Navigating the PCI MPoC: A Standard for Mobile Payment Acceptance Security

13/03/2025

In a recent webinar, Albert Martorell, HW with Security Boxes Technical Domain Manager in the cybersecurity area of Applus+ Laboratories, gave a detailed overview of the PCI MPoC standard. This article summarises the key points discussed, covering the structure, scope, assessment criteria, technical requirements, and certification of the standard. Albert's presentation was part of a webinar titled PCI MPoC: Certifying SoftPOS Security.

Mobile Payment Ecosystem

An everyday action, such as purchasing a product or service, relies on a complex ecosystem in which payment brands play a key role. These brands own and oversee the ecosystem and ensure its security through the evaluations and certifications required of all stakeholders. PCI SSC is an association formed by the major payment brands and is responsible for publishing guidance and requirements for PIN and PAN security. It manages a broad range of programmes designed to secure the payment ecosystem, including PCI DSS, PTS, PIN, P2PE, SSF, 3DS, MPoC, SPoC, CPoC, TSP, and Card Production.

This ecosystem includes banks, merchants, and service providers, but also extends to manufacturers and developers of payment solutions. A payment transaction involves multiple parties: the consumer uses the merchant's payment app, which interacts with a payment processor and with attestation and monitoring services, and the payment data is passed to the acquirer. The acquirer then assesses the transaction's risk and coordinates with the payment brand and the issuer for final acceptance.

To operate within this ecosystem, solution providers sell their payment solutions to merchants, while service providers supply their products and services to solution providers. All of these entities must first undergo functional and security evaluations. On the security side, they must comply with both international standards (such as PCI) and local regulations (such as Common.SECC) before they can proceed with their business operations. At Applus+ Laboratories, we offer the expertise and certification services needed to navigate these requirements successfully.

PCI MPoC Standard in Brief

PCI MPoC (Mobile Payment on Commercial Off-The-Shelf) is a standard that enables payment acceptance on mobile devices such as smartphones, tablets, or POI devices. Its scope includes enterprise devices that are not intended for purchase or use by the public, but explicitly excludes bare-board devices such as the Raspberry Pi. The standard consolidates the use cases of both the CPoC and SPoC standards.

An eligible MPoC device must include at least a native COTS PIN entry or a contactless interface, along with one EMVCo-compliant card entry method (contact, contactless, or magnetic stripe). Beyond that, the product's architecture remains fully open to developer innovation, provided it meets the PCI MPoC requirements.

A merchant-ready product under this standard is known as an MPoC Solution, which can be built using either a monolithic (all-in-one) or a modular approach. In a modular design, an MPoC Software component is integrated with an MPoC Service, which comprises MPoC Attestation & Monitoring (A&M) and Payment Services.

PCI MPoC Version 1.1 Changes

In November 2024, PCI released the new PCI MPoC v1.1 requirements while keeping PCI MPoC v1.0.1 in force. This makes version 1.1 an optional but valuable certification path for MPoC products.

PCI MPoC v1.1 introduces greater flexibility for service and solution providers, an enhancement that had been widely requested by the industry. This flexibility begins with an expanded MPoC definition that now includes POI devices and enterprise devices not intended for public purchase or use. It also allows one SDK to be integrated within another, so that MPoC SDKs can be embedded into non-payment SDKs (e.g., for transport use cases), and it supports multiple payment SDKs while segregating payment functions from A&M functions.

Benefits of PCI MPoC Certification

The new MPoC version incorporates the market's most pressing demands, making certification more flexible and efficient and allowing for faster adoption. Applus+ Laboratories can support you throughout the entire MPoC certification process, covering both functionality and security, and help you identify the most valuable and suitable certification path for your needs.

Webinar and Presentations

Published on 26 November 2024, version 1.1 of the PCI Mobile Payments on COTS (MPoC) Standard provides increased flexibility in how payments are accepted and in how COTS-based payment acceptance solutions can be developed, deployed, and maintained. In this webinar we explore the MPoC ecosystem and how it will transform the landscape of mobile payments, offering greater security, scalability, and efficiency for both merchants and consumers.

Download the Presentation


Watch the video of the webinar on YouTube
