Developing Payment Applications with RhoMobile Suites. Prashanth Kadur Software Architect

Academic year: 2021


(1)

Developing Payment Applications with RhoMobile Suites

Prashanth Kadur

(2)

Agenda

• Understanding Payment
• MPM-100 (Motorola’s Payment Device)
• Developing Payment Applications using RhoMobile Suites
• Our Vision…

(3)
(4)

Understanding Payment: Overview

Scan & price check → Swipe → Capture signature or PIN → Authorize payment → Print receipt

(5)

Understanding Payment: Terminologies for Mobile Payment

• MPM-100: also referred to as MPM, Reader, Terminal or Payment Device. MPM-100 was released recently!
• Motorola Device: also referred to as Mobile Device or Mobile Computer
• Communication between the MPM-100 and the Motorola Device: Bluetooth
• Communication between the Motorola Device and the Gateway, Acquirers and Card Network: WiFi or WAN

(6)

Understanding Payment: MagStripe

• Magstripe cards are used for several purposes including identification (driver’s license) and payment (finance).
• Normally there are 3 tracks of data, carrying information such as account number, account holder name and expiration date.
• Can be used for credit as well as debit transactions.
• Not very secure. Susceptible to fraud.

(7)

Understanding Payment: EMV

• EMV (Europay, Mastercard and VISA) is a global standard for credit and debit payment cards based on chip card technology.
• Also called “IC card”, “smart card” and “Chip & PIN”.
• Contains an embedded microprocessor that provides security and capabilities beyond what a magstripe card can provide.

(8)

Understanding Payment: Advantages of EMV

• More secure than the data encoded on the back of the magstripe card:
  • dynamic cryptogram protects against data skimming
  • usage restrictions such as international use prohibitions are enforced
  • offline authorization: PIN capability protects against lost and stolen card fraud
  • limits on offline activity protect against credit overruns and fraud
• Supports enhanced cardholder verification methods
• Stores more data than the magstripe

(9)

Understanding Payment: Advantages of EMV (continued)

• Chip can perform the following:
  • Payment applications are resident on the chip
  • Stores information securely
  • Performs cryptographic processing
• Two means of making connection with readers:
  • Contact: requires physical contact, usually by inserting the card
  • Contactless: card (or mobile phone) must come into proximity of the reader. Max 4 cm.
• If a card has a chip, the reader may refuse to accept the magstripe swipe of the card

(10)

Understanding Payment: Contact & Contactless EMV Readers

• Contact: requires the card to remain in contact with the reader for the duration of the transaction
• Contactless: minimizes the amount of time the card is held close to the reader
• Contactless: some transactions such as online authorization may be done after the card has left the proximity

(11)

Understanding Payment: How EMV works

• In magstripe, after reading the card, the card is no longer needed
• In EMV, the card data is read and then rules set by the card issuer are enforced:
  • Offline data authentication
  • Card holder verification via PIN or signature
  • Online authorization
  • And several others…
• Issuing bank dictates which of the rules are enforced for the current transaction
• If the reader (terminal) is incapable of performing any rule requested by the chip, the chip may decline

(12)

Understanding Payment: How EMV works (transaction flow)

• Initiate Communication: Reader begins communicating with chip.
• Select Application: Chip and Reader identify the common app to work with. Selected app is initiated.
• Read Data: Reader reads card data from chip.
• Offline authentication: SDA, DDA or CDA (Static, Dynamic or Combined Data Authentication).
• Verify Rules: Verify if rules set by issuer allow chip to process the requested transaction.
• Verify Cardholder: Method specified by issuer and supported by reader. Sign, online/offline PIN, CVM.
• Risk analysis and action on reader: Reader analyses risks, decides to go online/offline.
• Decision by chip: Chip responds to reader and decides to go online, offline accept or offline reject.
• Process online bank transaction: Reader builds an online request package (request for authentication & authorization) and sends it to the acquirer. Contactless: occurs after the card has left proximity.
• Complete Transaction: Request chip to complete transaction. Optionally issuer may set new or modify existing rules via script commands. Contactless: no modification to rules.

(13)

Understanding Payment: How Online Bank Transaction Works

• Determine amount: Merchant scans items, does price checks and determines the total amount
• Display amount & ask approval: Display the amount on the payment device and ask customer for approval
• Read Card Data: Customer swipes, inserts or taps card on the payment device.
• Enter PIN: Customer enters PIN for debit
• Encrypt Data: PIN and card data are encrypted
• Send Request to Acquirer: Request is sent to the acquirer for approval.
• Send request to card network: Acquirer sends request to card network (VISA, MC, AMEX…)
• Send Request to Issuing Bank: Card network sends the request to issuing bank (Chase, First Bank of America..)

(14)

Understanding Payment: How Online Bank Transaction Works (continued…)

• Issuing Bank checks for funds and responds: Issuer bank checks for funds and sends approval to the card network
• Send response to Acquirer: Card network sends approval to Acquirer
• Send response to Merchant: Acquirer sends approval to merchant
• Capture Signature: Merchant obtains customer signature for credit
• Complete Sale: Merchant completes sale.
• Print Receipt: Customer gets receipt/e-receipt
• End of transaction

(15)

Understanding Payment: Fees

Customer pays Issuing Bank ($$$) → Issuing Bank takes its fee ($$$) → Card Network takes its fee ($$$) → Acquirer takes its fees ($$$) → Merchant gets paid

(16)

Understanding Payment

EMV Adoption

(17)
(18)

MPM-100

WHO USES IT
• Retail: Store mgrs, customer facing associates
• Hospitality: Tableside, concessions, entertainment
• Transportation & Delivery: Couriers, trains, planes, ticket reading
• Field Service: Repair and maintenance, home or office
• Government / Public: Citations, parking, Identification

WHAT DOES IT DO
• Accepts credit, debit, smart card and NFC enabled cards and phone payments
• Encrypts transaction data “at the swipe/insert/tap”

Motorola Devices Supported
• The transaction data is transferred from the MPM over a Bluetooth connection to Windows Mobile and Android based Motorola devices

(19)

MPM-100: Specifications

• Vx Platform Architecture & EMV applications
• Models – Supports Windows Mobile & Android
• Display – 128x32 LCD
• PIN Pad – PCI 3.0 capacitive touch PIN pad
• MSR with Triple-track head
• Landed PSCR with 2 Secure Access Modules
• Battery powered – >8 hour operation
• Contactless Reader
• Five-slot charging cradle
• PCI 3.0 EMV 4.x, other regional certs
• Security certifications as required
• Encryption preloaded

Hardware callouts on the slide: Smart Card Reader; 128x32 LCD Display; CTLS LEDs; Power Button; MSR Reader; CTLS / NFC Antenna; Capacitive Touch PCI 3.0 PIN Pad; Gang Charging Connectors; MicroUSB Data/Power Charge Port; Removable 1380 mAh Battery (in rear); Integrated Bluetooth 3.0 module

(20)

MPM-100: MagStripe vs Smart card/Chip&PIN vs Contactless/NFC

MagStripe
• Use only in the United States
• Old Technology
• Easy to counterfeit
• Low cost solution
• Can be used for debit and credit
• When used for debit, requires a separate keypad for PIN entry

Smart card/Chip&PIN
• Use everywhere except the United States.
• Modern Technology
• Hard to counterfeit
• Think of the chip as a PC without a keyboard or display
• Low cost solution, but not as inexpensive as the MSR solution
• Can be used for debit and credit
• When used for debit, requires a separate keypad for PIN entry

Contactless/NFC
• Near Field Communications “NFC”
• Use everywhere in the World
• Works in all weather environments
• Modern Technology
• Hard to counterfeit
• Generally used for Low Dollar, High Volume transactions: Fast Food, Donut Shops, Coffee Shops…etc…
• Low cost solution, but not as inexpensive as the MSR solution
• Can be used for debit and credit
• When used for debit, requires a separate keypad for PIN entry

(21)

MPM-100: Communication with Mobile Device

• Communication between the MPM and the Mobile Device is Bluetooth
  • Bluetooth Specification 3.0
  • SPP Profile
• Windows Mobile
  • Microsoft Stack
  • Stonestreet Stack
• Android
  • BlueZ Stack

(22)

MPM-100: Configuring Mobile Device

• Before accessing MPM from RE, you must manually pair. Without pairing, the app will not communicate with MPM.
• On WM, use “Settings->Connections->Bluetooth” for accessing pairing.
• On Android devices, use “Settings->Wireless & network settings->Bluetooth”.
• The Bluetooth address of the MPM device starts with “MPM-“.
• Only one MPM per Mobile Device can be used at a time.

(23)

MPM-100: Fraud Prevention

• MPM has special hardware and software to do encryption
• Encryption is done on the MPM device
• Encrypted data goes all the way to the bank
• Only the bank knows how to decrypt
• The encryption system requires an initial number (“Seed Number”) on which to base the encryption algorithm
  • The Seed Number is provided by the Bank
  • The operation of putting the Seed Number into the device is called “Key Injection”
  • Key Injection can only be performed in a special certified room. Motorola has special certified rooms
• If the MPM senses attempts to break in and obtain the seed number, it wipes the seed number within 300ms

(24)

MPM-100: Certification

• Every Country has its own transaction network and rules
• In order to use a new payment device, every Country requires certification of the payment device for its network
• This ensures the device:
  • Communicates properly on the network
  • Doesn’t interfere with other transactions on the network
  • Doesn’t intercept other transactions
• In addition, there are two worldwide certifications:
  • PCI “Payment Card Industry”

(25)

MPM-100: Certification (continued)

• It’s up to the manufacturer to certify the payment device. Motorola certifies their payment devices. But your payment app may still require certification.
• The payment device is sent to an independent lab for testing and the result report is sent to the certification body
• Some Countries accept International certification as the only certification required.
• Other Countries require In-Country certification
• Still other Countries require In-Country and Bank specific certification
• There is no “Universal” rule

(26)
(27)

Developing Payment Application: Tools

• Motorola RhoMobile Suite v2.1 supports development of applications to target MPM-100.
• EMDK for .NET. Currently .NET support for MPM is not available. Tentatively available in Q2 2013.
• EMDK for C. No plans for C/C++ support for MPM.

(28)

Developing Payment Application: RhoMobile Suite

Motorola RhoMobile Suite v2.0 allows you to create flexible, OS-independent, hardware-agnostic applications that look, feel and act the same on every supported device. You can rapidly create robust mobile applications that can include a wide range of advanced data capture capabilities.

• RhoMobile Suite comprises the following:
  • RhoElements: allows creating flexible applications that look, feel and act the same on every supported device.
  • RhoConnect: the easy, fast way to connect mobile applications to business data; ensures users can access that data.
  • RhoStudio: its fully-featured simulator allows you to quickly test and debug cross-platform applications on one computer.
• Use RhoElements for developing applications to target MPM-100

(29)

Developing Payment Application: RhoElements for MPM

• RhoElements is built on Motorola’s WebKit rendering engine.
• RhoElements enables software developers to develop rich mobile apps using the latest HTML5 and CSS standards.
• Applications can be written to include a wide range of functions including barcode scanning, signature capture, printing and more.
• RhoElements supports a set of JavaScript functions for accessing the MPM device and performing payment transactions.
• Help distributed with RhoElements does not contain MPM documentation.
• Customers are required to contact Motorola TAs for documentation on MPM.
• Using MPM functions requires a passcode. Request it from your Motorola TA.
• MPM Help documentation describes payment functions and also contains a programmer guide section.
• The programmer guide section provides helpful hints for designing payment apps in RhoElements.

(30)

Developing Payment Application: Software Solution - Architecture

Components of the architecture diagram:
• Customer Rho Application
• Customer-created Country/Bank Specific Code
• Customer Payment Gateway
• Independent Acquirers, reached over WiFi / WAN
• Inventory, Price Check
• .NET on WM, Java on Android (currently not available)

(31)

Developing Payment Application: What you can do using RhoMobile Suite

• You can use all the features available in RhoMobile to write your payment app
• Scan items
• Take pictures of the item (returns?)
• Connect to MPM using RhoElements
• Display message and prompt menu on MPM
• Allow customers to swipe, insert or tap the card on MPM
• Allow customer to enter PIN on MPM
• Obtain card data (both encrypted and clear) from MPM
• Write to the smartcard once the bank response is received
• Capture Signature on mobile device

(32)

Developing Payment Application: What your application must do

• Currently, RhoElements does not offer any feature to perform country specific requirements. You must have detailed knowledge of these requirements.
• You must write your own process to create and pass the payment package to the Acquirer gateway.
• You must have detailed knowledge of the Acquirer requirements and their interfaces.
• You must understand all the certification requirements for all countries in which you wish to operate. You must certify your payment applications, if necessary.
• Once the bank response is received, your application must know how to read the bank response and do post-payment writes to the smartcard. We provide a number of functions for this purpose.

(33)

Developing Payment Application: RhoElements APIs – Data Event

• Methods and events available for MPM can be accessed using the ‘mpm’ JavaScript object. For example:

mpm.open("passcode", "COM5");

• There are about 20 functions available for performing tasks on MPM.
• All functions return their response in the DataEvent callback.
• Before making any calls, set the DataEvent as follows:

mpm.DataEvent = "url('JavaScript:dataEventFunction('%s','%s');')";

• DataEvent can call back a function on the same page or on a different page (by providing a new URL). When a new URL is provided, navigation occurs automatically.
• Two strings are passed to the DataEvent, either directly or as JSON objects:
  • data – Data returned for the corresponding method call
  • function – Identifies the function for which the response is returned.

function dataEventFunction(data, method) {
    // 'method' names the mpm function that produced this response;
    // 'data' carries the result (or error) for that call
}

(34)

Developing Payment Application: RhoElements APIs – Functions

Open()
• Manually pair. Open MPM before calling any other function:

mpm.open("passcode", "COM5");

• Comport is ignored on Android
• Requires a valid passcode. Contact Motorola TA.
• Success or failure message is returned in DataEvent

Closing the port
• Closes port and disconnects the MPM device.
• This call does not unpair. Unpair manually.

(35)

Developing Payment Application: RhoElements APIs – Functions

EnableKeypad() / DisableKeypad()
• Enable keypad on MPM each time before calling functions such as readcarddata() and promptpin(), which require user input
• Disable keypad.

EnableKeybeep() / DisableKeybeep()
• Enables keybeep on MPM device. Requires enabling each time
• Disables key beeps.

(36)

Developing Payment Application: RhoElements APIs – Functions

Readcarddata()
• Prepares MPM for a card read
• Swipe (MagStripe), insert (smart cards) or tap (contactless)
• Syntax: readcarddata(Amount, OtherAmount, ReadMode)
• Data returned in DataEvent as one pipe-delimited string:

“AccountNumber=<AccountNumber>|CardHolderName=<CardHolderName>|ExpiryDate=<ExpiryDate>|Track1Data=<Track1Data>|Track2Data=<Track2Data>|Track3Data=<Track3Data>|AID=<AID>|AppLabel=<AppLabel>|AppPreferredName=<AppPreferredName>|ServiceCode=<ServiceCode>|EMVTags=TagIDs=<value>|<value>|<value>|Values=<value>|<value>|<value>”
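The readcarddata() response is a single pipe-delimited string, and its EMVTags field itself contains pipes, so a naive split on "|" mis-reads the tag lists as extra fields. The parser below is an added example, not code from the RhoElements MPM documentation or from Motorola: the sample record, the test PAN and the EMV tag values are constructed, and the PAN-masking helper is a defensive practice this deck does not describe.

```javascript
// Added example (not RhoElements code): parse the "Key=Value|Key=Value|...|
// EMVTags=TagIDs=a|b|c|Values=x|y|z" record that readcarddata() delivers to
// the DataEvent callback, and mask the PAN before it reaches logs or receipts.

// Constructed sample in the slide's format. The PAN is a well-known test
// number; every other value is made up for illustration.
const SAMPLE_CARD_DATA =
  "AccountNumber=4111111111111111|CardHolderName=DOE/JANE|ExpiryDate=2512" +
  "|Track1Data=<encrypted>|Track2Data=<encrypted>|Track3Data=" +
  "|AID=A0000000031010|AppLabel=VISA CREDIT|AppPreferredName=VISA" +
  "|ServiceCode=201|EMVTags=TagIDs=9F26|9F27|9F36|Values=1A2B3C4D5E6F7081|80|003C";

// Split the record into plain fields plus a tag map. The EMVTags field is cut
// off before the generic split because it contains '|' separators itself.
function parseCardData(record) {
  const result = { fields: {}, emvTags: {} };
  const marker = "|EMVTags=";
  let head = record;
  let tagPart = null;
  const idx = record.indexOf(marker);
  if (idx !== -1) {
    head = record.slice(0, idx);
    tagPart = record.slice(idx + marker.length);
  }
  for (const item of head.split("|")) {
    const eq = item.indexOf("=");
    if (eq === -1) continue;                      // skip malformed items
    result.fields[item.slice(0, eq)] = item.slice(eq + 1);
  }
  if (tagPart !== null) result.emvTags = parseEmvTags(tagPart);
  return result;
}

// "TagIDs=a|b|c|Values=x|y|z" -> { a: x, b: y, c: z }. The two lists are
// positional, so a length mismatch is an error rather than a silent mis-pairing.
function parseEmvTags(tagPart) {
  const m = /^TagIDs=(.*)\|Values=(.*)$/.exec(tagPart);
  if (!m) throw new Error("EMVTags field is malformed");
  const ids = m[1] === "" ? [] : m[1].split("|");
  const values = m[2] === "" ? [] : m[2].split("|");
  if (ids.length !== values.length) {
    throw new Error("EMVTags: " + ids.length + " tag IDs but " + values.length + " values");
  }
  const tags = {};
  ids.forEach((id, i) => { tags[id] = values[i]; });
  return tags;
}

// Keep only the last four digits of the PAN for display and logging.
function maskPan(pan) {
  if (typeof pan !== "string" || pan.length < 4) return "****";
  return "*".repeat(pan.length - 4) + pan.slice(-4);
}

const parsed = parseCardData(SAMPLE_CARD_DATA);
console.log(maskPan(parsed.fields.AccountNumber), parsed.emvTags);
```

Because the deck says readcarddata() can return card data in the clear, the masked form is what an application should keep for receipts and diagnostics; the full PAN should only travel inside the encrypted request package described on the earlier slides.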

(37)

Developing Payment Application: RhoElements APIs – Functions

PromptPIN()
• Prepares MPM for accepting PIN entry
• Encrypts PIN
• Syntax parameters:
  • AccountNumber
  • MinPINLength
  • MaxPINLength
  • PinRequired – Allow empty PIN
  • Message1
  • Message2
  • ProcessingMessage

(38)

Developing Payment Application: RhoElements APIs – Functions

Promptmenu()
• Displays two lines of messages on MPM
• Provides a menu with a maximum of 4 choices.
• Returns the selection in the DataEvent
• Max of 18 chars on each line (Message + Choice)

Promptadditionalinfo()
• Multiple transactions combined into one:
  • Prompts the user to confirm amount
  • Prompts user to confirm surcharge
  • Prompts user to enter TIP
  • Prompts user to enter cashback
• Returns user input in DataEvent

(39)

Developing Payment Application: RhoElements APIs – Functions

Promptmessage()
• Displays up to 4 lines of messages on MPM
• Can be used for getting confirmation such as OK and Cancel
• Returns the selection in the DataEvent

Cancelprevmethod()
• Cancels previously issued method

Welcome screen
• Displays welcome screen on MPM

MAC computation
• Accepts data to be MAC’ed using ANSI x9.91 standard and MAC Working Key.
• Used for MAC’ing credit transactions when MPM supports both credit and debit

(40)

Developing Payment Application: RhoElements APIs – Functions

Validatemac()
• Validates the response MAC
• Displays any authorization messages returned by the host

Completeonlineemv()
• Completes online EMV transaction
• Host decision is sent to MPM
• Displays result
• Updates tags on the smartcard

Getemvtags() / Setemvtags()
• Reads or writes tag values/tags from the smartcard

(41)

Developing Payment Application: RhoElements APIs – Functions

Authorizecard()
• Authorizes the EMV transaction amounts on the smartcard
• Required params: amount, merchant decision, tags, display result, PIN try exceed status, display amount, display app expired

Removecard()
• Requests the cardholder to remove the card from MPM.
• Required params: message1, message2
• If empty messages are passed, MPM will use default messages.

(42)

Developing Payment Applications: RhoElements APIs – Helpful Hints

• After calling a function, wait for the response before calling another function
• If calling another function is required before the response, call cancelprevmethod() first
• Some of the functions such as promptmenu and readcarddata return success or error first in DataEvent. The data (or error code) is returned in a separate callback
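The Data Event slide and the hints above together describe a strict discipline: one outstanding MPM call at a time, cancelprevmethod() before abandoning one, and, for promptmenu and readcarddata, a status DataEvent followed by a separate data DataEvent. The sequencer below is an added example that enforces that discipline; it is not RhoElements or Motorola code. It assumes a constructed "transport" object in place of the host's global mpm object, and the "Success" status string, the argument lists and the error code in the demo are assumptions made for the example.

```javascript
// Added example (not RhoElements code): serialise MPM calls so that only one
// is outstanding, issue cancelprevmethod() before abandoning one, and handle
// methods that answer in two DataEvents (status first, data second).
// ASSUMPTIONS: the "Success" status string and the argument lists are made up
// for this example; 'transport' stands in for the host's global mpm object.

// Methods the slides say report success/error first and data separately.
const TWO_PHASE = new Set(["promptmenu", "readcarddata"]);

class MpmSequencer {
  constructor(transport) {
    this.transport = transport;  // must provide invoke(method, args)
    this.queue = [];             // calls waiting for the device to be free
    this.pending = null;         // the single outstanding call, or null
  }

  // Queue a call; it is sent only when nothing else is outstanding.
  call(method, args, callback) {
    this.queue.push({ method, args, callback, awaitingData: false });
    this.flush();
  }

  flush() {
    if (this.pending !== null || this.queue.length === 0) return;
    this.pending = this.queue.shift();
    this.transport.invoke(this.pending.method, this.pending.args);
  }

  // Abandon the outstanding call. cancelprevmethod() is sent first and the
  // queue resumes only after the device has acknowledged it.
  cancelPending() {
    if (this.pending === null) return false;
    const dropped = this.pending;
    this.pending = { method: "cancelprevmethod", args: [], callback: () => {}, awaitingData: false };
    this.transport.invoke("cancelprevmethod", []);
    dropped.callback({ method: dropped.method, error: "cancelled" });
    return true;
  }

  // Wire this to mpm.DataEvent; it receives (data, method) as on the slide.
  handleDataEvent(data, method) {
    const p = this.pending;
    if (p === null || p.method !== method) return false; // stray/late event
    if (TWO_PHASE.has(method) && !p.awaitingData) {
      if (data === "Success") {        // phase 1 ok: data comes in phase 2
        p.awaitingData = true;
        return true;
      }
      this.pending = null;             // phase 1 error: call is finished
      p.callback({ method, error: data });
      this.flush();
      return true;
    }
    this.pending = null;               // final (or only) response
    p.callback({ method, data });
    this.flush();
    return true;
  }
}

// Constructed transport that records the method names it would have sent.
function makeRecorder() {
  const sent = [];
  return { sent, invoke: (method) => { sent.push(method); } };
}

// Card read followed by a PIN prompt, with the device's responses fed in by
// hand so the run is deterministic and offline.
function demo() {
  const recorder = makeRecorder();
  const seq = new MpmSequencer(recorder);
  const results = [];
  seq.call("readcarddata", ["10.00", "0.00", "0"], (r) => results.push(r));
  seq.call("promptpin", ["4111111111111111", 4, 12], (r) => results.push(r));
  const sentAfterQueueing = recorder.sent.slice(); // promptpin still queued
  seq.handleDataEvent("Success", "readcarddata");                         // phase 1
  seq.handleDataEvent("AccountNumber=4111111111111111", "readcarddata");  // phase 2
  seq.handleDataEvent("Success", "promptpin");                            // single-phase
  return { sent: recorder.sent, sentAfterQueueing, results };
}

console.log(JSON.stringify(demo()));
```

In a real RhoElements page the transport's invoke() would dispatch to the matching mpm method and dataEventFunction would forward its two strings to handleDataEvent; a response whose method name does not match the outstanding call is dropped rather than acted on, which keeps a late callback from a cancelled prompt from completing the wrong transaction step.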

(43)
(44)

Our Vision…

Our vision for the future

• Our vision is to create a solution that makes payment application development even simpler, and easier to understand. Currently the payment process is extremely complex.
• We are exploring options to provide interfaces to major acquirers, so that you don’t have to spend time and effort to understand the process.
• Our goal is to achieve further simplification and abstraction of interfaces to various payment devices, mobile devices, payment technologies, development languages, communication, Acquirers, Card Networks…
• Another important vision of ours is to reduce the amount of certification you will have to do with your applications.
• All this power and these new features will be accessible to your application via simple and easy to use configuration.

(45)

THANK YOU
