
Pass to the ground - how Apple Pay and Samsung Pay were launched in Yandex.Money



Riding the wave of universal enthusiasm for contactless payments, I want to share the engineering experience of Yandex.Money in launching Apple Pay and Samsung Pay. Our team had to coordinate with MasterCard and with the smartphone makers. Making friends with these companies without going crazy is a non-trivial task in itself. On top of that, we were in the first wave of those invited to the "party", and many decisions had to be run in on the go.


Below the cut: details of how contactless payments were connected in Yandex.Money, how they were tested, and the peculiarities of the security systems with this new type of payment.


This post covers the payment systems Apple Pay and Samsung Pay, which are built on similar principles and differ in details. For simplicity, I will call them *Pay wherever the details are not fundamental.


Why all this


You have been able to pay for goods from your phone for a long time: just install your bank's mobile application, which needs to have a contactless payment option (the Yandex.Money application works too, by the way). The card data is stored securely on the user's device and is accessed using HCE (Host Card Emulation), a software analogue of the bank card's chip.


There are also separate apps like Wallet, which offer wireless payment with partner banks' cards and, as a bonus, storage of loyalty cards.


Still, contactless payment came with some additional "buts":


  1. Owners of the iPhone could not pay contactlessly at all, because the NFC interface in Apple smartphones cannot be used directly for payment by third-party applications. In addition, NFC only appeared in the iPhone 6 and SE.


  2. Many modern smartphones have a separate Secure Element (SE) chip, which plays the role of the EMV chip of a bank card and is not tied to a specific bank or card. Such a unified solution is more convenient for the user and easier to sell to a bank that previously offered no smartphone payment at all.

Apple Pay and Samsung Pay exist first of all to make NFC payment from a smartphone standardized and secure.

A short excursion into the emergence of the Secure Element and card security

Initially, payment cards were issued only with a magnetic stripe on which the card number was recorded. Naturally, the number was easy to copy, so the EMVCo organization took up the problem and developed the more secure EMV chip. This measure significantly reduced the number of fraudulent transactions but did not eliminate the problem completely. Besides, the payment process itself was far from perfect, so work on further improvements continued.


Then contactless payment on plastic appeared (MasterCard PayPass, Visa payWave), and after that the payment functions of the card began to move, in part, onto mobile devices.


The path was thorny; among other things, payment systems tried the following options:


  • a SIM card with a built-in Secure Element chip, produced jointly by the mobile operator and the issuing bank;


  • a sticker on the phone with a built-in wireless module and Secure Element;


  • using the phone's built-in NFC adapter together with software emulation of the Secure Element (HCE).

In the end, MasterCard "reshuffled the deck" and assigned the functions of storing card data and making payments to the mobile device manufacturers. That is how the MasterCard Digital Enablement Service (MDES) appeared, and after it *Pay.


But HCE has not disappeared completely, as it lets banks use their own mobile applications for contactless payment. That is, a bank can add payment from its card to its own application, and on top of that implement any branded conveniences in the app, such as paying utility bills.


By the way, the contactless payment option via HCE has also remained in the Yandex.Money mobile app, for everyone who for one reason or another cannot use *Pay.


Making friends with everyone


I hope the chain of cause and effect has now been restored, so let's return to the Yandex.Money contactless payment project.


If something still remains unclear, be sure to ask in the comments.


I will illustrate all further scenarios using Yandex.Money cards as the example, since that is where the most information has accumulated.


For a user to pay for goods from a phone with ease, close cooperation between four parties is needed:


  1. the contactless payment service from the smartphone maker (Apple Pay or Samsung Pay);


  2. the payment system (MasterCard);


  3. the card issuer (Yandex.Money);


  4. the seller's acquiring bank.

So the Yandex.Money team had to reach agreements with Apple, Samsung and MasterCard and implement support for the updated payment protocols on its side. It was also necessary to add acceptance of payments through Apple Pay and Samsung Pay to Yandex.Money's payment solution for business, but that is another story.




The acquiring bank is missing from the illustration; it was removed for simplicity.


When a user adds a card to a wallet, Apple Wallet generates a cryptogram containing the encrypted card data and a digital signature and sends it to MasterCard. There the cryptogram is decrypted and tokenization takes place. Tokenization is the creation of a DPAN, a stand-in for the original card number that is unique to each physical device.


A memo on the DPAN and its features

The Digital Primary Account Number (DPAN) is a special token number that the payment system issues to a specific device for use with one of the user's cards. This number is unique for each device, so a new one is generated every time the same card is added to the wallet of another device.


The token is needed so that the real card details are never stored on the mobile device.
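The flow just described (the wallet sends encrypted card data to the network, which decrypts it and issues a device-bound DPAN in place of the PAN) as an added worked example in Python. This is not Yandex.Money or MasterCard code: the token BIN, the record structure and the authorization routing are constructed assumptions, and the real MDES cryptogram format is under NDA and not modelled here. What it shows is the property the memo describes: two devices holding the same card receive different, Luhn-valid DPANs that reveal nothing about the PAN, only the network's vault can map a DPAN back to the card at authorization time, and a lost device's token can be suspended without touching the card or the other device.

```python
import secrets
from dataclasses import dataclass, field

# Assumed token BIN for this example; not a real MasterCard token range.
TOKEN_BIN = "530000"


def luhn_check_digit(partial: str) -> str:
    """Return the check digit that makes `partial + digit` pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # digits that get doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    dpan: str
    pan: str          # the real card number; lives only in the network's vault
    device_id: str    # the physical device this token is bound to
    status: str = "ACTIVE"


@dataclass
class TokenVault:
    """Network-side token service (the role MDES plays in the text)."""
    records: dict = field(default_factory=dict)   # dpan -> TokenRecord

    def tokenize(self, pan: str, device_id: str) -> str:
        # Re-adding the same card on the same device reuses its active token.
        for rec in self.records.values():
            if rec.pan == pan and rec.device_id == device_id and rec.status == "ACTIVE":
                return rec.dpan
        # Otherwise mint a fresh random token: the DPAN comes from a separate BIN
        # range and is not derived from the PAN in any way.
        while True:
            body = TOKEN_BIN + str(secrets.randbelow(10**9)).zfill(9)
            dpan = body + luhn_check_digit(body)
            if dpan not in self.records:
                break
        self.records[dpan] = TokenRecord(dpan=dpan, pan=pan, device_id=device_id)
        return dpan

    def detokenize(self, dpan: str):
        """Map a DPAN seen at a terminal back to (pan, device_id); None if unusable."""
        rec = self.records.get(dpan)
        if rec is None or rec.status != "ACTIVE":
            return None
        return rec.pan, rec.device_id

    def suspend_device(self, device_id: str) -> int:
        """Lost phone: suspend every token on that device, leave the card itself alone."""
        hit = 0
        for rec in self.records.values():
            if rec.device_id == device_id and rec.status == "ACTIVE":
                rec.status = "SUSPENDED"
                hit += 1
        return hit


def provision_card(vault: TokenVault, pan: str, device_id: str) -> str:
    """What the device ends up storing after enrolment: only the DPAN."""
    return vault.tokenize(pan, device_id)


def authorize(vault: TokenVault, dpan: str, amount: float) -> dict:
    """Network step of an authorization: the terminal only ever saw the DPAN."""
    mapping = vault.detokenize(dpan)
    if mapping is None:
        return {"approved": False, "reason": "unknown or suspended token"}
    pan, device_id = mapping
    # The issuer receives the real PAN plus token metadata and applies its own
    # checks (modelled here as a single assumed amount limit).
    return {"approved": amount <= 100_000, "pan": pan, "device_id": device_id}


if __name__ == "__main__":
    vault = TokenVault()
    card = "5404000000000001"            # constructed test PAN, Luhn-valid
    phone = provision_card(vault, card, "iphone-7-A")
    watch = provision_card(vault, card, "watch-s2-B")
    print(phone, watch, luhn_valid(phone), luhn_valid(watch))
    print(authorize(vault, phone, 950.0))
    vault.suspend_device("iphone-7-A")
    print(authorize(vault, phone, 950.0), authorize(vault, watch, 950.0))
```

Run it twice and the DPANs differ each time, which is the point: a token leaked from one device is worthless on another and says nothing about the card behind it.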


But a DPAN will not be generated until MasterCard confirms *Pay support on the issuer's side, that is, at Yandex.Money. For this you need to:


  1. Wait for Apple or Samsung to check whether the device can be used for payment (is the phone reported stolen, does it have root, and so on).


  2. Connect to the MasterCard Digital Enablement Service (MDES). The details of such integrations fall almost entirely under NDA, so anyone interested will have to request the documentation directly from MasterCard.


  3. Implement support for the specific *Pay requests.


  4. Test the system together with Apple, Samsung and MasterCard. Testing is partly conducted on-site, so it is not as simple as it may seem.

But the user may want to add a card not manually but from the Yandex.Money application. That possibility exists, but it uses a slightly different mechanism.


Red, yellow, green


When a user adds a card to the phone's wallet, one of three scenarios is triggered, depending on the assessed risk:



If you do not have a Yandex.Money plastic card yet, you can issue a virtual one directly in the application to try it out.


But we do not live in a perfect spherical world, so the yellow path will often be taken. To make it run smoothly too, and to avoid problems at the stage of reading the card details with the camera, we sent Apple more than 200 photos of test cards. Without this training, the recognition algorithm was periodically mistaken and tried to add a card with incorrect details to the wallet.


Pre-flight preparation


When the necessary backend software was ready and the beta version of Yandex.Money had been taught the Apple Pay tricks (for Samsung Pay, tokenization through our mobile application is not yet available), the tedious testing time came.


By the way, to join the "banquet" it is not enough to implement everything and tell MasterCard you are ready: the payment system and the phone manufacturers will check you in person. For Apple Pay, for example, a colleague from UL came to us with a set of all kinds of Apple gadgets. Of iPhones alone he had 6: 3 generations in 2 versions (regular and Plus). With their help the auditor checked many payment scenarios, including refunds.


The updated Yandex.Money processing ran in an isolated test segment, so a whitelist of cards was used for the checks: for those cards MasterCard simply switched on *Pay payments. But there were some difficulties with Apple's test environment.


For example, there was no separate payment infrastructure for the run-in, so Yandex.Money testers had to switch their smartphones and Apple IDs to the "USA" region and figure out the answers to some of the questions on their own.


But the devil is in the details, and the mistakes are on the last mile. It turned out that by no means all banks keep the firmware of their terminals up to date, and most modern technology is alien to cashiers.




Your card, please...

There are quite a lot of payment terminal models and firmware versions, and the most ancient of them went crazy over *Pay. I had to understand and forgive, while at the same time telling the support of the respective banks about "minor difficulties with the POS terminal".


When everything seemed to be working, for some transactions the amounts started arriving in the mobile wallet as a dash. This clearly pointed to problems outside the Yandex.Money systems. Of course, such reports did not affect the payment itself, but the cognitive dissonance was there.


A loophole for scammers (or not)


Tokenization of cards at Yandex.Money, as at other banks, is accompanied by checking such requests for fraudulent patterns. For this Yandex.Money has a separate mechanism with its own complex logic and the power to block extremely suspicious operations: the anti-fraud system.


Since the system works on the basis of certain rules, a potential security issue was found during tokenization of someone else's card on a device. For this you need the card number, expiry date and CVC2. Yes, the issuer will most likely request additional verification, but even with an SMS one-time password, phishing and social engineering work. For a payment of up to 1000 rubles the terminal will not even ask for the PIN, and not all cardholders have SMS notifications enabled.


Such threats can be handled at the processing level. Every user action with an account or card is evaluated online by the fraud engine: if at least one blocking rule is triggered, the transaction is rejected.


For every Yandex.Money user an individual behavioural profile is built: what he likes and dislikes, how and when he usually pays, typical periods of activity and many other signals. On the basis of this information, and with the help of machine learning, a prediction of future values is built, that is, of the person's most likely actions. If the anti-fraud system notices that the actual indicators deviate from its prediction, it can request additional authentication or reject the transaction.
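The two layers described in this section, together with the three outcomes of the "Red, yellow, green" section above, as an added worked example in Python. This is not Yandex.Money's anti-fraud code: the feature names, the thresholds, the reading of the outcomes as green = approve now, yellow = additional verification, red = decline, the sample payment history and the use of the 1000 ruble no-PIN limit as a velocity trigger are all assumptions made for illustration, and the real rule set is confidential and far larger. It shows a provisioning decision for a tokenization request, then an online payment check in which blocking rules run first (one hit rejects) and a simple behavioural baseline stands in for the ML prediction; the velocity rule targets exactly the scenario above, someone else's card tokenized with phished details and then drained in small PIN-less payments.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed meaning of the three outcomes: approve now / verify first / decline.
GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"

NO_PIN_LIMIT = 1000.0     # contactless payments up to this amount skip the PIN (from the text)
FRESH_TOKEN_HOURS = 24.0  # assumed: a token younger than this is treated as untrusted
UNVERIFIED_BURST = 5      # assumed: this many PIN-less payments per hour on a fresh token blocks


@dataclass
class ProvisionRequest:
    device_attested: bool     # wallet provider vouches: not rooted, not reported stolen
    device_known: bool        # this device has been seen with the account before
    tokens_for_card_24h: int  # devices this card was added to in the last 24 h
    card_age_days: int
    ip_country: str
    home_country: str


def provisioning_decision(req: ProvisionRequest) -> str:
    """Issuer answer to a tokenization request: red, yellow or green path."""
    # Blocking rules: a single hit is enough to decline.
    if not req.device_attested or req.tokens_for_card_24h >= 3:
        return RED
    # Step-up rules: plausible but unusual, so ask for additional verification.
    if not req.device_known or req.card_age_days < 7 or req.ip_country != req.home_country:
        return YELLOW
    return GREEN


@dataclass
class Profile:
    """Behavioural baseline from the user's past approved payments (constructed)."""
    amounts: list
    active_hours: set
    merchant_categories: set


@dataclass
class Payment:
    amount: float
    hour: int                  # local hour of day
    mcc: str                   # merchant category code
    cardholder_verified: bool  # PIN or biometrics presented; False for small contactless
    token_age_hours: float
    unverified_last_hour: int  # PIN-less payments already made with this token in the past hour


def payment_decision(profile: Profile, p: Payment) -> str:
    """Online check of one payment: blocking rules first, then profile deviation."""
    # 1. Blocking rule: a fresh token used for a burst of sub-limit, PIN-less
    #    payments is the "phished card on a stranger's phone" pattern.
    if (p.token_age_hours < FRESH_TOKEN_HOURS and not p.cardholder_verified
            and p.amount <= NO_PIN_LIMIT and p.unverified_last_hour >= UNVERIFIED_BURST):
        return RED
    # 2. Deviation from the behavioural profile (a stand-in for the ML prediction).
    mu, sigma = mean(profile.amounts), pstdev(profile.amounts) or 1.0
    score = 0
    if p.amount > mu + 3 * sigma:
        score += 2
    if p.hour not in profile.active_hours:
        score += 1
    if p.mcc not in profile.merchant_categories:
        score += 1
    if p.token_age_hours < FRESH_TOKEN_HOURS and not p.cardholder_verified:
        score += 1
    if score >= 3:
        return RED
    if score >= 2:
        return YELLOW
    return GREEN


# Constructed history: six everyday daytime purchases, groceries and transport.
SAMPLE_PROFILE = Profile(
    amounts=[300.0, 450.0, 520.0, 380.0, 610.0, 290.0],
    active_hours=set(range(9, 21)),
    merchant_categories={"5411", "4111"},
)

if __name__ == "__main__":
    ok = Payment(amount=400.0, hour=13, mcc="5411", cardholder_verified=True,
                 token_age_hours=500.0, unverified_last_hour=0)
    burst = Payment(amount=900.0, hour=3, mcc="7995", cardholder_verified=False,
                    token_age_hours=2.0, unverified_last_hour=6)
    print(payment_decision(SAMPLE_PROFILE, ok), payment_decision(SAMPLE_PROFILE, burst))
    print(provisioning_decision(ProvisionRequest(True, True, 0, 400, "RU", "RU")))
```

The ordering matters: the blocking rule is evaluated before the score, so a sixth PIN-less payment on a two-hour-old token is rejected no matter how ordinary its amount looks, while a single off-hours payment on the same token only triggers step-up authentication.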


There is a lot of interesting material about machine learning in security systems in connection with its long-running deployment at Yandex.Money, but that is a topic for a separate article.


If you have run into other nuances of connecting to *Pay in your work, share them in the comments; many will be curious.



Source: https://habr.com/ru/post/321254/

