The world of payments is in a constant state of evolution, and the advent of mobile payments has been a cornerstone in this journey.
Merchants can accept payments from a wider range of devices, including smartphones, tablets, and even wearables. This is a game-changer for businesses of all sizes, as it will make it easier for them to accept payments from their customers, no matter what device they’re using.
As technological advancements continue to reshape how we transact, one standard stands out as a catalyst in this evolution: Mobile Payments on COTS (MPoC). This standard is revolutionizing payment acceptance, offering a modular and secure approach to mobile transactions.
In its essence, MPoC represents a convergence of previous standards, SPoC (Software-based PIN Entry on COTS) and CPoC (Contactless Payments on COTS). This amalgamation creates a more flexible framework, enabling a broader range of solutions to facilitate payment acceptance on Commercial Off-The-Shelf (COTS) devices.
This standard aims to enable mobile payment solutions to accommodate various payment acceptance channels and methods for verifying cardholders. For instance, a solution might cater to a COTS-native NFC interface exclusively, omitting PIN entry. Meanwhile, another solution could be engineered to embrace COTS-native NFC interfaces, allowing contactless card entry with PIN, while also accommodating PCI PTS SCRP devices.
MPoC is only applicable to attended and semi-attended devices, where merchant personnel are physically present to assist and oversee the payment process. For instance, self-checkout kiosks are compatible with MPoC, but vending machines and ticketing machines are not.
MPoC’s strength lies in its modular approach, which allows for the development of both monolithic and composite solutions. These solutions integrate various MPoC products providing a tailored approach to meet diverse market needs :
- MPoC Software: This includes all software necessary to implement the core functionalities required by the MPoC Solution. including the functionality for accepting account data (optionally including the cardholder PIN) on COTS devices. The MPoC Software must implement at least one form of COTS-native account data entry, either COTS-native NFC or COTS-native PIN entry.
The scope of MPoC Software also covers attestation components, backend functionalities, and any APIs provided. - Attestation and Monitoring Service: This service oversees the attestation and monitoring functionalities of a listed MPoC Software Product. However, it cannot be utilized by an MPoC Solution that doesn’t utilize an MPoC Software Product supported by that specific Attestation and Monitoring Service.
- MPoC Solution: This refers to the collective components and processes supporting mobile payment acceptance while ensuring the protection of account data on a COTS device. The minimum components within this solution include the MPoC Application, attestation system, and the backend systems and environments responsible for performing attestation, monitoring, and payment processing.
MPoC’s Security and Test Requirements
Security is a major concern in the world of payments, and MPoC addresses this comprehensively through its five domains. These domains cover every aspect from software development and integration to backend operations and solution management, ensuring a robust and secure ecosystem for mobile payments.
- Domain 1: MPoC Software Core Requirements: The core module includes essential security requirements like secure software development and lifecycle processes, integrity protection, protection of sensitive information, and secure communication channels. Additionally, there are optional modules and sections tailored to MPoC Software supporting different payment acceptance or cardholder verification methods, such as COTS-native NFC or COTS-native PIN entry.
- Domain 2: MPoC Application Integration: Covers requirements for securely integrating and using MPoC Software within the MPoC Application, ensuring overall application security.
- Domain 3: Attestation and Monitoring: Covers service providers operating the backend attestation and monitoring environments. These providers are responsible for maintaining the baseline security of COTS platforms, interpreting and responding to collected data from these platforms, and ensuring the security of the attestation and monitoring environments.
- Domain 4: MPoC Software Management: Encompasses aspects such as secure signing and distribution of MPoC Software and Applications, as well as key management for these software products and backend systems. Multiple entities within an MPoC Solution may fall under this domain.
- Domain 5: MPoC Solution: This domain covers the security requirements and test procedures for MPoC Solution providers who manage the interactions between all parties within an MPoC Solution. This includes ensuring the security of MPoC-specific decryption or payment switching environments. The MPoC Solution provider also takes responsibility for ensuring that any associated MPoC Applications not already listed as part of an MPoC Software Product meet the standard’s requirements and are included as part of their MPoC listing.
The security model of an MPoC Solution relies in large part (but not entirely) on mechanisms that support attestation and monitoring (to
ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present), and response (controls to alert
and take action). The online nature of COTS devices provides opportunities to extend these capabilities to back-end monitoring systems.
Some COTS devices have special built-in security features like a secure element (SE)or trusted execution environment (TEE). These features can store or process sensitive info in a secure way, or help confirm the authenticity of the COTS device.
Since these are COTS devices, we can’t assume everything about them is known or trusted. It’s important for MPoC Software to have its own safeguards that make it hard for someone to figure out how it works or tamper with its code when it’s running on these uncertain platforms.
The Impact and Future Potential of MPoC
The impact of MPoC extends across the payments industry, catching the attention of vendors, acquirers, and merchants alike. Its potential to drive innovation while ensuring security standards are met heralds a new era in mobile payments.
The development of MPoC has been a collaborative effort, drawing insights from industry engagement and feedback. This collaborative approach has shaped MPoC into a standard that not only meets but anticipates the needs of the dynamic payments landscape.
MPoC is expected to become widely used as SoftPOS solutions revolutionize how we make payments. This standard will promote the development of disruptive SoftPOS technology and potentially transform the payment acceptance environment. MPoC allows payment terminals to be more versatile, making it harder to distinguish between dedicated terminals and SoftPOS devices.
By reducing the cost of setting up payment acceptance, MPoC will enable more merchants to accept card payments, but it will also change the market for payment terminals.
The ease of replicating and scaling software compared to hardware suggests that the payment acceptance platform provider landscape may become more concentrated in the future.
In conclusion, MPoC is more than a standard; it’s a driving force shaping the future of mobile payments. Its modular approach, coupled with robust security measures, positions it as a key enabler for innovation and trust in the realm of digital transactions. As we move forward, MPoC stands tall as a cornerstone in the evolution of how we pay, reflecting the convergence of security, flexibility, and technological advancement in the palm of our hands.
