Category Archives: News

Convenience and security

Dedicated to small and micro-merchants, the SoftPOS solution allows payment solution providers to extend their smart payment acceptance offer. The principle of SoftPOS is to offer a lightweight, convenient and secure solution to merchants who cannot get equipped with traditional POS systems, or to complete existing POS systems for more mobility…

Check out the solution at Trustech

Trustech Logo

New ICS for EMV® Contactless Level 1 available

The applicability of EMV® 3.0 is now effective, and the corresponding ICS for EMV® Contactless Level 1 v3.0 is available for download on EMVCo website

Vendors can submit their contactless capable terminals to type approval against the v3.0 test plan. The scope of the EMV Contactless Level 1 testing includes Analogue test, Digital test, and Interoperability test. The aim is to adapt POS systems to new methods of payment used worldwide.

As the version 3.0 includes major changes on the Analogue side, EMVCo has stretched the migration period until December 2019. Hence, if products don’t pass all Analogue v3.0 tests, they can be granted a v2.6 LoA, provided  :

  • they pass all v3.0 Digital test cases
  • they pass certain v3.0 Analogue test cases (detailed description in TTA bulletin 221). 

Contact your Alcinéo representative to have further information on the Terminal certification processes at : info@alcineo.com.

 

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

It is time to plan EMV® Contactless Level 1 v3.0 certification

EMVCo has released a bulletin to announce the Type Approval and Renewal applicability of the new specification 3.0 for EMV® Contactless Level 1 Approval of contactless card readers.

The new version 3.0 will become applicable starting April 1st 2019, and will become mandatory as of 1st January 2020.

During this migration phase, terminal providers can submit their contactless devices to certification against 2.6b test plan, or 3.0 test plan. 

EMVCo also mandates that starting 1st January 2020, all products submitted to EMV contactless level 1 renewal process comply with the 3.0 version, for all test sessions, analog, digital and interoperability, with a possibility of restricted approval in case of some tests fail, considered acceptable by EMVCo.

Feel free to contact your Alcinéo representative to obtain further information on the 3.0 specification or to have more information on our EMV contactless suite and other smart payment and security solutions. You can also keep in touch at : info@alcineo.com.

PayWave approval policy change

In a recent notification, Visa has announced a change in the PayWave approval policy for contactless acceptance devices.

Starting November 1, 2018, contactless terminals passing PayWave certification will be granted a four-year period Approval Letter.

This new validity period of PayWave certified products will allow terminal providers to better manage their product certification cycles, in line with EMV Contactless Level 1 approval.  

Visit Visa Technology Partner website to obtain further information or contact Visa Approval Services

Visit EMVCo website for more information on EMV technology and specifications : www.emvco.com 

Contactless payments become the “norm” in transit

The convenience of simply waving a bank card to enter the transit network is one of the main reasons why open-loop payments become so popular in major cities in the world. But it is not the only reason. What are the benefits and the challenges faced by transit authorities? Is it worth the investment? 

Benefits

The implementation of tap & go in the transit sector simplifies not only daily commuters’ journey, but also foreign visitors’ traveling experience. Travelers do not have to carry many cards or have the exact amount in cash for a ride, or waste time in queues to buy a ticket. Instead they benefit from increased punctuality, flexibility and fluidity at peak times. 

Transition from paper-based tickets to digital and contactless ticketing solution is also attractive to transport operators. Contactless fare collection systems reduce operational costs, open the door to new customers on the network, minimize fraud attempts and improve transport services quality. 

How it works

Open-loop payment infrastructure is based on EMV® contactless technology, offering contactless payment in transitpassengers the ability to tap their cards as in any retail store, or use their transit cards, smartphone or other contactless payment capable form factors alike at automatic gates. 

The first challenge for cities is to offer a convenient and discontinued public transport service, easy to use, fast and reliable. It must support a large number of passengers boarding at the same time and embed particular features such as :

  • ODA (Offline Data Authentication) – using fast Dynamic Data Authentication allow the terminal to rapidly identify the card as being unaltered and accepted for travel
  • Deferred authorization – transit merchants have the ability to send authorizations online at deferred time (at the end of the travel period)
  • Fare calculation – travel fare is calculated at the back office system according the taps of a card accumulated over the travel period.  

