Bluepay Mobile EMV App Documentation

PRODUCT

OVERVIEW

MOBILE EMV

PROCESSING

OVERVIEW

Version 1.1

BluePay Mobile EMV Processing Overview Version 1.1

Last Updated: 2021-02-26

IMPORTANT NOTICE

BluePay Mobile EMV Processing Version 1.1.

The information contained in this publication, including all illustrations, is considered to be proprietary and confidential. It is intended solely for the use of BluePay customers, partners, and employees. The contents of this document and the ideas contained herein may not be disclosed, reproduced or transmitted in any form or distributed, in whole or in part, without the prior written consent of BluePay Processing, LLC.

The use of this document does not constitute or imply transfer of any intellectual property rights nor does it grant any license to use this information or any BluePay product or service referred to herein for any other purpose than that for which it was intended.

All information contained in this document is provided “as is” and may change at any time without notice to the reader. Neither BluePay nor any other third party assumes any responsibility for the accuracy of the information contained herein, including technical errors, typographical errors, or any other inaccuracies. BluePay does not warrant that the information contained herein is accurate or complete.

All trademarks included herein are the property of their respective owners. Any use of the trademarks included herein must have the written permission of the respective owner.

BluePay, A Company Page 2

BluePay Mobile EMV Processing Overview Version 1.1

TABLE OF CONTENTS

WELCOME ...... 4 ABOUT THIS GUIDE ...... 5 INTENDED AUDIENCE ...... 5 FEEDBACK ...... 5 REVISION HISTORY ...... 5 MOBILE EMV OVERVIEW ...... 6 BENEFITS ...... 6 GETTING STARTED ...... 7 MERCHANT REQUIREMENTS ...... 7 TECHNICAL REQUIREMENTS ...... 8 INTEGRATION CONSIDERATIONS ...... 8 Mobile Applications ...... 9 Mobile Web Applications ...... 12 Standalone Operation ...... 13 HOW IT WORKS ...... 14 INSTALLATION & SETUP ...... 14 Downloading the Mobile Application ...... 15 Entering the Application Settings ...... 15 Device Operation ...... 20 PROCESSING PAYMENT TRANSACTIONS ...... 22 Processing an EMV Transaction ...... 22 Processing a Swipe Transaction ...... 26 Processing an EMV Swipe Fallback Transaction ...... 30 Processing a Manually-Keyed Transaction ...... 32 MOBILE PAYMENT PROCESSING API REFERENCE ...... 36

BluePay, A Company Page 3

BluePay Mobile EMV Processing Overview Version 1.1

Request Parameters ...... 36 Response Parameters ...... 39 EMV RECEIPT REQUIREMENTS ...... 43 DATA SECURITY ...... 44 TROUBLESHOOTING ...... 44 Accessing the About Page ...... 45 APPLICATION & DEVICE UPDATES ...... 45 Application Updates ...... 45 CAPK Updates ...... 46 Device Firmware Updates ...... 46

WELCOME

Congratulations on your selection of the ID Tech VP3300 card reader for your mobile EMV processing with BluePay! You have now joined the nationwide ranks of merchants who have met the EMV processing requirements for lower chargeback liability and reduced PCI-scope on card-present mobile payment transactions. Even better, you can also process eCheck (ACH) transactions from within the mobile application. A robust suite of search and reporting capabilities for your transactions is offered by the awardwinning BluePay Payment Gateway.

The ID Tech VP3300 represents the latest innovation in secure mobile payment acceptance. The VP3300 incorporates the latest Bluetooth BLE (Bluetooth Low Energy), triple-tracks magstripe, smart card, and contactless technologies. With this all-in-one mobile reader, it enables the acceptance of encrypted magstripe, EMV smart card, and NFC/contactless payments from a single, easy-to-use mobile interface. Together, the

BluePay, A Company Page 4

BluePay Mobile EMV Processing Overview Version 1.1

VP3300 and the BluePay Mobile Processing application can play a primary role in reducing the risk of data compromises and lowering your chargeback liability.

ABOUT THIS GUIDE

INTENDED AUDIENCE

This document is written for BluePay customers, partners, and employees who will be responsible for implementing the Mobile EMV Processing solution for use by BluePay merchants and for the operations personnel responsible for training users on how the Mobile EMV Processing solution works. It includes information necessary for the setup of the Mobile Processing application, the certified EMV/Swipe device, and the procedures used for performing EMV transactions, creating EMV receipts, and keeping the device up-to-date with the latest firmware and EMV configuration files.

FEEDBACK

Any feedback regarding the contents of this document or the BluePay Mobile EMV Processing solution, should be forwarded to the BluePay Product Management Department using the following email address:

[email protected]

REVISION HISTORY

This following revisions have been made to this document:

Version Description Date 1.0 Draft Document Release 07/31/2018 1.0 Initial Document Release 09/13/2018

BluePay, A Company Page 5

BluePay Mobile EMV Processing Overview Version 1.1

1.1 Corrected several typographical errors throughout the document. 09/20/2018 Added a reference to eCheck (ACH) transactions in the Welcome section. Added note regarding how to turn on the VP3300 device. Removed DUPLICATE from result value.

MOBILE EMV OVERVIEW

EMV stands for “EuroPay, Mastercard and Visa” and is also known as a smart card, chip and PIN, or chip and sign card. EMV-enabled cards include an added security feature, or chip, that is proven to keep card-present transactions secure, and is accepted in over 80 countries worldwide.

Effective since October 2015, businesses that do not accept EMV-enabled card transactions are held responsible for any liability resulting from counterfeit or fraudulent payment transactions.

EMV transactions involve a secure conversation that takes place between the EMV chip, embedded into the credit card, and the terminal, or device, used to process the transaction. During this secure conversation, the terminal learns what type of transactions the card is allowed to be engaged in and obtains a unique identifier for the current transaction. This information is then forwarded to the Issuing Bank through the BluePay Payment Gateway for final approval.

Using the industry standard EMV Quick-Chip technology, which avoids a two-way communication with the embedded chip, BluePay is now able to offer a Mobile EMV Processing solution that seamlessly operates in an iOS or Android operating environment. The BluePay Mobile Processing App uses an EMV/Swipe device that has been specifically certified for use with the BluePay Payment Gateway.

BENEFITS

Any BluePay partner or merchant who requires the ability to accept a card-present EMV transaction in a mobile smartphone or tablet environment, without the need or desire for

BluePay, A Company Page 6

BluePay Mobile EMV Processing Overview Version 1.1 a full terminal-based solution, will benefit by using the BluePay Mobile EMV Processing solution with a certified EMV/Swipe device. This solution does not currently support PINbased transactions or contactless NFC transactions. BluePay partners and merchants who implement the BluePay Mobile EMV Processing solution will benefit in the following ways:

• Provide the ability to accept card-present EMV “chip enabled” credit cards at point-of-sale. • Provide compatibility with mobile and mobile-web applications by using a secure mobile application capable of sending encrypted EMV and swipe data directly to the BluePay Payment Gateway. • Be compliant with card brand requirements related to EMV acceptance and chargeback liability. • Remain compliant with processing requirements on an ongoing basis. Since all EMV and swipe capabilities are built into the existing BluePay Mobile Processing application, there is no need to build or maintain integrations to existing devices. • Reduce PCI scope by keeping sensitive card information outside of your existing mobile POS application. • Enjoy added reporting and transaction review benefits through the robust feature set available by having transactions processed through the award-winning BluePay Payment Gateway.

