NFC mobile payments standards? - nfc

I understand how NFC is supposed to work on a high level, and a bit about the protocols used. Now, I need to understand, with your help, if there are any standards related to mobile payments.
From a trusted service manager perpective, I believe there are no standards at all and that both the machine on the point of sale and the app on the mobile device would have to be custom made correct?
If no such standards exist yet, can I assume it can be as "simple" as:
On contact the machine creates a checkout receipt and sends it to the device (this would have to be done with customized hardware)
The device receives the receipt and uses the UICC to authenticate itself with the bank/TSM
The bank, upon validation, signs the receipt which is forwarded to the machine by the device
Am I getting this right? If there are any technical bits I'm missing, please refer them so I can research.
Thanks

sure there are standards - see EMV (Europay, Mastercard, Visa). It is necessary for world wide interoperability of the payments systems, which uses the chip (aka secure element), no matter they are contact or contactless (i.e. NFC).
EMV specifies used hardware, protocols, file structures and used commands, data authentication, PIN ciphering, key management. It is pretty complicated.
I think you can start here: http://en.wikipedia.org/wiki/EMV
Regards,
STeN
www.mautilus.com

As said before, EMVCo standards will cover some of your need, but so will also GlobalPlatform underlying technology, as well as some further refinements of AEPM.

I'll also add once you obtain the information you need from the payment card, you have to send it to a payment gateway which then transfers the information to the payment network (Visa, MasterCard, etc.) where the data will then be routed to the issuer of the card for authorization. The response is then sent all the way back through the chain to the initiator of the transaction. Triangle has a free API that captures the card information for you. You can then use the captured information and route it to your gateway.
Disclaimer: I'm the co-founder of Triangle.

Related

Can I still buy Eddystone-EID beacons?

I know asking this question here is not proper, I feel sorry for that.
I have tried searching websites, Amazon and Alibaba, but fail to find any product can support Eddystone-EID.
So, I think developers in stack overflow may know any product can support Eddystone-EID.
Could you share any any information for that?
The two vendors below claim to sell beacons compatible with Eddystone-EID as of October 2021:
Gimbal
Estimote Location Beacons
Before you buy anything beware that Google shut down their beacon platform web services in April 2021. I wrote a full blog post to explain what this means: Eddystone is Dead, Long Live Eddystone!
Using these web services is completely optional for Eddystone-UID and Eddystone-URL, but critical for Eddystone-EID, because the beacon identifier rotates with a crypto algorithm and a “trusted resolver” server is needed to convert the advertised “ephemeral identifier” from jibberish to something meaningful and useful.
Without Google’s beacon platform web services, I am aware of no commercially available trusted resolver for Eddystone-EID. You would need to build your own, which is a non-trivial effort. Without a trusted resolver Eddystone-EID is worthless.
Because of this, make sure the vendors above still support using their products with Eddystone-EID. In time, it is likely they will remove support in their beacon firmware.
Finally, it is important to note that just because Google gave up on their beacon web services, most apps that use Eddystone, iBeacon and Altbeacon are unaffected. Beacons are standardized and will work forever — just don’t use Google web services! Again, beacon technology aside from Eddystone-EID has no need for Google web services.

How do I implement an sms USSD app like this?

