
MPoC SoftPOS Strategy: SaaS vs. Hybrid vs. In-House

  • mehmetozcan
  • Dec 1

This article describes the ways a company can obtain an MPoC SoftPOS product and go live with it.


For a company to have an MPoC product, multiple certifications must be completed. Because of the complexity and cost of these certifications, and the long certification and development timeline, some companies prefer to buy the product in a SaaS model from companies that provide an end-to-end payment service compliant with MPoC SoftPOS. The biggest disadvantages of this approach are the fees paid for each transaction and the dependency on the third party, along with the limitations it imposes, when you have your own custom requirements.


As an alternative to the SaaS model, for companies that prefer to develop in-house, L2 Kernel certification is the starting point of the SoftPOS roadmap. The L2 Kernel is basically the engine between the card and the terminal, covering all EMV functions defined in the card scheme books and the EMVCo Contact and Contactless books. It is a very specific domain and requires specialized resources and tools. A company should consider the following steps to develop its own L2 Kernels, which will eventually be used in its MPoC Solution:


  • L2 Kernel development

  • L2 Kernel Test Tools

  • Type approval in the Lab


After the L2 Kernel certifications are completed, the second step is to complete the MPoC Security Evaluation with a lab accredited by PCI.


The MPoC Security Evaluation has 5 major domains, each with a different set of requirements. A company aiming to have an MPoC SoftPOS product must comply with all of these domains to be listed by PCI as an MPoC Software/Solution provider.


  • Domain 1: Core cryptography and security

  • Domain 2: MPoC SDK Integration

  • Domain 3: Attestation & Monitoring

  • Domain 4: MPoC Software Management

  • Domain 5: MPoC Solution (Merchant Management)


Because the domains differ in scope and complexity, PCI's MPoC administrative documents give some flexibility to vendors undergoing the MPoC Security Evaluation.


Certification Paths

Single Certification Path (Monolithic Certification): Covers all domains in one certification.

2-phase Certification Path (MPoC Software + MPoC Solution): MPoC Software mainly covers Domain 1, the most complicated domain, and MPoC Solution mainly covers Domain 2, which relates more to MPoC SDK integration.



The first path (option) is to develop the product and certify all domains in one shot. This is called MPoC Monolithic certification. Once it is completed, the company can start its L3 certification and go live.


The second path (option) is to buy MPoC Software from a third party and develop the MPoC Solution on top of it. Vendors that have already gone through the MPoC Software Security Evaluation and been approved are listed on the PCI website. This path saves cost and time, because MPoC Software covers the most complicated MPoC requirements, those defined under Domain 1. MPoC Software also already contains certified L2 Kernels, so for the MPoC Solution certification the company only needs to complete MPoC App development according to Domain 2, and either develop A&M (Attestation & Monitoring) itself or source it from a third party as well. You get the MPoC Software from the vendor and develop your own MPoC App (UI) on top of it. In brief, to reduce certification cost and shorten the timeline, MPoC Software can be sourced from a vendor, and the MPoC Solution certification can be done with the lab by meeting only the remaining requirements in the MPoC Specification.


With the main MPoC certifications and process steps for launching a SoftPOS product outlined, there are three approaches that most companies use in their SoftPOS development roadmaps: SaaS, hybrid, and in-house.



Notes:


  • Even if the monolithic approach is selected, given the L2 kernel’s specialized resource needs and tooling/certification costs, it is more sensible to buy L2 kernel libraries from third parties.

  • This article does not cover L3 certification; however, as with traditional terminals, SoftPOS solutions also require L3 after all other certifications are completed.

  • After L2 kernels are certified, they must be re-certified every 3 years. After MPoC certification is completed, delta certifications are required annually, and full re-certification is required every 3 years.

  • To develop MPoC Software or a Solution and become an MPoC vendor, PCI imposes strict requirements beyond the five domains mentioned above: the company must have a strong corporate structure and a mature software development lifecycle, validated by PCI SLC or compliant with MPoC Appendix A.

  • In addition to the main methodologies mentioned in this article, there are other methodologies as well, such as acquiring MPoC Software from a third-party vendor and using that vendor’s A&M as a SaaS service.


About us: At CYNTE Technologies, all MPoC modules are developed in-house, so we offer flexible engagement, from a single L2 kernel module to a complete MPoC solution, aligned to your business plan.


 
 
