
PCI MPoC is expected to work together with the dedicated payment terminal standard
Akshay Asokan (asokan_akshaya)
November 18, 2022

Payment card security group PCI Security Standards Council has a new standard that aims to enable commercial devices to support multiple payment inputs, including contactless cards and cardholder verification methods.
The standard allows a single device to process the contactless card data and the PIN entered by the consumer.
Consumers around the world are increasingly using contactless payment methods, and Aite-Novarica estimates a global growth of 37.8% between 2020 and 2021. Forrester, in its annual research for the National Retail Foundation, found that most US merchants already accept Apple Pay and PayPal.
The new standard – officially called PCI Mobile Payment on COTS, or MPoC – targets payment software vendors and service providers whose solutions range from applications used to accept user account data to software used to authenticate and monitor back-end payment data.
“This was done in direct response to feedback we heard from our community,” said Andrew Jamieson, PCI SSC’s vice president of solution standards. “The PCI MPoC standard allows both contactless card data and PINs to be entered into a single COTS device for the same transaction, and supports the use of external card readers if desired.”
The new standard is quite different from the council’s previous, separate standards for PIN entry devices and contactless payment devices, Jamieson said in an email to Information Security Media Group. “The ‘operational’ aspects are decoupled from the ‘development’ aspects, allowing for future flexibility in designing and creating solutions,” he wrote. He said the standard supports software development kits for building mobile payment applications, and allows a single application to be built from multiple software development kits.
“The market was looking for greater flexibility, the ability to tailor solutions to fit smaller market niches, and the goal was for large deployments.”
Some retailers have responded to the rise in consumer demand for contactless payments by using devices not specifically designed to process payments. The standard takes that into account, as well as the different threat models posed by different payment solutions, Jamieson said. However, the standards will not completely drive dedicated payment terminals out of the market, he predicted.
General-purpose devices cannot provide physical security, which means “these devices still have a place in situations where an MPoC solution may not be the best fit,” he said.
“Just as physical payment cards have not been replaced by Apple Pay or Android Pay, I expect the use of phones or tablets to accept payments to co-exist with dedicated payment terminals.”