Publication Date: April 2023
Today, merchants want to differentiate themselves by providing new experiences for their customers. With Mobile point-of-sale (mPOS) and TapToMobile terminal technology, merchants are able to leverage commercial off-the-shelf (COTS) devices, such as smartphones or tablets, to accept payment and offer new experiences at the point of interaction. However, while similar, mPOS and TapToMobile solutions have different functionality and are governed by different security standards.
In this white paper, the U.S. Payments Forum seeks to educate the payments industry on the value of mPOS and TapToMobile solutions and how they differ from each other and from traditional POS solutions. It also details key Payment Card Industry (PCI) security standards considerations and Level 3 EMV testing requirements and their impacts on implementation.
Traditional POS, mPOS and TapToMobile Comparison
While the basic functionality of traditional POS, mPOS and TapToMobile solutions is similar, the form factors and technology can differ greatly.
- Traditional POS: A traditional POS solution uses a purpose-built device for payment acceptance, which may be tethered or untethered to a countertop. These solutions include payment terminals designed primarily as payment acceptance devices. They typically support magnetic stripe, contact/contactless EMV and PIN entry-based transactions.
- mPOS: An mPOS solution leverages a COTS device, such as a smartphone or tablet, combined with additional hardware components for card reading, PIN entry and receipt printing. These solutions typically support magnetic stripe, contact/contactless EMV and PIN entry-based transactions.
- TapToMobile: A TapToMobile solution, which can also be considered an mPOS, takes advantage of the built-in near field communication (NFC) capabilities of a COTS device (e.g., a smartphone or tablet) and uses it to complete contactless transactions with a card or mobile wallet. Because these solutions leverage consumer-grade devices, they do not contain embedded contact chip and/or magnetic stripe readers, which means that they can only complete contactless transactions.
It’s important to note that, as with a traditional POS solution, PIN entry can also be supported on mPOS and TapToMobile solutions. PIN entry on an mPOS device can be handled via a physical PIN pad, which is connected through a cable or wirelessly to the COTS device. However, unlike traditional POS solutions, the touchscreen on the COTS device can be used as a digital PIN pad for mPOS and TapToMobile solutions. Terms such as “PIN on Glass,” “PIN on Mobile” or “PIN on COTS” may be used somewhat interchangeably in the market.
PCI SSC Considerations
The PCI Security Standards Council (PCI SSC) publishes data security standards for solutions that enable merchants to accept payments using a terminal, smartphone, tablet or other NFC-enabled COTS device. So far, three mobile security standards have been published: Contactless Payment on COTS (CPoC®), Software-based PIN Entry on COTS (SPoC®), and Mobile Payments on COTS (MPoC™).
- CPoC: CPoC is a PCI SSC standard that is designed for secure payment acceptance for emerging payment channels. CPoC can currently only accept contactless transactions with non-PIN cardholder verification methods (CVMs) without additional hardware (e.g., adding a PIN pad or external card reader).
- SPoC: PCI SSC has also published the SPoC standard to support the COTS device itself accepting PIN entry without the need for an external PIN pad device. This solution must include a PCI SSC PTS-certified card reader and a COTS device running a PCI SSC SPoC-certified PIN acceptance application.
- MPoC: PCI SSC recently released a new mobile standard, MPoC. This new standard builds on the existing CPoC and SPoC standards. The goal for MPoC is to create a security standard that is objective-based and modular and can be used for a wide range of payment acceptance channels with different verification methods. Please note that MPoC is currently out of scope for this white paper but is included as a placeholder for possible future updates.
- Pilot Software Solutions: During PCI SSC’s development of the CPoC, SPoC and MPoC standards, payment networks have run pilots of each solution type with acquirers. These pilots were approved to be implemented with processes as close as possible to business-as-usual (BAU), within the limitations of the devices; for example, the same functional and security laboratories that test traditional POS solutions have been used to test pilot solutions to manage usability, interoperability and risk. Once a relevant PCI SSC standard is published, a solution developer has a set amount of time to have their solution reviewed, approved and listed by PCI SSC.
Level 3 (L3) Testing and Certification
L3 is an end-to-end EMV certification between a merchant and a card brand and is related to the actual software application running on a device and its connection to the acquirer. L3 checks the integrity of the payment chain by testing every type of possible transaction that the payment acceptance device is capable of. Currently there are no features unique to mPOS that require a special L3 testing and certification test case.
For example, aside from using different values, no special EMV card authentication method (CAM)/offline data authentication (ODA) test cases are needed for mPOS. L3 testing and certifications leverage existing contact and/or contactless test cases. Please note, however, that the message format may include unique indicators that are required to identify mPOS activity; this may vary from processor to processor and by payment network.
During the L3 intake process, it is important to know whether the EMV certification will be for an mPOS or TapToMobile solution. Due to subtle differences between an mPOS and a TapToMobile solution, stakeholders must be aware of any applicable indicators that would need to be included in EMV authorization transactions.
Note: The information in this document does not replace payment networks’ specific policies and guidelines for deploying mPOS and TapToMobile terminals. Payments industry stakeholders are advised to consult with their acquirers, processors and payment networks for additional information, policies and guidelines for deploying mPOS and TapToMobile solutions.
If you are a member, the white paper can be downloaded from the members-only page here: https://protected.uspaymentsforum.org/introduction-to-mpos-and-taptomobile-solutions/
Please note: The information and materials available on this web page (“Information”) is provided solely for convenience and does not constitute legal or technical advice. All representations or warranties, express or implied, are expressly disclaimed, including without limitation, implied warranties of merchantability or fitness for a particular purpose and all warranties regarding accuracy, completeness, adequacy, results, title and non-infringement. All Information is limited to the scenarios, stakeholders and other matters specified, and should be considered in light of applicable laws, regulations, industry rules and requirements, facts, circumstances and other relevant factors. None of the Information should be interpreted or construed to require or promote the establishment of any solution, practice, configuration, rule, requirement or specification inconsistent with applicable legal requirements, any of which requirements may change over time. The U.S. Payments Forum assumes no responsibility to support, maintain or update the Information, regardless of any such change. Use of or reliance on the Information is at the user’s sole risk, and users are strongly encouraged to consult with their respective payment networks, acquirers, processors, vendors and appropriately qualified technical and legal experts prior to all implementation decisions.