I was wondering how to create an SMS app like this where you text something say "1GB" and get some response from server. https://imgur.com/zwFFhzz
Sorry I'm new to USSD so apologies if amateur question. 1) How does an app like this work? What do I need to know to implement this?
To implement a USSD style application you need to have buy in and assistance from the network operator.
There are API's in various toolsets that will allow you to issue USSD commands to the device, these API's simply just pass the request straight through to the GSM modem on the device as an AT command (I can't remember off the top of my head what it actually is), and the modem unit is responsible for actioning it.
Some commands are processed directly on the device. For example if you type in * 06# (or #06 *) i forget which, most devices will display thier IMEI number. Many mobile sites too, will often have lists of "Secret Manufacturer Commands Your Not Supposed to Know" or "Special Commands that get you Free Credit".... :-)
All these are, are fixed strings built into the modems firmware by the manufacturer of the modem, not the device.
Most USSD style SMS's however are actually parsed and acted upon inside the providers network, usually on some kind of application server that's attached to or works in tandem with the main network SMSC's
For example when I worked on the Yalla Bill pay system out in Qatar we routinely had to attend meetings at QTel (The state telcom provider) to explain our routing rules and test them to make sure they where implemented correctly.
When I worked as a network engineer for Orange UK, i would often have to take care of service requests from vending machine companies that used USSD in thier firmware to send messages to a router at the provider's SMSc center.
The other thing to consider too, is that many providers will charge you A LOT OF MONEY to undertake a project like this, even more if you want them to just intercept anything sent to a given number and be routed directly back to you for you to act on in your own servers.
Some providers do have SDK's that allow some kind of similar access, sometimes for free, sometimes for a cost. I remember when I worked for Orange, you could join the "Orange Partners Program" and that got you some nice SDK code and access to various inner network stuff (I built a big chunk of it :-D) that allowed you to do some interesting stuff, since the company became EE and now part of BT however, I honestly don't know if any of it is still in use.
You can also get a shortcode, and while that's not USSD style SMS, you can have SMS messages sent to the code and those messages will then get forwarded onto a TCP server endpoint that you control.
I believe Twilio have this feature available, and I know MBlox do beacuse that's who I use.
It's not genuine USSD, but you can easily set up a shortcode, have folks send SMS to it, then use an SMS send API to reply back to the sending number.
My MBlox account for example gives me a pay as you go HTTP SMS end point, where I send regular TCP based get requests with a set of parameters, and they turn those into SMS's and send them to the recipient. I pay roughly 2p UK per text inside the UK, and it cost me £50 UK to set it up.
On top of that, I got an inbound SMS number, which costs me a fixed £50 per year, and any SMS recieved by the number is sent to a TCP/WEB based endpoint I provide to them, and which I then do what's needed with the recieved SMS when it arrives.
My inbound is a normal full length number though, for a "shortcode" number which is what your picture shows, you'll likley have to pay extra for that.
That looks like it uses a short code for the interaction, the response is parsed to make a purchase of the 2GB via another API.

Google Client Library for Java SDK and GDPR

I am using the Google Client Library for Java SDK in my Android app to interface with Google Drive.
Do Google act as a Data Controller or Data Processor by using this SDK? I need to know if I need to store any data to show the user has consented to my app interfacing with Google Drive in line with GDPR.
I know I need to ask permission for personalised or non-personalised ads but the Google Drive SDK and GDPR stuff is driving me crazy.
Thanks
Disclaimer I am not a legal type person this is my opinion from the guidelines that we have been given. You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifcally tailored to your situation.
For refrence I am going to quote from the following documents which as of my writing are the only thing Google has released with regard to GDPR that i am aware of ath this time
Google Cloud & the General Data Protection Regulation
GOOGLE CLOUD & THE GDPR WHITEPAPER
Google Cloud & the General Data Protection Regulation (GDPR)
G Suite1
and Google Cloud Platform customers will typically act as
the data controller for any personal data they provide to Google in
connection with their use of Google’s services. The data controller
determines the purposes and means of processing personal data,
while the data processor processes data on behalf of the data
controller. Google is a data processor and processes personal data
on behalf of the data controller when the controller is using G Suite
or Google Cloud Platform.
Data controllers are responsible for implementing appropriate
technical and organisational measures to ensure and demonstrate
that any data processing is performed in compliance with the GDPR.
Controllers’ obligations relate to principles such as lawfulness,
fairness and transparency, purpose limitation, data minimisation,
and accuracy, as well as fulfilling data subjects’ rights with respect
to their data.
If you are a data controller, you may find guidance related to your
responsibilities under GDPR by regularly checking the website of
your national or lead data protection authority under the GDPR (as
applicable)2, as well as by reviewing publications by data privacy
associations such as the International Association of Privacy
Professionals (IAPP).
You should also seek independent legal advice relating to your status
and obligations under the GDPR, as only a lawyer can provide you with
legal advice specifcally tailored to your situation. Please bear in mind
that nothing on this website is intended to provide you with, or should
be used as a substitute for legal advice.
Gsuite is Googles sweet of tools that being Drive, Calendar ... they are the data controller for the data behind the Google tools.
Controller vs. Processor
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
IMO
If you are accessing a users data on Google Drive and changing it or doing anything with it then yes you are going to need to tell them what you are using their data for and log their consent. If you are saving their data anywhere then you are also going to have to give them the ability to delete that data.
There are some things you cant do for example if they want to delete all their files on drive thats not your responsibility that's Googles. You are only responsible for the data thats on your system and what you have done with it.
Using googles client library IMO doesn't have much to do with GDPR its what you are doing with the data that they return that matters. I did contact google a few months ago hoping to get some official guidelines with regard to GDPR and the client libraries. I have not heard anything as of yet.

