Most teams think getting the hardware certified is enough. It is not even half the job.

PCI PTS classifies devices at the hardware level. Visa and Mastercard classify transactions at the message level. Those are two different systems, and they do not automatically agree with each other. If your authorization message says “attended” when the terminal is physically unattended — or vice versa — the scheme enforces the wrong rules. Every time.

Three things worth understanding:

1️⃣ Schemes never inspect the hardware. They read the message.

The attended or unattended determination is inferred entirely from data elements in the ISO 8583 authorization message — specifically DE 25 (POS Condition Code), DE 22 (POS Entry Mode), and scheme-specific environment subfields. An unattended terminal must carry a consistent signal across all three: terminal type set to CAT, DE 25 set to 02, and environment subfields declaring cardholder-present with no attendant. Get any one of those wrong and the scheme applies the wrong business rules: CVM selection, floor limits, interchange routing, and risk scoring are all downstream of that signal.

2️⃣ The terminal application and the gateway are jointly responsible — and jointly exposed.

The terminal application sets the environment indicators based on its configured context. The acquirer or gateway is responsible for passing them through to the scheme correctly. A mismatch produces wrong CVM sets, mispriced interchange, distorted issuer risk scoring, and a clean path to scheme fines or compliance edits. This is not an edge case. It surfaces during L3 testing, scheme compliance monitoring, and acquirer audits. The message must reflect the physical reality of how the cardholder interacts with the terminal — not what the hardware is certified as.

3️⃣ One device, two configurations, two completely separate certification stories.

The same SmartPOS hardware model can run an attended retail application in one deployment and an unattended kiosk application in another. But for any given transaction, the classification is binary — and the two deployments require different EMV kernel parameters (Tag 9F35, CVM lists, TAC values), different ISO 8583 field values, and separate L3 certification cycles. Unattended certification is not an extension of attended certification. It is a different test plan. And if the deployment is “semi-attended” — self-checkout, pay-at-table — clarify with your acquirer exactly which side of that binary the authorization message needs to declare, because PCI PTS only recognizes two states.

If you are building or certifying POS or SoftPOS systems: align your hardware certification, EMV kernel configuration, and ISO 8583 message coding before you test — not after the first compliance edit comes back.
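A pre-certification consistency check for the signals named in point 1, as an added example (not code from the original post or from any scheme specification). It assumes the EMV Terminal Type convention that the second digit of Tag 9F35 is 1-3 for attended and 4-6 for unattended; the `attendant_present` and `cardholder_present` fields are hypothetical stand-ins for the decoded scheme-specific environment subfields.

```python
from dataclasses import dataclass

# EMV Tag 9F35 (Terminal Type), second digit: 1-3 = attended, 4-6 = unattended.
UNATTENDED_DIGITS = {"4", "5", "6"}
ATTENDED_DIGITS = {"1", "2", "3"}

@dataclass
class AuthSignals:
    deployment: str            # physical reality: "attended" or "unattended"
    tag_9f35: str              # EMV Terminal Type as two digits, e.g. "25"
    de25: str                  # ISO 8583 POS Condition Code, e.g. "02"
    attendant_present: bool    # hypothetical: decoded scheme environment subfield
    cardholder_present: bool   # hypothetical: decoded scheme environment subfield

def check_signals(s: AuthSignals) -> list[tuple[str, str]]:
    """Return (field, problem) pairs; an empty list means the signals agree."""
    if s.deployment not in ("attended", "unattended"):
        raise ValueError("deployment must be 'attended' or 'unattended'")
    unattended = s.deployment == "unattended"
    findings = []

    digit = s.tag_9f35[1:2] if len(s.tag_9f35) == 2 else ""
    if digit not in UNATTENDED_DIGITS | ATTENDED_DIGITS:
        findings.append(("9F35", f"unrecognised terminal type {s.tag_9f35!r}"))
    elif (digit in UNATTENDED_DIGITS) != unattended:
        findings.append(("9F35", f"{s.tag_9f35} does not match a {s.deployment} deployment"))

    # The post states unattended terminals carry DE 25 = 02, so 02 on an
    # attended deployment is as wrong as any other value on an unattended one.
    if (s.de25 == "02") != unattended:
        findings.append(("DE25", f"{s.de25!r} does not match a {s.deployment} deployment"))

    if s.attendant_present == unattended:
        findings.append(("ENV", "attendant indicator contradicts the deployment"))
    if unattended and not s.cardholder_present:
        findings.append(("ENV", "unattended terminal must declare cardholder-present"))
    return findings

# Constructed sample: kiosk build that inherited the attended retail profile.
if __name__ == "__main__":
    stale = AuthSignals("unattended", "22", "00", True, True)
    for field, problem in check_signals(stale):
        print(f"{field}: {problem}")
```

Running the check against both the terminal's kernel configuration and a captured gateway-side message shows which of the two parties introduced a mismatch.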

Configuration consistency is not a best practice. It is a compliance requirement.

Full breakdown on corebaseit.com: 🔗 https://corebaseit.com/posts/attended_and_unattended_pos/

