Implementing a SoftPOS app requires attention to many critical success factors. SoftPOS technology brings enormous opportunities in the payment business, but a SoftPOS solution can fail if it is not planned and implemented in the right way. Success factors include correctly defined project goals, payment scheme relationships, a well-defined project plan, and risk management.
In this article, we identify the critical factors to consider when implementing a SoftPOS app. The first step is SoftPOS vendor selection. SoftPOS is a new technology and there are not many SoftPOS vendors in the market. It is of utmost importance to understand the capabilities of the SoftPOS solution.
1. Does SoftPOS Vendor have EMV Level 2 Kernel certifications?
EMV is a payment standard managed by EMVCo (www.emv.com). EMV Level 2 kernel certification is mandatory to launch a SoftPOS app. The solution should be certified for all EMV contactless kernels needed in the project, so check that the SoftPOS vendor has the right certifications. Payment schemes have modified their existing EMV specifications for SoftPOS, so a traditional EMV kernel certification may not be sufficient for a SoftPOS app. You need to check which payment scheme has which specifications. For example, Visa has the Tap to Phone specification specifically for SoftPOS. Similarly, MasterCard has Tap on Phone. You need to check the version of the specification, and whether there is any sunset date or deadline for existing specifications.
2. Does SoftPOS SDK provide an extensive set of APIs to give all flexibility to POS applications?
The SoftPOS app should be designed with different business and technical needs in mind. The SoftPOS SDK provided by the SoftPOS vendor should expose all the APIs the POS application requires. Incorrect or insufficient APIs may prevent the POS application from implementing various functions. For example, in specific markets, the EMV kernel needs to give control to the POS application during application selection and after reading EMV payment data, so that the POS application can perform certain functions. A lack of flexibility in the SoftPOS SDK may require re-certification of the EMV L2 kernel, costing a lot of money and time.
3. Does SoftPOS App support the different market and business needs?
There is an increasing number of POS systems and applications due to the various needs of different market segments and regions. For example, restaurant and hotel businesses require different transaction types and user experiences in the POS application. From the market perspective, the U.S. market has some additional requirements compared with Europe and other markets. The U.S. market requires POS app developers to implement special application selection logic for U.S. Common Debit to support domestic debit networks. The European market, on the other hand, has other regulations such as Strong Customer Authentication (SCA). All these requirements call for modified transaction flows, which the SoftPOS SDK should support.
SoftPOS SDK needs to support different business and market requirements.
4. Is SoftPOS SDK designed based on a Cloud EMV Kernel?
Downloading the EMV kernel application and EMV configurations to mobile phones and maintaining them there may bring significant operational and technical overhead. It is difficult to push different versions of EMV configuration files and maintain all these files on mobile devices. A small change to an EMV parameter requires updating all mobile phones in the field. Hosting the EMV kernel in the cloud eliminates this overhead. In the cloud solution there is no need to download EMV parameters and EMV payment applications to mobile phones. A cloud EMV kernel makes it easy to change EMV parameters, and the changes take immediate effect. It is straightforward to maintain and manage EMV config files and EMV kernel releases.
5. Does SoftPOS SDK provide EMV transaction data to troubleshoot issues?
As SoftPOS is a new technology, issues are quite possible during the EMV L3 certification, pilot, and production phases. For example, an incorrect EMV parameter may cause transaction declines, or incorrect transaction data sent to the acquirer may result in online declines.
The ability to see complete EMV data and transaction APDUs, together with real-time transaction monitoring, would significantly help to fix transaction issues immediately. Hardware-based EMV kernels may not be able to provide this kind of extensive data. However, it is possible to offer it with a SoftPOS SDK. If the vendor supports a cloud-based EMV kernel, all EMV data will always be stored in the cloud, giving a significant advantage in monitoring and troubleshooting.
6. Does SoftPOS SDK seamlessly adapt to existing POS applications?
POS solutions in the market are managed by Terminal Management Systems (TMS). TMS performs operations such as application management, EMV configuration management, and transaction management. SoftPOS SDK should provide APIs to adapt to existing TMS systems quickly. For example, POS vendors may want to maintain EMV configuration with their current TMS system. APIs provided by the SoftPOS SDK should make it very easy to define EMV parameters and assign them to terminal groups.
7. Does SoftPOS SDK easily adapt to POS Terminal Management Systems?
SoftPOS SDK should provide APIs to easily adapt to existing TMS systems. For example, a POS vendor may want to maintain EMV configuration with their existing TMS system. APIs provided by the SoftPOS SDK should make it very easy to define EMV parameters and assign them to terminal groups.
8. Are all CVM methods supported by SoftPOS SDK?
Different markets have different CVM (cardholder verification method) requirements. While the European market mandates PIN, the U.S. market doesn’t support it currently. In the U.S., signature is a preferred method, along with CD CVM. The SoftPOS vendor should ensure that the solution supports all CVM methods, including PIN, signature, and CD CVM.
9. Does SoftPOS vendor provide web portals to manage EMV configuration?
EMV parameters are very complex binary parameters. These parameters have a lot of bits and meanings inside them. In the current hardware-based EMV kernels, these parameters are generally managed in XML or text files.
SoftPOS technology brings great opportunities here, because EMV parameters can be defined in web UIs. This will eliminate the risk of incorrect parameters, and it will give users the ability to change parameters quickly when there is an issue.
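To make the "bits and meanings" concrete, here is an added example (not taken from any vendor's portal or SDK) of the kind of check such a UI can run: it decodes the Terminal Transaction Qualifiers (tag 9F66), a 4-byte bit field used by EMV contactless kernels, checks the CVM flags against a market, and reports which flags a configuration change turns on or off. The per-market rules are an assumption derived from the CVM section above, with "PIN" mapped to the online PIN flag; the function names and sample values are constructed.

```python
# TTQ (tag 9F66) flags: name -> (byte index, bit mask). Byte 4 and unlisted bits are ignored here.
TTQ_FLAGS = {
    "mag-stripe mode supported": (0, 0x80),
    "EMV mode supported": (0, 0x20),
    "EMV contact chip supported": (0, 0x10),
    "offline-only reader": (0, 0x08),
    "online PIN supported": (0, 0x04),
    "signature supported": (0, 0x02),
    "ODA for online authorizations supported": (0, 0x01),
    "online cryptogram required": (1, 0x80),
    "CVM required": (1, 0x40),
    "offline PIN supported (contact chip)": (1, 0x20),
    "issuer update processing supported": (2, 0x80),
    "consumer device CVM supported": (2, 0x40),
}

# Assumption: CVM flags each market needs, following the article's CVM section.
MARKET_CVM = {
    "EU": ["online PIN supported"],
    "US": ["signature supported", "consumer device CVM supported"],
}

def decode_ttq(hex_value: str) -> set:
    raw = bytes.fromhex(hex_value)
    if len(raw) != 4:
        raise ValueError("TTQ must be exactly 4 bytes")
    return {name for name, (i, mask) in TTQ_FLAGS.items() if raw[i] & mask}

def missing_cvm(hex_value: str, market: str) -> list:
    """CVM flags the market needs that this TTQ value does not set."""
    flags = decode_ttq(hex_value)
    return [flag for flag in MARKET_CVM[market] if flag not in flags]

def diff_ttq(old_hex: str, new_hex: str) -> dict:
    """Flags a configuration change would enable or disable."""
    old, new = decode_ttq(old_hex), decode_ttq(new_hex)
    return {"enabled": sorted(new - old), "disabled": sorted(old - new)}

if __name__ == "__main__":
    # Constructed sample values, not from a real terminal profile.
    print(sorted(decode_ttq("26004000")))
    print(missing_cvm("20000000", "US"))
    print(diff_ttq("26004000", "22004000"))
```

A one-bit edit (`26` to `22` in the first byte) silently removes online PIN support, which is the kind of mistake that is easy to make in a raw XML or text file.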
10. Is SoftPOS SDK compliant with PCI CPOC?
PCI CPOC certifications are given to the entire POS application. The POS vendor should go through a new CPOC certification after integrating with the SoftPOS app. For this reason, the POS vendor should ensure that the SoftPOS SDK meets all PCI CPOC requirements. It is crucial to get full support from the vendor during the certification process, as most of the certification requirements apply to the SoftPOS SDK.
11. Does Vendor have PCI Certifications?
SoftPOS vendor should be certified for:
- PCI DSS
- PCI P2PE
You should ask the vendor whether they hold all these certifications themselves or whether their solution meets these certification requirements by integrating with another vendor.
12. How does SoftPOS vendor manage acquirer and other keys?
SoftPOS vendors should clearly define how they onboard acquirer keys and encrypt the account and PIN data. This process should be compliant with PCI P2PE and PCI CPOC requirements. The solution should ensure the security of acquirer keys and any other keys. Any leakage during key management and key injection processes will cause huge security issues and loss of trust in the market.
SoftPOS vendors should also clearly define how they manage relationships with acquirers to obtain keys securely through accepted key exchange processes. The solution should implement key exchange procedures according to PCI and Visa rules.
13. Payment scheme relationships
Mastercard, Visa, Amex, and Discover have defined modified EMV kernel specifications to address the SoftPOS business case. They have also updated their certification processes. It is crucial to know payment scheme specifications and procedures and get the necessary support during various project phases.
14. Acquirer integration and EMV Level 3 Certification requirements
For SoftPOS technology, payment schemes have defined new data fields to send to the acquirer in the authorization message. This requires an enhancement of the existing acquirer integration and a repeat of EMV Level 3 certification tests. At the beginning of the project, the SoftPOS vendor should discuss the integration process with the acquirer and ensure both sides commit enough resources. The acquirer and the vendor need to obtain the required EMV L3 tools for the certification.
15. SLA agreement
Unlike traditional POS systems, the SoftPOS app requires cloud services for various operations such as monitoring transactions, attestation controls, EMV configuration management, and the EMV kernel. These services require defined SLAs to meet the needs of merchants.
16. Maintenance and support
As SoftPOS is a new technology, unexpected issues may arise during the SoftPOS app implementation. An issue might need only a simple fix, or it might need massive changes, such as a requirement to repeat EMV L2 certification or EMV L3 certification, a missing security requirement, and so forth. It is crucial to ensure that the SoftPOS vendor will fix any issues and repeat certification if required. It is also essential to get full support from the vendor during the certification process.
17. Merchant onboarding experience
Merchants will have a different onboarding experience when activating the SoftPOS app on their mobile phones. In the hardware POS business, POS terminals arrive in the merchant’s hands already installed and delivered in a secure way. For SoftPOS, however, merchants need to download the app from the app store, and they may be concerned about the authenticity of the POS software. There should be a mechanism, provided by the SoftPOS vendor or implemented by the POS system, to guide merchants step by step. POS customer service should give merchants the best possible support during this new process.