8th Feb 2022: This article was originally written before Apple announced their Tap-to-Phone solution, so much of it is written from an Android context. However, the rules and regulations from PCI and the card schemes surrounding such solutions still apply to iOS; I just expect Apple to take a more closed-loop approach than what is currently available on Android.
SoftPOS technology can turn most modern smartphones into a contactless payment terminal, but this innovation is not simply a step forward from the hardware we use today.
Traditionally, a payment terminal at a Point of Sale is a dedicated piece of hardware, approved by the PCI Security Standards Council as a PIN Transaction Security (PTS) Point of Interaction (POI) device. Its job is to securely collect data from a payment card and the cardholder’s PIN and send this data, encrypted, to the retailer’s payment provider to process the transaction.
What started as fairly standard payment terminals with a small screen, rubber-buttoned keypad and plugged into the till has become feature rich with Bluetooth and Wi-Fi connectivity, high-definition touch screens and cameras. Some terminal manufacturers have gone bigger for a more interactive experience with customers, while some have gone smaller for taking payments on the go.
While that hardware evolution was taking place, innovators in the industry realised that almost everyone already has a device with cameras, Bluetooth, Wi-Fi, a high-definition touch screen and NFC in their pocket: their mobile phone. Enter SoftPOS.
“SoftPOS” is colloquially what the industry calls “Contactless Payments on Commercial Off-The-Shelf devices” or CPoC for short. In 2019, after years of pilot schemes from these innovators dating back to 2014, the PCI Security Standards Council defined a standard for taking contactless payments from any piece of hardware that does not need to be approved as a payment terminal (PTS POI). This means any phone, tablet, watch, kiosk, taxi, TV or fridge, could be used to make a contactless payment provided the software running on that device is compliant with PCI’s CPoC standard — there are a few caveats to that though which we’ll come on to later.
When you tap your card on a payment terminal, the card draws a small amount of power from the terminal's field by electromagnetic induction. That is enough for the chip on the card to power up, process commands and respond to them, then power down again, all within the few hundredths of a second that the card is in range. The same process is in play with CPoC, except that the field comes from the phone's own NFC controller rather than the reader built into a payment terminal.
This brings us to the first hurdle: the NFC controllers in phones were never designed to read cards. Firstly, they are rarely as strong as the reader in a payment terminal. For a payment terminal to be PTS POI approved it must be able to read a card from about 5cm within 100ms. Neither of those values is mandated for CPoC solutions, and even a high-end phone is more likely to read a card from about 2cm within 500ms. So it is far more likely that when you tap your card on a phone it will not read first time and you will be asked to tap again. Secondly, do you know where the NFC antenna is on your phone? Could you walk up to a shop assistant and tap your card within 2cm of the antenna on a phone you have never seen before?
NFC antennas are almost always on the back of the phone, usually in the top half, but not always in the middle. Google publish some helpful schematics of their Pixel devices, but for most manufacturers it is harder to find the exact spot.
I am also only really talking about phones, because not many other devices have NFC controllers, not even most tablets.
Unfortunately, there’s no silver bullet here — the software providers need a good understanding of the hardware their solution works best on (and assume the retailer doesn’t put the device in a case or cradle), retailers need to know where the NFC hotspot is on their phones, and customers need to be told or shown where that spot is every time. In most real-world pilots, the most effective method has been for the shop assistant to take the customer’s card and tap it for them.
The crux of the CPoC standard is to ensure that the software is designed to be secure, very secure, which is tough because operating systems on mobile phones are certainly not secure — they get jailbroken/rooted, you can plug them into your laptop and see all the processes that are running, see what’s in memory, install any app from anywhere created by anyone that’s not been vetted by anyone. All this means the CPoC software must live in its own secure panic room, watching through its monitors for anyone snooping around outside. And what if someone replaces your panic room’s live camera feed with a pre-recorded video, obscuring their attack?
In software terms, this means doing a lot of checks, doing checks on the code that does the checks, and checking that the checks have been done; every risk to the software probably needs at least two layers of protection. So that means checking for debuggers, jailbroken or rooted devices, code that has been modified since it was built, hooking frameworks, and operating system versions with known vulnerabilities. The list goes on.
Of course, what any unscrupulous individual is after is your card data, so CPoC software must use strong cryptography, and all keys must be exchanged securely. Most payment devices use a method called DUKPT, Derived Unique Key Per Transaction. Every transaction is encrypted with a different key, derived inside the device from an initial key injected at set-up and a transaction counter, so the key for a given transaction is never transmitted: the device sends its Key Serial Number (a device identifier plus the counter) alongside the ciphertext, and the payment provider re-derives the same key from its Base Derivation Key. I won't go into the details of the algorithms here, but suffice to say there are keys derived from keys, encrypted by other keys, encrypted by other keys, and so on.
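To make the "keys derived from keys" structure concrete, here is an added illustration of the DUKPT key hierarchy. It is not code from the article or from any CPoC product, and it is not the ANSI X9.24 algorithm: HMAC-SHA256 stands in for the standard's non-reversible key generation step and for its TDES/AES encryption, and the BDK, KSN and track data are constructed values. What it does reproduce is the shape of the scheme: a Base Derivation Key (BDK) held only by the payment provider, an Initial Key (IPEK) unique to each device, a transaction key derived from the set bits of a 21-bit counter so that a used key can be erased without losing the ability to derive later ones, the X9.24 rule of skipping counters with more than ten one-bits, and the host re-deriving the key from nothing but the KSN sent with the ciphertext.

```python
"""Structural illustration of DUKPT (Derived Unique Key Per Transaction).

HMAC-SHA256 replaces the X9.24 block-cipher derivation and encryption steps; all
keys and card data below are constructed for the example, not real material.
"""
import hashlib
import hmac

COUNTER_BITS = 21      # X9.24 KSN: 59-bit initial key serial number + 21-bit counter
MAX_SET_BITS = 10      # X9.24 skips counter values with more than ten one-bits


def prf(key: bytes, data: bytes) -> bytes:
    """One-way derivation step (stand-in for the standard's keyed cipher construction)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def split_ksn(ksn: bytes) -> tuple[bytes, int]:
    """Return (initial KSN with the counter bits cleared, 21-bit transaction counter)."""
    assert len(ksn) == 10
    value = int.from_bytes(ksn, "big")
    mask = (1 << COUNTER_BITS) - 1
    return (value & ~mask).to_bytes(10, "big"), value & mask


def derive_ipek(bdk: bytes, initial_ksn: bytes) -> bytes:
    """Initial key for one device: injected once at set-up, never stored by the host."""
    return prf(bdk, b"IPEK" + initial_ksn)


def derive_transaction_key(ipek: bytes, counter: int) -> bytes:
    """Walk the set bits of the counter from the most significant down. Each step derives
    a child key from the parent using the counter prefix seen so far, so the key for
    counter n depends only on the IPEK and the bits of n, never on the key for n-1."""
    key = ipek
    for bit in range(COUNTER_BITS - 1, -1, -1):
        if (counter >> bit) & 1:
            prefix = counter & ~((1 << bit) - 1)      # counter with lower bits cleared
            key = prf(key, b"TXN" + prefix.to_bytes(3, "big"))
    return key


def next_usable_counter(counter: int) -> int:
    """Advance the counter, skipping values with too many set bits (bounds derivation work)."""
    counter += 1
    while bin(counter).count("1") > MAX_SET_BITS:
        counter += 1
    if counter >= 1 << COUNTER_BITS:
        raise RuntimeError("DUKPT counter exhausted; the device needs a new IPEK")
    return counter


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream encryption keyed by the transaction key (X9.24 uses TDES/AES)."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += prf(key, b"KS" + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Terminal:
    """Device side. A real device keeps a table of future keys and never stores the IPEK
    or a used transaction key; that register is omitted here for brevity."""

    def __init__(self, ipek: bytes, initial_ksn: bytes):
        self.ipek = ipek
        self.initial_ksn = int.from_bytes(initial_ksn, "big")
        self.counter = 0

    def encrypt(self, card_data: bytes) -> tuple[bytes, bytes]:
        self.counter = next_usable_counter(self.counter)
        key = derive_transaction_key(self.ipek, self.counter)
        ksn = (self.initial_ksn | self.counter).to_bytes(10, "big")
        return ksn, keystream_xor(key, card_data)    # key is dropped when this returns


def host_decrypt(bdk: bytes, ksn: bytes, ciphertext: bytes) -> bytes:
    """Payment provider side: stores only the BDK; everything else comes from the KSN."""
    initial_ksn, counter = split_ksn(ksn)
    key = derive_transaction_key(derive_ipek(bdk, initial_ksn), counter)
    return keystream_xor(key, ciphertext)


# Constructed values: the KSN follows the X9.24 sample layout, the BDK is made up.
BDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
INITIAL_KSN = bytes.fromhex("FFFF9876543210E00000")


def demo() -> dict:
    terminal = Terminal(derive_ipek(BDK, INITIAL_KSN), INITIAL_KSN)
    track2 = b"4111111111111111=2512101"              # constructed, not a real card
    ksn1, ct1 = terminal.encrypt(track2)
    ksn2, ct2 = terminal.encrypt(track2)
    return {
        "counter1": split_ksn(ksn1)[1],
        "counter2": split_ksn(ksn2)[1],
        "same_plaintext_differs": ct1 != ct2,
        "host_round_trip": host_decrypt(BDK, ksn1, ct1) == track2
        and host_decrypt(BDK, ksn2, ct2) == track2,
    }


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is in `derive_transaction_key`: because each key is derived top-down from the IPEK along the counter's bit pattern, the device can erase a key the moment a transaction is sent, and an attacker who dumps the device's memory afterwards gets neither that key nor the IPEK. The host, holding only the BDK, walks the same path from the KSN it received.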
CPoC solutions can choose to perform their secure cryptography in two main ways: inside a hardware Trusted Execution Environment (TEE) on the device, or inside a software-only white-box cryptography implementation bundled with the app.
Both of these have their advantages and disadvantages.
Not all devices have a TEE, so we are now restricting our available hardware from "anything" to devices with a strong NFC reader, and then to devices with a TEE (realistically only the high-end devices, such as the Samsung Galaxy range). And if a weakness is found in a TEE's implementation, replacing the phone once the manufacturer has fixed it may be the only remedy. But TEEs do offer strong protection that is proven and continually tested by white-hat hackers and security researchers.
White-boxes, on the other hand, offer a completely software-based approach, meaning they can be installed on any device, and if a security issue is found they can be replaced through a software update. The downside is that PCI consider these less secure than TEEs, and to mitigate that, white-boxes need to be rebuilt with new cryptographic material every month, which means a software update every month.
The COVID-19 pandemic has led to changes in contactless payment limits in Europe and across the world. In the UK, the contactless transaction limit was £30 pre-pandemic, then became £45, and will soon become £100. This value is always a trade-off between customer experience and risk: everyone would rather not enter their PIN, until they realise that a stolen card can be used up to that limit without any form of verification from the thief.
If a retailer needs a traditional payment terminal to collect any payment over £100, there’s little value in using a SoftPOS solution. So if I want to buy my next car on SoftPOS, it needs to become as unlimited as any card terminal.
There are two ways to do that. Firstly, support Apple/Google/Samsung Pay. This is no different in a SoftPOS solution than in a traditional payment terminal, and today it is a trivial exercise that I won't go into here. But not everyone uses these methods and not all cards can be added to Apple Pay, so we are going to need to use a card and PIN.
Now we start seeing Olympic numbers of hurdles.
Hurdle 1: If you're in the UK, you've probably never used your PIN on a contactless payment, and that's because the UK is an "offline PIN" country. This means your PIN is checked by your card and not by your bank: when you change your PIN it's changed on your card, and when you exceed your maximum number of PIN attempts it's the card that has been counting. In a contactless transaction you tap your card and then take it away, so if you had to enter your PIN you would have to tap the card again after the PIN so the card can check it. Researchers have also identified several risks with verifying offline PINs on contactless cards.
It will take time for this to change. Each card is issued with an online and/or offline PIN capability, so not only do the schemes and banks need to agree and implement the capability, they also need to replace all their customers' cards.
Hurdle 2: CPoC doesn’t allow a customer to enter their PIN, it explicitly forbids it. At the time of writing, there is a standard for “Software PIN on Commercial Off-The-Shelf devices”, or SPoC for short. This defines how a PIN can be securely captured on a phone’s screen instead of a traditional hardware terminal. However, the PIN and card data must be combined to process the payment, and PCI have yet to formally define how that’s done. So if someone wants to implement SPoC, they need to use a hardware terminal to read the card data still (Square Reader is an example of this). This isn’t the end of the story though, the major card schemes (Visa and MasterCard) do have their own pilot schemes which allow a CPoC solution with PIN entry called Tap-to-Phone, and the PCI standards to allow this will follow.
Hurdle 3: I think I can guess the code…
This seems like a problem that wouldn’t affect a phone, but research has shown that it’s possible to identify a code entered into a phone from fingerprints and general grime on the phone screen. The fact that every customer and therefore PIN is different mitigates this somewhat, but what about the phone’s camera? It’s pointing right at the customer and their hand. And did you know it’s possible to tell where on the screen someone touches based on the data from the phone’s gyroscope? Or that just because you can’t see an app on screen doesn’t mean it cannot pick up touches on your screen? A SoftPOS solution must prevent or mitigate all of these.
Hurdle 4: Accessibility. Accessibility is critical in any public setting and a solution that doesn’t allow the partially sighted to enter their PIN isn’t going to achieve mass adoption. Digital wallets like Apple Pay go a long way to solving this with fingerprint and facial recognition in place of a PIN, but that’s not available to everyone. Some SoftPOS solutions use a scrambled keypad to mitigate the gyroscope/camera risk, but good luck entering your PIN if you cannot see the keypad or where any of the numbers are on that keypad. Coming up with a solution that handles both accessibility and security well is a challenge.
As of today (8th February 2022), only Android phones support this, because their open nature allows any app developer to read data from the NFC controller. However, Apple are not far behind on iOS: today they announced that the 2020 acquisition of Mobeewave is coming to fruition and "Tap-to-Phone" will be rolled out in the US later in 2022.
Apple will use the phone’s secure element as the TEE, but it’s unclear how much of the security and processing will be done by Apple themselves and how much will be up to merchants and payment processors. If it’s anything like the existing Apple Pay solution for consumers then the effort will be light touch for both, with Apple taking care of the compliance side of things on the device.
This solution is likely to still be a fairly closed loop, with Apple controlling much of the experience, but will presumably be available for merchants to adopt with their chosen payment provider once said provider can accept Tap-to-Phone payment requests.
Android remains an open platform that doesn't offer a Tap-to-Phone solution out of the box, so it's up to developers to implement the full solution themselves. It's a lot of work, but it does maintain a level of competition amongst developers in this area, which will promote further innovation.
Existing terminal manufacturers will not be troubled yet — they are all into the software game anyway and will roll out their own solutions if the SoftPOS concept really takes off, and chip-and-PIN and swipe transactions are still common across the world.
They are busy making their terminals fancier, using the Android operating system to make it easier for Point of Sale providers and retailers to run their own software on a terminal, easier to install, operate and monitor etc. All this reduces the gap between a traditional terminal and mobile phone or tablet, making them more appealing to larger retailers who would want to buy dedicated devices anyway — they aren’t going to be using their employees' personal phones like a small business might.
So where will SoftPOS go from here?
PCI will certainly publish the standard for CPoC solutions with a PIN, making rolling out solutions more standardised. Online PIN will become more ubiquitous (replacing offline PIN, and other mechanisms such as signatures still popular in the US). Device manufacturers are considering the implications of SoftPOS on their hardware design (NFC chips on the front, stronger NFC, more manufacturers taking up TEE).
SoftPOS is a fascinating innovation, questioning the terminal manufacturers' place in the industry and challenging the status quo, but it also highlights how difficult it can be to shift the payments landscape. As legacy methods begin to fade (cash, swipe) we start to see the next generation of payments being ushered in (digital wallets, Buy-Now-Pay-Later schemes, Open Banking). Phones, tablets and other devices can all take part in that next generation, but in the current generation, with so much legacy remaining, it's an uphill battle to win over retailers who want to serve as many customers as possible with the quickest and most reliable payment experience they can offer; every customer with cash, every tap that fails, every time the customer needs to enter a PIN but can't, is a potentially lost customer.
SoftPOS may find it fits as a way of bringing card payments to smaller businesses that thought it was too hard or complicated — a plumber who relies on bank transfers only, a market stall relying on cash, the gig economy.
Or maybe the technology will find a different home outside of brick-and-mortar stores: your small business's banking app, so your bank can let you take card payments right from within their app. Or your favourite online shopping app, so you can tap your card on your own phone to pay when you check out your basket rather than entering card details or setting up an account.
If you’re looking for SoftPOS solutions in the market, you can head to the PCI Security Standard Council website for CPoC approved solutions:
https://www.pcisecuritystandards.org/assessors_and_solutions/cpoc_solutions
Or look at the Visa Ready program for a list of Tap-to-Phone approved solutions:
https://partner.visa.com/site/programs/visa-ready/tap-to-phone.html
Engineer and Architect in FinTech. https://www.linkedin.com/in/palmerd/