Developing Payment Applications with RhoMobile Suites - Motorola ...

Developing Payment Applications with RhoMobile Suites - Motorola ...

Developing Payment

Applications with

RhoMobile Suites

Prashanth Kadur

Software Architect


Understanding Payment

MPM-100 (Motorola’s Payment Device)

Developing Payment Applications using RhoMobile Suites

Our Vision…

Understanding Payment

Understanding Payment


Scan & price check Swipe Capture signature or PIN

Print receipt

Authorize payment

Understanding Payment

Terminologies for Mobile Payment



Card Network

WiFi or WAN


Motorola Device

Mobile Device

Mobile Computer



MPM-100 was released






Payment Device

Understanding Payment


Magstripe cards are used for several purposes including

identification (driver’s license) and payment (finance).

Normally there are 3 tracks of data. Information such as account

number, account holder name and expiration date.

Can be used for credit as well as debit transactions.

Not very secure. Susceptible to fraud.

Stores limited amount of data.

Understanding Payment


EMV (Europay, Mastercard and VISA) is a global standard for

credit and debit payment cards based on chip card technology.

Also called “IC card”, “smart card” and “Chip & PIN”.

Contains embedded microprocessor that provides security and

capabilities more than a magstripe card can provide.

More than a billion EMV cards are in use worldwide.

Understanding Payment

Advantages of EMV

More secure than the data encoded on the back of the magstripe card

• dynamic cryptogram protects against data skimming

• usage restrictions such as international use prohibitions are enforced

• offline authorization: PIN capability protects against lost and stolen card fraud

• limits on offline activity protects against credit overruns and fraud

Supports enhanced cardholder verification methods

Stores more data than the magstripe

Single card can play multiple roles: credit, debit and others

Understanding payment

Advantages of EMV

Chip can perform the following:

Payment applications are resident on the chip

• Stores information securely

• Performs cryptographic processing

Two means of making connection with readers

• Contact . Requires physical contact , usually by inserting the card

• Contactless. Card (or mobile phones) must come to proximity

of reader. Max 4 cm.

If a card has CHIP, reader may refuse to accept the magstripe swipe of the


Single card can play multiple roles: credit, debit and others

Understanding Payment

Contact & Contactless EMV Readers

Contact: requires the card to remain in contact with the reader for the

duration of the transaction

Contactless: minimizes the amount of time the card is held close to the


Contactless: Some transactions such as online authorization may be done

after the card has left the proximity

Understanding Payment

How EMV works

In magstripe, after reading the card, the card is no longer needed

In EMV, the card data is read and then rules set by the card issuer are enforced:

• Offline data authentication

• Card holder verification via PIN or signature

• Online authorization

• And several others…

Issuing bank dictates which of the rules are enforced for the current transaction

If the reader (terminal) is incapable of performing any rule requested by the chip, the

chip may decline

Understanding Payment

How EMV works



Select Application

Read Data



Reader begins communicating

with chip.

Chip and Reader identify the

common app to work with.

Selected app is initiated.

Reader reads card data from


SDA, DDA, CDA (Static, Dynamic

or Combined Data

Authentication (CDA)

Decision by chip

Risk analys and

action on reader

Verify Cardholder

Verify Rules

Chip responds to reader and

decides to go online, offline

accept or offline reject

Reader analyses risks, decides

to go online/offline.

Method specified by issuer and

supported by reader. Sign,

online/offline PIN,CVM.

Verify if rules set by issuer

allows chip to process the

requested transaction

Process online

bank transaction





Reader builds an online

request package (request for

authentication &

authorization) and sends it


Contactless: Occurs after the

card has left proximity

Request chip to complete

transaction. Optionally issuer

may set new or modify

existing rules via script


Contactless: No modification

to rules.



Understanding Payment

How Online Bank Transaction Works

Determine amount

Display amount &

Ask approval

Read Card Data

Enter PIN

Merchant scans items, does

price checks and determines

the total amount

Display the amount on the

payment device and ask

customer for approval

Customer swipes, inserts or

taps card on the payment


Customer enters PIN for debit

Send Request to

Issuing Bank

Send request to

card network

Send Request to


Encrypt Data

Card network sends the request

to issuing bank (Chase, First

Bank of America..)

