PCI MPoC Consultancy

Guiding SoftPOS vendors through the full PCI MPoC lifecycle, from initial gap assessment and security architecture review to lab evaluation preparation and ongoing annual compliance management, across all 5 domains and 192 security requirements.

The importance of PCI MPoC compliance

PCI MPoC (Mobile Payments on COTS) is the security standard governing solutions that accept PIN and contactless payments on commercial off-the-shelf mobile devices. If you develop, deploy, or manage a SoftPOS solution, your product must be evaluated and listed by the PCI Security Standards Council.

Listing Requirement

Your MPoC Solution cannot process payments until it is evaluated by a PCI-recognised laboratory and listed on the PCI SSC website. Preparation is critical to a successful first-time evaluation.

Annual Maintenance

Continued listing requires annual penetration testing, vulnerability assessments, and ongoing compliance with all operational requirements across Domains 3, 4, and 5.

Complex Ecosystem

MPoC solutions involve multiple entities: software vendors, A&M service providers, payment processors, and solution providers. Each has specific responsibilities under the standard.

What to expect from our MPoC consultancy

We combine deep knowledge of the PCI MPoC v1.1 standard with hands-on mobile security expertise and understanding of payment processing flows to guide you through every stage of compliance.

Gap Assessment

We assess your solution against all applicable MPoC requirements across the 5 domains, identifying gaps and producing a clear roadmap to evaluation readiness.

Security Architecture Review

Review of your MPoC solution architecture including COTS-based software, back-end A&M systems, payment processing, cryptographic design, and secure channel implementations.

Domain 1: Software Security

Guidance on secure software lifecycle, cryptography, key management, software protection mechanisms, attestation components, and account data handling requirements.

Domain 3 & 4: Operations

Helping you build compliant A&M policies, monitoring systems, software distribution processes, key management operations, and COTS baseline management.

Lab Evaluation Preparation

Preparing your documentation, evidence packs, and test harnesses for submission to PCI-recognised laboratories. We ensure you are ready before the evaluation begins.

Annual Compliance Management

Ongoing support including annual penetration testing (Req 1A-1.3 and 4A-3.1), vulnerability assessments, and compliance monitoring to maintain your listing.

MPoC entities we support

MPoC Software Vendors

Companies developing the core MPoC Software including SDKs and applications. We guide you through Domain 1 requirements, secure software lifecycle (Appendix D), and annual vulnerability assessments.

MPoC Service Providers

Entities operating Attestation and Monitoring services or payment processing for MPoC solutions. We help with Domain 3 operational requirements and back-end security.

MPoC Solution Providers

The overall entity responsible for the complete MPoC Solution. We ensure all requirements are met across all parties, including third-party management (Domain 5) and full solution integration.

How it works

1. Solution Understanding

We map your MPoC solution architecture, identify all entities involved, and determine which domains and modules apply to your specific implementation.

2. Gap Assessment

Detailed analysis against all applicable MPoC requirements. We produce a compliance matrix showing your current state and what needs to be addressed.

3. Remediation Roadmap

A prioritised plan with clear actions for your development, operations, and security teams to close gaps and meet requirements.

4. Implementation Support

Hands-on guidance as you implement software protections, A&M systems, key management processes, and operational controls required by the standard.

5. Penetration Testing

We deliver the specialist penetration testing required before listing: MPoC Software vulnerability assessment (1A-1.3), interface testing (4A-3.1), and back-end environment testing (Appendix A).

6. Lab Evaluation Preparation

Final readiness review, documentation preparation, and evidence pack assembly before you engage with your PCI-recognised laboratory.

7. Annual Maintenance

Ongoing compliance support with annual penetration testing, vulnerability assessments, COTS baseline reviews, and change management guidance to maintain your listing.

Why work with Third Eye Security

Payment Security Expertise

We understand EMV protocols, payment processing flows, and the specific attack vectors targeting SoftPOS solutions. This is specialist knowledge, not generic consulting.

Pentest and Consultancy Combined

We provide both the consultancy guidance and the annual penetration testing under one roof. No need to coordinate multiple vendors for your compliance programme.

Standard Deep Knowledge

We know the MPoC v1.1 standard inside out, including the attack costing framework (Appendix B), secure software lifecycle (Appendix D), and all testing methodologies.

Long-term Partnership

MPoC compliance is ongoing. We support you year after year with annual assessments, change reviews, and evolving threat landscape guidance.

Ready to start your MPoC compliance journey?

Whether you are preparing for initial listing or need ongoing compliance support, our team can help. Let's discuss your solution.