Ingenico RA1

How to extract P2PE data from Ingenico RA1 payloads for processing on the Decryptx Parser.

At Bluefin, we have integrated and verified the following Ingenico RA1 devices:

  • Ingenico iSMP4
  • Ingenico IPP350

Obtaining the Payload

Typically, RA1 terminals are connected to host computers that run special software referred to as point of sale (POS) applications. POS applications obtain payment data from a paired terminal and send the data to a card payment processing gateway. Conveniently, Ingenico's developer portal has a number of RA1 software development kits (SDK) for a wide variety of operating systems and development languages. They make it easy for POS applications to obtain data from payment terminals.

In order to obtain data from the terminal, the POS sends an RA1 commands to connected device. To capture P2PE data you need two RA1 commands, the syntax and output of which are detailed below.

The first step is to identify the device's serial number by sending a FF00020000 command to the terminal.

Command

FF00020000

Response

0020995601

This data is parsed as follows:

CharsValueDescription
1-100020995601The device's serial number.

The RA1 will output the device serial number with a pair of leading zeros; these zeros must be removed when including the serial number in the Decryptx API call. Serial Number:

20995601

Swiped Payloads

The next step is to send a capture swipe command.

Command

FF03020004FFFF010200
(Magstripe read)

Response

00003A22121212131010191913121916111712133E201A3A2906112C0213343D373A1A0F322202093E1916181415121816131216161816131916161219000025020202030000090903020906010702030D09060804050208060302060608060309060602099000

This data is parsed as follows:

CharsValueDescription
1-200Track 1 code (00 = success)
3-6003ATrack 1 length in hex (58 decimal)
7-122221212...161219Track 1
123-12400Track 2 code (00 = success)
125-1280025Track 2 length in hex (37 decimal)
129-202020202...060209Track 2
203-2069000SW1 SW2

Next, make an API call to the Parser with your device serial number, the KSN and the RA1 payload:

curl -X POST \
https://cert-parser.decryptx.com/api/decrypt/parser \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{
      "partnerId"     : "?????????",
      "partnerKey"    : "????????????????????????????????",
      "deviceType"    : "ingenico-ra1",
      "deviceSerial"  : "0020995601",
      "ksn"           : "FFFF9876540015400014",
      "devicePayload" : "00003A22121212131010191913121916111712133E201A3A2906112C0213343D373A1A0F322202093E1916181415121816131216161816131916161219000025020202030000090903020906010702030D09060804050208060302060608060309060602099000"
    }'

The Parser response will look like this:

{
    "success"   : true,
    "messageId" : "1201804171350001001477272",
    "meta" : {
        "device" : "INGENICO RA1",
        "serial" : "20995601",
        "mode"   : "swiped"
    },
    "track1" : {
        "decrypted" : "30313032353139313232303130303030303030303032353530",
        "encoding"  : "hex",
        "length"    : 25,
        "ascii"     : "%B2223000010251723^XXXXXXXXXXXXXX/XXXX^19122010000000002550?",
        "masked"    : "%*222300******1723^XXXXXXXXXXXXXX/XXXX^1912****************?"
    },
    "track2" : {
        "decrypted" : "30313032353139313232303130303030303030303032353530",
        "encoding"  : "hex",
        "length"    : 25,
        "ascii"     : ";2223000010251723=19122010000000002550?",
        "masked"    : ";222300******1723=1912****************?"
    },
    "extracted" : {
        "PAN"       : "2223000010251723",
        "EXPY"      : "1219",
        "Surname"   : "XXXXXXXXXXXXXX",
        "FirstName" : "XXXX",
        "ServiceCode"   : "201",
        "Discretionary" : "0000000002550"
    }
}

Keyed Payloads

To capture keyed data enter the following command:

Command

FF84010000 (CardDataEntry)

Response

05103436333135383836303534343238323431373737033430369000

Again, you must retrieve the KSN used to encrypt the keyed payload.

