Home Home / Insights / Blog

EU Payment Modernisation: What Android POS Hardware Must Support in 2026

2026-07-02    Author : ZCS

The European Union's payment regulatory landscape has been in sustained motion for the better part of a decade. PSD2 — the Second Payment Services Directive — came into full enforcement in 2019 and introduced Strong Customer Authentication as a mandatory transaction security layer. The EMV migration that followed card fraud surges across European markets is now complete in most member states, but the certification requirements it entrenched remain rigorous. GDPR imposes data handling obligations on every device that touches customer payment information. And PSD3, the third iteration of the Payment Services Directive, is advancing through the EU legislative process with hardware-relevant implications for open banking and SCA exemption frameworks.
For hardware buyers — whether ISVs building EU-market payment applications on an open SDK Android POS architecture, distributors supplying terminal fleets to European merchants, or procurement teams standardising hardware across EU member states — these regulatory developments translate into a specific, auditable hardware compliance floor. A terminal that meets the floor operates legally and can be certified by EU acquirers. One that does not may process transactions but exposes the merchant, the acquirer, and the ISV to regulatory and financial liability.
This guide maps the EU hardware compliance requirements in technical terms, explains what each regulation demands at the device level, and identifies the procurement decisions that determine whether a terminal fleet is EU-ready before it ships.

 

Pos terminal support EMV

 

1. PSD2 and Strong Customer Authentication: The Hardware Layer


What SCA requires and why it is a hardware question

Strong Customer Authentication, defined in Article 97 of PSD2 and elaborated in the European Banking Authority's Regulatory Technical Standards (RTS on SCA), requires that electronic payment transactions be authenticated using at least two of three independent factors: something the customer knows (PIN, password), something the customer has (a card, a device), and something the customer is (a biometric). For in-person card transactions at a POS terminal, SCA is implemented through the EMV chip-and-PIN flow — the chip provides the "something you have" factor, the PIN provides the "something you know" factor.
The hardware implication is direct: a POS terminal operating in the EU must support PIN entry as a transaction authentication method. This means either an integrated PIN pad on the terminal itself, or a connected external PIN Entry Device (PED). Contactless-only terminals without PIN support cannot satisfy SCA for transactions above the contactless limit.

The European Banking Authority's SCA technical standards define the contactless transaction exemption: contactless payments below €50 (or the equivalent in local currency for non-euro EU member states) are exempt from SCA under Article 11 of the RTS, provided the cumulative contactless spend since the last SCA does not exceed €150 and the number of consecutive contactless transactions since the last SCA does not exceed five. Above either threshold, SCA is required — meaning the terminal must be capable of collecting PIN when the exemption ceiling is reached.
SCA contactless threshold compliance: EU POS terminals in 2026 must support PIN entry for transactions exceeding the €50 contactless SCA exemption or when the cumulative €150 / five-transaction ceiling is reached. Confirm the terminal includes an integrated PIN pad or a certified external PED to prevent SCA non-compliance at the point of transaction.


SCA and SoftPOS: the emerging hardware configuration

SoftPOS — the use of a GMS-certified Android terminal's NFC controller to accept contactless card payments without a separate hardware payment reader — is an increasingly adopted configuration in EU markets. The European Payments Council's guidelines on SoftPOS deployment and EMVCo's Software-Based PIN Entry on COTS (SPoC) specification define the security framework under which SoftPOS can satisfy SCA requirements.
SoftPOS with PIN on Glass — where the customer enters their PIN directly on the merchant's Android device touchscreen — requires the terminal to hold a SPoC certification, which involves security evaluation of the PIN entry isolation from the Android OS. This is a hardware-level certification: the terminal's secure element or trusted execution environment must be evaluated and approved. A GMS-certified Android terminal does not automatically hold SPoC certification; the two are independent. Confirm both for terminals intended to run SoftPOS with PIN support in EU markets.

