SISA’s PCI SSC Accredited MPoC Laboratory

A PCI SSC-recognized laboratory for evaluating and certifying mobile payment solutions on COTS devices. SISA helps SoftPOS vendors, SDK providers, and payment solution companies navigate MPoC evaluation from initial scoping through to PCI SSC listing.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

The Challenge

MPoC Readiness Can Be Difficult Without the Right Security and Evaluation Expertise

As SoftPOS adoption grows, organizations need to prove that their mobile payment solutions can securely support payment acceptance on COTS devices. But meeting MPoC requirements is rarely straightforward. From mobile platform security and SDK dependencies to backend attestation and solution-wide controls, vendors often face technical, operational, and evaluation challenges that can slow down readiness and listing.

Difficulty understanding whether the product, SDK, or full solution falls within the right MPoC evaluation scope

Complexity in addressing security requirements across software, backend services, and operational environments

Limited internal expertise in platform-level security across Android and iOS ecosystems

Challenges validating white-box cryptography, secure channels, and SDK integrations

Readiness gaps that lead to rework, extended timelines, and delays in PCI SSC listing

Need for clear guidance through evaluation, reporting, and ongoing assessment requirements

Our Approach

Five step approach

Comprehensive MPoC Evaluation Across Every Pathway

SISA’s MPoC Laboratory supports the full range of evaluation pathways under the MPoC Standard, from focused software reviews to complete solution validation. Our approach is designed to help organizations prepare effectively, address gaps early, and move toward listing with confidence.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

End-to-end evaluation of MPoC SDKs and applications, covering secure software lifecycle, integrity protection, SDK integration validation, and application-level security testing.

Assessment of backend Attestation and Monitoring environments, including device attestation policies, baseline management, anomaly detection capabilities, and operational security controls.

Full validation of complete MPoC solutions, including software management, cryptographic key lifecycle, merchant onboarding, multi-entity coordination, and payment environment compliance.

Preparation and submission support for Integration Reports, along with guidance for entities using the Vendor Verification process to isolate SDK integrations.

Specialized testing for MPoC environments, including mobile application security, white-box cryptography analysis, secure channel validation, backend API testing, and attack costing aligned to the MPoC Standard.

Service Offerings

End-to-End Evaluation Services for MPoC Readiness and Listing

MPoC Software Evaluation for SDKs, applications, and related software components

Attestation & Monitoring Service Evaluation for backend operational environments

Full MPoC Solution Evaluation across Domains 4 and 5

Integration Report Preparation and Vendor Verification Support

MPoC-focused Penetration Testing across mobile, cryptographic, and backend layers

Readiness Assessments and Gap Analysis before formal evaluation

BENEFITS

Accelerate MPoC Validation with Stronger Technical Confidence

Faster Path to PCI SSC Listing

Gain a clearer and more structured route to PCI SSC listing for your SoftPOS and MPoC solutions, reducing ambiguity across evaluation stages and helping you move forward with confidence.

Reduced Rework and Delays

Early readiness assessments and focused gap identification help minimize rework, avoid repeated testing cycles, and keep your validation timelines on track.

End-to-End Security Assurance

Strengthen confidence across your entire solution, covering mobile applications, SDK integrations, backend services, and overall architecture aligned to MPoC requirements.

Stronger Platform-Level Security Confidence

Validate critical platform controls across Android and iOS environments, including device security, cryptographic protections, and secure execution environments.

Continuous Support Beyond Evaluation

Benefit from ongoing support across evaluation, reporting, and post-listing requirements, including change assessments and annual validation needs.

WHY SISA

Why Organizations Choose SISA for MPoC Evaluation

Deep Payment Security Expertise

SISA brings strong experience across PCI DSS, PIN, 3DS, P2PE, and the Software Security Framework, giving clients a broader view of how MPoC fits within the payment security ecosystem.

Advanced Platform Security Knowledge

Our evaluators bring hands-on expertise across Android and iOS, including TrustZone, hardware-backed keystores, Secure Enclave, Data Protection, and other platform-level controls.

Specialized White-Box Cryptography Analysis

We assess software-protected cryptography, obfuscation strength, and resistance to advanced attack techniques in line with MPoC Appendix B requirements.

Complete Evaluation Coverage

SISA supports all five MPoC domains within a single engagement, helping reduce fragmentation and improve consistency across the evaluation process.

Global Delivery Capability

Our teams support clients across regions, helping organizations coordinate evaluation efforts regardless of where development and operations teams are located.

Support Beyond the Assessment

We help before, during, and after evaluation with readiness support, gap analysis, annual checkpoints, and change assessments throughout the listing lifecycle.

Want to know more?

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Foresight. Perspective. Leadership

 MAR 12, 2026
SISA Joins Global Group of PCI Recognized Labs to Perform Security Evaluations of Payment Acceptance Devices and Solutions
BLOG
JAN 21, 2026
Inside Today’s Payment Fraud Operations: Five Trends Dominating the Landscape
BLOG
SEPT 30, 2025
Ghost-Tap: How Hackers Exploit NFC and Mobile Payments

FAQs

Mobile Payments on COTS (MPoC) is a flexible security standard that enables merchants to securely accept PIN and contactless payments directly on commercial off-the-shelf (COTS) devices, like smartphones and tablets, without requiring dedicated payment hardware.

