When people talk about “L3 certification,” they often treat it as a single, uniform process. It isn’t. EMV Level 3 focuses on validating integration of the acceptance device with its acceptance infrastructure (typically the acquirer/processor host path) — but the overall certification path for a C-TAP hardware terminal is very different from that of an Android SmartPOS or a SoftPOS running on a commercial off-the-shelf device. For traditional terminals, much of the EMV and PCI security burden sits with the terminal vendor. SoftPOS solutions must also satisfy PCI MPoC security and attestation requirements across the app, device, and backend — requirements that are specific to COTS‑based solutions rather than classic PCI PTS terminals. As a result, the scope, responsibility split, test surface, and failure modes differ significantly between these categories.
Understanding those differences isn’t academic. It determines how you architect your payment application, how you allocate certification budget, and how long the process will actually take.
Two Frameworks, One Name
Before comparing platforms, a precision that most teams miss: “L3” means different things depending on the context — and conflating them leads to scoping errors.
EMV L3 (General)
EMV L3 is the final stage of EMV terminal integration testing. It validates the integration between an EMV-approved acceptance device (L1 and L2 already complete) and a specific acquirer host and payment network. Key properties:
- Scheme and acquirer specific — Visa, Mastercard, Amex, and each acquirer define their own L3 test plans using EMVCo-qualified tools under the EMV L3 Testing Framework
- Scope is transaction correctness and brand rules — message mapping and field content (e.g., ISO 8583 or equivalent), reversals, partial approvals, contact and contactless flows, and exception paths
- Repeated per brand and per acquirer — passing Visa L3 does not satisfy Mastercard L3; each connection requires its own certification
C-TAP Terminal Certification
C-TAP is a SEPA-wide (Single Euro Payments Area), multi-brand, multi-acquirer terminal protocol with its own specification and terminal certification procedure, governed centrally by Acquiris — not by individual schemes or acquirers.
- Validates protocol conformance — that the terminal correctly implements C-TAP and the multi-acquirer / multi-brand behavior expected across Dutch, Belgian, and SEPA schemes
- Certified once per terminal type — once a terminal passes C-TAP certification, it can connect to any C-TAP acquirer that supports that version, without repeating the process per acquirer
- Centrally managed — Acquiris runs the program: vendor membership, self-cert plus accredited lab validation, and field acceptance testing (FAT) options
How They Relate
| Aspect | EMV L3 | C-TAP Terminal Certification |
|---|---|---|
| Primary purpose | Validate EMV device–host integration per brand/acquirer | Validate conformance to the C-TAP protocol and multi-brand/multi-acquirer rules |
| Owner / governance | Each payment scheme and acquirer, under EMVCo L3 framework | Acquiris, under the C-TAP specification |
| Protocol focus | EMV app behavior plus host protocol (e.g., ISO 8583 or equivalent) per brand | C-TAP terminal protocol, routing, brand selection, SEPA C-TAP rules |
| Test plans | Brand/acquirer-specific (scheme-defined L3 test plans using EMVCo-qualified tools) | C-TAP certification procedure and test suites managed by Acquiris |
| Repeatability | Required per brand and per acquirer connection | Once per terminal type; reusable across any C-TAP acquirer |
A C-TAP terminal still requires the usual EMV and security prerequisites (e.g., EMV L1/L2 and relevant scheme/security requirements) before deployment. C-TAP certification is a separate, centrally governed conformance program under Acquiris; in practice it standardizes the terminal–acquirer protocol inside the C-TAP ecosystem and can reduce the amount of repeated per-acquirer host-integration testing, but it doesn’t eliminate scheme prerequisites.
C-TAP Traditional Terminals: Certifying Your Configuration
On a traditional C-TAP terminal, the terminal vendor owns the bulk of the certification burden. The EMV L1/L2 kernel, PCI PTS hardware security, and scheme-specific contactless certifications are the vendor’s responsibility — handled before the device reaches you. As the integrator or acquirer, your scope is the host integration layer: validating that the terminal’s transaction flow connects correctly with your acquirer host under the scheme rules you intend to support. For C-TAP specifically, the Acquiris certification program also replaces the need for separate per-acquirer L3 runs across the SEPA C-TAP ecosystem.
What You’re Actually Certifying
You are not certifying the kernel — you are certifying your configuration of it:
- Parameter files and scheme profiles define how the kernel behaves for each card brand
- Terminal Action Codes (TACs) control risk management decisions
- CVM lists, floor limits, and contactless thresholds must be correctly declared and consistent with your environment classification
- The L3 test suite validates that your configuration produces the expected behavior across the required test cases
The kernel behavior is fixed. You configure it; you don’t build it. Integration is constrained but predictable. Fewer degrees of freedom means fewer ways to fail — and a more bounded certification scope.
Where Teams Go Wrong
The typical failure on a C-TAP certification is not a kernel bug. It’s a misconfigured parameter file: a wrong CVM limit, an incorrect TAC, or a mismatch between declared Terminal Type (Tag 9F35) and actual environment. The L3 test tools will find these — but they find them at certification time, which is expensive.
