SISA’s PCI SSC Accredited MPoC Laboratory

A PCI SSC-recognized laboratory for evaluating and certifying mobile payment solutions on COTS devices. SISA helps SoftPOS vendors, SDK providers, and payment solution companies navigate MPoC evaluation from initial scoping through to PCI SSC listing.
The Challenge
MPoC Readiness Can Be Difficult Without the Right Security and Evaluation Expertise
As SoftPOS adoption grows, organizations need to prove that their mobile payment solutions can securely support payment acceptance on COTS devices. But meeting MPoC requirements is rarely straightforward. From mobile platform security and SDK dependencies to backend attestation and solution-wide controls, vendors often face technical, operational, and evaluation challenges that can slow down readiness and listing.
Difficulty understanding whether the product, SDK, or full solution falls within the right MPoC evaluation scope
Complexity in addressing security requirements across software, backend services, and operational environments
Limited internal expertise in platform-level security across Android and iOS ecosystems
Challenges validating white-box cryptography, secure channels, and SDK integrations
Readiness gaps that lead to rework, extended timelines, and delays in PCI SSC listing
Need for clear guidance through evaluation, reporting, and ongoing assessment requirements
Our Approach
Five step approach
Comprehensive MPoC Evaluation Across Every Pathway
SISA’s MPoC Laboratory supports the full range of evaluation pathways under the MPoC Standard, from focused software reviews to complete solution validation. Our approach is designed to help organizations prepare effectively, address gaps early, and move toward listing with confidence.
End-to-end evaluation of MPoC SDKs and applications, covering secure software lifecycle, integrity protection, SDK integration validation, and application-level security testing.
Assessment of backend Attestation and Monitoring environments, including device attestation policies, baseline management, anomaly detection capabilities, and operational security controls.
Full validation of complete MPoC solutions, including software management, cryptographic key lifecycle, merchant onboarding, multi-entity coordination, and payment environment compliance.
Preparation and submission support for Integration Reports, along with guidance for entities using the Vendor Verification process to isolate SDK integrations.
Specialized testing for MPoC environments, including mobile application security, white-box cryptography analysis, secure channel validation, backend API testing, and attack costing aligned to the MPoC Standard.
Service Offerings
End-to-End Evaluation Services for MPoC Readiness and Listing
MPoC Software Evaluation for SDKs, applications, and related software components
Attestation & Monitoring Service Evaluation for backend operational environments
Full MPoC Solution Evaluation across Domains 4 and 5
Integration Report Preparation and Vendor Verification Support
MPoC-focused Penetration Testing across mobile, cryptographic, and backend layers
Readiness Assessments and Gap Analysis before formal evaluation

BENEFITS
Accelerate MPoC Validation with Stronger Technical Confidence
Faster Path to PCI SSC Listing
Gain a clearer and more structured route to PCI SSC listing for your SoftPOS and MPoC solutions, reducing ambiguity across evaluation stages and helping you move forward with confidence.
Reduced Rework and Delays
Early readiness assessments and focused gap identification help minimize rework, avoid repeated testing cycles, and keep your validation timelines on track.
End-to-End Security Assurance
Strengthen confidence across your entire solution, covering mobile applications, SDK integrations, backend services, and overall architecture aligned to MPoC requirements.
Stronger Platform-Level Security Confidence
Validate critical platform controls across Android and iOS environments, including device security, cryptographic protections, and secure execution environments.
Continuous Support Beyond Evaluation
Benefit from ongoing support across evaluation, reporting, and post-listing requirements, including change assessments and annual validation needs.
WHY SISA
Why Organizations Choose SISA for MPoC Evaluation
Deep Payment Security Expertise
SISA brings strong experience across PCI DSS, PIN, 3DS, P2PE, and the Software Security Framework, giving clients a broader view of how MPoC fits within the payment security ecosystem.
Advanced Platform Security Knowledge
Our evaluators bring hands-on expertise across Android and iOS, including TrustZone, hardware-backed keystores, Secure Enclave, Data Protection, and other platform-level controls.
Specialized White-Box Cryptography Analysis
We assess software-protected cryptography, obfuscation strength, and resistance to advanced attack techniques in line with MPoC Appendix B requirements.
Complete Evaluation Coverage
SISA supports all five MPoC domains within a single engagement, helping reduce fragmentation and improve consistency across the evaluation process.
Global Delivery Capability
Our teams support clients across regions, helping organizations coordinate evaluation efforts regardless of where development and operations teams are located.
Support Beyond the Assessment
We help before, during, and after evaluation with readiness support, gap analysis, annual checkpoints, and change assessments throughout the listing lifecycle.
Want to know more?
Foresight. Perspective. Leadership
FAQs
Mobile Payments on COTS (MPoC) is a flexible security standard that enables merchants to securely accept PIN and contactless payments directly on commercial off-the-shelf (COTS) devices, like smartphones and tablets, without requiring dedicated payment hardware.
SPoC requires an external card reader, and CPoC only allows contactless payments without a PIN. MPoC combines and expands these capabilities, allowing both PIN entry and contactless acceptance directly on a standard mobile device screen.
Payment vendors must utilize an officially recognized lab to validate that their mobile payment applications, SDKs, and backend systems successfully isolate and protect cardholder data according to stringent PCI SSC testing requirements.
An MPoC solution consists of the Commercial Off-The-Shelf (COTS) device, the MPoC application (or SDK) running on the device, the backend monitoring systems that detect device tampering, and the secure decryption environment.
No, MPoC specifically enables secure payments on consumer devices lacking traditional hardware-based payment security. Instead, it relies on advanced software security, active backend monitoring, and attestation to detect if a phone has been compromised or rooted.
The timeline depends on whether the vendor is validating a full MPoC solution, just the mobile software, or an SDK. Because of the rigorous penetration testing required to ensure software isolation, evaluations typically span several months.
Yes, MPoC solutions are designed to be platform-agnostic. However, the MPoC Lab must validate the security mechanisms, backend attestation, and anti-tampering controls specifically for the operating systems the vendor intends to support.
Powered by our leading tech team, SISA operates an officially recognized MPoC testing lab. We conduct rigorous security evaluations and penetration testing on mobile payment solutions to fast-track your path to MPoC certification and market readiness.
MPoC solutions are rapidly adopted by the retail, transportation, and gig-economy sectors. It is ideal for micro-merchants, delivery services, and mobile vendors who want to accept secure, contactless, and PIN-based payments directly on everyday smartphones or tablets without specialized hardware.

