How to build a PCI MPoC v1.1 solution based on Cryptomathic’s Mobile Application Security Core (MASC) Software
Boris Schumperli, 13 February 2025

The primary objective of the PCI MPoC (Mobile Payment on COTS) standard is to ensure that robust security mechanisms are in place for secure mobile payments on commercial off-the-shelf (COTS) devices, such as Android smartphones.
By nature, COTS devices cannot be inherently trusted. The MPoC security model relies on mechanisms that support attestation, continuous monitoring, anomaly detection, and proactive responses.
Adopting the MPoC security model is fundamental for enabling secure mobile payments and ensuring the integrity of Point-of-Sale (POS) transactions.
PCI MPoC Standard Version 1.1 introduces greater flexibility in building and certifying compliant MPoC solutions
In this document, we give an overview of the main components of an MPoC solution and show how Cryptomathic’s Mobile Application Security Core (MASC) software can be used to implement a PCI MPoC-compliant solution or service.
Overview of an MPoC Solution
Generalized MPoC use case with a COTS device and the surrounding environment.
An entire MPoC solution is a set of components and processes that support mobile payment acceptance and protection of account data on a COTS device. At a minimum, the solution includes the MPoC Application and the back-end systems and environments that perform attestation, monitoring, and payment processing. Below is a breakdown of the front-end and back-end.
On the front end:
1. The COTS: commercial off-the-shelf device, typically an Android or iOS device.
2. Optionally, extra hardware (e.g. a connected card reader) can be used to read contact, contactless or magstripe cards. A COTS device with NFC capabilities can also accept contactless cards without extra hardware.
3. The MPoC application: the mobile payment software application implemented and running on the COTS device. This application can use the different device functions, e.g. to capture entry of cardholder PINs or account data via the device screen or the card reader.
On the back-end:
4. Attestation and Monitoring component: mainly in charge of monitoring the health of the device, detecting any anomalies and responding to detected threats.
5. Payment and PIN processing: in charge of processing the payment transactions or the PIN once captured by the MPoC application.
Note that the MPoC application running on the COTS device can be monolithic or built upon existing PCI MPoC-certified software such as SDKs. The PCI MPoC standard defines different security requirements for the software components that compose an MPoC solution. It is also possible to build an MPoC solution that relies on a certified Attestation and Monitoring service. Below, we give an overview of the security requirements of PCI MPoC.
PCI MPoC Security requirements
The following section provides an overview of PCI MPoC security requirements.
PCI MPoC requirements are organized in different domains and sub-modules:

| Domain | Topic of requirement |
| --- | --- |
| 1 - MPoC Software Core Requirements | This domain defines the foundational security requirements for MPoC software. Key areas include vulnerability management, secure cryptographic operations, and secure communication. |
| 2 - MPoC SDK Integration | This domain focuses on the integration of MPoC SDKs with applications to ensure secure operations. |
| 3 - Attestation and Monitoring | This domain ensures continuous monitoring and attestation of the security posture of MPoC applications. |
| 4 - MPoC Software Management | This domain addresses the management and maintenance of MPoC software, including updates and secure storage. |
| 5 - MPoC Solution | Comprehensive requirements for the end-to-end MPoC solution, including user guidance and compliance reporting. |
What is MASC, and how does it help meet PCI MPoC requirements?
MASC is a software suite composed of the MASC Core SDK and the back-end Assurance Service. These components address some of the core requirements in Domain 1 (MPoC Software Core Requirements) and Domain 3 (Attestation and Monitoring).
Mobile application developers rely on the MASC Core SDK to secure their mobile payment application and to meet the Module 1A-CORE requirements, using among other mechanisms:
- Application integrity protection
- Cryptographic and random generation operations
- Configuration data protection
- Secure storage
- Network stack protection
The MASC Core SDK offers a set of toolboxes that protect an application against static and dynamic threats, covering Module 1B (COTS-based MPoC Software Protection). It includes, among others:
- Anti-debug and hooking prevention (by crashing the app)
- Prevention of memory dumping that would expose sensitive keys and data
- Rooted/jailbroken device detection
- Emulator/debugger detection
- Data and code obfuscation
- White-box cryptography
- Device binding
MASC Core SDK sentinels, along with the back-end Assurance Service’s Monitor and Reaction Engine, provide attestation and monitoring as defined by PCI MPoC. These components help meet the requirements outlined in Module 1C (Attestations and Monitoring Software) and Domain 3 (Attestation and Monitoring).
These services monitor the health of the device on which the mobile application is running, detect anomalies and react to them by blocking or crashing the app:
- Rooted/jailbroken device detection
- Emulator detection
- Screen sharing detection
- Keyboard and accessibility provider blacklist
Together, the MASC software suite—including the MASC Core SDK and back-end Assurance Service—meets PCI MPoC security requirements across multiple domains (Core, SDKs, and A&M). It can be leveraged to develop a PCI MPoC-compliant solution or service.
Cryptomathic MPoC implementation protected with our Mobile Application Security Core and connected to Obsidian for PIN management and MASC back-end service for attestation and monitoring.
How to use Cryptomathic MASC to implement a PCI MPoC solution for a PIN-entry application?
Below is an example of a PCI MPoC solution for PIN entry implemented with MASC. The MASC SDK protects the MPoC application and secures its communication with the back-end systems. The MPoC application with an integrated MASC SDK automatically monitors that communication through MASC’s attestation and monitoring back-end service. The PIN is processed and stored in the Cryptomathic Obsidian platform only after successful attestation and monitoring approval.
The diagram depicts the full solution and is composed of:
- An MPoC application integrated with the MASC SDK.
- The Obsidian PIN-processing platform and the MASC back-end Assurance Service. The Assurance Service provides the attestation and monitoring.
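As an added illustration (not Cryptomathic's code and not the MASC API), the following Python sketch models the attestation-gated PIN flow above together with the monitor-and-reaction verdicts from the previous section: the back-end issues a nonce, verifies the sentinel's authenticated health report, maps detections to block/crash reactions, and hands the PIN block to PIN processing only on approval. The report format, the HMAC signing, the verdict mapping and the provider blacklist are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by the app-side sentinel and the back-end; a placeholder, not a real key.
SENTINEL_KEY = b"constructed-demo-sentinel-key"
# Constructed blacklist of keyboard/accessibility providers the back-end refuses to coexist with.
PROVIDER_BLACKLIST = {"com.example.bad.keyboard", "com.example.bad.a11y"}
ISSUED_NONCES: set = set()  # nonces handed to the app, each valid for one attestation round


def issue_nonce() -> str:
    """Back-end issues a fresh nonce so a captured health report cannot be replayed."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return nonce


def sign_report(report: dict) -> str:
    """App-side sentinel authenticates its health report (hypothetical report format)."""
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SENTINEL_KEY, body, hashlib.sha256).hexdigest()


def evaluate(report: dict, tag: str) -> str:
    """Monitor/reaction policy: returns APPROVE, BLOCK or CRASH (constructed mapping)."""
    if not hmac.compare_digest(sign_report(report), tag):
        return "BLOCK"  # unauthenticated or tampered report: never approve
    nonce = report.get("nonce")
    if nonce not in ISSUED_NONCES:
        return "BLOCK"  # replayed or forged nonce
    ISSUED_NONCES.discard(nonce)  # single use
    if report["rooted"] or report["emulator"] or report["debugger"]:
        return "CRASH"  # compromised execution environment: terminate the app
    if report["screen_sharing"] or PROVIDER_BLACKLIST & set(report["providers"]):
        return "BLOCK"  # PIN entry could be observed: refuse this transaction
    return "APPROVE"


def submit_pin(report: dict, tag: str, pin_block_hex: str) -> dict:
    """The PIN block is forwarded to PIN processing only after an APPROVE verdict."""
    verdict = evaluate(report, tag)
    if verdict != "APPROVE":
        return {"verdict": verdict, "processed": False}
    # Placeholder for the hand-off to the PIN-processing platform; here we only record it.
    return {"verdict": verdict, "processed": True, "pin_block": pin_block_hex}
```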
Conclusion
Cryptomathic’s MASC and Obsidian solution provides robust security measures and compliance capabilities tailored to meet the PCI MPoC Standard Version 1.1. By addressing each domain’s specific requirements, MASC enables secure mobile payment operations on COTS devices, helping businesses maintain compliance and consumer trust in an evolving threat landscape.
About Cryptomathic. Cryptomathic is a leading provider of security solutions, offering advanced technologies to secure digital payments, identities, and communications globally. With the Mobile Application Security Core, Cryptomathic delivers unmatched protection and compliance for mobile applications in the payment ecosystem.