PCI Releases New Payment Standards for Mobile Devices

PCI MPoC expected to work alongside the standard for dedicated payment terminals

Akshaya Asokan (asokan_akshaya) • November 18, 2022

Payment card security group PCI Security Standards Council has a new standard aimed at enabling commercial devices to support various payment inputs, including contactless cards and methods for cardholder verification.

The standard allows a single device to process contactless card data and a consumer’s entered PIN.

Consumers worldwide are increasingly using contactless methods of payment, and Aite-Novarica estimates 37.8% global growth of such payments from 2020 to 2021. Forrester, in an annual study conducted for the National Retail Foundation, concluded that most US retailers already accept Apple Pay and PayPal.

The new standard – its official name is PCI Mobile Payment on COTS, or MPoC – is aimed at payment software providers and service providers whose solutions vary from applications used to accept user account data to software deployed for back-end payment data attestation and monitoring.

“This was done in direct response to the feedback we heard from our community,” said Andrew Jamieson, vice president of solution standards at PCI SSC. “The PCI MPoC standard allows both contactless card data and PINs to be entered into the same COTS device, for the same transaction, as well as supporting the use of external card readers if desired.”

The new standard is very different from the council’s previous, separate standards for PIN entry devices and contactless payment devices, Jamieson said in an email to the Information Security Media Group. “The ‘operational’ aspects have been separated from the ‘development’ aspects, allowing for further flexibility in how solutions are designed and created,” he wrote. The standard supports software development kits for creating mobile payment applications and allows a single application to be built from multiple software development kits, he said.

“The market has been looking for increased flexibility, the ability to adapt solutions to fit smaller market niches and also target large deployments.”

Some retailers have responded to the increase in consumer demand for contactless payment by using devices not specifically made for payment processing. The standard takes that into account, as well as the different threat models posed by different payment solutions, Jamieson said. However, the standards will not completely push dedicated payment terminals out of the market, he predicted.

General-purpose devices cannot provide physical security, meaning “there remains a place for these devices in situations where an MPoC solution might not be the best fit,” he said.

“In the same way that physical payment cards have not been replaced by the use of Apple Pay or Android Pay, I expect the use of phones or tablets to accept payments to coexist alongside dedicated payment terminals.”

