How payment companies are building SoftPOS solutions on AWS
The need for dedicated card machines (or readers) tied to point-of-sale (POS) systems has historically kept some micro-merchants from adopting electronic payments. New advances in payments technology and standards have led to the development of software point-of-sale (SoftPOS).
SoftPOS is a software-based solution that transforms near field communication (NFC)-enabled smartphones into contactless payment terminals without additional equipment (such as a card reader). Recent cloud-based innovation is further lowering the barrier to accepting payments.
According to Juniper Research, the total number of merchants deploying SoftPOS solutions globally will surpass 34.5 million by 2027, up from six million in 2022. SoftPOS adoption is being driven by the increasing use of contactless payments, with contactless volumes expected to rise from 195 billion in 2022 to 408 billion by 2027.
SoftPOS solutions tap into a previously underserved group of micro-merchants and small businesses. The solutions can help grow merchant acceptance while adding to the portfolio of value-added services these businesses can offer to their customers. The services can also be targeted to specific verticals such as restaurants, taxis, food trucks, and retail.
The portability of SoftPOS devices can help reduce wait times in lines and provide flexible checkout points (for example, curbside or in-aisle). As a result, there is also an opportunity to provide SoftPOS solutions for large retailers and Internet of Things (IoT) players.
What is SoftPOS and how does it work?
SoftPOS is a new technology that allows merchants to accept card payments directly on a commercial off-the-shelf (COTS) device without any additional hardware. The acceptance device is typically a merchant-operated smartphone. The payment can be initiated by a contactless credit card, contactless debit card, or mobile wallet. Because SoftPOS uses only the merchant's mobile device, there is no external reader, so card insertion and swiping are not supported.
The standards for developing and testing a SoftPOS solution are provided in the Payment Card Industry (PCI) Contactless Payments on COTS (CPoC) Program Guide and the accompanying Security and Test Requirements documents. The PCI Software-based PIN Entry on COTS (SPoC) Program Guide covers a software-based approach to protecting PIN entry on a wide variety of COTS devices. The newest PCI standard, Mobile Payments on COTS (MPoC), was published in November 2022; it introduces modularity and new use cases, including support for offline transactions. When a merchant temporarily has poor internet connectivity, they can switch to the system's offline mode and continue accepting payments until connectivity is restored.
SoftPOS is supported by Android and iOS operating systems. In order to accept SoftPOS payments, merchants will need to have:
- A supported device
- A merchant account through their payment processor
- A SoftPOS app which is connected to the merchant account
The first step for a merchant to enable their phone or device to accept payments is to download a dedicated SoftPOS app. The merchant then registers their business and completes merchant onboarding, which includes the know your customer (KYC) and know your business (KYB) processes. Once everything is set up, the merchant opens the SoftPOS app during a purchase and enters the transaction amount. The cardholder taps their contactless card or device against the NFC antenna area of the merchant's device. When the transaction completes, the merchant can send the receipt to the customer by short message service (SMS) or email, or print it with an external printer.
A SoftPOS solution includes the merchant's NFC-enabled mobile device (a COTS device), the SoftPOS application, and the backend environment (which includes an attestation and monitoring service along with payment processing services). We go into further detail about each of these components in the following sections.
SoéPay’s SoftPOS system and why they chose AWS
Based in Hong Kong, SoéPay was founded in 2019 and became a subsidiary of SPECTRA Technologies Holdings Co. Ltd. in 2021. SoéPay aims to enable merchants to accept different kinds of payments in any form and deliver a more robust, secure, and fast one-stop payment experience.
With over 30 years of industry expertise, SPECTRA Technologies Holdings Co. Ltd. (SPECTRA) has established a global presence, delivering top-notch payment terminals, peripherals, and solutions.
As a subsidiary of SPECTRA, SoéPay introduces SoftPOS, an innovative software-based contactless payment solution. By leveraging the power of NFC-enabled Android mobile devices, SoftPOS transforms any Android smartphone or tablet into a secure payment terminal. Offering support for more than 20 payment methods and payment links, SoéPay SoftPOS presents merchants with an economical, all-in-one, and highly secure payment solution.
In 2021, SoéPay launched the first PCI CPoC-compliant SoftPOS solution in Hong Kong. SoéPay's SoftPOS enables the new model of payment acceptance as a service. For example, at the Hong Kong Computer and Communications Festival (HKCCF) 2021, SoéPay SoftPOS recorded a 506% increase in transaction activity during the four-day exhibition, which had 500K attendees.
SoéPay decided to develop their SoftPOS solution on the AWS Cloud because of the range of services available, the cost efficiency, and, most importantly, AWS's compliance with the Payment Card Industry Data Security Standard (PCI DSS).
AWS enabled SoéPay to build a SoftPOS solution that included a payment gateway, terminal management system, and merchant portal in just three months. They achieved PCI DSS compliance in six months, compared with a two-year timeframe in an on-premises environment. In addition, SoéPay reduced approval times for new merchant onboarding to two days. Building on AWS made it possible for SoéPay to reach market faster with a leaner team than in an on-premises environment.
A SoftPOS application reads card data during a payment transaction. All data read is encrypted and sent to the payment gateway for transaction processing. The application also sends attestation data about the COTS device and the application itself to the attestation and monitoring service.
Attestation and monitoring service
The attestation and monitoring service is a critical component of a SoftPOS solution. It continuously monitors the COTS device and the SoftPOS application for vulnerabilities. Real-time data from the device and the application is collected, shared, and analyzed for threats or attacks. Based on the security and management policies, the monitoring system can terminate the payment transaction capability of a merchant payment application if there are signs that the acceptance device has been compromised.
SoéPay provides a SoftPOS attestation and monitoring service which can be deployed on a customer’s cloud.
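The paragraph above describes the monitoring side at policy level. The following is an added example (not SoéPay's attestation and monitoring service) of how a backend might process attestation reports from the Terminal App: it authenticates each report with a per-device key, rejects replays and stale reports, checks the pinned app signature and device-integrity signals, and removes a device's payment capability when an authenticated report fails policy. The report shape, signal names, key scheme and thresholds are all assumptions for illustration.

```python
# Added example (not SoéPay's attestation and monitoring service): server-side handling of the
# Terminal App's attestation reports. Report shape, signals, key scheme and policy are assumptions.
import hashlib, hmac, json

EXPECTED_APP_SIG = "sha256:APP-SIGNING-CERT-DIGEST-PLACEHOLDER"   # pinned at enrolment (placeholder)
MAX_REPORT_AGE_S = 120            # older reports are stale: the device state they describe is unknown
BLOCKING_SIGNALS = {"rooted": "root/jailbreak detected", "debugger": "debugger attached",
                    "hooking": "instrumentation framework present", "emulator": "emulator detected"}

def report_mac(device_key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()   # canonical form
    return hmac.new(device_key, body, hashlib.sha256).hexdigest()

def sign_report(payload: dict, device_key: bytes) -> dict:
    """What the Terminal App would send: payload plus HMAC under its per-device enrolment key."""
    return {"payload": payload, "mac": report_mac(device_key, payload)}

class AttestationMonitor:
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # device_id -> key provisioned at enrolment
        self.suspended = {}              # device_id -> reasons payment capability was removed
        self.seen_nonces = set()

    def evaluate(self, report: dict, now: float):
        """Return (may_transact, reasons). An authenticated report that fails policy suspends the device."""
        p = report["payload"]
        key = self.device_keys.get(p.get("device_id"))
        if key is None:
            return False, ["unknown device"]
        if not hmac.compare_digest(report_mac(key, p), report.get("mac", "")):
            return False, ["report integrity check failed"]   # forged: its identity claim is not acted on
        reasons = []
        if p["nonce"] in self.seen_nonces:
            reasons.append("replayed report")
        self.seen_nonces.add(p["nonce"])
        if now - p["ts"] > MAX_REPORT_AGE_S:
            reasons.append("stale report")
        if p["app_sig"] != EXPECTED_APP_SIG:
            reasons.append("app signature mismatch (repackaged or tampered app)")
        reasons += [why for sig, why in BLOCKING_SIGNALS.items() if p["signals"].get(sig)]
        if reasons:
            self.suspended[p["device_id"]] = reasons
        return not reasons, reasons

    def can_transact(self, device_id: str) -> bool:
        return device_id not in self.suspended

# Constructed sample data: two enrolled devices; the caller builds clean or compromised reports.
KEYS = {"dev-A": b"enrolment-key-A", "dev-B": b"enrolment-key-B"}
def sample_payload(device_id: str, nonce: str, signals: dict, ts: float = 1_700_000_000.0) -> dict:
    return {"device_id": device_id, "nonce": nonce, "ts": ts, "app_sig": EXPECTED_APP_SIG, "signals": signals}
```

A forged report is rejected without suspending anyone, because its device identity cannot be trusted; only reports that authenticate can change a device's transaction capability.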
Payment processing services
The card data read by the SoftPOS app on the COTS device is encrypted and sent to the payment processing services. The payment processing services decrypt the card data and convert the message, typically from JSON, into an ISO 8583 message or another format required by the acquiring processor or payment service provider. Services such as risk management, PIN translation, and notifications are also applied at this stage.
SPECTRA Payment Gateway Services (SPGS), a solution from SoéPay, provides the payment processing services in the SoftPOS solution. SPGS contains serverless and containerized modules ready to be deployed in other AWS Regions for high availability and better performance. It can also be white-labeled to other payment service providers or acquirers.
What companies typically use SoftPOS and what are the benefits?
The main types of companies that can benefit from adopting SoftPOS are:
- Small or micro-merchants and low transaction volume merchants who want a payment solution without expensive payment terminal costs. SoftPOS can be utilized with a less expensive COTS device.
- Large merchants who want a unified user experience (such as payment on delivery, self-checkout, consultative selling, or the ability to process payments for customers waiting in lines).
- POS vendors who want to simplify payments and do not need separate payment terminals. For example, if a retail shop already uses a tablet for checkout, payment can be simplified by integrating the POS with the SoftPOS solution.
SoéPay uses AWS serverless architecture (as shown in Figure 2) to build the SoftPOS solution, enabling it to handle spikes in traffic in a cost-efficient way.
Figure 2: SoéPay Reference Architecture on AWS
Following are the steps that make up the reference architecture:
1. The SoéPay mobile application includes two components, the Merchant App component and the Terminal App component. The Merchant App accepts the end customer’s contactless payment (such as a credit card or digital wallet) through an NFC interface or through a QR code. The Merchant App also supports a SoftPOS KYC and KYB onboarding process and value-added services.
2. The Terminal App checks whether the mobile device is secure or has been hijacked, as part of the attestation and monitoring service.
3. The Terminal App encrypts and initializes the payment transaction. SoéPay uses Amazon API Gateway to create secure REST APIs receiving the payment transactions at scale.
4. AWS Lambda checks whether the session is valid.
5. Amazon DynamoDB stores part of the session information.
6. AWS PrivateLink establishes connectivity between SoéPay’s virtual private clouds (VPCs) and AWS services without exposing data to the internet. Amazon API Gateway can call the network load balancer (NLB) resource in the private subnet without exposing the NLB resource to the public internet.
7. SoéPay runs its microservices on AWS Fargate. AWS Fargate is a serverless, pay-as-you-go compute engine that lets SoéPay focus on building SoftPOS microservices without managing servers.
7.1 The on-premises payment hardware security module (HSM) stores the keys (such as Zone Master Keys (ZMKs)). The HSM validates the derived unique key per transaction (DUKPT) used for each payment transaction, and SoéPay uses it to decrypt the messages encrypted by the Terminal App. Instead of running an HSM on-premises, customers can now run payment cryptographic operations natively on AWS using the newly launched AWS Payment Cryptography, announced on June 12, 2023.
7.2 Amazon Relational Database Service (Amazon RDS) stores payment transactions, including the payment processing status, such as approved or rejected. The end customer can later request cancellation of a payment transaction by its transaction ID.
7.3 SoéPay encrypts the payment transaction’s sensitive data using an encryption key from an on-premises HSM. It converts the transaction message to the format required by the payment processor, such as ISO 8583 format.
8. SoéPay uses a NAT gateway so that the AWS Fargate nodes in the private subnet of the Amazon Elastic Container Service (Amazon ECS) cluster can send encrypted payment transaction messages to the external payment processor. At the same time, external services cannot initiate a connection to those AWS Fargate nodes in the private subnet.
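Steps 7.1 to 7.3 and the "Payment processing services" section above describe the gateway decrypting the Terminal App's message and reformatting it, typically from JSON, into ISO 8583 for the payment processor. The following is an added example of that reformatting step (not SoéPay or SPGS code): a minimal ISO 8583:1987 builder (message type indicator, primary and optional secondary bitmap, fixed and LLVAR data elements) fed from an assumed JSON shape with keys pan, amount, stan, terminal_id and merchant_id; the field subset and values such as the POS entry mode are assumptions, and the card number is a constructed test value.

```python
# Added example (not SoéPay/SPGS code): turn a decrypted SoftPOS transaction, held as JSON,
# into an ISO 8583:1987 request. The JSON keys and the field subset are assumptions.
import json
from decimal import Decimal

# Data elements used: 2 PAN, 3 processing code, 4 amount (minor units), 11 STAN, 22 POS entry
# mode, 41 terminal ID, 42 merchant ID, 70 network management code. "fixed" = exactly `length`
# characters; "llvar" = two-digit length prefix followed by at most `length` characters.
FIELD_SPEC = {2: ("llvar", 19), 3: ("fixed", 6), 4: ("fixed", 12), 11: ("fixed", 6),
              22: ("fixed", 3), 41: ("fixed", 8), 42: ("fixed", 15), 70: ("fixed", 3)}

def build_iso8583(mti: str, fields: dict) -> str:
    """MTI + primary bitmap (+ secondary bitmap when any field > 64) + data elements in order."""
    if len(mti) != 4 or not mti.isdigit():
        raise ValueError("MTI must be four digits")
    present = sorted(fields)
    if not present or present[0] < 2 or present[-1] > 128:
        raise ValueError("data elements must be numbered 2..128")
    bitmap = bytearray(16 if present[-1] > 64 else 8)
    if len(bitmap) == 16:
        bitmap[0] |= 0x80                       # bit 1 announces the secondary bitmap
    body = []
    for n in present:
        kind, length = FIELD_SPEC[n]            # KeyError: field not covered by this example
        value = str(fields[n])
        bitmap[(n - 1) // 8] |= 0x80 >> ((n - 1) % 8)   # bit n, numbered from the MSB
        if kind == "fixed" and len(value) != length:
            raise ValueError(f"field {n} must be exactly {length} characters")
        if kind == "llvar":
            if len(value) > length:
                raise ValueError(f"field {n} exceeds {length} characters")
            value = f"{len(value):02d}{value}"
        body.append(value)
    return mti + bitmap.hex().upper() + "".join(body)

def softpos_json_to_iso8583(payload: str) -> str:
    """Map the gateway's (assumed) JSON transaction to a 0200 financial request."""
    tx = json.loads(payload)
    minor = int((Decimal(str(tx["amount"])) * 100).to_integral_value())   # no float rounding
    # Field 22 "071" = contactless chip read on a PIN-capable terminal (sample value).
    fields = {2: tx["pan"], 3: "000000", 4: f"{minor:012d}", 11: f"{int(tx['stan']):06d}",
              22: "071", 41: tx["terminal_id"].ljust(8), 42: tx["merchant_id"].ljust(15)}
    return build_iso8583("0200", fields)
# Constructed sample: what the gateway holds after decrypting the Terminal App's message.
SAMPLE = json.dumps({"pan": "4111111111111111", "amount": "125.50", "stan": 42,
                     "terminal_id": "TERM0001", "merchant_id": "SOFTPOS-MERCH01"})
if __name__ == "__main__":
    print(softpos_json_to_iso8583(SAMPLE))
```

Field lengths are enforced before the message is assembled, so a malformed or over-long element is rejected at the gateway rather than producing a message the processor parses differently than intended.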
The AWS serverless architecture automatically scales up to handle spikes in traffic and scales down when traffic returns to normal. Figures 3, 4 and 5 show the scalability of the system under the traffic spikes, measured by sales count, during the Hong Kong Computer and Communications Festival (HKCCF) 2021 exhibition and the Hong Kong Consumption Voucher Scheme 2021.
Figure 5: Daily sales count before and after the second Hong Kong consumption voucher was introduced on October 1, 2021
New technologies and capabilities are driving the evolution of physical POS, enabling more businesses around the world to process payments. Several factors will drive the adoption of SoftPOS solutions, including the rise of contactless payments, the diversification of payment form factors, and growing global smartphone usage.
This post summarized the key modules of a SoftPOS solution and how SoéPay used AWS services to turn commercial mobile devices into a secure and scalable SoftPOS platform.
SoftPOS allows small and micro-businesses to accept contactless cards and mobile wallets without installing additional hardware. It is part of the broader trend toward making merchant onboarding and payment acceptance seamless for businesses.
For more information about how to work with AWS and to understand how AWS is supporting payment customers around the world to address payment needs, please contact your AWS Account Manager or visit AWS Financial Services – Payments.
Any discussion of reference architectures in this post is illustrative and for informational purposes only. It is based on the information available at the time of publication. Any steps/recommendations are meant for educational purposes and initial proof of concepts, and not as a full-enterprise solution.
Contact an AWS Representative to design an architecture that works best for your organization.