PCI Council Launches Flexible Mobile Payments Standard

The PCI Security Standards Council (PCI SSC) has published a new standard designed to improve the security of mobile-based payments and ease compliance efforts.

The council, a cross-industry payment card group responsible for the ubiquitous PCI DSS standard, said the launch recognizes the different security requirements for regular versus mobile payments.

Its new standard, Mobile Payments on COTS (MPoC), builds on existing standards that cover solutions enabling merchants to accept cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device. These standards are known as PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC).

MPoC combines the two by including PIN and contactless entry on the same COTS device. It’s designed to be a more flexible, modular standard supporting different types of payment acceptance channels and consumer verification methods on COTS devices.

“As the payment acceptance landscape continues to grow, merchants, vendors, and solution providers are seeking new ways to accept and process payments,” said Emma Sutcliffe, SVP standards officer at the PCI SSC.

“The PCI MPoC Standard recognizes that there are different ways in which a card-based payment may be accepted in face-to-face environments through the use of COTS products, such as mobile phones and tablets.”

Compliance with the standard should be relatively straightforward for those familiar with PCI SPoC and PCI CPoC, as many of the requirements are the same, the PCI SSC said.

MPoC has also been designed to separate the ‘technical’ or ‘development’ elements from the ‘operational,’ enabling the standard to evolve to address market needs more seamlessly, it added.

A common criticism of standards in the technology and security space is that they fail to keep pace with the speed of innovation in the market.

The announcement will be of interest to both vendors of card-present payment acceptance technologies and the acquirers and merchants that buy and deploy the solutions.

“It’s hard to say what the future of payments will be, but we know that payments can’t be a one-size-fits-all,” said Andrew Jamieson, VP of solutions at the PCI SSC.

“At the council, we want to allow for innovation, flexibility, and agility in how our standards address these new payment acceptance methods. At the same time, this innovation needs to support a sufficient level of security that allows for the confidence in these solutions that is required for their broad adoption.”

Led by Google Pay and Apple Pay, use of mobile wallets surged during the pandemic, according to the US National Retail Federation (NRF).
