EMV levels 1, 2 and 3
EMV certification comes in three levels, and they map onto the same stack you just built. As ID TECH describes the structure, a card reader "isn't just hardware. It's the hardware, plus embedded software, plus support for a set of payment networks," and the three levels test each of those in turn.
-
Level 1 covers the physical and electrical interaction between card and terminal. The hardware supplier owns this one, and it applies to both contact and contactless interfaces.
-
Level 2 covers the kernel software that performs EMV processing. EMVCo certifies the kernel at this level; its member bodies are Visa, Mastercard, Discover, Amex, JCB and UnionPay.
-
Level 3 covers end-to-end integration with your payment device software and the networks. This is the one you own.
Level 3 is where the application owner works with the acquirer to validate the full transaction flow, from the tap through the authorization host and back. EMVCo certifies Levels 1 and 2, but Level 3 means passing tests with each individual card brand against your actual solution. Completing it is the signal that the device is genuinely ready for deployment.
PCI and scheme approvals
EMV is only one of the gates. Running alongside it is PCI, the Payment Card Industry security regime. For terminals the relevant standard is PCI PIN Transaction Security (PTS), which governs Point of Interaction devices and evaluates protections such as physical tamper resistance, and key management across its modules. The current version, PTS POI v7.0, was released in May 2025 and tightens requirements around modern threats like biometric sensors and wireless connectivity. Beyond PTS, you're obligated to protect cardholder data throughout the system.
On top of all that, individual schemes impose their own approvals. The major card schemes each run separate programs, and these run in parallel with your EMV work. They run in parallel. That's the trap. A team can sail through EMV Level 3, then discover go-live is blocked because a single scheme approval was never started. Sequence PCI and the scheme programs early, alongside the EMV track, so the slowest approval sets your launch date.
Integrating with backend payment systems
The terminal is the visible endpoint of a chain that does the real work. Behind it sit three systems that decide whether a transaction lives or dies, and how your integration handles them shows up directly at the checkout. The first is the switch, which routes each transaction to the right network and translates between the ISO 8583 dialects the networks speak. The second is the authorization host, which carries the request to the issuer and brings back the response code in field 39, where 00 means approved and 51 means insufficient funds. The third is the layer of fraud and risk systems that screen the transaction before it's allowed through.
Latency and message handling across this chain shape everything the customer feels. If the authorization host is slow and your terminal handles the wait poorly, the screen freezes and the cashier reaches for cash. If a network drops mid-transaction, your failure handling decides whether the payment reverses cleanly or leaves a customer charged for nothing. The merchant sees the problem at the terminal.
There's an operational argument for consolidation here. A program that grows by bolting on a new acquirer relationship and a new integration for each payment method ends up with a tangle nobody can maintain. Pulling multiple acquirers and acceptance methods under one pos software engineering integration layer cuts the operational overhead and gives you a single place to reason about routing and screening. For payment terminal software development, that's a scoping decision worth making before you write the first connector, because it's painful to retrofit once the fleet is live.
Deploying and maintaining the fleet
For payment terminal software development, shipping the software starts the longest stage. With nearly 180 million payment terminals installed globally at the end of 2024 and the base growing 11% in a single year, every program that scales is a fleet operations problem wearing a software costume. The job now is getting the application onto thousands of devices and keeping it healthy for years.
That job runs through terminal management software, which handles the unglamorous work that decides whether your program survives contact with the real world:
-
Boarding and configuration, so a device knows which merchant it belongs to and which acceptance methods it's allowed to run.
-
Remote patching and over-the-air updates, because you cannot send a technician to every terminal every time a scheme rule changes.
-
Health monitoring, so you can see which devices are online and which are about to fail.
The real world fights all of this. Connectivity is patchy on portable and rural devices; an update you pushed reaches 80% of the fleet and strands the rest on old code. Consider a common failure pattern: you release an application patch that assumes a prerequisite operating system update, but a slice of the fleet never received that OS update because they were offline during the rollout. The patch installs, and those terminals brick or refuse payments in the field because the dependency is missing. That's why staged rollouts and real observability are not optional. You release to a small ring first and widen only once the data says it's safe.
Budget for this as a permanent line item. New scheme mandates and security patches arrive every year for the entire commercial life of the device, with PCI versions and certificates tied into the same cycle. The maintenance stage outlasts the build by years, and the programs that fail are the ones that funded the build and forgot the decade that follows.
Building production-grade terminal ecosystems
Pull the four stages back together and one decision is left in front of you. Do you assemble all of this payment terminal software development capability in-house, or bring in a team that has already shipped production terminal ecosystems? The honest answer depends on where your hard problems sit, and by now you can see they sit in certification and long-tail maintenance, with backend integration tied to both. The value is in delivering a complete ecosystem that can pass certification and stay maintainable.
EGS builds and delivers that full lifecycle, from the terminal application and EMV-bound transaction logic through certification and fleet operations, with backend integration built into the path that keeps a program running for years. If you're scoping a terminal program and want to pressure-test where your cost and risk actually sit, talk through it with a team that has done payment terminal software development end to end before committing your own.