After years of hard work, including a lot of feedback from the community, PCI SSC has finally released their new security standard for accepting card payments on merchant devices like smartphones or tablets. It is called Mobile Payments on Commercial Off-The-Shelf (MPoC). The new standard has the potential to replace individual Tap-to-Phone plus PIN (TTP+PIN) pilot initiatives.
What does the new standard entail?
The new PCI MPoC standard integrates the existing use cases from the CPoC and SPoC standards, and also adds new payment functionality and new ways of certification. Most notably, the new payment functionality includes PIN-based transactions without an additional security device attached to the merchant’s smartphone, and adds support for offline transactions. Because of the modular design of the standard, future functionality can be integrated easily. This development completes the evolution from highly specialized and physically secured POS terminals to the use of smartphones as Point-of-Sale (POS) terminals. It should also ultimately lead to an even broader acceptance of credit and debit card payments in small shops and mobile locations.
Most importantly, the new standard enables modular certification: it allows for the certification of MPoC Software (including an application or SDK on the device) alongside the certification of a complete MPoC Solution. It is also possible to certify only Attestation and Monitoring as a Service. With this, the new MPoC standard better aligns with the distinct worlds of mobile application development and payment acceptance.
Another goal PCI had when developing the standard was to give solution providers more flexibility in how they achieve the security objectives. This means that the security and test requirements are less prescriptive than those in CPoC and SPoC. Instead, the focus is on meeting the security objectives rather than on exactly how this is achieved.
Riscure MPoC evaluation service
Riscure has already received all the required accreditations in mobile security from EMVCo, PCI SSC and individual payment schemes. Riscure is also one of the participating organizations that provided feedback and helped shape the current standard. This knowledge and extensive experience in mobile security evaluations allow us to accommodate our customers’ needs in evaluating their products and solutions in line with the MPoC standard.
Watch our webinar to learn more about MPoC
As MPoC is a new standard, vendors are expected to have many questions about its content. Watch the full webinar to understand the ins and outs of MPoC and how Riscure can help vendors evaluate and improve their security based on the new standard. The topics discussed in the webinar were:
- The different certification options, including roles and responsibilities
- The different MPoC application and SDK types
- The risk-based approach
- The relationships with other PCI standards such as DSS, PIN and the Secure Software Framework
- The various domains in the standard and how they relate to each other
- Some specific requirements that we believe need special attention