PCI MPoC Expected to Work Together with Standard for Dedicated Payment Terminals
Akshaya Asokan (asokan_akshaya)
November 18, 2022
Payment card security group PCI Security Standards Council has a new standard aimed at allowing merchant devices to support multiple payment inputs including contactless cards and methods of cardholder verification.
The standard allows a single device to process contactless card data and a consumer-entered PIN.
Consumers around the world are increasingly using contactless methods for payment, and Aite-Novarica estimates a 37.8% global growth in such payments from 2020 to 2021. Forrester, in an annual study conducted for the National Retail Foundation, concluded that most US merchants already accept Apple Pay and PayPal.
The new standard – its official name is PCI Mobile Payment on COTS, or MPoC – targets payment software vendors and service providers whose solutions range from applications used to accept user account data to software deployed for certification and monitoring of payment data.
“This was done in direct response to the feedback we heard from our community,” said Andrew Jamieson, vice president of solution standards at PCI SSC. “The PCI MPoC standard allows both contactless card data and PINs to be entered into the same COTS device, for the same transaction, and also supports the use of external card readers if these are desired.”
The new standard is completely different from the council’s previous, separate standards for PIN entry devices and contactless payment devices, Jamieson said in an email to Information Security Media Group. “The ‘functional’ aspects have been separated from the ‘developmental’ aspects, allowing additional flexibility in how solutions are designed and created,” he wrote. He said the standard supports software development tools to create mobile payment applications and enables a single application to be built from multiple applications.
“The market has been looking for increased flexibility, the ability to tailor solutions to fit smaller market niches and also target large deployments.”
Some retailers have responded to the increase in consumer demand for contactless payment by using devices not specifically made for payment processing. The standard takes that into account, as well as the different threat models presented by various payment solutions, Jamieson said. However, the standards will not completely push dedicated payment terminals out of the market, he predicted.
General-purpose devices cannot provide physical security, which means “there remains a place for these devices in situations where an MPoC solution may not be appropriate,” he said.
“In the same way that physical payment cards have not been replaced by the use of Apple Pay or Android Pay, I expect that the use of phones or tablets to accept payments will co-exist alongside dedicated payment terminals.”