Flagship Service
Specialist security testing for Mobile Payments on COTS (SoftPOS) solutions. We help MPoC Software vendors, service providers, and solution providers meet the annual penetration testing and vulnerability assessment requirements mandated by PCI MPoC v1.1.
The PCI MPoC standard requires that every listed MPoC Solution undergo penetration testing before initial listing and at least annually thereafter. This is not optional. Without a compliant penetration test report, your PCI-recognised laboratory cannot complete its evaluation, and your solution cannot be listed or maintain its listing.
The penetration testing required by MPoC is significantly more specialised than a standard web application or network pentest. It requires testers who understand EMV payment protocols, mobile security, and the specific threat model of accepting payments on commercial off-the-shelf devices.
If you develop MPoC Software (including SDKs and applications), you need an annual vulnerability assessment (Req 1A-1.3) covering all supported platforms, plus penetration testing as part of your secure software lifecycle.
If you operate Attestation & Monitoring (A&M) services or payment processing for MPoC solutions, you need annual penetration testing of your back-end environment and the interfaces receiving data from MPoC Software.
If you are the overall entity responsible for an MPoC Solution (combining software, services, and merchant management), you need the full scope of penetration testing across all components prior to listing and annually.
What the standard says: "A vulnerability assessment has been performed on the MPoC Software prior to initial assessment and at least once per year thereafter."
Scope: All aspects of the MPoC Software including all platform types supported (iOS, Android). Any code executing in the same memory space or that could impact security of in-scope MPoC functionality must be considered.
What the standard says: "A penetration test has been performed on the interfaces between the COTS-based MPoC Software and back-end environments (e.g., A&M, payment processing and/or remote kernel) prior to the validation and listing of an MPoC Solution or A&M service provider, and at least once per year thereafter."
Key difference: This test simulates a malicious instance of COTS-based MPoC Software using a valid, authenticated secure channel to attack back-end systems. It confirms that the MPoC Software has been securely integrated into the overall solution.
What the standard says: "Penetration tests are performed at least annually... The penetration-testing methodology should be based on industry-accepted approaches and incorporate both application-layer and network-layer testing."
Scope: The perimeter and critical systems in the back-end environment, testing from both inside and outside the network. Must verify that segmentation controls are operational and effective.
What the standard says: Segregation controls included in scope of the A&M penetration testing process must be validated.
We review your MPoC solution architecture to understand the relationships between your COTS-based software, back-end A&M systems, payment processing, and any third-party components. This shapes our test plan.
Based on MPoC's domain structure and the attack costing framework in Appendix B, we develop a threat model specific to your solution. This ensures testing covers the most relevant attack vectors.
Vulnerability assessment of the COTS-based MPoC Software on all supported platforms. Includes reverse engineering, runtime analysis, and testing of software protection mechanisms.
From the perspective of a malicious MPoC application with valid authentication, we test all interfaces to back-end systems. This is the core Req 4A-3.1 assessment.
Network and application-layer penetration testing of the back-end environment, including A&M systems, payment processing, and segmentation validation per Appendix A.
Comprehensive report mapped to specific MPoC requirements, with severity ratings aligned to the attack costing framework. Vulnerabilities flagged for consideration during evaluation attack costings.
Once your team remediates findings, we verify the fixes and provide a clean retest report suitable for submission to your PCI-recognised laboratory.
High-level findings overview suitable for leadership and your MPoC Solution provider management team.
Detailed vulnerability descriptions with proof-of-concept evidence, impact assessment, and step-by-step remediation guidance.
Each finding mapped to the specific MPoC requirement(s) it relates to, ready for your evaluator to review.
Vulnerability data formatted for consideration in your evaluator's attack costing calculations per Appendix B.
Clear, actionable fix recommendations your developers can implement. Prioritised by severity and compliance impact.
Verification report confirming remediation of identified issues, provided as evidence for your annual evaluation.
Understanding where penetration testing fits within the broader MPoC standard:
Secure software, cryptography, key management, software protection, attestation software, account data entry, PIN entry, and offline transactions. Our Req 1A-1.3 assessment covers this domain.
Secure integration of MPoC SDKs and application security. Covered in our mobile application vulnerability assessment.
A&M policy, monitoring operations, and operational security. Segregation controls tested as part of our Req 3C-1.2 assessment.
Software distribution, key management operations, COTS baseline management, and back-end security. Req 4A-3.1 and 4A-3.2 are our core interface and back-end pentest scope.
Third-party management, merchant identification, and overall solution governance. Informs our testing scope and report structure.
Whether you are preparing for initial listing or need your annual assessment, we can help. Tell us about your solution and we will provide a fixed-fee proposal within one business day.