How is Apple Pay and NFC-enabled Credit Cards used in check in/check out scenarios such as the London Underground?

If I understand correctly: Apple Pay, Android Pay and NFC-enabled credit cards can all be accessed using APDU commands via NFC according to the EMV standard.
I want to use information from this data exchange to associate the device/card with some persistent server-side information, typically a check-in/check-out scenario.
The NFC Tag ID is randomized on most devices, making this obvious approach unusable.
I am NOT trying to take payment, only use an unique identifier that does not change over time. It is also important that the identifier is unique per device, so that the same credit card registered on two phones does not appear to be identical.
Reading about the use of temporary tokens makes we wonder if this is at all possible on the phones due to the one-time tokenization employed. Apple creates a Device Account Number that is unique for a device, but this is supposedly not shared with the Point Of Sale. But still, travellers can use EMV Cards as well as Apple Pay to check in/out on the London underground, this is not possible without reading the same identifier twice.
So my question is what information can I use to read a persistent unique token that works across all EMV mediums?
Extra bonus points for some information on the APDU commands used for reading this information or thoughts on the security aspects of using this token as an non-cloneable identifier (can offline PIN verification be used?).
The following threads could not provide an answer:
Serials on NFC Tags - truly unique? cloneable?
Create Token With Apple Pay Without Payment
I think you might be getting a bit confused around how Apple Pay works - it's just a regular EMV contactless card payment with a device specific card number/token instead of the actual token. The uniqueness comes from the EMV cryptogram. The public Apple Security Whitepaper details this: https://www.apple.com/business/docs/iOS_Security_Guide.pdf
Apple Pay Contactless payment scenario is a sub-part of Visa PayWave specification. During the card(or Apple Pay device)-to-terminal interaction Card(or Apple Pay device) generate ARQC cryptogram which, together with other transaction details, needs to be validated by Acquirer host.
Nothing actually new invented here. Apple Pay is just method to provide Card data and Transaction Cryptogram (TC) via Apple devices. The same or at least similar scenario as for usual PayWave Contactless-EMV card.
The Apple Pay UK and US profiles and test scenarios now covered by Visa PayWave Test Procedures (VpTP).

How can I send SMS messages like Twitter does?

Do all cell companies have open APIs that allow you to send SMS messages like Twitter does?
Do you have to pay to do this?
Many (most?) mobile companies have email gateways allowing you to send an SMS. For AT&T I believe it's phonenumber#text.att.net, but each provider will have a different address.
This wikipedia article summaries it pretty well. Some cell companies have easy formats. For example, Verizon uses number#vtext.com.
It depends what country you're in.
In the UK to pay to send - receiving is free.
Take a look at messagepub. They provide an easy API so that you can send SMS messages from your application.
If you want a reliable solution then yes you will have to pay for it, there are some limited free versions.
We used Clickatell with an earlier project http://www.clickatell.com/developers.php
It gets a bit more complicated. E-mail gateways may work for some carriers, but not others. As noted, it's based on your cell carrier, what we can the aggregator, and possibly a third-party "intercarrier". However, it also depends on volume. If you're just sending the occasional SMS via e-mail, it certainly can work, but, it's occasional in use, and you don't get the confirmations that your phone normally sees. For volume transfers of messages, you typically need to talk to your carrier about access to their "SMSC gateway". The SMSC gateway speaks an internet protocol (SMPP) to transfer messages from your app, into the carrier clouds. It it designed for volume, and you get response codes for your messages.

Resources