CPoC, COTS, and MPoC — What's the Difference?

These three terms often appear together in SoftPOS documentation and are easy to confuse because they’re closely related — but each describes a different layer within the same ecosystem.

COTS is the platform, not a payment standard

COTS (Commercial Off-The-Shelf) is simply a mainstream commercial mobile device — a smartphone or tablet sold widely on the market, not dedicated terminal hardware.

COTS is the hardware platform that payment solutions run on. By itself, it doesn’t define how payments work, has no security standard of its own, and doesn’t distinguish between PIN and no-PIN.

COTS answers the question: “Which device?”


CPoC and MPoC: Two standards, one platform

Both CPoC and MPoC are standards that let a COTS device accept contactless payments (NFC). The main difference lies in the level of PIN security.

CPoCMPoC
Full nameContactless Payments on COTSMobile Payments on COTS (PCI)
Also known asTap on Phone without PINTap on Phone with PIN
PIN supportNoYes
Governing standardEMVPCI DSS
Transaction limitUsually capped by local regulationNo limit (with PIN)
Implementation complexityLowerHigher
Best forSmall merchants, low-value transactionsAny size, high-value transactions

CPoC and MPoC answer the question: “Which payment standard runs on COTS?”


How the three concepts relate

COTS (hardware)
  ├── CPoC (payments without PIN)
  └── MPoC (payments with PIN — PCI standard)

In other words: an iPhone or Android device is COTS. A payment app installed on it can be certified under CPoC or MPoC — or both, depending on the use case.


When to use CPoC, and when to use MPoC?

Choose CPoC when:

  • The merchant mainly handles small transactions (below the regulatory no-PIN threshold)
  • You want fast onboarding with fewer certification requirements
  • Examples: street vending, table-side payment, markets

Choose MPoC when:

  • You need to handle transactions of unlimited value
  • The environment requires strict PCI DSS compliance
  • The merchant is large or has high fraud risk
  • Examples: retail chains, financial services, logistics

What are the Big Four using?

Among the four largest state-owned commercial banks, only Vietcombank and Agribank have launched SoftPOS products under their own brand. VietinBank and BIDV had not announced an equivalent solution as of early 2026.

BankProductStandardLaunchNotes
VietcombankVCB Tap to PhoneCPoC → MPoC*2023-04-25First of the Big Four, supports Visa/MC/JCB/NAPAS
AgribankAgribank SoftPOSMPoC*2025-06-12Aimed at household businesses and rural areas
VietinBank(not yet launched)A VNPAY partner but no product of its own
BIDV(not yet launched)Signed a comprehensive partnership with VNPAY in 10/2022

* VNPAY — the technology provider for both banks — earned PCI DSS CPoC certification in December 2022 and upgraded to MPoC in May 2025, renaming the product to PhonePOS.

VNPAY is the shared infrastructure layer

Worth noting: both Vietcombank and Agribank use the VNPAY platform as the underlying technology layer — the banks white-label this solution under their own brands. VNPAY is currently the only Vietnamese company holding both global PCI CPoC and MPoC certifications.

Why don’t VietinBank and BIDV have their own SoftPOS yet?

Both are ecosystem partners of VNPAY (QR Pay, eKYC, digital services) but have not invested in deploying a merchant SoftPOS under the bank’s brand. Merchants of these two banks can access VNPAY PhonePOS directly through VNPAY’s channel rather than through the bank’s app.

Sacombank — not one of the Big Four — was actually the SoftPOS pioneer in Vietnam, launching back in 2020.


The UX perspective

From the end user’s side (the customer), the CPoC/MPoC difference is almost invisible — they just see a “Tap card” screen and may or may not be asked to enter a PIN. But from a flow-design standpoint:

  • CPoC: a simpler flow — tap → confirm → done
  • MPoC: requires an additional secure PIN-entry screen on the COTS device, ensuring the UX isn’t disrupted when moving to the PIN step

Securing PIN entry on a commercial touchscreen is a significant UX challenge — you need to ensure that bystanders can’t read the PIN while still keeping the experience smooth.


References