Understanding MPoC: Mobile Payments on Commercial Off-The-Shelf Devices

Jonathan Jacobs

If you're in the mobile payments industry, you've likely encountered terms like SoftPOS (Software Point of Sale), PIN on Glass (entering a PIN on a touchscreen device not purpose-built for payments) or Tap on Phone (accepting a contactless card or mobile wallet on a general-purpose device, also known as a Commercial Off-The-Shelf or COTS device).

The latest evolution in terms of compliance is PCI MPoC (Mobile Payments on COTS), a globally recognised standard published by the PCI Security Standards Council for enabling secure payment acceptance on a COTS device. Being MPoC Certified means that a solution has been assessed against the PCI SSC's security requirements for payment acceptance on COTS devices and appears on its public listing.

Moving Beyond Traditional Hardware

Historically, merchants relied on purpose-built payment terminals provided by acquirers, payment facilitators or aggregators. These terminals, certified under the PCI PTS (PIN Transaction Security) standards, were designed exclusively for secure payment acceptance, with tamper-resistant hardware protecting PIN entry and card data.

While SoftPOS technology, which turns COTS devices into payment terminals, has gained traction, it previously lacked full recognition as a certified terminal solution: the earlier PCI SPoC and CPoC standards covered software PIN entry and contactless acceptance as separate, narrower use cases. MPoC bridges this gap, offering a single security framework that legitimises and standardises payment acceptance on COTS devices.

Unpacking MPoC

What is MPoC?

MPoC (Mobile Payments on COTS) is a security framework that ensures the safe capture and processing of sensitive information on merchant-operated devices, such as smartphones and tablets.

Key features include:

  • Secure PIN entry on COTS devices
  • Card acceptance on general-purpose devices
  • Ongoing attestation and monitoring of the COTS device and payment application, so that tampering, rooting or other compromise of the mobile environment can be detected and the solution can respond

By adhering to MPoC Standards, providers can build trust with customers while ensuring compliance with global security requirements.

Who needs to be MPoC Certified?

MPoC's modular framework allows flexibility in building and validating mobile payment solutions. The following questions help determine whether MPoC applies to you and which type of validation or listing you need:

  1. Are you offering merchants a solution to accept payments?

If yes, an MPoC Solution Provider listing is required. Solution providers oversee the implementation and management of MPoC solutions, ensuring all requirements are met, including those fulfilled by third parties.

  2. Are you providing an SDK to solution providers, enabling their merchants to accept payments on COTS devices?

If yes, an MPoC Software Vendor listing is necessary. At Halo Dot, we offer an isolated SDK for building payment solutions, which requires us to validate our role as the developer, supporter and distributor of that software.

  3. Are you providing services to solution providers to enable their merchants to accept payments on COTS devices?

If yes, you may require an MPoC Service listing. These providers support MPoC solutions through operational services and software.

What do you need to be MPoC Compliant?

Navigating MPoC compliance can feel complex and confusing. While MPoC 1.1 is available, the program guide is still pending and the process varies across card schemes (as of 5 February 2025). Some key variances include:

  • One scheme allows compliance simply by embedding an already MPoC-certified SDK, such as the Halo.SDK, into your application.
  • Another scheme requires the solution provider to self-certify the application that embeds the SDK before it is treated as compliant.

Card Dipping and MPoC

While contactless payments dominate in markets like Europe, card dipping (inserting a chip card) remains essential in regions like South America. Traditional hardware terminals include a built-in slot for inserting cards; COTS devices do not.

To bridge this gap, Halo Dot introduces the Secure Card Reader - PIN (SCRP). The SCRP is a physical card reader assessed under the PCI PTS SCRP approval class and listed on the PCI PTS website.

The SCRP pairs with COTS devices to enable the dipping/inserting of cards. Additionally, Halo Dot's SDK is MPoC Certified, supporting contactless payments, PIN on Glass, and card dipping with PIN entry on Glass via the SCRP. This combination covers diverse payment requirements without compromising on security or compliance.

Halo Dot's Stance on MPoC

Halo Dot recognises the need for solution providers to undergo proper certification or assessment to ensure compliance. Just as PCI listings validate hardware, MPoC aims to standardise trust and transparency in mobile payment solutions.

We remain committed to guiding partners through the MPoC compliance journey, helping them achieve the highest security and compliance standards while enabling seamless, secure mobile payments.