GETTING STARTED

MERCHANT REQUIREMENTS

In order to use the BluePay Mobile EMV Processing solution, a merchant must be enrolled in either the Professional or the Enterprise Payment Processing package on the BluePay Payment Gateway, and optionally purchase one or more ID Tech VP3300 Bluetooth card readers from BluePay. An active BluePay Payment Gateway account ID and secret key are required to use the Mobile Processing application.

BluePay, A Company Page 7

BluePay Mobile EMV Processing Overview Version 1.1

TECHNICAL REQUIREMENTS

The merchant must download and install the BluePay Mobile Processing App from either the App Store or the Google Play Store. There is no charge for the Mobile Processing App. The minimum requirement for iOS devices is version 11.0 or later. Android devices require support for Bluetooth LE, using Android OS 6.0 Marshmallow (App Version 23) or later. A version for Windows or MAC OS is not currently available. The ID Tech VP3300 card reader requires support for Bluetooth LE or can be physically connected to the smartphone or tablet using the VP3300 micro USB connection. The micro USB connection is also used for charging the VP3300. All communication with the device is handled by the BluePay Mobile Processing App, so no additional drivers or manufacturer applications are required.

INTEGRATION CONSIDERATIONS

There are three possible methods of integrating and using the BluePay Mobile Processing application. No special technical requirements exist when using the application in standalone mode. However, if you plan to integrate the application with either an existing mobile application or a mobile web application, you will need to understand and use the industry standard URI scheme methodology to pass into and receive data from the BluePay Mobile Processing Application.

Figure 1 – Using URI Scheme for Data Exchange

NOTE: The value provided in the “my_app” input parameter is determined by the type of integration you choose. The following sections provide additional details specific to your chosen integration method.

BluePay, A Company Page 8

BluePay Mobile EMV Processing Overview Version 1.1

The BluePay Mobile Processing application is designed with a limited set of look-and-feel customization options to more closely match the look-and-feel of your mobile applications. These options include the ability to set your own logo, company name, and color options. See the section on Entering the Application Settings for more information.

Mobile Applications

In order to interface the BluePay Mobile Processing Application to your own mobile application, you will first need to understand the concept of using URI schemes to pass data. If you do not already possess this knowledge, you can refer to the following URL’s for additional information.

For iOS Developers: https://developer.apple.com/documentation/uikit/core_app/allowing_apps_and_websites _to_link_to_your_content/communicating_with_other_apps_using_custom_urls

For Android Developers: https://developer.android.com/training/basics/intents/filters

Once you have become familiar with the concepts for using the URI schemes, you must make sure you register the URI scheme for your application. You may choose any name you deem appropriate for your application, but the chosen name must be identical t o the

BluePay, A Company Page 9

BluePay Mobile EMV Processing Overview Version 1.1 value you pass in the “my_app” request parameter to the BluePay Mobile Processing application. Refer to the Mobile Payment Processing API Reference section later in this document for more information.

For example, suppose that the registered URI scheme for your mobile application is “speedy-pos”. Then the value you pass in the “my_app” parameter would be as follows:

my_app=speedy-pos

To pass data to the BluePay Mobile Processing application, create a string containing the “bluepay” URI scheme and include the parameters you want to pass.

For example, assume you want to pass the following information to the BluePay Mobile Processing application:

Transaction Type: SALE Amount: $127.55 Customer Name: Bob Smith Company Name: Billing ACME Corporation Address 1: 455 East Town Road Billing Address 2: Suite 500 Billing City: Billing Topeka State: KS Billing Postal Code: 66610 785-555-9876 Customer Phone #: [email protected] Customer Email: 000025 Customer ID: 34252 Invoice ID: Order 10154384 ID: Payment for Copy Machine Repair Comments: speedy-pos Your URI Scheme:

BluePay, A Company Page

BluePay Mobile EMV Processing Overview Version 1.1

0 You would create a URL-encoded data string as follows:

bluepay://process?trans_type=SALE&amount=127.55&name=Bob%20S mith&company=ACME%20Corporation&addr1=455%20East%20Town %20Road&addr2=Suite%20500&city=Topeka&state=KS&postal_code= [email protected] &customer_id=000025&invoice_id=34252&order_id=10154384&comme nts=Payment%20for%20Copy%20Machine%20Repair&my_app=speed ypos Figure 2 – Sample Input URI Data String

For iOS applications, the code might look similar to the following:

let url = URL(string: “bluepay://process?trans_type=SALE&amount=…”)

UIApplication.shared.open(url!) { (result) in if result { // The URL was delivered successfully! } }

Figure 3 – Sample Code for iOS Applications

For Android applications, the code might look like this:

Intent i = new Intent(); i.setAction(Intent.ACTION_SEND); i.putExtra(Intent.EXTRA_TEXT, “bluepay://process?trans_type=SALE&amount=…”); i.setType("text/plain"); startActivity(i);

Figure 4 – Sample Code for Android Applications

When control is passed to the BluePay Mobile Processing application, the data will be available in the “bluepay” URI scheme. The application will open to the Process Page and any data passed will be pre-populated into the corresponding data fields.

BluePay, A Company Page 11

BluePay Mobile EMV Processing Overview Version 1.1

After the payment transaction is completed on the BluePay Payment Gateway, the response string, containing the response parameters will be available by examining the data in the return URI scheme; in this case “speedy-pos”. This data string can then be parsed to extract the information relevant to the processed transaction. For example, you might be concerned about the following information:

Transaction Result: APPROVED Transaction Date: 2018-07-13 Transaction ID: 100456789123 Authorization Code: 479213 AVS Result: Y CVV Result: M Connected IP: 36.127.41.211 Card Present Flag: 1 EMV Application ID: A100023456789 EMV App Name: Mastercard

These results would appear in the destination URI scheme as follows:

speedy- pos://process?trans_result=APPROVED&issue_date=20180713&transaction _id=100456789123&auth_code=479213&avs_result=Y& cvv_result=M&connected_ip=36.127.41.211&card_present=1&emv_app lication=A100023456789&emv_app_name=Mastercard Figure 5 – Sample Output URI Data String

Depending on the application and settings, an email receipt with the customer signature may be sent to the customer automatically. Note that the customer signature, captured during the transaction process, is not available to be returned to the calling application.

