avoided establishing a large, full-time administrative staff and the infrastructure necessary to house that staff by outsourcing many of their management functions.

By starting with an operations plan consistent with current technology and rethinking how a toll agency can be structured and managed, these toll authorities have achieved operating efficiencies that would be otherwise unreachable. A critical part of their success has been via implementation of the classic make/buy analysis for all services required.

In fact, FBCTRA is, literally, a virtual authority that has outsourced its management functions to a vendor – enabling them to eliminate their facility costs and reduce their management costs to an absolute minimum. Another benefit of this approach is flexibility. FBCTRA’s Board could replace its management team if ever found reason to do so – an option usually not available to those ultimately responsible.

For more information on how to make your toll operation more efficient, please contact us at

http://www.etransgroup.com/contact

Thank you.

© 2014 The eTrans Group, Inc.

Hackers that attacked point-of-sale terminals at Target stores captured personal data of more than 70 million Target shoppers during the recent holiday season; and, Target was not the only retailer attacked. Nieman Marcus also appears to have been subject to a similar siege. IntelCrawler, a cyber intelligence firm, recently suggested that there are several other U.S. merchants currently plagued by similar malicious software.

How Does This Affect Us in the Tolling Industry?
AET systems require extensive payment card processing. Since tolling is considered politically incorrect by some, toll operations may be at greater risk compared to other, less visible targets. Therefore, it may not be a matter of if the toll industry will be subject to an attack, but when.

The direct cost of a data breach, estimated to be over $3 Billion to Target, could be significant. However, the direct cost may be small compared to the loss in public confidence. A major breach at one toll facility could quickly cascade and become a public relations nightmare for the entire industry.

Industry Security Standards
All major credit card processors must meet data security standards established by the Payment Card Industry Security Standards Council. The Payment Card Industry Data Security Standard (PCI DSS) was created to increase controls on cardholder data to reduce credit card fraud. Compliance is verified annually. Large volume processors are required to have an external Qualified Security Assessor review their systems and operations and prepare a Report on Compliance, which may include a list of improvements that must be implemented to minimize the risks associated with a breach in security.

How Could A Data Security Breach Happen?
PCI DSS establish a baseline for data security requirements. Thus an operation can be PCI DSS compliant and still not be secure. PCI DSS compliance comprises a series of high-level concepts that allow operators the flexibility to implement the most appropriate security controls for their environment that meet the intent of the standards. Also, PCI DSS verification is a process that occurs at a point in time. It is the responsibility of the operator to sustain compliance throughout the year. Rapidly changing technology and an increasingly aggressive group of people intent on defrauding the system make this an ever increasing challenge.

What Should We Do?
We should be aggressively managing data security issues. In addition to meeting minimum PCI DSS standards, we should strive to achieve higher security levels than those mandated, including:

• conducting an immediate review of all operating policies and procedures and correcting any short-falls identified

• retaining a data security expert to stress test current systems and operations

• upgrading systems and modifying operations policies and procedures where recommended

• verifying that upgrades and modifications were successful, and

• periodically (at least bi-annually) reviewing/stressing our systems and operations to ensure that data security requirements are being sustained.

Other suggestions on how best to manage this challenge are welcome.

© 2014 The eTrans Group, Inc.