Bye-Bye Cards app demonstrates how CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token is used in UniTiAgUniversal Ticketing Agent is a model of open-loop public transit ticketing using card-not-present transactions for fare acquiring. More Open-LoopOpen-loop ticketing allows fare payments with Visa, Mastercard, etc. cards. UniTiAg unlocks non-card-based open-loop ticketing tools, e.g., direct banking, e-wallets, crypto, etc. More ticketing model.
This approach makes it easier for ticketing system vendors to integrate with UniTiAgUniversal Ticketing Agent is a model of open-loop public transit ticketing using card-not-present transactions for fare acquiring. More, and fully exempts transit agencies from the complexity of PCI DSSPayment Card Industry Data Security Standards. and payment scheme regulatory obligations.
An app similar to Bye-Bye Card can be implemented by any TSMPAn online marketplace comprising two categories of customers: (A) online shoppers—e-wallet holders with cards or cash, and service receivers; (B) online merchants, sellers, and service providers. Examples include Amazon, Walmart, Uber, and many others. More participating in UniTiAgUniversal Ticketing Agent is a model of open-loop public transit ticketing using card-not-present transactions for fare acquiring. More. Alternatively the TSMPAn online marketplace comprising two categories of customers: (A) online shoppers—e-wallet holders with cards or cash, and service receivers; (B) online merchants, sellers, and service providers. Examples include Amazon, Walmart, Uber, and many others. More may opt to use Bye-Bye Cards. The TSMPAn online marketplace comprising two categories of customers: (A) online shoppers—e-wallet holders with cards or cash, and service receivers; (B) online merchants, sellers, and service providers. Examples include Amazon, Walmart, Uber, and many others. More is responsible for generating its unique CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token, according to the TSMPAn online marketplace comprising two categories of customers: (A) online shoppers—e-wallet holders with cards or cash, and service receivers; (B) online merchants, sellers, and service providers. Examples include Amazon, Walmart, Uber, and many others. More APIApplication Programming Interface More, and managing its CA Public certificate.
UniTiAgUniversal Ticketing Agent is a model of open-loop public transit ticketing using card-not-present transactions for fare acquiring. More maps the PKIPublic Key Infrastructure is a framework of cryptographic technologies, policies, and services that enables secure authentication by managing digital certificates and public-private key pairs. More Public Key certificate X.500 “O” (organization name) to participating TSMPsAn online marketplace comprising two categories of customers: (A) online shoppers—e-wallet holders with cards or cash, and service receivers; (B) online merchants, sellers, and service providers. Examples include Amazon, Walmart, Uber, and many others. More.
Bye-Bye Cards currently demonstrates two contactless interfaces: cEMV-like and QR Code.
Example of cEMV Session in Bye-Bye Cards
The following is an example of a cEMVContactless EMV More session between a validator’s NFCNear-Field Communications, a protocol used for data exchange between contactless cards and readers. More card reader and a CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More that is a smartphone with installed app Bye-Bye Cards.
Bye-Bye Cards is not a payment app. Its AID does not represent a payment EMVA protocol used by payments smart cards and points of sales for execution of payments transactions. application, and there is no payment data exchange in this session. The cEMVContactless EMV More protocol is implemented solely for the purpose of compatibility with the existing cEMVContactless EMV More card readers. This example demonstrates that the proposed card reader logic is already implemented in regular cEMVContactless EMV More card readers.
This approach makes it easier for ticketing system vendors to integrate with UniTiAgUniversal Ticketing Agent is a model of open-loop public transit ticketing using card-not-present transactions for fare acquiring. More, and fully exempts transit agencies from the complexity of PCI DSSPayment Card Industry Data Security Standards. and payment scheme regulatory obligations.
During this session, the app emulates a cEMVContactless EMV More card. The ‘card” presents the CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token to the card reader and proves its authenticity using a simplified cEMVContactless EMV More approach.
The entire NFCNear-Field Communications, a protocol used for data exchange between contactless cards and readers. More session time takes around 200 msec on the modern smartphones. Let’s walk through it step-by-step.
The APDU request/response trace is obtained with app NFCNear-Field Communications, a protocol used for data exchange between contactless cards and readers. More EMVA protocol used by payments smart cards and points of sales for execution of payments transactions. Explorer which can be installed from Google Play Store here.
Step 1: Select PPSE 2PAY.SYS.DDF01
This step is implemented for the compatibility purposes. It is not mandatory because the card reader knows exactly which AID to select in the next step. If this step is executed the smartphone’s operating system may direct the NFCNear-Field Communications, a protocol used for data exchange between contactless cards and readers. More session to an app with a higher priority, e.g. a Wallet.
APDU Request/Response Trace:
Select PPSE APDU Request: 00a404000e325041592e5359532e444446303100
Transceive Time=31 msec. SW1/SW2=9000.
