PCI MPoC Penetration Testing

Specialist security testing for Mobile Payments on COTS (SoftPOS) solutions. We help MPoC Software vendors, service providers, and solution providers meet the annual penetration testing and vulnerability assessment requirements mandated by PCI MPoC v1.1.

  • 5 Security Domains
  • Annual Testing Required
  • v1.1 Current Standard (Nov 2024)

Why MPoC penetration testing matters

The PCI MPoC standard requires that every listed MPoC Solution undergo penetration testing before initial listing and at least annually thereafter. This is not optional. Without a compliant penetration test report, your PCI-recognised laboratory cannot complete its evaluation, and your solution cannot be listed or maintain its listing.

The penetration testing required by MPoC is significantly more specialised than a standard web application or network pentest. It requires testers who understand EMV payment protocols, mobile security, and the specific threat model of accepting payments on commercial off-the-shelf devices.

Who needs MPoC penetration testing?

MPoC Software Vendors

If you develop MPoC Software (including SDKs and applications), you need an annual vulnerability assessment (Req 1A-1.3) covering all supported platforms, plus penetration testing as part of your secure software lifecycle.

MPoC Service Providers

If you operate Attestation & Monitoring (A&M) services or payment processing for MPoC solutions, you need annual penetration testing of your back-end environment and the interfaces receiving data from MPoC Software.

MPoC Solution Providers

If you are the overall entity responsible for an MPoC Solution (combining software, services, and merchant management), you need the full scope of penetration testing across all components prior to listing and annually.

MPoC penetration testing requirements explained

Requirement 1A-1.3

MPoC Software Vulnerability Assessment

What the standard says: "A vulnerability assessment has been performed on the MPoC Software prior to initial assessment and at least once per year thereafter."

Scope: All aspects of the MPoC Software, including every supported platform type (iOS, Android). Any code executing in the same memory space, or that could affect the security of in-scope MPoC functionality, must be considered.

What we test:

  • Static and dynamic analysis of the MPoC application
  • Software protection mechanisms (obfuscation, anti-tampering, anti-debugging)
  • Cryptographic implementation review
  • Runtime manipulation and hooking attempts
  • Data storage and leakage analysis
  • Platform-specific attack vectors on all supported OS versions

Requirement 4A-3.1

Interface Penetration Test

What the standard says: "A penetration test has been performed on the interfaces between the COTS-based MPoC Software and back-end environments (e.g., A&M, payment processing and/or remote kernel) prior to the validation and listing of an MPoC Solution or A&M service provider, and at least once per year thereafter."

Key difference: This test simulates a malicious instance of COTS-based MPoC Software using a valid, authenticated secure channel to attack back-end systems. It confirms that the MPoC Software has been securely integrated into the overall solution.

What we test:

  • All back-end entry points that parse and process data from MPoC Software
  • Payment and PIN processing back-ends
  • Attestation and Monitoring (A&M) service interfaces
  • Cloud/remote kernel systems (where applicable)
  • Authenticated API abuse and injection attacks
  • Business logic attacks from a compromised client perspective
  • Secure channel manipulation and downgrade attacks

Note: The MPoC evaluation itself cannot be considered a penetration test. A separate testing and reporting process must be implemented. We provide this as an independent assessment.

Appendix A - A.4.2.5

Back-end Environment Penetration Test

What the standard says: "Penetration tests are performed at least annually... The penetration-testing methodology should be based on industry-accepted approaches and incorporate both application-layer and network-layer testing."

Scope: The perimeter and critical systems in the back-end environment, testing from both inside and outside the network. Must verify that segmentation controls are operational and effective.

What we test:

  • External network penetration testing of the back-end environment perimeter
  • Internal network penetration testing including lateral movement
  • Application-layer testing of all back-end services
  • Segmentation validation between payment processing and corporate networks
  • Access control testing between A&M systems and other environments
  • Privilege escalation and credential harvesting

Requirement 3C-1.2

A&M Segregation Controls

What the standard says: Segregation controls included in scope of the A&M penetration testing process must be validated.

What we test:

  • Segregation between A&M service environments and other systems
  • Access controls preventing unauthorised access to monitoring data
  • Isolation of attestation processing from general corporate infrastructure
  • Network segmentation effectiveness and rule validation

Our MPoC testing approach

1. Solution Architecture Review

We review your MPoC solution architecture - understanding the relationships between your COTS-based software, back-end A&M systems, payment processing, and any third-party components. This shapes our test plan.

2. Threat Model Development

Based on MPoC's domain structure and the attack costing framework in Appendix B, we develop a threat model specific to your solution. This ensures testing covers the most relevant attack vectors.

3. Mobile Application Assessment

Vulnerability assessment of the COTS-based MPoC Software on all supported platforms. Includes reverse engineering, runtime analysis, and testing of software protection mechanisms.

4. Interface Penetration Testing

From the perspective of a malicious MPoC application with valid authentication, we test all interfaces to back-end systems. This is the core Req 4A-3.1 assessment.

5. Back-end Infrastructure Testing

Network and application-layer penetration testing of the back-end environment, including A&M systems, payment processing, and segmentation validation per Appendix A.

6. Reporting & Remediation Support

Comprehensive report mapped to specific MPoC requirements, with severity ratings aligned to the attack costing framework. Vulnerabilities are flagged for consideration in the evaluator's attack costings.

7. Retesting & Clean Report

Once your team remediates findings, we verify the fixes and provide a clean retest report suitable for submission to your PCI-recognised laboratory.

What you receive

Executive Summary

High-level findings overview suitable for leadership and your MPoC Solution provider management team.

Technical Report

Detailed vulnerability descriptions with proof-of-concept evidence, impact assessment, and step-by-step remediation guidance.

Requirement Mapping

Each finding mapped to the specific MPoC requirement(s) it relates to, ready for your evaluator to review.

Attack Costing Input

Vulnerability data formatted for consideration in your evaluator's attack costing calculations per Appendix B.

Remediation Guidance

Clear, actionable fix recommendations your developers can implement. Prioritised by severity and compliance impact.

Retest Report

Verification report confirming remediation of identified issues, provided as evidence for your annual evaluation.

The 5 MPoC domains

Understanding where penetration testing fits within the broader MPoC standard:

Domain 1

MPoC Software Core Requirements

Secure software, cryptography, key management, software protection, attestation software, account data entry, PIN entry, and offline transactions. Our Req 1A-1.3 assessment covers this domain.

Domain 2

MPoC SDK Integration

Secure integration of MPoC SDKs and application security. Covered in our mobile application vulnerability assessment.

Domain 3

Attestation & Monitoring

A&M policy, monitoring operations, and operational security. Segregation controls tested as part of our Req 3C-1.2 assessment.

Domain 4

MPoC Software Management

Software distribution, key management operations, COTS baseline management, and back-end security. Requirements 4A-3.1 and 4A-3.2 define our core interface and back-end pentest scope.

Domain 5

MPoC Solution

Third-party management, merchant identification, and overall solution governance. Informs our testing scope and report structure.

Ready to scope your MPoC penetration test?

Whether you are preparing for initial listing or need your annual assessment, we can help. Tell us about your solution and we will provide a fixed-fee proposal within one business day.