Mobile Web Applications

Unlike mobile applications that run locally on the smartphone or tablet device, a mobile web application consists of mobile web pages that are downloaded to the device from a remote web server. In this environment, you will need to pass control from a mobile web page to the BluePay Mobile Processing application and then have the results posted to a script residing on the remote web server. This script will process the transaction results and return control back to the mobile web application.

BluePay, A Company Page 12

BluePay Mobile EMV Processing Overview Version 1.1

Integration of mobile web applications follows the same logic outlined above for local mobile applications with a few exceptions.

First, make sure that the BluePay Mobile Processing application has been downloaded and installed on the mobile device. Then, when serving the page that will link to the local application, the server should create a data string, containing the input data parameters, and then add this string to the hypertext link, as follows:

Figure 6 – Sample Mobile Web Link

You will note in the above data string, that the value for the “my_app” parameter needs to be set to the destination URL of the remote script or web page where the transaction results should be posted. For this example, the following URL is used:

my_app=https://speedypos.com/trxresponse

Then, when the BluePay Mobile Processing application has finished processing an approved payment transaction, the API response parameters will be posted to the indicated URL. Also, depending on the application and settings, an email receipt with the customer signature may be sent to the customer automatically. Note that the customer signature, captured during the transaction process, is not available to be returned to the calling application.

For assistance in updating your existing mobile web application to use the BluePay Mobile Processing application, or for assistance in understanding how to handle the response data, please contact the BluePay Integration Support Team at [email protected].

Standalone Operation

BluePay, A Company Page 13

BluePay Mobile EMV Processing Overview Version 1.1

Although the majority of the benefit to BluePay partners comes from the ability to integrate the application to an existing mobile POS solution, the BluePay Mobile Processing application can also be used as a standalone payment processing application without being integrated to any other systems. In standalone mode, a merchant simply downloads and installs the iOS or Android application and enters the necessary account settings. To process a transaction, the merchant either enters the transaction data manually or uses the connected ID Tech VP3300 card reader device to capture the payment information via swipe or EMV.

Merchants are also able to change the look-and-feel of the application and add a custom name and logo if desired. Customer signatures can also be captured at the time of purchase and be printed on email receipts.

A wide variety of transaction reports, search capabilities and other integration options are still available through the BluePay Payment Gateway. For more information on using the payment gateway options to integrate to other systems, please contact the BluePay Integration Support Team at [email protected].

HOW IT WORKS

INSTALLATION & SETUP

The fully integrated BluePay Mobile EMV Processing Solution can consist of as many as four individual components, each of which need to be properly installed and/or configured.

The first of these components would be your own mobile app or mobile web application. You are responsible for the installation and configuration of this part of the solution. Keep in mind that since the BluePay Mobile Processing application can function as a standalone system, having it integrated to an existing application is not absolutely necessary.

Second, the primary component of the solution is the BluePay Mobile Processing application, which can be installed on any device running either a compatible iOS or Android operating system. The following section provides additional details on installation and configuration of the BluePay Mobile Processing application.

Third, for card present transactions, the BluePay Mobile Processing application has builtin support for the ID Tech VP3300 card reader device, operating in either a Bluetooth or

BluePay, A Company Page 14

BluePay Mobile EMV Processing Overview Version 1.1

USB wired configuration. The ID Tech VP3300 devices are configured with a BluePay specific encryption key for true end-to-end encryption capabilities and must be purchased directly from BluePay. Any other VP3300 device purchased from an alternate source will not work with the BluePay Payment Gateway.

Finally, a BluePay Payment Gateway account is necessary in order to process the payment transactions, as the BluePay Mobile Processing application is pre-configured to process transactions through that gateway only. The award-winning BluePay Payment Gateway is also available for transaction history reports, transaction searches, and a variety of other integration options.

The following sections provide additional details on the installation and setup of the BluePay Mobile Processing application and the ID Tech VP3300 card reader device.

Downloading the Mobile Application

The BluePay Mobile Processing application is publically available for iOS on the App Store and for Android on the Google Play Store. To find the application, simply search on “BluePay Mobile Processing” and it should appear in your search results. Once located, you can download and install the application just like you would any other mobile application. To ensure you have the correct application, make sure the application icon appears as follows:

Figure 7 – BluePay Mobile Processing Icon

Once the application is installed, proceed to the Settings page and enter your application settings. DO NOT attempt to pair the card reader device with your smartphone or tablet at this time, only make sure that Bluetooth communication is enabled and the application will take care of the pairing.

Entering the Application Settings

BluePay, A Company Page 15

BluePay Mobile EMV Processing Overview Version 1.1

Application settings may be entered and stored within the BluePay Mobile Processing application or passed to the application using the API parameters. Currently, only the settings for Account ID, Secret Key, Processing Mode, and Default Transaction Type can be passed from the API. To save these settings when passed from the API, set the value of the “save_settings” parameter to “1”. Refer to the Mobile Payment Processing API Reference section later in this document for more information.

To manually set up the application settings, navigate to the Settings page as show below.

Figure 8 – Access to the Settings Page

Enter the application settings according to the guidelines below and select the SAVE SETTINGS button at the bottom of the page when completed.

Account Settings

• Account ID – The 12-digit payment gateway account ID for the BluePay Payment Gateway. This value will typically start with a value of “100”. If left blank, this value must be passed into the application using the URI scheme API.

• Secret Key – The 32-digit secret key for your BluePay Payment Gateway account. If left blank, this value must be passed into the application using the URI scheme API.

• Processing Mode – The processing mode, Live or Test, for transactions processed by the application. When in Test Mode, the message “*** TEST MODE ***” will appear at the top of the Process page. If left blank, this value must be passed into

BluePay, A Company Page 16

BluePay Mobile EMV Processing Overview Version 1.1

the application using the URI scheme API. The API value may also be used to override the value found in the application settings.

• Default Transaction Type – The default transaction type to be used for processing transactions. This value can either be set to AUTH for authorization only, or SALE for an authorization and immediate capture. The value entered here will be used as the default transaction type on the Process page, but can be changed if desired for each transaction.

• API Sensitive Data Input (On/Off) – This switch is used to enable or disable the ability to receive sensitive payment details through the URI scheme API. Sensitive data includes the credit card number, expiration date, CVV2 value, ach account number, ach routing number, and ach account type. When disabled, or off, this option will block these parameters from being received through the URI scheme.

NOTE: The fields identified above are considered to be sensitive data by the PCI Security Standards Council or have been identified as sensitive Personally Identifiable Information (PII). Although the BluePay Mobile Processing application allows a merchant to pass these values to the application, doing so implies that the merchant will be collecting or storing this information within their own application or POS solution and will increase the merchant’s PCI scope. Under PCI guidelines, it is never permitted to store the card validation code (CVV2 value), and other fields, such as credit card number and bank account numbers, must be encrypted when stored and transmitted. For these reasons, it is not recommended that the merchant collect or store any of these fields, but rather allow the BluePay Mobile Processing application to obtain this data during the transaction process.