Acquirer sends request to card

network (VISA, MC, AMEX…)

Request is sent to the acquirer

for approval.

PIN and card data are


Issuing Bank




Understanding Payment

How Online Bank Transaction Works (continued…)

Issuing Bank

Check for funds

and respond

Send response to


Send response to


Issuer bank checks for funds

and sends approval to the card


Card network sends approval

to Acquirer

Acquirer sends approval to


End of transaction

Print Receipt

Complete Sale

Capture Signature

Customer gets receipt/ereceipt

Merchant completes sale.

Merchant obtains customer

signature for credit




Understanding Payment


Customer Pays Issuing



Issuing Bank takes its fee


Card Network takes its fee


Merchant gets paid


Acquirer takes its fees


Understanding Payment

EMV Adoption

Source: EMVCo




Accepts credit, debit, smart card and

NFC enables cards and phone


The transaction data is transferred

from the MPM over a Bluetooth

connection to Windows Mobile and

Android based Motorola devices

Encrypts transaction data “at the





Transportation & Delivery

Field Service

Government / Public

Store mgrs, customer facing associates

Tableside, concessions, entertainment

Couriers, trains, planes, ticket reading

Repair and maintenance home or office

Citations, parking, Identification

Motorola Devices Supported

ES400 MC55A MC65 MC95 ET1



Vx Platform Architecture & EMV applications

Smart Card Reader

Models – Supports Windows Mobile & Android

Display – 128x32 LCD

PIN Pad– PCI 3.0 capacitive touch PIN pad

MSR with Triple-track head

Landed PSCR with 2 Secure Access Modules

Battery powered – >8 hour operation

Contactless Reader

MSR Reader

128x32 LCD Display



Capacitive Touch

PCI 3.0 PIN Pad


Power Button



Charge Port

Five-slot charging cradle

PCI 3.0 EMV 4.x, other regional certs

Security certifications as required

Encryption preloaded

Removable 1380 mAh

Battery (in rear)


Bluetooth 3.0


Gang Charging Connectors


MagStripe Smart card/Chip&PIN Contactless/NFC

Use only in the United States

Old Technology

Easy to counterfeit

Low cost solution

Can be used for debit and credit

When used for debit, requires a

separate keypad for pin entry

Use everywhere except the United


Modern Technology

Hard to counterfeit

Think of the chip as a PC without a

keyboard or display

Low cost solution, but not as

inexpensive as the MSR solution

Can be used for debit and credit

When used for debit, requires a

separate keypad for pin entry

Near Field Communications “NFC”

Use everywhere in the World

Works in all weather environments

Modern Technology

Hard to counterfeit

Generally used for Low Dollar , High

Volume, transactions: Fast Food, Donut

Shops, Coffee Shops…etc…

Low cost solution, but not as

inexpensive as the MSR solution

Can be used for debit and credit

When used for debit, requires a

separate keypad for pin entry


Communication with Mobile Device

Communication between the MPM and Mobile Device’s is Bluetooth

• Bluetooth Specification 3.0

• SPP Profile

Windows Mobile

• Microsoft Stack

• Stonestreet Stack


• BlueZ Stack




Configuring Mobile Device

Before accessing MPM from RE, you must manually pair.

Without pairing, app will not communicate with MPM.

On WM, use “Settings->Connections->Bluetooth” for accessing pairing.

On the Android devices, use “Settings->Wireless & network settings->Bluetooth”.

The Bluetooth address of the MPM device starts with “MPM-“.

Only one MPM per Mobile Device can be used at a time.


