Wikipedia Draft: SoftPOS

SoftPOS (Software Point of Sale) is a software-based solution that turns a standard smartphone, a Commercial Off-The-Shelf (COTS) device, into a contactless POS terminal. Currently this functionality is available only for Android devices: merchants/sellers download an app from the Google Play store, complete the paperwork with the acquiring bank and begin receiving payments on their personal smartphones and tablets using the device's integrated Near Field Communication (NFC) technology. All of this is accomplished without any additional hardware.

Transactions are then processed, authorized, and reconciled over cellular networks. SoftPOS authorizes all transactions online; offline authorization is not supported because of the applicable security standards. NFC has grown in popularity in recent years. By 2021 all Android phones on the market have NFC capability, allowing them to accept payments. NFC devices can operate in the following modes:
- Contactless reader mode – allows the device to accept SoftPOS payments from wearables, cards and mobile phones.
- Contactless card emulation mode – allows the device to behave as a contactless smartcard in order to make a payment.
- Contactless peer-to-peer mode – allows the device to communicate with another NFC-enabled device.

Where is the NFC chip located and where should the customers tap their card?
SoftPOS purchase transactions require the consumer to hold their card, smartphone, or wearable near the NFC antenna of the acceptance device, which is located on its back side, so that the two devices can communicate with each other. Because the antenna is positioned to work best in 'card emulation' mode (when the phone itself makes a mobile wallet payment), it may sit at the top, centre, or bottom of the device's back side; there is currently no standard location for antenna placement. Some solutions display the contactless symbol on the device's screen, or on a sticker attached to the device, to guide customers to where they should position their card or device to make a payment. SoftPOS and traditional POS terminals also have different read ranges: the maximum distance defined by EMVCo standards for reading a card or mobile wallet on a legacy terminal that is Level 1 approved is 4 centimetres, whereas on a mobile device this can be reduced to two centimetres.

Security standards
Card brands and PCI are in charge of regulating SoftPOS technology, and these organizations collaborate to bring the most secure technology to market. SoftPOS technology provides maximum security by applying EMV security methods in a software environment. SoftPOS providers must provide attestation services covering the operating system, the software and the hardware, monitoring activity on the mobile phone in order to determine whether an attacker is attempting to compromise it. If fraud or suspicious activity is detected, the app on the phone is automatically deactivated. The primary goal of monitoring and attestation is to ensure that the SoftPOS solution's components are secure; these components include the device operating system, the contactless kernel, the POS application, and the backend systems. The ability to detect and respond to anomalies is critical to the overall security of a SoftPOS solution. A SoftPOS app does not store any sensitive data on the mobile phone: the card number, PIN, track 2 data, and other critical and sensitive payment and card data are encrypted immediately when they are entered or read, and remain encrypted at all times.
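The monitoring and attestation decision described above can be illustrated with a small backend policy evaluator. The following is an added example, not code from any SoftPOS vendor, PCI or EMVCo; the report fields, the policy constants (expected app signature, approved kernel versions, maximum patch age) and the two sample reports are assumptions constructed for the illustration. It shows how integrity signals from the COTS device are turned into an allow-or-deactivate decision together with an audit trail of the reasons.

```python
"""Illustrative attestation-policy evaluator for a SoftPOS backend.

Added example; this is not code from any SoftPOS vendor, PCI or EMVCo.
The report schema, the policy constants and the threshold values are
assumptions chosen to show how monitoring/attestation signals from a
COTS device can be turned into an allow-or-deactivate decision with an
audit trail of reasons.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List


@dataclass
class AttestationReport:
    """Signals a COTS device reports to the attestation service (assumed schema)."""
    device_id: str
    os_patch_level: date          # Android security patch level of the device
    bootloader_locked: bool
    root_indicators: List[str]    # e.g. "su binary present", "test-keys build"
    app_signature_sha256: str     # hash of the POS app's signing certificate
    debugger_attached: bool
    hooking_framework_detected: bool
    kernel_version: str           # contactless kernel build reported by the app


@dataclass
class Decision:
    allow: bool                   # True: keep the app active; False: deactivate it
    reasons: List[str] = field(default_factory=list)


# Assumed policy constants; a real backend would load these from configuration.
EXPECTED_APP_SIGNATURE = "PLACEHOLDER-EXPECTED-SIGNING-CERT-HASH"
APPROVED_KERNEL_VERSIONS = {"kernel-2.4.1", "kernel-2.4.2"}
MAX_PATCH_AGE_DAYS = 90


def evaluate(report: AttestationReport, today: date) -> Decision:
    """Return allow=True only when every integrity check passes.

    Every failed check is recorded, so the backend can log why a merchant's
    app was deactivated instead of silently refusing transactions.
    """
    reasons: List[str] = []
    if not report.bootloader_locked:
        reasons.append("bootloader unlocked")
    if report.root_indicators:
        reasons.append("root indicators: " + ", ".join(report.root_indicators))
    if report.app_signature_sha256 != EXPECTED_APP_SIGNATURE:
        reasons.append("POS app signature does not match the approved build")
    if report.debugger_attached:
        reasons.append("debugger attached to the POS app")
    if report.hooking_framework_detected:
        reasons.append("hooking/instrumentation framework detected")
    if report.kernel_version not in APPROVED_KERNEL_VERSIONS:
        reasons.append(f"unapproved contactless kernel {report.kernel_version}")
    if (today - report.os_patch_level).days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"OS security patch level older than {MAX_PATCH_AGE_DAYS} days")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample reports (not real devices).
TODAY = date(2022, 9, 1)

CLEAN_REPORT = AttestationReport(
    device_id="device-0001",
    os_patch_level=date(2022, 8, 5),
    bootloader_locked=True,
    root_indicators=[],
    app_signature_sha256=EXPECTED_APP_SIGNATURE,
    debugger_attached=False,
    hooking_framework_detected=False,
    kernel_version="kernel-2.4.2",
)

TAMPERED_REPORT = AttestationReport(
    device_id="device-0002",
    os_patch_level=date(2022, 1, 5),
    bootloader_locked=False,
    root_indicators=["su binary present"],
    app_signature_sha256="PLACEHOLDER-UNKNOWN-HASH",
    debugger_attached=False,
    hooking_framework_detected=True,
    kernel_version="kernel-2.4.2",
)


if __name__ == "__main__":
    for report in (CLEAN_REPORT, TAMPERED_REPORT):
        decision = evaluate(report, TODAY)
        action = "allow" if decision.allow else "deactivate"
        print(f"{report.device_id}: {action} {decision.reasons}")
```

The design point is that a single failed check is enough to deactivate the app, matching the page's description that detected tampering deactivates the SoftPOS application, while the list of reasons gives the operator something to act on when reviewing the event.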

PCI DSS Standards
The PCI Contactless Payments on COTS (CPoC) certification is required for all SoftPOS technology providers. Using the embedded Near Field Communication (NFC) interface, a CPoC solution enables contactless payment acceptance on a merchant's consumer device. PCI CPoC approval is independent of the card brands, but almost all of them accept PCI CPoC approval as sufficient for security review. PCI is planning to issue a new version of the CPoC specification at the end of 2022, which will support PIN entry on COTS devices (mobile phones, tablets, etc.). Payment brands allow PIN entry in applications for pilot users from certified companies; this is an exemption that the SoftPOS company can request.

The list of PCI CPoC certified solutions is available at: https://www.pcisecuritystandards.org/assessors_and_solutions/cpoc_solutions?agree=true

Software-Based PIN Entry on COTS (SPoC) solutions enable EMV contact and contactless transactions with PIN entry on the merchant's consumer device, using a secure PIN entry application in combination with a physical Secure Card Reader for PIN (SCRP).

What is EMV?
EMV stands for "Europay, Mastercard, and Visa" and is a technical standard for smart payment cards (with chip and PIN) as well as for the payment terminals (POS, mPOS, SoftPOS) and automated teller machines (ATMs) that accept them. EMV certification consists of three levels:
- Level 1 - Refers to the terminal's chip reader and its compliance with the mechanical and electrical protocols in the EMV Chip Specifications, which cover the transfer of data between the terminal and the card, smartphone, watch, or other device used to make a card-based payment. This includes tests to confirm how close the card/device and the reader need to be for information to flow. Card schemes do not require SoftPOS technology providers to hold a Level 1 certificate.
- Level 2 - Contactless Level 2 (L2) certification is concerned with the validation of the software that implements the payment functionality and runs on the Level 1-certified device. This software is referred to as a payment kernel. The contactless payment brands to be supported (e.g. Mastercard/Maestro Contactless, Visa payWave, or American Express contactless) determine which payment kernels are to be implemented. Every SoftPOS technology provider must be certified for Level 2.
- Level 3 - Contactless Level 3 (L3) certification, or brand certification, ensures that the configuration of the software on the devices meets the brand's requirements. Where multiple payment brands are to be supported, all of the respective Level 3 certifications have to be performed.
In brief, Level 1 certification is the responsibility of the device hardware supplier, whereas Level 2 certification is the responsibility of the device software supplier. Level 3 brand certification is formally the responsibility of the acquirer, but the acquirer can delegate it to the merchants or the merchant processor in certain cases.

EMV Kernel
An EMV kernel is a set of functions that provides the processing logic and data required to perform an EMV contact or contactless transaction. The kernel is the part of the terminal payment application that supports EMV functionality, and it is covered by the EMVCo Level 2 approval process.
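The core data handling a kernel performs is parsing the BER-TLV encoded objects a card returns, and, as the security section above notes, keeping sensitive values such as the card number out of anything that leaves the device in the clear. The following is an added example, not code from any real EMV kernel or from EMVCo. The two byte strings are constructed samples: the SELECT response uses the well-known Mastercard AID A0000000041010 with an invented application label, and the record uses the standard test PAN 4111111111111111; the masking rule (first six and last four digits) follows the usual PCI DSS display guidance.

```python
"""BER-TLV parsing of EMV data objects, as an added example.

This is not code from any real EMV kernel or from EMVCo; it shows the data
handling a kernel performs on the TLV-encoded responses a card returns.
The two byte strings below are constructed samples: the FCI uses the
well-known Mastercard AID A0000000041010 with an invented application
label, and the record uses the standard test PAN 4111111111111111.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Tlv:
    tag: str                       # tag as uppercase hex, e.g. "9F38"
    value: bytes
    children: List["Tlv"] = field(default_factory=list)


def _read_tag(data: bytes, i: int):
    """Tag is 1 byte, or more when the low five bits of the first byte are all set."""
    start = i
    first = data[i]
    i += 1
    if first & 0x1F == 0x1F:
        while data[i] & 0x80:      # continuation bytes have bit 8 set
            i += 1
        i += 1                     # last tag byte has bit 8 clear
    return data[start:i].hex().upper(), i


def _read_length(data: bytes, i: int):
    """Short form (< 0x80) or long form (0x81..0x84 followed by that many bytes)."""
    first = data[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported length encoding")
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_tlv(data: bytes) -> List[Tlv]:
    """Parse a sequence of BER-TLV objects, recursing into constructed ones."""
    nodes: List[Tlv] = []
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):  # padding between objects is permitted
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length, i = _read_length(data, i)
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        constructed = (int(tag[:2], 16) & 0x20) != 0   # bit 6 of the first tag byte
        nodes.append(Tlv(tag, value, parse_tlv(value) if constructed else []))
    return nodes


def find(nodes: List[Tlv], tag: str) -> Optional[Tlv]:
    """Depth-first search for the first object with the given tag."""
    for node in nodes:
        if node.tag == tag:
            return node
        hit = find(node.children, tag)
        if hit is not None:
            return hit
    return None


def mask_pan(pan_value: bytes) -> str:
    """Render tag 5A for logs: first six and last four digits only (PCI DSS masking)."""
    digits = pan_value.hex().upper().rstrip("F")   # odd-length PANs are padded with F
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed FCI returned to a SELECT command: 6F template containing the
# DF name (84) and an A5 template with application label (50), application
# priority indicator (87) and a PDOL (9F38) that requests the TTQ (9F66).
SELECT_RESPONSE = bytes.fromhex(
    "6F1E"
    "8407A0000000041010"
    "A513"
    "5008" + "TESTCARD".encode().hex() +
    "870101"
    "9F38039F6604"
)

# Constructed READ RECORD response: 70 template with PAN (5A) and expiry date (5F24).
RECORD_RESPONSE = bytes.fromhex("7010" "5A084111111111111111" "5F2403251231")


if __name__ == "__main__":
    fci = parse_tlv(SELECT_RESPONSE)
    print("AID  :", find(fci, "84").value.hex().upper())
    print("Label:", find(fci, "50").value.decode())
    print("PDOL :", find(fci, "9F38").value.hex().upper())
    rec = parse_tlv(RECORD_RESPONSE)
    print("PAN  :", mask_pan(find(rec, "5A").value))
```

Note that the PDOL (9F38) is a primitive object whose value is itself a list of tag/length pairs, so the parser deliberately does not recurse into it: the 9F66 reference inside it is a request for data, not a data object, and a kernel must read it with a separate routine.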