Ingenico RA1
How to extract P2PE data from Ingenico RA1 payloads for processing on the Decryptx Parser.
At Bluefin, we have integrated and verified the following Ingenico RA1 devices:
- Ingenico iSMP4
- Ingenico IPP350
Obtaining the Payload
Typically, RA1 terminals are connected to host computers that run special software referred to as point of sale (POS) applications. POS applications obtain payment data from a paired terminal and send the data to a card payment processing gateway. Conveniently, Ingenico's developer portal has a number of RA1 software development kits (SDK) for a wide variety of operating systems and development languages. They make it easy for POS applications to obtain data from payment terminals.
In order to obtain data from the terminal, the POS sends an RA1 commands to connected device. To capture P2PE data you need two RA1 commands, the syntax and output of which are detailed below.
The first step is to identify the device's serial number by sending a FF00020000 command to the terminal.
Command
FF00020000
Response
0020995601
This data is parsed as follows:
| Chars | Value | Description |
|---|---|---|
| 1-10 | 0020995601 | The device's serial number. |
The RA1 will output the device serial number with a pair of leading zeros; these zeros must be removed when including the serial number in the Decryptx API call. Serial Number:
20995601
Swiped Payloads
The next step is to send a capture swipe command.
Command
FF03020004FFFF010200
(Magstripe read)
Response
00003A22121212131010191913121916111712133E201A3A2906112C0213343D373A1A0F322202093E1916181415121816131216161816131916161219000025020202030000090903020906010702030D09060804050208060302060608060309060602099000
This data is parsed as follows:
| Chars | Value | Description |
|---|---|---|
| 1-2 | 00 | Track 1 code (00 = success) |
| 3-6 | 003A | Track 1 length in hex (58 decimal) |
| 7-122 | 221212...161219 | Track 1 |
| 123-124 | 00 | Track 2 code (00 = success) |
| 125-128 | 0025 | Track 2 length in hex (37 decimal) |
| 129-202 | 020202...060209 | Track 2 |
| 203-206 | 9000 | SW1 SW2 |
Next, make an API call to the Parser with your device serial number, the KSN and the RA1 payload:
curl -X POST \
https://cert-parser.decryptx.com/api/decrypt/parser \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{
"partnerId" : "?????????",
"partnerKey" : "????????????????????????????????",
"deviceType" : "ingenico-ra1",
"deviceSerial" : "0020995601",
"ksn" : "FFFF9876540015400014",
"devicePayload" : "00003A22121212131010191913121916111712133E201A3A2906112C0213343D373A1A0F322202093E1916181415121816131216161816131916161219000025020202030000090903020906010702030D09060804050208060302060608060309060602099000"
}'
The Parser response will look like this:
{
"success" : true,
"messageId" : "1201804171350001001477272",
"meta" : {
"device" : "INGENICO RA1",
"serial" : "20995601",
"mode" : "swiped"
},
"track1" : {
"decrypted" : "30313032353139313232303130303030303030303032353530",
"encoding" : "hex",
"length" : 25,
"ascii" : "%B2223000010251723^XXXXXXXXXXXXXX/XXXX^19122010000000002550?",
"masked" : "%*222300******1723^XXXXXXXXXXXXXX/XXXX^1912****************?"
},
"track2" : {
"decrypted" : "30313032353139313232303130303030303030303032353530",
"encoding" : "hex",
"length" : 25,
"ascii" : ";2223000010251723=19122010000000002550?",
"masked" : ";222300******1723=1912****************?"
},
"extracted" : {
"PAN" : "2223000010251723",
"EXPY" : "1219",
"Surname" : "XXXXXXXXXXXXXX",
"FirstName" : "XXXX",
"ServiceCode" : "201",
"Discretionary" : "0000000002550"
}
}
Keyed Payloads
To capture keyed data enter the following command:
Command
FF84010000 (CardDataEntry)
Response
05103436333135383836303534343238323431373737033430369000
Again, you must retrieve the KSN used to encrypt the keyed payload.
