Short answer. SUNMI P2-series payment devices (P2, P2 Pro, P2 Mini, P2 Smartpad) are PCI PTS 6.X approved with EMV Level 2 contact and contactless kernel LOAs, online PIN entry, and SRED data protection. PCI PTS 6.X certifies the device hardware only — North American deployments still need EMVCo kernel verification and acquirer-specific certification before going live. Rosper, the authorized SUNMI distributor for the US and Canada, walks deployments through the full certification chain and supplies the LOA package within one business day.

The most common confusion we see in payment hardware procurement in the US and Canada goes like this: a buyer reads that the SUNMI P2 Pro is PCI PTS 6x certified, concludes that the device is “compliant,” and assumes there is no more work to do. The hardware is indeed certified. The work is not done. PCI PTS 6x is a specific kind of certification that covers a specific set of responsibilities, and the gap between “the device is certified” and “we can process live transactions” is where most payment deployments get stuck.

This post clears up the layers around PCI PTS 6x SUNMI payment devices, what it deliberately does not cover, and what a US or Canadian operator still needs from the acquirer side before the first real transaction runs. Rosper is the authorized SUNMI distributor for the US and Canada, and we work with ISVs and operators through payment certification every week. If you need a straight answer for a specific deployment, there is a contact path at the end.

What PCI PTS 6x SUNMI payment devices are

PCI PTS 6x SUNMI payment devices are certified under the Payment Card Industry PIN Transaction Security standard. It is the security standard for the hardware device that accepts payment cards and handles the PIN. The current generation is PCI 6.x, which replaces the older PCI PTS 5.X and 4.X generations.

PTS is a device-level standard. The certification evaluates the physical tamper resistance of the hardware, the security of the cryptographic processor, the behavior of the PIN pad, the protection of sensitive data in transit within the device, and the integrity of the firmware. A PTS 6.X approved device has passed a formal evaluation against a specific version of the PCI PTS requirements.

PTS is set and governed by the PCI Security Standards Council, the same body that sets PCI DSS. The two are related but different. DSS is a compliance program for the merchant and the service provider: how you handle card data across your network, storage, and processes. PTS is a certification program for the device: has this specific hardware model been evaluated and approved.

What PCI 6.x covers on a SUNMI payment device

PCI PTS 6x SUNMI payment devices include the P2 Pro, P2 Mini, P2 Smartpad, and CPad Pay. The certification on these devices covers:

• The PIN pad. PIN entry on the device is protected by the PTS-evaluated secure processor. The PIN is never exposed to the application layer in plaintext.
• The tamper response. The hardware detects physical tampering (drilling, probing, cold-boot attempts) and zeros out sensitive keys if an attack is detected.
• The cryptographic processor. Key storage, key injection, and cryptographic operations happen inside a boundary that PTS has evaluated.
• The firmware integrity. Firmware signing and boot verification ensure the device runs SUNMI firmware, not tampered firmware.
• The payment sandbox. The payment application’s data path, including the EMV kernel and the contactless kernels, runs within a protected zone.

What this means in plain English: the device hardware is trusted. An attacker who owns one of your terminals cannot easily dump the keys. A compromised POS app cannot see the PIN. The device itself is not the weak link.

What PCI PTS 6x does not cover

PCI 6.x does not cover:

• Your acquirer’s processor certification. Every acquirer has its own certification program that verifies the transaction messaging, the BIN ranges, the receipt format, and the edge-case behavior when talking to their specific host. PTS-approved hardware still needs to pass acquirer certification before it can process a live transaction.
• Your POS application’s handling of returned data. When the SUNMI payment app returns the masked PAN, the auth code, and the EMV tag data to your POS app, what happens next is your responsibility. If you log it to disk without encryption, you have a problem PTS does not solve.
• Your network architecture. PTS is about the device. PCI DSS is about everything else. DSS still applies to your store network, your back office, your back-end systems.
• Regulatory compliance outside PCI. Anti-fraud rules, state regulations, Canadian provincial rules, and card-brand-specific programs (for example, Visa and MasterCard operating regulations) sit on top of PTS.

The useful mental model: PTS makes the device a trusted component. Everything that happens above, below, or alongside the device is still subject to the broader compliance regime.

The EMV kernel layer

Inside the PTS boundary, a PTS-certified device also needs EMV kernel certification. EMV is the chip-card standard used globally for in-person card transactions. A PTS-approved device runs EMV kernels that have themselves been certified against EMV Level 1 (physical) and EMV Level 2 (logical) specifications.

On SUNMI P2-series devices, the current EMV kernel is EMV 100, which replaces the older EMV 001 on early P2 units. The kernel version is surfaced in the payment service settings and via an SDK API for ISV partners who need to read it. When your acquirer asks “which EMV kernel,” that is the source of truth.

Contactless payments are a separate set of kernels. Each card brand publishes its own contactless kernel specification:

• Visa PayWave (contactless Visa)
• MasterCard PayPass (contactless MasterCard)
• American Express ExpressPay (contactless Amex)
• Discover DPAS (contactless Discover)
• UnionPay QuickPass (contactless UnionPay)
• JCB Contactless (contactless JCB)

A SUNMI payment device bundles these kernels in its contactless stack, and each kernel has its own LOA (Letter of Authorization) that proves the kernel has been certified against the card brand specification. When a US acquirer asks for “the contactless kernel LOAs,” they mean this set of documents for the specific device model.