Fraud Prevention

MPM has special hardware and software to do encryption

Encryption done on the MPM device

Encrypted data goes all the way to bank

Only the bank knows how to decrypt

The encryption system requires an initial number (“Seed Number”) to

base encryption algorithm

The Seed Number is provided by the Bank

The operation of putting the Seed Number into the device is

called “Key Injection”

Key Injection can only be performed in a special certified room

Motorola has special certified rooms

If the MPM senses attempts to break in and obtain the seed number,

it wipes the seed number within 300ms



Every Country has it’s own transaction network and rules

In order to use a new payment device, every Country requires

certification of the payment device for it’s network

This ensures the device:

• Communicates properly on the network

• Doesn’t interfere with other transaction on the network

• Doesn’t intercept other transactions

In addition , there are two worldwide certifications:

• PCI “Payment Card Industry”

• EMV “Europay MasterCard Visa”



It’s up to the manufacture to certify the payment device.

Motorola certifies their payment devices. But your payment app may

still require certification.

The payment device is sent to an independent lab for testing

and the result report is sent to the certification body

Some Countries accept International certification as the only

certification required.

Other Countries require In-Country certification

Still other Countries require In-Country and Bank specific certification

This is no “Universal” rule

Must certify device in Country prior to sale

Developing Payment Applications

Developing Payment Application


Motorola RhoMobile Suite v2.1 supports development of applications to

target MPM-100.

EMDK for .NET. Currently .NET support for MPM is not available.

Tentatively available in Q2 2013.

EMDK for C. No plans for C/C++ support for MPM.

EMDK for Java. No plans for the Java support for MPM on WM or Android.

Developing Payment Application

RhoMobile Suite

Motorola RhoMobile Suite v2.0 allows you to create flexible, OS-independent,

hardware-agnostic applications that look, feel and act the same on every supported device.

You can rapidly create robust mobile applications that can include a wide range of

advanced data capture capabilities.

RhoMiobile Suite comprises of the following:


RhoElements allows creating

flexible applications that look,

feel and act the same on

every supported device.


RhoConnect is the easy, fast

way to connect mobile

applications to business data

and ensures users can access

that data.


RhoStudio’s fully-featured

simulator allows you to

quickly test and debug crossplatform

applications on one


Use RhoElements for developing applications to target MPM-100

Developing Payment Application

RhoElements for MPM

RhoElements is built on Motorola’s WebKit rendering engine.

RhoElements enables software developers to develop rich mobile apps using latest

HTML5 and CSS standards.

Applications can be written to include a wide range of functions including barcode scanning,

signature capture, printing and more.

RhoElements supports a set of JavaScript functions for accessing the MPM device and

performing payment transactions.

Help distributed with RhoElements does not contain MPM documentation.

Customers are required to contact Motorola TAs for documentation on MPM.

Using MPM functions requires a passcode. Request your Motorola TA.

MPM Help documentation describes payment functions and also contains a section on programmer guide.

The programmer guide section provides helpful hints for designing payment apps in RhoElements.

Developing Payment Application

Software Solution - Architecture











Customer Rho Application

.NET on WM

Java on Android

(currently not available)



Specific Code



Specific Code

Developing Payment Application

What you can do using RhoMobile Suite

You can use all the features available in RhoMobile to write your payment app

Scan items

Take pictures of the item (returns?)

Connect to MPM using RhoElements

Display message and prompt menu on MPM

Allow customers to swipe, insert or tap the card on MPM

Allow customer to enter PIN on MPM

Obtain card data (both encrypted and clear) from MPM

Write to the smartcard once the bank response is received.

Capture Signature on mobile device

Print Receipt

Developing Payment Application

What your application must do

Currently, RhoElements does not offer any feature to perform country specific

requirements. You must have a detailed knowledge of these requirements.

You must write your own process to create and pass the payment package to Acquirer gateway.

You must have detailed knowledge the Acquirer requirements and their interfaces.

You must understand all the certification requirements for all countries that you wish to use.

You must certify your payment applications, if necessary.

Once the bank response is received, your application must know how to read the bank response and

do post-payment writings to the smartcard. We provide a number of functions for this purpose.

Developing Payment Application

RhoElements APIs – Data Event

Methods and events available for MPM can be accessed using the ‘mpm’ JavaScript Object.

For example:“passcode”, “COM5”);

There are about 20 functions available for performing tasks on MPM.

All functions return response in the DataEvent callback.

