PCI PTS certified Android payment terminals: why SUNMI leads the market

When banks, fintechs, and payment service providers evaluate Android payment terminals for deployment, PCI PTS certification is the first qualification that separates compliant hardware from everything else. A PCI PTS certified Android payment terminal has passed rigorous testing by an accredited laboratory to verify that its hardware and firmware protect cardholder PIN data throughout the transaction lifecycle. Terminals without this certification are not approved for PIN-based debit transactions by major card networks and carry significant compliance risk.

SUNMI has built its entire P-Series payment terminal lineup around PCI PTS certification, making it one of the few Android hardware manufacturers with a broad portfolio of certified devices across multiple form factors. This article explains what PCI PTS certification means, why it matters for your terminal procurement decisions, and which SUNMI devices carry current certifications.

What is PCI PTS certification?

PCI PTS (Payment Card Industry PIN Transaction Security) is a set of security requirements published by the PCI Security Standards Council that governs the physical and logical security of devices that accept PIN entry for payment transactions. Any device where a cardholder enters their PIN must meet PCI PTS requirements to be approved for use by major card networks including Visa, Mastercard, American Express, and Discover.

The certification evaluates three critical security domains:

  1. Physical security: The device must be tamper-resistant. If someone attempts to open the device, access its internal components, or attach a skimming device, the terminal must detect the intrusion and destroy sensitive data (including encryption keys) before it can be extracted.

  2. Logical security: The firmware and software running on the device must isolate PIN entry from all other functions. The PIN must be encrypted immediately upon entry using strong cryptographic methods, and the clear-text PIN must never be accessible to any application, process, or external interface.

  3. Device management: The terminal must support secure firmware updates, key injection, and configuration changes. Management interfaces must be authenticated and encrypted to prevent unauthorized access.

PCI PTS certification versions evolve over time, with each new version introducing stricter requirements. The current versions most commonly seen in production are PCI PTS 5.x and PCI PTS 6.x, with version 6.2 being the latest. Older versions eventually reach their expiration dates, after which card networks no longer accept transactions from terminals carrying only the expired certification.

When we advise payment service providers on terminal procurement, the PCI PTS version is one of the first data points we check. A terminal certified to PCI PTS 6.x will have a longer useful life than one certified to 5.x, simply because it will remain compliant further into the future.

Why PCI PTS certification matters for your business

Deploying payment terminals without PCI PTS certification exposes your organization to financial, legal, and operational risks that far outweigh any short-term cost savings on hardware. Here is why certification is non-negotiable for serious payment operations.

Card network compliance: Visa, Mastercard, and other card networks require that all PIN-accepting terminals in their ecosystem carry current PCI PTS certification. Deploying non-certified terminals violates your merchant agreement and network operating rules. If a data breach occurs on a non-certified device, your organization bears full liability.

Acquirer requirements: Acquiring banks and payment processors audit the terminal hardware used by their merchants and ISOs. Non-certified terminals will fail these audits, potentially resulting in suspended processing privileges.

Insurance and liability: Cyber liability insurance policies typically include clauses requiring PCI-compliant infrastructure. A breach involving non-certified terminals could void your coverage and leave your organization responsible for fraud losses, forensic investigation costs, and card network fines.

Consumer trust: High-profile data breaches involving payment terminals have eroded consumer confidence in card-present payments. Deploying certified hardware demonstrates your commitment to protecting cardholder data.

According to the Nilson Report, global card fraud losses exceeded $33 billion in 2024, with card-present fraud remaining a significant category. PCI PTS certified terminals are specifically engineered to prevent the physical attack vectors (skimming, shimming, eavesdropping) that drive card-present fraud.

The bottom line: if your terminals accept PIN entry, PCI PTS certification is a requirement, not a feature. Any vendor selling payment terminals without this certification for PIN-debit use cases is either uninformed or hoping you will not ask.

SUNMI PCI PTS certified payment terminals

SUNMI’s P-Series payment terminals are purpose-built for financial transactions and carry PCI PTS certifications across the lineup. All P-Series devices also hold EMV L1 (contactless reader interface) and EMV L2 (payment kernel) certifications from major card organizations.

Here is a breakdown of SUNMI’s certified payment hardware:

SUNMI P2 SE

The P2 SE is a handheld payment terminal with a built-in thermal printer, designed for table-side payments, delivery, and field service. It carries PCI PTS 6.0 certification and supports chip and PIN, chip and signature, magstripe, contactless (NFC), and QR code payments. The device runs SUNMI OS on Android and includes PayPass (Mastercard) and PayWave (Visa) certifications.

SUNMI P2 LITE SE

The P2 LITE SE is a cost-optimized handheld terminal targeting high-volume, price-sensitive deployments. It carries PCI PTS 6.x certification — covering the full PCI PTS 6.x family including EMV L1/L2, POI, and cardholder data protection — along with PayPass and PayWave for contactless NFC payments. This model is ideal for PSPs deploying large fleets where per-unit cost is a primary consideration without compromising on security certification.

SUNMI P3

The P3 is a premium handheld terminal with a larger display and more processing power. It carries PCI PTS 6.2 certification, the latest version available, which means it will remain compliant with card network requirements further into the future than terminals certified to older versions. The P3 runs SUNMI OS based on Android 11 and meets the highest security standards in the industry.

SUNMI P3H

The P3H is a countertop payment terminal with a docking station, designed for fixed checkout environments including retail counters, bank branches, and unattended kiosks. It carries PCI PTS and EMV certification with the same security architecture as the P3 in a stationary form factor.

All of these devices are available through Rosper’s product catalog with US and Canadian inventory.

Shared EMV Common Kernel

A significant technical advantage of SUNMI’s approach is the shared EMV Common Kernel that runs across all P-Series devices. When SUNMI obtains a new EMV Level 3 payment certification (such as the POSRouter certifications announced in August 2023 via PR Newswire), that certification extends to new P-Series models without requiring a separate certification process for each device. This accelerates time-to-market for new hardware and reduces certification costs for PSPs.

How PCI PTS certification works alongside EMV certification

PCI PTS and EMV certification serve different but complementary purposes in the payment security ecosystem. Understanding the distinction helps PSPs evaluate terminal compliance more accurately.

PCI PTS governs the physical and logical security of the terminal hardware, focusing on PIN protection and tamper resistance. EMV certification covers the payment application layer and has three levels: L1 (physical card reader interface), L2 (payment kernel software), and L3 (complete end-to-end transaction flow with the acquirer).

SUNMI payment terminals carry all three EMV levels plus PCI PTS certification. L2 certifications cover Mastercard, Visa, American Express, JCB, D-PAS, and UnionPay. This layered approach means every component of the transaction has been independently tested and certified.

Both certifications are mandatory for production deployments. A terminal with EMV certification but without PCI PTS is not approved for PIN entry. A terminal with PCI PTS but without EMV L3 cannot process chip card transactions through the card network.

The risks of deploying non-certified terminals

The Android ecosystem includes thousands of devices capable of reading NFC signals and processing basic transactions. However, the vast majority of these devices lack PCI PTS certification and are not suitable for processing card-present payments involving PIN entry. Here are the specific risks of deploying non-certified hardware.

Tamper vulnerability: Non-certified devices have not been tested for physical tamper resistance. An attacker with brief physical access could install a skimming overlay or PIN-capture device without triggering any alarm. PCI PTS certified terminals detect physical intrusion and automatically wipe encryption keys.

PIN exposure: A compromised application on a non-certified device could potentially capture clear-text PINs. Certified terminals encrypt PINs at the point of entry in hardware-isolated secure elements inaccessible to the application layer.

Key management gaps: Non-certified devices typically lack secure key storage and key injection infrastructure. If encryption keys are stored in software rather than in a hardware security module, they are vulnerable to extraction.

Regulatory and audit risks: Deploying non-certified terminals violates card network operating rules, can result in suspended processing privileges, and triggers immediate flags during compliance audits. The cost of replacing every non-certified device always exceeds any initial hardware savings.

For a practical comparison of different SUNMI terminal form factors, see our SUNMI V3 series buying guide.

SUNMI OS: the security layer between Android and payments

One common concern about Android payment terminals is whether the Android operating system is inherently secure enough for financial transactions. The answer is that stock Android is not, which is exactly why SUNMI developed SUNMI OS for Payment.

SUNMI OS adds four critical security layers: a secure boot chain that cryptographically verifies every firmware component before the device starts; application sandboxing that isolates payment apps from all other processes; consumer features that are restricted by default (USB debugging, developer options, and unauthorized app installation); and OTA update integrity checks that prevent tampered firmware from being installed.

The combination of PCI PTS certified hardware and SUNMI OS creates a defense-in-depth approach where physical security, firmware integrity, application isolation, and cryptographic key protection work together to protect cardholder data.

For a complete look at how SUNMI OS integrates with the broader payment ecosystem, see our SUNMI payment solution overview.

Additional security certifications SUNMI terminals hold

Beyond PCI PTS, SUNMI payment terminals hold a comprehensive set of industry certifications that address different aspects of payment security and regional compliance.

Card organization certifications: The chip reader (EMV L1) and payment kernel (EMV L2) installed on SUNMI terminals have passed certification from EMV (the consortium), Mastercard (PayPass/TQM), Visa (PayWave), American Express (AE CE), JCB, D-PAS, and UnionPay. These certifications confirm that the terminal correctly implements each card network’s transaction protocols.

P2PE component certifications: SUNMI’s Remote Key Injection (RKI) solution has achieved CA/RA (Certificate Authority/Registration Authority) and KIF (Key Injection Facility) component certifications under PCI PIN and P2PE (Point-to-Point Encryption) standards. This means the key injection process itself meets PCI security requirements, not just the terminal hardware.

Regional certifications: SUNMI terminals have obtained payment-related certifications in multiple countries and regions, including the United States, United Kingdom, Germany, Portugal, Brazil, India, Japan, Malaysia, Vietnam, and Indonesia. For PSPs operating across the US and Canada, the North American certifications ensure compliance with local card network requirements.

SUNMI terminals also carry FCC (US), IC (Canada), CE (Europe), and RoHS certifications. This layered certification approach is what separates a true PCI PTS certified Android payment terminal from a generic Android device with a card reader attached.

How to verify PCI PTS certification before purchasing

Before deploying any payment terminal, PSPs should independently verify its PCI PTS certification status. Here is a practical verification process:

  1. Check the PCI SSC device listing: The PCI Security Standards Council maintains a public database of approved POS devices at pcisecuritystandards.org. Search for the manufacturer and model to confirm certification status.
  2. Verify the PCI PTS version: Higher versions (6.0, 6.2) have longer remaining lifespans before expiration.
  3. Check EMV certification: Verify EMV L1, L2, and L3 certifications for the card networks you need.
  4. Request documentation: Ask your vendor for copies of actual certification letters.
  5. Confirm expiration dates: Terminals certified to older versions may only have a few years of remaining compliance.
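The five checks above can be run across a whole fleet inventory rather than model by model. The following is an added example, not code from Rosper, SUNMI, or the PCI SSC: the vendor and model names, versions, and expiry dates are constructed placeholders, and the thresholds (prefer PTS 6.x, at least three years of approval remaining) are assumed procurement policy. The listing extract is assumed to be transcribed by hand from the PCI SSC device listing.

```python
from datetime import date

# Constructed extract of the approved-device listing (step 1). Placeholder
# models, versions and expiry dates, NOT real PCI SSC listing data.
LISTING = {
    ("ExampleVendor", "TERM-A"): {"pts": "6.2", "expires": date(2035, 4, 30)},
    ("ExampleVendor", "TERM-B"): {"pts": "5.1", "expires": date(2027, 4, 30)},
}

# Constructed fleet inventory: EMV levels and documents collected from the vendor.
FLEET = [
    {"vendor": "ExampleVendor", "model": "TERM-A", "emv": {"L1", "L2", "L3"}, "letters": True},
    {"vendor": "ExampleVendor", "model": "TERM-B", "emv": {"L1", "L2", "L3"}, "letters": True},
    {"vendor": "ExampleVendor", "model": "TERM-C", "emv": {"L1", "L2"}, "letters": False},
]
REQUIRED_EMV = {"L1", "L2", "L3"}

def audit(device, listing, today, min_years_left=3, min_major=6):
    """Return findings for one device; an empty list means every check passed."""
    findings = []
    entry = listing.get((device["vendor"], device["model"]))
    if entry is None:                                  # step 1: must be listed
        findings.append("not in approved-device listing")
    else:
        major = int(entry["pts"].split(".")[0])        # step 2: PTS version
        if major < min_major:
            findings.append(f"PTS {entry['pts']} below preferred {min_major}.x")
        days_left = (entry["expires"] - today).days    # step 5: expiration
        if days_left < 0:
            findings.append("approval expired")
        elif days_left < min_years_left * 365:
            findings.append(f"approval expires in {days_left} days")
    missing = REQUIRED_EMV - device["emv"]             # step 3: EMV levels
    if missing:
        findings.append("missing EMV " + ", ".join(sorted(missing)))
    if not device["letters"]:                          # step 4: documentation
        findings.append("no certification letters on file")
    return findings

def audit_fleet(fleet, listing, today):
    """Map each model to its findings so failures can be reviewed together."""
    return {d["model"]: audit(d, listing, today) for d in fleet}

if __name__ == "__main__":
    for model, findings in audit_fleet(FLEET, LISTING, date(2026, 4, 1)).items():
        print(model, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

A model that is absent from the listing is treated as a failure rather than skipped, so an unlisted device cannot pass by omission.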

When you request a quote from Rosper for SUNMI payment terminals, certification documentation is included as part of the procurement package. All SUNMI devices ship with a 3-year warranty (SUNMI Care Standard) from our 8 warehouses across the US and Canada, with delivery in 2-7 business days.

Frequently asked questions

What does PCI PTS certified mean for a payment terminal?
A PCI PTS certified payment terminal has passed testing by an accredited laboratory verifying that its hardware and firmware meet the Payment Card Industry PIN Transaction Security standards. This certification confirms the device provides tamper resistance, PIN encryption at the point of entry, secure key storage, and authenticated firmware updates. It is mandatory for any terminal that accepts cardholder PIN entry.

Which SUNMI devices are PCI PTS certified?
SUNMI’s P-Series payment terminals carry PCI PTS certifications. The P2 SE is certified to PCI PTS 6.0, the P3 is certified to PCI PTS 6.2 (the latest version), and the P2 LITE SE and P3H also hold PCI PTS and EMV certifications. All P-Series devices additionally carry EMV L1 and L2 certifications from Mastercard, Visa, American Express, JCB, and other card organizations.

What is the difference between PCI PTS and EMV certification?
PCI PTS governs the physical and logical security of the terminal hardware, focusing on PIN protection and tamper resistance. EMV certification covers the payment application layer, verifying that the terminal correctly processes chip card transactions according to card network specifications. Both certifications are required for a terminal to process PIN-based chip card transactions in production.

Can a regular Android tablet be used as a PCI PTS certified payment terminal?
No. Consumer Android tablets and smartphones lack the tamper-resistant hardware, secure PIN entry mechanisms, and hardware security modules required for PCI PTS certification. While SoftPOS technology enables contactless-only payments on some certified Android devices, any terminal accepting PIN entry must have purpose-built PCI PTS certified hardware.

How long does PCI PTS certification last?
PCI PTS certifications are tied to specific version numbers that have defined sunset dates set by the PCI Security Standards Council. Terminals certified to newer versions (such as PCI PTS 6.2) will remain compliant longer than those certified to older versions. PSPs should check the expiration date of a terminal’s certification version before making procurement decisions to ensure adequate remaining compliance lifespan.

About the Author

Micah Morgan — Payment technology analyst at Rosper Technology, specializing in PCI compliance, EMV standards, and POS hardware procurement for North American PSPs and ISVs.

This article was last updated April 2026 to reflect current PCI PTS certification versions.