MPoC certification tips
How to certify your SoftPOS solution with MPoC ?
The new MPoC security standard enables SoftPOS providers to certify that their solutions for contactless payment on COTS meet the security requirements, ensuring the accurate protection of cardholder data in a tap on phone / tap to phone / tap on mobile environment. It is a crucial challenge for SoftPOS solution providers to ensure that their products integrate the highest level of protection of sensitive data and comply with the new PCI MPoC standard. It has become the sine qua non condition to deploy SoftPOS products on the field that meet the international payment standards and security requirements. The adoption of SoftPOS technology by merchants and consumers depends on convenience and reliability.
Payment solution providers, whether they develop their own product or integrate third party components, must prove compliance with the latest requirements described in the MPoC standard.
The modular approach of the specification enables all stakeholders involved in the development of a SoftPOS product to focus on their fields of expertise to provide best-in-class secure products.
Who is MPoC standard for ?
SoftPOS providers must meet the PCI MPoC security requirements in order to be listed as approved providers on PCI website. They can submit their solution to MPoC evaluation as a “monolithic MPoC solution”, meaning that they are responsible for all parts and components of their solution : payment software, payment application, data security mechanisms and back-end systems.
The flexible approach of the MPoC standard also enables the combination of different secure components to be certified as a “composite MPoC solution”. In that case, vendors shall partner with certified third parties listed as approved SDK software providers or attestation and monitoring service providers.
Hence the PCI Security Standard Council has identified 3 types of MPoC products that shall be submitted to MPoC evaluation :
Flexible evaluation divided into 5 domains
According the type of solution provided, organizations involved in the development of a SoftPOS solution shall meet the requirements defined in one or more of the 5 domains in the specification.
The first 2 domains describe the security features of the payment software and payment application integration.
MPoC software core requirements gathers the requirements related to secure software, security lifecycle processes, integrity protection. It also includes modules related to payment acceptance and CVM.
MPoC application integration domain gathers requirements related to the integration and usage of a MPoC software SDK and security of the overall MPoC application.
The 3 other domains cover the management of the back-end operations, the management of the software and security elements of the software and the overall payment application :
The attestation and monitoring domain specifically describes the backend attestation and monitoring environments, where the device used as a SoftPOS is going to be checked, enrolled or disabled in case of vulnerability.
MPoC software management domain describes the security requirements for the distribution and maintenance of the software SDK or MPoC application. It also defines the key management process and software update management.
The 5th domain applies to all SoftPOS solution providers who must manage the overall environment and third parties involved ; certified MPoC components used in the solution, the merchant identification, or the security of the back-end system.
Define your scope of certification
The division of the specification into domains and modules enable payment solution providers to build their products using third party MPoC approved partners. Then the scope of evaluation of their products is defined accordingly :
If you developed and managed all parts of SoftPOS
If you selected a certified software SDK solution
If you selected a certified SoftPOS software SDK and certified attestation & monitoring service
For more information about how Alcinéo can help you optimize the scope of your MPoC evaluation, read our article HERE