 

2. EMV Certification in the EU: What the Requirements Actually Cover


The three-layer EU EMV certification structure

EMV certification in the EU operates across three layers, each with distinct requirements and certification bodies:
EMVCo Level 1 certifies the physical and electrical interface between the terminal and the card — the hardware layer. An L1 certification is issued for a specific terminal hardware configuration: a change to the NFC antenna, card reader mechanism, or PIN pad hardware requires re-certification.
EMVCo Level 2 certifies the payment application running on the terminal — the transaction flow, data processing, and cryptographic operations. An L2 certification is issued for a specific application version; a software update that changes payment flow logic requires re-certification.
Scheme-level certification (Visa, Mastercard, Maestro, American Express, UnionPay International, and domestic EU schemes including Cartes Bancaires in France, Girocard in Germany, Bancomat in Italy, and others) validates that the certified hardware and application work correctly within each network's specific implementation of EMV. A terminal may hold EMVCo L1 and L2 but still require separate certification from each payment scheme before a European acquirer will connect it.For reference, ZCS's Z90 handheld terminal holds PCI PTS 5.x, EMV Contact Terminal L1 & L2, EMV Contactless Terminal L1, Visa payWave, Mastercard PayPass, and UnionPay certification — illustrating the layered certification stack a fully compliant handheld device carries across hardware, application, and scheme levels.
The procurement implication: when a vendor claims "EMV certified," confirm which of these three layers the certification covers, which schemes are included, and whether domestic EU schemes relevant to the target deployment market are among them. A terminal certified for Visa and Mastercard but not for Cartes Bancaires cannot be deployed at French merchants without a significant certification gap.

 

 


Domestic EU scheme requirements by market

Several EU member states operate domestic debit and payment schemes that maintain independent certification requirements alongside the international card networks:

  • ● Germany: Girocard (formerly ec-cash) is the dominant domestic debit scheme, processed through the Deutsche Kreditwirtschaft infrastructure. Girocard certification requires terminal approval through a German banking association process separate from Visa/Mastercard certification.

  • ● France: Cartes Bancaires (CB) is the domestic scheme covering the majority of French bank-issued debit cards. CB certification requires terminal approval through the Groupement des Cartes Bancaires.

  • ● Italy: Bancomat is the domestic ATM and debit network with POS acceptance requirements. PagoBancomat certification is required for terminal acceptance of Italian debit cards.

  • ● Netherlands: iDEAL, while primarily an online payment method, is extending into POS contexts. Terminal support for iDEAL QR at physical checkout is an emerging requirement for Dutch merchant deployments.

According to the European Central Bank's payment statistics, domestic scheme transactions account for a substantial share of card payment volume in Germany and France — markets where a terminal without domestic scheme certification will decline a material proportion of customer cards.
EMV certification scope for EU deployment: EU POS terminals require EMVCo L1/L2 certification plus scheme-level approval from all relevant networks — including domestic schemes (Girocard, Cartes Bancaires, Bancomat) in addition to Visa and Mastercard. Confirm scheme coverage explicitly for each target member state before deployment.

 

3. GDPR and POS Hardware: Data Handling Obligations at the Device Level


What GDPR means for terminal hardware configuration

The General Data Protection Regulation applies to any processing of EU residents' personal data — which in a POS context includes cardholder name, card number (PAN), transaction history, and any loyalty or identity data collected at the point of sale. GDPR's hardware-relevant implications cluster around three areas: data minimisation at the device level, data residency for cloud-connected terminals, and data retention and deletion capability.
Data minimisation requires that terminals process only the personal data necessary for the transaction. A terminal that logs full PAN data locally — rather than a truncated token — is processing more data than necessary for its function and creates unnecessary GDPR exposure. Confirm that the terminal's payment application implements PAN tokenisation at the device level and that local storage does not retain unmasked card data beyond the transaction session.
Data residency is the requirement most frequently overlooked in hardware procurement. Cloud-connected POS terminals that transmit transaction data to a backend server must ensure that data is stored within the EU or in a country deemed adequate by the European Commission under Article 45 GDPR. A terminal whose TMS or payment application backend is hosted exclusively in a non-adequate third country — without a Standard Contractual Clause arrangement — is processing EU residents' data in violation of GDPR's transfer restrictions, and the hardware configuration that enables that transmission is part of the compliance chain.
Data deletion capability requires that the terminal can be wiped of all stored personal data when a merchant offboards, when a terminal is decommissioned, or when a data subject exercises their right to erasure. A terminal without a verified factory reset function that removes all application data — not just the user-visible data — cannot be reliably compliant with GDPR Article 17.
GDPR data handling for EU POS terminals: cloud-connected POS terminals processing EU cardholder data must implement PAN tokenisation at device level, route data to EU-resident or GDPR-adequate backends, and support verified full data deletion on decommission. Be mindful of confirming TMS backend data residency if you plan to deploy cloud-connected terminals in EU member states or markets with GDPR territorial scope.