Device Settings

Device Type – Select the type of device to be used when collecting credit card information. The valid options are None (manually-keyed information), VP3300 Bluetooth, or VP3300 USB, as show in the image below. Note that the card reader device is only used when collecting credit card information. ACH information is always manually keyed.

BluePay, A Company Page 17

BluePay Mobile EMV Processing Overview Version 1.1

Figure 9 – Device Type Options

Preferences

• App Display Name – Enter the name to be displayed at the top of the application pages next to the logo. This can be either a merchant DBA name, a partner name, or the name of a partner POS application.

• Logo – Used to select the logo to be displayed to the left of the App Display Name at the top of each page. To add or change the logo, select the CHANGE button. To remove the logo, select the REMOVE button.

• Display Name Color – Used to select the font color for the App Display Name sown at the top of each page.

• Heading Color – Used to select the font color for the section headings on each application page.

• Tab Color – Used to select the color of the selected tab option on the menu at the bottom of the screen.

The image below shows what areas of the application are affected by each of the Preference settings.

BluePay, A Company Page 18

BluePay Mobile EMV Processing Overview Version 1.1

Figure 10 – Areas Affected by Preference Settings

Receipt Settings

• Enable Receipt (On/Off) – Used to enable or disable the sending of email receipts for approved transactions. This is the master switch that turns on the receipt options listed below. If this is turned “off”, the options below will be disabled.

• Merchant Name – The merchant name to be shown on email receipts. This name will be used as both the “From” name on the email receipt and be shown as the merchant name on the receipt.

• Merchant Address – The full merchant address, in a single line, to be shown on the bottom of the email receipts. For example, the value should include the address, city, state, and postal code all in a single line.

• Merchant Email – The merchant email address to be used as the reply-to address on email receipts sent to the customer.

• Signature Line (On/Off) – Used to enable or disable the capturing of a customer signature for approved transactions. If enabled, a signature page will be displayed after an approved transaction and the customer will be able to sign directly on the smartphone or tablet screen. The captured signature will be presented on the email receipt.

BluePay, A Company Page 19

BluePay Mobile EMV Processing Overview Version 1.1

• Merchant Receipt Copy (On/Off) – Used to enable or disable the sending of an email receipt copy to the merchant. Note that that merchant email address must be entered in order for this feature to work.

• Customer Receipt Copy (On/Off) – Used to enable or disable the sending of an email receipt to the customer. Note that the customer email address must be entered or passed to the application in order for this feature to work.

Device Operation

The ID Tech VP3300 (shown below) is a plug and play Bluetooth LE device that comes pre-configured to operate with the BluePay Mobile Processing application. There are no additional software drivers to install (although when connected via USB, a generic USB driver may be installed automatically by your operating system). Because this device includes a BluePay-specific encryption key, a similar device purchased from a source other than BluePay will not work for any of the BluePay Mobile EMV options.

Figure 11 – ID Tech VP3300 Card Reader

To install the ID Tech VP3300 card reader, simply remove it from the box and plug it into any USB-style charger using the micro-USB charging port. A red LED on the back of the unit will indicate when the device is charging. When fully charged, the red LED will turn off. The VP3300 should process approximately 250 EMV or 500 swipe transactions for each charge.

To turn the device on, simply press and release the indented power button on side with the chip reader slot. There is no need to pair the device with your existing smartphone or

BluePay, A Company Page 20

BluePay Mobile EMV Processing Overview Version 1.1 tablet. The BluePay Mobile Processing application will take care of that automatically. Simply select the appropriate device type setting (VP3300 Bluetooth or VP3300 USB) on the Settings page and then select the Connect tab on the menu at the bottom of the screen. Click the CONNECT button to automatically connect the device. When connected, a Device Connected message will appear at the top of the Process page, as show below.

Figure 12 – Connecting the VP3300 Card Reader

There is a small power button on the side of the VP3300 device. To activate the device, simply depress this button with a fingertip or the tip of a pen or stylus. Once activated and connected, a blue LED will blink once every two seconds to indicate the device is ready for use. If the blue LED is blinking more rapidly, about once every second, then it is not properly connected to the application.

Refer to the table below for the LED status for normal operation.

Device Status LED Status (4 LED’s) Audible Beeper Ready for Transaction Left LED Flashes: 300ms on / 5 s off Swipe Successful All 4 LED’s Flash Once 1 Long Beep Swipe Error 2 Short Beeps EMV Contact Processing Left LED Flashes: 500ms on / 500ms off Do not remove card until transaction process is completed.

BluePay, A Company Page 21

BluePay Mobile EMV Processing Overview Version 1.1

Contactless Read Successful All 4 LED’s Flash Once 1 Long Beep Contactless Read Failed 2 Short Beeps Figure 13 – VP3300 Status Indicators

PROCESSING PAYMENT TRANSACTIONS

The BluePay Mobile Processing application is specifically designed to integrate with existing mobile or mobile web applications through an API layer that utilizes the industry standard URI scheme functionality. The application also leverages the card reader capabilities of the ID Tech VP3300 Bluetooth LE EMV/Swipe device. If necessary, the application may be used in a standalone non-integrated fashion with or without a connected card reader.

The sections that follow, outline the steps to be taken for each type of transaction to be processed. It is assumed that the application settings have either been already entered or will be passed to the application through the API interface.

Processing an EMV Transaction

The step-by-step process for performing an EMV transaction is as follows:

1. Open the BluePay Mobile Processing application by either calling it from an integrated mobile or mobile web application, or by opening the application manually.

2. If integrated, some or all of the customer data will be pre-populated on the Process page. If standalone, the customer information will need to be added manually. The table below describes the various data fields on the Process page.

Field Field Status Description Amount Required The amount for the current transaction. Transaction Type Required Select either AUTH or SALE for the type of transaction to be processed. This value defaults to the Default Transaction Type from the Settings page. Payment Type Required Select either Credit Card or E-Check (for ACH transactions). This value defaults to Credit Card. Note: For E-Check transactions, refer to the section on Processing A Manually-Keyed Transaction. Card Account Number Leave Blank Do not enter a credit card number for EMV transactions.

BluePay, A Company Page 22

BluePay Mobile EMV Processing Overview Version 1.1

Expiration Date Leave Blank Do not enter an expiration date for EMV transactions. CVV2 Optional Optionally enter the CVV2 value as printed on the credit card. Bank Account # Not Applicable for EMV Routing # Not Applicable for EMV Account Type Not Applicable for EMV Customer Name Leave Blank You do not need to enter a customer name for EMV transactions. The cardholder name will be used. If a name is entered, it will be overwritten with the cardholder name. Company Name Optional The company name for the current customer. Address (1) Optional The first line of address information for the current customer. Address (2) Optional The second line of address information for the current customer. City Optional The city name for the current customer. State Optional The state for the current customer. Zip Optional The postal code for the current customer. Country Optional The country for the current customer. The value defaults to United States. Phone Optional The phone number for the current customer. Email Required when Customer The email address for the current customer. Receipt option is enabled. Customer ID Optional The customer ID for the current customer. Invoice ID Optional The invoice ID for the current transaction. Order ID Optional The order ID for the current transaction. Master ID Optional The payment token for the current transaction. When using a payment token for an EMV transaction, only the customer information will be copied to this transaction from the existing token on file. Comments Optional Additional information related to the current transaction. Figure 14 – Processing Fields for EMV Transactions

3. If the card reader device is not already connected to the application, navigate to the Connect page and select the CONNECT button to connect the device. When the device is connected, navigate back to the Process page.