SPoC requires an external card reader, and CPoC only allows contactless payments without a PIN. MPoC combines and expands these capabilities, allowing both PIN entry and contactless acceptance directly on a standard mobile device screen.

Payment vendors must utilize an officially recognized lab to validate that their mobile payment applications, SDKs, and backend systems successfully isolate and protect cardholder data according to stringent PCI SSC testing requirements.

An MPoC solution consists of the Commercial Off-The-Shelf (COTS) device, the MPoC application (or SDK) running on the device, the backend monitoring systems that detect device tampering, and the secure decryption environment.

No, MPoC specifically enables secure payments on consumer devices lacking traditional hardware-based payment security. Instead, it relies on advanced software security, active backend monitoring, and attestation to detect if a phone has been compromised or rooted.

The timeline depends on whether the vendor is validating a full MPoC solution, just the mobile software, or an SDK. Because of the rigorous penetration testing required to ensure software isolation, evaluations typically span several months.

Yes, MPoC solutions are designed to be platform-agnostic. However, the MPoC Lab must validate the security mechanisms, backend attestation, and anti-tampering controls specifically for the operating systems the vendor intends to support.

Powered by our leading tech team, SISA operates an officially recognized MPoC testing lab. We conduct rigorous security evaluations and penetration testing on mobile payment solutions to fast-track your path to MPoC certification and market readiness.

MPoC solutions are rapidly adopted by the retail, transportation, and gig-economy sectors. It is ideal for micro-merchants, delivery services, and mobile vendors who want to accept secure, contactless, and PIN-based payments directly on everyday smartphones or tablets without specialized hardware.

Hear what our customers say

We would highly recommend SISA to any organization seeking to enhance their data security and achieve certification. Their expertise, personalized approach, and thorough support set them apart from other providers. With their help, we were able to not only meet ISO 27001 requirements but also improve our overall security practices, giving us peace of mind in knowing that our data is protected.

Siddharth Paigwar

Manager - Cybersecurity, Finnable Technologies

Finnable logo

Our experience with SISA’s team through the rigorous HITRUST certification process exceeded our expectations. SISA’s team demonstrated deep expertise, a proactive approach and unwavering commitment to our success. Their invaluable guidance ensured we stayed on track. We highly recommend SISA to any organization pursuing HITRUST certification.

Rajkumar Aich

Senior Manager, Alorica

Alorica logo

SISA’s continuous support and regular audits, powered by their advanced monitoring and reporting tools, ensured that our ISMS remained up-to-date and effective against emerging threats. SISA’s team demonstrated a deep understanding of our unique needs and challenges. Their approach was not just professional but also highly collaborative.

Yazan Al-Mallah

Information Security Senior Officer, Network International

Network International logo

SISA’s support was especially invaluable as we navigated the complexities and nuances of this major new version of the PCI standards, particularly in our first year applying these requirements to new backend architecture. Their technical guidance, clarity in determining applicable criteria, insights into relevant evidence for our environment, and exceptional project management and follow-up added significant value to our engagement and made the entire process significantly smoother and more efficient.

Ben Roberts

CTO & CISO, Nutrislice Inc

Nutrislice logo

A heartfelt thank you to SISA’s team for their invaluable support and guidance throughout our ISO 27001 certification journey. Their expertise, dedication, and proactive approach made the process seamless and efficient. We truly appreciate your efforts in helping us strengthen our security framework and achieve compliance successfully!

Upendhra Neelam

GRC Specialist, Innoviti Technologies

Innoviti logo

We highly recommend SISA’s ISO 27001 certification and audit surveillance services to other organizations. The structured approach, deep expertise, and hands-on guidance significantly streamlined our compliance journey. A heartfelt thank you to SISA’s team for their invaluable support and guidance throughout our ISO 27001 certification journey. Their expertise, dedication, and proactive approach made the process seamless and efficient.

Devender Rewadia

AM - IT, Global Assure

Global Assure logo

SISA’s unwavering commitment to the project was key to success of all our engagements. Their balanced approach has been instrumental in helping us achieve our goals on the agreed timelines. Their dedication ensures that we can always count on them to deliver on time, every time.

Omar Elwy

Head of InfoSec GRC, eFinance

eFinance logo

SISA went beyond helping our Bank meet audit requirements; they added tangible value by strengthening our overall information security posture and enabling continuous improvement, which is critical for ongoing compliance and resilience.

Getachew Bualew

Team Leader, Commercial Bank of Ethiopia

Commercial Bank of Ethiopia logo

We are incredibly grateful to SISA for their unwavering support and expert guidance throughout our HITRUST Certification journey. The SISA team demonstrated an exceptionally proactive and professional approach. They exhibited extensive understanding of the HITRUST framework, helping us navigate compliance challenges with complete confidence and clarity. We highly recommend SISA to any organization seeking a reliable and knowledgeable advisor for their HITRUST or broader compliance initiatives.

Prashant Poojari

Senior Director - GRC, Exela Technologies

Exela Technologies logo

SISA’s support during our first-ever third-party Data Protection Impact Assessment was instrumental. Their comprehensive documentation templates enabled a swift rollout of internal policies and procedures for privacy. The audit team was highly responsive, providing round-the-clock assistance and addressing all queries from initiation to closure, including timely reminders and meticulous tracking. Keep up the excellent work!

Aditya Mathur

Senior Manager - Information Security, Go Payments

Go Payments logo