The terminal as a GDPR data processor

Under GDPR's controller-processor framework, the entity operating the POS terminal is typically the data controller (the merchant), while the hardware vendor, ISV, and acquirer operate as data processors. The hardware vendor's data processing obligations — including security measures under Article 32 and data breach notification under Article 33 — apply to any personal data that passes through or is stored on the terminal.
For hardware buyers evaluating EU-market terminals, this means requesting the vendor's Data Processing Agreement (DPA) and confirming that the DPA covers the specific data processing activities the terminal performs. A vendor that cannot produce a GDPR-compliant DPA is not a viable hardware partner for EU deployment, regardless of the terminal's technical specifications.

 

4. Contactless Payment Hardware: The EU Limit Landscape in 2026


Contactless limits by member state

The EU does not mandate a single contactless transaction limit; the EBA's SCA RTS sets a €50 per-transaction ceiling for the EEA; issuers may set lower thresholds but not higher; non-euro markets apply the local-currency equivalent, and post-Brexit UK sets its own limit independently of the RTS. As of 2026, the limits vary:
 

Member State Contactless Limit (SCA exempt)
Germany €50
France €50
United Kingdom* £100
Netherlands €50
Italy €50
Spain €50
Poland 100 PLN (≈€23)
Sweden 400 SEK (≈€35)

*United Kingdom is not an EU member state and is not subject to the SCA framework; limit shown reflects UK contactless payment regulation.

The hardware implication: a terminal deployed across multiple EU member states must be configurable per market for the applicable contactless limit, cumulative spend ceiling, and consecutive transaction counter — all of which determine when SCA is required. This is a TMS configuration parameter that must be set per country profile, not a fixed hardware characteristic. Confirm that the terminal's payment application supports per-market contactless parameter configuration before deploying a multi-country EU fleet.


NFC hardware requirements for EU contactless

The EU contactless payment infrastructure operates on ISO 14443 Type A and Type B — the international NFC standard supported by Visa payWave, Mastercard PayPass/Contactless, and all major EU domestic schemes that have migrated to contactless. FeliCa (NFC-F) is not required for EU POS deployment.
However, the NFC implementation quality matters significantly in EU markets. The
EMVCo NFC performance specifications define antenna performance requirements that determine whether a terminal can reliably read contactless cards and devices at standard counter distances (0–4 cm). A terminal with a poorly tuned NFC antenna may pass basic EMV L1 contactless certification but exhibit read failures in practice — particularly with cards that have weaker antenna coupling, which is common in older European bank-issued cards.
Request the terminal vendor's NFC performance test results against the EMVCo contactless analog test suite, not just the L1 certification status. Antenna performance is a hardware characteristic that cannot be improved through firmware updates.

 

5. PSD3 and the Horizon: Hardware Implications of Forthcoming EU Regulation


What PSD3 changes at the hardware level

The European Commission's proposal for PSD3 — the Third Payment Services Directive — and the associated Payment Services Regulation (PSR) are advancing through the EU legislative process as of 2026, with full implementation expected by 2027–2028. While the legislative text continues to evolve, several provisions have hardware-relevant implications that procurement teams planning 5-year deployment cycles should monitor.
Open banking at the POS: PSD3 expands open banking obligations and may introduce POS-level requirements for payment initiation service providers (PISPs) to offer account-to-account payment alternatives at physical checkout points. The hardware implication is QR code display capability for A2A payment initiation — a requirement that mirrors the infrastructure already deployed in Southeast Asian markets and that EU terminals should be evaluated for now, even if the mandate is not yet in force.
SCA exemption framework revision: PSD3 is expected to revise the SCA exemption thresholds and introduce new exemption categories for low-risk transactions identified through transaction risk analysis (TRA). The hardware implication is that terminals must be able to receive real-time TRA signals from the acquirer and apply the appropriate authentication path — a function that depends on the terminal's API architecture and the TMS configuration layer.
Data portability: PSD3 strengthens data portability rights, which in a POS context increases the practical importance of verified data export and deletion capability at the terminal level — reinforcing the GDPR hardware requirements described above.

