December 19, 2023

    How to Navigate PCI MPoC Compliance

    Smartphones have indisputably changed how consumers pay for goods and services. By 2026, more than 60% of consumers worldwide will use mobile wallets and payment apps, such as Apple Pay, Google Pay, and Samsung Pay.

    It isn’t just consumers who enjoy the ease and convenience of mobile financial transactions. Merchants are also shifting their payment acceptance to mobile through Software Point of Sale (SoftPOS) technology. Unlike traditional POS terminals, or even “dongles” such as Square’s card reader, where consumers swipe or tap their payment cards on dedicated hardware, SoftPOS requires no additional hardware. Today, all a merchant needs is an NFC-enabled mobile device (a smartphone or a tablet) and a mobile POS app to accept payments for goods and/or services.

    By 2027, more than 34.5 million merchants will use SoftPOS technology to accept customer payments. With this growth in popularity, these mobile applications and devices are quickly becoming prime targets for malicious actors. Merchants using them may be subject to man-at-the-end (MATE) attacks, in which the attacker controls the very device the app runs on, POS malware, and man-in-the-middle (MitM) attacks, among others.

    To account for this shift in the industry and the evolving threat landscape, the PCI Security Standards Council (PCI SSC) has published a security standard called PCI MPoC. Developers of mobile applications with SoftPOS functionality must become familiar with and comply with its requirements to avoid costly risks.

    PCI Standards are evolving to keep pace with the increased usage of SoftPOS technology

    Before diving into the PCI standard designed for SoftPOS applications, let’s quickly review the many industry-specific acronyms:

    • Point-of-sale (POS) terminal: The hardware used to process payments, where consumers can swipe or tap their card or mobile wallet and authorize the payment.
    • Commercial-off-the-shelf (COTS) devices: Devices like smartphones or tablets that are widely available on the market.
    • Software Point of Sale (SoftPOS): Software that turns the merchant’s COTS device into a point-of-sale terminal for processing payments.
    • Near-field communication (NFC): Technology that allows short-range communications between two devices — the SoftPOS device receiving the payment and the device initiating the transaction.
    • Mobile Payments on COTS (MPoC): A series of requirements to guide how SoftPOS applications protect their end users’ data and block fraudulent transactions.

    The PCI MPoC Standard

    The Payment Card Industry (PCI) standards govern how cardholder data — card numbers, PINs, and personally identifiable information (PII) — is handled and protected throughout a payment transaction. In 2022, the PCI Security Standards Council released PCI Mobile Payments on COTS (MPoC), which outlines the latest security requirements for SoftPOS apps.

    “The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.”

    This standard is changing how mobile payment app developers approach security because it is objective-based rather than prescriptive. While it sets minimum resiliency requirements, it leaves the “how” up to developers. This results in greater flexibility in both the SoftPOS application’s design and the security measures implemented.

    Why PCI MPoC compliance is vital to SoftPOS application publishers

    Because SoftPOS payments don’t require a physical point-of-sale terminal or external card reader that plugs into a mobile device, using them removes a degree of separation between the threat actor and the SoftPOS app. There is no intermediary device for the threat actors to target, so instead, they target the mobile application directly.

    Lack of compliance with PCI MPoC standards may signify the presence of vulnerabilities that could expose the mobile application, the merchant, and the customer to attack. Credit card fraud, brandjacking, and data theft are just some possible outcomes that can erode trust and damage the mobile app’s brand. The financial implications can be severe, including loss of revenue, compounding chargeback fees, and regulatory fines.

    Additionally, the major card brands, such as Visa and Mastercard, are pressuring mobile payment app providers to secure their apps against reverse engineering and tampering through PCI MPoC validation. Depending on the situation, either the card issuer or the merchant is responsible for refunding a fraudulent transaction and any related chargeback fees. Regardless of who foots the bill, fraudulent transactions damage the reputation of both the merchant and the card brand, so it is in everyone’s interest to avoid them.

    Merchants should choose mobile payment acceptance applications that protect them against fraud. SoftPOS apps that have been validated against the stringent PCI MPoC requirements demonstrate a commitment to protecting end users from fraudulent transactions and to meeting regulatory requirements. For these reasons, mobile app security is both a compliance requirement and a strategic imperative for mobile payment app providers.

    Adopting security tools that support PCI MPoC compliance

    1. Protect the SoftPOS application

    SoftPOS applications process large quantities of sensitive data — personally identifiable information (PII), account data, transaction data, and so on — which can be stolen or exploited for fraudulent transactions. PCI MPoC’s primary objective is to safeguard that data, which requires robust protection mechanisms. Specifically, MPoC requires account data to be encrypted as soon as it is captured by the app, and each payment transaction to be protected with a unique encryption key.

    These measures include (but aren’t limited to):

    • Management of authentication credentials: Ensuring credentials, API keys, and tokens are never hardcoded in the app binary, and are stored and transmitted only in encrypted form.
    • Code hardening: Using obfuscation or encryption to make the mobile app’s code illegible to unauthorized parties attempting to analyze or tamper with it. This is particularly important in the areas of code where sensitive information is used or transmitted.
    • Mobile runtime application self-protection (RASP) checks: Monitoring the application and the environment it runs in for suspicious activity, such as dynamic analysis or tampering. This includes client-side RASP checks, which can identify an integrity violation while the mobile app is operating offline and trigger the appropriate response (e.g., terminating the app). Under PCI MPoC, any integrity violations identified by RASP checks must also be reported to a backend attestation and monitoring service.
    • TLS with certificate pinning: TLS secures communication between the mobile app and the backend server; pinning the server’s certificate or public key additionally prevents an attacker who has installed a rogue CA on the device from intercepting or tampering with that traffic. Legacy SSL protocol versions should not be accepted.

    A SoftPOS application is vulnerable to reverse engineering and tampering without these protections. If successful, a threat actor may gain access to what they need to escalate their permissions, modify the app, execute “brandjacking,” make fraudulent transactions, steal sensitive information, and more.
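    The “unique key per transaction” requirement above is easiest to understand with a concrete key schedule. The following is an added example, not Guardsquare’s code or any PCI SSC reference implementation: both sides start from a shared initial chain key (assumed to be provisioned at enrolment; that protocol is out of scope), the app derives a fresh key for every transaction and ratchets its chain key forward with a one-way derivation, and the backend replays the ratchet to the counter the app reports. All names, the `mpoc-txn` and `mpoc-ratchet` labels, and the sample card data are constructed for illustration.

```python
"""Per-transaction keys for account data, as a constructed illustration.

Added example, not Guardsquare or PCI SSC code. A memory dump of the app taken
after transaction N yields only the chain key for N+1 onwards, so keys for
earlier transactions cannot be recovered, and the backend rejects reused
counters so a captured blob cannot be replayed.
"""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256 and an all-zero salt, stdlib only."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]


def _keystream(key: bytes, nbytes: int) -> bytes:
    """HMAC-SHA256 in counter mode as a one-time keystream. Sound only because
    each transaction key encrypts exactly one message; a stdlib stand-in for
    AES-GCM, which would need a third-party library."""
    blocks = (hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((nbytes + 31) // 32))
    return b"".join(blocks)[:nbytes]


def seal(txn_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the 64-byte transaction key is split into two keys."""
    enc_key, mac_key = txn_key[:32], txn_key[32:]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(txn_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = txn_key[:32], txn_key[32:]
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("account data blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


def _txn_key(chain_key: bytes, device_id: bytes) -> bytes:
    return hkdf_sha256(chain_key, b"mpoc-txn|" + device_id, 64)


def _ratchet(chain_key: bytes) -> bytes:
    return hkdf_sha256(chain_key, b"mpoc-ratchet", 32)


class AppKeyRatchet:
    """SoftPOS app side: holds only the current chain key, never a long-term key."""

    def __init__(self, initial_chain_key: bytes, device_id: bytes):
        self._chain = initial_chain_key
        self.device_id = device_id
        self.counter = 0

    def encrypt_transaction(self, account_data: bytes) -> tuple[int, bytes]:
        """Encrypt card data read from NFC under a fresh key, then discard that key."""
        self.counter += 1
        blob = seal(_txn_key(self._chain, self.device_id), account_data)
        self._chain = _ratchet(self._chain)  # one-way: the previous chain key is gone
        return self.counter, blob


class BackendKeyStore:
    """Payment backend: stores the initial chain key per device and accepts only
    strictly increasing counters."""

    def __init__(self, initial_chain_key: bytes, device_id: bytes):
        self._k0 = initial_chain_key
        self.device_id = device_id
        self.last_counter = 0

    def decrypt_transaction(self, counter: int, blob: bytes) -> bytes:
        if counter <= self.last_counter:
            raise ValueError("transaction counter reused or replayed")
        chain = self._k0
        for _ in range(counter - 1):
            chain = _ratchet(chain)
        data = open_sealed(_txn_key(chain, self.device_id), blob)
        self.last_counter = counter
        return data


if __name__ == "__main__":
    k0, dev = bytes(range(32)), b"device-0001"  # constructed enrolment values
    app, backend = AppKeyRatchet(k0, dev), BackendKeyStore(k0, dev)
    for pan in (b"4111111111111111|12/27", b"4111111111111111|12/27"):  # test PAN, same data twice
        ctr, blob = app.encrypt_transaction(pan)
        print(ctr, blob.hex()[:32], backend.decrypt_transaction(ctr, blob))
```

    Running the demo encrypts the same card data twice and shows two unrelated ciphertexts, which is the observable effect of the requirement. A production MPoC solution would use a vetted AEAD such as AES-GCM and a formal key hierarchy (DUKPT or TR-31 key blocks) rather than the HMAC-based stand-ins here, and the enrolment step that delivers the initial chain key is itself subject to attestation.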

    How DexGuard (Android) and iXGuard (iOS) help developers meet this requirement:

    Guardsquare’s DexGuard and iXGuard provide comprehensive static and dynamic protection through multiple layers of code hardening. Their RASP injection uses entry-point, checkpoint, and spray injection techniques, with configurable responses that include terminating the app.

    Both tools are compiler-based, meaning they provide more robust protection than app shielding or wrapper solutions.

    2. Real-time threat monitoring

    Threat monitoring comes into play after a mobile app has been released to the market and provides information about what threats the app faces in real time. Not only does it track what protection mechanisms are being triggered, but it should also gather information on the threat actors themselves, the device and method they use to perform their attack, what version of the app is being attacked, and so on.

    Within the context of PCI MPoC, threat monitoring is part of the broader attestation and monitoring requirements. The backend attestation process tests the integrity of the COTS device and the app for signs of tampering. The monitoring requirements cover both verifying that the attestation process itself executes correctly and monitoring the client-side app while it is in use.

    How ThreatCast helps developers meet this requirement:

    Guardsquare's RASP combined with ThreatCast real-time threat monitoring can be used as a critical feeder service for the broader attestation and monitoring solution. With ThreatCast's data integration capabilities, the attestation and monitoring solution can safely be fed, in real-time, with detected app and device integrity violations.

    This threat monitoring data can be used to:

    • Trigger the appropriate countermeasures.
    • Continuously refine the configurations of protection mechanisms.
    • Hone fraud-detection systems.
    • Identify potential malicious users.
    • Inform longer-term app development and security strategies.

    ThreatCast allows developers to customize filters for specific threat vectors. When malicious activity triggers these filters, ThreatCast uses webhooks to send this data to a selected endpoint. In this case, that would be the required attestation and monitoring solution.
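    What the receiving end of such a webhook has to do before it acts on an event is worth spelling out. The following is an added example, not ThreatCast’s code or its real payload schema: the header names (`X-Webhook-Timestamp`, `X-Webhook-Signature`), the event fields and the severity weights are assumptions chosen for illustration. It shows a backend attestation service authenticating each delivery with a shared-secret HMAC, rejecting stale deliveries, deduplicating retried events, and turning accumulated RASP detections into a per-device allow/deny decision.

```python
"""Consuming integrity-violation webhooks in a backend attestation service.

Added example, not ThreatCast's or PCI SSC reference code. Header names,
payload fields and severity weights are assumptions for illustration.
"""
import hashlib
import hmac
import json

MAX_CLOCK_SKEW_S = 300  # deliveries more than five minutes old are rejected

# Assumed weights: how much each client-side RASP detection counts toward
# denying further transactions from a device.
SEVERITY = {
    "emulator": 1,
    "root_detected": 2,
    "debugger_attached": 3,
    "hook_framework": 3,
    "repackaged": 5,
}
DENY_THRESHOLD = 4


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC over timestamp and body so neither can be altered in transit."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_payload(secret: bytes, headers: dict, body: bytes, now: int) -> dict:
    """Receiver side: freshness window plus constant-time signature comparison."""
    ts = int(headers["X-Webhook-Timestamp"])
    if abs(now - ts) > MAX_CLOCK_SKEW_S:
        raise ValueError("stale webhook delivery")
    expected = sign_payload(secret, ts, body)
    if not hmac.compare_digest(expected, headers["X-Webhook-Signature"]):
        raise ValueError("webhook signature mismatch")
    return json.loads(body)


class AttestationState:
    """Per-device risk state fed by client-side RASP detections."""

    def __init__(self) -> None:
        self._seen_ids: set[str] = set()
        self._scores: dict[str, int] = {}

    def ingest(self, event: dict) -> str:
        """Record one violation and return the current decision for its device."""
        device = event["device_id"]
        if event["event_id"] not in self._seen_ids:  # webhooks retry; count each event once
            self._seen_ids.add(event["event_id"])
            self._scores[device] = self._scores.get(device, 0) + SEVERITY.get(event["type"], 1)
        return self.decision(device)

    def score(self, device: str) -> int:
        return self._scores.get(device, 0)

    def decision(self, device: str) -> str:
        return "deny" if self.score(device) >= DENY_THRESHOLD else "allow"


def handle_delivery(secret: bytes, headers: dict, body: bytes,
                    state: AttestationState, now: int) -> str:
    """One HTTP delivery: authenticate, then feed the attestation state."""
    return state.ingest(verify_payload(secret, headers, body, now))


def demo() -> dict:
    """Push constructed deliveries through the pipeline; returns decisions per device."""
    secret = b"constructed-shared-webhook-secret"  # assumed to be exchanged out of band
    now = 1_700_000_000
    state = AttestationState()
    events = [  # constructed sample events, not real telemetry
        {"event_id": "e1", "device_id": "dev-A", "type": "emulator"},
        {"event_id": "e2", "device_id": "dev-B", "type": "repackaged"},
        {"event_id": "e3", "device_id": "dev-C", "type": "debugger_attached"},
        {"event_id": "e3", "device_id": "dev-C", "type": "debugger_attached"},  # retried delivery
        {"event_id": "e4", "device_id": "dev-C", "type": "root_detected"},
    ]
    for ev in events:
        body = json.dumps(ev).encode()
        headers = {"X-Webhook-Timestamp": str(now),
                   "X-Webhook-Signature": sign_payload(secret, now, body)}
        handle_delivery(secret, headers, body, state, now)
    return {d: state.decision(d) for d in ("dev-A", "dev-B", "dev-C")}


if __name__ == "__main__":
    print(demo())
```

    The point of the signature and freshness checks is that the attestation service makes authorization decisions from this feed; an unauthenticated endpoint would let an attacker suppress or forge violation reports. Dedup by event id matters because webhook senders retry on timeouts, and a retried debugger detection should not be scored as two detections.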

    3. Detecting software vulnerabilities in a timely manner

    PCI MPoC requires app publishers to establish a secure software development lifecycle (SDLC) to support the design, development, and release of SoftPOS solutions. One of the most important components of such an SDLC is security testing that sweeps the app’s code and third-party libraries after each build for vulnerabilities, such as exposed encryption keys. By resolving issues early, developers improve the app’s security posture and avoid depending on faulty components or hitting costly impediments just before publication.

    Specifically, MPoC requires SoftPOS app vendors (or third parties acting on their behalf):

    • To perform security testing throughout the entire software lifecycle
    • To cover the entire code base with security testing, including detecting vulnerabilities in any third-party, open-source, and shared components and libraries
    • To produce an inventory of the vulnerabilities identified as a result of the security testing
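    One of the checks the requirements above call for, sweeping the code base and its dependencies for exposed keys after each build, can be demonstrated with a small scanner. This is an added example, not AppSweep’s code: the three rules are a hand-picked subset of the well-known secret formats (PEM private key blocks, the AWS access key id prefix, and keyword-adjacent string literals), the entropy threshold is a heuristic chosen here, and the source tree it scans is constructed with obviously fake key material.

```python
"""Build-time secret sweep for a SoftPOS code base, as a constructed example.

Added here to illustrate the 'exposed encryption keys' check; not AppSweep's
code, and the rules are a small hand-picked subset. Run against the source tree
and unpacked dependencies in CI after each build; any finding fails the build.
"""
import math
import re
from dataclasses import dataclass

# Each rule: (name, compiled pattern). The first two are public, well-known
# formats; the generic rule relies on the entropy filter below to drop placeholders.
RULES = [
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_secret", re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password|encryption[_-]?key)\b"
        r"\s*[:=]\s*[\"']([A-Za-z0-9+/=_\-]{16,})[\"']")),
]
MIN_ENTROPY_BITS = 3.5  # heuristic: literals below this per-character entropy are placeholders


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    excerpt: str


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits; 0.0 for a repeated single character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if name == "generic_secret" and shannon_entropy(m.group(1)) < MIN_ENTROPY_BITS:
                continue  # "xxxxxxxx"-style placeholder values are noise, not leaks
            findings.append(Finding(path, lineno, name, line.strip()[:80]))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """files maps path -> contents; returns findings sorted by path and line."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return sorted(out, key=lambda f: (f.path, f.line))


SAMPLE_TREE = {  # constructed inputs; all key material is fake
    "app/src/main/java/com/example/pos/Crypto.kt": (
        "object Crypto {\n"
        "    // TODO move to backend-provisioned key\n"
        '    const val ENCRYPTION_KEY = "9f2Ab7cQx1Lm4ZpR8tVw3KdN6sYhJe0U"\n'
        '    const val TOKEN = "xxxxxxxxxxxxxxxxxxxx"\n'
        "}\n"),
    "app/src/main/assets/backend.pem": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg\n",
    "libs/vendor-sdk/config.properties": "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n",
    "app/build.gradle": "dependencies { implementation 'com.example:sdk:1.2.3' }\n",
}


if __name__ == "__main__":
    import sys
    found = scan_files(SAMPLE_TREE)
    for f in found:
        print(f"{f.path}:{f.line}: {f.rule}: {f.excerpt}")
    sys.exit(1 if found else 0)  # non-zero exit fails the CI stage
```

    Against the constructed tree the scanner reports the PEM file bundled in the app’s assets, the hardcoded encryption key in `Crypto.kt`, and the vendor SDK’s configuration file, while the all-`x` placeholder token is filtered out by the entropy check. The vendor SDK finding is the reason the requirement explicitly includes third-party and shared components: a key shipped inside a dependency ends up in the merchant’s APK just the same.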

    How AppSweep helps developers meet this requirement:

    AppSweep, Guardsquare’s free mobile app security testing product, integrates into the development process by allowing SoftPOS developers to scan their app after each build within their CI/CD pipelines. It automatically analyzes the app’s code and dependencies, including third-party, open-source, and shared components, to identify security issues that threat actors could exploit. AppSweep provides an inventory report of all detected vulnerabilities, together with actionable recommendations, helping developers remediate identified risks quickly and effectively.

    AppSweep was recently recognized as the Best Mobile Security Solution in the 2023 Tech Ascension Awards.

    Innovative FinTech Company Leverages Guardsquare to Mitigate Risk

    This FinTech company serves retail, transportation, and hospitality businesses. In 2022, they launched a SoftPOS mobile application that allows merchants to accept contactless payments via their NFC-enabled Android devices. The company knew it needed to implement robust security measures to protect its customers from fraudulent transactions and data theft and to meet stringent compliance requirements.

    DexGuard allowed the company to meet PCI MPoC and other relevant compliance requirements. DexGuard gave them peace of mind, and the company estimated it saved them the work of two to three full-time developers who would be required to maintain the same level of security.

    Meeting the threat to mobile SoftPOS applications

    The increase in SoftPOS popularity with merchants — and subsequent shifts in threats and security standards — means mobile payment app publishers must adapt accordingly.

    Guardsquare empowers developers to integrate security into every facet of the development lifecycle while also monitoring and proactively responding to emerging threats in real time. Together, these tools provide a holistic approach to improving mobile app security and meeting PCI MPoC requirements.

    Executive Summary (TL;DR)

    • As more merchants adopt SoftPOS technology to process payments on their mobile devices, threat actors and compliance requirements will adapt accordingly.
    • If a mobile device accepts contactless payments with a SoftPOS app, the publisher must become familiar with PCI MPoC compliance, especially if it plans to do business with the big four card networks.
    • Here, we’ll dive into the three main requirements of PCI MPoC compliance for mobile apps and how adopting trusted security tools can support compliance efforts.

