MPoC, SPoC and CPoC: A revolution in secure mobile payments

Inside this article:

  • See how MPoC, SPoC and CPoC are redefining payment acceptance for business.
  • Explore the certification requirements and technical hurdles for secure payment apps.
  • Gain insights to secure your digital business and lead in mobile payments.

In today’s world of digital payments, traditional payment terminals are gradually giving way to innovative solutions based on smartphones and tablets. MPoC (Mobile Payments on COTS), SPoC (Software-based PIN Entry on COTS) and CPoC (Contactless Payments on COTS) represent a new era in payment acceptance, enabling ordinary mobile devices to be transformed into secure payment terminals. This article provides a comprehensive overview of these solutions, their differences, applications, and the requirements for providers wishing to enter this dynamically developing market. 

The origins of mobile payment solutions on COTS devices 

Limitations of traditional payment solutions 

Traditional payment systems are based on dedicated terminals approved in accordance with the PCI PTS POI (PIN Transaction Security, Point of Interaction) standard. These specialised devices are designed solely for the secure acceptance of payments, which ensures a high level of security but also brings significant limitations: 

  • High implementation and maintenance costs: dedicated terminals require substantial investment, particularly for small and medium-sized enterprises. The cost of purchase, installation, servicing and replacement creates a barrier to entry for many businesses. 
  • Limited mobility: traditional terminals are usually stationary or have limited mobility, which makes it difficult to accept payments in locations without permanent infrastructure. 
  • Long implementation time: the process of ordering, delivering, installing and configuring traditional terminals can take weeks or months. 
  • Lack of functional flexibility: dedicated terminals offer limited possibilities for extending functionality and integrating with other business systems. 

What are COTS devices? 

COTS (Commercial Off-The-Shelf) are commercial devices available on the mass market, such as smartphones, tablets or other mobile devices equipped with NFC technology. Unlike dedicated payment terminals, COTS devices are designed for a wide spectrum of applications, making them much more accessible and cost-effective. 

Key characteristics of COTS devices include: 

  • Mass availability and competitive prices 
  • Built-in communication capabilities (NFC, Bluetooth, WiFi, 4G/5G) 
  • Regular software updates 
  • Application ecosystem and integration capabilities 
  • Familiar user interface for end-users 

MPoC, SPoC and CPoC – definitions and differences 

Software-based PIN Entry on COTS (SPoC) 

SPoC is a standard developed by the PCI Security Standards Council that enables secure PIN entry directly on a COTS device. The solution consists of three key elements: 

  • Secure Card Reader for PIN (SCRP): an external card reader approved in accordance with PCI PTS POI requirements. The SCRP reads contact and contactless EMV cards and encrypts account data before it leaves the reader. 
  • PIN CVM application: software installed on the COTS device, responsible for the secure entry of the customer's PIN and for protecting it on its way to the SCRP. 
  • Monitoring and attestation system: a back-end service operated by the SPoC solution provider, which continuously checks the integrity of the COTS device, the PIN CVM application and the SCRP and can block PIN entry when a threat is detected. 

The key design feature of SPoC is the separation of card data (read and encrypted by the SCRP) from PIN entry (captured on the COTS device): no software component on the COTS device ever holds both the PAN and the PIN, so a compromised phone alone cannot yield a usable PIN block. 
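To make the separation concrete, here is an added example (not code from the SPoC standard or from any vendor SDK) that builds an ISO 9564-1 format 0 PIN block. The format XORs the PIN field with digits taken from the PAN, which is why the block can only be formed where the PAN is available: in the SCRP, not in the PIN CVM application. The PAN and PIN values used are constructed test data, and the clear block shown here would in practice be encrypted under the acquirer's PIN key inside the reader.

```python
"""ISO 9564-1 format 0 PIN block construction and recovery (added example)."""
import re

PIN_RE = re.compile(r"^\d{4,12}$")
PAN_RE = re.compile(r"^\d{12,19}$")


def _pan_field(pan: str) -> int:
    """Format 0 PAN field: four zero nibbles followed by the 12 rightmost
    PAN digits, excluding the Luhn check digit."""
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 12-19 digits")
    return int("0000" + pan[:-1][-12:], 16)


def _pin_field(pin: str) -> int:
    """Format 0 PIN field: control nibble 0, PIN length in hex, PIN digits,
    padded with F nibbles to 16 nibbles (64 bits)."""
    if not PIN_RE.fullmatch(pin):
        raise ValueError("PIN must be 4-12 digits")
    return int(f"0{len(pin):X}{pin}".ljust(16, "F"), 16)


def iso0_pin_block(pin: str, pan: str) -> str:
    """Return the clear 16-hex-digit PIN block. Only the component holding
    the PAN (the SCRP in a SPoC solution) can compute this."""
    return f"{_pin_field(pin) ^ _pan_field(pan):016X}"


def recover_pin(block: str, pan: str) -> str:
    """Inverse operation, as an acquirer host or HSM performs it after
    decrypting the block. Fails if the PAN does not match the block."""
    field = f"{int(block, 16) ^ _pan_field(pan):016X}"
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin = field[2:2 + length]
    if not pin.isdigit() or set(field[2 + length:]) - {"F"}:
        raise ValueError("PIN block does not match this PAN")
    return pin


if __name__ == "__main__":
    # Constructed sample values: PAN 4111 1111 1111 1111, PIN 1234.
    block = iso0_pin_block("1234", "4111111111111111")
    print(block, recover_pin(block, "4111111111111111"))
```

Note that the same PIN produces a different block for every PAN, and recovering with the wrong PAN fails the padding check; both properties are exactly what ties the PIN block to the card the SCRP read.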

Contactless Payments on COTS (CPoC) 

CPoC enables the acceptance of contactless payments directly on a COTS device using the built-in NFC interface. Unlike SPoC, CPoC does not require an external card reader, but it has certain limitations: 

  • No PIN support: CPoC does not support PIN entry, so card transactions are limited to amounts below the contactless limit (usually 100 PLN in Poland); wallet payments that verify the cardholder on the consumer's own device (CDCVM) are not subject to this cap. 
  • Contactless payments only: the solution supports only contactless cards and mobile payments (Apple Pay, Google Pay, contactless BLIK). 
  • Security architecture: card data is read and processed directly by the application running on the COTS device, protected by white-box cryptography mechanisms and a remote attestation and monitoring service. 

Mobile Payments on COTS (MPoC) 

MPoC is the latest and most versatile standard, combining the capabilities of SPoC and CPoC in one solution. Published by PCI SSC in November 2022, MPoC introduces: 

  • Modular approach: the standard consists of three independently evaluated components: MPoC Software (SDK), Attestation and Monitoring (A&M), and the MPoC Solution that combines them. 
  • Flexible implementation options: providers can certify individual components separately or as a complete solution. 
  • Extended payment capabilities: support for both contactless and PIN-based payments on the same COTS device. 
  • Offline transaction support: under certain conditions, transactions can be performed without an internet connection. 

Summary of MPoC, SPoC and CPoC solutions 

Functionality                 SPoC             CPoC                      MPoC
PIN support                   ✓ (on COTS)      ✗                         ✓ (on COTS)
Contactless payments          ✓                ✓                         ✓
External reader               Required (SCRP)  Not required              Optional
Offline transactions          ✗                ✗                         ✓ (limited)
Modularity                    No               No                        ✓
Transaction limits            No limits        Up to contactless limit   No limits
Year of standard publication  2018             2019                      2022

Examples of SoftPOS solutions on the Polish market 

Polskie ePłatności – PepPay 

Polskie ePłatności introduced the PepPay solution, based on technology from the Danish company Softpay.io. The application is designed for devices with Android 8.0 or newer, equipped with an NFC reader. PepPay supports: 

  • Payment methods: contactless payments with Visa and Mastercard cards, mobile wallets (Apple Pay, Google Pay), contactless BLIK, and Sodexo and Edenred cards. 
  • Business functionalities: transaction history, sending receipts by e-mail, integration with catering systems. 
  • Solution architecture: the application is based on a certified Softpay SDK, enabling rapid implementation while maintaining high security standards. 

eService – eService tom (formerly LikePOS) 

eService, part of the Global Payments group, offers the eService tom application terminal. The solution was developed in cooperation with Visa and underwent many months of pilot testing: 

  • Technical components: uses Visa Tap to Phone technology and proprietary PIN on Glass security solutions developed using an SDK provided by Yazara. 
  • Supported payments: contactless Visa and Mastercard cards, Google Pay, Apple Pay, contactless BLIK, with plans to extend to BLIK codes. 
  • Advanced functions: transaction history, refund and cancellation operations, predefined amounts, multiple confirmation options (e-mail, SMS, QR, printing via Bluetooth). 

Fiserv – PolCard Go 

PolCard Go from Fiserv is one of the first such solutions available on the Polish market. The application won the Payment Awards in 2020: 

  • PIN on Glass technology: transaction authorisation directly on the device screen with a dynamic digit layout to increase security. 
  • Certifications: confirmed by Visa and Mastercard, compliant with PCI standards. 
  • Integrations: App2App interface enabling full integration with courier and catering systems. 
  • Deployments: currently running on over 10,000 devices, with significant deployments for clients such as DHL (4,900 couriers) and Media Expert (450 suppliers). 

Softpos – ING eTerminal and Worldline Tap on Mobile 

The Polish company Softpos, in which Worldline holds shares, offers its solution under various brands: 

  • MPoC certification: Softpos was the first Polish company to obtain PCI MPoC certification for its solution. 
  • Distribution: the solution is available through implementation in other providers’ offerings – ING eTerminal, Worldline Tap on Mobile and Elavon Softpos. 
  • Functionalities: support for contactless payments with PIN, compliance with the latest PCI MPoC security standards. 

Variants of MPoC solution implementation 

The PCI MPoC standard offers various implementation options tailored to the needs and capabilities of different providers: 

Monolithic MPoC solution 

In this variant, the provider is responsible for all components of the solution: 

  • Advantages: full control over security and functionality, uniform architecture 
  • Challenges: high certification costs, long implementation time, requires broad technical expertise 

Component-based MPoC solution 

Allows a solution to be built using certified components from different providers (as in most of the implementations described above): 

  • Advantages: faster time to market, ability to choose the best components, lower costs 
  • Challenges: integration management, dependency on external providers 

Variants according to system architecture

  • Dedicated SDK variant: the provider creates its own SDK with payment functions, which can be integrated by other application providers. 
  • Standalone application variant: a complete payment application operating independently on a COTS device. 
  • App-to-app variant: a solution using inter-application communication, where payment processing is handed over to a specialised payment application. 

Requirements for MPoC solution providers

Successful MPoC certification requires providers not only to be familiar with PCI standards but also to have the capability to implement advanced cryptographic procedures and application security controls. Meeting these requirements is essential to ensuring compliance with industry standards and safeguarding payment data in a COTS device environment. 

From implementing certified data processing procedures, through secure lifecycle management of cryptographic keys, to continuous application integrity monitoring – each element plays a crucial role in maintaining security. The following section outlines the set of requirements that every provider should meet before entering the MPoC market. 

PCI standards required for xPOC solution certification 

Providers planning to implement an MPoC solution must meet a number of certification requirements: 

  • PCI DSS (Data Security Standard): back-end environments responsible for payment processing, including any remote kernel environment, must hold PCI DSS certification. 
  • PCI PIN Security: back-end systems that process PIN data require certification compliant with the PCI PIN Security standard. 
  • PCI SSF (Software Security Framework): the MPoC software must be developed by a provider holding a PCI Secure Software Lifecycle (Secure SLC) listing, or the provider's development lifecycle must be assessed by the PCI-recognised laboratory as part of the MPoC evaluation. 

Cryptographic key management requirements 

The security of MPoC solutions is based on advanced cryptographic mechanisms: 

  • Key generation: cryptographic keys used to encrypt PIN and payment data must be generated using processes ensuring unpredictability and uniform distribution, i.e. an approved random number generator rather than any value derived from device identifiers or timestamps. 
  • Key storage: use of secure hardware (HSM, Hardware Security Modules) on the back end, and on the COTS device equivalent software mechanisms such as white-box cryptography. 
  • Lifecycle management: processes for key derivation, distribution, rotation and destruction in line with industry best practices, so that a key compromised on one device or in one transaction does not expose others. 
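The following added example (not code from the MPoC standard, from DUKPT, or from any vendor SDK) walks through that lifecycle in a simplified form: a base derivation key is generated by a CSPRNG, held inside a key-holding component whose interface never exports it, and used to derive one key per transaction through an HKDF (RFC 5869) ratchet, so a key captured from one transaction reveals neither earlier nor later ones. Production solutions typically use DUKPT as specified in ANSI X9.24 for this purpose; the labels, the exhaustion limit and the device identifiers here are assumptions chosen for illustration.

```python
"""Per-transaction key ladder built on HKDF (added example, not DUKPT)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step; an empty salt defaults to HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


class KeyLadder:
    """Models the key-holding component: it owns the base key and hands out
    per-transaction keys only. The base key itself is never returned."""

    MAX_TRANSACTIONS = 1_000_000  # assumed exhaustion limit before re-injection

    def __init__(self, device_id: str, bdk: Optional[bytes] = None):
        if bdk is None:
            bdk = secrets.token_bytes(32)  # lifecycle step 1: CSPRNG generation
        if len(bdk) != 32:
            raise ValueError("base derivation key must be 256 bits")
        # Bind the chain to the device so two devices injected with the same
        # base key still derive different transaction keys (hypothetical labels).
        self._chain = hkdf(bdk, b"mpoc-example/initial", device_id.encode(), 32)
        self._counter = 0
        self._destroyed = False

    def next_transaction_key(self) -> Tuple[int, bytes]:
        """Return (counter, key) for the next transaction and ratchet forward."""
        if self._destroyed:
            raise RuntimeError("key ladder destroyed")
        if self._counter >= self.MAX_TRANSACTIONS:
            self.destroy()
            raise RuntimeError("key ladder exhausted; inject a new base key")
        self._counter += 1
        ctr = self._counter.to_bytes(4, "big")
        txn_key = hkdf_expand(self._chain, b"txn" + ctr, 32)
        # One-way ratchet: the old chain value is overwritten, so neither it nor
        # the keys derived from it can be recomputed from the current state.
        self._chain = hkdf_expand(self._chain, b"ratchet" + ctr, 32)
        return self._counter, txn_key

    def destroy(self) -> None:
        """Lifecycle end: overwrite the chain key and refuse further use. Python
        cannot guarantee that no copy survives; a real HSM zeroises in place."""
        self._chain = bytes(32)
        self._destroyed = True


if __name__ == "__main__":
    ladder = KeyLadder("cots-device-01")
    for _ in range(3):
        n, k = ladder.next_transaction_key()
        print(n, k.hex())
    ladder.destroy()
```

The HKDF functions are checked against RFC 5869 test case 1, so the derivation itself is standard; what the example adds on top is the ratchet and the explicit destruction and exhaustion handling that a key-management review will ask about.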

Application requirements 

  • Attestation and monitoring: MPoC solutions require continuous monitoring of application and device integrity and real-time detection of potential threats, with the back end able to refuse or suspend transaction processing when an attestation fails. 
  • Tamper protection: implementation of anti-tampering mechanisms, root/jailbreak detection, emulator detection, and detection of debuggers and hooking frameworks. 
  • Secure communication channels: all data transmissions between solution components must use encrypted communication channels with end-to-end authentication of both parties. 
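The attestation round trip that the first two points describe is shown below as an added example with both sides of the exchange; it is not code from the MPoC standard or from any vendor's A&M service. It assumes that every enrolled device shares a 256-bit attestation key with the back end (in practice bound to a hardware-backed keystore on the phone), that the app reports a hash of its own code plus a set of device-integrity signals, and that the back end only answers "ok" when the report is authentic, fresh (bound to an unused nonce) and passes policy. The device identifiers, expected build hash and signal values are constructed sample data.

```python
"""Challenge-response attestation between a COTS app and an A&M back end."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Hash of the approved application build; a sample value for this example.
EXPECTED_APP_HASH = hashlib.sha256(b"mpoc-sdk-build-4711").hexdigest()
MAX_REPORT_AGE = 30  # seconds between challenge and report (assumed policy)


def canonical(obj: dict) -> bytes:
    """Deterministic JSON so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_report(device_id: str, key: bytes, nonce: bytes,
                 app_code: bytes, signals: Dict[str, bool]) -> dict:
    """Device side: measure the app, collect integrity signals, MAC the lot
    together with the server's nonce so the report cannot be replayed."""
    body = {
        "device_id": device_id,
        "nonce": nonce.hex(),
        "app_hash": hashlib.sha256(app_code).hexdigest(),
        "signals": signals,
    }
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


class AttestationBackend:
    """A&M side: issues nonces, verifies reports, enforces policy."""

    def __init__(self, device_keys: Dict[str, bytes]):
        self._device_keys = device_keys
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = (nonce, time.time())
        return nonce

    def verify(self, device_id: str, report: dict,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        key = self._device_keys.get(device_id)
        pending = self._pending.pop(device_id, None)  # each nonce is single-use
        if key is None or pending is None:
            return False, "unknown device or no outstanding challenge"
        nonce, issued = pending
        body = {k: v for k, v in report.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(report.get("mac", ""))):
            return False, "bad MAC"
        if bytes.fromhex(body["nonce"]) != nonce:
            return False, "nonce mismatch"
        if now - issued > MAX_REPORT_AGE:
            return False, "stale report"
        if body["app_hash"] != EXPECTED_APP_HASH:
            return False, "unexpected application code"
        tripped = sorted(name for name, flag in body["signals"].items() if flag)
        if tripped:
            return False, "device integrity failed: " + ", ".join(tripped)
        return True, "ok"


# Signals a healthy device would report (constructed sample).
CLEAN_SIGNALS = {"rooted": False, "emulator": False,
                 "debugger_attached": False, "hooking_framework": False}

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    backend = AttestationBackend({"dev-1": key})
    nonce = backend.challenge("dev-1")
    report = build_report("dev-1", key, nonce, b"mpoc-sdk-build-4711", dict(CLEAN_SIGNALS))
    print(backend.verify("dev-1", report))
```

The order of checks matters: the MAC is verified before any field is trusted, the nonce is consumed on first use so a captured report cannot be replayed, and only then is the policy (approved build, no root/emulator/hooking indicators) evaluated. Real A&M services add device-bound key provisioning, rate limiting and a decision on whether to release transaction keys at all; those parts are outside this example.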

Thinking about MPoC? Here is a sample project plan for an MPoC solution 

Preparing for MPoC certification can seem complex, from requirements analysis, through documentation development, to the final audit. 

Below we present key elements based on our experience and strategic questions that should be addressed to maximise the chance of successful certification. 

Planning and analysis phase (months 1 to 2) 

Key strategic decisions

  • Choosing the implementation variant (monolithic vs component-based) 
  • Defining target platforms (Android, iOS) 
  • Analysing regulatory requirements in target markets 
  • Choosing the component certification model 

Key questions to resolve

  • Develop your own SDK or use an existing solution? 
  • Which functionalities will be key for target clients? 
  • What will be the solution’s monetisation model? 

Architecture design phase (months 2 to 4) 

Elements to design

  • Application security architecture 
  • Integration with backend systems 
  • Communication and session management protocols 
  • Attestation and monitoring mechanisms 

Key technical decisions

  • Choosing white-box cryptography technology 
  • Designing API interfaces 
  • Key management strategy 

Development and testing phase (months 4 to 10) 

Component development

  • Implementing the core SDK 
  • Developing a demonstration application 
  • Building backend systems 
  • Integration with attestation services 

Security testing

  • Penetration testing by an independent laboratory 
  • Vulnerability assessment in accordance with PCI MPoC requirements 
  • Testing in various usage scenarios 

Certification phase (months 10 to 14) 

PCI MPoC certification process

  • Selecting an accredited PCI laboratory 
  • Preparing technical documentation 
  • Conducting certification tests 
  • Obtaining listing on the PCI SSC website 

Commercialisation phase (months 14 to 18) 

Preparing for market launch

  • Developing marketing materials 
  • Training sales and support teams 
  • Pilot deployments with selected clients 
  • Optimising onboarding processes 

Challenges and benefits of xPOC solutions 

Despite the many requirements and implementation complexity, MPoC solutions bring numerous benefits for businesses using them. 

Benefits

  • Reduced operational costs: eliminating the need to purchase, lease and service dedicated payment terminals significantly lowers the cost of entering the cashless payments market. 
  • Increased mobility: the ability to accept payments anywhere with internet access expands business opportunities, especially for mobile service providers. 
  • Quick deployment: application activation usually takes from a few minutes to a few hours, compared to weeks of waiting for delivery and installation of a traditional terminal. 
  • Integration with the mobile ecosystem: easy integration with other business applications, CRM systems, invoicing or inventory management. 

Challenges

  • Certification complexity: obtaining PCI MPoC certification is time-consuming and costly, requiring specialist payment security expertise. 
  • Security management: ensuring security on COTS devices, which were not designed solely for payments, requires advanced protection mechanisms. 
  • Platform fragmentation: differences between Android and iOS systems and their versions create challenges in delivering a uniform user experience. 
  • Price competition: the growing number of providers leads to price pressure, which can affect the profitability of solutions. 

The future of mobile payment solutions 

xPOC solutions represent the future of payment acceptance, especially in the small and medium-sized enterprise segment. The development of 5G, artificial intelligence and blockchain will continue to drive innovation in this area. 

Technological trends: integration with biometric technologies, augmented reality and the Internet of Things (IoT) will open up new possibilities for using COTS devices in payments. 
Regulations: further streamlining of security standards and harmonisation of regulatory requirements across different markets is expected. 
Market adoption: forecasts indicate dynamic growth in the SoftPOS market, with an expected growth rate exceeding 20% annually in the coming years. 

Patronusec –  your partner in secure payment transformation 

With the growing popularity of MPoC, SPoC and CPoC solutions, every payment service provider faces a key challenge: how to enter this dynamically developing market securely and effectively? Patronusec, as a leading expert in cybersecurity and IT compliance in Poland and Europe, offers comprehensive support at every stage of this process. 

Our experience in PCI certifications covers the full range of standards necessary for the implementation of mobile payment solutions. From PCI DSS requirements analysis, through PCI PIN Security certification, to the latest PCI SSF standard, we provide a comprehensive approach that allows our clients to focus on business growth while we ensure compliance and security. 

The next step is yours 

If your company plans to introduce its own SoftPOS or wants to raise the security level of an existing solution, contact Patronusec today. We will accelerate the MPoC certification process, reduce operational risk and ensure that your application meets the highest requirements of payment organisations. Secure mobile payments start with a solid strategy, and we will deliver it in full. 

With experience gained from more than 1,000 certification audits in 60 countries, we understand both the technical aspects of MPoC deployments and the business and regulatory challenges associated with entering the mobile payments market. 

Book a free consultation and see how we can help your organisation enter the era of mobile payments on COTS devices securely and effectively. At Patronusec, we know that security is a process that should be simple, effective and naturally integrated into your company’s daily operations – so you can fully focus on business growth.
