New PCI standard for smartphone payments

Card acceptance for anybody?

Paying with a mobile phone is a popular method across the world, especially in countries with a high level of contactless payments. From a technical perspective, a smartphone with an NFC reader can accept card payments in the same manner as a payment terminal. Many acquirers have explored this technology to build a service offering that would let them rapidly onboard small merchants without having to prepare and deploy a classic payment terminal.

Several companies across the world have entered the race to develop viable smart-device payment solutions, and they have received provisional security approvals from the payment associations. Such solutions are already operated by many acquirers across the world. It is even possible to process transactions with cardholder verification using a PIN.

Limitations of use

There will always be limitations to using your mobile phone as a payment terminal. Simple things such as an incoming call in the middle of transaction processing can be a real nuisance. Smartphones also usually have much weaker NFC antennas than purpose-built payment terminals, so reading a contactless card with the NFC chip in a smartphone can be tricky. Many card issuers still do not provide contactless cards to their clients, so in some countries the majority of cardholders cannot pay on a terminal that has no contact reader. In such cases, the smart device would still require an external card reader.

New classes of merchants

For small merchants, the solution can be very efficient and useful. It does not require any special hardware and can be deployed almost instantly by downloading the required app to the mobile phone and pairing it with the merchant account. But rather than replacing classic payment terminals, these “SoftPOS” solutions are likely to target new types of merchants who only need to accept payments occasionally, or who need to be flexible and mobile. The solution is ideal for users such as taxi drivers, craftsmen, couriers, event merchants, etc.

Security Implications

The payment associations require that their payment cards and the associated cardholder verification methods are processed on equipment validated against the relevant PCI standards. This has prevented smart devices from being used as POS terminals, since no off-the-shelf smart device has been validated against a PCI standard. To support these new solutions, the PCI CPoC and PCI SPoC standards were introduced, covering contactless payment acceptance on smartphones and PIN entry on smartphones respectively. Using both at the same time without an external PCI PTS compliant device was not possible, however. Well, not until now.

PCI Mobile Payments on COTS (MPoC) Standard Requirements

PCI SSC announced the new PCI MPoC standard on November 16, 2022. The standard sets out the requirements for solutions that accept contactless payments, including cardholder verification, on smart devices. However, the SSC has not yet published the Program Guide for this standard, which should give more insight into its applicability, validation, and synergy with other PCI standards. We will monitor the finalization of the standard and bring additional articles once the Program Guide is published.

Need help?

Do not hesitate to get in touch with us!
