
Tap to Pay and SoftPOS let your colleagues take card payments on standard smartphones. That means faster queues, cheaper kit and checkout anywhere on the shop floor.
The risk is simple: you are handling sensitive card data on off-the-shelf phones. Security needs to be built in, run every day and easy to prove to partners.
Work closely with your suppliers. Agree up front:
- Who does what, and when
- What proof of testing you will accept
- How updates roll out, and how you handle emergencies like a lost device or a bad release
Track it all in a shared supplier portal so nothing slips. End-to-end governance platforms such as Retail Express help formalise responsibilities and timelines, from SDK upgrades to emergency revocations, so your team stays in control.
Start with the standard, then build your playbook
Build your SoftPOS programme around PCI’s Mobile Payments on COTS (MPoC). MPoC unifies the older SPoC and CPoC schemes and explains how to secure contactless acceptance and, where applicable, PIN on the same device, using everyday phones. Choose a solution designed and validated against MPoC. It reduces technical risk and clarifies what suppliers must prove before going live. The PCI Security Standards Council’s MPoC overview sets out the objectives and public listings; reference it directly in supplier contracts and change control.
Write a playbook that stores can run
Once the baseline is set, create a simple operating playbook for store teams. Keep it practical:
- Device hand-out and return each shift
- What to do if a device is lost
- How to spot and report a tamper alert
- Who to call when a payment fails
Treat the phone like a cash drawer: tightly controlled, always accounted for, and never left unlocked.
Lock down the handset and the app
Think in layers. Use device attestation and jailbreak or root detection that blocks use, not just warns. Keep the OS and firmware up to date through MDM, restrict each device to an approved app list, and turn off screen capture during payment sessions. Add runtime checks for emulator use, debugger attach and overlay attempts. If you take payments on iPhone, Apple’s Tap to Pay security model explains how sessions are protected and how on-device PIN is assessed, which is useful for frontline and audit teams.
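As an added illustration of the layered approach above (example code written for this page, not code from the article, Apple, Google or any SDK vendor): the acquiring back end only trusts the device's runtime signals after it has verified the attestation report, and it then applies a deny-by-default policy in which any failed layer blocks the session rather than warning. The HMAC key, the minimum OS versions, the approved app id com.example.softpos, the report field names and the nonce lifetime are all assumptions; a real deployment would verify the platform attestation provider's asymmetric signature instead of a shared HMAC key.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret standing in for the attestation provider's signing key.
# Real attestation (Play Integrity, App Attest) uses an asymmetric signature;
# HMAC is an assumption that keeps this example runnable offline.
ATTESTATION_KEY = b"constructed-demo-key-not-for-production"

# Policy inputs: assumed values for the example, not figures from the page.
MIN_OS_VERSION = {"android": (13, 0), "ios": (17, 0)}
APPROVED_APPS = {"com.example.softpos": "1.4.2"}  # hypothetical app id -> approved version
NONCE_TTL_SECONDS = 120


class AttestationError(Exception):
    pass


def issue_nonce(nonce_store):
    """Server issues a fresh nonce per payment session so a captured report cannot be replayed."""
    nonce = secrets.token_hex(16)
    nonce_store[nonce] = time.time()
    return nonce


def _canonical(report):
    # Stable serialisation so device and server sign exactly the same bytes.
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report):
    """Stand-in for the attestation provider signing the device's posture report."""
    return hmac.new(ATTESTATION_KEY, _canonical(report), hashlib.sha256).hexdigest()


def verify_report(report, signature_hex, nonce_store, now=None):
    """Check signature and nonce freshness before trusting any field of the report."""
    now = time.time() if now is None else now
    expected = sign_report(report)
    if not hmac.compare_digest(expected, signature_hex):
        raise AttestationError("bad signature")
    issued = nonce_store.pop(report.get("nonce"), None)  # single use: pop, never get
    if issued is None or now - issued > NONCE_TTL_SECONDS:
        raise AttestationError("nonce unknown, reused or expired")
    return report


def posture_decision(report):
    """Deny by default: every failed layer blocks the session; reasons feed the tamper log."""
    reasons = []
    if report.get("rooted_or_jailbroken"):
        reasons.append("rooted/jailbroken")
    if report.get("emulator"):
        reasons.append("emulator")
    if report.get("debugger_attached"):
        reasons.append("debugger attached")
    if report.get("overlay_detected"):
        reasons.append("screen overlay active")
    if not report.get("screen_capture_blocked", False):
        reasons.append("screen capture not disabled")
    platform = report.get("platform")
    os_version = tuple(report.get("os_version", (0, 0)))
    if platform not in MIN_OS_VERSION or os_version < MIN_OS_VERSION[platform]:
        reasons.append("OS below minimum")
    if APPROVED_APPS.get(report.get("app_id")) != report.get("app_version"):
        reasons.append("app not on approved list")
    return (len(reasons) == 0, reasons)


def authorise_session(report, signature_hex, nonce_store, now=None):
    """Returns (allowed, reasons). Attestation failure is itself a block, not a warning."""
    try:
        verified = verify_report(report, signature_hex, nonce_store, now)
    except AttestationError as exc:
        return (False, [f"attestation failed: {exc}"])
    return posture_decision(verified)
```

The order matters: the signature is checked before the nonce is consumed and before any posture field is read, so a tampered report never reaches the policy, and a replayed report fails on the single-use nonce even though its signature is still valid.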
Data protection that survives the real world
Encrypt end to end, from the contactless read through tokenisation to the gateway. Keep keys in hardware-backed keystores wherever the device supports them. Do not store sensitive payment data on the handset, and make sure logs never contain PANs, track data or PINs. If you allow offline mode, cap ticket values and counts, record a clear reason code, and force a sync as soon as connectivity returns. These boundaries are operational as well as technical, so include them in training and monitor them through exception reports.
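Two of the boundaries above are easy to state and easy to get wrong in practice: keeping PANs, track data and PINs out of logs, and capping offline mode. The following is an added example written for this page (not code from the article or any payment SDK) showing a logging filter that redacts Luhn-valid PANs, track 2 data and PIN fields before a line is written anywhere, and a store-and-forward queue that enforces a ticket cap, a count cap and a mandatory reason code, then flushes as soon as connectivity returns. The cap values, the field names and the idea that the queue holds only an opaque issuer cryptogram are assumptions for the example.

```python
import logging
import re
from dataclasses import dataclass, field
from decimal import Decimal

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 equivalent data: PAN '=' expiry, service code, discretionary data.
TRACK2_RE = re.compile(r"(?<!\d)\d{13,19}=\d{4,}")
# PIN or PIN block written as key=value or key: value.
PIN_RE = re.compile(r"(?i)\b(pin(?:[_ ]?block)?)\s*[=:]\s*\S+")


def luhn_ok(digits):
    """Luhn check so long order or parcel numbers are not mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text):
    """Drop track data and PINs outright; mask Luhn-valid PANs down to the last four digits."""
    text = TRACK2_RE.sub("[TRACK2 REDACTED]", text)
    text = PIN_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)

    def mask(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # not a card number, leave the reference intact
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_RE.sub(mask, text)


class PanRedactingFilter(logging.Filter):
    """Attach to every handler so nothing reaches disk or a SIEM unredacted."""

    def filter(self, record):
        record.msg = redact(record.getMessage())  # format first, so %s arguments are covered too
        record.args = ()
        return True


@dataclass
class OfflineQueue:
    """Store-and-forward within caps. Holds only the issuer cryptogram, never PAN or PIN."""
    max_ticket: Decimal = Decimal("30.00")  # assumed caps, not figures from the page
    max_count: int = 10
    pending: list = field(default_factory=list)

    def accept(self, amount, cryptogram, reason_code):
        """Returns True if the transaction may be approved offline, False if it must wait for connectivity."""
        if not reason_code:
            raise ValueError("offline approval needs a reason code")
        if amount > self.max_ticket or len(self.pending) >= self.max_count:
            return False  # over cap: decline offline, retry online
        self.pending.append({"amount": amount, "cryptogram": cryptogram, "reason": reason_code})
        return True

    def sync(self, upload):
        """Call as soon as connectivity returns; flushes every pending record and returns the count."""
        sent = 0
        while self.pending:
            upload(self.pending.pop(0))
            sent += 1
        return sent


# Constructed wiring for a store device: every handler gets the filter.
handler = logging.StreamHandler()
handler.addFilter(PanRedactingFilter())
logging.getLogger("softpos").addHandler(handler)
```

The Luhn check is what makes the filter usable in a real shop: without it a 16-digit order or parcel reference in the same log line would be masked and the line would become useless for support. Redaction is applied in the filter rather than at each call site so that a developer who forgets cannot leak a PAN through a debug message.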
Make supplier collaboration your control centre
SoftPOS touches multiple third parties: app developers, payment SDK vendors, acquirers and device OEMs. Without structure, security becomes a chain of assumptions. A disciplined supplier collaboration model keeps everyone honest:
- Publish acceptance tests and MPoC scope in the supplier portal, with evidence templates suppliers must complete before release.
- Collect penetration-test summaries, SBOMs and vulnerability disclosures on a set cadence, and track remediation to closure.
- Coordinate OS deprecations, SDK end-of-support and forced upgrade dates with clear store-comms packs.
- Maintain a store-level rollout dashboard so lagging devices trigger reminders and are quarantined if needed.
Operational essentials
- Unique logins, short session timeouts and rapid remote wipe for lost devices.
- Private cellular or segmented Wi‑Fi with client isolation; unknown SSIDs blocked.
- Staged rollouts with the ability to pause and roll back if telemetry spikes.
- A simple incident script covering device quarantine, acquirer notification and rapid credential rotation.
Prove you’re in control
In the UK, partners expect you to show that card acceptance is both safe and resilient. Do not just promise it; keep evidence you can point to.
UK Finance’s guidance for retailers on contactless acceptance sets clear expectations for how you operate and communicate during outages and for higher-value transactions. Build those expectations into store drills and supplier SLAs, then practise them. Run the scripts, test the fallbacks, and record what happened. When partners check, you can show that your rehearsals match the real checks they will make.