PCI MPoC is Expected to Work in Accordance with the Standard for Dedicated Payment Areas
Akshaya Asokan (asokan_akshaya)
November 18, 2022
The payment card security group PCI Security Standards Council has a new standard intended to allow commercial devices to support more payment inputs including contactless cards and cardholder authentication methods.
The standard allows a single device to process contactless card data and a PIN entered by the consumer.
Consumers around the world are increasingly using contactless payment methods, and Aite-Novarica estimates a 37.8% growth in such payments worldwide from 2020 to 2021. Forrester, in an annual survey conducted for the National Retail Foundation, concluded that most US retailers already accept Apple Pay and PayPal.
The new standard – its official name is PCI Mobile Payment on COTS, or MPoC – is aimed at payment software vendors and service providers whose solutions range from applications used to receive user account data to software deployed to authenticate and monitor payment data in the background.
“This was done in direct response to the feedback we heard from our community,” said Andrew Jamieson, vice president of standards solutions at PCI SSC. “The PCI MPoC standard allows both contactless card data and PINs to be embedded in the same COTS device, with parallel functionality, and to support the use of external card readers if that is required.”
The new standard differs significantly from the council’s previous, separate standards for PIN entry devices and contactless payment devices, Jamieson said in an email to Information Security Media Group. “The ‘operational’ aspects are separated from the ‘development’ aspects, allowing more flexibility in how solutions are developed and created,” he wrote. The standard supports software development tools to create mobile payment applications and allows a single application to be built with multiple software development kits, he said.
“The market was looking for increased flexibility, the ability to adapt solutions to fit smaller markets and to target larger applications.”
Some retailers have responded to consumers’ increasing demand for contactless payments by using devices that are not specifically designed for payment processing. The standard takes that into account, as well as the different threat models posed by different payment solutions, Jamieson said. Still, the standards won’t completely push dedicated payment terminals out of the market, he predicted.
General-purpose devices can’t provide physical security, which means “there’s still a place for these devices in situations where an MPoC solution might not be the best fit,” he said.
“In the way that physical payment cards have not yet been replaced by Apple Pay or Android Pay, I expect that the use of phones or tablets to accept payments will be accompanied by dedicated payment terminals.”