PCI has recently released a new standard and compliance program for Mobile Payments on Commercial off-the-shelf devices (MPoC). This blog is the first of a series discussing mobile payments and the security requirements that need to be met. This one describes the compliance environment and the history of how it reached this point.
Background
Historically, point-of-sale (POS) devices were stand-alone and purpose-built. They were sealed, ran only dedicated software from the manufacturer and integrated all the necessary security features. The dedicated hardware made them more expensive and less flexible than merchants expected. Merchants wanted more flexibility in acceptance (support for loyalty schemes and other forms of payment) and integration into their own systems.

This drove some vendors, especially Chinese ones, to build hardware platforms running a variant of Android as the OS, enabling an app-based approach and making integrations and functionality available more easily in the form of apps. This still provided all the hardware security, but it brought software security to the forefront, especially the question of how apps cohabiting on the same device are isolated from one another.

The availability of commercial off-the-shelf (COTS) Android tablets opened up interesting possibilities and drove the development of dongle-type devices that accepted the card and allowed entry of the cardholder PIN (personal identification number), while the merchant interacted with the tablet, which could run other integrations and apps. Dongle devices also made a mobile POS possible, where a mobile phone runs an app that provides the merchant POS functionality and connectivity to the Payment Service Provider (PSP).

With the proliferation of contactless payments and support for near-field communication (NFC) on mobile phones, a separate device for card acceptance was no longer necessary, leaving PIN entry as the only function that could not be performed on the phone. The payment schemes have been trialing contactless acceptance and PIN entry on mobile devices, and the security requirements have now come together under PCI with the release of the PCI MPoC standard.
Standards History
PCI SPoC (Software-Based PIN Entry on COTS) - initial release April 2018
PCI SPoC is a security standard that allows merchants to accept PIN-based payments using commercial off-the-shelf (COTS) devices such as smartphones and tablets. SPoC provides a secure environment for entering PINs and encrypting sensitive payment data, protecting cardholder information during transactions. The PIN is entered on the COTS device, but a dongle, the Secure Card Reader - PIN (SCRP), performs card acceptance and PIN encryption.
PCI CPoC (Contactless Payments on COTS) - initial release December 2019
PCI CPoC is a security standard that allows merchants to accept contactless payments (cards, phones and wearable devices) using commercial off-the-shelf (COTS) devices such as smartphones and tablets. It is specifically for transactions below the contactless limit that do not require a PIN, and it removes the need for an SCRP for those contactless transactions.
PIN on Glass Certification (by Mastercard and Visa) - initial release 2020
A key limitation of the PCI CPoC standard was the inability to enter a cardholder PIN for higher-value transactions on the touchscreen of the phone or tablet accepting the payment. Mastercard and Visa introduced this certification to enable contactless payments with PIN to be performed on the merchant's phone or tablet. This removed the need for an SCRP for contactless payments that require a PIN.
PCI MPoC (Mobile Payments on COTS) - initial release November 2022
PCI MPoC brings together PCI SPoC, PCI CPoC and PIN on Glass to deliver the complete mobile payment standard. It supports all forms of card acceptance, contactless via the COTS device itself and chip or magstripe via an SCRP, and adds the ability to perform PIN entry using just the COTS device. It defines a number of architectures and the security requirements associated with each, together with the attestation and monitoring requirements.
Complete standards for mobile acceptance and PIN entry on COTS devices have taken some time, but the release of PCI MPoC brings together a supportive compliance framework. Cryptomathic has solutions that help secure the mobile device, deliver the security functions associated with key management and encryption, and support device attestation and monitoring.