Press Release

PCI SSC Publishes New Standard for Mobile Payment Solutions

The PCI Mobile Payments on COTS (MPoC) Standard Provides Flexibility in Mobile Payments Acceptance and Mobile Payment Acceptance Solutions Development

WAKEFIELD, Mass., 16 November 2022 — Today the PCI Security Standards Council (PCI SSC) published a new standard designed to support the evolution of mobile payment acceptance solutions. PCI Mobile Payments on COTS (MPoC) builds on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) Standards, which individually address security requirements for solutions that enable merchants to accept cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device. The PCI MPoC Standard aims to provide increased flexibility not only in how payments are accepted, but in how COTS-based payment acceptance solutions can be developed, deployed, and maintained.

PCI MPoC is a new, flexible mobile standard and program for payment solution development. It provides a modular, objective-based, security standard that supports various types of payment acceptance channels and consumer verification methods on COTS devices. PCI MPoC combines many of the aspects of the existing PCI SPoC and PCI CPoC standards, primarily by including the entry of both PIN and contactless cardholder data on the same COTS device.

“As the payment acceptance landscape continues to grow, merchants, vendors, and solution providers are seeking new ways to accept and process payments,” said Emma Sutcliffe, SVP Standards Officer, PCI SSC. “The PCI MPoC Standard recognizes that there are different ways in which a card-based payment may be accepted in face-to face-environments through the use of commercial off-the-shelf (COTS) products, such as mobile phones and tablets.”

Many of the requirements within the standard will be familiar to those who were already working with the existing PCI SPoC and PCI CPoC standards; however, MPoC is structured to provide a separation of the ‘technical’ or ‘development’ aspects from the ‘operational’ aspects. This allows for MPoC to add flexibility by creating the ability to address market needs which may otherwise have been infeasible under existing PCI SPoC or PCI CPoC programs.

“It’s hard to say what the future of payments will be, but we know that payments can’t be a one-size-fits-all. There will continue to be a place for dedicated payment terminals, but increasingly there is a place for other types of solutions as well,” said Andrew Jamieson, Vice President Solutions, PCI SSC. “At the Council, we want to allow for innovation, flexibility, and agility in how our standards address these new payment acceptance methods. At the same time, this innovation needs to support a sufficient level of security that allows for the confidence in these solutions that is required for their broad adoption. It is the goal of MPoC to strike this balance.” 

Vendors of card present payment acceptance technologies and solutions will be interested in the PCI MPoC standard as it may provide new types of solutions for them to address in their markets. Similarly, entities who deploy or use terminals – acquirers and merchants – may be interested to see what controls are put into place to secure the technologies they may well be using next year and into the future.

The PCI MPoC Standard was developed with input from the global payments industry over two Request for Comments (RFC) periods this year, yielding approximately 900 pieces of feedback from 37 companies. The RFCs provided insight into how the market may seek to use COTS-based payment acceptance solutions, and these comments were adopted into the standard, materially affecting the requirements and how they are to be assessed.

The PCI MPoC Standard is now available in the Document Library on the PCI SSC website. The PCI MPoC Program Guide is expected to be published in the coming months.

About the PCI Security Standards Council

The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.