EMV application development Questions

emv
Bo Huang picture Bo Huang · Jan 11, 2014 · Viewed 9k times · Source

I am new to EMV, currently I have an emergency EMV application development project, anybody could help me answer the below questions:

  1. what is EMV L2 application kernel? Is an API or just an executable EMV application?

  2. During an EMV payment transaction, what kind of data(message) information need to be captured from Chip&Pin card so that it could submit to bank card issuer for authorization. Which ISO specification that the payment transaction data should apply for.

  3. what kind of connectivity between EMV terminal and acquirer? IP or Serial Port?

  4. Any testing tools for EMV application development? Such as acquirer host simulation.

5.How much time it will take for an EMV application development?

Answer

Nicolas Riousset picture Nicolas Riousset · Jan 13, 2014

1] what is EMV L2 application kernel? Is an API or just an executable EMV application?

It is more an API than an application. That's a piece of software that will use the underlying hardware to communicate with your EMV card, and will manage all of the EMV application level protocol (APDUs). If you're developing for a specific payment terminal, you'll have to contact the manufacturer to buy its kernel (ex : Ingenico, VeriFone). If you develop for a PC solution, you can buy some generic kernel (ex : EmvX). You probably don't want to write your own kernel, this blog estimates the cost of doing so :

EMV recommends to take around 18 month time to develop and certify a contact kernel. [...] Something between 200’000 and 400’000 Euro is a normal value.

2] During an EMV payment transaction, what kind of data(message) information need to be captured from Chip&Pin card so that it could submit to bank card issuer for authorization. Which ISO specification that the payment transaction data should apply for.

The documentation for the EMV protocol is publicly available at EMVco.com. An EMV card is a chip card, meaning you don't capture info from the card to later submit it to your bank (acquirer). In (very brief), your card will provide its characteristics to your application, and require a variable set of parameters (ex : amount, date, tip, etc.). Your application will reply with the required info and the card will then eventually decide if it accepts the transaction offline, accepts it online (after validation by the issuer), or rejects it.

3] what kind of connectivity between EMV terminal and acquirer? IP or Serial Port?

Between terminal and acquirer, it's a dial-up connection most of time (60% of merchants in the U.S. in 2012), or IP connection.

4] Any testing tools for EMV application development? Such as acquirer host simulation.

A bunch. You'll need a card issuer simulator (Visa, Mastercard, etc.), an acquirer (bank), simulator which will depend on the acquirer you're working with (in Canada, it could be Base24). You'll then need tools to troubleshoot communication problems between your application and EMV card (ex : SmartSpy), and eventually tools to prepare for certification (ex : from ICC Solutions, or Fime)

5] How much time it will take for an EMV application development?

A lot. Where I work, it just took a little bit more than 1 year to a 6 developers team with a strong experience in EMV transactions and payment applications to write a new payment application from scratch for an Ingenico terminal and to get it ready for certification. One of the most painful part is to succeed certification tests. Targeting a PC environment may make development easier (easier debugging, more online resources and documentation, etc), but not having in-house skills and experience will increase significantly the cost