The momentum behind SoftPOS (Software Point of Sale) solutions continues to build. With the market set to grow to $27.7 billion by 2030, merchants looking for simple and low-cost digital payment acceptance solutions are capitalizing on this trend, opening them up to new markets and customers.
But there are challenges. SoftPOS solutions must deliver the seamless, consistent and trusted experience provided by traditional payment terminals, but cannot utilize the hardware-backed security foundations that are built into these devices. Therefore, any stakeholder wanting to bring a SoftPOS solution to market needs to take security measures seriously. Having the relevant security certifications ensures that the technology is fit for purpose and valuable payment data is protected.
The key security standard for SoftPOS solutions is Mobile Payments on COTS (MPoC™), issued by the Payment Card Industry Security Standards Council (PCI SSC). As a flexible, objective-oriented standard for payment solution development, it provides a set of modular requirements to certify secure payment acceptance solutions on commercial off-the-shelf (COTS) devices in a merchant-attended environment.
Two years on from the release of the standard, the first product certifications are now complete, and updates are being made to address stakeholder feedback, improving flexibility and utility. With the PCI Mobile Payments on COTS Security and Test Requirements v1.1 expected to be released later this year and payment scheme pilot security programs having been phased out, migration to MPoC is now mandated by the PCI SSC member payment schemes. Solution vendors need to understand the latest developments to ensure compliance with the standard and assure customers that every possible step has been taken to protect sensitive payments data.
Building on a foundation of flexibility.
PCI MPoC differs from its predecessors, Contactless Payments on COTS (CPoC) and Software-based PIN Entry on COTS (SPoC), in that it provides more flexibility to address market needs. The standard is designed to allow a single mobile payment solution to support multiple payment-acceptance channels and cardholder verification methods, encompassing what was covered by the previous standards. However, PCI CPoC and PCI SPoC have not yet been deprecated by the payment schemes.
It supports new use cases such as online PIN, offline transactions, manual entry of card data on the mobile device and remote kernels. The standard also supports the use of external Magnetic Stripe Readers (MSR) and external (contact and/or contactless) Secure Card Readers, either with or without PIN entry.
This gives merchants more ways to accept digital payments, providing customers with increased flexibility to choose how they would like to pay.
Understanding the requirements.
The PCI MPoC standard is designed to ensure that SoftPOS solutions undergo rigorous testing, keeping data secure. Therefore, the requirements for compliance are complex, with 186 individual security conditions that need to be met, and annual checks to ensure that solutions are protected against the shifting security landscape.
Beyond ensuring compliance with the PCI MPoC standard itself, solutions must also meet other existing PCI standards and provide evidence for this prior to PCI MPoC certification. For example:
The payment processing back-end and remote kernel environments must be PCI Data Security Standard (DSS) certified.
The software must have been developed by a PCI Secure Software Life Cycle (SLC)-compliant vendor.
Certain elements of the software (the Attestation and Monitoring back-end) must be compliant with the PCI Secure Software Standard (SSS) requirements.
The Attestation and Monitoring back-end must either be certified against PCI DSS with Designated Entities Supplemental Validation (DESV) or be assessed against the PCI MPoC Appendix A security requirements by the MPoC security lab.
Evidence of independent penetration testing of the SoftPOS solution must be provided by the vendor on an annual basis to maintain PCI MPoC certification. For the first year of penetration testing, this can be offered as an additional service by the MPoC security lab.
While stringent, these security conditions are better suited to business requirements than those of previous standards. One illustration of this is that Software Development Kits (SDK) and Attestation and Monitoring back-end systems can be certified as separate components first and then in combination, so the full scope of a solution is tested in several steps rather than as one monolithic MPoC solution in a single step. This modularity gives solution vendors more flexibility in their business model and enables even more solution combinations to be brought to market.
The objective-based nature of the standard also makes it less prescriptive than previous specifications, so technology providers can achieve compliance and ensure security while implementing the requirements in a way that makes sense for their particular business model.
Navigating payment scheme certification.
As with all PCI standards, any mandates, regulations, or rules regarding the MPoC requirements are provided by the PCI SSC member payment schemes, and stakeholders must navigate the nuances between them. And time is of the essence, as the proprietary security certification pilot schemes by Mastercard and Visa have been sunset. This means that solutions that have been certified as part of these programs need to migrate to MPoC or will no longer be authorized by the relevant payment schemes.
While the pressure is on to achieve compliance, in some cases payment schemes have recognized the burden of meeting the MPoC standard and have relaxed their requirements to support stakeholders. Visa has announced that in place of complete SoftPOS Solution (an MPoC Solution) certification, it will accept partial PCI MPoC certification. The three types of certifications accepted by Visa are now:
MPoC Solution (any variant).
MPoC Software Application.
MPoC Software SDK Isolated.
All solution providers and acquirers seeking a Visa Ready certification for their new or soon-to-expire SoftPOS solutions must receive one of these three types of PCI MPoC certification, or receive a PCI CPoC certification, from a PCI-recognized security lab. This approach aims to provide more flexibility and help bring SoftPOS solutions to market more quickly, but it is only intended for Visa card payment acceptance. If other payment brands are supported, the complete scope of an MPoC Solution certification applies.
Testing to ensure trust.
Even with concessions from payment schemes to support stakeholders in certifying their SoftPOS solutions, staying abreast of all the intricacies of the market, the complexity of the MPoC standard and the constantly evolving requirements from each individual payment scheme is extremely challenging.
Thankfully, Fime’s experts are on hand to provide extensive technical expertise in defining, designing, delivering and testing solutions. Whether it is delivering training sessions, helping to write the required evaluation documents or supporting you in developing solutions in line with the relevant security standards, we can help.
Find out more about how Fime can support your SoftPOS project.
To learn more about SoftPOS, you can also read the other blogs in our SoftPOS series. The first blog provides an introduction to SoftPOS, the second blog covers the hardware considerations, the third blog offers insight into the software complexities, and the fourth blog explores the security mechanisms which can protect SoftPOS solutions.