The main critical issue is to authenticate a card in milliseconds, to avoid any slowdown in the flow, to minimize fraud, and then be able to adequately charge the amount for the trip done. The major payment schemes have released best practices and specific requirements for contactless payments in the transit sector, that transport authorities and their technology partners must follow to securely and compliantly implement open-loop systems.

Security challenges

It is crucial for transport authorities to keep travelers’ data protected from fraud at all times during their trips on the transport network, starting at the point of entry, the contactless readers, up till the acquirer system where the transaction is completed.

Therefore enhancing security layers with PCI Standard Security requirements allow transit operators to ensure cardholder data is kept safe during the whole transaction process on their network, and add security barriers to fight fraud.

Moreover, transit merchants must rely on a robust and secure back office to safely and seamlessly store data, process transactions, track terminal issues, remotely maintain and update each terminal on the network.

One single payment technology partner for all your needs

Alcinéo has been working with stakeholders operating in the transit sector for more than a decade, supporting companies involved in the development of smart ticketing solutions at the gates or turnstiles, unattended payment kiosks and terminals, parking meters or next generation validators.

We help them to overcome the hurdles during the design, development and through certification process of their products with EMV, contactless payment schemes and PCI, and provide a bespoke support after the deployment. Our complete suite of contactless kernels has been designed to comply with the transit speed threshold and security constraints and have already been implemented into terminals operating in many transit systems worldwide.

The modular approach of our PCI PTS logical package allows them to build the most innovative solutions while complying with the latest PCI security requirements to securely process and store sensitive data.

Additionally, our Terminal Management System solution allows our customers to seamlessly manage their terminal fleet easily and remotely : remote control of terminals, real-time monitoring, firmware or application update capability, among other modular functionalities.

Do not hesitate to contact us to have more information on our dedicated solutions for contactless payments in transit, at : info@alcineo.com, or contact your Alcinéo representative.

Mastercard’s milestone for contactless acceptance terminals

Major payment schemes have released roadmaps for the global completion of EMV® contact and contactless technology migration, such as Mastercard’s milestone, to help POS vendors anticipate the development of EMV capable solutions in the near future.

Even though the migration to EMV has started in the early 90s in Europe which is now a mature market, it has only been introduced 2 years ago in the US and still need to be promoted.

Mastercard requires that from October 2018, newly deployed POS terminals support EMV contact and contactless functionalities.*

And all POS systems shall embed EMV and contactless technology by April 2023.*

*Please note that these rules and dates may defer according the regions, such as US or Canada, and the nature of the deployed terminals (POS, mPOS, unattended terminal, integrated POS…).

The other major payment schemes have also edited milestones to achieve EMV and contactless payments’ expansion. Do not hesitate to contact your Alcineo representative to obtain further information, at : info@alcineo.com.

Increase data protection at POS with AES DUKPT

Keep cardholder’s PIN safe with AES DUKPT encryption 

AES DUKPT becomes the new standard for improved data protection at POS systems. Sensitive transaction data processed in the payment network require a high-end level of security to withstand fraudulent attacks. In a new version of the PIN Security standard document, the PCI Security council announced changes in encryption methods that POS vendors must implement to process transaction data online such as cardholder’s PIN.

TDES, widely used in the payment industry, is considered as a weakened technique of PIN encryption to face the threats of elaborated fraud attempts. According the document, TDES PIN  encryption will be disallowed to the benefit of AES cryptographic algorithm. 

AES enhances encryption robustness, as compared to TDES. It offers a larger set of secret keys (from 128 to 256 bits), that can be generated during the whole lifespan of the terminal. 

PIN ProtectionThe combination of AES cryptographic algorithm and DUKPT (Derived Unique Key Per Transaction) key management scheme provide an upper level of protection for transaction data.

The challenge for terminal manufacturers is to develop innovative and convenient  payment solutions for merchants and consumers,  while complying with state-of-the-art technologies and the latest security standards.

