Yes, PIN entry transaction is an optional configuration of SoftPOS. If PIN entry is supported, a PIN CVM App is required as part of the SoftPOS solution. Please note that SoftPOS with PIN entry is now currently managed separately by the schemes as pilots, separate approval is required.

No, Standard SoftPOS supports Android only now. iOS cannot be supported as the NFC interface on iPhone is not opened yet as NFC reading device.

PCI CPoC is now the certification program for SoftPOS. For all new SoftPOS implementations, the SoftPOS product used has to be evaluated and certified against the PCI CPoC security requirements. The PCI CPoC evaluation is performed by any accredited PCI CPoC laboratory. The contactless kernels used in a SoftPOS solution will need to have Contactless L2 certifications as well. L3 certification would be the last step before roll-out. L3 is an end-to-end testing, it is similar to the existing L3 testing for traditional POS. At the moment, EMV L1 certification is not required for softpos product.

No. It is not necessary to have the back-end attestation & monitoring server hosted together with the transaction server. Most of the time, there are separated indeed. The back-end attestation & montoring server is used to monitor the health status of the softpos application and the device. It won’t touch the card data and transaction information, payment processing will still be the job of the transaction server. As such, it is not required to host the A&M Server together with the transaction server. In some countries, it is regulated that the transaction information has to stay within the countries and thus the transaction server has to be hosted locally. Since the A&M server doesn’t store and handle any transaction information data, the local hosting regulation doesn’t apply generally.

No. The A&M server possess the COTS and Application health data only. No card holder and transaction data should be transmitted to the A&M Server.

If the phone OS is updated, the impact will depend on if the update will affect the security features of the SoftPOS. If it leads to the changes of the SoftPOS security features, the SoftPOS will be required to have a PCI CPoC delta evaluation or full re-evaluation. Therefore, it is wise to select a SoftPOS SDK solution where its security features are immune to the update of OS.