Evaluation of Payment on COTS Devices & MPoC
- mehmetozcan
- 4 days ago
In the past, conventional payment methods such as cash and credit cards were the primary means of making purchases. However, with the widespread adoption of mobile technology, mobile payments have become an increasingly popular option for consumers. Today, mobile payments are essential for businesses to remain competitive and provide convenient payment options for their customers.
As mobile payment technology has evolved, so have the threats to security. Hackers and cybercriminals have become increasingly sophisticated in their methods, making it necessary to have standardized security measures in place to protect against data breaches and unauthorized access to payment card data.
Prior to the development of PCI’s Mobile Payments on COTS (MPoC) standard, Visa and MasterCard had each developed their own security measures for mobile payments. In 2010, Visa released its “Visa Ready” program, which provided guidelines for the secure acceptance of mobile payments on COTS devices. A year later, MasterCard released its “MasterCard Mobile” program, which had similar guidelines for the secure acceptance of mobile payments.
However, these separate programs created confusion for merchants, who had to navigate different requirements and guidelines depending on which payment card they were accepting. In response, the Payment Card Industry Security Standards Council (PCI SSC) first developed the Software-based PIN Entry on COTS (SPoC) standard, then Contactless Payments on COTS (CPoC), and finally published the MPoC specification to provide a single, unified set of guidelines for the secure acceptance of mobile payments on COTS devices.

The SPoC standard is based on the idea that card communication (reading the cardholder data) and PIN entry are handled by separate hardware modules. So, as illustrated above, cardholder data is read from the chip by an external card reader (SCRP), and the PIN is entered on the COTS device in accordance with the SPoC requirements.
CPoC, on the other hand, does not support PIN entry for payment transactions; cardholder data is read from the chip over the NFC interface of the COTS device. PIN entry is not supported in the CPoC model in order to maintain isolation between the PAN and cardholder data and to prevent these sensitive data from being correlated when they are processed by an application running on the same processor and memory.
For both the CPoC and SPoC standards, the transaction is secured against tampering and unauthorized access, and data security relies on keys stored in the secure memory of the payment environment (SPoC: SCRP + white-box; CPoC: white-box), together with the remote Attestation and Secure Channel services.
The Secure Channel service is one of the most important backend components of the COTS payment ecosystem. Unlike traditional payment terminals, COTS devices are more exposed to attack because the keys are kept in software components (the white-box) on the COTS device and the cryptographic operations are performed by the COTS device's own processor. For this reason, the chip-transaction and PIN-data encryption keys kept on a COTS device are generated per session, and the session logic is provided by the Secure Channel service running on the backend servers.
The Attestation service, another crucial module running in the backend environment, ensures that the security mechanisms of the payment environment are intact and operational and that no anomalies are present in the solution, by performing device root, tamper, hook and emulator detection, SSL pinning checks, and so on.
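The two backend services described above can be modelled as one round trip: the backend issues a nonce, the COTS application returns an authenticated attestation report, and the Secure Channel service derives a per-transaction key only if that report is fresh and clean. The following is an added, simplified illustration written for this article, not code from the MPoC standard or any vendor's SDK; the HMAC-based report signing and key derivation, the detection flag names and the keys are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed, hypothetical keys: a per-device attestation key provisioned to
# the MPoC SDK at enrolment, and the backend's master key for session keys.
DEVICE_ATT_KEY = b"constructed-device-attestation-key"
SESSION_MASTER_KEY = b"constructed-backend-session-master-key"

# Anomaly flags carried in the attestation report; every one must be False.
CHECKS = ("root_detected", "tamper_detected", "hook_detected",
          "emulator_detected", "pinning_failed")

def device_attest(nonce: bytes, findings: dict) -> dict:
    """COTS side: report the detection results for a backend-issued nonce,
    authenticated with the device key (HMAC-SHA256 is an assumption here)."""
    body = nonce.hex() + "|" + ",".join(
        f"{c}={int(bool(findings[c]))}" for c in CHECKS)
    mac = hmac.new(DEVICE_ATT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def attestation_ok(nonce: bytes, report: dict) -> bool:
    """A&M side: verify the report's MAC, its freshness and that no check
    flagged an anomaly; any failure means the environment is not trusted."""
    expected = hmac.new(DEVICE_ATT_KEY, report["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["mac"]):
        return False                      # forged or modified report
    got_nonce, _, rest = report["body"].partition("|")
    if got_nonce != nonce.hex():
        return False                      # replayed or stale report
    findings = dict(kv.split("=", 1) for kv in rest.split(","))
    return all(findings.get(c) == "0" for c in CHECKS)

def issue_session_key(device_id: str, counter: int, nonce: bytes,
                      report: dict):
    """Secure Channel side: only an attested device gets a transaction key,
    and each key is bound to the device, a transaction counter and the nonce."""
    if not attestation_ok(nonce, report):
        return None
    info = f"{device_id}|{counter}|".encode() + nonce
    return hmac.new(SESSION_MASTER_KEY, info, hashlib.sha256).digest()

def run_transaction(device_id: str, counter: int, findings: dict):
    """One round trip: fresh backend nonce -> device report -> session key."""
    nonce = secrets.token_bytes(16)
    return issue_session_key(device_id, counter, nonce,
                             device_attest(nonce, findings))
```

The point to notice is that no long-lived encryption key ever sits on the COTS device: a rooted or hooked device, or a replayed report, simply never receives a key for that transaction.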

In November 2023, the highly anticipated MPoC specification, the latest version of PCI's COTS security standard, was published by PCI. The new standard covers all CPoC and SPoC functionality.
Unlike SPoC and CPoC, MPoC allows a solution to support different payment acceptance channels: one solution may support both PIN and cardholder data entry on the COTS device, while another may support PIN entry on the COTS device and cardholder data entry via the SCRP.
MPoC provides a modular, objective-based standard. There are three main components, each of which can be certified as a separate product; for example, a solution provider can develop and certify only the MPoC Software (SDK).
• MPoC Software (SDK)
• Attestation and Monitoring (A&M)
• MPoC Solution
With this approach, Payment Service Providers (PSPs) can now source different MPoC components from different solution providers, which gives them great flexibility. For example, a PSP whose MPoC solution uses the MPoC SDK from Vendor A and the A&M service from Vendor B could replace its SDK with one from Vendor C with relative ease, although this comes with some challenges, since MPoC requires an integration certification with a limited scope.
The requirements are also grouped into five domains, which allows solution providers to focus only on the requirements linked to their own software components; for example, an A&M service provider only needs to address the Domain 3 requirements.
• Domain 1: MPoC Software Core Requirements
• Domain 2: MPoC Application Integration
• Domain 3: Attestation and Monitoring
• Domain 4: MPoC Software Management
• Domain 5: MPoC Solution
No definite date has been announced yet, but solutions certified against any of the earlier standards (Pilot, CPoC, SPoC) prior to MPoC remain valid for 3 years. Therefore, SoftPos solutions certified under the pilot Tap to/on Phone programs, or against the CPoC and SPoC standards, will still be in use for a couple more years, but eventually they will be sunset. Starting from the second quarter of 2023, card schemes will only allow MPoC certification.
In conclusion, the MPoC standard helps ensure that mobile payments can be securely accepted on COTS devices, giving merchants a convenient and secure way to accept payments from their customers. It also helps protect against data breaches and unauthorized access to payment card data, making it an essential standard for businesses looking to accept mobile payments. The development of the MPoC standard in 2011 brought much-needed clarity and consistency to the mobile payments landscape, streamlining the process for merchants and ensuring the security of mobile payments for consumers.