4. When all of the transaction and customer information has been entered and/or reviewed, press the PROCESS CHARGE button at the bottom of the screen.

5. Select EMV Contact from the pop-up selector, as shown below:

BluePay, A Company Page 23

BluePay Mobile EMV Processing Overview Version 1.1

Figure 15 – Selecting EMV Contact Transaction Type 6. When you see the “Swipe or Insert” message appear on the screen, insert the EMVenabled card into the EMV slot on the card reader. The left LED indicator will stay on to show that the card reader is ready to accept the card, and then blink while the card is being processed. Leave the card in the slot until the transaction has completely finished processing.

Figure 16 – Swipe or Insert Card Message 7. If the transaction is declined, a Decline message will appear and you will be returned to the Process page, where the transaction details will still remain. If the transaction is approved and the application is integrated to another mobile or mobile web app, then you will be automatically returned or redirected to the calling application. If the

BluePay, A Company Page 24

BluePay Mobile EMV Processing Overview Version 1.1

application is operating in standalone mode, then an Approved message will appear and you will be returned to a new (blank) Process page.

Figure 17 – Approval and Decline Messages for EMV 8. This step only applies when the Signature Line option is enabled on the Settings page. When a transaction is approved, a signature capture page will appear so the customer can add a signature to the transaction, as follows:

Figure 18 – Signature Capture Page for EMV

9. If the Customer Receipt Copy option is enabled on the Settings page, then an email receipt will be sent to the customer, as follows:

BluePay, A Company Page 25

BluePay Mobile EMV Processing Overview Version 1.1

Figure 19 – Customer Receipt Copy for EMV Processing a Swipe Transaction

The step-by-step process for performing a Swipe transaction is as follows: 1. Open the BluePay Mobile Processing application by either calling it from an integrated mobile or mobile web application, or by opening the application manually.

BluePay Mobile EMV Processing Overview Version 1.1

Routing # Not Applicable for Swipe Account Type Not Applicable for Swipe Customer Name Leave Blank You do not need to enter a customer name for swipe transactions. The cardholder name will be used. If a name is entered, it will be overwritten with the cardholder name. Company Name Optional The company name for the current customer. Address (1) Optional The first line of address information for the current customer. Address (2) Optional The second line of address information for the current customer. City Optional The city name for the current customer. State Optional The state for the current customer. Zip Optional The postal code for the current customer. Country Optional The country for the current customer. The value defaults to United States. Phone Optional The phone number for the current customer. Email Required when Customer The email address for the current customer. Receipt option is enabled. Customer ID Optional The customer ID for the current customer. Invoice ID Optional The invoice ID for the current transaction. Order ID Optional The order ID for the current transaction. Master ID Optional The payment token for the current transaction. When using a payment token for a swipe transaction, only the customer information will be copied to this transaction from the existing token on file. Comments Optional Additional information related to the current transaction. Figure 20 – Processing Fields for Swipe Transactions

4. When all of the transaction and customer information has been entered and/or reviewed, press the PROCESS CHARGE button at the bottom of the screen.

5. Select Swipe from the pop-up selector, as shown below:

BluePay, A Company Page 27

BluePay Mobile EMV Processing Overview Version 1.1

Figure 21 – Selecting Swipe Transaction Type 6. When you see the “Swipe card” message appear on the screen, swipe the card through the swipe slot on the card reader. The left LED indicator will stay on to show that the card reader is ready to accept the card, and then all 4 LED’s will blink once with a single beep to indicate that the swipe was accepted properly and the card is being processed.

Figure 22 – Swipe Card Message 7. If the transaction is declined, a Decline message will appear and you will be returned to the Process page, where the transaction details will still remain. If the transaction is approved and the application is integrated to another mobile or mobile web app, then you will be automatically returned or redirected to the calling application. If the

BluePay, A Company Page 28

BluePay Mobile EMV Processing Overview Version 1.1

application is operating in standalone mode, then an Approved message will appear and you will be returned to a new (blank) Process page.

Figure 23 – Approval and Decline Messages for Swipe 8. This step only applies when the Signature Line option is enabled on the Settings page. When a transaction is approved, a signature capture page will appear so the customer can add a signature to the transaction, as follows:

Figure 24 – Signature Capture Page for Swipe

9. If the Customer Receipt Copy option is enabled on the Settings page, then an email receipt will be sent to the customer, as follows:

BluePay, A Company Page 29

BluePay Mobile EMV Processing Overview Version 1.1

Figure 25 – Customer Receipt Copy for Swipe

Processing an EMV Swipe Fallback Transaction

Occasionally you will encounter an EMV chip card where the chip no longer works and cannot be accessed by the card reader device. This also occurs when the card is inserted incorrectly into the card reader. Note that the ID Tech VP3300 is not a bidirectional device, meaning that a card can be entered the wrong way. When you process a chipenabled card as a swipe transaction, it is called an EMV fallback transaction. In these circumstances, the card reader will detect the EMV error and instruct you to process the transaction using the swipe reader instead.

When a transaction is identified as an “EMV Fallback” transaction, the Issuing Bank, and not the merchant, will be responsible for a fraudulent transaction if the merchant was using an EMV chip reader device, such as the ID Tech VP3300.

Even though the Issuing Bank is liable for a fraudulent transaction in the case of an EMV fallback, a merchant should still exercise caution when accepting these transactions. For example, criminals can either remove the chip, damage the chip, or cover the chip with a masking device, such as tape, in order to engage in fraudulent activity. Fraud in general, regardless of the liable party, still causes a general increase in processing fees on an industry-wide basis.

BluePay, A Company Page 30

BluePay Mobile EMV Processing Overview Version 1.1

The steps for processing an EMV swipe fallback transaction are the same as those for processing a normal EMV transaction, as shown previously. However, when processing the EMV transaction, the card reader will determine there was an error reading the chip and instruct you to use the swipe reader instead, as shown below.

Figure 26 – EMV Fallback Message

The customer receipt for an EMV fallback transaction will appears as follows:

BluePay, A Company Page 31

BluePay Mobile EMV Processing Overview Version 1.1

Figure 27 – Customer Receipt Copy for EMV Fallback

Processing a Manually-Keyed Transaction

The step-by-step process for performing a manually-keyed transaction is as follows:

1. Open the BluePay Mobile Processing application by either calling it from an integrated mobile or mobile web application, or by opening the application manually.

