MPoC certification tips

How to certify your SoftPOS solution with MPoC ?

SoftPOS - MPoC security certification tips

The new MPoC security standard enables SoftPOS providers to certify that their solutions for contactless payment on COTS meet the security requirements, ensuring the accurate protection of cardholder data in a tap on phone / tap to phone / tap on mobile environment.  It is a crucial challenge for SoftPOS solution providers to ensure that their products integrate the highest level of protection of sensitive data and comply with the new PCI MPoC standard. It has become the sine qua non condition to deploy SoftPOS products on the field that meet the international payment standards and security requirements. The adoption of SoftPOS technology by merchants and consumers depends on convenience and reliability.

Payment solution providers, whether they develop their own product or integrate third party components, must prove compliance with the latest requirements described in the MPoC standard.

The modular approach of the specification enables all stakeholders involved in the development of a SoftPOS product to focus on their fields of expertise to provide best-in-class secure products.

Who is MPoC standard for ?

SoftPOS providers must meet the PCI MPoC security requirements in order to be listed as approved providers on PCI website. They can submit their solution to MPoC evaluation as a “monolithic MPoC solution”, meaning that they are responsible for all parts and components of their solution : payment software, payment application, data security mechanisms and back-end systems.

The flexible approach of the MPoC standard also enables the combination of different secure components to be certified as a “composite MPoC solution”. In that case, vendors shall partner with certified third parties listed as approved SDK software providers or attestation and monitoring service providers.

Hence the PCI Security Standard Council has identified 3 types of MPoC products that shall be submitted to MPoC evaluation :

Flexible evaluation divided into 5 domains

According the type of solution provided, organizations involved in the development of a SoftPOS solution shall meet the requirements defined in one or more of the 5 domains in the specification. 

The first 2 domains describe the security features of the payment software and payment application integration. 

The 3 other domains cover the management of the back-end operations, the management of the software and security elements of the software and the overall payment application :

Define your scope of certification

The division of the specification into domains and modules enable payment solution providers to build their products using third party MPoC approved partners. Then the scope of evaluation of their products is defined accordingly :

If you developed and managed all parts of SoftPOS

If you selected a certified software SDK solution

If you selected a certified  SoftPOS software SDK and certified attestation & monitoring service

For more information about how Alcinéo can help you optimize the scope of your MPoC evaluation, read our article HERE