In this article, I will talk about what I learnt and observed while working on a POS app.

The payment terminal I worked on ran on the Android operating system. Android developers with knowledge of the Kotlin or Java programming languages will find this article very helpful.

A Point of Sale (POS) system allows a business to accept payments from customers using a payment terminal. Basically, a customer pays for a service physically using a card on a POS terminal and a receipt is generated for that transaction.

There are a couple of terms you might come across while working with POS terminals. Some of them include OEM, Prepping, TMS, Key Management, NIBBS, Merchant, Acquirer, Issuer, PTAD, PTSP etc.

OEM

A company that manufactures products that are used as inputs to the production of another more complex product

OEM stands for Original Equipment Manufacturer. In our case, the OEM is the company that manufactures products used in the production of a POS terminal. The OEM provides firsthand support to help with problems that might arise when using the POS terminals. Some popular Point of Sale OEMs include Aisino, Horizon, Morefun, Verifone etc.

What resources do you need before building a POS app? SDKs, keys & Documentation.

The OEM also provides SDKs, sample projects & documentation when a POS terminal is purchased. These resources help a programmer understand how that brand of terminal works. In these resources, you look out for specific functions that show how to perform certain tasks, e.g. initializing the SDK, printing receipts, injecting keys etc., based on the use case of the app you are building.

After creating a project, you add the necessary libraries of the POS terminal as dependencies. These often come in the form of JAR files. The next thing to do is to initialize the SDK of the POS terminal. You must call the classes that initialize the POS SDK as soon as the app is started. In Android, the initialization is done in the onCreate method.
Below is an example of the SDK initialization process in an Aisino POS terminal.

[Image: Initialization of SDK in onCreate]
[Image: An SDK initialization method]

TMS

The Terminal Management System is a system that manages various POS Terminals an organization has.

The organization referred to here could be the OEM or a company that ships products that run on POS terminals.

PREPPING

What is prepping? How is it done? What happens in prepping?
To perform financial transactions over a network, the POS terminal needs certain data before a transaction is processed. The process of getting this data from a network is called prepping. When you prep, you download encrypted keys & terminal parameters (merchant ID, merchant name etc). The keys are to be “injected” into the terminal before a transaction can be successful. The SDK contains methods for injecting the keys into the terminal. You might want to inject the keys as soon as they are downloaded.

EMV KEY MANAGEMENT

EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for “Europay, Mastercard, and Visa”, the three companies that created the standard.[1]

There are three keys needed to process an EMV transaction across a network. They are the Master Key, Session Key & Pin Key. These keys come encrypted from the network. The Terminal Management System (TMS) provides another key called the Combined Key or Key Encryption Key (KEK), which plays an important role in decrypting the keys used in the EMV transaction.

An algorithm used in the Key Encryption / Key Decryption process is the Triple DES algorithm.

NIBBS KEY MANAGEMENT

A company that integrates with NIBBS is usually given the three keys, but they come encrypted. The values needed to get the combined key are also given. They are given as a pair: component 1 & component 2. The combined key is gotten by XORing component 1 & 2. The value of component 2 is usually zero, so XORing 1 & 2 would give a value that is equal to component 1.

All these data can be found on the integrating company’s TMS. As a developer, you can get the keys from a company’s TMS by making a GET request to an endpoint provided by the TMS.

The Combined Key is used to decrypt the Encrypted Master Key. The Decrypted or Clear Master Key is used to decrypt the Session & Pin Key respectively.
The clear Session Key & clear Pin Key would be used when a request is made to the network that processes the payment.
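
The key hierarchy described above, as an added Kotlin example that is not from the original article or from any OEM SDK. It assumes double-length (16-byte) Triple DES keys used in ECB mode with no padding; the function names are hypothetical and every hex value is a constructed sample, not a real key.

```kotlin
import javax.crypto.Cipher
import javax.crypto.spec.SecretKeySpec

fun String.hexToBytes(): ByteArray = chunked(2).map { it.toInt(16).toByte() }.toByteArray()

// Combined key (KEK) = component 1 XOR component 2.
fun combine(c1: ByteArray, c2: ByteArray): ByteArray {
    require(c1.size == c2.size) { "key components must have equal length" }
    return ByteArray(c1.size) { i -> (c1[i].toInt() xor c2[i].toInt()).toByte() }
}

// Assumption: Triple DES, ECB mode, no padding. JCE's DESede needs 24 key bytes,
// so a double-length key K1|K2 is expanded to K1|K2|K1.
fun tdes(mode: Int, key: ByteArray, data: ByteArray): ByteArray {
    require(key.size == 16 || key.size == 24) { "expected a 16- or 24-byte key" }
    require(data.size % 8 == 0) { "data must be a multiple of the 8-byte block" }
    val k24 = if (key.size == 16) key + key.copyOfRange(0, 8) else key
    val cipher = Cipher.getInstance("DESede/ECB/NoPadding")
    cipher.init(mode, SecretKeySpec(k24, "DESede"))
    return cipher.doFinal(data)
}

// KEK decrypts the master key; the clear master key decrypts the session and PIN keys.
// Returns (master, session, pin) in the clear.
fun unwrapKeys(c1: ByteArray, c2: ByteArray, encMaster: ByteArray,
               encSession: ByteArray, encPin: ByteArray): Triple<ByteArray, ByteArray, ByteArray> {
    val kek = combine(c1, c2)
    val master = tdes(Cipher.DECRYPT_MODE, kek, encMaster)
    kek.fill(0) // the combined key is no longer needed in memory
    return Triple(master, tdes(Cipher.DECRYPT_MODE, master, encSession),
                  tdes(Cipher.DECRYPT_MODE, master, encPin))
}

fun main() {
    // Constructed sample values, not real keys.
    val c1 = "0123456789ABCDEFFEDCBA9876543210".hexToBytes()
    val c2 = ByteArray(16) // all zero, the usual case per the article
    val master = "11223344556677889900AABBCCDDEEFF".hexToBytes()
    val session = "A1B2C3D4E5F60718293A4B5C6D7E8F90".hexToBytes()
    val pin = "0F1E2D3C4B5A69788796A5B4C3D2E1F0".hexToBytes()
    // Simulate what prepping returns: each key encrypted under its parent.
    val kek = combine(c1, c2)
    val (m, s, p) = unwrapKeys(c1, c2, tdes(Cipher.ENCRYPT_MODE, kek, master),
        tdes(Cipher.ENCRYPT_MODE, master, session), tdes(Cipher.ENCRYPT_MODE, master, pin))
    check(kek.contentEquals(c1)) // zero component 2 means KEK == component 1
    check(m.contentEquals(master) && s.contentEquals(session) && p.contentEquals(pin))
    println("key hierarchy unwrapped correctly")
}
```

On a real terminal, pass the clear keys straight to the SDK's key-injection methods and zero the byte arrays afterwards instead of logging or persisting them.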

Things to note

  • A POS terminal allows a business to accept payments from customers using a payment terminal.
  • Payments done on the POS are based on the EMV standard.
  • The OEM provides the needed resources to build a POS app.
  • The combined key is gotten from the TMS, while the master key, session key & pin key are gotten when a terminal is prepped.

Thanks for reading this article. In my next article, I will explain more terms & concepts.

Don’t forget to share and recommend if you learnt something new. Also, let’s get connected on LinkedIn.
