
Build vs buy

You do not have to become a payments company

Bolt EV · 7 May 2026 · 7 min read

The job you didn’t apply for

You set out to operate charging sites. Somewhere along the way you discovered you were also running a payments operation: holding card data, integrating an acquirer, generating tax-legal receipts in every country you touch, fielding chargebacks, and quietly maintaining all of it while the standards underneath shift.

Nobody decided to become a payments company. It accreted. A driver needs to pay at an unattended machine, AFIR makes the card reader non-optional on high-power DC, and suddenly the roadmap carries a payments workstream that never ships.

Here is the uncomfortable part: none of that work makes your network better than the one down the road. It is table stakes that cost like a moat.

What “owning payments” actually contains

When a charge point operator (CPO) says it will “handle payments itself,” it is signing up for a stack most teams never fully price out:

  • PCI-DSS scope. Not a certificate you frame — an architecture you live inside. The moment card data touches your systems, your servers, networks, logging, and access controls inherit the scope (PCI Security Standards Council). The cheapest posture is the one where sensitive data never lands in your estate at all, and engineering that boundary is itself a project.
  • Acquirer integrations. One acquirer is an integration. Multiple acquirers across multiple countries is a routing problem: different APIs, different capture and refund semantics, different settlement timing, different failure modes. Each one drifts on its own release schedule.
  • A fiscal regime per country. Not a PDF emailed to the driver, but a receipt the tax office will accept. In most of Europe that means a country-specific round trip: a fiscal signature requested from an invoicing provider, returned to the unattended terminal, embedded in the receipt. OCPI’s payments module stops at the financial-advice layer; it carries nothing for the country-specific fiscal signature. You build that bridge per country, and you maintain it as each country’s rules change.
  • Dispute and exception handling. The happy path is a rounding error in the total work. The real cost is the non-happy path: refunding the unused portion of a pre-authorization hold, a partial capture when a session ends early, a finalization that fails after the energy was delivered, a charger and an acquirer that disagree about what happened. Each needs an owner, a runbook, and reconciliation.
  • Pre-authorization strategy. A subtle one, and entirely yours to get wrong. One fixed hold, incremental re-auth, or a driver-declared target — the choice swings your decline rates, your driver experience, and your cash flow. OCPI’s payments module standardizes the pieces around the edges: a Terminal object, a Financial Advice Confirmation carrying the captured total, a preauthorize amount on the tariff (OCPI DirectPayment). It says nothing about which strategy to run. That judgment, and its consequences, sit with you.

Read that list again and ask which item a driver will ever thank you for. None of them. They thank you for chargers that work and sites that are where they need to be.

The cost you can’t see on the quote

The build-vs-buy conversation usually fixates on the build: the sprint count, the integration, the launch. That number is the small one.

The expensive number is staying correct forever.

Acquirer APIs deprecate endpoints. OCPI versions advance. Your CSMS ships releases. AFIR’s requirements phase in — new high-power units already need the contactless reader, and existing ones face a 2027 retrofit deadline. A tax authority rewrites its signature format. None of these arrive on your schedule, and each one can quietly break the path between a driver tapping a card and you getting paid.

And the failures are silent. Picture the most ordinary version: a driver charges, the capture succeeds, money moves — but the fiscal-signature request times out, and no valid receipt is ever issued. Nothing alerts. The session looks settled on every dashboard you have. Months later, in an audit, you learn that a slice of your sessions billed real money against receipts the tax office never accepted, and now you are reconstructing them by hand. That is one failure mode out of dozens, and it lived entirely in the gap between “the payment worked” and “the books are correct.”

A payments stack is not a feature you finish. It is a standing liability that needs a team to keep it alive.

The day you stop maintaining it is the day it starts failing — and rarely as loudly as the audit. A pre-authorization hold that never releases and ties up a driver’s funds. A reconciliation gap between the CDR and the settlement file that no one is watching. You hear about it from angry drivers, not from a metric. That recurring cost — the on-call rotation, the regression suite against a moving acquirer, the per-country fiscal maintenance, the PCI audit cadence — is the part that never appears on the original estimate and never goes away.
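The silent failures described above (a capture with no fiscal receipt, a hold that never releases, a CDR and a settlement file that disagree) are the kind a scheduled reconciliation job can surface before an audit does. The sketch below is an added example, not Bolt's code or part of OCPI; the record fields, finding labels, and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    session_id: str
    cdr_total: int                   # CDR total cost, minor units (cents)
    preauth_hold: int                # amount held at pre-authorization
    captured: int                    # amount finally captured at the acquirer
    hold_released: bool              # unused remainder of the hold confirmed released
    fiscal_signature: Optional[str]  # None if the signing round trip never completed

def reconcile(sessions, settlement):
    """Return sorted (session_id, finding) pairs for sessions whose books are not correct.

    settlement maps session_id -> amount reported in the acquirer's settlement file.
    """
    findings = []
    for s in sessions:
        # Money moved but no receipt the tax office would accept was issued.
        if s.captured > 0 and not s.fiscal_signature:
            findings.append((s.session_id, "captured_without_fiscal_receipt"))
        # Partial capture whose remainder is still tying up the driver's funds.
        if s.captured < s.preauth_hold and not s.hold_released:
            findings.append((s.session_id, "unreleased_hold_remainder"))
        # Charger and acquirer disagree about what the session cost.
        if s.captured != s.cdr_total:
            findings.append((s.session_id, "capture_differs_from_cdr"))
        # Captured amount is missing from, or differs in, the settlement file.
        if settlement.get(s.session_id) != s.captured:
            findings.append((s.session_id, "settlement_mismatch"))
    return sorted(findings)

# Constructed sample data (not real sessions).
SESSIONS = [
    Session("S-001", 1840, 5000, 1840, True, "SIG-A1"),   # clean
    Session("S-002", 2210, 5000, 2210, True, None),       # signature request timed out
    Session("S-003", 960, 5000, 960, False, "SIG-C3"),    # hold never released
    Session("S-004", 3125, 5000, 3000, True, "SIG-D4"),   # capture below CDR total
    Session("S-005", 1500, 5000, 1500, True, "SIG-E5"),   # absent from settlement file
]
SETTLEMENT = {"S-001": 1840, "S-002": 2210, "S-003": 960, "S-004": 3000}

if __name__ == "__main__":
    for sid, finding in reconcile(SESSIONS, SETTLEMENT):
        print(sid, finding)
```

Each finding maps to a runbook owner; the point is that a session that looks settled on a dashboard still fails at least one of these checks.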

Differentiation is the wrong word for it

The strategic question is brutally simple: does any of this make you win?

Your edge is the network and the sites. It is uptime, location, the DC charger that actually delivers its rated power on a cold morning — a unit that costs far more than an AC point and lives or dies on reliability. It is coverage where drivers are stranded without it. Nobody chooses a charging stop because the operator wrote an elegant incremental re-authorization scheme.

Payments is infrastructure. Like the road to the site, you need it to be there and to be correct, and there is no prize for paving it yourself. Every engineer you assign to maintaining acquirer integrations is an engineer not assigned to the thing drivers actually pick you for.

This is the standard pattern of every mature industry: the layer that everyone needs and nobody differentiates on gets built once, by someone whose entire job is keeping it correct, and the rest of the market plugs in.

Plug in a layer, don’t staff a team

“Buy” here does not mean handing your business to a processor and renting back access to your own customers. That is the trap that makes operators want to build in the first place — the fear of losing the merchant relationship and eating card-not-present economics on small sessions.

The neutral model is different. You stay the merchant. Funds settle to your own acquirer, on card-present terms. That distinction is not cosmetic. A real card tapped at the machine is card-present, the low-risk economics built for in-person retail. An app or web form that takes a card the machine never sees is card-not-present, carrying the higher markups built for fraud-prone remote commerce — the kind that quietly devours a slow AC session. The money never routes through Bolt. We are not in the flow, never the Merchant of Record, never holding your cash.

What plugs in is the engine, not the bank account. Bolt bridges payments over OCPI so it rides on any charger, any CSMS, any modern terminal — never a bespoke POS welded to one charger model. It runs:

  • the pre-authorization strategy, the partial captures, and the refund of the unused hold;
  • the failed-finalization recovery and the reconciliation when the CDR and the acquirer disagree;
  • the country-specific fiscal signature, carried both ways, so the driver leaves with a receipt the tax office accepts rather than a PDF.

And when the acquirer API moves, or OCPI versions, or a country rewrites its rules, that is the engine’s problem to absorb — built once for the whole market.

This isn’t theoretical. Optechain holds an OCPI Full Contributor membership in the EV Roaming Foundation — a seat at the table where the spec is maintained. When OCPI moves, we are in the room, not chasing it from the outside; ad-hoc terminal payments are being standardized as the DirectPayment use case the payments module now carries.

Because it is a layer and not a lock-in, you can swap your terminal, change acquirer, or add a country without re-platforming. The driver flow stays the same everywhere: park, walk to a machine they’ve never seen, key in an amount, tap a card — Apple Pay and Google Pay included, because a contactless reader takes wallets too — charge, get status by link, get a legal receipt by link, unplug to stop.

The honest accounting

So price it out honestly. Owning EV payments yourself means PCI scope you architect around, an acquirer integration per market, a fiscal round trip per country, a dispute-and-exception function, a pre-authorization strategy you have to get right, and the standing cost of keeping every piece correct as the ground moves — in exchange for zero competitive advantage.

The alternative is to treat payments as what it is: a layer you plug in and a problem someone else maintains, while you keep your acquirer, your CSMS, and your full attention on the network and the sites that are the only things a driver ever chose you for.

You do not have to become a payments company. You just have to refuse to.
