Client Overview
A Japan-based manufacturer of Android payment terminals. They aimed to launch a new terminal generation with strict payment security, rapid over-the-air updates, and a unified Android user experience for scanning, printing, and retail point flows.
Business Challenges
- Achieve EMV L2 and enforce PCI PTS/SRED requirements for Manual PAN entry and Secure Keypad.
- Unify multiple Android utilities (barcode/QR scanning, remote printing, retail app) into one experience.
- Minimize PCI scope and protect sensitive data while enabling auditable cloud operations.
- Reduce field service visits by enabling reliable FOTA with signed, safe rollouts and rollbacks.
- Accelerate time-to-market without compromising certification and device hardening.
Our Solution Approach
Architecture
On-device (two isolated tracks):
- Secure CPU (C++): EMV contact/contactless kernels, risk management, CVM routing; sensitive PAN never exits the secure boundary.
- Android single app: consolidates barcode/QR scanning, remote printing (ESC/POS, ePOS-Print XML), and retail point flows; payment is launched via IPC to the Secure CPU, so card data stays on the secure side. Verified Boot, TEE/Keystore, and mutual TLS with per-device certificates.
Backend (AWS, serverless-first):
- Payment orchestration using API Gateway, Lambda, DynamoDB, EventBridge.
- Ads distribution via S3 + CloudFront (signed URLs); terminals cache content and emit proof-of-play telemetry.
- Security with KMS CMKs, Secrets Manager, WAF, and least-privilege IAM; comprehensive audit logging.
- Operations for device telemetry, policy targeting, fleet grouping, and observability.
FOTA (firmware & app):
- AWS IoT Core/Jobs, signed bundles, staged canary→wave rollouts, A/B partitions, resumable/delta downloads, and automatic rollback.
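To make the rollout policy above concrete, here is an added example (not the project's code) that models A/B-slot terminals, a canary→wave schedule, and automatic fleet rollback when post-update health telemetry crosses a failure threshold. The bundle, manifest, wave fractions, failure threshold and health flags are constructed, and the SHA-256 digest check stands in for the code-signature verification of the signed manifest (an assumption of this example).

```python
"""Staged canary->wave FOTA rollout with A/B slots and automatic rollback (constructed)."""
import hashlib
from dataclasses import dataclass, field

BUNDLE = b"firmware-2.0-image"                      # constructed bundle bytes
MANIFEST = {"version": "2.0", "sha256": hashlib.sha256(BUNDLE).hexdigest()}

def bundle_ok(bundle: bytes, manifest: dict) -> bool:
    """Integrity gate before flashing: the digest must match the manifest.
    Stands in for verifying the code signature on the signed manifest (assumption)."""
    return hashlib.sha256(bundle).hexdigest() == manifest["sha256"]

@dataclass
class Device:
    device_id: str
    active: str = "A"
    slots: dict = field(default_factory=lambda: {"A": "1.0", "B": None})
    boots_ok: bool = True   # constructed post-update health telemetry

    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"

    def install(self, bundle: bytes, manifest: dict) -> bool:
        if not bundle_ok(bundle, manifest):    # device-side check, defense in depth
            return False
        self.slots[self.inactive()] = manifest["version"]
        self.active = self.inactive()          # switch slots; old image stays intact
        return True

    def rollback(self) -> None:
        self.active = self.inactive()          # previous slot is still bootable

def rollout(fleet, bundle, manifest, waves=(0.05, 0.25, 1.0), max_fail=0.02):
    """Widen the rollout wave by wave; roll back every updated device as soon as
    the failure rate across updated devices exceeds max_fail."""
    if not bundle_ok(bundle, manifest):        # backend gate: never ship a bad bundle
        return {"status": "rejected", "updated": 0, "failed": 0}
    updated = []
    for frac in waves:
        cohort = fleet[: max(1, round(len(fleet) * frac))]
        for dev in cohort:
            if dev not in updated and dev.install(bundle, manifest):
                updated.append(dev)
        failed = [d for d in updated if not d.boots_ok]
        if updated and len(failed) / len(updated) > max_fail:
            for dev in updated:
                dev.rollback()
            return {"status": "rolled_back", "wave": frac, "failed": len(failed)}
    return {"status": "complete", "updated": len(updated), "failed": 0}
```

A healthy fleet advances through all waves; one failing terminal in the 5% canary is enough to halt the rollout and return every updated device to its previous slot.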
Features
- EMV & Secure Entry (CDA/DDA), Manual PAN and Secure Keypad within PTS/SRED scope.
- Unified Android UX for scan/print/sale & refund; offline resilience with local storage.
- Ads engine with proof-of-play telemetry and device-level caching.
- FOTA pipeline with device identity (mTLS), signed updates, staged rollout, and one-click rollback.
- Hardened stack: Verified Boot, TEE/Keystore on device; KMS-backed encryption and WAF on cloud.
Team & Process
Cross-functional squad (Embedded C++ • Android • Cloud • QA • DevOps • Security). Execution follows a gated SDLC with clear handoffs and traceability:
- Requirements (Customer Spec → Clarifications): requirement log and traceability matrix.
- Design Phase: System Design (architecture, interfaces, data flows) and Detail Design (API contracts, sequence diagrams, data models).
- Coding Phase: Programming and Code Unit Test with coverage & evidence in CI.
- Testing Phase: IT (Integration Test), ST (System Test and non-functional), UAT (business validation with customer scenarios).
- Release & Warranty: controlled rollout with monitoring and rollback readiness; 60-day defect warranty post-acceptance.
Technology Stack
Device & OS:
- Secure CPU (C++) with EMV kernels and secure keypad handlers.
- Android (single consolidated app) with Verified Boot and TEE/Keystore.
Cloud & Data:
- AWS: API Gateway, Lambda, DynamoDB, EventBridge, S3, CloudFront, KMS, Secrets Manager, WAF, CloudWatch.
- FOTA: AWS IoT Core/Jobs with Code Signing and A/B partitioning.
DevOps & QA:
- CI/CD pipelines, automated unit tests, integration test harness, device fleet observability dashboards.
Commercial Model
Preferred engagement: Time & Materials (T&M) for certification-heavy, evolving scope, with weekly burn reports and backlog grooming.
Fixed-Price work packages are offered for well-bounded deliverables with:
- Milestones: 40% / 40% / 20% (definition, build, acceptance).
- Warranty: 60-day defect warranty post-acceptance.
- Support: Optional SLA-based L2/L3 support.
- Change Control: formal handling of out-of-scope items.
Outcomes
- Consolidated UX across device SKUs; reduced code duplication and release overhead.
- Accelerated certification and safer deployments via strict separation of secure vs. UI domains.
- Lower operating costs: serverless primitives and FOTA reduce idle cost and site visits.
- Tighter PCI boundaries with auditable IAM, logging, and device-side data minimization.