What is a virtual POS or iPOS?

A virtual POS (virtual point of sale terminal) is a payment gateway that allows any business to accept online payments using credit cards, debit cards, or other electronic payment methods. It performs the same function as a physical card terminal, but operates entirely in a digital environment, integrated into the merchant’s website, app, or payment link.

Unlike an in‑person terminal, the virtual POS processes card‑not‑present (CNP) transactions. This means the cardholder does not physically insert their card; instead, they enter their details through a secure form in the ecommerce checkout.

Its architecture connects three main actors: the merchant, the acquiring bank (which processes the transaction), and the issuing bank of the customer’s card. The entire flow is executed in milliseconds.

How a virtual POS works

The technical process of a transaction through a virtual point of sale terminal follows this sequence:

• Payment initiation. The customer selects their products and proceeds to checkout. The virtual POS collects the amount, currency, and order details.
• Data capture and encryption. The buyer enters their card number, expiry date, and CVV in a form protected with TLS encryption. Certified providers apply tokenization, replacing the real PAN with a token that protects sensitive data.
• Strong customer authentication (2FA). The system triggers the 3D Secure 2 protocol, requesting the issuing bank to verify the cardholder’s identity. This may involve biometric validation, an approval in the banking app, or an SMS code. It is mandatory under PSD2, except for regulated exemptions.
• Authorization. The acquirer sends the request to the card scheme (Visa, Mastercard), which forwards it to the issuer. If funds are available and authentication is successful, the transaction is approved.
• Confirmation. The virtual POS notifies both the merchant and the customer in real time. Funds remain on hold until settlement, executed according to the agreement with the acquirer.

Regulatory impact and security requirements of a virtual POS

Operating a virtual POS requires compliance with a strict regulatory framework designed to protect both consumers and merchants.

The Directive (EU) 2015/2366 (PSD2) mandates strong customer authentication (SCA) for most electronic payments. The EBA’s RTS define the applicable exemptions: low‑value transactions, transaction risk analysis (TRA), and trusted beneficiaries. A virtual POS that does not properly support 3D Secure 2 will generate declines and shift fraud liability to the merchant.

The PCI DSS v4.0 standard establishes 12 technical and organizational requirements for any entity that stores, processes, or transmits card data. Tokenization significantly reduces the merchant’s PCI scope, but does not eliminate all obligations.

Regarding anti‑money laundering, Law 10/2010 and the 5th AML Directive classify payment institutions as obliged entities. This directly affects transaction monitoring and the onboarding of high‑risk businesses.

Operational advantages and disadvantages of a virtual POS

Balancing security and conversion is the key operational challenge. Applying 3D Secure indiscriminately adds unnecessary friction. Applying exemptions without criteria increases fraud. The calibration of anti‑fraud rules, velocity checks, and risk scoring determines whether a virtual POS is profitable or problematic.