From Hardware POS to Pocket-Sized Payments: A Chief Product Officer’s Reflections on SoftPOS

Tue Feb 27 2024

Written in collaboration with Damien Chow, Chief Product Officer, MineSec.

SoftPOS means Software Point-of-Sale (POS), but why was this technology named as such?  The name “SoftPOS” emphasises the key difference between it and traditional POS systems – highlighting the portability, flexibility, and cost-effectiveness that SoftPOS offers compared to its hardware counterparts.  

For over 6 years, I’ve been evaluating, developing, launching and advocating for SoftPOS, and I’m excited to share some of my experiences and learnings with you.

A Turning Point in Payments: Enter SoftPOS

It all started back in 2017 when I came across a paper on “Embedded Contactless Secure Reading for MPOS Pilot Programs” by a certain payment card scheme.  This technology had the potential to transform something fundamental: turning any mobile phone or Commercial Off the Shelf (COTS) device with NFC into a payment terminal.

Back then, acquiring payment terminals for your business meant personal trips to the bank, lengthy paperwork and a months-long wait for the bank’s approval. Even then, only large merchants could afford these payment terminals, thus excluding the micro, small and medium merchants from the benefits of card payment acceptance.

That paper inspired us to imagine a world where merchants, big or small, no longer need bulky and expensive hardware just to accept contactless payments. In 2017, “SoftPOS” wasn’t even a word yet, but many of us knew that this technology was going to be a game-changer, especially in places like Hong Kong, where traditional POS systems were costly and inconvenient for many businesses.

From Pilot Programs to Market Adoption: A Journey of Innovation

Fast forward to 2020, and we saw the first SoftPOS launch in Hong Kong. Mastercard had partnered with Dah Sing Bank and BBPOS MSL to launch the first Tap on Phone (another term for SoftPOS) in Hong Kong, allowing merchants to accept Mastercard payments on their phones. This was a major milestone, but it was just the beginning.

In 2021, Spectra Technologies launched the first multi-scheme SoftPOS in Hong Kong, supporting Mastercard, Visa, and later on AMEX, UnionPay, JCB and Discover/Diners payments. The introduction of the first multi-scheme SoftPOS solution in Hong Kong resulted in undeniable excitement for SoftPOS. Banks, payment processors and merchants alike were eager to learn more about this innovative technology. It was clear that SoftPOS had the potential to revolutionize the payments landscape, and I was proud to be a part of this journey.

Understanding Key Terms of SoftPOS

Before diving into the technical aspects of SoftPOS, you need to understand that this technology has been known, and is still known, by different names – CPoC, MPoC, Mobile Tap, Tap on Phone, Tap to Phone, Tap on Mobile, Tap to Mobile.

CPoC (Contactless Payments on COTS) and MPoC (Mobile Payments on COTS) are official terms from the Payment Card Industry (PCI), while the rest were coined by card schemes or the marketing teams of various SoftPOS solution providers. There are some technical differences between the terms, but essentially they all refer to SoftPOS in general, or the transformation of your mobile phone into a payment terminal.

While these acronyms may seem overwhelming, understanding their core meanings is crucial for informed decision-making on your SoftPOS strategy and development.

Differences between SoftPOS and Traditional POS

Many customers are curious about the key differences between SoftPOS and traditional POS (or hardware POS).  Here’s a breakdown:

Transaction Location:  With SoftPOS, transactions happen on the merchant’s mobile phone or COTS device. With traditional POS, transactions occur on a dedicated PCI PTS certified hardware device.

Cost:  Mobile phones are typically cheaper than PCI PTS certified devices, making SoftPOS a cost-effective option for merchants and payment service providers. 

Transaction Types:  SoftPOS currently supports only contactless and PIN transactions whereas traditional POS supports contactless, contact (chip and PIN), and even swipe transactions.

Security: PCI PTS certified POS terminals are considered inherently secure for payment transactions. Mobile phones or COTS devices may raise security concerns due to potential vulnerabilities like developer mode or outdated software, and are not considered safe enough for payment transactions by PCI SSC. How do we make it safe with SoftPOS? SoftPOS solutions address this by using a backend service called an Attestation and Monitoring Server (AM Server). The AM Server monitors the merchant’s mobile phone to ensure it is safe before processing payments.

Data Processing:  In traditional POS, the data from the PCI PTS device may be sent directly to the payment hosts or acquirers for authorization.  However, in SoftPOS, the data from the mobile phone or COTS device first goes to a backend service for data decryption, message formatting or sometimes key translation before reaching the payment host or acquirers for authorization. Regardless of the method, the contactless messages sent to the payment hosts or acquirers for authorization are the same for SoftPOS and traditional POS transactions. 

One last thing to note: Level 3 certification with the payment hosts or acquirers is required for both SoftPOS and traditional POS.

The Future of SoftPOS: The Journey is Far From Over

Looking ahead, I’m incredibly optimistic about the future of SoftPOS. As the technology matures and becomes more widely adopted, we will see even greater benefits for merchants and customers alike. By removing the hardware barrier, we empower individuals and businesses to participate in the digital economy, no matter where they are.

The road to developing, implementing and launching a SoftPOS solution was not, and still is not, an easy one, with many crucial decisions to be made along the way.

Develop in-house or partner with a solution provider?  Work off an SDK or sprint to launch with a white-label solution? How do you integrate SoftPOS into your existing payment infrastructure?  Which certification paths do you go for? 

At MineSec, we can help you make the right choice, so get in touch with us at [email protected].