Airpay TAP - Merchant Guidelines

Version Date Changes
1.0.0 03/12/2019 Initial Release
1.1.0 17/02/2021 Added merchant verification information and how to take a payment
1.1.1 17/05/2021 Minor changes to wording
1.2.0 22/10/2021 Moved merchant guidelines to Airpay Shield.

This document outlines the guidelines that you as a merchant must follow when using the Airpay TAP solution.

Following these guidelines ensures that your own business information as well as the private card information of your customers is kept private and secure.

Failure to follow these guidelines may in extreme cases result in a malicious actor gaining access to personal information stored on your mobile device, or to customer card information.

Using Airpay TAP

Verify your application

Once you've installed the application that contains the Airpay TAP payment capability, you should verify that the app has been installed correctly.

To do this you can navigate to the Airpay TAP tools menu and tap Verify Airpay TAP, you will then be presented with options for verifying your app. You may tap the Verify Now button to launch a web browser that will verify the security of the app, or alternatively you can scan the QR code from a separate mobile device.

The web page that opens will tell you if your device and app are secure and safe to use for payments. If your device or app is identified as not being secure, please contact your payment provider.

When verifying your app, ensure that you see the lock icon in your browsers address bar and that your address bar shows airpayshield.com.

Taking a payment

In order to take a payment, use your app to enter any details required for the sale and then choose to begin a payment.

Airpay TAP will take over your devices screen and prompt for the cardholder to tap their card. Offer your mobile device to the cardholder and ensure they tap their card on the back of your device where your device's NFC is located. This is usually near the top of the device but may differ between different models.

If your business has PIN support enabled then Airpay TAP may prompt for PIN. If the transaction is above the CVM limit and requires a PIN then Airpay TAP will prompt the cardholder for their PIN. Hand your mobile device to the cardholder so they can securely enter their PIN. Once the cardholder finishes entering their PIN and taps the tick (:heavy_check_mark:) they can return the mobile device to you.

Airpay TAP will securely process the transaction to your financial institution and then inform you of the result. You can then use your app to provide a receipt to the cardholder.

Staying Safe

Keep your mobile device up to date

Although Android updates can often be irregular, when updates are released they often contain security fixes and improvements. It is important to update as soon as an update is made available for your device to ensure that any security vulnerabilities that are discovered are resolved as quickly as possible.

Usually you'll get a notification when an update for your device is available, but you can check for updates directly by following these steps: - Open the Android Settings app - Scroll down to and tap System - Tap System updates - If an update is available then follow any prompts to install it

Turn on your lock-screen

Having a lock screen for your device is important so that no one can access your phone without your permission.

If a malicious actor gets access to your device it may be possible for them to install malicious software that could compromise your device or steal information from it without you knowing, even if you get your device back!

You can turn on your lock-screen by following these steps: - Open the Android Settings app - Find Security & Lock Screen or Device Security - Configure your screen lock using a secure PIN, password, or pattern

Be careful what apps you install

While Google do monitor the Play Store for malicious apps, sometimes bad apps slip past their systems. Often these apps might appear to be a simple app like a Calculator, but might contain unexpected or malicious functionality.

Always check reviews for apps, and if an app asks for a lot of unnecessary permissions, either during use or when you install it, then consider if that app should need those permissions.

Uninstall unwanted or unknown apps

It's a good idea to regularly review your installed apps and uninstall any unused or unknown apps.

Sometimes a malicious actor can gain control of a developers account on the Play Store, or might purchase an old app with lots of installations. They might then release an update that contains malicious functionality. By making sure you uninstall unused apps you can minimise the chance of this happening to an app on your device.

To review the apps installed on your device, you can: - Open the Android Settings app - Tap on Apps or Apps & Notifications - You may need to tap See all .. apps

Don't install apps from untrustworthy sources

You should never install apps from any source other than the Google Play Store or a trusted Device Manufacturer app store (such as Samsung Galaxy Apps).

3rd party app stores might not have rules or monitoring to protect against malicious apps which makes it very easy for malicious actors to distribute malicious apps using these platforms.

You should also never install APK files directly that have been sent to you via email or that you've downloaded via the internet.

Don't root your mobile device

Rooting an Android device means gaining escalated privileges that allow apps to perform functions that Android usually wouldn't allow. This can allow malicious apps to interfere with other apps or to easily steal information from the device.

It is very difficult to know what permissions apps have if your device is rooted because they do not use the standard permissions system. A malicious app can even hide itself so that you can't uninstall it.

© Quest Payment Systems Pty. Ltd.