Response content:
6f FCI Template, length=41
84 Dedicated File Name, length=14
"2PAY.SYS.DDF01"
a5 FCI Proprietary Template, length=23
bf0c FCI Issuer Discretionary Data, length=20
61 Directory Entry, length=18
4f ADF Name, length=7
f5633545180001
50 Application Label, length=7
"UNITIAG"
---- End of Response Content.
|
Tag 4F comprises the AID of the CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token app
Step 2: Select ADF
The card reader selects Application Data File for the AID F5633545180001.
APDU Request/Response Trace:
==== Select ADF APDU REQUEST: 00a4040007f563354518000100.
Transceive Time=15 msec. SW1/SW2=9000.
Response content:
6f FCI Template, length=49
84 Dedicated File Name, length=7
f5633545180001
a5 FCI Proprietary Template, length=38
50 Application Label, length=7
"UNITIAG"
9f38 PDOL, length=8
9f1c089f37049a03
df01, length=15
73084de18d15f9ac4734662814d4bb
---- End of Response Content.
|
In tag 9F38, the “card” requests from the card reader 9F1C (Terminal ID, 8 bytes), 9F37 (Unpredictable Number, 4 bytes), and 9A (Transaction Date, 3 bytes). In tag DF01, the “card” presents the 15 byte-long CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token.
At this point, the validatorValidator is a device with contactless card reader, registering card taps and validating access to the transit services. It is not a point of sale in UniTiAg model. More can initiate a parallel process to look up the CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token in the validator’s OTRBOpen-to-Ride Balance is an e-wallet monetary value for ticketing purposes, associated with a contactless token, shared between Transit Agencies. It can be pre-authorized, prepaid, postpaid, or a combination of thereof. More list (don’t forget to re-encode the binary value on DF01 to Base64-encoded string), and continue with CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token offline data validation (next steps).
Step 3. Get Processing Option
On this step, the card reader presents the data objects requested in the PDOL which the “card” signs with its private key and returns the Signed Dynamic Application Data.
APDU Request/Response Trace:
==== GPO APDU REQUEST: 80a8000011830f30303132303031325cb0b6f725122000
Transceive Time=34 msec. SW1/SW2=9000.
Response content:
77 Response Message Template Format 2, length=73
94 Application File Locator, length=4
08010202
9f4b Signed Dynamic Application Data, length=64
7f54 ... db
---- End of Response Content.
|
Tag 94 points to file 1, records 1 and 2. The card reader obtains these records on the next step and uses them for Offline Data AuthenticationOffline Data Authentication. A process for ensuring that the contactless instrument presented to the Validator is genuine. More.
Step 4. Read Records
The terminal reads two records specified in the AFL tag . The records comprise the public key X.509 certificate issued by the TSMP’s Certification Authority. This is the last step of the NFCNear-Field Communications, a protocol used for data exchange between contactless cards and readers. More session.
APDU Request/Response Trace:
==== Read Record 1 in file 1 APDU REQUEST: 00b2010c00.
Transceive Time=44 msec. SW1/SW2=9000.
Response content:
70 Read Record Response Message Template, length=244
9f46 ICC Public Key Certificate, length=240
3082 ... d718
---- End of Response Content.
==== Read Record 2 in file 1 APDU REQUEST: 00b2010c00.
Transceive Time=36 msec. SW1/SW2=9000.
Response content:
70 Read Record Response Message Template, length=190
9f48 ICC Public Key Remainder, length=186
0a56 ... a8c4
---- End of Response Content.
|
Step 5. Offline Data Authentication
Upon finishing the NFCNear-Field Communications, a protocol used for data exchange between contactless cards and readers. More session, using the ICC Public Key, the PDOL data, the Signed Dynamic Application Data, and the well-known Certificate Authority public X.509 certificate, the card reader completes offline data authenticationOffline Data Authentication. A process for ensuring that the contactless instrument presented to the Validator is genuine. More.
The card reader also compares the CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token obtained in Select ADF stage, tag DF01 with ICC Public Key Certificate component Certificate Name “CN’. The latter also presents the CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token encoded as a 30 char-long string of hexadecimal digits. In this case it must be “CN=73084DE18D15F9AC4734662814D4BB”
More about Bye-Bye Cards and its integration with Telegram Web App – in our blog.
QR Code Implementation in Bye-Bye Cards
Overview
Symbology & Physical Layer
- Standard: ISO/IEC 18004 (QR Code Model 2).
- Encoding Mode: 8-bit Byte Mode (Binary).
- Note to Integrators: The payload must be treated as a raw byte stream. Do not attempt to decode as UTF-8 or ASCII text, as this will corrupt the cryptographic signature.
- Error Correction Level: Level M (approx. 15% recovery) recommended for reader reliability under poor lighting/glass conditions.
