• Français
  • English

SoftPOS: the new standard for payments?

Payment terminals are undergoing a revolution! These objects used to be cumbersome and monotonous, but they have evolved towards other flexible and affordable models. First, you had Standalone Point of Sales that has popularized bank card payments.

More and more  credit card schemes require internet connections to perform transaction monitoring and poinbecame connected devices.

The mPOS (Mobile point of sale) was launched and popularised by Square with the arrival of smartphone: a more discreet device than its predecessors but, above all, more mobile, less expensive and connected via the mobile phone.

The latest innovation is the SoftPOS (Software point of sale), a software payment terminal in the form of a smartphone application that no longer depends on a single object dedicated to this service.

If SoftPOS offers a new model that is much more practical than traditional payment terminals, what about its security? How can the information between the bank card and this software solution be transmitted without fault? Here are some explanations.

SoftPOS: how does it work?

SoftPOS was created with a specific goal in mind: to be able to use COTS (Commercial off the shelf) or otherwise known as “consumer” devices for payments with a bank card, such as an iPhone, a Samsung, a Xiaomi, or any other recent smartphone model.

So, after downloading the SoftPOS application, the smartphone activates its NFC antenna – an electromagnetic data exchange protocol – to accept bank cards.

Therefore, in a SoftPOS transaction, the steps are as follows:

  • The seller indicates the transaction amount directly in the app.
  • The buyer deposits his bank card on the smartphone for a traditional contactless payment.
  • The application requests the encrypted card’s information and sends it to the server using an available payment scheme.
  • The transaction is completed and transmitted to the seller’s and buyer’s banks.

The transaction should be authorized in seconds.

SoftPOS: opportunities and limitations

A flexible solution 

At a time when consumers prefer to pay by credit card or smartphones, the innovative SoftPOS system has many advantages for sellers:

  • If you work in mobility (taxi driver, street-food vendor, etc.), these payment terminals are handy! It allows for greater mobility. There is no longer any need to carry your terminal or a dedicated object as it is integrated into a single device that everyone has: the smartphone.
  • They cost less than traditional payment terminals as they do not require the purchase of an individual device. Here, the cost of acquiring the solution is removed. SoftPOS is therefore more affordable and can be adopted by small retailers or entrepreneurs starting, for example.
  • Getting started is very simple—there is no need to get a demo from a salesperson or manage the payment service with your bank. Just download the application, create an account, and connect it to your business bank account.

The SoftPOS security challenge

While contactless payments are increasingly common, accepting them with smartphones presents a significant technical challenge. Not all smartphones have built-in security, and their versatility presents a higher risk. As a result, they may be more vulnerable to fraud!

Fortunately, the phone industry already made great strides in security. Major technology players such as Apple, Google and Samsung have built contactless mobile payment systems to emit payments and to store virtual credit cards: Google Pay, Apple Pay, etc. Therefore, we can expect increased security for receiving payments as a sale.

Furthermore, with the increase in the use of dematerialised payment, it is more than necessary to encrypt the data exchanges between the bank card and the smartphone. The aim is to ensure that cardholder data is safe and will not be stolen.

SoftPOS publishers: how to secure your payment solution?

To compensate for the possible lack of security of devices, it is possible to rely on a reference organisation: the Payment card industry security standard council, or PCI SSC. This association brings together the major players in the payment industry who can set up security standards and certifications for each solution. Their objective is to ensure the security of transactions and the security of transaction data, both for sellers and providers.

This organisation has implemented various standards, including PCI Contactless Payments on COTS (PCI CPoC), which was introduced at the end of 2019. It removes the need to use a bank card reader and uses the contactless capabilities of a COTS device, such as a smartphone. Since then, software-based payment solutions need to pass the PCI CPoC certification.

PCI CPoC requires using security functions that are very difficult to develop. SoftPos players often turn to providers who offer ready-to-implement security solutions. However, it can be challenging to know where to turn. The American organisation EMVco has therefore created an additional certification. This means that EMVCo-certified resolutions have passed the requirements for PCI CPoC certification. Thus, by choosing an EMVCo-certified security solution, the SoftPOS payment solution provider will be PCI CPoC certified without the need for a laboratory to evaluate the strength of the security functions.

Secure your SoftPOS solutions with Quarkslab

As you can see, SoftPOS solution providers need to be PCI CPoC certified to market their solutions. The easiest way to get it is to buy an EMVCo-certified security solution.

QShield, a security software developed by Quarkslab, is one of the essential software solutions for securing the SoftPOS application.Indeed, our Software ProtectionTool allows you to benefit from security bricks that are EMVCo certified, which guarantees PCI CPoC certification.

It is the easiest technological solution to obtain the necessary certification to market your SoftPOS application with peace of mind! So contact us!

Watch our webinars


How to secure mobile payment applications?


Looking for a way to counter malware
attacks from files?

Follow us