Fundamentals of PCI-MPoC: What You Need to Know

If you’ve been working with payment solutions like I have, especially in face-to-face (f2f) transactions, online payments, and backend payment integrations—you’ve probably encountered the ever-evolving security requirements from PCI SSC (Payment Card Industry Security Standards Council). With more merchants adopting mobile-based payment solutions, PCI has introduced a new framework called PCI-MPoC (Mobile Payments on COTS). This is something I’ve recently explored while working on SoftPOS and Traditional POS implementations, and I’d like to share the fundamentals with you.

What is PCI-MPoC?

PCI-MPoC is the latest security standard for mobile payments on commercial off-the-shelf (COTS) devices: think smartphones and tablets acting as payment terminals. Unlike the previous standards, PCI-SPoC and PCI-CPoC, which covered PIN-on-mobile and contactless payments separately, PCI-MPoC is more flexible and allows both PIN entry and contactless transactions on the same device.

Why PCI-MPoC Matters

For businesses and developers working on SoftPOS solutions, PCI-MPoC offers a way to turn any smartphone into a secure payment terminal. It opens doors for new merchants who don’t want to invest in dedicated payment hardware. However, with this flexibility comes the responsibility of implementing strict security measures, which is where the PCI-MPoC framework comes in.

How PCI-MPoC Works

PCI-MPoC consists of several key components:

1. Application Security

Your SoftPOS app needs to follow security guidelines, including:

  • Secure PIN entry (if your app allows PIN-based transactions)
  • Real-time transaction monitoring to detect anomalies
  • Tamper detection to prevent unauthorized access to sensitive data

2. Device Security

COTS devices (smartphones/tablets) are not purpose-built payment terminals, so they require additional security measures, such as:

  • Ensuring the OS and software are always updated
  • Detecting whether the device is rooted or jailbroken
  • Securely storing cryptographic keys

3. Cloud-based Monitoring & Attestation

Unlike traditional payment terminals, PCI-MPoC allows continuous security monitoring via the cloud. This means the solution provider must have an attestation system that:

  • Monitors device health and compliance
  • Enforces remote updates and security patches
  • Disables compromised devices from processing transactions

Comparison: PCI-SPoC vs. PCI-CPoC vs. PCI-MPoC

| Feature            | PCI-SPoC (PIN-on-Mobile) | PCI-CPoC (Contactless) | PCI-MPoC (New Standard) |
|--------------------|--------------------------|------------------------|-------------------------|
| PIN Entry          | Yes                      | No                     | Yes                     |
| Contactless        | No                       | Yes                    | Yes                     |
| Device Security    | Local security controls  | Device attestation     | Cloud-based attestation |
| Continuous Updates | No                       | No                     | Yes                     |
| Cloud Monitoring   | No                       | No                     | Yes                     |

As you can see, PCI-MPoC is the next evolution that merges PIN and contactless while ensuring cloud-based security compliance.

Implementing PCI-MPoC in Your SoftPOS Solution

If you’re working on a SoftPOS or mobile-based payment system, you’ll need to align your development with PCI-MPoC guidelines. Here’s how you can get started:

1. Ensure Secure PIN Entry (If Required)

If your app supports PIN-based transactions, PCI requires the use of an isolated secure PIN entry module. This ensures:

  • PIN data is never stored or transmitted in plaintext
  • Tampering attempts are detected and blocked
  • Input is handled through a secured screen overlay
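
To make "never stored or transmitted in plaintext" concrete, here is an added example (not code from the original post or from any vendor's PIN-entry SDK) that turns an entered PIN into an ISO 9564-1 Format 0 PIN block, encrypts it, and wipes the clear buffers. Format 0 is the classic TDES-era format and is shown because it is simple to follow; ISO 9564-1 also defines an AES-based Format 4. The class name, the test PAN and the random key are constructed for the demo; in a real terminal the key is a per-transaction DUKPT key and the PIN digits come from the isolated entry module.

```csharp
using System;
using System.Security.Cryptography;

// Added example: ISO 9564-1 Format 0 PIN block construction and encryption.
// Hypothetical class name; the TDES key is constructed here for the demo.
public static class PinBlockDemo
{
    // Builds the 8-byte Format 0 block: PIN field XOR PAN field. Binding the PAN in means an
    // encrypted block captured for one card cannot be replayed against another card.
    // The PIN arrives as char[] rather than string so it can be zeroed afterwards.
    public static byte[] Format0(char[] pin, string pan)
    {
        if (pin.Length < 4 || pin.Length > 12) throw new ArgumentException("PIN must be 4-12 digits");
        if (pan.Length < 13) throw new ArgumentException("PAN too short");

        // PIN field nibbles: [0] = control 0, [1] = PIN length, then the digits, then 0xF fill.
        byte[] pinField = new byte[8];
        pinField[0] = (byte)pin.Length;
        for (int n = 2; n < 16; n++)
        {
            int nibble = (n - 2) < pin.Length ? pin[n - 2] - '0' : 0xF;
            if (nibble < 0 || nibble > 0xF) throw new ArgumentException("PIN must be numeric");
            pinField[n / 2] |= (byte)(n % 2 == 0 ? nibble << 4 : nibble);
        }

        // PAN field nibbles: four zeros, then the rightmost 12 PAN digits excluding the check digit.
        string panDigits = pan.Substring(pan.Length - 13, 12);
        byte[] panField = new byte[8];
        for (int i = 0; i < 12; i++)
        {
            int n = i + 4;
            int nibble = panDigits[i] - '0';
            panField[n / 2] |= (byte)(n % 2 == 0 ? nibble << 4 : nibble);
        }

        byte[] block = new byte[8];
        for (int i = 0; i < 8; i++) block[i] = (byte)(pinField[i] ^ panField[i]);
        Array.Clear(pinField, 0, pinField.Length); // plaintext PIN nibbles must not linger in memory
        return block;
    }

    // Encrypts one block under a 16- or 24-byte TDES key. The block is exactly one cipher block,
    // so ECB with no padding is the correct mode here; a terminal would use a DUKPT-derived key.
    public static byte[] Encrypt(byte[] block, byte[] tdesKey)
    {
        using (var tdes = TripleDES.Create())
        {
            tdes.Key = tdesKey;
            tdes.Mode = CipherMode.ECB;
            tdes.Padding = PaddingMode.None;
            using (var enc = tdes.CreateEncryptor())
                return enc.TransformFinalBlock(block, 0, block.Length);
        }
    }

    public static void Main()
    {
        char[] pin = { '1', '2', '3', '4' };            // constructed sample, as delivered by the secure PIN pad
        string pan = "4111111111111111";                 // constructed test PAN
        byte[] key = RandomNumberGenerator.GetBytes(16); // constructed stand-in for the DUKPT-derived key

        byte[] block = Format0(pin, pan);
        Array.Clear(pin, 0, pin.Length);                 // wipe the clear PIN as soon as the block exists
        byte[] encrypted = Encrypt(block, key);
        Array.Clear(block, 0, block.Length);             // and the clear block once it is encrypted

        Console.WriteLine("Encrypted PIN block: " + Convert.ToHexString(encrypted));
    }
}
```

The two `Array.Clear` calls are the part that matters for the requirement above: the only thing that leaves this routine is the encrypted block, and neither the PIN digits nor the clear block survive in a buffer the rest of the app can read.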

2. Use Attestation APIs for Device Security

Most payment solutions now integrate device security attestation to check for rooted devices or security risks before allowing transactions. Here’s a quick example using Google’s SafetyNet API:

C#
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public async Task<bool> VerifyDeviceIntegrity(string nonce)
{
    using (var httpClient = new HttpClient())
    {
        var response = await httpClient.PostAsync(
            "https://www.googleapis.com/androidcheck/v1/attestations",
            new StringContent(JsonConvert.SerializeObject(new { nonce }), Encoding.UTF8, "application/json")
        );
        if (!response.IsSuccessStatusCode) return false; // fail closed on any API or transport error
        var result = await response.Content.ReadAsStringAsync();
        // Treat the body as the verdict JSON. A substring test for "basicIntegrity" would also
        // accept "basicIntegrity": false, so read the boolean and confirm the nonce is the one we sent.
        var verdict = JObject.Parse(result);
        bool basicIntegrity = verdict.Value<bool?>("basicIntegrity") ?? false;
        bool nonceMatches = verdict.Value<string>("nonce") == nonce;
        return basicIntegrity && nonceMatches; // rooted or tampered devices report basicIntegrity=false
    }
}

If a device fails the attestation check, transactions should be blocked to prevent fraud or tampering.

3. Implement Remote Monitoring & Compliance Checks

Your SoftPOS solution must integrate with a backend system that can:

  • Push security updates remotely
  • Check real-time compliance status
  • Disable non-compliant devices

Here’s a simplified example of a backend API check for a SoftPOS device:

C#
using Microsoft.AspNetCore.Mvc;

// Self-reported flags are easy to fake; in production the decision should rest on a signed attestation verdict verified server-side.
public record DeviceStatus(bool IsRooted, bool IsSecure);

public class DeviceController : ControllerBase
{
    [HttpPost("/verify-device")]
    public IActionResult VerifyDevice([FromBody] DeviceStatus status)
    {
        if (status == null || status.IsRooted || !status.IsSecure)
        {
            return Unauthorized("Device not compliant with PCI-MPoC");
        }
        return Ok("Device is secure");
    }
}
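
The backend check above, the SafetyNet call in step 2 and the attestation system described under "Cloud-based Monitoring & Attestation" all hinge on one thing: the server must decide from a verdict it can authenticate, not from booleans the phone reports about itself. The following added example (not code from the original post, from Google, or from any PCI-listed product) shows the backend side of that: the server issues a single-use nonce, verifies the signature on the returned verdict, rejects replays and stale verdicts, and quarantines a device only when an authentic verdict says it is compromised. All class names are hypothetical, and the attestation service is simulated with an RSA key pair generated in `Main`; a real SafetyNet verdict is a JWS checked against Google's certificate chain, and Google has since deprecated SafetyNet Attestation in favor of the Play Integrity API, which returns a signed token that is handled the same way.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text.Json;

// Added example, not from the original post. Hypothetical names throughout; the attestation
// service is simulated with an RSA key pair generated in Main, standing in for the verifier's
// published key (a real SafetyNet verdict is a JWS checked against Google's certificate chain).
public sealed class NonceStore
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _issued = new();

    // The server, not the app, chooses the nonce: 256 random bits with a short lifetime.
    public string Issue(TimeSpan ttl)
    {
        string nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _issued[nonce] = DateTimeOffset.UtcNow + ttl;
        return nonce;
    }

    // Single use: TryRemove means a second verdict carrying the same nonce is rejected as a replay.
    public bool Consume(string nonce) =>
        _issued.TryRemove(nonce, out DateTimeOffset expires) && expires > DateTimeOffset.UtcNow;
}

public sealed class DeviceRegistry
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _disabled = new();
    public void Disable(string deviceId) => _disabled[deviceId] = DateTimeOffset.UtcNow;
    public bool IsDisabled(string deviceId) => _disabled.ContainsKey(deviceId);
}

public sealed class AttestationPolicy
{
    private readonly RSA _verifierKey;
    private readonly NonceStore _nonces;
    private readonly DeviceRegistry _devices;

    public AttestationPolicy(RSA attestationServicePublicKey, NonceStore nonces, DeviceRegistry devices)
    {
        _verifierKey = attestationServicePublicKey; _nonces = nonces; _devices = devices;
    }

    // Allows a transaction only when the verdict is authentic, bound to a nonce we issued, recent,
    // and reports a clean device. Booleans the client sets itself are never the basis of the decision.
    public bool Evaluate(string deviceId, byte[] verdictJson, byte[] signature)
    {
        if (_devices.IsDisabled(deviceId)) return false;
        // Unsigned or tampered verdicts are dropped without touching device state: anyone can
        // send garbage, so garbage must not be able to disable a merchant's phone.
        if (!_verifierKey.VerifyData(verdictJson, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss))
            return false;
        using JsonDocument doc = JsonDocument.Parse(verdictJson);
        JsonElement v = doc.RootElement;
        string nonce = v.GetProperty("nonce").GetString() ?? "";
        var issuedAt = DateTimeOffset.FromUnixTimeMilliseconds(v.GetProperty("timestampMs").GetInt64());
        bool fresh = _nonces.Consume(nonce) && (DateTimeOffset.UtcNow - issuedAt).Duration() < TimeSpan.FromMinutes(5);
        if (!fresh) return false;
        bool clean = v.GetProperty("basicIntegrity").GetBoolean() && v.GetProperty("ctsProfileMatch").GetBoolean();
        if (!clean) { _devices.Disable(deviceId); return false; } // authentic verdict says compromised: quarantine
        return true;
    }
}

public static class AttestationDemo
{
    // Simulates the attestation service signing a verdict for the nonce the device was given.
    static (byte[] json, byte[] sig) SignedVerdict(RSA serviceKey, string nonce, bool basicIntegrity, bool ctsProfileMatch)
    {
        byte[] json = JsonSerializer.SerializeToUtf8Bytes(new
        {
            nonce, timestampMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(), basicIntegrity, ctsProfileMatch
        });
        return (json, serviceKey.SignData(json, HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
    }

    public static void Main()
    {
        using RSA serviceKey = RSA.Create(2048); // constructed stand-in for the verifier's key pair
        using RSA publicOnly = RSA.Create();
        publicOnly.ImportParameters(serviceKey.ExportParameters(false));
        var nonces = new NonceStore(); var devices = new DeviceRegistry();
        var policy = new AttestationPolicy(publicOnly, nonces, devices);

        string n1 = nonces.Issue(TimeSpan.FromMinutes(2));
        var (j1, s1) = SignedVerdict(serviceKey, n1, true, true);
        Console.WriteLine("clean device, fresh nonce: " + policy.Evaluate("dev-A", j1, s1));
        Console.WriteLine("same verdict replayed:     " + policy.Evaluate("dev-A", j1, s1));

        string n2 = nonces.Issue(TimeSpan.FromMinutes(2));
        var (j2, s2) = SignedVerdict(serviceKey, n2, false, false);
        Console.WriteLine("rooted device:             " + policy.Evaluate("dev-B", j2, s2));
        Console.WriteLine("dev-B now disabled:        " + devices.IsDisabled("dev-B"));

        s1[0] ^= 0xFF; // corrupt the signature: the verdict must be ignored and dev-C left untouched
        Console.WriteLine("forged signature:          " + policy.Evaluate("dev-C", j1, s1));
    }
}
```

The ordering inside `Evaluate` is deliberate. The signature is checked before anything else, and a bad signature changes no state, because a disable list that unauthenticated traffic can write to is itself a denial-of-service vector against merchants. Only after the verdict is proven authentic and fresh does a negative result put the device on the disabled list, which is the "disables compromised devices from processing transactions" requirement in the attestation bullets above.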

4. Encryption & Secure Communications

All transaction data should be encrypted using TLS 1.2 or higher, ensuring that data is never exposed during transit. Use libraries like BouncyCastle for encryption in .NET applications.

C#
using System.Security.Cryptography;
using System.Text;

public static byte[] EncryptData(string data, string publicKey)
{
    // Plain RSA can only wrap a short payload (190 bytes for a 2048-bit key with OAEP-SHA256);
    // for whole messages wrap a symmetric key instead. OAEP replaces the legacy PKCS#1 v1.5 padding.
    using (var rsa = RSA.Create())
    {
        rsa.FromXmlString(publicKey); // the XML blob must carry only the public parameters (Modulus, Exponent)
        return rsa.Encrypt(Encoding.UTF8.GetBytes(data), RSAEncryptionPadding.OaepSHA256);
    }
}
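
The "TLS 1.2 or higher" requirement is enforced on the client, not just hoped for, so here is an added example (not code from the original post) of an `HttpClient` that refuses older protocol versions and additionally pins the backend's public key. Pinning goes a step beyond what the post asks for; it is included because a phone on an untrusted network is exactly where a rogue or mis-issued certificate would be used against transaction traffic. The class name is hypothetical and the pin strings are placeholders to be replaced with the acquirer backend's real values.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post. Hypothetical class name; the pin values are placeholders.
public static class PinnedHttpClientFactory
{
    // Base64 SHA-256 hashes of the payment backend's SubjectPublicKeyInfo. PLACEHOLDER values:
    // compute them from the real certificate, and always ship a backup pin for the next key,
    // otherwise a routine certificate rotation locks every terminal out of the acquirer.
    private static readonly string[] PinnedSpkiSha256 =
    {
        "PLACEHOLDER_PRIMARY_SPKI_PIN_BASE64=",
        "PLACEHOLDER_BACKUP_SPKI_PIN_BASE64=",
    };

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            // Refuse anything below TLS 1.2 at the handler rather than relying on OS defaults.
            SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
            ServerCertificateCustomValidationCallback = ValidateServerCertificate,
        };
        return new HttpClient(handler);
    }

    // Runs after the OS has validated the chain. Pinning is layered on top of that validation,
    // never used instead of it: any chain error is fatal regardless of the pin.
    private static bool ValidateServerCertificate(HttpRequestMessage request, X509Certificate2 cert,
                                                  X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || cert == null || chain == null) return false;
        foreach (X509ChainElement element in chain.ChainElements)
            if (MatchesPin(element.Certificate)) return true; // the leaf or any issuer may carry the pin
        return false;
    }

    // Pinning the SPKI hash rather than the whole certificate survives certificate renewal
    // as long as the same key pair is kept.
    public static bool MatchesPin(X509Certificate2 cert)
    {
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        string pin = Convert.ToBase64String(SHA256.HashData(spki));
        return Array.IndexOf(PinnedSpkiSha256, pin) >= 0;
    }
}
```

To fill in the placeholders, the pin for a PEM certificate is `openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Keep the backup pin for a key that is already generated and held offline; a pin set with no backup turns the next key rotation into an outage.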

Challenges & Considerations

While PCI-MPoC provides more flexibility, it also brings challenges:

  • Increased reliance on cloud monitoring (requires always-on internet)
  • Strict compliance audits before going live
  • Device variability (different phone models, OS versions, etc.)

If you’re building a PCI-MPoC-compliant solution, be prepared for continuous testing, monitoring, and security enhancements.


PCI-MPoC is a game-changer for the payments industry, allowing businesses to accept payments securely on everyday smartphones and tablets. If you’re working on a SoftPOS or mobile payment solution, understanding PCI-MPoC is crucial to ensuring compliance and security. While the requirements may seem complex, they ultimately help protect merchants and consumers from fraud.