MPoC attestation processing changes
PhonePOS checks with a set of Attestation checks if the device at hand is integer and trustworthy. PCI-MPoC requires that all attestation checks happen right before each transaction (e.g. payment). Only minimal delays from attestation evaluation to transaction start are acceptable to prevent potential attackers from executing exploits. For security reasons, it is not allowed to start transactions and attestation checks in parallel. The attestation has to be fully executed and evaluated right before the transaction and again before pin entry. This is required by MPoC 1.0.1 for every software certified under MPoC (MPoC_1.0.1v-2A-1.5, MPoC_1.0.1v-1E-1.6). Rubean PhonePOS ensures this security requirements are met.
Attestation preflight
As we want to provide the end users the best experience of a POS terminal with PhonePOS, we included an attestation preflight in our solution. This preflight will start the process of collecting and verifying the attestation in the background right before the transaction. If the call of attestationPreflight and start of transaction are not too far apart, the transaction can be started without an additional attestation run. If no attestationPreflight call is executed, PhonePOS will synchronously execute the attestation process prior to the transaction.
Always executing the attestationPreflight call with the getStatus command does not yield benefits. Please ONLY execute the attestationPreflight right before the start of a transaction and not as a scheduled background operation.
Please note that there is only a limited quota of attestation requests that can be executed. In the case of misuse we might need to limit the amount of possible attestation and thus transactions for your terminals. A preflight of the attestation right before a transaction is always allowed and always wanted.
Timing guidance
As PhonePOS can not predict accurately when a transaction will be happening in the future, it is important for the integrating applications to place the attestationPreflight call right before a transaction (e.g payment). An attestationPreflight call is valid for around 50 seconds. In the following chapters we want to guide you on where to call the function at the right time.
Calling the attestationPreflight call multiple times right before a transaction is permitted. PhonePOS keeps track of when the last transaction was made and will only execute attestations when the previous executed is stale. Still, please only execute the call when you are sure a transaction is about to happen.
As PhonePOS in this case can be called either via the High-Level PhonePOS API -> Transaction API or the TerminalHelper APIs we only give you the place recommendations for the transactionPreflight command. For specific code examples on how to instantiate the APIs and call the command please adhere to the API documentation above.
Electronic cash registers (ECRs)
An ECR presents a number block to the merchant for tipping in the required transaction amount. Our recommendation is to execute the transactionPreflight call on every button press that changes the displayed amount. This allows PhonePOS a few seconds for processing which in most cases enables us to start the transaction right away.
Delivery, Order processing or Hospitality apps
Delivery, Order processing or Hospitality apps often present an activity that makes it possible to add a tip to the
transaction. We recommend to execute the transactionPreflight in the onResume function of the tipping activity:
public class TipActivity extends Activity {
@Override
protected void onResume() {
super.onResume();
// Call transactionPreflight
}
}
For Jetpack Compose please import the
androidx.lifecycle:lifecycle-runtime-compose
dependency and implement the following code:
@Composable
fun TipScreenComposable() {
val lifecycleOwner = LocalLifecycleOwner.current
val lifecycleState by lifecycleOwner.lifecycle.currentStateFlow.collectAsStateWithLifecycle()
when (lifecycleState) {
Lifecycle.State.RESUMED -> {
// Call transactionPreflight
}
else -> {}
}
}