- Minimum Module Size: 20 mils (0.5mm) recommended for optical scanners.
Data Link Layer (Payload Structure)
- The payload is a Proprietary TLV (Tag-Length-Value) binary stream. The structure allows for variable-length fields and forward compatibility (validatorsValidator is a device with contactless card reader, registering card taps and validating access to the transit services. It is not a point of sale in UniTiAg model. More should ignore unknown tags).
- Endianness: Big-Endian (Network Byte Order).
TLV Field Definition Table
| Field | Value (Hex) | Interpretation |
|---|---|---|
| Version | 01 | Protocol Version 1 |
| Tag: AID | 02 | |
| Length | 07 | |
| AID Value | F5633545180001 | AID |
| Tag: Label | 03 | |
| Length | 07 | |
| Label Value | 55 4E 49 54 49 41 47 | ASCII Text: “UNITIAG” |
| Tag: | 04 | |
| Length | 0F | 15 bytes |
| CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token | 73084DE18D15F9AC4734662814D4BB | CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token value |
| Tag: | 05 | |
| Length | 08 | |
| Timestamp | 0000019BDBD024F5 | In Unix Format |
| Tag: | FF | |
| Length | 47 | 71 bytes |
| Signature | 30450220…02CAA | ECDSA Signature (ASN.1 DER format) of CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token concatenated with the timestamp |
Offline Data Authentication
The ValidatorValidator is a device with contactless card reader, registering card taps and validating access to the transit services. It is not a point of sale in UniTiAg model. More verifies the signature of CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token concatenated with the timestamp tag.
The validatorValidator is a device with contactless card reader, registering card taps and validating access to the transit services. It is not a point of sale in UniTiAg model. More must retrieve the ICC Public Key Certificate component from the OTRBOpen-to-Ride Balance is an e-wallet monetary value for ticketing purposes, associated with a contactless token, shared between Transit Agencies. It can be pre-authorized, prepaid, postpaid, or a combination of thereof. More table (targeted replica) received in TANBA Transit Agency API that gives access to a Transit Agency Ticketing System to its targeted OTRB data replica at the Regional UniTiAg Host. More APIApplication Programming Interface More call “sync OTRBOpen-to-Ride Balance is an e-wallet monetary value for ticketing purposes, associated with a contactless token, shared between Transit Agencies. It can be pre-authorized, prepaid, postpaid, or a combination of thereof. More”.
The certificate Name “CN’ presents the CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More Token encoded as a 30 char-long string of hexadecimal digits. In this case it must be “CN=73084DE18D15F9AC4734662814D4BB”
Bye-Bye Card generates the QR code on the user request and displays the QR code for 20 seconds or until the screen is locked (whichever happens sooner). Each newly displayed QR code has a new timestamp. Respectively, the ValidatorValidator is a device with contactless card reader, registering card taps and validating access to the transit services. It is not a point of sale in UniTiAg model. More should decline expired QR codes.
UniTiAg cEMV Transit Validator
Android App UniTiAg Demo Transit Validator emulates a transit validatorValidator is a device with contactless card reader, registering card taps and validating access to the transit services. It is not a point of sale in UniTiAg model. More, using UniTiAgUniversal Ticketing Agent is a model of open-loop public transit ticketing using card-not-present transactions for fare acquiring. More TAA transit operator or an agency representing several transit operators. The TA acts as a merchant from the UniTiAg’s standpoint. More APIApplication Programming Interface More and TANBA Transit Agency API that gives access to a Transit Agency Ticketing System to its targeted OTRB data replica at the Regional UniTiAg Host. More APIApplication Programming Interface More. The app “understands” the CRDContactless Rider Device that presents credentials to the Validator proving the rider’s right to access transit services, e.g. cEMV card, UWB-enabled smartphone app, Calypso card, etc. More token presented by Bye-Bye Cards app via the cEMVContactless EMV More channel as well as standard cEMVContactless EMV More cards linked to OTRBsOpen-to-Ride Balance is an e-wallet monetary value for ticketing purposes, associated with a contactless token, shared between Transit Agencies. It can be pre-authorized, prepaid, postpaid, or a combination of thereof. More via Telegram mini app RideOnTonBot or via demo TSMPAn online marketplace comprising two categories of customers: (A) online shoppers—e-wallet holders with cards or cash, and service receivers; (B) online merchants, sellers, and service providers. Examples include Amazon, Walmart, Uber, and many others. More AmuzeBuy
The app can be used, together with AmuzeBuy, to explore these APIs, as well as the Rider UXUser Experience. More and OTRBOpen-to-Ride Balance is an e-wallet monetary value for ticketing purposes, associated with a contactless token, shared between Transit Agencies. It can be pre-authorized, prepaid, postpaid, or a combination of thereof. More spending and refill cycle.