Updated by 11.20.2023
PCI SSC Moves Full Steam Ahead With Mobile Payments Standard
The Payment Card Industry Security Standards Council (PCI SSC) is serious about supporting the evolution of mobile payment acceptance solutions. In its latest display of such support, the Council has published a standard dubbed “PCI Mobile Payments on COTS” (MPoC); the “COTS” stands for “commercial off the shelf” mobile device. Let’s take a look at what merchants need to know about this development.
How Do the COTS Mobile Device Standards Work?
MPoC builds on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) standards. These standards individually address security requirements for solutions that enable merchants to accept cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf mobile device.
The standard was developed with input from the global payments industry over two Request for Comments (RFC) periods in 2022. About 37 companies submitted approximately 900 pieces of feedback which, according to a statement issued by the Council when the standard was released, offered “insight into how the market may seek to use COTS-based payment acceptance solutions”. Respondents’ comments were “adopted into the standard, materially affecting the requirements and how they are to be assessed”.
Why Is the COTS Mobile Device Standard Effective?
MPoC is designed in part to yield increased flexibility in how mobile payments are accepted. However, it is also intended to afford equal flexibility when it comes to the development, deployment, and maintenance of COTS-based payment acceptance solutions. Consequently, it is modular and objective-based, supporting various types of payment acceptance channels and consumer verification methods on COTS devices. It combines myriad aspects of the existing PCI SPoC and PCI CPoC standards, primarily by including the entry of both PIN and contactless cardholder data on the same COTS device.
“Many of the requirements within the standard will be familiar to those who were already working with the existing PCI SPoC and PCI CPoC standards”, the PCI SSC statement reads. “However, MPoC is structured to provide a separation of the ‘technical’ or ‘development’ aspects from the ‘operational’ aspects. This allows (it) to add flexibility by creating the ability to address market needs, which may otherwise have been infeasible”.
What Options Does the COTS Mobile Device Standard Offer?
Because it is modular, the standard offers different certification options and supports offline transactions and software-based PIN entry. The latter can be completed on the same COTS device that interacts with the NFC-enabled consumer payment method, including debit and credit cards, wearable devices, and mobile wallets.
MPoC incorporates a wealth of robust security requirements that must be met in order for solutions to be deemed compliant with it. For example, provisions must be made to protect cryptographic keys, and solutions must be resistant to advanced reverse engineering and tampering with mobile applications.
Additionally, as one aspect of the attestation and monitoring system, solutions must offer visibility into threats and compromises of the COTS platform. They must also prevent assets like cardholders’ primary account numbers (PANs) and PIN data from being disclosed or manipulated.