Contactless on the tube and rail
In message , at 22:06:19 on Wed, 17 Sep
2014, Mizter T remarked:
(2) Using what (PCI DSS compliant) mechanism?
Huh? How does the suggestion I made differ from the current process which
records the entitlement on the Oyster card instead of in the back office?
The current process doesn't involve dealing with payment cards,
entering payment card information into a system and transmitting it
securely to a database. Once you start dealing with payment cards it's
a whole different scenario.
If you are worried about transmitting the card number then use the
customer's CPC account number instead (I presume that this institutional
paranoia about card numbers means it's not simply the card number).
Or use the card to buy a zero-pence "discount entitlement ticket" from a
machine (supervised by staff), at which point the mechanism already
exists to securely get the transaction sent to the right account in the
back office.
--
Roland Perry