How this maps to SUNMI P2-series devices

The current SUNMI P2 family certifications look like this:

Model	PCI PTS	EMV kernel	Contactless kernels	PED
P2	6.X	100	Visa, MC, Amex, Discover, UnionPay, JCB, Flash	PCI-PED
P2 Pro	6.X	100	Visa, MC, Amex, Discover, UnionPay, JCB, Flash	PCI-PED
P2 Mini	6.X	100	Visa, MC, Amex, Discover, UnionPay, JCB, Flash	PCI-PED
P2 Smartpad	6.X	100	Visa, MC, Amex, Discover, UnionPay, JCB, Flash	PCI-PED
CPad Pay	6.X	100	Visa, MC, Amex, Discover (US-focused set)	PCI-PED

The LOA documentation package that SUNMI maintains for the P2 series covers EMV L1 Contact, EMV L2 Contact, EMV L1 Contactless, each of the card-brand contactless kernels listed above, Flash, PCI-PED, and TQM (Terminal Quality Management). Rosper can send the current LOA package on request for a procurement or certification review.

What US and Canadian operators still need to do

Knowing the PCI 6.x SUNMI payment devices are EMV-kernel-certified is the starting point, not the finish line. For a US or Canadian deployment, the remaining work is:

Pick an acquirer and pass their certification. Every acquirer (Fiserv, Chase Paymentech, Global Payments, Elavon, Moneris in Canada, Global Payments Canada, and a long tail of smaller processors) has its own device certification program. Ask them up front whether they have a live integration with SUNMI P2-series devices. Many do, either directly or through a gateway. The existing integration, if present, dramatically shortens certification time.

Decide on your semi-integrated mode. The way your POS app talks to the SUNMI payment app determines the integration surface. The four options and when each one fits are covered in detail here.

Design your data-handling path. The SUNMI payment app returns a sanitized response (masked PAN, auth code, EMV tag data). Decide where that data goes, how it is logged, and what is retained. This is your PCI DSS surface.

Plan your key management. If your acquirer does remote key injection, SUNMI devices support it. If your acquirer requires local key loading, you need the LKI (Local Key Injection) workflow in place. Rosper can help plan the key management approach.

Plan your receipt workflow. Decide whether the SUNMI payment app prints the receipt or your POS app does. Both are supported. The choice affects the user experience and the receipt-layout work.

A common misconception: “PTS 6.X is all I need”

We hear this often: “SUNMI P2 Pro is PCI PTS 6x certified, so we can process payments on day one.” That is not correct. PTS 6.X means the device has been independently evaluated and approved as a PIN transaction security boundary. Processing a live transaction requires:

• A PTS-approved device (yes, SUNMI P2 Pro is).
• EMV kernel certification (yes, SUNMI P2-series ships EMV 100).
• Contactless kernel certification for each card brand you want to support (yes, per the table above).
• Acquirer certification of the device on the acquirer’s host (your responsibility, with Rosper and SUNMI support).
• A signed merchant services agreement with the acquirer (your responsibility).
• PCI DSS compliance for your environment above the device (your responsibility).

Miss any of these and you do not have a live payment deployment. Have all of them and you do.

How Rosper helps with the PTS and EMV layer

Rosper is the distributor, not the acquirer. What we do in the PTS and EMV layer:

• Confirm the current PCI PTS 6x approval status for any SUNMI model you plan to deploy.
• Send the current SUNMI LOA package on request (EMV L1 and L2 Contact, L1 Contactless, card-brand contactless kernels, Flash, PCI-PED, TQM).
• Introduce you to US acquirers with existing live SUNMI integrations.
• Help you size the fleet for your deployment and handle the delivery logistics into your stores.
• Stand up your Partner Portal MDM and stage the payment app policies. See the SUNMI MDM Partner Portal guide for details.

We do not issue the merchant services agreement or provide acquiring services. That is the acquirer’s relationship with you.

Frequently asked questions

Q: Is the SUNMI P2 Pro PCI PTS 6x certified?
Yes. The SUNMI P2 Pro is PCI PTS 6x approved, as are the P2, P2 Mini, P2 Smartpad, and CPad Pay.

Q: Does PCI PTS 6x mean I can process live transactions on day one?
No. PTS is a device certification. Live transactions additionally require acquirer certification, EMV kernel certification (already in place on SUNMI), card-brand contactless certification (already in place), and PCI DSS compliance for your environment above the device.

Q: Which EMV kernel ships on SUNMI P2-series devices?
Current P2 Pro, P2 Mini, P2 Smartpad, and CPad Pay units ship with EMV kernel 100. Early P2 units running EMV 001 can be updated.

Q: Which contactless kernels are certified on SUNMI P2-series?
Visa PayWave, MasterCard PayPass, American Express ExpressPay, Discover DPAS, UnionPay QuickPass, and JCB Contactless. Flash is also included for legacy integrations.

Q: Can Rosper send the SUNMI LOA package for procurement?
Yes. Rosper can send the current SUNMI LOA package for the P2 family on request for procurement or certification review.

Q: Do I still need to do PCI DSS compliance if my device is PTS 6.X?
Yes. PTS covers the device. PCI DSS covers your broader environment, your network, your storage, your processes. The two are complementary.

Talk to Rosper about a compliant deployment

If you are planning a North American SUNMI payment deployment and want a clear walk-through of PCI PTS 6x, EMV, and acquirer certification, use our contact page. You can also start from the SUNMI P2 Pro product page or the CPad Pay page.

Further reading and external standards

• PCI SSC: PTS Approved Devices
• EMVCo: Contactless Specifications