CPoC, COTS, and MPoC — What's the Difference?
These three terms often appear together in SoftPOS documentation and are easy to confuse because they’re closely related — but each describes a different layer within the same ecosystem.
COTS is the platform, not a payment standard
COTS (Commercial Off-The-Shelf) is simply a mainstream commercial mobile device — a smartphone or tablet sold widely on the market, not dedicated terminal hardware.
COTS is the hardware platform that payment solutions run on. By itself, it doesn’t define how payments work, has no security standard of its own, and doesn’t distinguish between PIN and no-PIN.
COTS answers the question: “Which device?”
CPoC and MPoC: Two standards, one platform
Both CPoC and MPoC are standards that let a COTS device accept contactless payments (NFC). The main difference lies in the level of PIN security.
| CPoC | MPoC | |
|---|---|---|
| Full name | Contactless Payments on COTS | Mobile Payments on COTS (PCI) |
| Also known as | Tap on Phone without PIN | Tap on Phone with PIN |
| PIN support | No | Yes |
| Governing standard | EMV | PCI DSS |
| Transaction limit | Usually capped by local regulation | No limit (with PIN) |
| Implementation complexity | Lower | Higher |
| Best for | Small merchants, low-value transactions | Any size, high-value transactions |
CPoC and MPoC answer the question: “Which payment standard runs on COTS?”
How the three concepts relate
COTS (hardware)
├── CPoC (payments without PIN)
└── MPoC (payments with PIN — PCI standard)
In other words: an iPhone or Android device is COTS. A payment app installed on it can be certified under CPoC or MPoC — or both, depending on the use case.
When to use CPoC, and when to use MPoC?
Choose CPoC when:
- The merchant mainly handles small transactions (below the regulatory no-PIN threshold)
- You want fast onboarding with fewer certification requirements
- Examples: street vending, table-side payment, markets
Choose MPoC when:
- You need to handle transactions of unlimited value
- The environment requires strict PCI DSS compliance
- The merchant is large or has high fraud risk
- Examples: retail chains, financial services, logistics
What are the Big Four using?
Among the four largest state-owned commercial banks, only Vietcombank and Agribank have launched SoftPOS products under their own brand. VietinBank and BIDV had not announced an equivalent solution as of early 2026.
| Bank | Product | Standard | Launch | Notes |
|---|---|---|---|---|
| Vietcombank | VCB Tap to Phone | CPoC → MPoC* | 2023-04-25 | First of the Big Four, supports Visa/MC/JCB/NAPAS |
| Agribank | Agribank SoftPOS | MPoC* | 2025-06-12 | Aimed at household businesses and rural areas |
| VietinBank | (not yet launched) | — | — | A VNPAY partner but no product of its own |
| BIDV | (not yet launched) | — | — | Signed a comprehensive partnership with VNPAY in 10/2022 |
* VNPAY — the technology provider for both banks — earned PCI DSS CPoC certification in December 2022 and upgraded to MPoC in May 2025, renaming the product to PhonePOS.
VNPAY is the shared infrastructure layer
Worth noting: both Vietcombank and Agribank use the VNPAY platform as the underlying technology layer — the banks white-label this solution under their own brands. VNPAY is currently the only Vietnamese company holding both global PCI CPoC and MPoC certifications.
Why don’t VietinBank and BIDV have their own SoftPOS yet?
Both are ecosystem partners of VNPAY (QR Pay, eKYC, digital services) but have not invested in deploying a merchant SoftPOS under the bank’s brand. Merchants of these two banks can access VNPAY PhonePOS directly through VNPAY’s channel rather than through the bank’s app.
Sacombank — not one of the Big Four — was actually the SoftPOS pioneer in Vietnam, launching back in 2020.
The UX perspective
From the end user’s side (the customer), the CPoC/MPoC difference is almost invisible — they just see a “Tap card” screen and may or may not be asked to enter a PIN. But from a flow-design standpoint:
- CPoC: a simpler flow — tap → confirm → done
- MPoC: requires an additional secure PIN-entry screen on the COTS device, ensuring the UX isn’t disrupted when moving to the PIN step
Securing PIN entry on a commercial touchscreen is a significant UX challenge — you need to ensure that bystanders can’t read the PIN while still keeping the experience smooth.
References
- Vietcombank launches VCB Tap to Phone — Dân trí (04/2023)
- VCB Tap to Phone expands Mastercard, JCB, and domestic cards (10/2024) — Vietcombank
- Agribank launches SoftPOS mobile payment solution (06/2025) — Agribank
- Agribank and VNPAY sign digital-transformation partnership (12/2025) — Công an nhân dân
- BIDV and VNPAY sign comprehensive partnership (10/2022) — BIDV
- VNPAY earns the first PCI CPoC certification in Vietnam — VNPAY
- VNPAY earns global MPoC certification, renamed to PhonePOS (05/2025) — Tuổi Trẻ
- Visa and VNPAY strengthen their SoftPOS partnership (06/2024) — Visa Vietnam