Virtual POS: technical guide and conversion at PayOk

Virtual POS: The technical and business infrastructure to scale your online payments

The exact problem: Friction at checkout destroys margins. If your gateway rejects legitimate transactions, settles at T+7 (depending on risk), or your integration fails to comply with PSD2 and PCI-DSS v4.0, you are paying an invisible tax on every euro you bill. As the CEO of an entity regulated by the Bank of Spain, I process transactions daily. What I write here is what works — and what destroys margins — in production.

What this guide solves: The most complete resource on virtual POS in Spanish. With the technical, regulatory and business formula I apply so every merchant maximizes authorization rate, reduces processing costs, and avoids regulatory penalties.

By the end of this guide you will master:

  • The real architecture of a virtual POS and why it defines your authorization rate
  • How to apply PSD2, SCA, PCI-DSS v4.0 and AML/CFT without destroying conversion
  • The quantified impact on treasury, margin and cash flow
  • Why premium acquiring saves you between 15% and 30% compared to aggregators
  • SoftPOS, 2026 trends and how to secure your POS admin panel

Virtual POS: technical infrastructure for online payments in Spain 2026

What a virtual POS is and why it defines your business profitability today

Technical definition: what a payments architect understands

A virtual Point of Sale terminal is not a simple payment form. It is an encrypted communication node that orchestrates the exchange of financial messages under the ISO 8583 standard or RESTful APIs between four actors: your merchant, the acquiring bank, the card networks, and the buyer’s issuing bank.

Its mandatory technical components in 2026:

  • Hosted Fields / iframes: Capture card data in an environment isolated from the merchant’s domain, eliminating the most expensive PCI scope
  • Risk engine: Velocity checks, device fingerprinting, IP geolocation and ML scoring in milliseconds
  • 3DS Server: Interface with the issuer’s ACS to trigger SCA when risk justifies it
  • Network tokenization: Replaces the real PAN with an EMV token linked to the device and merchant. The card number never touches your servers
  • Webhooks and event buses: Asynchronous server-to-server notifications to keep the ERP synchronized in real time

Business definition: what matters to the merchant

A high-performance virtual POS controls three metrics that directly impact the merchant’s profit and loss:

  1. Authorization rate: Every percentage point of improvement equals, for a €5M/year merchant, €50,000 in recovered revenue without additional acquisition spend
  2. Days sales outstanding (DSO): The difference between T+1 and T+7 for a €500K/month merchant means €116,000 permanently immobilized
  3. Processing cost: The difference between blended and Interchange++ pricing can represent 0.3% to 0.8% of volume in annual fee savings

A poorly configured virtual POS destroys between 8% and 15% of potential sales before the customer even reaches the confirmation step.

Our perspective: regulated Payment Institution, not a technology reseller

We operate as a Payment Institution regulated by the Bank of Spain (BE 6928) under the Spanish transposition of the PSD2 Directive through Royal Decree-Law 19/2018 and the Payment Services Act 16/2009.

When a merchant integrates the virtual POS of a payment facilitator, they automatically inherit:

  • Safeguarding of funds in segregated accounts supervised by the Bank of Spain
  • PCI-DSS Level 1 certification of the acquirer → With fields hosted by the acquirer, your PCI scope is reduced to SAQ-A
  • EBA/GL/2018/05 (fraud reporting) and EBA/GL/2019/04 (SCA) compliance framework
  • AML/CFT obligations under Law 10/2010
  • Protection against fines for data breaches or AML/PBCFT non-compliance

The real impact of the virtual POS on conversion, treasury and margin

Industry benchmarks and proprietary data

Metric                                    | Industry benchmark                       | With payfac acquiring
Authorization rate (domestic cards)       | 92% - 95%                                | 96% - 98%
Authorization rate (international cards)  | 82% - 88%                                | 90% - 94%
Checkout abandonment due to friction      | 18% - 25%                                | 8% - 12%
Chargeback ratio (e-commerce retail)      | 0.5% - 1.2%                              | <0.4%
Settlement days                           | T+3 to T+7 (depending on merchant risk)  | T+1 to T+2 (depending on merchant risk)
Processing cost (blended vs I++)          | 1.8% - 2.5%                              | 1% - 2.9%

How the virtual POS reduces cart abandonment

Cart abandonment reduction with optimized virtual POS — PayOk

70% of carts are abandoned, and a poor payment experience is responsible in 20% of cases. A bad integration that redirects to an outdated banking page can sink conversion by up to 20%. The factors a poorly optimized virtual POS amplifies:

  • Redirection outside the domain: Every exit from the domain adds 12% - 18% abandonment
  • Unnecessary SCA: Triggering 3DS on low-risk transactions without an exemption engine increases friction without reducing fraud
  • False positives: Overly aggressive antifraud rules reject legitimate buyers. A 12% rejection rate in a €5M/year business blocks €600,000 in sales
  • Poor mobile optimization: Over 70% of online purchases in Spain start or finish on mobile
  • Insufficient payment methods: Not offering Bizum, Apple Pay or Google Pay in 2026 means losing conversion in the most active segment of the Spanish market

Reducing checkout time by 1 second can increase conversion by up to 8%. For a €2M/year e‑commerce business, that means €160,000 in additional revenue without touching the acquisition budget.

Real case: €450,000 recovered in one year

During my time as a financial introducer in acquiring, an electronics e‑commerce business generating €5 million annually was operating with a traditional bank applying a 12% false‑positive rejection rate. After migrating to a gateway with dynamic fraud rules and Machine Learning, we reduced those rejections to 3%. Result: €450,000 in recovered sales in the first year, without increasing the marketing budget by a single euro.

Direct effect on cash flow

A merchant processing €500,000/month with T+7 settlement has €116,000 permanently immobilized. With T+1, that capital is released. At an average external financing cost of 4.5%, the difference between T+1 and T+7 equals €5,220/year in implicit financial savings for that volume. Aggregators also add a rolling reserve of 5%–15% for 90–180 days: for a €50,000/month merchant, that means between €2,500 and €7,500 permanently immobilized without accruing interest.

Technical architecture: how the virtual POS works behind the scenes

Step‑by‑step data flow: from checkout to settlement

Transaction flow diagram for virtual POS — PayOk acquiring

  1. Initiation and encryption (0–200ms): The customer enters their data. The POS JS libraries capture the payload and encrypt it via TLS 1.3 before it touches your server. The PAN goes directly to the acquirer’s servers.
  2. Tokenization (200–400ms): The acquirer replaces the PAN with an EMV Network Token linked to the device and merchant (Visa Token Service / Mastercard DES). This token is what gets stored for subscriptions and one‑click payments.
  3. Risk evaluation and 3DS decision (400–800ms): The engine analyzes more than 150 variables: IP, device fingerprint, typing velocity, BIN history, geolocation, purchase pattern. If it qualifies for an SCA exemption (TRA), it proceeds frictionlessly. If risk signals appear, it triggers 3D Secure 2.2.
  4. Authorization through card networks (800–2,500ms): The ISO 8583 message travels to the issuing bank, which verifies funds and account status. It responds with an approval or a specific decline code (05 – Generic decline, 51 – Insufficient funds, 54 – Expired card…).
  5. Capture, reconciliation and settlement: Authorization only blocks funds. At end‑of‑day, the capture batch finalizes the charge, settling into the merchant’s account in T+1 or T+2 (depending on merchant risk).

Full authorization and settlement flow in virtual POS — PayOk 2026

API integrations and infrastructure requirements

REST vs. SDK: when to use each

REST API with Hosted Fields: Maximum control over the checkout. You design the form, manage the flow, and receive JSON responses. The PAN remains isolated in iframes: PCI scope is SAQ‑A. Recommended for volumes above 50,000 transactions/month or custom payment logic. Compatible with WooCommerce, Shopify, Magento and PrestaShop via plug‑and‑play modules for merchants without a dedicated development team.

Redirection (Hosted Payment Page): The customer leaves the domain. Zero PCI scope but a 12%–18% conversion impact. Only advisable when legal traceability outweighs conversion.

Webhooks and critical event management

Without webhooks, you depend on polling or user redirection to confirm payments, creating inconsistencies in inventory and accounting. Critical events in production:

  • Payment captured: Charge confirmed → trigger automatic fulfillment
  • Payment failed: With ISO 8583 decline code for smart retry logic
  • Chargeback created: Activate documentary defense within 7 business days
  • Refund processed: Reconcile in accounting without manual intervention
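A webhook consumer for the four events listed above, with the smart-retry logic keyed by the decline codes cited in the flow section (05, 51, 54). This is an added example, not PayOk's SDK; the JSON field names, the X-Signature header carrying an HMAC-SHA256 over the raw body, and the retry delays are constructed assumptions.

```python
"""Webhook consumer: authenticate, deduplicate, dispatch (constructed format)."""
import hashlib
import hmac
import json
from datetime import date, timedelta

# Retry policy keyed by ISO 8583 response code (the codes the guide cites)
RETRY_POLICY = {
    "05": ("hard", 0),          # generic decline: no automatic retry
    "51": ("soft", 24 * 3600),  # insufficient funds: first dunning retry at 24h
    "54": ("update", 0),        # expired card: refresh the token via Account Updater
}
CHARGEBACK_DEFENSE_BUSINESS_DAYS = 7  # documentary defense window from the guide


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 the acquirer would put in X-Signature (constructed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_event(event_id: str, event_type: str, order_id: str, amount: float, **extra) -> bytes:
    """Serialize a constructed webhook payload as it would arrive on the wire."""
    payload = {"id": event_id, "type": event_type, "order_id": order_id,
               "amount": amount, **extra}
    return json.dumps(payload, sort_keys=True).encode()


def add_business_days(start_iso: str, days: int) -> str:
    """ISO date `days` business days after start (weekends skipped, holidays not modelled)."""
    current = date.fromisoformat(start_iso)
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current.isoformat()


class WebhookProcessor:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()    # processed event ids; a database table in production
        self.actions = []    # side effects, recorded so they can be inspected

    def handle(self, body: bytes, signature_hex: str) -> str:
        # 1. Authenticate the sender before parsing anything
        expected = sign(self.secret, body).encode()
        if not hmac.compare_digest(expected, signature_hex.encode()):
            return "rejected:bad_signature"
        event = json.loads(body)
        # 2. Idempotency: acquirers redeliver on timeout, so a duplicate must be a no-op
        if event["id"] in self.seen:
            return "duplicate"
        self.seen.add(event["id"])
        handler = {
            "payment.captured": self._captured,
            "payment.failed": self._failed,
            "chargeback.created": self._chargeback,
            "refund.processed": self._refund,
        }.get(event["type"])
        return handler(event) if handler else "ignored:unknown_type"

    def _captured(self, ev):
        self.actions.append(("fulfil", ev["order_id"]))
        return "fulfilment_triggered"

    def _failed(self, ev):
        kind, delay = RETRY_POLICY.get(ev.get("decline_code"), ("hard", 0))
        if kind == "soft":
            self.actions.append(("schedule_retry", ev["order_id"], delay))
            return f"retry_in:{delay}"
        if kind == "update":
            self.actions.append(("account_updater", ev["order_id"]))
            return "account_updater"
        return "no_retry"

    def _chargeback(self, ev):
        deadline = add_business_days(ev["created_at"], CHARGEBACK_DEFENSE_BUSINESS_DAYS)
        self.actions.append(("collect_evidence", ev["order_id"], deadline))
        return f"defend_by:{deadline}"

    def _refund(self, ev):
        self.actions.append(("post_credit_note", ev["order_id"], ev["amount"]))
        return "reconciled"
```

The signature check runs before JSON parsing and the idempotency check before any side effect, so a redelivered or forged event never triggers a second fulfilment or refund posting.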

Minimizing PCI-DSS scope through tokenization

PCI-DSS v4.0 and network tokenization in PayOk virtual POS

With the Hosted Fields + tokenization architecture, the merchant operates under SAQ‑A regardless of volume: 22 requirements, fully manageable internally without a QSA audit. We convert the card into a harmless alphanumeric token. You store the token; the acquirer stores the sensitive data in military‑grade cryptographic vaults. PCI‑DSS v4.0 is mandatory as of March 2025. Any merchant that has not updated its controls is non‑compliant.

Regulatory compliance: PSD2, PCI-DSS v4.0 and 3DS2

Obligations under PSD2 and SCA exemption management

The PSD2 Directive requires applying Strong Customer Authentication (SCA) using two of three factors: knowledge, possession and inherence. Operational success depends on the exemption engine:

Exemption                        | Condition                                                     | Requested by
Low value                        | ≤ €30 (max. 5 consecutive or €100 accumulated)                | Acquirer / Issuer
TRA (Transaction Risk Analysis)  | Issuer fraud rate <0.01%, transaction ≤ €500                  | Acquirer
Trusted beneficiary              | Customer has whitelisted the merchant                         | Issuer
MIT – Recurring subscription     | First charge with SCA, subsequent ones without authentication | Merchant / Acquirer
Corporate payment                | Corporate card with centralized processes                     | Acquirer

With the exemption engine, between 65% and 75% of transactions authenticate with no visible friction. Disabling 3DS to “improve conversion” without solid data usually results in more fraud and more chargebacks in the medium term.
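A decision function for the exemption table above and for step 3 of the flow section, added here as an example and not PayOk's risk engine. It goes beyond the page's single TRA figure by applying the three PSD2 RTS fraud-rate tiers (0.13% up to €100, 0.06% up to €250, 0.01% up to €500); the risk score, the per-card counters and the PSP fraud rate are constructed inputs.

```python
"""SCA exemption engine: which PSD2 exemption to request, or 'SCA' to challenge."""
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30.0        # per-transaction cap for the low-value exemption
LOW_VALUE_MAX_COUNT = 5       # consecutive exempted payments before SCA is forced
LOW_VALUE_MAX_TOTAL = 100.0   # accumulated exempted amount before SCA is forced
# TRA tiers from the PSD2 RTS as (amount ceiling, max PSP fraud rate); the
# guide's table quotes only the last row (<0.01% up to 500 EUR)
TRA_TIERS = ((100.0, 0.0013), (250.0, 0.0006), (500.0, 0.0001))


@dataclass
class CardState:
    """Counters since the last SCA on this card (constructed; tracked by the issuer)."""
    exempt_count: int = 0
    exempt_total: float = 0.0


@dataclass
class Txn:
    amount: float
    is_mit: bool = False                # merchant-initiated (subscription) charge
    mit_initial_sca_done: bool = False  # first charge of the series was authenticated
    trusted_by_customer: bool = False   # customer whitelisted the merchant at the issuer
    corporate_card: bool = False        # corporate card under centralized processes
    risk_score: float = 0.0             # 0.0 clean .. 1.0 high risk, from the risk engine


def tra_allowed(amount: float, psp_fraud_rate: float) -> bool:
    """TRA is available only in the tier matching the amount and the PSP's fraud rate."""
    for ceiling, max_rate in TRA_TIERS:
        if amount <= ceiling:
            return psp_fraud_rate < max_rate
    return False  # above 500 EUR there is no TRA exemption


def decide_exemption(txn: Txn, card: CardState, psp_fraud_rate: float,
                     risk_threshold: float = 0.3) -> str:
    """Return the exemption to request, or 'SCA' to trigger a 3DS2 challenge.

    MIT is checked first because it is outside SCA scope once the initial
    authentication happened. Risk signals override every optional exemption:
    an exempted transaction carries no liability shift, so the merchant pays
    for any fraud it waves through.
    """
    if txn.is_mit:
        return "MIT" if txn.mit_initial_sca_done else "SCA"
    if txn.risk_score >= risk_threshold:
        return "SCA"
    if txn.trusted_by_customer:
        return "TRUSTED_BENEFICIARY"
    if txn.corporate_card:
        return "CORPORATE"
    if (txn.amount <= LOW_VALUE_LIMIT
            and card.exempt_count < LOW_VALUE_MAX_COUNT
            and card.exempt_total + txn.amount <= LOW_VALUE_MAX_TOTAL):
        return "LOW_VALUE"
    if tra_allowed(txn.amount, psp_fraud_rate):
        return "TRA"
    return "SCA"


def record_outcome(card: CardState, exemption: str, amount: float) -> CardState:
    """Roll the low-value counters forward: reset after SCA, accumulate after LOW_VALUE."""
    if exemption == "SCA":
        return CardState()
    if exemption == "LOW_VALUE":
        return CardState(card.exempt_count + 1, card.exempt_total + amount)
    return card
```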

PCI-DSS v4.0 levels and their real economic impact

Level    | Transactions/year         | Requirement                               | Estimated cost
Level 1  | >6 million                | Annual on‑site QSA audit + quarterly ASV  | €50,000 – €250,000
Level 2  | 1 – 6 million             | Annual SAQ + quarterly ASV                | €15,000 – €50,000
Level 3  | 20,000 – 1M (e‑commerce)  | Annual SAQ + quarterly ASV                | €5,000 – €15,000
Level 4  | <20,000 (e‑commerce)      | Recommended annual SAQ                    | €500 – €5,000

3DS2: minimal friction, minimal fraud, liability shifted

3D Secure 2.2 transmits more than 150 data points to the issuing bank, compared to the 15 of 3DS1. Between 65% and 80% of transactions authenticate in the background without the user seeing any pop‑up. When authentication occurs, the merchant obtains liability shift to the issuer in case of fraud: if the bank authenticated the transaction and a chargeback occurs, the bank pays — not you.

The key technical distinction between 3DS1 and 3DS2 that impacts your business:

  • 3DS1: Mandatory redirection + SMS OTP → abandonment rate of 25%–40%
  • 3DS2: Background authentication + native biometrics (Face ID, fingerprint) → residual abandonment of 3%–8%
  • Additionally: The per‑transaction cryptogram generated by 3DS2 validates origin (token, device and exact timestamp). The network verifies it before authorization: if it fails, the transaction is declined for security integrity

AML/CFT in the virtual POS: the obligation no one explains to merchants

The most ignored topic in any payments guide — and one of the most operationally severe risks. Using a virtual POS does not exempt the merchant from obligations under the Spanish AML/CFT Law 10/2010. Payment institutions are obliged entities with duties of due diligence, continuous monitoring and reporting of suspicious activity to SEPBLAC.

Anti‑money laundering controls in a PayFac

Transaction laundering: the risk that destroys a MID

Suspicious transactions occur when an undeclared seller processes payments through the virtual POS account of an apparently legitimate merchant. FATF and the EBA identify this as one of the fastest‑growing AML/CFT risk vectors in e‑commerce.

The consequences for the affected merchant:

  • Immediate MID freeze and fund hold for up to 180 days
  • Inclusion in the MATCH list: prevents opening a new account with any acquirer
  • Report to SEPBLAC with potential sanctions under Law 10/2010
  • Reputational damage no insurance policy covers

Real AML detection case: A newly onboarded retail merchant begins receiving hundreds of transactions within days, identical amounts, from foreign cards, requesting urgent settlement. The monitoring system flags the pattern as incompatible with the declared profile. Compliance requests additional documentation. Without a satisfactory response: account blocked, funds held, and report filed with SEPBLAC. The merchant was unaware that an employee had shared their POS credentials with third parties.

Specific AML/CFT obligations for merchants

Regardless of volume, any merchant using a virtual POS must:

  • Ensure activity‑declaration consistency: Actual products sold, average ticket, jurisdictions and payment methods must match what was declared to the acquirer when signing the contract
  • Monitor anomalous patterns: Repeated high‑value purchases at unusual hours, from unfamiliar countries, using cards from multiple issuers in a short interval
  • Never share access with third parties: POS credentials and the MID are non‑transferable. Any use by an undeclared third party may be interpreted as suspicious activity
  • Maintain updated corporate documentation: Articles of incorporation, legal representative, source of funds. If the administrator or ownership structure changes, the acquirer must be notified

AML/CFT configuration for high‑risk businesses

In verticals classified as high‑risk businesses (gambling, online gaming, high‑value travel, micro‑lending, crypto exchanges), configuration must be significantly stricter:

  • Mandatory 3DS2 on virtually all transactions, especially new customers and higher‑risk countries
  • Multivariable risk scoring: card country, IP, device, customer history, purchase pattern, BIN
  • Aggressive velocity checks: dynamic limits per transaction and per day/month for new customers, expandable with history
  • Reinforced KYC/KYB onboarding for sub‑merchants in marketplace models
  • Written agreement with the acquirer on chargeback exposure limits and protocols for freezing suspicious payments

Acquiring risk levels in card payments (low to high)

Admin panel security: the most silent risk of the virtual POS

Most payment security guides focus on the checkout. No one talks about the POS admin panel. It is the most silent attack vector — and the most damaging when exploited — because the external or internal attacker operates with the same credentials as the legitimate administrator.

The five real threats to the admin panel

1. Shared credentials without MFA: Multiple employees using the same admin user and no second factor. A disgruntled employee or a compromised credential has full access to refunds, settlement account changes and antifraud rules. PCI-DSS v4.0 (requirement 8.4.1) mandates MFA for all non-console access to the CDE from 31 March 2025. This is not a recommendation — it is a regulatory obligation.

2. Modification of the settlement account: If an attacker changes the destination bank account for settlement, funds from days or weeks can be diverted before the finance team notices. Without an immutable audit log with timestamping, forensic reconstruction is impossible.

3. Silent deactivation of 3DS: Unauthorized access to the panel can disable strong authentication for all orders. Fraud rises, chargebacks spike, and by the time the risk team detects it, weeks have passed.

4. Internal refund fraud: The most common case involves employees processing refunds to their own cards. Without segregation of duties (the person who sells cannot authorize refunds) and without visible tokenization (employees should never see the full PAN), this fraud can go undetected for months.

5. Magecart-style skimming attack: Vulnerabilities in the POS plugin or the e-commerce CMS (outdated WooCommerce, unpatched Magento) allow JavaScript injections that steal card data in the customer’s browser before encryption. More than 500 Spanish online stores were affected in 2024.

Admin panel security checklist: what you must verify today

  • MFA enabled for all admin users (TOTP or hardware key, never SMS only)
  • Nominal users: each employee has their own access with minimum necessary privileges
  • Segregation of duties: separate roles for sales, refunds, configuration and reporting
  • Immutable audit log: who accessed, what changed, when and from which IP
  • Automatic alerts for settlement bank account changes
  • Monthly review of active users: immediate access removal during employee offboarding
  • Tokenization enabled: no employee sees the full PAN in the transaction panel
  • Updated POS plugins and modules with current security patches
  • Formal incident response procedure including contact with the payment facilitator, bank, affected customers and, if applicable, the Spanish DPA (AEPD) under GDPR

Relying on a single payment provider is managerial negligence. If your only POS goes down on Black Friday, you lose 100% of revenue for that period. The cost of having a second virtual POS active as backup is zero compared to the cost of a 2‑hour outage at peak time. Always activate an alternative route.

2026 trends: what’s coming and you cannot ignore

Payment orchestration as critical infrastructure: Centralizing routing, methods, risk, data and acceptance is no longer optional for anyone who wants to scale with control. Complexity is no longer temporary: more countries, more methods, more regulation, more channels. Managing payments “piece by piece” is a real bottleneck.

Consolidated local methods: Bizum, iDEAL, Bancontact, MB Way are not a fad — they are user behavior. And behavior dictates conversion. In Spain, Bizum has captured 50% of e-commerce transactions via local payments in certain issuers. Not offering it in 2026 is incomprehensible.

Instant payments and liquidity impact: EU Regulation 2024/886 on instant payments requires all European PSPs to offer transfers in under 10 seconds at the same price as standard transfers. This changes treasury management for merchants who today wait T+3 from traditional banks.

AI in fraud: the arms race: Attackers use AI to create behavioral patterns that mimic legitimate users, generate voice deepfakes to bypass phone verification, and craft phishing emails without errors. The response is not “more rules”: it is real‑time behavioral analysis with models trained on the merchant’s own data.

Agentic commerce: Autonomous AI agents completing purchase tasks on behalf of users are arriving. Direct implication for the virtual POS: authentication based on human biometrics does not work when the agent acts without supervision. Authentication protocols for agentic transactions are the next regulatory frontier at the EBA.

Virtual POS in action: sector‑specific use cases

E-commerce retail: high volume, speed and local methods

For consumer e-commerce, the key is speed and method coverage. 70% of payments start on mobile. If your checkout is not mobile‑native, you are inviting abandonment.

  • Technical: Hosted fields + one‑click pay + Bizum + Apple Pay/Google Pay
  • Impact: Enabling Apple Pay in mobile checkout increases conversion by 10%–22%. Bizum is now the second most used payment method in Spanish e-commerce after cards

SaaS and subscriptions: zero involuntary churn

Errors when implementing recurring payments with virtual POS — PayOk

  • Technical: Credential vault + tokenization + Account Updater + MIT. Account Updater automatically refreshes tokens for renewed cards without user intervention
  • Impact: Reduction of involuntary churn by 20%–35%. For a platform with 10,000 subscribers at €19.90/month, this means retaining 300–700 additional customers every month
  • Dunning: Retry at 24h, 3 days and 7 days with automatic customer notification on each failed attempt

B2B and services: Pay‑by‑Link and reduction of collection period

  • Technical: Dynamic payment link via API or panel, embedded in PDF invoices or sent via WhatsApp/email
  • Impact: Reduction of collection period from 45–60 days to 3–7 days. For a company with €500K in outstanding receivables, this frees €30,000–€55,000 in permanent working capital

Card terminal or virtual POS? Quick guide by sector

If you are evaluating when to use a physical terminal versus a virtual POS depending on your retail, hospitality or on‑site services model, we have a complete analysis: Virtual POS vs card terminal: definitive guide for Spanish businesses.

Payment facilitator vs traditional models: why premium acquiring wins

Real cost comparison for a €500,000/year merchant

Model                         | Example          | Cost per transaction      | Estimated annual cost    | Settlement
Blended aggregator            | Stripe, PayPal   | 1.5% – 2.9% + €0.25       | €8,500 – €15,700         | T+2 to T+7
Traditional bank              | CaixaBank, BBVA  | 0.8% – 1.5% + fixed fee   | €6,000 – €10,500 + fees  | T+3 to T+5
Payment facilitator acquirer  | PayOk            | 1% – 2.9% + €0.25         | €5,000 – €9,000          | T+1 to T+7 (depending on business risk)

Advantages of a dedicated MID vs the aggregator model

  • Own history: You build your independent risk profile with the schemes. Over time: better interchange rates and greater SCA exemption capacity
  • Data control: All transactional data is exclusively yours. No competitor sees your volume
  • No pool contamination: You do not share risk with thousands of other merchants. A mass attack on the aggregator’s network does not affect you
  • Total transparency: Fully itemized Interchange++ model: you know exactly what the issuer charges, what the network charges, and the acquirer’s margin

Our 3D Secure Virtual POS for tangible products and Virtual POS for intangible services are designed specifically for each business type.

Real questions merchants ask about the virtual POS

What is a virtual POS and how does it work exactly?

A virtual POS is the system that manages authentication, authorization and capture of card payments in digital environments. It encrypts data via TLS 1.3, tokenizes the card number, evaluates risk and communicates with Visa/Mastercard networks and the issuing bank. The full cycle from clicking “Pay” to bank confirmation takes between 1.8 and 4.2 seconds.

How much does a virtual POS cost in Spain in 2026?

Aggregators apply blended fees of 1.4% – 2.9% + €0.25. With a payfac you save 15%–30% for volumes above €100,000/month. A 0.2% difference can mean thousands of euros per year. See details on our virtual POS pricing page.

Is 3D Secure mandatory with my virtual POS?

Yes. PSD2 requires SCA for most electronic payments in the EEA. A well‑calibrated exemption engine keeps 65%–75% of your transactions frictionless. Disabling 3DS without solid data usually results in more fraud and more chargebacks in the medium term.

What is the difference between a payment gateway and a virtual POS?

The market uses both terms interchangeably. What matters operationally is whether the system includes its own risk engine, SCA exemption management and network tokenization. A gateway without these capabilities is just a communication channel — not a payment optimization tool.

How long does it take to receive my funds?

Low‑risk merchants receive settlement in T+1 (depending on business risk). Standard aggregators apply T+7 plus rolling reserves of 5%–15%. For a €200K/month merchant, the difference means €10,000–€15,000 in freed working capital.

Does my company need PCI-DSS certification for using a virtual POS?

With fields hosted by the acquirer, your PCI scope is reduced to SAQ‑A: 22 requirements without external audit. If you handle PAN data in your backend, you enter QSA audit territory with costs of €50,000+/year. PCI-DSS v4.0 is mandatory from March 2025.

Does the virtual POS impose AML/CFT obligations on the merchant?

Yes. Using a virtual POS does not exempt the merchant from Spain’s AML/CFT Law 10/2010. The activity declared to the acquirer must match reality. Processing payments for undeclared third parties (transaction laundering) can result in MID closure, fund holds up to 180 days and reporting to SEPBLAC.

The virtual POS is no longer infrastructure: it is competitive advantage

Merchants who treat the virtual POS as a commodity are giving away margin, settlement speed and data to competitors. Those who treat it as a strategic lever in 2026 will dominate their markets in 2028. Payment architecture is as critical as logistics or performance marketing.

At PayOk we audit your current integration for free: authorization rate, real processing cost, PCI scope, chargeback exposure and AML/CFT compliance. No commitment. In 48 hours you receive a technical report with improvement points and estimated financial impact.

Sources and related reading

Real questions merchants ask about the virtual POS