Command
FF84000000 (Get KSN)
Response
0100464646463938373635343030313530303030313030353034303630303030009000
The KSN response message when converted to ASCII:
0100FFFF98765400150000100504060000009000
This data is parsed as follows:
| Chars | Value | Description |
|---|---|---|
| 1-4 | 0100 | Header |
| 5-24 | FFFF98...000010 | KSN |
| 25-34 | 0504060000 | KSN terminator (this can be ignored) |
| 35-40 | 009000 | SW1 SW2 |
Next, make an API call to the Parser with your device serial number, the KSN and payload:
curl -X POST \
https://cert-parser.decryptx.com/api/decrypt \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{
"partnerId" : "?????????",
"partnerKey" : "????????????????????????????????",
"reference" : "",
"ksn" : "FFFF9876540015000010",
"deviceType" : "ingenico-ra1",
"deviceSerial" : "0020995601",
"devicePayload" : "05103436333135383836303534343238323431373737033430369000"
}'
The Decryptx response is as follows:
{
"success" : true,
"messageId" : "1201804171558071001110755",
"meta": {
"device" : "INGENICO RA1",
"serial" : "20995601",
"mode" : "keyed"
},
"keyed": {
"decrypted" : "05103436333135383832353733373238323431393035033532379000",
"encoding" : "hex",
"length" : 16,
"ascii" : "46315882573728241905527",
"masked" : "463158******28241905***"
},
"extracted" : {
"PAN" : "4631588257372824",
"EXPY" : "1905",
"CVV" : "527"
}
}
EMV Payloads
When processing an EMV transaction, multiple commands must be sent to the Ingenico RA1 device.
- Start the transaction.
- Complete the transaction.
- Stop the transaction.
- Retrieve the KSN to encrypt the Track 2 equivalent.
The P2PE encrypted data is contained within the start transaction's response. The following is a sample EMV start transaction command (refer to the Ingenico RA1 documentation for a description of the command options).
FF811010008C5F2A0208269F1A0208268104000000649F0404000000009F02060000000001009F03060000000000009C01009A031707019F21031626029F390107DF161459315A3159325A3259335A333030303530323034DF6504000030009F350122DF15039F3704DF6801019F3303E0B8C89F4005F000F0B0015F3601029F1C083339333033303330DF0B01019F53015200
The following "Card Inserted" message is output:
0000124631585464402824D051247485043501823F4631586739882824FFFF5649534120444542495400000000000018000007A00000000310102425310000000840656E0000000000000000000007A0000000031010FF8000960096000000000000000000000000000000000000009000
Command
FF84000000 (Get KSN)
Response
0100464646463938373635343030313530303030304330353034303630303030009000
The KSN response message when converted to ASCII:
0100FFFF987654001500000C0504060000009000
This data is parsed as follows:
| Chars | Value | Description |
|---|---|---|
| 1-4 | 0100 | Header |
| 5-24 | FFFF98...00000C | KSN |
| 25-34 | 0504060000 | KSN terminator (this can be ignored) |
| 35-40 | 009000 | SW1 SW2 |
curl -X POST \
https://cert-parser.decryptx.com/api/decrypt \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{
"partnerId" : "?????????",
"partnerKey" : "????????????????????????????????",
"ksn" : "FFFF987654001500000C",
"deviceType" : "ingenico-ra1",
"deviceSerial" : "0020995601",
"devicePayload" : "0000124631585464402824D051247485043501823F4631586739882824FFFF5649534120444542495400000000000018000007A00000000310102425310000000840656E0000000000000000000007A0000000031010FF8000960096000000000000000000000000000000000000009000"
}'
The Decryptx response will look like this:
{
"success": true,
"messageId": "1201804171604511001010813",
"meta": {
"device" : "INGENICO RA1",
"serial" : "20995601",
"mode" : "emv"
},
"track2equivalent": {
"decrypted" : "3634333531323038313234343932353738373038343337",
"encoding" : "hex",
"length" : 23,
"ascii" : "3235373337313930353230313139343731323238383235",
"masked" : "463158******2824D1905**************F"
},
"track2": {
"decrypted" : ";4631588257372824=190520119471228825?",
"encoding" : "ascii",
"length" : 37,
"ascii" : ";4631588257372824=190520119471228825?",
"masked" : ";463158******2824=1905**************?"
},
"extracted": {
"PAN" : "4631588257372824",
"EXPY" : "0519",
"ServiceCode" : "201",
"Discretionary" : "19471228825"
}
}
Updated over 2 years ago