Cyber Security Frameworks
Guiding SoftPOS vendors through the full PCI MPoC lifecycle. From initial gap assessment and security architecture review to lab evaluation preparation and ongoing annual compliance management across all 5 domains and 192 security requirements.
PCI MPoC (Mobile Payments on COTS) is the security standard governing solutions that accept PIN and contactless payments on commercial off-the-shelf mobile devices. If you develop, deploy, or manage a SoftPOS solution, your product must be evaluated and listed by the PCI Security Standards Council.
Your MPoC Solution cannot process payments until it is evaluated by a PCI-recognised laboratory and listed on the PCI SSC website. Preparation is critical to a successful first-time evaluation.
Continued listing requires annual penetration testing, vulnerability assessments, and ongoing compliance with all operational requirements across Domains 3, 4, and 5.
MPoC solutions involve multiple entities: software vendors, A&M service providers, payment processors, and solution providers. Each has specific responsibilities under the standard.
What We Offer
We combine deep knowledge of the PCI MPoC v1.1 standard with hands-on mobile security expertise and understanding of payment processing flows to guide you through every stage of compliance.
We assess your solution against all applicable MPoC requirements across the 5 domains, identifying gaps and producing a clear roadmap to evaluation readiness.
Review of your MPoC solution architecture including COTS-based software, back-end A&M systems, payment processing, cryptographic design, and secure channel implementations.
Guidance on secure software lifecycle, cryptography, key management, software protection mechanisms, attestation components, and account data handling requirements.
Helping you build compliant A&M policies, monitoring systems, software distribution processes, key management operations, and COTS baseline management.
Preparing your documentation, evidence packs, and test harnesses for submission to PCI-recognised laboratories. We ensure you are ready before the evaluation begins.
Ongoing support including annual penetration testing (Req 1A-1.3 and 4A-3.1), vulnerability assessments, and compliance monitoring to maintain your listing.
Who We Help
Companies developing the core MPoC Software including SDKs and applications. We guide you through Domain 1 requirements, secure software lifecycle (Appendix D), and annual vulnerability assessments.
Entities operating Attestation and Monitoring services or payment processing for MPoC solutions. We help with Domain 3 operational requirements and back-end security.
The overall entity responsible for the complete MPoC Solution. We ensure all requirements are met across all parties, including third-party management (Domain 5) and full solution integration.
Our Process
We map your MPoC solution architecture, identify all entities involved, and determine which domains and modules apply to your specific implementation.
Detailed analysis against all applicable MPoC requirements. We produce a compliance matrix showing your current state and what needs to be addressed.
A prioritised plan with clear actions for your development, operations, and security teams to close gaps and meet requirements.
Hands-on guidance as you implement software protections, A&M systems, key management processes, and operational controls required by the standard.
We deliver the specialist penetration testing required before listing: MPoC Software vulnerability assessment (1A-1.3), interface testing (4A-3.1), and back-end environment testing (Appendix A).
Final readiness review, documentation preparation, and evidence pack assembly before you engage with your PCI-recognised laboratory.
Ongoing compliance support with annual penetration testing, vulnerability assessments, COTS baseline reviews, and change management guidance to maintain your listing.
Benefits
We understand EMV protocols, payment processing flows, and the specific attack vectors targeting SoftPOS solutions. This is specialist knowledge, not generic consulting.
We provide both the consultancy guidance and the annual penetration testing under one roof. No need to coordinate multiple vendors for your compliance programme.
We know the MPoC v1.1 standard inside out, including the attack costing framework (Appendix B), secure software lifecycle (Appendix D), and all testing methodologies.
MPoC compliance is ongoing. We support you year after year with annual assessments, change reviews, and evolving threat landscape guidance.
Whether you are preparing for initial listing or need ongoing compliance support, our team can help. Let's discuss your solution.