EMV application development Questions [closed]

13
votes

I am new to EMV, currently I have an emergency EMV application development project, anybody could help me answer the below questions:

  1. what is EMV L2 application kernel? Is an API or just an executable EMV application?

  2. During an EMV payment transaction, what kind of data(message) information need to be captured from Chip&Pin card so that it could submit to bank card issuer for authorization. Which ISO specification that the payment transaction data should apply for.

  3. what kind of connectivity between EMV terminal and acquirer? IP or Serial Port?

  4. Any testing tools for EMV application development? Such as acquirer host simulation.

5.How much time it will take for an EMV application development?

2
emv
Since the question is closed I will just comment: I've developed Mastercard and Visa kernels, written in Java, targeting Android devices. Mastercard kernel took about 8 months, Visa - about 4 months. MC's kernel is much more complicated (probably 5-6 times Visa's). Developing kernel using Java for Android is probably much easier than in C targeting some "brick" terminal. Preparing for certification is 30-50 days for MC and 10-20 days for Visa.Ognyan

2 Answers

35
votes

1] what is EMV L2 application kernel? Is an API or just an executable EMV application?

It is more an API than an application. That's a piece of software that will use the underlying hardware to communicate with your EMV card, and will manage all of the EMV application level protocol (APDUs). If you're developing for a specific payment terminal, you'll have to contact the manufacturer to buy its kernel (ex : Ingenico, VeriFone). If you develop for a PC solution, you can buy some generic kernel (ex : EmvX). You probably don't want to write your own kernel, this blog estimates the cost of doing so :

EMV recommends to take around 18 month time to develop and certify a contact kernel. [...] Something between 200’000 and 400’000 Euro is a normal value.

2] During an EMV payment transaction, what kind of data(message) information need to be captured from Chip&Pin card so that it could submit to bank card issuer for authorization. Which ISO specification that the payment transaction data should apply for.

The documentation for the EMV protocol is publicly available at EMVco.com. An EMV card is a chip card, meaning you don't capture info from the card to later submit it to your bank (acquirer). In (very brief), your card will provide its characteristics to your application, and require a variable set of parameters (ex : amount, date, tip, etc.). Your application will reply with the required info and the card will then eventually decide if it accepts the transaction offline, accepts it online (after validation by the issuer), or rejects it.

3] what kind of connectivity between EMV terminal and acquirer? IP or Serial Port?

Between terminal and acquirer, it's a dial-up connection most of time (60% of merchants in the U.S. in 2012), or IP connection.

4] Any testing tools for EMV application development? Such as acquirer host simulation.

A bunch. You'll need a card issuer simulator (Visa, Mastercard, etc.), an acquirer (bank), simulator which will depend on the acquirer you're working with (in Canada, it could be Base24). You'll then need tools to troubleshoot communication problems between your application and EMV card (ex : SmartSpy), and eventually tools to prepare for certification (ex : from ICC Solutions, or Fime)

5] How much time it will take for an EMV application development?

A lot. Where I work, it just took a little bit more than 1 year to a 6 developers team with a strong experience in EMV transactions and payment applications to write a new payment application from scratch for an Ingenico terminal and to get it ready for certification. One of the most painful part is to succeed certification tests. Targeting a PC environment may make development easier (easier debugging, more online resources and documentation, etc), but not having in-house skills and experience will increase significantly the cost

5
votes

I can at least add to @nicolas-riousset 's answer for a couple.

1) I unfortunately do not have anything to add here.

2) Answer is check the specification on the applicability of your terminal and the CVM I believe of the terminal and the card as well as any processor specific requirements.

3) IP yes, but there are established protocols and most utilizing SSL these days. I believe even the dial-ups number has significantly dropped as those 'dial-up' ones have migrated to internet based but I don't drive POS terminals to be able to definitely confirm that.

4) A single simulator platform could accomplish a lot of this as getting a Base24, Postilion, Connex, SmartVista is no small under taking. We have the VISA & MasterCard simulators in-house as well as a few others and the VISA & MasterCard ones would be my last choice to pursue as they are least helpful for terminal to host. My short list of ones to look at that can do acquirer and issuer and processor simulation all on a single workstation would be the following, all have their quirks.

  • Paragon's FasTest
  • ACI Worldwide's "ASSET"
  • Clear2Pay's Lexcel (recently purchased by FIS)

5) Based on the complexity, nuances, backlog of talent, etc on EMV I think a year seems reasonable if not longer.