Author: David Henshaw
Since the introduction of PCI device security in April 2014, bringing a new payment device to market has required navigating one of the most complex and costly certification pathways in fintech. Traditional card machines, whether countertop, portable, Android‑based, or Linux‑based, require PCI PTS certification, payment application development, and acquirer or processor accreditation. This process is expensive, slow, and often highly repetitive, especially when the same software must be ported across multiple hardware variants or different payment kernels (set of specific EMV software functions that manage the interaction between a payment terminal and a chip enabled card or mobile wallet during a transaction).
But SoftPos (or Tap‑to‑Pay) is now reshaping that landscape. As PCI MPoC (Mobile Payments on COTS - Commercial Off-The-Shelf devices) matures and the UK contactless limit changes, SoftPos is becoming a lower‑friction route to market for both device manufacturers and payment solution providers.
Bringing a traditional payment terminal to the market can be high friction
Launching a PCI PTS (PIN Transaction Security) payment terminal requires multiple layers of effort:
1. Payment application development & tailoring
A payment app must be created, and often customised per device type, per OS version and kernel. Changes, however small to the transaction flow can result is fresh testing cycles with the acquirer or payment processor.
2. PCI PTS hardware certification
PCI PTS certification is rigorous and costly. Manufacturers must certify:
The physical security of the device
The tamper detection mechanisms
The secure keypad
Cryptographic key handling components
This certification is device‑specific, meaning that each new model or form factor triggers a new certification cycle.
3. Payment application accreditation with acquirers/payment processors
Even when acquirers support “family” kernel accreditations, the reality is that:
Many acquirers certify a specific kernel + a specific payment application version + a specific hardware model.
Moving the same application onto a different device typically requires a new approval cycle, whether a full accreditation including card scheme approvals or a smaller set of proving tests for the acquirer.
This increases cost of ownership for providers wanting to scale across multiple merchant demographics, geographies or device families.
Could SoftPos Reduce Friction?
SoftPos runs on COTS (Commercial Off-The-Shelf) devices i.e. your own mobile phone, typically an Android or iOS smartphone, removing the requirement for a PCI PTS device.
SoftPos solutions must comply with:
PCI MPoC (Mobile Payments on COTS) the current PCI standard.
PCI CPoC (Contactless only Payments on COTS) the previous PCI standard.
PCI DSS (PCI Data Security Standard)
Once a SoftPos solution is certified with an acquirer or processor, the software can theoretically run on any compatible device without requiring hardware recertification.
Could we see Non-PCI PTS Hardware Freedom on Scale?
Manufacturers and providers can now design Card Terminal-like hardware for retail, hospitality, mobility or delivery use cases without needing PCI PTS certification of the hardware itself.
As long as the device runs a certified SoftPos application, the manufacturer bypasses:
PCI PTS certification
Kernel-by-kernel accreditations
Acquirer device-specific certifications
This could radically lower the time-to-market for new propositions once a SoftPos app has been approved by an acquirer or payment processor.
What is Holding SoftPos Back Today? Friction in Authentication
The main constraint on SoftPOS adoption has historically been consumer authentication requirements for transactions above the contactless limit or when SCA (Strong Customer Authentication) is needed.
UK Contactless Today:
The FCA has removed the contactless cap of £100 allowing banks and payment providers to set their own limits, however most have retained it.
On SoftPos, this presents challenges because not all transactions can be completed via a simple tap.
Some SoftPos solutions in the UK now provide fall back options for these scenarios including PIN on Glass entry (the PIN is entered onto the touch screen of the device after the contactless tap), where the card issuer has enabled (not all cards in the UK are currently enabled). Or some providers/acquirers/processors have enabled face to face eCommerce transactions whereby a QR code can be displayed to the cardholder if the card being used cannot complete the transaction using PIN on Glass. In this scenario the card holder can scan the QR code with their device and be taken to a hosted payment page to make payment online (and typically using 3DS as the SCA).
March 2026: Flexibility in Contactless Limits
From March 2026, banks and payment providers have the control over contactless limits as the £100 contactless cap was removed by the FCA.
Whilst at present most high-street banks have decided to retain the £100 cap, in the future banks could allow higher contactless limits and therefore there would be less reliance on PIN on Glass or face to face eCom options.
If higher limits roll out and as issuer support for Pin on Glass grows, the friction that previously slowed SoftPos adoption will reduce.
Will Manufacturers Shift From PCI PTS to SoftPos‑First Solutions?
If friction in SoftPos reduces, could we see a shift in the coming years towards a SoftPos first hardware proposition:
1. A rise in SoftPos‑native hardware ecosystems
Terminals that look like card machines, but are not PCI PTS certified devices.
2. Lower cost of entry for solution providers
Acquirer accreditation occurs once per SoftPos solution and not per kernel or device range. This could be not only in attended, but also unattended payment scenarios.
3. Quicker Go To Market and Launch of New Solutions
New models can launch without the PCI PTS certification and per kernel or device type accreditation.
Conclusion
SoftPos is not an alternative to traditional card machines today. While friction exists in specific authentication scenarios, changes to UK contactless limits and the growing maturity of PIN on Glass are accelerating its viability, but it will not replace traditional card terminals just yet. SoftPos is a good complimentary solution working alongside a card terminal for queue busting and where businesses have bricks and mortar as well as on the move payment needs
For manufacturers and solution providers, faster routes to market, lower certification costs, and greater hardware flexibility via SoftPos First solutions, could in the near future, offer a fundamentally lower‑friction path than PCI PTS‑certified terminals. But we are not there today. Time will tell if higher contactless limits are embraced by consumers.