PCI MPoC: The Evolution of Mobile Payment Security

Complete Guide to PCI Mobile Payments on COTS Standard v1.1

⚠️ Latest Update: The PCI MPoC standard continues to evolve with enhanced SDK integration capabilities and improved flexibility for enterprise deployments.

PCI Mobile Payments on Commercial Off-The-Shelf (MPoC) represents a paradigm shift in mobile payment security, enabling the transformation of consumer smartphones and tablets into secure payment acceptance terminals. This revolutionary standard addresses the fundamental security challenges inherent in using untrusted COTS devices for sensitive payment processing.

What is PCI MPoC and Why It Matters

The Payment Card Industry Mobile Payments on Commercial Off-The-Shelf (PCI MPoC) standard is a comprehensive security framework developed by the PCI Security Standards Council. Unlike traditional payment terminals that rely on dedicated hardware, MPoC enables merchants to transform their everyday mobile devices into secure payment acceptance terminals through specialized software applications.

This revolutionary approach democratizes payment acceptance, making it accessible to businesses of all sizes while maintaining the highest security standards. The standard is particularly crucial for SoftPOS (Software Point of Sale) solutions, which are rapidly gaining adoption across global markets.

Nov 2022: PCI MPoC Standard Published - Initial framework established
2023-2024: Product certifications completed, industry feedback collected
2024: Enhanced standard released with improved flexibility and SDK integration
2025+: Market adoption accelerating - 34.5M merchants projected by 2027

Market Context & Business Drivers

SoftPOS Market Growth

The Software Point of Sale market is projected to reach $27.7 billion by 2030, driven by demand for flexible, low-cost payment acceptance solutions that eliminate dedicated hardware requirements. This growth represents a fundamental shift in how merchants approach payment processing.

Payment Scheme Mandates

Major payment brands including Visa and Mastercard are mandating PCI MPoC certification for SoftPOS solutions, with proprietary security pilots being sunset in favor of standardized compliance. This creates urgent compliance requirements for solution providers.

Enterprise Adoption

Large enterprises are deploying MPoC solutions for specialized use cases, leveraging enterprise devices not intended for public purchase to create tailored payment experiences across various industries including retail, hospitality, and transportation.

Key Differentiators from Legacy Standards

Objective-Based vs. Prescriptive: Unlike the prescriptive CPoC and SPoC standards, MPoC provides objective-based security requirements, allowing developers flexibility in implementation approaches while maintaining rigorous security outcomes.

Modular Architecture: Enables certification of individual components (SDKs, Services, Solutions) that can be integrated to create comprehensive payment systems.

Enhanced Integration: Current standards allow one MPoC SDK to integrate another, enabling embedding into non-payment SDKs and supporting complex enterprise use cases.

Technical Architecture & Components

MPoC Solution Architecture

COTS Device Layer: Android Smartphones & Tablets
MPoC Application: Payment Processing Interface
SRED: Secure Data Encryption
RASP: Runtime Protection
Key Mgmt: Cryptographic Keys
Secure Communication: TLS/SSL + Certificate Pinning
Payment Gateway: Transaction Processing
Monitoring: Real-time Attestation
HSM/KMS: Key Management
End-to-End Security: Device Attestation, Code Integrity, Data Encryption, Threat Detection, Compliance Monitoring

Core Technical Components

MPoC Software Products

SDKs & Libraries: Reusable components providing core security functionality including encryption, key management, and integrity checks.

Device Requirements: Native COTS PIN entry or contactless interface, plus EMVCo-compliant card entry method (contact, contactless, or magnetic stripe).

MPoC Solutions

Complete Systems: End-to-end payment acceptance platforms combining multiple components into merchant-ready solutions.

Integration Flexibility: Can incorporate pre-certified MPoC products or be developed as monolithic applications.

Attestation & Monitoring Services

Real-time Monitoring: Continuous assessment of device and application integrity, threat detection, and anomaly response.

Backend Certification: Must be PCI DSS certified or assessed against MPoC Appendix A requirements.

EMVCo Standards Alignment & Level 2 Kernel Support

Industry Coordination: PCI MPoC works alongside other industry standards to ensure comprehensive mobile payment security across the entire ecosystem.

TEE Integration: Advanced implementations can leverage Trusted Execution Environments (TEE) and virtual TEE solutions for enhanced security isolation.

Hardware Security Modules: Current standards allow FIPS 140-2 Level 2 HSMs in controlled environments, providing additional cryptographic protection.

EMV Level 2 Kernel Requirements

International Payment Schemes

Mastercard M/Chip Advance: Latest contactless kernel supporting enhanced security features including CDA, fDDA, and mobile payment optimization. Mandatory for all new implementations since April 2021.

Visa payWave: Comprehensive contactless solution with support for Quick VSDC, Visa Mobile (VMP), and enhanced fraud detection mechanisms. Includes support for mobile NFC and wearable payments.

Discover ZIP: Contactless payment kernel aligned with global EMV specifications, supporting both traditional contactless cards and mobile wallet implementations.

American Express ExpressPay: Contactless kernel supporting proprietary authentication methods and enhanced cardholder verification for premium card products.

Regional & Domestic Schemes

Interac Flash (Canada): Domestic debit contactless kernel with PIN-preferring capabilities and enhanced security for high-value transactions.

UnionPay QuickPass (China): Comprehensive contactless solution supporting both international and domestic Chinese payment requirements with local authentication methods.

JCB J/Speedy: Japanese contactless kernel with support for local market requirements and integration with domestic payment infrastructure.

Girocard Contactless (Germany): Domestic German debit scheme kernel supporting local PIN verification and SEPA compliance requirements.

Emerging Market Solutions

RuPay Contactless (India): National payment system kernel supporting India's domestic payment infrastructure with local authentication and regulatory compliance.

Eftpos Contactless (Australia): Domestic Australian debit scheme with enhanced security features and support for local market requirements.

Cartes Bancaires (France): French domestic scheme kernel supporting local authentication methods and regulatory requirements for the French market.

Bancontact/Mister Cash (Belgium): Belgian domestic payment scheme with support for local PIN verification and enhanced fraud detection.

Kernel Certification Requirements

EMVCo Level 2 Certification

All payment kernels must undergo rigorous EMVCo Level 2 testing to validate compliance with EMV chip specifications, including transaction flow, cryptographic functions, and error handling capabilities.

Scheme-Specific Approval

Each payment brand maintains additional certification requirements beyond EMVCo standards, including proprietary security features, risk management parameters, and brand-specific transaction flows.

MPoC Integration Compliance

Kernels integrated into MPoC solutions must demonstrate compatibility with SRED requirements, RASP protection mechanisms, and continuous monitoring capabilities for mobile payment environments.

Latest Technical Enhancements

SDK Integration Capabilities

One MPoC SDK can now integrate another MPoC SDK, enabling complex layered architectures and embedding payment functionality into broader application frameworks.

Non-Isolating SDK Support

Allows MPoC Applications to manage secure channels directly, providing greater flexibility in security architecture design.

Enhanced Self-Testing

Updated self-testing requirements for SDK integration scenarios, ensuring security integrity across complex component interactions.

Advanced Security Framework

Multi-Layer Security Architecture

Secure Reading and Exchange of Data (SRED)

Point of Interaction Encryption: Immediate encryption of cardholder data at the moment of capture, ensuring sensitive information never exists in plain text within the application memory.

Unique Transaction Keys: Each payment transaction is encrypted with a unique key, preventing replay attacks and ensuring transaction isolation.

Runtime Application Self-Protection (RASP)

Dynamic Threat Detection: Real-time monitoring for tampering, debugging, reverse engineering attempts, and malicious runtime modifications.

Configurable Responses: Automated countermeasures including app termination, data wiping, and backend alerting when threats are detected.

Advanced Code Protection

Obfuscation & Hardening: Multi-layer code obfuscation making reverse engineering extremely difficult and time-consuming for attackers.

Anti-Debugging Measures: Detection and prevention of dynamic analysis tools, debuggers, and instrumentation frameworks.

White-box Cryptography: Software-only cryptographic implementations that protect keys even when the algorithm internals are visible to attackers, essential for COTS device environments.

Cryptographic Implementation

Key Management

Support for industry-standard key management including TR-31 and DUKPT (Derived Unique Key Per Transaction) protocols

Secure key derivation and rotation mechanisms

Hardware-backed key storage where available

White-box cryptography implementations for software-only key protection
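As an added worked example (not code from the page or from any vendor named on it), the Go program below derives the per-transaction keys that the SRED "unique transaction keys" item and the DUKPT entry in this list refer to, following ANSI X9.24-1 TDES DUKPT: the IPEK from the BDK and the initial KSN, one non-reversible step per set counter bit, then the data-key variant used to encrypt captured card data. The BDK and KSN are the standard's published test values, not production key material.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Constants from ANSI X9.24-1 (TDES DUKPT); the data variant keeps the data key distinct from the PIN key.
var keyMask = mustHex("C0C0C0C000000000C0C0C0C000000000")
var dataVariant = mustHex("0000000000FF00000000000000FF0000")
func mustHex(s string) []byte { b, _ := hex.DecodeString(s); return b } // every input here is valid hex

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encrypt is one ECB block of TDES: an 8-byte key runs as K,K,K (plain DES), a 16-byte key as K1,K2,K1.
func encrypt(key, block []byte) []byte {
	c, _ := des.NewTripleDESCipher(append(append(append([]byte{}, key...), key...), key...)[:24]) // always 24 bytes
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// DeriveIPEK computes the injection-time key from the BDK and the KSN with its 21-bit counter cleared.
func DeriveIPEK(bdk, ksn []byte) []byte {
	initial := append([]byte{}, ksn[:8]...)
	initial[7] &= 0xE0 // the top three counter bits live in the low bits of byte 7
	return append(encrypt(bdk, initial), encrypt(xorBytes(bdk, keyMask), initial)...)
}

// generateKey is the non-reversible step: a later key cannot be run backwards to an earlier one.
func generateKey(key16, reg []byte) []byte {
	half := func(k []byte) []byte { // bottom XOR DES_top(reg XOR bottom)
		return xorBytes(k[8:], encrypt(k[:8], xorBytes(reg, k[8:])))
	}
	return append(half(xorBytes(key16, keyMask)), half(key16)...)
}

// DeriveTransactionKey walks the counter bits of the right 8 KSN bytes, one non-reversible step per set bit.
func DeriveTransactionKey(ipek, ksn []byte) []byte {
	key, reg := ipek, append([]byte{}, ksn[2:]...)
	counter := uint32(reg[5]&0x1F)<<16 | uint32(reg[6])<<8 | uint32(reg[7])
	reg[5], reg[6], reg[7] = reg[5]&0xE0, 0, 0
	for shift := uint32(1 << 20); shift > 0; shift >>= 1 {
		if counter&shift != 0 {
			reg[5], reg[6], reg[7] = reg[5]|byte(shift>>16), reg[6]|byte(shift>>8), reg[7]|byte(shift)
			key = generateKey(key, reg)
		}
	}
	return key
}

// DataKey is the working key that encrypts the captured card data: variant, then a one-way TDES step.
func DataKey(txKey []byte) []byte {
	v := xorBytes(txKey, dataVariant)
	return append(encrypt(v, v[:8]), encrypt(v, v[8:])...)
}

func main() {
	// Constructed sample: the X9.24 published test BDK and KSN, not production key material.
	bdk, ksn := mustHex("0123456789ABCDEFFEDCBA9876543210"), mustHex("FFFF9876543210E00001")
	tx := DeriveTransactionKey(DeriveIPEK(bdk, ksn), ksn)
	fmt.Printf("transaction key %X\ndata key %X\n", tx, DataKey(tx))
}
```

Because each step is one-way, compromising a device only exposes keys for transactions whose counters are reachable from its current state, never the BDK or earlier keys, which is the property the SRED unique-key requirement relies on.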

White-box Cryptography Requirements

Isolated SDK Mandate: All isolated MPoC SDKs must implement white-box cryptography as the primary protection mechanism

Key Obfuscation: Cryptographic keys embedded within obfuscated algorithms making extraction computationally complex

Algorithm Hiding: AES, RSA, and ECC implementations secured against static and dynamic analysis

Hybrid Implementations: Combination of white-box and hardware-based protection where a TEE/SE is unavailable

Encryption Standards

AES encryption with appropriate key lengths

RSA 2048-bit support for legacy compatibility

Elliptic Curve Cryptography (ECC) for modern implementations

White-box implementations of all cryptographic primitives

Secure Communications

TLS/SSL with certificate pinning

Mutual authentication protocols

Protection against man-in-the-middle attacks

White-box protected session key establishment

White-box Cryptography Implementation Options

Commercial White-box Solutions

Intertrust whiteCryption: Comprehensive white-box cryptography platform supporting AES, RSA, ECC with advanced obfuscation techniques and key binding capabilities.

Cryptomathic MASC: Mobile Application Security Core providing white-box implementations integrated with device binding and attestation mechanisms.

Guardsquare DexGuard: Android-focused solution combining white-box cryptography with advanced code hardening and runtime protection.

Open Source & Custom Implementations

Academic Libraries: Research-based white-box implementations requiring additional hardening and commercial-grade obfuscation for production use.

Custom Development: Proprietary white-box solutions developed in-house, requiring extensive validation and testing against PCI MPoC requirements.

Hybrid Approaches: Combination of commercial tools with custom implementations for specific cryptographic operations.

Certification Considerations

PCI Lab Validation: All white-box implementations must undergo rigorous testing by PCI-recognized laboratories to validate resistance against known attack vectors.

Penetration Testing: White-box cryptography must withstand simulated attacks including differential analysis, template attacks, and fault injection scenarios.

Annual Reassessment: Continuous validation required to maintain certification as attack techniques evolve and new vulnerabilities are discovered.

Integrity & Attestation

Software Integrity Checks: Continuous verification using code signing, checksums, and digital signatures to detect unauthorized modifications.

Device Attestation: Real-time assessment of device security posture including OS integrity, root/jailbreak detection, and malware screening.

Behavioral Analysis: Machine learning-based anomaly detection to identify suspicious usage patterns and potential fraud indicators.

Threat Model & Attack Vectors

Primary Threat Categories

Man-at-the-End (MATE) Attacks

Attackers with physical access to the device attempting to extract cryptographic keys, reverse engineer the application, or modify its behavior.

Mitigations: Code obfuscation, white-box cryptography, runtime protection

Application Tampering

Modification of the application binary to bypass security controls, inject malicious code, or alter transaction flows.

Mitigations: Integrity checks, code signing verification, runtime tampering detection

Data Interception

Network-based attacks attempting to capture payment data in transit or through compromised communication channels.

Mitigations: End-to-end encryption, certificate pinning, secure channel establishment

Device Compromise

Malware, rooting/jailbreaking, or OS-level compromises that could provide attackers with elevated privileges.

Mitigations: Device attestation, OS integrity checks, sandbox enforcement

Social Engineering

Attacks targeting merchant personnel or customers to compromise payment processes or steal credentials.

Mitigations: User education, strong authentication, transaction monitoring

POS Malware

Specialized malware designed to target payment applications and steal card data from memory or during processing.

Mitigations: Memory protection, process isolation, behavioral monitoring

Advanced Persistent Threats (APTs)

Sophisticated attackers using multiple attack vectors simultaneously, including zero-day exploits, custom malware, and long-term reconnaissance to compromise payment systems at scale.

Defense Strategy: Layered security approach combining proactive monitoring, rapid incident response, and continuous security updates.

Comprehensive Compliance Matrix

192 Individual Security Conditions
3 MPoC Product Types
Annual Recertification Cycle
100% Backend PCI DSS Required

Prerequisite Certifications & Standards

PCI Data Security Standard (DSS)

Payment processing and remote kernel environments must maintain PCI DSS certification

Attestation & Monitoring backends require DSS or MPoC Appendix A assessment

PCI PIN Transaction Security

PIN processing backends must be PCI PIN certified

Hardware Security Module (HSM) requirements for PIN encryption

PCI Secure Software Lifecycle (SLC)

Development vendors must demonstrate SLC compliance

Assessment against MPoC Appendix D requirements

Testing & Validation Requirements

PCI-Recognized Laboratory Assessment

All MPoC products must be evaluated by accredited security laboratories with specialized mobile payment expertise and testing capabilities.

Annual Penetration Testing

Independent vulnerability assessment and penetration testing of the complete SoftPOS solution (mobile application + backend systems) required annually.

Continuous Monitoring Evidence

Demonstration of ongoing security monitoring, threat detection capabilities, and incident response procedures as part of certification maintenance.

Payment Scheme Flexibility

Visa Acceptance Model: Recognizing the complexity of full MPoC Solution certification, Visa now accepts three types of partial certifications: MPoC Solution (any variant), MPoC Software Product, and MPoC Service for faster market entry.

Multi-Scheme Support: Solutions supporting multiple payment brands beyond Visa must achieve complete MPoC Solution certification scope.

Advanced Implementation Strategies

Development Lifecycle Integration

Secure Software Development Lifecycle (SSDLC)

Design Phase: Threat modeling, security requirements definition, and architecture review to identify potential vulnerabilities early.

Development Phase: Secure coding practices, static analysis, and code review processes to prevent common security flaws.

Testing Phase: Dynamic application security testing, penetration testing, and security validation against MPoC requirements.

CI/CD Security Integration

Automated Security Scanning: Integration of security testing tools like AppSweep into build pipelines for continuous vulnerability detection.

Dependency Management: Regular scanning of third-party libraries and components for known vulnerabilities and license compliance.

Security Gates: Automated blocking of deployments that fail security criteria or compliance checks.

Risk-Based Security Architecture

Defense in Depth: Multiple overlapping security controls to ensure that failure of any single protection mechanism doesn't compromise the entire system.

Zero Trust Model: Assumption that the device and environment are potentially compromised, requiring continuous verification and minimal trust assumptions.

Adaptive Security: Dynamic adjustment of security controls based on real-time risk assessment and threat intelligence.

Technology Stack Considerations

Platform-Specific Implementation

Android: TEE utilization, SafetyNet attestation, hardware-backed keystore integration

Backend Architecture

Microservices: Modular backend design enabling independent scaling and security boundary enforcement

Cloud Security: HSM-as-a-Service, secure container orchestration, and encrypted data storage

API Security: OAuth 2.0, JWT tokens, rate limiting, and API gateway security controls

Integration Patterns

SDK Integration: Current standards support for nested SDK architectures and non-payment SDK embedding

Service Mesh: Secure inter-service communication and traffic management

Event-Driven Architecture: Real-time security event processing and automated response mechanisms

Operational Security Framework

Security Operations Center (SOC) Integration

24/7 Monitoring

Continuous monitoring of MPoC applications and backend systems for security events, anomalies, and potential threats.

Integration with SIEM systems for correlation and automated alerting.

Incident Response

Defined procedures for security incident classification, containment, eradication, and recovery.

Automated threat response capabilities including device quarantine and transaction blocking.

Threat Intelligence

Integration with external threat intelligence feeds to identify emerging attack patterns and indicators of compromise.

Proactive security updates and countermeasures based on threat landscape evolution.

Performance & User Experience Optimization

Security-Performance Balance: MPoC implementations must balance rigorous security requirements with smooth user experience. Key considerations include:

  • Optimized cryptographic operations to minimize transaction latency
  • Intelligent caching strategies for security checks and validations
  • Progressive security loading to maintain responsive user interfaces
  • Battery optimization for continuous monitoring and protection services
  • Network efficiency for real-time attestation and monitoring communications

Market Deployment Strategies

Phased Rollout Approach

Pilot Programs: Limited deployment with select merchants to validate security controls and operational procedures.

Gradual Expansion: Geographic and segment-based rollout to manage risk and enable continuous improvement.

Full Production: Complete market deployment with comprehensive monitoring and support infrastructure.

Merchant Onboarding

Security Training: Comprehensive education on secure usage practices, threat awareness, and incident reporting.

Device Management: Policies for device provisioning, configuration, and lifecycle management.

Ongoing Support: Technical support, security updates, and compliance assistance programs.

Ecosystem Integration

Acquirer Partnerships: Integration with payment processors and acquiring banks for seamless transaction processing.

ISV Collaboration: Working with independent software vendors to embed MPoC capabilities into business applications.

Hardware Partnerships: Relationships with device manufacturers for optimized security implementations.

Future-Proofing & Evolution

Emerging Technologies & Trends

Quantum-Resistant Cryptography: Preparation for post-quantum cryptographic algorithms to protect against future quantum computing threats.

AI/ML Integration: Enhanced fraud detection, behavioral analysis, and automated security response using artificial intelligence.

5G & Edge Computing: Leveraging low-latency networks and edge processing for real-time security validation and response.

Biometric Authentication: Integration of advanced biometric technologies for enhanced user verification and fraud prevention.

Standards Evolution Timeline

2025-2026: Continued refinement of MPoC standards based on industry feedback and emerging threat landscape.

2027-2028: Potential next-generation standards incorporating lessons learned, new technologies, and expanded use cases.

Beyond 2028: Integration with next-generation payment technologies including central bank digital currencies (CBDCs) and IoT payment scenarios.

Industry Resources & Next Steps

Official Documentation

Access the complete PCI MPoC Standard, Program Guide, and Technical FAQs through the PCI SSC Document Library.

Review EMVCo SBMP guidelines for complementary security requirements.

Certification Partners

Engage with PCI-recognized laboratories for assessment and certification services.

Utilize pre-certified security solutions and SDKs to accelerate development timelines.

Community Engagement

Participate in PCI SSC Community Meetings for industry insights and networking.

Join working groups focused on mobile payment security and standards development.

Training & Education

Enroll in PCI SSC training programs for assessors, developers, and implementers.

Pursue continuing education credits (CPE) for professional development.

Getting Started Checklist

  • Assess current security posture against MPoC requirements
  • Develop comprehensive implementation roadmap and timeline
  • Engage PCI-recognized laboratory for pre-assessment consultation
  • Implement secure development lifecycle processes
  • Select and integrate certified security components and SDKs
  • Conduct thorough security testing and validation
  • Submit for formal PCI MPoC certification
  • Establish ongoing monitoring and compliance maintenance