P&L qualification document v1.6

Payment and Loyalty Solutions Qualifications

Copyright © 2016, ThoughtFocus CONFIDENTIAL Page 1 of 40


1. Executive summary ............................................................................................................................... 2

2. Table of Contents .................................................................................................................................. 3

3. Organizational qualifications ................................................................................................................. 4

3.1 Organizational structure ................................................................................................................ 5

3.2 Company background and references .......................................................................................... 7

3.3 Staff qualifications ......................................................................................................................... 9

4. Solutions .............................................................................................................................................. 12

4.1 Frameworks ................................................................................................................................. 12

4.2 Capabilities .................................................................................................................................. 13

5. Project experience .............................................................................................................................. 15

6. Technical experience .......................................................................................................................... 16

7. Infrastructure ....................................................................................................................................... 17

8. Mobile applications .............................................................................................................................. 18

8.1 Mobile application development methodology ............................................................................ 18

8.2 Experience .................................................................................................................................. 19

8.2.1 Native iOS and Android applications................................................................................... 19

8.2.2 Apps that process debit cards, credit cards, EMV and other payment types ..................... 20

8.2.3 Experience providing an ADK ............................................................................................. 22

8.2.4 Enabling devices from mobile application and ADK ........................................................... 22

8.2.5 Mobile payment processing hardware devices ................................................................... 23

9. Project Management and Testing ....................................................................................................... 24

9.1 Level of Effort (LoE), Statement of Work (SoW) and Timeline ................................................... 32

10. Why ThoughtFocus ......................................................................................................................... 35

11. Value added services ...................................................................................................................... 36

12. Success stories ............................................................................................................................... 37


1. Mr. Shiv Enjeti, CTO
JetPay LLC
www.JetPay.com
Email: [email protected]
Office: +1 (972) 503 8900

Engagement description: Since 2012, ThoughtFocus has provided development and support services for JetPay’s mobile POS solution. This solution is based on our FocusPAY framework. The solution includes an Android and iOS-based POS application, private-labeled and custom-built for JetPay and managed by ThoughtFocus.

Our FocusCONNECT gateway acquires the transactions and routes them to JetPay’s processing switch for authorization. The solution is currently undergoing EMV certification using IDTECH UniPay 1.5+ and higher devices, distributed as the default card reader with the mobile application. As an option, merchants will be allowed to purchase a BlueBamboo P200 device or an IDTECH BTPay200 as an EMV card reader for Chip and PIN transactions and printer support. In addition, the solution also supports a BlueBamboo P25Mi device for MSR and print capability. ThoughtFocus manages the app store releases in sync with hardware SDK updates and client-requested enhancements.

2. Mr. Edmund Chan, First Vice President
IT Systems, National Capital Region
7899 Makati Avenue
Makati City 0726, Philippines
Email: [email protected]
www.bdo.com.ph
Direct Line: +63 2688 1410

Engagement description: Since 2008, ThoughtFocus has been providing development and support services for BDO’s acquiring and issuing switch platform. As part of our support engagement, we have executed numerous development projects for BDO’s switch. Currently, we have our second generation switch platform in production. This will shortly be upgraded to a third generation platform.

Example project: The EMV transaction enhancement project focused on the switch’s acquiring and issuing sides. One requirement was to enhance the platform to receive EMV contact and contactless transactions from their terminal and ATM population and then route the transactions to the respective networks for authorization.

Our team performed detailed requirements analysis and development, and assisted the client through the card brand certification process. The project was handled in phases, with Visa as the first card network to be certified for EMV, followed by MasterCard, Amex, Discover, CUP, JCB and finally Diners.


ThoughtFocus has followed the changing trends in mobile development and has adopted different methods based on client-specific business needs, budget considerations, time constraints, etc. Additionally, we have been putting Xamarin-based mobile applications to work in order to obtain the maximum benefit of cross-platform utilization.

The key approaches we have used include:

1. Native application development: This is platform-specific (iOS, Android, MS Windows, etc.) and requires unique platform expertise. However, the full potential of the platform can be leveraged, which drives a great user experience and larger application capabilities, especially around phone hardware such as cameras, USB and GPS. Depending on requirements, this can be pricey and take longer to develop.

Hybrid application development: Developer-augmented web code wrapped with a native SDK can easily be deployed across multiple platforms. Hybrid applications are developed using web technologies: HTML5, CSS, and JavaScript. These are then embedded into a native container using cross-platform tools such as PhoneGap, Kony, IBM Worklight, etc. The native containers run the web application code and package it into an application which can run on multiple platforms such as Android, iOS, MS Windows, etc.


2. Native v. Hybrid: There are benefits and drawbacks to using either technology. Below are the advantages and disadvantages:

- Design of interfaces: Most mobile interfaces can be implemented using either native application or hybrid application development technologies. Hybrid application development uses HTML5 and CSS3. These have far superior capabilities when designing interfaces with many form factors and highly dynamic content.

[Figure: shared-code architecture for cross-platform mobile applications. Shared code: UI layer (HTML, CSS, JavaScript), business logic layer, data access layer, service access layer and domain model, sitting on top of iOS platform-specific code, Android platform-specific code and MS Windows platform-specific code.]


The native application development environment provides tools and design widgets for creating certain standard interfaces with a native user interaction experience which are not currently available using hybrid application development tools. So, it is easier to create a native application user experience using the native application development environment.

- Cost: It is more cost effective to build mobile applications using a hybrid application development technology stack. However, keep in mind that if you need to create a certain native user experience and native feel, it can be more time consuming and costlier to design and develop that native user experience using a hybrid application development technology.

Also, with hybrid application development, you can build the application once and submit it to all of the platforms (iPhone, Android, Windows Phone) using cross-platform tools. So, you would be saving money by not having to build the application in the native programming language of each platform.

- Development timeline: Hybrid applications are easier and faster to develop and deploy.

- User experience and performance: Native applications provide better performance and a more responsive and fluid experience, and the user can navigate and interact with the application without noticing any loading delays. Also, the native application development environment provides design and user interaction widgets that come standard with each platform. So, users will have a better experience because they are familiar with the platform’s standard native experience.

Hybrid applications tend to have some user interaction delays, and users can notice that the application is sometimes not as responsive.

- Security: Native applications may provide a better security environment. So, if the application requires many security features, you should only consider a native approach.

- Support and resources: Since a native application development environment provides a lot of resources and options for mobile application development, there are more support and resources available for building native mobile applications.

- Tools and debugging: Native development provides a better development environment and tooling to test and debug the work, so it is much easier and less time consuming to find and fix bugs using native development tools.

There are no reliable hybrid application development tools that can help with debugging and fixing issues, so sometimes the developer may spend a few hours fixing a problem in a hybrid application environment where the same problem can be identified and fixed within minutes using native application development tools.

- Platform independence: One of the main advantages of hybrid app development is that the developer can build the application once and then use cross-platform tools to submit it to all platforms (iPhone, Android, Windows Phone and BlackBerry).

8.2.1 Native iOS and Android applications

ThoughtFocus’ Mobility Solutions is a very mature engineering practice. Since 2009, when we entered into developing payment applications for BlackBerry devices, the company has been involved in everything from developing mobile applications to enterprise mobility solutions. During these years, we have worked with multiple clients in creating unique solutions as described below:


1. FocusPAY – Mobile POS framework: The framework includes a mobile application supported on Android and iOS platforms. FocusPAY’s intelligent content delivery framework allows the solution to quickly morph into several customized flavors of point of sale (POS) applications, such as a tableside checkout application, a fundraiser application or a healthcare checkout application. The framework allows us to deliver a turnkey, custom-built and private-labeled mobile POS solution to our customers.

2. Network quality monitoring for cellular networks: The client aims to supply enterprise mobile solutions to cellular network companies for monitoring network quality and planned network deployment. ThoughtFocus’ application has cross-device and cross-OS support. The test strategy for this project was also very complex: it required the physical movement of the unit under test across home and visiting networks. ThoughtFocus also developed the central analytical server for reporting.

3. Loyalty kiosks: A loyalty solution provider wanted to develop a white-labeled product platform that can be owned by big retail stores for better customer engagement. ThoughtFocus developed the loyalty platform along with a kiosk system that supported MS Windows 8 and Android. The solution has been deployed in several thousand stores. ThoughtFocus continues maintenance, support, and implementation activities. The system allows kiosk-to-kiosk differentiation in terms of offers, geo-based offers, etc.

4. Android application for a wearable start-up: A San Francisco Bay Area start-up is developing a wearable device that monitors biometric information. The client wanted to create a collaboration platform that will multiply the possible uses of the device. ThoughtFocus developed an XMPP-based messaging layer and an Android application allowing biometric and robot control activities. The collaboration feature enables people to share biometric information and control movement.

5. EMV semi-integrated solution: One of our processor clients currently provides a certified payment processing middleware to POS vendors to be deployed as a semi-integrated EMV solution for the MS Windows platform. ThoughtFocus’ team is rearchitecting and refactoring the solution into a truly cross-platform middleware that can be deployed either as a standalone service or consumed as a library (SDK) by a POS application on MS Windows, Linux, Mac, Android, and iOS platforms. The solution intends to abstract the POS application away from handling sensitive cardholder data as well as from the transaction processing interfaces, thus minimizing the PCI scope of the POS application.

8.2.2 Apps that process debit cards, credit cards, EMV and other payment types

Our Payments and Loyalty Solutions Group’s experience with developing point-of-sale applications includes terminal device applications, mobile device applications, and eCommerce applications that can process card-present and card-not-present payment and loyalty transactions.

The terminal device payment applications we have developed follow the industry standard feature set, supporting acceptance of credit cards to process the typical Auth, Sale, Void, Refund, and Capture transactions. Such applications also support acceptance of debit cards with PIN and debit cards with signature that are processed on the credit rails.

We have implemented Inquiry transactions in cases where prepaid cards are supported and balance inquiry is an additional feature supported by the payment application. POS devices include VeriFone Vx and eVo series, PAX, Equinox 4xxx, and Ingenico terminals. Traditional terminal applications posted transactions using ISO 8583 formats; the newer generation of terminal devices is capable of posting XML transactions over SSL.

We have been providing mobile payment application development services to our clients for several years. We own a mobile POS framework called FocusPAY, which could be leveraged, where applicable, to expedite suitable projects. Our mobile payment application experience includes iOS and Android platforms. As is prevalent in the United States, the mobile POS applications are designed to process a credit card transaction set which includes acceptance of debit cards on credit rails. PIN debit transactions are not currently a part of the typical set of mobile POS transactions.

Our experience with EMV payment applications, on terminal platforms and on mobile platforms, includes acceptance of chip cards using Dip, Tap or Swipe methods based on appropriate fallback options. Typically, the terminal platforms allow for Chip and PIN as well as Chip and Signature transactions, as they are EMV L2 certified as well as PTS certified. On mobile platforms, card readers connected via the audio jack typically support Chip and Signature as well as MSR transactions. Where available, the newer and larger card readers, most commonly connected via Bluetooth, do support Chip and PIN, Chip and Signature, and MSR methods on contact and contactless cards.

Our projects in the eCommerce segment include direct integration via API into processing or gateway platforms and developing hosted payment pages that are consumed by eCommerce applications. The PCI scope assumed by the eCommerce platform dictates the implementation method.

Tokenization has been a part of almost all POS application platforms, and our experience spans from First Data’s TransArmor to custom tokenization platforms. Implementation of recurring payments and bill pay, along with a reduced PCI scope, have made tokenization a standard implementation, either leveraging a processor’s tokenization platform or as a custom tokenizer in the case of multiple processor dependencies.

Apart from the standard transaction set for credit card acceptance, we have implemented ACH and other custom transactions based on the processing platform that is being posted to. Loyalty applications on mobile and terminal devices have leveraged XML-based interfaces to read and process magnetic stripe loyalty cards.

Our experience spans payment applications on varying platforms (terminals, mobile, and eCommerce) as well as processing various transaction types. We have briefly described below a couple of specific projects that were undertaken in these areas.

Mobile POS application: We have developed and deployed a turnkey, white-labeled mobile POS application for a major processor in the United States. The POS application is a custom derivative of our FocusPAY framework, and the production application resides in the Apple and Android app stores under our client’s own app store accounts.

The POS application supports card-present and card-not-present transactions for credit and debit cards. PIN debit is not supported, as stated earlier. The application uses the IDTech Shuttle as the card reader for MSR transactions. The solution is implemented as a P2PE application wherein the card readers are injected with encryption keys that are dedicated to our client. The readers use 3DES encryption with DUKPT key management. Transactions originating from the mobile applications are first acquired by our gateway and then routed to our client’s processing switch, as this was the agreed-upon architecture.

The application will also support the IDTech EMV card readers UniPay 1.5+ and BTPay200 to cover Chip and Signature and Chip and PIN. In addition to card readers connected through the audio jack, the application also supports the BlueBamboo P25Mi Printer+MSR combo for merchants needing a paper receipt.

The application includes GPS location capture, electronic signature capture, transaction history lookup, Void and Refund from the transaction history, as well as receipt reprints and emails.

VeriFone Vx820 EMV custom application: The project required us to develop a custom payment application that accepts EMV Chip and PIN, Chip and Signature, and MSR transactions with appropriate fallback options. The application was developed utilizing VeriFone’s eVo SDK and was integrated with our client’s processing switch using an XML interface over SSL/TLS. The application supported IP communication for transaction posting.

The implementation included the standard transaction set and was certified with the card brands for deployment.

8.2.3 Experience providing an ADK

Our capabilities include:

- Developing payment solutions as standalone applications that can run on mobile platforms such as Android and iOS as well as on desktop platforms.

- Developing the same applications as a library package that can be consumed by application developers to interface with the hardware devices and accept the card data.

One of the projects involving the development of a payment application, deployed as a standalone service as well as a library that can then be integrated into native applications built by a third-party vendor, is the implementation of a semi-integrated payment solution supporting EMV transactions. The core of the project is to develop a payment application module in Java that accesses an Ingenico PIN pad (iPP3xx) either via USB or via an IP connection over SSL, and that independently communicates with the authorization host to post transactions and receive authorizations.

This module will be certified for EMV against the card brands along with the host. The module can then be distributed to POS application developers, who can integrate with it either via SSL (if used as a service) or as a library (if provided as an SDK). As the payment module deployed as a service runs in the background and does not expose the POS application to the card data, the PCI scope of the POS application is minimized. On a mobile platform, the native POS application can integrate the payment processing library, which likewise prevents the exposure of sensitive card data to the native application; the goal is to minimize the PCI scope of the POS application.

8.2.4 Enabling devices from mobile application and ADK

We have described below our integration with IDTECH’s Shuttle device for creating a turnkey custom mobile application.

As stated earlier, Shuttle devices are injected with a dedicated encryption key for our solution to prevent cross-usage of our devices with other payment applications that use a Shuttle device. Also, having a key-injected device encrypt the card data at the time of swipe, using 3DES encryption and DUKPT key management, allows us to implement a P2PE solution for the client.

The payment application is written as a native application for the Android and Apple iOS platforms. We have supported all Android operating system versions starting from KitKat, and on the iOS side, starting with iOS 6.x.x. The native application integrates the reader using IDTECH-provided SDK libraries for accessing the device data. The device is identified as a supported device using the KSN value received from the device at the time of card read. Once the device is recognized, the payment application captures the card track data read by the device in encrypted form, as well as non-sensitive data in the clear, from the device’s data stream. The non-sensitive data is used to display the last four digits of the swiped credit card and the cardholder’s name. The encrypted card data is then passed through to the processing platform for decryption and authorization.

Some of the application’s salient features:

- No transaction data is stored on the device itself. The transaction history is retrieved from our gateway host on demand.

- Each user logs into the application using a specific login ID and password. This unique ID is tied into the merchant boarding for routing the transaction.

- The application transmits the encrypted transaction data over SSL/TLS, thus encapsulating it in a second layer of data protection.
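The reader integration described above (readers injected with a dedicated key, a supported reader recognized from its KSN, display fields in the clear beside encrypted track data that is passed through untouched) implies a set of checks a gateway should run before forwarding a read. The following Python is an added example, not ThoughtFocus's gateway code or IDTECH's SDK output: the record layout, the split of the KSN into key set id, reader id and counter, and all sample values are assumptions constructed for illustration.

```python
"""Gateway-side acceptance checks for a DUKPT/P2PE mobile card read."""
from dataclasses import dataclass
import re

# Assumed KSN layout (the common X9.24 convention for 3DES DUKPT; the page
# does not spell it out): 10 bytes = 80 bits, of which the low 21 bits are the
# reader's transaction counter, the first 5 bytes identify the key set (the
# BDK family the reader was injected with) and the 19 bits between identify
# the individual reader.
KSN_LEN = 10
COUNTER_BITS = 21
COUNTER_MASK = (1 << COUNTER_BITS) - 1
DEVICE_ID_BITS = 8 * KSN_LEN - 40 - COUNTER_BITS
MAX_COUNTER_ONE_BITS = 10  # X9.24 skips counters with more than ten set bits


@dataclass(frozen=True)
class ParsedKsn:
    key_set_id: bytes
    device_id: int
    counter: int


def parse_ksn(ksn_hex: str) -> ParsedKsn:
    """Split a hex KSN into key set id, reader id and transaction counter."""
    raw = bytes.fromhex(ksn_hex)
    if len(raw) != KSN_LEN:
        raise ValueError("KSN must be exactly 10 bytes")
    value = int.from_bytes(raw, "big")
    counter = value & COUNTER_MASK
    device_id = (value >> COUNTER_BITS) & ((1 << DEVICE_ID_BITS) - 1)
    return ParsedKsn(raw[:5], device_id, counter)


def clear_fields_leak_pan(*fields: str) -> bool:
    """True if a clear-text field carries a 13-19 digit run that passes Luhn,
    i.e. the reader sent a full PAN where only a masked one is expected."""
    for field in fields:
        for run in re.findall(r"\d{13,19}", field):
            digits = [int(c) for c in run][::-1]
            total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                        for i, d in enumerate(digits))
            if total % 10 == 0:
                return True
    return False


class P2peGateway:
    """Accepts encrypted reads only from readers injected with the client's
    dedicated key, rejects replayed counters, and never touches the ciphertext."""

    def __init__(self, dedicated_key_set_id: bytes):
        self.key_set_id = dedicated_key_set_id
        self.last_counter = {}  # device_id -> highest counter accepted

    def accept(self, record: dict) -> dict:
        ksn = parse_ksn(record["ksn"])
        if ksn.key_set_id != self.key_set_id:
            raise PermissionError("reader not injected with this client's key")
        if ksn.counter == 0 or bin(ksn.counter).count("1") > MAX_COUNTER_ONE_BITS:
            raise ValueError("invalid DUKPT transaction counter")
        if ksn.counter <= self.last_counter.get(ksn.device_id, 0):
            raise ValueError("replayed or out-of-order transaction counter")
        if clear_fields_leak_pan(record["masked_pan"], record["cardholder"]):
            raise ValueError("full PAN present in clear-text fields")
        self.last_counter[ksn.device_id] = ksn.counter
        # Display uses only the last four digits and the name; the encrypted
        # track data is forwarded to the processor unchanged for decryption.
        return {
            "ksn": record["ksn"],
            "display_last4": record["masked_pan"][-4:],
            "display_name": record["cardholder"],
            "encrypted_track": record["enc_track_hex"],
        }


def screen(gateway: P2peGateway, record: dict) -> str:
    """Return 'accepted' or the rejection reason (for logging and tests)."""
    try:
        gateway.accept(record)
        return "accepted"
    except (PermissionError, ValueError) as exc:
        return str(exc)


# Constructed sample read; the record keys and every value are made up.
CLIENT_KEY_SET_ID = bytes.fromhex("FFFF987654")
GOOD_READ = {
    "ksn": "FFFF9876543210E00001",
    "masked_pan": "************1234",
    "cardholder": "DOE/JANE",
    "enc_track_hex": "A1B2C3D4E5F60718293A4B5C6D7E8F90",
}
```

A second read from the same reader must carry a higher counter; presenting the same KSN twice, a KSN from another key set, or a clear-text field holding a full PAN is rejected before anything is forwarded.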

8.2.5 Mobile payment processing hardware devices

Our experience with hardware devices that are typically used in conjunction with a mobile payment application spans the devices offered by popular hardware vendors in the United States.

IDTECH is one of the vendors we have worked with closely on several of their devices. Our implementation experience with IDTECH started with their original UniMag readers. We work with their Shuttle MSR readers, UniPay 1.5+ for the EMV Chip and Signature implementations, as well as BTPay200 for the full EMV set of transactions. We also have worked with IDTECH to create dedicated BDK encryption keys for our client implementations, developing P2PE solutions with branded readers distributed by our clients to their merchants.

AnywhereCommerce is another vendor of hardware devices for mobile solutions with which we have integration capabilities. Their Rambler audio jack device was one of the first ones we worked on. We have grown familiar with their Walker and Nomad series of devices for EMV implementations.

In addition to the above card readers, we also have worked on several thermal printers that are available with a magnetic swipe card reader. In the past, we have supported Blue Bamboo’s P25 and P10 series of devices in our MSR applications. The P200 is an EMV reader supported on the newer generation of EMV mobile applications.

We also have working relationships with Bixolon, whose R200 and R300 printer card readers have been used in our implementations. Evolute and Woosim are other hardware vendors that provide printer card reader combo devices, and we have investigated their feasibility.


[Figure: sprint re-planning when a higher-priority story arrives. Timeline: Week 1, Week 2.]

Sprint 1 (before)
Story          Story Points
User Story A   10
User Story B   20
User Story C   20
User Story D   5

Product Backlog (before)
Story          Story Points
User Story E   10
User Story F   10
User Story G   30

User Story X of size 10 arrives with greater priority.

Sprint 1 (after)
Story          Story Points
User Story X   10
User Story B   20
User Story C   20
User Story D   5

Product Backlog (after)
Story          Story Points
User Story A   10
User Story E   10
User Story F   10
User Story G   30

NOTE: User Story A is chosen to move to the backlog since User Story A is the only story that has the same size as X. If there is more than one story that has the same size, then the priority is looked at before moving a story to the backlog.
