Mobile Payments on COTS (MPoC)



PCI Mobile Payments on COTS (MPoC) builds on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) Standards, which individually address the security requirements for solutions that enable merchants to accept cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device. The PCI MPoC standard aims to provide increased flexibility not only in how payments are accepted, but in how COTS-based payment acceptance solutions can be developed, deployed, and maintained.

PCI MPoC is a new, flexible mobile standard and program for payment solution development. It provides a modular, objective-based security standard that supports various types of payment acceptance channels and consumer verification methods on COTS devices. PCI MPoC combines many aspects of the existing PCI SPoC and PCI CPoC standards, primarily by including the entry of both PIN and contactless cardholder data on the same COTS device.

Important Information


Intended Audience

For entities developing, deploying, or managing solutions which accept both PIN and contactless cardholder data on the same COTS device.


MPoC Documents

Find all of the related documents in the PCI SSC Document Library.


Listings & Professionals

PCI SSC encourages merchants and their acquirers to use the PCI SSC listing in selecting a PCI-listed MPoC Solution that meets their needs.

Independent PCI-Recognized MPoC Laboratories evaluate MPoC solutions against the requirements of the PCI MPoC Standard and in accordance with the PCI MPoC Program Guide.


Training Information

The Payment Card Industry Professional (PCIP) is an individual, entry-level certification in payment security information that provides you with the understanding to help your organization build a secure payment environment. Becoming a PCIP demonstrates a level of understanding that can provide a strong foundation for a career in the payments security industry.

Compliance programs for all PCI SSC standards are managed by the payment brands. Questions about which entities need to validate compliance with any PCI SSC standard, or whether use of a PCI-listed product is required and for which entities, should be referred to the payment brands. Contact information for the payment brands is in FAQ #1142.