Before making any calls, set the DataEvent as follows:

mpm.DataEvent = "url('JavaScript:dataEventFunction('%s','%s');')";

DataEvent can callback the function on same page or a different page(providing a new url).

When a new url is provided, navigation will occur automatically.

Two strings are passed in the DataEvent which directly or using JSON objects.

data – Data returned for the corresponding method call

function – Identifies the function for which the response is returned.

function dataEventFunction(data, method) {

alert("Data= "+data+" Method= "+method); }

Developing Payment Application

RhoElements APIs – Functions


Manually pair. Open MPM before calling any other function:“passcode", "COM5");

Comport is ignored on Android

Requires a valid passcode. Contact Motoroal TA.

Success or failure message is returned in DataEvent


Closes port and disconnects the MPM device.

This call does not unpair. Unpair manually.

Developing Payment Application

RhoElements APIs – Functions


Enable keypad on MPM each time before calling functions such as readcarddata() and

promptpin(), which require user input


Disable keypad.


Enables keybeep on MPM device. Requires enabling each time


Disables key beeps.

Developing Payment Application

RhoElements APIs – Functions


Prepares MPM for a card read

Swipe (MagStripe), insert (smart cards) or tap (contactless)

readcarddata(Amount, OtherAmount, ReadMode)

Data returned in DataEvent












Developing Payment Application

RhoElements APIs – Functions


Prepares MPM for accepting PIN entry

Encrypts PIN


• AccountNumber

• MinPINLength

• MaxPINLength

• PinRequired – Allow empty PIN

• Messages1

• Message2

• ProcessingMessage

Encrypted PIN Data returned in DataEvent

Developing Payment Application

RhoElements APIs – Functions


Displays two lines of messages on MPM

Provides a menu with a maximum of 4 choices.

Returns the selection in the DataEvent

Max of 18 chars on each line (Message + Choice)


Multiple transactions combined into one

• Prompts the user to confirm amount

• Prompts user to confirm surcharge

• Prompts user to enter TIP

• Prompts user to enter cashback

Returns user input in DataEVent

Developing Payment Application

RhoElements APIs – Functions


Displays upto 4 lines of messages on MPM

Can be used for getting confirmation such as OK and Cancel

Returns the selection in the DataEvent


Cancels previously issued method

Displays welcome screen on MPM


Accepts data to be MAC’ed using ANSI x9.91 standard and MAC Working Key.

Used for MAC’ing credit transactions when MPM supports support both credit and debit

Developing Payment Application

RhoElements APIs – Functions


Validates the response MAC

Displays any authorization messages returned by the host


Completes online EMV transaction

Host decision is sent MPM

Displays result

Updates tags on the smartcard

Getemvtags() /Setemvtags()

Reads or write tag values/tags from the smartcard

Developing Payment Application

RhoElements APIs – Functions


Authorizes the EMV transaction amounts on the smartcard

Required params : amount, merchant decision, tags, display result, PIN try exceed status,

display amount, display app expired


Requests the cardholder to remove the card from MPM.

Required params: message1, message2

If empty messages are passed, MPM will use default messages.

Developing Payment Applications

RhoElements APIs

Helpful Hints

After calling a function, wait for the response before calling another function

If calling another function is required before the response, call cancelprevmethod() first

Some of the functions such as promptmenu and readcarddata return success or error

first in DataEvent. The data (or error code) is returned in a separate callback

Even though several functions accept language codes, only English is supported at this time.

Our Vision

Our Vision…

Our vision for the future

Our vision is to create a solution that makes the payment application development even

simpler. And easier to understand. Currently the payment process is extremely complex.

We are exploring options to provide interfaces to major acquirers, so that you don’t have to

spend time and effort to understand the process.

Our goal is to achieve further simplification and abstraction of interfaces to various

payment devices, mobile devices, payment technologies, development languages,

communication, Acquirers, Card Networks…

Another important vision of ours is to reduce the amount of certification you will

have to do with your applications.

All these power and new features will be accessible to your application via simple and

easy to use configuration.

We appreciate your input on your requirements and comments.


More magazines by this user
Similar magazines