Transit EMV Checker
Background
Transit EMV Checker (TEC) is an Android application that reads a contactless EMV payment card or other cEMV media (phone, wearable…) and performs a technical check of whether the configuration of the media is likely to be suitable for acceptance for payment in a transit system. In such a system acceptance of the media must be determined offline, because timing/usability considerations make online verification of payments unacceptable.
The tool reads data from the cEMV media, including the Primary Account Number (PAN), the storage of which is regarded as sensitive under the PCI regulations governing payment systems. The tool is designed to be acceptable under PCI-DSS revision 4.0 by ensuring that at least 6 digits of the PAN are discarded immediately after they are received from the media and are not stored on disk or displayed on the user interface. As well as reading the PAN, the tool emulates a transit payment terminal and retrieves configuration data (“EMV tags”) from the cEMV media. This configuration data is examined to determine whether the media is able to authenticate itself to the standards required for offline acceptance, and whether there are any restrictions on usage which would prevent it from being accepted for transit payments at the current location.
Note that the wording of PCI-DSS revisions in the 3.X series in relation to processing of live EMV media on test systems was more restrictive than the wording in revision 4.0. The tool is not represented as being acceptable under PCI-DSS revisions in the 3.X series.
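The discard-on-receipt handling of the PAN described above can be sketched as follows. This is an added Python example, not code from the TEC repository: the function names, the constructed sample record and the masking layout (up to 6 leading and 4 trailing digits kept, never fewer than 6 masked) are assumptions.

```python
# Added example (not TEC source): mask PANs while flattening EMV BER-TLV data.
PAN_TAGS = {"5A", "57"}  # Application PAN; Track 2 Equivalent Data

def mask_pan(digits, min_masked=6, tail=4):
    """Keep up to 6 leading and `tail` trailing digits, but always overwrite
    at least `min_masked` digits (this layout is the example's assumption)."""
    if len(digits) < min_masked + tail:
        return "*" * len(digits)
    head = min(6, len(digits) - tail - min_masked)
    return digits[:head] + "*" * (len(digits) - head - tail) + digits[-tail:]

def read_tlv(buf, pos):
    """Return (tag_hex, value_bytes, next_pos) for the TLV starting at pos."""
    start, first = pos, buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:            # multi-byte tag: continue while bit 8 set
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    tag = buf[start:pos].hex().upper()
    length = buf[pos]
    pos += 1
    if length & 0x80:                   # long form: low 7 bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError(f"tag {tag}: length runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def sanitise(buf):
    """Flatten TLV data to (tag, text) pairs; PAN values are masked before storing."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if int(tag[:2], 16) & 0x20:     # constructed template (e.g. 70, 77): recurse
            out.extend(sanitise(value))
        elif tag in PAN_TAGS:
            # BCD nibbles: 'D' ends the PAN in Track 2, 'F' pads an odd-length PAN.
            pan = value.hex().upper().split("D")[0].rstrip("F")
            out.append((tag, mask_pan(pan)))  # rest of Track 2 is dropped here
        else:
            out.append((tag, value.hex().upper()))
    return out

# Constructed record (not from a real card): template 70 with tags 57, 5A, 5F24, 5F28.
INNER = bytes.fromhex("570F4000001234567899D291220100000F"
                      "5A084000001234567899" "5F2403291231" "5F28020036")
SAMPLE = bytes([0x70, len(INNER)]) + INNER
```

Calling `sanitise(SAMPLE)` returns the flattened tag list with both PAN-bearing values already masked, so only the masked form is available to whatever writes the log or draws the screen.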
Initial motivations
The idea for this tool arises from a past employment role working for a vendor of fare payment systems for transit. In this role I was the primary subject matter expert (SME) responsible for investigating issues arising with payment cards and mobile applications issued by local banks and other payment card issuing institutions.
In the course of introducing cEMV payments for some of our customers we received a number of support requests in relation to cards issued by particular banks and other institutions which were not accepted at the transit validators we had provided.
PCI-DSS revision 3.X restrictions made it impossible for logging at live validators to be sufficiently detailed to enable investigation of these problems. Physical separation between the customer site and the engineering site where I was located was also a problem, particularly in relation to some of the mobile wallet applications which were geo-locked to be installable only in the customer’s home continent.
The TEC app is intended to be used in the hands of customer service staff at transit businesses accepting cEMV, to capture sufficient technical detail in relation to a cEMV media item which is not accepted to allow subject matter experts at a different location to advise on the cause of rejection.
Current Status
The application is developed in a public repository on GitHub.
The developer expects the project to be of most interest or value to engineers who are capable of checking the code out, building it and experimenting with it, but the prebuilt application is also available as a paid install on Google’s Android Play Store.
The requirement to pay for the prebuilt app is intended to discourage downloading by casual users other than those who have a professional engineering background and are employed in the transit payments industry. I am happy to share free download tokens from the Play Store with anyone who is professionally affiliated to a transit operator, agency or software/hardware/consultancy vendor in the transit payments space - if you would like to apply for a token or a bundle of tokens to cover a team working in this space, please contact me via LinkedIn: https://www.linkedin.com/in/tim-littlefair/.
I’m also very happy to receive messages via LinkedIn relating to the value or otherwise of the software, or relating to discussions about the cEMV/transit payment space in general.
Code Repository
| Component/Version | Hosting URL |
|---|---|
| Source code on GitHub | |
| Prebuilt app on Android Play Store | https://play.google.com/store/apps/details?id=net.heretical_camelid.transit_emv_checker.android_app |
Privacy Policy
The TEC application does not directly send any data over networks. It does store PCI-sanitized data read from each cEMV media presented in an XML file which can be accessed via the USB storage capability of the host Android device. The PCI-sanitization process masks the PAN in the standard way, ensuring that the data stored does not fall under PCI-DSS requirements.
The user of the Android device is responsible for managing the stored data responsibly. It is recommended that stored data be shared securely with cEMV subject matter experts only, and be deleted from the Android device within 30 days of storage.