SmartPOS (Android-Based) Terminals: Certifying Your Application
On an Android-based SmartPOS, the L2 kernel may be provided by the manufacturer or a third-party SDK — but your application owns the transaction flow. The L3 certification concept (host integration, scheme compliance) is the same, but the responsibility split changes: the open platform means you own far more of what gets tested.
What You’re Actually Certifying
Your application orchestrates the full EMV sequence:
- Card detection and application selection
- CVM handling and risk management
- Online authorization and completion
- Error handling, fallback, and decline flows
You have more architectural freedom than on a C-TAP terminal — and more certification exposure. L3 test tools don’t just validate your configuration; they probe every decision your application makes.
The Responsibility Shift
On a C-TAP terminal, bugs in the transaction flow are usually the kernel vendor’s problem. On a SmartPOS, they are yours. If your CVM logic is wrong, your application selection is incorrect, or your error handling introduces a non-standard behavior, the L3 test suite will surface it — and you will need to fix it in your code, not in a parameter file.
This is the trade-off: more control over the user experience and transaction flow, but a broader certification scope and longer debugging cycles when something goes wrong.
SoftPOS (COTS-Based): Certifying Two Things Simultaneously
SoftPOS adds a third layer of complexity. SoftPOS runs EMV payment acceptance on a commercial off-the-shelf (COTS) device — a standard Android phone or tablet — without traditional PED hardware for PIN entry, unless you implement a certified PIN-on-COTS solution under PCI MPoC controls.
What Changes
For pure on‑device SoftPOS (no external reader):
- Contactless only — no chip insert, no magnetic stripe on the phone itself
- CVM is restricted — CDCVM and No CVM; no PIN on the device itself without a certified PIN-on-COTS solution under PCI MPoC (and, for legacy programs, SPoC)
- You are certifying against both EMV L3 and PCI MPoC (or PCI CPoC) simultaneously
The PCI MPoC (Mobile Payments on COTS) standard defines security requirements for SoftPOS solutions: software-based PIN entry, attestation, tamper detection, and back-end monitoring. These requirements run in parallel with the EMV L3 certification — they don’t replace it.
The Combined Scope
The attack surface is broader, and the certification scrutiny reflects it:
| Certification | Scope |
|---|---|
| EMV L3 | Transaction flow, CVM behavior, scheme compliance |
| PCI MPoC / CPoC | Software security, PIN protection, attestation, monitoring |
| Scheme approval | Visa Tap to Phone, Mastercard Tap on Phone — each separately |
Passing EMV L3 on a SoftPOS does not mean you are PCI MPoC compliant. Both must be achieved, and the timelines and test labs involved are often different.
The Real Difference
The distinction comes down to what certification is actually measuring on each platform:
| Platform | Certification is about proving… |
|---|---|
| C-TAP | Your configuration is correct |
| SmartPOS | Your application behaves correctly |
| SoftPOS | Your application is correct and your security architecture is sound |
EMV L3 — host integration — exists in all three. What differs is who owns it, what surrounds it, and how much of the total certification burden falls on you.
This matters when you are scoping a project, estimating timelines, or deciding which platform to build on. A team with experience certifying C-TAP terminals will underestimate the effort required for a SmartPOS certification. A team certifying SoftPOS for the first time will almost certainly underestimate the PCI MPoC scope.
Key Takeaways
“L3” is not one thing. EMV L3 is a scheme/acquirer-specific host integration test, repeated per brand and per acquirer connection. C-TAP terminal certification is a separate, Acquiris-governed protocol conformance program — certified once per terminal type and reusable across the C-TAP ecosystem. Conflating them leads to scoping errors.
C-TAP certification is configuration-driven. The kernel is pre-certified by the vendor. Your scope is parameter files, TACs, and CVM lists. Narrower, but precision matters.
SmartPOS certification is application-driven. You own the transaction flow, and the L3 test suite validates your application decisions — not just your settings.
SoftPOS certification is dual-track. EMV L3 and PCI MPoC (and, for legacy programs, CPoC/SPoC) run in parallel. Passing one does not satisfy the other. Budget and timeline accordingly.
Scheme approvals are additive. Visa, Mastercard, and other schemes each have their own approval processes. A terminal certified for Visa does not automatically meet Mastercard requirements, especially for SmartPOS and SoftPOS.
Get the platform decision right early. Changing from SmartPOS to SoftPOS — or between kernel vendors — mid-project means reworking your certification scope from scratch.
Further Reading
- POINT OF SALE SYSTEMS ARCHITECTURE — Volume 1 — the primary reference for terminal architecture, EMV flows, and certification
- EMVCo: What is EMV Level 3 Testing? — the authoritative definition of EMV L3
- EMVCo: EMV Level 3 Testing Framework
- Acquiris: Terminal Certifications — C-TAP certification program and procedure
- Acquiris: C-TAP Specification Highlights (PDF)
- PCI MPoC Standard — PCI Security Standards Council
- Visa Tap to Phone Program Guide
- Mastercard Tap on Phone Solution Requirements
- POS Terminal Environment Classifications — how attended, semi-attended, and unattended environments affect certification scope
- EMV for Developers — EMV fundamentals on this site