2. The customer information will need to be added manually. The table below describes the various data fields on the Process page.

Field Field Status Description Amount Required The amount for the current transaction. Transaction Type Required Select either AUTH or SALE for the type of transaction to be processed. This value defaults to the Default Transaction Type from the Settings page. Payment Type Required Select either Credit Card or E-Check (for ACH transactions). This value defaults to Credit Card. Note: All E-Check transactions must be manually keyed. Card Account Number Required when Payment The credit card number for the current transaction. Type is Credit Card. Expiration Date Required when Payment The credit card expiration date (month and year) for Type is Credit Card. the current transaction.

BluePay, A Company Page 32

BluePay Mobile EMV Processing Overview Version 1.1

CVV2 Optional Optionally enter the CVV2 value as printed on the credit card. Bank Account # Required when Payment The bank account number for the current E-Check Type is E-Check. transaction. Routing # Required when Payment The bank routing number for the current E-Check Type is E-Check. transaction. Account Type Required when Payment Select the account type, Checking or Savings, for Type is E-Check. the current E-Check transaction. Customer Name Required The customer name, first and last, for the current customer. Company Name Optional The company name for the current customer. Address (1) Optional The first line of address information for the current customer. Address (2) Optional The second line of address information for the current customer. City Optional The city name for the current customer. State Optional The state for the current customer. Zip Optional The postal code for the current customer. Country Optional The country for the current customer. The value defaults to United States. Phone Optional The phone number for the current customer. Email Required when Customer The email address for the current customer. Receipt option is enabled. Customer ID Optional The customer ID for the current customer. Invoice ID Optional The invoice ID for the current transaction. Order ID Optional The order ID for the current transaction. Master ID Optional The payment token for the current transaction. When using a payment token for a manually-keyed transaction, both the payment information and the customer information will be copied to this transaction from the existing token on file. Comments Optional Additional information related to the current transaction. Figure 28 – Processing Fields for Manually-Keyed Transactions 3. When all of the transaction and customer information has been entered, press the PROCESS CHARGE button at the bottom of the screen.

4. Select Hand-Keyed from the pop-up selector, as shown below:

BluePay, A Company Page 33

BluePay Mobile EMV Processing Overview Version 1.1

Figure 29 – Selecting Manually-Keyed Transaction Type 5. If the transaction is declined, a Decline message will appear and you will be returned to the Process page, where the transaction details will still remain. If the transaction is approved and the application is integrated to another mobile or mobile web app, then you will be automatically returned or redirected to the calling application. If the application is operating in standalone mode, then an Approved message will appear and you will be returned to a new (blank) Process page.

Figure 30 – Approval and Decline Messages for Manually Keyed Transactions 6. This step only applies when the Signature Line option is enabled on the Settings page. When a transaction is approved, a signature capture page will appear so the customer can add a signature to the transaction, as follows:

BluePay, A Company Page 34

BluePay Mobile EMV Processing Overview Version 1.1

Figure 31 – Signature Capture Page for Manually-Keyed Transaction

7. If the Customer Receipt Copy option is enabled on the Settings page, then an email receipt will be sent to the customer, as follows:

Figure 32 – Customer Receipt Copy for Manually-Keyed Transaction

BluePay, A Company Page 35

BluePay Mobile EMV Processing Overview Version 1.1

MOBILE PAYMENT PROCESSING API REFERENCE

Request Parameters

The following table lists all of the request parameters which may be passed to the BluePay Mobile Processing application using the “bluepay” URI scheme. Note that based on the settings within the Mobile Processing application, certain items listed as optional may be ignored even if passed to the application. These items are identified in the table below with asterisks around the optional designation (**Optional**). Please contact your account manager or the Integration Support Team if you have questions about your integration.

Data Type Max Length Parameter Required Description ACCOUNT SETTINGS GROUP account_id Numeric 12 Optional The 12-digit BluePay assigned gateway account ID number for your BluePay gateway processing account. This value will typically start with “100”. If left blank, the Account ID will be taken from the application settings. NOTE: If either the “account_id” or the “secret_key” values are provided as input parameters, then both values will be taken from the input API parameters and the values stored in the Settings section of the application will be ignored.

secret_key Text 32 Optional The 32-character BluePay assigned Secret Key for you gateway processing account. If left blank, the Secret Key will be taken from the application settings. save_settings Numeric 1 Optional If this parameter contains a “1”, then the Account ID, Secret Key, Transaction Mode, and Default Transaction Type for this transaction will be saved to the Account Settings within the application. my_app Text 4,096 Optional Contains the registered URI scheme (for iOS or Android) for the calling application or the URL (mobile web address) to return parameters to the user. This value is required if returned data is needed from the Mobile Processing application. If omitted, no data will be returned by the application.

PAYMENT DETAILS GROUP trans_mode Text 4 Optional Contains the processing mode for the current transaction. Valid values include: LIVE = Required to run a real transaction. TEST = Allowed for test transactions. If this parameter is omitted or left blank, the Processing Mode will be taken from the application settings.

BluePay, A Company Page 36

BluePay Mobile EMV Processing Overview Version 1.1

trans_type Text 4 Optional The default action to be performed for the current transaction. Valid values include: AUTH = Reserve funds on a customer’s credit card. No funds are transferred. SALE = Make a sale. Funds are transferred.

NOTE: This only represents the default action to be taken. It may still be changed on the Process page in the application. If this parameter is omitted or blank, the Default Transaction Type will be taken from the application settings. payment_type Text 3 Optional The type of payment for the current transaction. Valid values include: CC = Credit Card (Default) ACH = Automated Clearing House/e-Check If omitted, the application will default to a Credit Card transaction.

amount Numeric 12 Optional The amount for the current transaction. If provided, this value cannot be modified in the application. If omitted, the amount will be collected on the Process page in the application. NOTE: The amount value must be provided by either the input parameter or by manually keying it into the application or an error will occur. cc_number Numeric 20 **Optional** The credit card number for the current transaction. exp_month Numeric 2 **Optional** The 2-digit card expiration month. exp_year Numeric 2 **Optional** The 2-digit card expiration year. cvv2 Numeric 4 **Optional** This parameter contains an additional payment verification number, such as the American Express CID number, the MasterCard CVC2 number or the Visa CVV2 number. (This number is usually located on the reverse side of the card, and is usually not embossed or recorded on the magnetic stripe of a credit card.) ach_account Numeric 25 **Optional** Contains the customer bank account number for the current transaction. ach_routing Numeric 9 **Optional** Contains the 9-digit bank routing (“ABA”) number for the customer’s bank account. ach_type Text 8 **Optional** Contains a value representing the type of ACH account being used. Valid values include: C = Checking Account (Default) S = Savings Account

BILLING DETAILS GROUP name Text 64 Optional Contains the first and last name of the customer for the current transaction. This is typically referred to as the Cardholder name. If omitted, the Customer Name will be collected on the Process page in the application.

