PCI Mobile Payments on COTS (MPoC) builds on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) Standards, which individually address security requirements for solutions that enable merchants to accept cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device. The PCI MPoC Standard aims to provide increased flexibility not only in how payments are accepted, but in how COTS-based payment acceptance solutions can be developed, deployed, and maintained.
PCI MPoC is a new, flexible mobile standard and programme for payment solution development. It provides a modular, objective-based, security standard that supports various types of payment acceptance channels and consumer verification methods on COTS devices. PCI MPoC combines many of the aspects of the existing PCI SPoC and PCI CPoC standards, primarily by including the entry of both PIN and contactless cardholder data on the same COTS device.
The council’s officials stated that as the payment acceptance landscape continues to grow, merchants, vendors, and solution providers are seeking new ways to accept and process payments. The PCI MPoC Standard recognises that there are different ways in which a card-based payment may be accepted in face-to face-environments, using commercial off-the-shelf (COTS) products, such as mobile phones and tablets.
Many of the requirements within the standard will be familiar to those who were already working with the existing PCI SPoC and PCI CPoC standards. However, MPoC is structured to provide a separation of the ‘technical’ or ‘development’ aspects from the ‘operational’ aspects. This allows for MPoC to add flexibility by creating the ability to address market needs which may otherwise have been infeasible under existing PCI SPoC or PCI CPoC programmes.
Vendors of card present payment acceptance technologies and solutions will be interested in the PCI MPoC standard as it may provide new types of solutions for them to address in their markets. Similarly, entities who deploy or use terminals (acquirers and merchants), may be interested to see what controls are put into place to secure the technologies they may well be using in 2023 and into the future.
The PCI MPoC Standard was developed with input from the global payments industry over two Request for Comments (RFC) periods this year, yielding approximately 900 pieces of feedback from 37 companies. The RFCs provided insight into how the market may seek to use COTS-based payment acceptance solutions, and these comments were adopted into the standard, materially affecting the requirements and how they are to be assessed.
The PCI MPoC Standard is now available in the Document Library on the PCI SSC website. The PCI MPoC Program Guide is expected to be published in the near future.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now