For the third year running, my colleague Gary Munro facilitated a thought-provoking debate around the use of mobile phones and tablets as contactless payment terminals during last week’s virtual Merchant Payments Ecosystem (MPE) conference. For the last three years, Gary and his panellists have tracked the progress of the SoftPOS technology and standards. The three key messages that I took away from this year’s conversation were that:
- The Payment Schemes and vendors have taken a range of approaches to the deployment of their services. Payment kernels can be loaded into the phone or accessed in the cloud. The SoftPOS application can be delivered as an SDK to be integrated into the merchant’s application or as a white label stand-alone service.
- Each deployment option brings differing security challenges that PCI and the Payment Schemes have to evaluate and regulate for in their standards. The range of technical solutions has caused delays in the publication of those standards and the refinement of the processes and tools for certifying the applications.
- There is insufficient capacity within the global PCI and Payment Scheme certification laboratories to meet the demand for the ongoing certification, and re-certification, of SoftPOS solutions. PCI’s ability to approve new labs, and increase capacity, has been impacted by global and local COVID travel regulations.
So, what does this mean if you are a vendor looking to launch a SoftPOS service or a merchant looking to integrate SoftPOS into their point of service?
As one of the panellists commented, ‘there are all flavours of SDK’ currently on the market. Each brings a different set of evaluation and certification requirements for both the vendor and merchant. While PCI requires an annual security evaluation of the SoftPOS application as standard, depending on how it shares the data with the merchant’s application, those security evaluations could be extended to the merchant application. Thus, while a white label SoftPOS application may not deliver the merchant’s optimum consumer experience, its speed to market and operating costs may be less.
The shortage of capacity within the certification laboratories could significantly delay the launch of a new service should it not pass certification first time, as subsequent slots in those laboratories will be booked months in advance. Both the Payment Schemes and certification laboratory need to understand the security architecture associated with the SoftPOS service under evaluation when they start the evaluation. So, a certification can fail due to inconsistencies in the vendor or merchant’s paperwork as well as the implementation of the security architecture in their service.
Gary and our colleagues at Consult Hyperion, have significant experience of helping vendors prepare their processes and products for PCI and Payment Scheme certification. Our consultants regularly act as technical architects within our client’s project teams tasked with procuring complex payment services. They have successfully authored and critiqued security architectures for POS and SoftPOS solutions validated the security of distributed payment services and, together with our in-house development and test teams, have assisted in the development, security and testing of Tap To Phone solutions. All have a deep understanding of the weaknesses in the design of a mobile phone, the countermeasures required to secure data stored in a mobile application and the techniques for writing secure iOS and Android code.
We are excited by the opportunities presented by SoftPOS/Tap to Phone and the difficulties with getting these services to market, as discussed both at MPE and other venues. If you are a vendor having difficulty launching your SoftPOS service or a merchant looking to acquire such a service from a third party, please let me know. I will organise a call for you with our experts to review your plans and any concerns that you might have with its successful deployment.
Looking forward to our conversations – +1 617 320 6561, +44 7966 003 332 or firstname.lastname@example.org