BluePay, A Company Page 37

BluePay Mobile EMV Processing Overview Version 1.1

company Text 64 Optional Contains the company name of the customer for the current transaction. If omitted, the Company will be collected on the Process page in the application. addr1 Text 64 Optional Contains the address line 1 of the customer for the current transaction. If omitted, the Address will be collected on the Process page in the application. addr2 Text 64 Optional Contains the address line 2 of the customer for the current transaction. If omitted, the Address will be collected on the Process page in the application. city Text 32 Optional Contains the city of the customer for the current transaction. If omitted, the City will be collected on the Process page in the application. state Text 16 Optional Contains the state of the customer for the current transaction. If omitted, the State will be collected on the Process page in the application. postal_code Numeric 9 Optional Contains the postal code of the customer for the current transaction. If omitted, the Postal Code will be collected on the Process page in the application. country Text 64 Optional Contains the country of the customer for the current transaction. If omitted, the Country will be collected on the Process page in the application. phone Text 16 Optional Contains the primary phone number of the customer for the current transaction. If omitted, the Phone will be collected on the Process page in the application. email Text 128 Optional Contains the email address of the customer for the current transaction. If omitted, the Email will be collected on the Process page in the application.

OTHER DETAILS GROUP customer_id Text 16 Optional Contains the Customer ID of the customer for the current transaction. If omitted, the Customer ID will be collected on the Process page in the application. This field corresponds to the CUSTOMER_CODE field in the bp10emu API. invoice_id Text 64 Optional Contains the Invoice ID of the customer for the current transaction. If omitted, the Invoice ID will be collected on the Process page in the application. order_id Test 128 Optional Contains the Order ID of the customer for the current transaction. If omitted, the Order ID will be collected on the Process page in the application.

BluePay, A Company Page 38

BluePay Mobile EMV Processing Overview Version 1.1

master_id Numeric 12 Optional Contains the transaction number of the original BluePay transaction used as a template for the current transaction. Also known as the BluePay-defined token number. If submitted, then the payment details and billing details will be taken from the template transaction unless provided elsewhere in the API or added on the Process page in the application. comments Test 4096 Optional A merchant-defined comment associated with the current transaction. If omitted, a Comment can be added on the Process page in the application.

Response Parameters

The following table lists the parameters that are available after a transaction is processed by the BluePay Payment Gateway. All of these values are generated by the payment gateway itself, and passed through the Mobile Processing application when the transaction has been processed. The response values can be obtained by examining the appropriate URI Scheme as indicated in the “my_app” request parameter.

The BluePay Mobile Processing Application makes use of the BluePay 1.0 Post (bp10emu) API for processing transactions on the BluePay Payment Gateway. Parameters other than those listed below may be returned in the response parameter set. See the BluePay 1.0 Post API documentation for additional details if necessary.

Data Type Max Response Length Version Parameter Description RESPONSE HEADER PARAMETERS result Text 8 n/a Contains the result for the current transaction. Valid values include: APPROVED DECLINED ERROR MISSING This is the response parameter that should be checked to determine the transaction status. NOTE: The Result of a TEST transaction is determined by the dollar portion of the amount of the transaction. If the dollars are odd, APPROVED is returned. If the dollars are even, DECLINED is returned.

BluePay, A Company Page 39

BluePay Mobile EMV Processing Overview Version 1.1

message Text 25 n/a Contains a human readable message that corresponds to the result for the current transaction. On error, describes the error. The actual contents of the field can vary, even between supposedly identical transactions, so do not attempt any machine-parsing of the contents of this response parameter. connected_ip Text 15 n/a Contains the IP address of the computer or device that initiated the transaction. This is the customer’s IP address. account_id Numeric 12 n/a Contains gateway account ID used for the current transaction.

RESPONSE TRANSACTION PARAMETERS transaction_id Numeric 12 n/a Contains the BluePay assigned transaction ID number for the current transaction. This ID can be used as a token for subsequent transactions.

issue_date Date/Time 19 n/a Contains the date and time, in YYYY-MM-DD HH:MM:SS format, that the transaction was processed. auth_code Text 6 n/a Contains a 6-character authorization code returned from the processing network. trans_mode Text 4 n/a Contains the transaction processing mode used for processing the current transaction. Valid values are LIVE or TEST. trans_type Text 4 n/a Contains the transaction type value used for the current transaction. payment_type Text 3 n/a Contains the Payment Type value used for the current transaction. amount Numeric 12 n/a Contains the transaction amount used for the current transaction. cc_number Numeric 20 n/a Contains a masked version of the credit card number used for this transaction. For credit cards, this will be a string of “X”’s followed by

the last four digits of the actual card number. exp_month Numeric 2 n/a Contains the “exp_month” value as submitted in the Request Parameters for the current transaction.

exp_year Numeric 2 n/a Contains the “exp_year” value as submitted in the Request Parameters for the current transaction.

BluePay, A Company Page 40

BluePay Mobile EMV Processing Overview Version 1.1

card_type Test 4 n/a Contains a four character indicator of the credit card type used for the current transaction. Valid values include: AMEX=American Express MC =Mastercard DISC=Discover VISA=Visa JCB =JCB Card DCCB=Diner’s Club/Carte Blanche ENRT=EnRoute BNKC=BankCard SWTC=Switch SOLO=Solo

avs_result Text 1 n/a Contains a 1-character response code from the Address Verification System (AVS). When the value of the “trans_mode” parameter is TEST, and the first character of the “addr1” parameter is a valid AVS response code, then that value will be returned as the response value in this parameter. cvv_result Text 1 n/a Contains the Card Verification Value (CVV2) response code for the current transaction. NOTE: When the value of the “trans_mode” parameter is TEST, and the first character of the “addr2” parameter is a valid CVV2 response code, then that value will be returned as the response value in this parameter.

ach_account Text 25 n/a Contains a masked version of the ach account number used for this transaction. This will be a string of “X”’s followed by the last four digits of the actual account number. ach_routing Numeric 9 n/a Contains the “ach_routing” value as submitted in the Request Parameters for the current transaction.

ach_type Text 8 n/a Contains the “ach_type” value as submitted in the Request Parameters for the current transaction.

bank_name Text 64 n/a Contains the customer’s bank name. card_present Numeric 1 n/a Contains a “1” for EMV or swiped transactions or a “0” for a handkeyed transactions. emv_application Text 16 n/a Contains the EMV Application ID from the EMV card reader device. This value is to be used on EMV transaction receipts. emv_app_name Text 25 n/a Contains the EMV Application Name from the EMV card reader device. This value is to be used on EMV transaction receipts.

