Airpay TAP (Android)
Airpay TAP is a component of EFTPOS Air that turns your NFC-enabled Android smartphone or tablet into a payment terminal.
Merchant Responsibilities and Guidelines
This document includes the guidelines that you as a merchant must follow when using the Airpay TAP solution.
Following these guidelines ensures that your own business information as well as the private card information of your customers is kept private and secure.
Failure to follow these guidelines may in extreme cases result in a malicious actor gaining access to personal information stored on your mobile device, or to customer card information.
Enabling Card Payments
After you first login to EFTPOS Air, you can enable Airpay TAP by choosing Enable from the card payments card on the dashboard. You can also do this by navigating to the More tab > Card Payments and choosing Enable on the Airpay TAP card.
Enabling Airpay TAP can take around 30 seconds while we ensure the security of your device.
While Airpay TAP is enabling, you will be prompted to enable any permissions and settings that are needed for Airpay TAP to operate. These permissions must be enabled in order for Airpay TAP to work.
The required permissions and settings are:
- Do not disturb access - This is used to ensure that the cardholder doesn't see any of your personal notifications during a transaction
- Device Location access - Your device location helps us to minimise transaction fraud
- Device Location enabled - Your device location must be turned on for us to access it
- NFC enabled - Your device NFC is required to commence transacting
- Google Play Protect enable - Your device must have Google Play Protect enabled which helps protect you from malicious apps on the Play Store
Once you have enabled all the required permissions and settings, you will be required to verify your app.
After enabling Airpay TAP you'll be presented with the Airpay TAP Training page. From here we recommend reviewing the Using your device's contactless reader training to help you locate your NFC location, as well as accessibility related training.
Verifying Airpay TAP Security
Verifying Airpay TAP allows you to verify that EFTPOS Air and Airpay TAP are operating securely together.
To verify Airpay TAP, navigate to More > Card Payments > Tools Menu > Verify Airpay TAP. You can then verify Airpay TAP by tapping Verify Now or by scanning the provided QR code with a different mobile device.
Airpay TAP will launch a website in your mobile devices web browser which will tell you if your device and app are secure and safe to use for payments. If your device or app does not display a green tick, your device is identified as not being secure, please contact us.
When verifying your app, ensure that you see the lock 🔒 icon in your browsers address bar, and that your address bar shows airpayshield.com.
Protected by Airpay Shield
Airpay Shield (airpayshield.com) is our back-end verification system that ensures that your mobile device is operating safely and securely, and ensures the security of any transactions processed on your mobile device.
To make a payment using Airpay TAP, you'll need to create a sale or invoice, and then follow the displayed instructions.
Once a sale has started, Airpay TAP will guide you, and the cardholder through the transaction:
- The cardholder must tap their card
- If a PIN is required, the cardholder must enter their PIN
- The device will display the transaction result
The green lights at the top of the app during payment replicate what you would see on a physical card reader. With a sucessful card read, you should see the four lights light up in sequence from left to right.
Android NFC Reader Location
Your Android device has an NFC antenna on the back of it, this is where the cardholder must tap their card. However, different phones have this NFC area in different positions, so you may need to assist the cardholder with locating the best area to tap their card.
Usually, your NFC location is near the top or centre of the phone. To familiarise yourself with your NFC location, you should review the Using your device's contactless reader training inside Airpay TAP Training.
If PIN is required during a transaction, then accessibility services must be disabled before the cardholder PIN can be entered. This is required to ensure the security of your customers PIN.
Review the Accepting payments as a merchant with a vision impairment training inside Airpay TAP Training for more information on how to easily do this.
Disabling Airpay TAP
To disable Airpay TAP, navigate to More > Card Payments and choose Disable from the Airpay TAP tab.
Airpay TAP Tools
You can find the Airpay TAP Tools inside More > Card Payments.
This tools menu displays the version of Airpay TAP that is loaded in your copy of EFTPOS Air, and also allows you to verify your Airpay TAP security.
Airpay TAP Training
After enabling Airpay TAP you will be taken straight to the Airpay TAP training page. You can also access this page by navigating to More > Help Center > Airpay TAP Training, or via the Airpay TAP Tools menu detailed above.
The Airpay TAP Training page contains the following training sessions:
Using your device's contactless reader - This interactive session will help you find your device's NFC location, which is where your customers will need to tap their card or smart device. You'll need a card handy for this session.
Assisting cardholders with vision impairment - This session provides important information about the accessibility options available to your customers when making a payment. You should make sure you review and understand this session to ensure you're able to assist any customers with accessibility needs.
- Accepting payments as a merchant with a vision impairment - If you're a merchant with vision impairment then this session provide important information about how to use Airpay TAP while accessibility features are enabled on Android.
If you believe you have found a vulnerability in Airpay TAP, EFTPOS Air, or a related product, please let us know via our secure vulnerability reporting form.
Keep your mobile device up to date
Although Android updates can often be irregular, when updates are released, they often contain security fixes and improvements. It is important to update as soon as an update is made available for your device to ensure that any security vulnerabilities that are discovered are resolved as quickly as possible.
Usually, you'll get a notification when an update for your device is available, but you can check for updates directly by following these steps: - Open the Android Settings app - Scroll down to and tap System - Tap System updates - If an update is available then follow any prompts to install it
Turn on your lock-screen
Having a lock screen for your device is important so that no one can access your phone without your permission.
If a malicious actor gets access to your device it may be possible for them to install malicious software that could compromise your device or steal information from it without you knowing, even if you get your device back!
You can turn on your lock-screen by following these steps: - Open the Android Settings app - Find Security & Lock Screen or Device Security - Configure your screen lock using a secure PIN, password, or pattern
Make sure you choose a secure PIN, password, or pattern that is sufficiently difficult for someone to guess. It's also a good idea to enable fingerprint scanning or face-unlock if available.
Be careful what apps you install
While Google do monitor the Play Store for malicious apps, sometimes bad apps slip past their systems. Often these apps might appear to be a simple app like a calculator but might contain unexpected or malicious functionality.
Always check reviews for apps, and if an app asks for a lot of unnecessary permissions, either during use or when you install it, then consider if that app should need those permissions.
Think about what permissions an app may or may not need. For example, a calculator app probably doesn't need camera or internet access.
Uninstall unwanted or unknown apps
It's a good idea to regularly review your installed apps and uninstall any unused or unknown apps.
Sometimes a malicious actor can gain control of a developers account on the Play Store, or might purchase an old app with lots of installations. They might then release an update that contains malicious functionality. By making sure you uninstall unused apps you can minimise the chance of this happening to an app on your device.
To review the apps installed on your device, you can: - Open the Android Settings app - Tap on Apps or Apps & Notifications - You may need to tap See all .. apps
Don't install apps from untrustworthy sources
You should never install apps from any source other than the Google Play Store or a trusted Device Manufacturer app store (such as Samsung Galaxy Apps).
3rd party app stores might not have rules or monitoring to protect against malicious apps which makes it very easy for malicious actors to distribute malicious apps using these platforms.
You should also never install APK files directly that have been sent to you via email or that you've downloaded via the internet.
Don't root your mobile device
Rooting an Android device means gaining escalated privileges that allow apps to perform functions that Android usually wouldn't allow. This can allow malicious apps to interfere with other apps or to easily steal information from the device.
It is very difficult to know what permissions apps have if your device is rooted because they do not use the standard permissions system. A malicious app can even hide itself so that you can't uninstall it.
(Merchant Guidelines Version 1.2.0)