PCI evaluations

PCI SSC published their newest security standard for software-based payment acceptance solutions in November 2022. Called PCI Mobile Payments on COTS (commercial off-the-shelf) (MPoC), the new standard combines three standards into one – PCI SPoC, PCI CPoC and ‘Tap To Phone’ pilot standards for payment networks.

PCI MPoC solution approval allows limitless world-wide deployment, while the PCI MPoC standard offers modularity and choice for supported functionality. Solutions can be tailored to market demands for EMV card types (contact, contactless, MSR), with/without PIN, etc.

The PCI MPoC is the natural successor of the different ‘Tap to Phone with PIN’ pilot programs of payment networks. These have been very successful but will be discontinued by mid-2023 and so all pilot-approved and new solutions need to achieve a PCI MPoC approval in the next couple of years.

Brightsight is experienced in the field of software-based payment solution evaluations, with a large number of developers achieving security approval (CPoC, SPoC, TTP) following our completion of a security evaluation. We are also one of the first recognized PCI MPoC laboratories in the world and can provide all the services needed to efficiently develop and certify a solution.

Brightsight is a market leader in the PCI PTS domain, having completed more than 500 PCI-PTS security evaluations that converted into new product approvals.

PIN Transaction Security (PTS) devices enable merchants to perform secure EMV-based payment transactions, offering the highest level of protection against unauthorized data compromise.

The most recent version of the PCI PTS Point of Interaction (POI) standard is 6.x and was released in January 2023.

The PCI SPoC (Software-based Payment on COTS) program was introduced in 2019 with the objective of bringing cost-effective and attractive solutions to the market that were able to support high-value payments with strong customer authentication (SCA). These solutions were expected to be very attractive to micro and small merchants.

A SPoC solution requires a COTS device used in connection with a SRED-approved Secure Card Reader – PIN (SCRP) and a back-end system responsible for overall security. PIN entry security and processing on the COTS device must be secured with a dedicated, sophisticated PIN CVM (cardholder verification method) application, while an inherent monitoring service should ensure functionality is only possible if the authenticity, integrity and security status of the COTS device are confirmed.

Established in 2019, the PCI CPoC (PCI Contactless Payments on COTS) program and standard were introduced to make it possible to accept low-value payments on cost-effective solutions.

It provides security and test requirements for payment solutions that enable EMV-based contactless payment acceptance on merchant mobile devices, such as smartphones and tablets, using near-field communication (NFC).

PCI CPoC solutions do not support PIN entry functionality and can therefore not be used for high value payment transactions.

3D Secure (3DS) prevents fraud in credit and debit card transactions that take place online. 3DS refers to the three domains involved in authorizing a transaction – acquirer, issuer and interoperability domains.

Developed in 1999, when e-commerce was still in its infancy, 3DS had been adopted by Visa under its ‘Verified’ branding (now ‘Visa Secure') by 2001. It is now used by other card issuers, including MasterCard and American Express.

Brightsight can provide demo applications with the SDK for both Android and iOS. Both will communicate with a test server and show how it fits into a mobile application project.