At the forefront of data integrity challenges and software-based security, Alcinéo has already developed AES DUKPT key encryption solution for our customers’ secure payment solutions in transit, retail or mPOS environments.

The modular approach of our PCI logical package allow them to obtain customized PCI PTS compliant products, according their needs and supporting the most advanced security requirements in the payment landscape.

Do not hesitate to require further information on our PCI PTS POI package at : info@alcineo.com

The full set of documents on PIN security requirements is available on PCI Security Standard website : www.pcisecuritystandards.org.

JCB updates its requirements program for approval processes

The Japan-based payment scheme JCB has issued an update of its requirement program for Contactless IC terminal approval tests. The new version of the document has been released on the 1st of August.   

It describes the submission processes for initial and renewal approval of compliant EMV payment terminal with JCB specifications. The main changes in the document are related to clarifications on the renewal process. 

Renewal testing requirements

The purpose of renewal testing is to demonstrate that the contactless kernel inside an approved payment terminal still meets sufficient conformance with the current specifications. 

JCB reviews the ICS of the embedded kernel and decides if renewal testing process is needed. If it considers that the product shows sufficient compliance then an extension of approval is granted for 3 years. Otherwise the device must undergo a series of tests to prove compliance with the current test plans. 

The renewal testing session shall be scheduled at the same laboratory that performed initial testing of the product. The set of renewal tests is performed using the same sample device as initial type approval, provided that the device stored at the laboratory is still functional. 

Terminal providers shall send the renewal request within 6 months prior to the end of the approval validity period, and shall ensure that the device has at least a valid EMV Contactless L1 LoA (if it is contactless only capable). 

How to ensure the renewal of terminal approval

It is crucial for POS providers to perform internally the appropriate testing campaigns prior to submitting the device to renewal process. 

Alcinéo has all the the tools identical to those used in laboratories, in order to perform the required testing campaigns in-house for our customers. Either for initial TTA or renewal testing, our team of highly-qualified ISTQB testers can perform tests cases related to EMV contact and contactless kernels, and the full suite of contactless kernels (including but not limited to : MCL, PayWave, ExpressPay, DPAS, Interac, JCB, CUP).

Newsletter – Issue 12 – The steps to EMV® CL1 approval

The development of a contactless payment terminal is not an easy task. From antenna design, to EMV® CL1 stack implementation, debug sessions and approval process, terminal manufacturers must face several challenges. 

Moreover, additional requirements from international standards to increase interoperability imply new testing process. Contactless cards and mobiles can now be used to perform additional tests. Documents on Interoperability testing and requirements can be found on EMVCo website

Read our latest newsletter to have an overview of the maze and find the way out of it :

Newsletter – Issue 12 – Best practice – the steps to EMV contactless level 1 approval

Comply easily with the new PayWave Cross testing process

Visa has defined specific requirements to perform PayWave Cross testing automatically, called VCAS (Visa Cross-test Automated Specification). You can visit Visa Technology Partner website to access the dedicated documentation.

More precisely, VCAS defines the interface communication that must be established between a Device Testing Environment and the robot controller used in a laboratory to perform the set of Cross tests during Visa PayWave type approval. 

The purpose of this protocol is to shorten the duration of the Cross testing session. 

The robot controller integrated by each accredited laboratory initiates a transaction command automatically to analyse the device behavior. The challenge for Point-of-sales providers is to supply a compliant testing environment that is capable of converting each tag sent by the robot into a tag that the device will recognize and manage easily, using the appropriate language. 

Alcinéo has developed a tool to help our customers to seamlessly perform PayWave automated Cross tests and comply with this additional function which is now mandatory to start a Cross testing campaign in a lab. 

Our VCAS webservice converts the tags received from the robot (simulating contactless card commands), and transmit it to the device in the appropriate format. 

Alcinéo develops Visa PayWave kernels for contactless capable devices and supports customers during the certification process of their payment solutions. In addition to the contact and contactless kernels, we deliver dedicated tools to help them performing full testing sessions at the laboratory. 

Request your Alcinéo’s SDK to access the right toolbox for certification at : info@alcineo.com, or contact directly your Alcinéo representative.