BluePay, A Company Page 41

BluePay Mobile EMV Processing Overview Version 1.1

RESPONSE BILLING PARAMETERS name Text 64 n/a Contains the “name” value as submitted in the Request Parameters for the current transaction.

company Text 64 n/a Contains the “company” value as submitted in the Request Parameters for the current transaction.

addr1 Text 64 n/a Contains the “addr1” value as submitted in the Request Parameters for the current transaction.

addr2 Text 64 n/a Contains the “addr2” value as submitted in the Request Parameters for the current transaction.

city Text 32 n/a Contains the “city” value as submitted in the Request Parameters for the current transaction.

state Text 16 n/a Contains the “state” value as submitted in the Request Parameters for the current transaction.

postal_code Numeric 9 n/a Contains the “postal_code” value as submitted in the Request Parameters for the current transaction.

country Text 64 n/a Contains the “country” value as submitted in the Request Parameters for the current transaction.

phone Text 16 n/a Contains the “phone” value as submitted in the Request Parameters for the current transaction.

email Text 128 n/a Contains the “email” value as submitted in the Request Parameters for the current transaction.

RESPONSE OTHER PARAMETERS customer_id Text 16 n/a Contains the “customer_id” value as submitted in the Request Parameters for the current transaction. This field corresponds to the CUSTOMER_CODE field in the bp10emu API. invoice_id Text 64 n/a Contains the “invoice_id” value as submitted in the Request Parameters for the current transaction.

order_id Text 128 n/a Contains the “order_id” value as submitted in the Request Parameters for the current transaction.

BluePay, A Company Page 42

BluePay Mobile EMV Processing Overview Version 1.1

comments Text 4096 n/a Contains the “comments” value as submitted in the Request Parameters for the current transaction.

EMV RECEIPT REQUIREMENTS

EMVCo, the governing body that exists to facilitate worldwide interoperability and acceptance of secure payment transactions, along with the individual card brands, have set forth a series of requirements related to the printing of receipt data for EMV enabled transactions. As these requirements change from time to time, it is always best to refer to the industry guidelines for the latest requirements.

It is recommended that you use the receipt capabilities that are built into the Mobile Processing Application, which will include the ability to print a copy of the captured cardholder signature. If you choose to disable the built in receipt functionality and create and send your own receipts, the following practices should be used when creating receipts for card-present EMV transactions.

DO NOT: • Print the full PAN (Primary Account Number) on the receipt. The account number must be printed in truncated format. (Example: XXXXXXXXXXXX1234) • Print the card expiration date on the receipt.

DO: • Print the EMV AID (Application ID). (Example: A000000025010801) o This value is returned by the API in the “emv_application” parameter. • Print the Application Label. (Example: American Express) o This value is returned by the API in the “emv_app_name” parameter. • Print the Transaction Data Source. (Example: Amex – Chip Entry, Amex – Swiped, etc.) o API users should print the appropriate option for their application. This string is created by concatenating the card brand type and the card-present processing source, either Swiped or Chip Entry. • Print the CVM (Cardholder Verification Method). (Example: None, Signature, PIN Verified) o API users should print the appropriate option for their application. Typically “Signature” or “None”. • Print the Authorization Mode for approved transactions. (Example: Issuer, Chip, etc.) o API users should print “Issuer”. • The Amount must include the corresponding currency designator. (Example: BluePay, A Company Page 43

BluePay Mobile EMV Processing Overview Version 1.1

$USD, $CAD, etc.)

DATA SECURITY

The BluePay Mobile Processing Application provides a secure end-to-end encrypted processing solution using industry standard 3DES DUKPT encryption. Unlike previously available swipe technology, the EMV data stream from the card reader is encrypted using a BluePay specific encryption key. In order to meet EMV processing and PCI security requirements, this encrypted data stream must remain intact until it reaches the BluePay Payment Gateway. This provides for full end-to-end encryption of the data from the chip all the way to the payment gateway.

As a result, elements contained within the data stream (such as card number, card brand, expiration date, and cardholder name) are not available until after the transaction is fully processed. Also, note that in both swipe and EMV transactions, the actual cardholder name from the card will take precedent over any data passed or entered into the cardholder name field in the application.

TROUBLESHOOTING

From time to time, you may encounter issues with either the BluePay Mobile Processing application or the ID Tech VP3300 card reader not working properly. In those cases, please try the following troubleshooting tips before contacting BluePay Merchant Support.

Issue Cause/Solution(s) SECURITY ERROR returned when Bad or missing Account ID or Secret Key. processing transaction. Please enter or correct the values and try the transaction again. VP3300 card reader losing Make sure the VP3300 device is fully charged connection or not responding. and try again.

BluePay, A Company Page 44

BluePay Mobile EMV Processing Overview Version 1.1

Cannot connect VP3300 to Make sure the VP3300 unit is on and fully application. charged. Recycle the power on the VP3300 off and then on again. Make sure that Bluetooth is enabled on the smartphone or tablet. Make sure the VP3300 unit is within range of the smartphone or tablet. Try manually pairing the VP3300 unit with the smartphone or tablet. Try connecting using a USB cable.

Figure 33 – Troubleshooting Techniques

If an unknown problem occurs or you cannot resolve the problem using one of the above troubleshooting techniques, contact the Integration Support Team for further assistance.

Accessing the About Page

When contacting BluePay for support, you may be asked to provide the application version number, the card reader serial number, or the card reader firmware version. This information can be accessed by navigating to the About page from the application menu, as shown below.

Figure 34 – About Screen

APPLICATION & DEVICE UPDATES

Application Updates

BluePay, A Company Page 45

BluePay Mobile EMV Processing Overview Version 1.1

From time to time, BluePay will make planned updates to the BluePay Mobile Processing application. These updates will automatically be available for iOS on the App Store or for Android on the Google Play store. To obtain these updates, either set your operating system to automatically download and install App updates or manually install the update from the App Store or Google Play store.

When installing new updates, all of the application settings will be preserved from the previous version. If new settings are added, then will be set to a default value during the upgrade or when access the Settings page. Do not uninstall the application, as this will destroy any existing settings that you have entered previously.

CAPK Updates

The ID Tech VP3300 card reader comes pre-loaded with a variety of public encryption keys, also known as CAPK (Certificate Authority Public Key) keys. These keys are specific to each of the card brands and are used to encrypt the communication between the card chip and the terminal.

Because these public CAPK keys are created and maintained by the card brands, they will periodically expire and need to be updated on your ID Tech VP3300 card reader. When this occurs, BluePay will receive advanced notification of the change and receive the new CAPK keys. These updated CAPK keys will then be automatically installed onto your VP3300 card reader without the need to take any action on your part. If an error should occur while the update takes place, please contact the BluePay Integration Support Team for assistance. Note that a failed update procedure will typically not cause the VP3300 card reader to stop processing transactions.

Device Firmware Updates

Generally, the device firmware will never need to be updated on the ID Tech VP3300 card reader. In the rare circumstance where it is necessary to install a firmware update, please contact the BluePay Integration Support Team for assistance. It is not recommended that you attempt to upgrade the VP3300 device firmware yourself.

(*** END OF DOCUMENT ***)

BluePay, A Company Page 46