 

6. The EU-Ready Hardware Procurement Checklist

Compliance Area Requirement What to Confirm
SCA / PSD2 PIN entry capability for transactions above contactless exemption Integrated PIN pad or certified external PED
SCA / SoftPOS SPoC certification for PIN on Glass Independent of GMS certification — confirm separately
EMV L1 Hardware interface certification Certified for specific terminal configuration; re-certify on hardware change
EMV L2 Payment application certification Certified for specific application version
Scheme coverage Visa, Mastercard + relevant domestic schemes Girocard (DE), CB (FR), Bancomat (IT) for respective markets
Contactless limits Per-market SCA threshold configuration TMS-configurable per country profile
NFC performance EMVCo analog antenna test results Request test data, not just L1 certificate
GDPR — data minimisation PAN tokenisation at device level Confirm no unmasked PAN in local storage
GDPR — data residency TMS / backend hosted in EU or adequate country Request data residency documentation
GDPR — data deletion Verified full factory reset Confirm all application data removed, not just user-visible data
GDPR — DPA Vendor Data Processing Agreement Required before any EU deployment
PSD3 readiness QR display for A2A payments Min 480×320 screen resolution; QR API support

 

OEMODM-Service

 

7. Conclusion

EU payment compliance for Android POS hardware in 2026 is a multi-regulation, multi-layer requirement set. PSD2's SCA mandate defines the authentication hardware floor. EMV certification covers three independent layers — hardware interface, application, and scheme — each requiring separate confirmation. GDPR creates data handling obligations that extend from the device's local storage through the TMS backend's geographic location. And PSD3's forthcoming provisions signal that terminals procured today should be evaluated for forward compatibility with open banking and revised SCA frameworks.
The consistent pattern across all of these requirements is that they are confirmed at procurement — not resolved after deployment. A terminal that reaches a European merchant's counter without verified scheme coverage for that market, without SPoC certification for SoftPOS PIN entry, or with a TMS backend in a non-adequate third country is a compliance liability from day one.
For the TMS configuration architecture that manages these compliance requirements across a multi-country EU fleet — including per-market SCA threshold configuration, compliance audit logging, and firmware version tracking — see our guide to
deploying Android POS terminals across multiple countries.
For hardware requirements in adjacent markets outside the EU regulatory framework, see:

 

8. Frequently Asked Questions

Q1: What is the standard EU contactless payment limit for SCA exemption in 2026?
The EBA's SCA RTS sets a €50 per-transaction ceiling across the EEA for contactless payments exempt from Strong Customer Authentication, provided cumulative spend since the last SCA stays under €150 or fewer than five consecutive transactions occur. Non-euro markets apply the local-currency equivalent.
Q2: Why do Poland and Sweden show different contactless limits than eurozone countries?
Poland (100 PLN) and Sweden (400 SEK) are non-euro EU markets applying the local-currency equivalent of the €50 EBA ceiling. Currency conversion and national rate history produce different nominal figures, though both remain within the same underlying exemption threshold rather than exceeding it.
Q3: Does the United Kingdom follow the same contactless SCA rules as EU member states?
No. The UK is not an EU member state and is not bound by the EBA's SCA RTS post-Brexit. The Financial Conduct Authority regulates UK contactless limits independently, currently set at £100 per transaction — higher than the EU's €50 ceiling.
Q4: What must a POS terminal support to remain SCA-compliant above the contactless limit?
A terminal must support PIN entry once a transaction exceeds the €50 contactless threshold, or when cumulative spend reaches €150 or five consecutive transactions occur since the last authentication. This requires an integrated PIN pad or a certified external PIN Entry Device.
Q5: Can a single terminal configuration serve multiple EU countries with different contactless limits?
Yes, provided the payment application supports per-market parameter configuration. Contactless limit, cumulative spend ceiling, and consecutive transaction counter are TMS-configurable settings set per country profile, not fixed hardware characteristics, allowing one terminal model to serve multiple markets.

 

Have a Question? Write to Us!
Contact
ADD: Room 402, Dewisen Building, No. 16, Gaoxin Nan Seventh Road, Nanshan District, Shenzhen City, China,518000