On Nov. 16, 2022, the Payment Card Industry Security Standards Council (PCI SSC) published the Mobile Payments on Commercial off-the-shelf (MPoC) security standard. The MPoC standard comprises a set of requirements for accepting payments on a commodity mobile device.
MPoC expands on existing standards that enable merchants to use a smartphone or other commercial off-the-shelf (COTS) mobile device to accept payments. The PCI Software-based PIN entry on COTS (SPoC) standard applies to solutions using an external card reader paired with a mobile device that accepts a cardholder’s PIN. The PCI Contactless Payments on COTS (CPoC) standard covers technology using the near-field communication (NFC) receiver in a COTS device but doesn’t permit the cardholder to enter a PIN. MPoC supports both of these use cases and adds further payment acceptance options, including PIN entry for cards read through the COTS NFC receiver, offline payments and manual entry.
MPoC’s place in the history of payment card security
Payment terminals have traditionally used hardware and software custom-designed for payments. However, in recent years, commodity mobile phones and COTS devices have increasingly included the hardware required for accepting payments. When combined with a suitable app, these phones can function as payment acceptance terminals. Let’s look back through the history of technologies developed to support the security of payment cards to get a sense of MPoC’s context within this evolution.
In the 1970s, electronic payment cards were introduced for use in ATMs and merchant payments. Magnetic stripes stored cardholder account information and were, unfortunately, easy to copy. Banks and card brands managed this security risk by adding PIN entry to transactions. Keeping the PIN secret was essential but complicated due to the number of links in the communication path from merchant to card issuer.
During this time, payment terminals were specifically developed and manufactured to support merchants’ and banks’ requirements for processing payments. Banks and payment brands introduced security rules permitting only hardened payment terminals to connect to the payment networks and requiring payment terminals to include anti-tampering mechanisms and undergo independent assessments by a security testing laboratory.
In the 1990s, smart payment cards replaced magnetic stripe cards. The smart payment card contained a small, copy-resistant computer chip that securely stored information. Although PINs were still in use, they did not play as critical a role in the security of smart cards as compared with magnetic stripe cards.
PCI was formed in 2006 with a remit to globally manage payment security-related standards, testing and certification programs. PCI developed the widely successful PIN Transaction Security (PTS) program, requiring payment terminals to meet minimum security standards before they can connect to payment networks.
As smartphones — most with a touch screen that allows for virtual PIN entry with appropriate software support — became widespread in the 2010s, PCI released SPoC as a set of security requirements for protecting PIN entry when used with a mobile phone and dedicated card reader.
Starting in 2015, vendors began integrating NFC technology into smartphones. This new hardware capability allowed mobile applications to interact with contactless payment cards and process transactions. In response, PCI created the CPoC program to test and approve such payment technologies. Due to security concerns, the CPoC program explicitly disallowed PIN entry. This limits CPoC-approved transactions to amounts below the PIN threshold, which varies by country but is commonly around $50-$100 (USD).
As mobile payment acceptance continues to gain momentum worldwide, MPoC is the next step in this evolution, allowing for PIN-based, card-present payments to be accepted and processed using a commodity mobile phone without needing dedicated hardware.
Key features of MPoC
In essence, MPoC is a testing and approval program for payment technologies that use COTS devices and an app instead of a dedicated payment terminal. With the publication of this standard, banks and card brands will likely require all COTS-based, card-present payment technologies to be MPoC-approved before they can connect to the payment networks.
Those familiar with SPoC and CPoC will find compliance with MPoC to be straightforward, as many of its requirements are the same as those of its two predecessor standards. However, there are several notable differences between MPoC and the standards that came before it. PCI designed MPoC to be flexible, modular and objective-based. MPoC combines CPoC and SPoC, allowing for both PIN entry and contactless entry on the same device. The standard supports a range of payment acceptance channels and consumer verification methods on COTS devices, giving providers multiple ways of accepting card-based payments in environments where the payer and card are present.
Rather than assuming or mandating a one-size-fits-all approach to future innovative payment technologies, MPoC is designed to support new technologies as the payment acceptance landscape evolves. Many technology and security standards attract criticism for not keeping pace with innovation, but MPoC remains relevant by design, even as market needs evolve. Because MPoC is objective-based — in contrast with the prescriptive CPoC and SPoC standards — technology providers can implement their own approaches to several security-related decisions.
MPoC’s modular design separates technical and development elements from operational elements. Its modularity allows merchants to certify specific components and seamlessly integrate new technology into their existing technology instead of replacing it in its entirety.
SoftPOS market impacted by MPoC
As PCI developed the MPoC program to test and approve SoftPOS technologies (an umbrella term for payment acceptance technologies in which the only dedicated payment-related components are in the software), SoftPOS users will be the primary sector directly impacted by MPoC. Due to the low setup costs associated with SoftPOS, micro merchants comprise a major market. SoftPOS may also prove attractive to merchants who already have a compatible device (such as a PDA) and can now accept card-present payments without needing additional hardware.
Generally, MPoC can apply to vendors of card-present payment acceptance technologies as well as acquirers and merchants who buy and use them. MPoC-related payment acceptance platforms perform best when deployed in environments where contactless payments are common, and merchants have suitable phones, tablets and other devices with which they can execute the payment. Markets with high penetration rates of contactless payments and considerable interest in MPoC include Australia, Brazil, France, India, Malaysia, Poland, Singapore, South Africa and the U.K.
MPoC’s implications in the payment industry
Because the risk-averse payment industry necessitates many compliance requirements, PCI’s release of MPoC will help establish a way to legitimize SoftPOS technology architectures. MPoC assures stakeholders that the security implications of this new architecture have been considered and that SoftPOS is fit for purpose. MPoC-approved platforms are expected to achieve improved acceptance with banks and card brands, enabling them to compete more easily in the payment acceptance market.
As MPoC encourages the development and implementation of disruptive SoftPOS technology, the release of the MPoC standard may significantly impact the payment acceptance environment in the long term. MPoC permits payment terminals to have more features, narrowing the distinction between a dedicated payment terminal and a SoftPOS device. Lowering the setup cost of payment acceptance will enable more merchants to handle card payments but will also change the market dynamics for payment terminals. The ease of replicating and scaling software relative to hardware may lead to a consolidation of payment acceptance platform providers.
MPoC and UL Solutions testing services for the payment industry
UL Solutions is a leading PCI SPoC and CPoC testing provider with significant experience in this domain. We have invested in additional testing capacity to help our customers attain the approvals required for participation in the evolving payment acceptance market. Our trusted payment expertise can help you overcome the challenges and complex security requirements involved in integrating SoftPOS.