Developing Payment Applications with RhoMobile Suites - Motorola ...

launchpad.motorolasolutions.com


Developing Payment Applications with RhoMobile Suites

Prashanth Kadur

Software Architect


Agenda

Understanding Payment

MPM-100 (Motorola’s Payment Device)

Developing Payment Applications using RhoMobile Suites

Our Vision…


Understanding Payment


Understanding Payment

Overview

Scan & price check Swipe Capture signature or PIN

Print receipt

Authorize payment


Understanding Payment

Terminologies for Mobile Payment

Gateway

Acquirers

Card Network

WiFi or WAN

Communication

Motorola Device

Mobile Device

Mobile Computer

Bluetooth

Communication

MPM-100 was released recently!

MPM-100

MPM

Reader

Terminal

Payment Device


Understanding Payment

MagStripe

Magstripe cards are used for several purposes including identification (driver’s license) and payment (finance).

Normally there are 3 tracks of data, holding information such as account number, account holder name and expiration date.

Can be used for credit as well as debit transactions.

Not very secure. Susceptible to fraud.

Stores limited amount of data.


Understanding Payment

EMV

EMV (Europay, Mastercard and VISA) is a global standard for credit and debit payment cards based on chip card technology.

Also called “IC card”, “smart card” and “Chip & PIN”.

Contains an embedded microprocessor that provides more security and capabilities than a magstripe card can provide.

More than a billion EMV cards are in use worldwide.


Understanding Payment

Advantages of EMV

More secure than the data encoded on the back of the magstripe card

• dynamic cryptogram protects against data skimming

• usage restrictions such as international use prohibitions are enforced

• offline authorization: PIN capability protects against lost and stolen card fraud

• limits on offline activity protect against credit overruns and fraud

Supports enhanced cardholder verification methods

Stores more data than the magstripe

Single card can play multiple roles: credit, debit and others


Understanding payment

Advantages of EMV

Chip can perform the following:

Payment applications are resident on the chip

• Stores information securely

• Performs cryptographic processing

Two means of making connection with readers

• Contact. Requires physical contact, usually by inserting the card

• Contactless. Card (or mobile phone) must come into proximity of the reader. Max 4 cm.

If a card has a chip, the reader may refuse to accept the magstripe swipe of the card

Single card can play multiple roles: credit, debit and others


Understanding Payment

Contact & Contactless EMV Readers

Contact: requires the card to remain in contact with the reader for the duration of the transaction

Contactless: minimizes the amount of time the card is held close to the reader

Contactless: Some transactions such as online authorization may be done after the card has left the proximity


Understanding Payment

How EMV works

In magstripe, after reading the card, the card is no longer needed

In EMV, the card data is read and then rules set by the card issuer are enforced:

• Offline data authentication

• Card holder verification via PIN or signature

• Online authorization

• And several others…

Issuing bank dictates which of the rules are enforced for the current transaction

If the reader (terminal) is incapable of performing any rule requested by the chip, the chip may decline


Understanding Payment

How EMV works

Initiate Communication – Reader begins communicating with chip.

Select Application – Chip and Reader identify the common app to work with. Selected app is initiated.

Read Data – Reader reads card data from chip.

Offline authentication – SDA, DDA or CDA (Static, Dynamic or Combined Data Authentication).

Verify Rules – Verify if rules set by issuer allow chip to process the requested transaction.

Verify Cardholder – Method specified by issuer and supported by reader. Sign, online/offline PIN, CVM.

Risk analysis and action on reader – Reader analyses risks, decides to go online/offline.

Decision by chip – Chip responds to reader and decides to go online, offline accept or offline reject.

Process online bank transaction – Reader builds an online request package (request for authentication & authorization) and sends it to the acquirer. Contactless: Occurs after the card has left proximity.

Complete Transaction – Request chip to complete transaction. Optionally issuer may set new or modify existing rules via script commands. Contactless: No modification to rules.


Understanding Payment

How Online Bank Transaction Works

Determine amount – Merchant scans items, does price checks and determines the total amount

Display amount & Ask approval – Display the amount on the payment device and ask customer for approval

Read Card Data – Customer swipes, inserts or taps card on the payment device.

Enter PIN – Customer enters PIN for debit

Encrypt Data – PIN and card data are encrypted

Send Request to Acquirer – Request is sent to the acquirer for approval.

Send request to card network – Acquirer sends request to card network (VISA, MC, AMEX…)

Send Request to Issuing Bank – Card network sends the request to issuing bank (Chase, First Bank of America..)


Understanding Payment

How Online Bank Transaction Works (continued…)

Check for funds and respond – Issuer bank checks for funds and sends approval to the card network

Send response to Acquirer – Card network sends approval to Acquirer

Send response to Merchant – Acquirer sends approval to merchant

Capture Signature – Merchant obtains customer signature for credit

Complete Sale – Merchant completes sale.

Print Receipt – Customer gets receipt/ereceipt

End of transaction


Understanding Payment

Fees

Customer Pays Issuing Bank

$$$

Issuing Bank takes its fee

$$$

Card Network takes its fee

$$$

Merchant gets paid

$$$

Acquirer takes its fees

$$$


Understanding Payment

EMV Adoption

Source: EMVCo


MPM-100


MPM-100

WHAT DOES IT DO

Accepts credit, debit, smart card and NFC-enabled card and phone payments

The transaction data is transferred from the MPM over a Bluetooth connection to Windows Mobile and Android based Motorola devices

Encrypts transaction data “at the swipe/insert/tap”

WHO USES IT

Retail – Store mgrs, customer facing associates

Hospitality – Tableside, concessions, entertainment

Transportation & Delivery – Couriers, trains, planes, ticket reading

Field Service – Repair and maintenance home or office

Government / Public – Citations, parking, Identification

Motorola Devices Supported

ES400 MC55A MC65 MC95 ET1


MPM-100

Specifications

Vx Platform Architecture & EMV applications

Smart Card Reader

Models – Supports Windows Mobile & Android

Display – 128x32 LCD

PIN Pad – PCI 3.0 capacitive touch PIN pad

MSR with Triple-track head

Landed PSCR with 2 Secure Access Modules

Battery powered – >8 hour operation

Contactless Reader

MSR Reader

128x32 LCD Display

CTLS / NFC Antenna

Capacitive Touch PCI 3.0 PIN Pad

CTLS LEDs

Power Button

MicroUSB Data/Power Charge Port

Five-slot charging cradle

PCI 3.0 EMV 4.x, other regional certs

Security certifications as required

Encryption preloaded

Removable 1380 mAh Battery (in rear)

Integrated Bluetooth 3.0 module

Gang Charging Connectors


MPM-100

MagStripe

Use only in the United States

Old Technology

Easy to counterfeit

Low cost solution

Can be used for debit and credit

When used for debit, requires a separate keypad for PIN entry

Smart card/Chip&PIN

Use everywhere except the United States.

Modern Technology

Hard to counterfeit

Think of the chip as a PC without a keyboard or display

Low cost solution, but not as inexpensive as the MSR solution

Can be used for debit and credit

When used for debit, requires a separate keypad for PIN entry

Contactless/NFC

Near Field Communications “NFC”

Use everywhere in the World

Works in all weather environments

Modern Technology

Hard to counterfeit

Generally used for low-dollar, high-volume transactions: Fast Food, Donut Shops, Coffee Shops, etc.

Low cost solution, but not as inexpensive as the MSR solution

Can be used for debit and credit

When used for debit, requires a separate keypad for PIN entry


MPM-100

Communication with Mobile Device

Communication between the MPM and the mobile device is over Bluetooth

• Bluetooth Specification 3.0

• SPP Profile

Windows Mobile

• Microsoft Stack

• Stonestreet Stack

Android

• BlueZ Stack



MPM-100

Configuring Mobile Device

Before accessing MPM from RE, you must manually pair.

Without pairing, app will not communicate with MPM.

On WM, use “Settings->Connections->Bluetooth” for accessing pairing.

On the Android devices, use “Settings->Wireless & network settings->Bluetooth”.

The Bluetooth address of the MPM device starts with “MPM-”.

Only one MPM per Mobile Device can be used at a time.


MPM-100

Fraud Prevention

MPM has special hardware and software to do encryption

Encryption done on the MPM device

Encrypted data goes all the way to bank

Only the bank knows how to decrypt

The encryption system requires an initial number (“Seed Number”) on which to base the encryption algorithm

The Seed Number is provided by the Bank

The operation of putting the Seed Number into the device is called “Key Injection”

Key Injection can only be performed in a special certified room

Motorola has special certified rooms

If the MPM senses attempts to break in and obtain the seed number, it wipes the seed number within 300ms


MPM-100

Certification

Every Country has its own transaction network and rules

In order to use a new payment device, every Country requires certification of the payment device for its network

This ensures the device:

• Communicates properly on the network

• Doesn’t interfere with other transactions on the network

• Doesn’t intercept other transactions

In addition, there are two worldwide certifications:

• PCI “Payment Card Industry”

• EMV “Europay MasterCard Visa”


MPM-100

Certification

It’s up to the manufacturer to certify the payment device.

Motorola certifies their payment devices. But your payment app may still require certification.

The payment device is sent to an independent lab for testing and the result report is sent to the certification body

Some Countries accept International certification as the only certification required.

Other Countries require In-Country certification

Still other Countries require In-Country and Bank specific certification

There is no “Universal” rule

Must certify device in Country prior to sale


Developing Payment Applications


Developing Payment Application

Tools

Motorola RhoMobile Suite v2.1 supports development of applications to target MPM-100.

EMDK for .NET. Currently .NET support for MPM is not available. Tentatively available in Q2 2013.

EMDK for C. No plans for C/C++ support for MPM.

EMDK for Java. No plans for Java support for MPM on WM or Android.


Developing Payment Application

RhoMobile Suite

Motorola RhoMobile Suite v2.0 allows you to create flexible, OS-independent, hardware-agnostic applications that look, feel and act the same on every supported device.

You can rapidly create robust mobile applications that can include a wide range of advanced data capture capabilities.

RhoMobile Suite comprises the following:

RhoElements – RhoElements allows creating flexible applications that look, feel and act the same on every supported device.

RhoConnect – RhoConnect is the easy, fast way to connect mobile applications to business data and ensures users can access that data.

RhoStudio – RhoStudio’s fully-featured simulator allows you to quickly test and debug cross-platform applications on one computer.

Use RhoElements for developing applications to target MPM-100


Developing Payment Application

RhoElements for MPM

RhoElements is built on Motorola’s WebKit rendering engine.

RhoElements enables software developers to develop rich mobile apps using the latest HTML5 and CSS standards.

Applications can be written to include a wide range of functions including barcode scanning, signature capture, printing and more.

RhoElements supports a set of JavaScript functions for accessing the MPM device and performing payment transactions.

Help distributed with RhoElements does not contain MPM documentation.

Customers are required to contact Motorola TAs for documentation on MPM.

Using MPM functions requires a passcode. Request it from your Motorola TA.

MPM Help documentation describes payment functions and also contains a section on programmer guide.

The programmer guide section provides helpful hints for designing payment apps in RhoElements.


Developing Payment Application

Software Solution - Architecture

Inventory

Price

Check

Customer

Payment

Gateway

Independent

Acquirers

WiFi

WAN

Customer Rho Application

.NET on WM, Java on Android (currently not available)

Customer-created Country/Bank Specific Code

Customer-created Country/Bank Specific Code


Developing Payment Application

What you can do using RhoMobile Suite

You can use all the features available in RhoMobile to write your payment app

Scan items

Take pictures of the item (returns?)

Connect to MPM using RhoElements

Display message and prompt menu on MPM

Allow customers to swipe, insert or tap the card on MPM

Allow customer to enter PIN on MPM

Obtain card data (both encrypted and clear) from MPM

Write to the smartcard once the bank response is received.

Capture Signature on mobile device

Print Receipt


Developing Payment Application

What your application must do

Currently, RhoElements does not offer any feature to perform country specific requirements. You must have a detailed knowledge of these requirements.

You must write your own process to create and pass the payment package to the Acquirer gateway.

You must have detailed knowledge of the Acquirer requirements and their interfaces.

You must understand all the certification requirements for all countries where you wish to use it.

You must certify your payment applications, if necessary.

Once the bank response is received, your application must know how to read the bank response and do post-payment writes to the smartcard. We provide a number of functions for this purpose.


Developing Payment Application

RhoElements APIs – Data Event

Methods and events available for MPM can be accessed using the ‘mpm’ JavaScript Object.

For example:

mpm.open("passcode", "COM5");

There are about 20 functions available for performing tasks on MPM.

All functions return their response in the DataEvent callback.

Before making any calls, set the DataEvent as follows:

mpm.DataEvent = "url('JavaScript:dataEventFunction('%s','%s');')";

DataEvent can call back a function on the same page or on a different page (by providing a new url).

When a new url is provided, navigation will occur automatically.

Two strings are passed in the DataEvent, either directly or using JSON objects:

data – Data returned for the corresponding method call

function – Identifies the function for which the response is returned.

function dataEventFunction(data, method) {
  // data: the response payload; method: the function the response belongs to
  alert("Data= " + data + " Method= " + method);
}


Developing Payment Application

RhoElements APIs – Functions

Open()

Manually pair. Open MPM before calling any other function:

mpm.open("passcode", "COM5");

The COM port is ignored on Android

Requires a valid passcode. Contact Motorola TA.

Success or failure message is returned in DataEvent

Close()

Closes port and disconnects the MPM device.

This call does not unpair. Unpair manually.


Developing Payment Application

RhoElements APIs – Functions

EnableKeypad()

Enable keypad on MPM each time before calling functions such as readcarddata() and promptpin(), which require user input

DisableKeypad()

Disable keypad.

EnableKeybeep()

Enables keybeep on MPM device. Requires enabling each time

DisableKeybeep()

Disables key beeps.


Developing Payment Application

RhoElements APIs – Functions

Readcarddata()

Prepares MPM for a card read

Swipe (MagStripe), insert (smart cards) or tap (contactless)

readcarddata(Amount, OtherAmount, ReadMode)

Data returned in DataEvent

•“AccountNumber=

•|CardHolderName=

•|ExpiryDate=

•|Track1Data=

•|Track2Data=

•|Track3Data=

•|AID=

•|AppLabel=

•|AppPreferredName=

•|ServiceCode=

•|EMVTags=TagIDs=|||Values=||
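An added example, not part of the original slides and not Motorola code: parsing the readcarddata() response string listed above and building a copy that is safe to log. The field names come from the slide; the sample values, the helper names parseCardData, maskPan and redactForLog, and the handling of the EMVTags remainder as one opaque string are assumptions.

```javascript
// Fields that must never reach a log. EMV tag values can carry the PAN
// (tag 5A) and Track 2 equivalent data (tag 57), so EMVTags is included.
const SENSITIVE = ['Track1Data', 'Track2Data', 'Track3Data', 'EMVTags'];

// Constructed sample in the slide's layout (test PAN, not real card data).
const SAMPLE = 'AccountNumber=4111111111111111|CardHolderName=DOE/JANE' +
  '|ExpiryDate=2512|Track1Data=|Track2Data=4111111111111111=25121010000000000000' +
  '|Track3Data=|AID=A0000000031010|AppLabel=VISA CREDIT|AppPreferredName=' +
  '|ServiceCode=101|EMVTags=TagIDs=5A|9F26|Values=4111111111111111|0102030405060708';

function parseCardData(data) {
  const result = {};
  // Everything after "EMVTags=" uses "|" for its own sub-lists; keep it raw.
  const marker = '|EMVTags=';
  const emvAt = data.indexOf(marker);
  const head = emvAt === -1 ? data : data.slice(0, emvAt);
  if (emvAt !== -1) result.EMVTags = data.slice(emvAt + marker.length);

  for (const field of head.split('|')) {
    if (field === '') continue;
    // Split on the FIRST "=" only: Track 2 data uses "=" as its own separator.
    const eq = field.indexOf('=');
    // The error text deliberately omits the field content (may be card data).
    if (eq === -1) throw new Error('Malformed field: no "=" found');
    result[field.slice(0, eq)] = field.slice(eq + 1);
  }
  return result;
}

function maskPan(pan) {
  // Show at most the first six and last four digits; mask anything else fully.
  if (!/^\d{13,19}$/.test(pan)) return '*'.repeat(pan.length);
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

function redactForLog(card) {
  const safe = {};
  for (const [key, value] of Object.entries(card)) {
    if (SENSITIVE.includes(key)) safe[key] = value ? '[REDACTED]' : '';
    else if (key === 'AccountNumber') safe[key] = maskPan(value);
    else safe[key] = value;
  }
  return safe;
}
```

Only the output of redactForLog() should be written to application logs or crash reports; the parsed object itself holds clear card data.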


Developing Payment Application

RhoElements APIs – Functions

PromptPIN()

Prepares MPM for accepting PIN entry

Encrypts PIN

Syntax:

• AccountNumber

• MinPINLength

• MaxPINLength

• PinRequired – Allow empty PIN

• Messages1

• Message2

• ProcessingMessage

Encrypted PIN Data returned in DataEvent


Developing Payment Application

RhoElements APIs – Functions

Promptmenu()

Displays two lines of messages on MPM

Provides a menu with a maximum of 4 choices.

Returns the selection in the DataEvent

Max of 18 chars on each line (Message + Choice)

Promptadditionalinfo()

Multiple transactions combined into one

• Prompts the user to confirm amount

• Prompts user to confirm surcharge

• Prompts user to enter TIP

• Prompts user to enter cashback

Returns user input in DataEvent


Developing Payment Application

RhoElements APIs – Functions

Promptmessage()

Displays up to 4 lines of messages on MPM

Can be used for getting confirmation such as OK and Cancel

Returns the selection in the DataEvent

Cancelprevmethod()

Cancels previously issued method

Displays welcome screen on MPM

Createmac()

Accepts data to be MAC’ed using ANSI x9.91 standard and MAC Working Key.

Used for MAC’ing credit transactions when MPM supports both credit and debit


Developing Payment Application

RhoElements APIs – Functions

Validatemac()

Validates the response MAC

Displays any authorization messages returned by the host

Completeonlineemv()

Completes online EMV transaction

Host decision is sent to MPM

Displays result

Updates tags on the smartcard

Getemvtags() /Setemvtags()

Reads or writes tag values/tags from the smartcard


Developing Payment Application

RhoElements APIs – Functions

Authorizecard()

Authorizes the EMV transaction amounts on the smartcard

Required params: amount, merchant decision, tags, display result, PIN try exceed status, display amount, display app expired

Removecard()

Requests the cardholder to remove the card from MPM.

Required params: message1, message2

If empty messages are passed, MPM will use default messages.


Developing Payment Applications

RhoElements APIs

Helpful Hints

After calling a function, wait for the response before calling another function

If calling another function is required before the response, call cancelprevmethod() first

Some of the functions such as promptmenu and readcarddata return success or error first in DataEvent. The data (or error code) is returned in a separate callback

Even though several functions accept language codes, only English is supported at this time.
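An added example, not Motorola code, of the first three hints: a small queue that sends one MPM call at a time, sends cancelprevmethod() before abandoning a call, and matches each DataEvent to the outstanding call. The lower-case method names, the method name echoed in the callback, the "error" status prefix and the helpers createMpmQueue and createMockMpm are assumptions; the page does not show the actual response strings.

```javascript
// Assumptions: method names are lower-case as in mpm.open(); the callback's
// second argument echoes the method name; "error..." means failure.
const TWO_STAGE = new Set(['readcarddata', 'promptmenu']); // named in the hints

function createMpmQueue(mpm) {
  const waiting = []; // calls not yet sent to the device
  let active = null;  // the single call awaiting its DataEvent

  function sendNext() {
    if (active || waiting.length === 0) return;
    active = waiting.shift();
    active.status = null;
    mpm[active.method](...active.args);
  }
  function finish(err, data) {
    const done = active.done;
    active = null;
    done(err, data);
    sendNext();
  }
  return {
    // Queue a call; it is sent only when nothing else is outstanding.
    call(method, args, done) {
      waiting.push({ method, args, done });
      sendNext();
    },
    // Abandon the outstanding call: cancelprevmethod() goes out first.
    cancelActive() {
      if (!active) return;
      const done = active.done;
      active = null;
      waiting.unshift({ method: 'cancelprevmethod', args: [], done() {} });
      done(new Error('cancelled'));
      sendNext();
    },
    // DataEvent target. Returns false for an event matching no outstanding call.
    onDataEvent(data, method) {
      if (!active || method !== active.method) return false;
      if (TWO_STAGE.has(method) && active.status === null) {
        active.status = /^error/i.test(data) ? 'error' : 'success';
        return true; // data or error code follows in a separate callback
      }
      const failed = active.status === 'error' ||
        (active.status === null && /^error/i.test(data));
      if (failed) finish(new Error(method + ' failed: ' + data));
      else finish(null, data);
      return true;
    },
  };
}

// Constructed stand-in for the device object: records what was sent.
function createMockMpm(sent) {
  const record = (name) => () => sent.push(name);
  return { enablekeypad: record('enablekeypad'),
           readcarddata: record('readcarddata'),
           cancelprevmethod: record('cancelprevmethod') };
}
```

In an application, dataEventFunction(data, method) would forward both arguments to the queue's onDataEvent() and log any event for which it returns false.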


Our Vision


Our Vision…

Our vision for the future

Our vision is to create a solution that makes payment application development even simpler and easier to understand. Currently the payment process is extremely complex.

We are exploring options to provide interfaces to major acquirers, so that you don’t have to spend time and effort to understand the process.

Our goal is to achieve further simplification and abstraction of interfaces to various payment devices, mobile devices, payment technologies, development languages, communication, Acquirers, Card Networks…

Another important vision of ours is to reduce the amount of certification you will have to do with your applications.

All this power and these new features will be accessible to your application via simple and easy to use configuration.

We appreciate your input on your requirements and comments.


THANK YOU
