We are developing mobile app in which customers can access multiple loyalty programs. The most convenient way for customers is to use nfc loyalty card and we are in search of ways to implement it via google pay passes and apple wallet passes
However, we are quite not familiar with the pipeline and user—>PoS—>etc interactions.
Could someone explain, please:
What process is happening after card is submitted to PoS terminal? (Interactions with GPay/Wallet and our backend).
Any information is appreciated!
For the Google Pay Passes side the protocol to transmit loyalty card payload through NFC is called Smart Tap. The design is as follows:
The phone with Google Pay and loyalty passes (enabled with Smart tap) loaded into the wallet is tapped on the terminal.
The terminal through Smart Tap Protocol presents a unique collector ID and signed information to the Google Pay app.
The Google Pay app uses this signed information to verify the identity of the terminal and that collector id is used to determine which passes it transmits.
Google Pay transmits the pass payload through Smart Tap from the wallet.
The terminal then decrypts the payload and passes upstream, to the POS.
The best way to think about NFC transmission is as an encrypted alternative to transmitting a value using barcode.
Related
First, forgive my complete ignorance. I've tried to research this, but I clearly don't know the correct terminology for what I'm trying to accomplish.
I'm trying to set up NFC chips that link to separate, unique profiles. The profiles will be to a web app, but I want to hide the hyperlink to prevent someone from being able to copy the direct link to the profile and put it into another NFC Chip.
Example: A Plastic Business Card with an NFC chip that takes someone to a unique web app profile on their phone. I want to make sure someone can't create a new card and copy/paste the profile link into the new card on their own.
Note: The NFC Chip at this current moment will NOT be used for contactless payments.
Thanks.
So first point, security on NFC is hard, you can make it more difficult but not impossible to get the data from the card depending on how tightly you can control access to readers etc.
But from the sounds of it you are looking just to prevent casual copying.
It also sounds that you want the reading device to be a reading device.
So there are various techniques you can use to prevent casual copying, below I'll list a few in some order of complication (some can be used in combination with others):-
There is a common theme and drawbacks to some of these techniques.
You have to write your own phone App and get it to display the web App in it's own webview as you do not want the URL shown in a standard web browsers address bar.
Any protections you put in the phone App can be extracted from it by reverse engineering the phone App.
Use a NFC Tag like the Ntag21x range that has read password protection. You would write a phone App that knows the password to read the URL and then the App displays it
Encrypt the data on the card using standard encryption method and write an phone App that knows how to decrypt it and has the encryption keys to read the URL
Don't use a standard data format like Ndef but use your own data format again you phone app needs to know how you formatted the data to display
You can make reverse engineering of item 1 and 2 harder by not storing the "secrets" in the App itself but have it get it across the network at run time, but getting the secret can be reverse engineered or sniffed from the network.
I successfully created a pass with PassKit. But I want to add NFC capability to this pass to, when other smartphone (NFC reader) read the card, an URL will be opened to this smartphone.
I don't know if I need to do an NFC Certificate request for Apple Pay, because I don't want to use NFC for Apple Pay (https://developer.apple.com/contact/passkit/) ?
Can I achieve this without a certificate ?
No, you absolutely must have a certificate authorizing the use of NFC even if it is not a payment.
To obtain a certificate, contact Apple: http://developer.apple.com/contact/passkit.
But they rarely answer
I'm very new to NFC here. I am working on a project as part of which we are looking to do "check-ins" at a clients locations. We postulate we can use NFC tags so that people can scan them with their phones and easily "check in." The process after scanning would be to send the user to a URL such as example.com/check-in?location=PA&uniqueSerial=1234567.
Is there a way to get a unique serial number to place into the URL on each scan?
What I want to do is verify that the user has actually scanned the tag. What I don't want to happen is have users save the URL from the NFC tag and reload it again to create another "check-in."
Thanks for your help!
This seems to be an identical requirement to Prevent URL obtained from NFC from being shared or accessed remotely
And the answer is No,Yes and to some extent.
It depends on if you want to use a custom written App to read the cards or want to rely on the devices inbuilt behaviours to load the URL.
Most standard NFC tags just read and write to some EPROM data chips, so the data is static on the card, while most cards have a unique serial number this is still static data.
The possibilities are:-
1) Store a static URL in an NDEF message on the card that causes the device to load it in it's own browser - the URL is static and visible to the user for store and re-use. (That's the No response)
2) Write an App to read the cards, the URL can then be hidden from the user but still it will be unique to the card and static, but a determined person with the knowledge could work out the URL. (That's to some extent answer)
With Android you could use and AAR NDEF record to prompt the user to download the App if they don't have it already, not sure it this can be done on other devices.
2a) as 2) but then use the time or other methods to crypto hash the unique ID in time as well to make it a one time code. Harder for people to reverse engineer to but depending on how you do it determines the difficulty. (That's to some extent answer)
3) Their are some advanced cards out their that can run custom programs (one is called JavaCards https://en.wikipedia.org/wiki/Java_Card ), so you could write a program that generates a unique serial you want and then present it to the card reader device as a standard NDEF message that would launch the devices browser to this dynamic URL. (This is a Yes response but it very very advanced)
4) Instead of a NFC card being read from, you could have a smartphone with an App running Host Card Emulation software (or other device with a USB reader/writer might also be able to do Host Card Emulation). This is like option 3 in that the program that generates a unique serial you want and then present it to the card reader device as a standard NDEF message that would launch the devices browser to this dynamic URL.
This of course requires the device to be secured and powered. (This is a Yes response, but has drawback that it is not as cheap as a NFC card and needs it's own power supply and is advanced in terms of programming).
There are some fairly 'off the shelf' NFC chips that can do this. These 'authentication' NFC Tags are typically used for product authentication / counterfeit protection, etc. Example of use case on Seritag's website
However, I can't see that you'd actually need the backend auth to do what you want. Each time the tag is scanned it will generate a new unique auth code and as long as you log any previous codes then the user will always need the next one. Without the backend auth system it wouldn't stop the user just making up a new code but it depends how secure you want it to be.
Visa and Mastercard are working on a card tokenization, and I wondered if it was possible with this token stored on a NFC-tag like a key-fob to perform a contactless payment?
Do you think it is enough to put the token on the NFC-tag or is it must be wrapped ?
It will work like the visa ring.
Yes, but with a lot of conditions (nothing is simple, sorry).
The keyfob must have a real Secure Element inside that can run an applet that complies to Visa/Mastercard specifications. A simple NDEF tag would not do: this is not just about storing some data, but it is about an application handling it securely.
In other words: the 'token' has to be stored securely on the chip, and the chip shall send it only to a reader that has authenticated itself properly to the chip.
The specifications are freely available, have a look at 'EMV'.
I need to know is there any native API to store the credit card information in Windows 8 Mobile. I found a lot about NFC technology. Our requirement is storing the credit card information in wallet only by touch the credit card with phone like storing business card info by tapping using NFC.
Windows 8 Phone - access to NFC reader?
http://code.msdn.microsoft.com/wpapps/Wallet-payment-instruments-85c2a7a0
I could see some answers in this post. But it doesn't exactly matches our requirement.In the second link there says that tapping a credit card is it possible to tap an store the info of credit card in the wallet app.
There is no API in the public SDK that will allow you to store credit card information outside of the wallet.
You haven't said what your requirements actually are so it's hard to say for sure but be aware of the possible legal implications of storing credit card details in each of the countries where the app is to be used. There are strict requirements around this.