Command

FF84000000 (Get KSN)

Response

0100464646463938373635343030313530303030313030353034303630303030009000

The KSN response message when converted to ASCII:

0100FFFF98765400150000100504060000009000

This data is parsed as follows:

CharsValueDescription
1-40100Header
5-24FFFF98...000010KSN
25-340504060000KSN terminator (this can be ignored)
35-40009000SW1 SW2

Next, make an API call to the Parser with your device serial number, the KSN and payload:

curl -X POST \
https://cert-parser.decryptx.com/api/decrypt \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{
      "partnerId"  : "?????????",
      "partnerKey" : "????????????????????????????????",
      "reference"  : "",
      "ksn"        : "FFFF9876540015000010",
      "deviceType"    : "ingenico-ra1",
      "deviceSerial"  : "0020995601",
      "devicePayload" : "05103436333135383836303534343238323431373737033430369000"
}'

The Decryptx response is as follows:

{
    "success"   : true,
    "messageId" : "1201804171558071001110755",
    "meta": {
        "device" : "INGENICO RA1",
        "serial" : "20995601",
        "mode"   : "keyed"
    },
    "keyed": {
        "decrypted" : "05103436333135383832353733373238323431393035033532379000",
        "encoding"  : "hex",
        "length"    : 16,
        "ascii"     : "46315882573728241905527",
        "masked"    : "463158******28241905***"
    },
    "extracted" : {
        "PAN"  : "4631588257372824",
        "EXPY" : "1905",
        "CVV"  : "527"
    }
}

EMV Payloads

When processing an EMV transaction, multiple commands must be sent to the Ingenico RA1 device.

  • Start the transaction.
  • Complete the transaction.
  • Stop the transaction.
  • Retrieve the KSN to encrypt the Track 2 equivalent.

The P2PE encrypted data is contained within the start transaction's response. The following is a sample EMV start transaction command (refer to the Ingenico RA1 documentation for a description of the command options).

FF811010008C5F2A0208269F1A0208268104000000649F0404000000009F02060000000001009F03060000000000009C01009A031707019F21031626029F390107DF161459315A3159325A3259335A333030303530323034DF6504000030009F350122DF15039F3704DF6801019F3303E0B8C89F4005F000F0B0015F3601029F1C083339333033303330DF0B01019F53015200

The following "Card Inserted" message is output:

0000124631585464402824D051247485043501823F4631586739882824FFFF5649534120444542495400000000000018000007A00000000310102425310000000840656E0000000000000000000007A0000000031010FF8000960096000000000000000000000000000000000000009000

Command

FF84000000 (Get KSN)

Response

0100464646463938373635343030313530303030304330353034303630303030009000

The KSN response message when converted to ASCII:

0100FFFF987654001500000C0504060000009000

This data is parsed as follows:

CharsValueDescription
1-40100Header
5-24FFFF98...00000CKSN
25-340504060000KSN terminator (this can be ignored)
35-40009000SW1 SW2
curl -X POST \
https://cert-parser.decryptx.com/api/decrypt \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{
      "partnerId"     : "?????????",
      "partnerKey"    : "????????????????????????????????",
      "ksn"           : "FFFF987654001500000C",
      "deviceType"    : "ingenico-ra1",
      "deviceSerial"  : "0020995601",
      "devicePayload" : "0000124631585464402824D051247485043501823F4631586739882824FFFF5649534120444542495400000000000018000007A00000000310102425310000000840656E0000000000000000000007A0000000031010FF8000960096000000000000000000000000000000000000009000"
    }'

The Decryptx response will look like this:

{
    "success": true,
    "messageId": "1201804171604511001010813",
    "meta": {
        "device" : "INGENICO RA1",
        "serial" : "20995601",
        "mode"   : "emv"
    },
    "track2equivalent": {
        "decrypted" : "3634333531323038313234343932353738373038343337",
        "encoding"  : "hex",
        "length"    : 23,
        "ascii"     : "3235373337313930353230313139343731323238383235",
        "masked"    : "463158******2824D1905**************F"
    },
    "track2": {
        "decrypted" : ";4631588257372824=190520119471228825?",
        "encoding"  : "ascii",
        "length"    : 37,
        "ascii"     : ";4631588257372824=190520119471228825?",
        "masked"    : ";463158******2824=1905**************?"
    },
    "extracted": {
        "PAN"  : "4631588257372824",
        "EXPY" : "0519",
        "ServiceCode"   : "201",
        "Discretionary" : "19471228825"
    }
}