PCI Mobile Payments on Commercial Off-The-Shelf (MPoC) is a new standard that supersedes and expands on current mobile acceptance standards. Riscure can help you understand, prepare, review, and certify your solution under the PCI MPoC program. We help you understand where you are and the path forward.
What does the MPoC standard entail?
The PCI MPoC standard integrates the existing use cases from the CPoC and SPoC standards, and also adds new payment functionality and new ways of certification. Most notably, the new payment functionality includes PIN-based transactions with or without an additional security device attached to the merchant’s smartphone and adds support for offline transactions. Because of the modular design of the standard, future functionality can be integrated easily. This development completes the evolution from highly specialized and physically secured POS terminals to the use of smartphones as Point-of-Sale (POS) terminals. This should also ultimately lead to an even broader acceptance of credit and debit card payments in small shops and mobile locations.
Another goal that PCI had when developing the standard is to give solution providers more flexibility in how to achieve the security objectives. This means that the security and test requirements are less prescriptive than those in CPoC and SPoC. Instead, the focus is more on meeting the security objectives and less on exactly how this is achieved.
How can we help you?
Riscure is able to support any new or well-established solution provider in the softPOS space, from the early stages of design to getting the solution listed by the PCI SSC. Our services can be adapted to your technology and needs.
Benefits of working with Riscure
Riscure has received the required accreditation from PCI SSC to serve solution providers with the PCI MPoC security services. Equally, Riscure is one of the participating organizations that provided feedback and helped shape the current standard. This knowledge and extended experience in security evaluations allow us to accommodate our customers’ needs in evaluating their Products and Solutions in line with the MPoC standard.
Mobile device security track record
Riscure is the leading laboratory for mobile security evaluations. As of today, Riscure has completed more than 200 security evaluations on HCE (mobile wallets) solutions, 50 security evaluations of Tap-to-Phone solutions, and 25 OEM Pay security evaluations, making us not only an experienced laboratory but also the most efficient one.
We have the following experience and qualifications, which ensure that you will receive security advice meeting the highest international standards:
- Riscure was the first lab to perform security evaluations of HCE, OEM Pay (TEE-based), and Tap-to-Phone solutions, supporting the payment schemes to scale their security certification programs.
- Riscure was the first lab to perform Side-Channel Analysis (DCA) and Fault Injection (DFA) on White-box cryptographic solutions, developing and performing such testing since 2012. Since then, Riscure has worked with nearly all commercial WBC solution providers, enabling them to harden their solutions further.
- Riscure has performed over 25 OEM (TEE-based) Pay Security evaluations with multiple smartphone vendors.
- Riscure has performed over 250 security evaluations of mobile payment solutions for Android handsets, based on HCE, NFC, TEE, and Secure Elements.
- Riscure has performed over 80 security evaluations on Tap-to-Phone solutions.
- Riscure has performed over 25 security evaluations of mobile DRM solutions for Android and iOS.
- Riscure has performed over 25 security evaluations of mobile ID and biometric solutions.
- Riscure has performed multiple security evaluations on Android phones, including security reviews, logical testing, and fault injection using power or EM, targeting, for example, the boot process.