Acquiring is the side of the card network that faces the merchant. It is where the money lands, where the risk is underwritten, and — with SoftPOS — where a R1,500 Android phone becomes a card terminal. This is the model, the players, and the standards that make it certifiable.
In the four-party model, a card payment involves the cardholder, the issuer (their bank), the merchant, and the acquirer — the bank or licensed entity that holds the merchant’s account, accepts the transaction on the scheme’s behalf, and settles funds to the merchant. The acquirer is who the merchant signs with, who underwrites the merchant’s risk, and who answers to the scheme if that merchant turns out to be fraudulent.
Most businesses never deal with an acquiring bank directly. They sign with a payment service provider (PSP) or a payment facilitator that sits between them and the acquirer. Understanding which role you are playing — acquirer, PayFac, ISO, or referral partner — decides your licensing, your liability, and your economics.
The single biggest decision in acquiring is how much of the merchant relationship — and risk — you take on.
| Model | What you do | Who carries risk | Onboarding |
|---|---|---|---|
| Payment facilitator (PayFac) | Sign sub-merchants under your own master merchant account; aggregate them | You do — you underwrite and monitor sub-merchants | Instant / near-instant; you own KYC |
| ISO / agent | Refer and service merchants for an acquirer; merchants get their own MID | The acquiring bank | Slower; the acquirer underwrites each merchant |
| Referral partner | Send leads to a PSP / acquirer | The PSP / acquirer | You don’t onboard at all |
| Acquiring bank | Hold the scheme licence; settle to merchants | You — fully, to the scheme | Full underwriting, regulated |
SoftPOS is the most important acceptance shift for emerging markets — it removes the terminal as a barrier to getting a merchant onto the card rails.
SoftPOS (also “Tap to Pay” or contactless-on-COTS) turns a commercial off-the-shelf phone or tablet into a contactless card-acceptance device — no dongle, no dedicated terminal. The phone’s NFC reader does the tap; the card data and cryptogram are handled in software with hardware-backed protection.
For years this was impossible to certify: a general-purpose phone is an untrusted environment. The PCI Mobile Payments on COTS (MPoC) standard changed that. MPoC consolidated the earlier CPoC (contactless acceptance) and SPoC (PIN entry) standards into one modular framework covering both the tap and PIN entry on-glass, backed by a mandatory attestation and monitoring service that continuously checks the device and app integrity.
Card-present contactless acceptance on the phone’s own NFC radio. Lowers the cost of acceptance dramatically — the lever for informal and micro-merchant inclusion.
High-value taps that need a PIN can capture it on the touchscreen, within the MPoC security model. No separate PIN pad.
MPoC requires a back-end that attests device/app integrity in real time and can disable acceptance if the environment looks compromised. This is the control that makes a phone trustworthy enough.
MPoC lets components (software, attestation, back-end) be certified independently and combined — unlike the monolithic CPoC/SPoC it replaces.
Many entry-level Transsion / low-end Android handsets ship without NFC, or with it disabled in firmware. Check the adapter at runtime — see the device-matrix work on know.2nth.ai. Your addressable device base is smaller than the spec implies.
MPoC’s monitoring service runs forever. Budget for it. “We certified once” is not how MPoC works.
Aggregating sub-merchants under your master MID means their fraud and chargebacks are yours until you can demonstrate controls. Schemes will hold you to sub-merchant monitoring thresholds.
Contactless and PIN-CVM ceilings are set per scheme and per country. Hard-code the right local limits; do not assume a global default.
Opinionated guidance — member tier. The reference material above stays open.
Choose the PayFac model when fast, self-service onboarding is your product (marketplaces, platforms, vertical SaaS), your sub-merchants are small, and you can build real underwriting + transaction monitoring. Skip it if you cannot staff risk — a single fraud ring can wipe out a thin-margin aggregator.
SoftPOS wins for micro-merchants, mobile/field sellers, and any programme where the cost or logistics of distributing terminals is the blocker. A traditional PIN-entry terminal still wins for high-volume lanes, where you need a physical PIN pad, or where the merchant’s staff should not handle their own phone for payments. Many estates run both.