The PCI Security Standards Council (PCI SSC) has published a new standard designed to support the evolution of mobile payment acceptance solutions. PCI Mobile Payments on COTS (MPoC) builds on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) Standards which individually address security requirements for solutions that enable merchants to accept cardholder PINs or contactless payments, using a smartphone or other commercial off-the-shelf (COTS) mobile device. The PCI MPoC Standard aims to provide increased flexibility not only in how payments are accepted, but in how COTS-based payment acceptance solutions can be developed, deployed, and maintained.
PCI MPoC is a new, flexible mobile standard and program for payment solution development. It provides a modular, objective-based, security standard that supports various types of payment acceptance channels and consumer verification methods on COTS devices. MPoC combines many of the aspects of the existing PCI SPoC and PCI CPoC standards, primarily by including the entry of both PIN and contactless cardholder data on the same COTS device.
Many of the requirements within the standard will be familiar to those who were already working with the existing PCI SPoC and PCI CPoC standards; however, MPoC is structured to provide a separation of the ‘technical’ or ‘development’ aspects from the ‘operational’ aspects. This allows for MPoC to add flexibility by providing for approval of three different types of MPoC Products – an MPoC Software Product, an MPoC Attestation and Monitoring Service, and an MPoC Solution.
MPoC Solutions may be developed independently of any other listed MPoC Products, in the same way that the PCI SPoC and PCI CPoC programs operate, but with the introduction of the additional MPoC Product types, an MPoC Solution may also be created by integrating one or more MPoC Software Products, or MPoC Attestation and Monitoring Services. This flexibility is intended to allow for more diversity in the types of MPoC Solutions, creating the ability to address market needs which may otherwise have been infeasible under existing PCI SPoC or PCI CPoC programs.
Vendors of card present payment acceptance technologies and solutions will be interested in the PCI MPoC standard as it may provide new types of solutions for them to address in their markets. Similarly, entities who deploy or use terminals – acquirers and merchants – may be interested to see what controls are put into place to secure the technologies they may well be using next year and into the future.
The PCI MPoC Standard was developed with input from the global payments industry over two Request for Comments (RFC) periods this year, yielding approximately 900 pieces of feedback from 37 companies. The RFCs provided insight into how the market may seek to use COTS-based payment acceptance solutions, and these comments were adopted into the standard, materially affecting the requirements and how they are to be assessed.
The PCI MPoC Standard is now available in the Document Library on the PCI SSC website. The PCI MPoC Program Guide is expected to be published in the coming months.