What is SoftPOS, and is it Secure?

SoftPOS, software-based point of sale, gives merchants a way to accept payments anywhere, right on the mobile device they already own. But for merchants who understand the gravity of PCI compliance and growing threats to payment data, there may be concerns about security. Independent software vendors (ISVs) and value-added resellers (VARs) can put their clients’ minds at ease by educating them about what SoftPOS is and answering these seven common questions.

What Is SoftPOS?

SoftPOS is software-based point of sale (POS) that allows businesses to accept contactless card and mobile wallet payments without investing in traditional payments hardware. It benefits merchants by allowing them to accept contactless payments on commercial devices, like Android tablets and smartphones. It’s a practical way for merchants to add mobile POS to their capabilities while keeping total cost of ownership (TCO) low.

7 Questions And Answers About SoftPOS Security

When you offer SoftPOS to your merchants, you’ll probably hear their concerns. Can accepting contactless payments really be that easy without putting data at risk? Be ready with the facts to answer their questions and build trust in this game-changing technology.

  1. Does SoftPOS Meet PCI CPoC and SPoC Standards?
    The quick answer is yes, but PCI didn’t stop there. The first SoftPOS solutions launched before any dedicated controls existed, so the Payment Card Industry Security Standards Council (PCI SSC) stepped in to establish controls that keep payment data safe.
    • In 2018, PCI published SPoC, which required an external card reader attached to a commercial off-the-shelf (COTS) device as a means of protecting card data.
    • In 2019, PCI published CPoC. This standard allowed near-field communication payments from a mobile wallet or contactless card, but did not permit PIN entry on the same device.
    • In 2022, PCI published MPoC to address PIN entry on the same device that reads the contactless card. This standard also gives providers even more flexibility to develop, deploy, and maintain SoftPOS solutions.

    All three standards are valid and work to protect data so merchants can confidently accept payments.

  2. Does SoftPOS Isolate Payment Data from Other Apps on the Device?

    Yes. PCI standards require that SoftPOS solutions use techniques like sandboxing, trusted execution environments (TEE), and application hardening to keep payment data separate and secure.

  3. How Does SoftPOS Manage Transactions Securely?

    SoftPOS transactions run on the same payment rails as EMV transactions and are validated in the same way, using a one-time key generated for each transaction. These protections mean that if the system does not recognize the person attempting to pay, or has information that the account is invalid, the transaction is not allowed to go through.

  4. How Secure is a Standard Android Device for Accepting Card Payments?

    Commercial mobile devices are designed with data protection in mind. Payment data is tokenized and encrypted so that no readable data is exposed to hackers or cybercriminals. Additionally, devices can be configured to require biometric or other multi-factor authentication for access. Also, remind merchants that near-field communication (NFC), which allows a contactless card or mobile wallet to communicate with the device, only transmits within a few centimeters, so someone walking by cannot communicate with the software.

  5. Does SoftPOS Ever Store Card Data on the Device?

    No. This is one of the system’s greatest advantages. SoftPOS uses encryption and tokenization to ensure no readable card data is ever on the device. Furthermore, data is managed by the SoftPOS solution, not the device itself.

  6. What Happens if the Phone is Lost or Stolen?

    Devices that merchants use for SoftPOS need to be configured so they can be locked or wiped remotely. If a device is lost or stolen, the merchant should contact the SoftPOS provider so it can disable the software on that device. The software should also be set up with two-factor authentication, so unauthorized users cannot access the software on the device.

  7. What Security Responsibilities Stay with the Merchant?

    Responsibility for the protection of payment data is shared between the SoftPOS provider and the merchant. Merchants are responsible for ensuring that devices are configured for access control and that strong user authentication, such as two-factor or multi-factor authentication, is enforced without exception. The SoftPOS provider is responsible for meeting PCI requirements and building security into its workflows. An experienced payment solution provider with a solid security track record and the ability to monitor activity on SoftPOS accounts can help ease merchants’ concerns over security.

SoftPOS with All the T’s Crossed and I’s Dotted

As a trusted business advisor, you need to vet SoftPOS solutions to identify which will offer the greatest benefits while maintaining security. ISVs and VARs must educate themselves about SoftPOS solutions and assure merchants that they meet PCI requirements, don’t create any payment data vulnerabilities, include safeguards for lost or stolen devices, and come from a provider with a long track record of providing secure payment solutions.

Datacap Systems offers a feature-rich and secure SoftPOS system. Contact us about partnering to provide a SoftPOS system your clients can trust.

Help your merchants adopt SoftPOS with confidence.