SISA’s PCI SSC Accredited MPoC Laboratory

A PCI SSC-recognized laboratory for evaluating and certifying mobile payment solutions on COTS devices. SISA helps SoftPOS vendors, SDK providers, and payment solution companies navigate MPoC evaluation from initial scoping through to PCI SSC listing.
The Challenge
MPoC Readiness Can Be Difficult Without the Right Security and Evaluation Expertise
As SoftPOS adoption grows, organizations need to prove that their mobile payment solutions can securely support payment acceptance on COTS devices. But meeting MPoC requirements is rarely straightforward. From mobile platform security and SDK dependencies to backend attestation and solution-wide controls, vendors often face technical, operational, and evaluation challenges that can slow down readiness and listing.
Difficulty understanding whether the product, SDK, or full solution falls within the right MPoC evaluation scope
Complexity in addressing security requirements across software, backend services, and operational environments
Limited internal expertise in platform-level security across Android and iOS ecosystems
Challenges validating white-box cryptography, secure channels, and SDK integrations
Readiness gaps that lead to rework, extended timelines, and delays in PCI SSC listing
Need for clear guidance through evaluation, reporting, and ongoing assessment requirements
Our Approach
Five-step approach
Comprehensive MPoC Evaluation Across Every Pathway
SISA’s MPoC Laboratory supports the full range of evaluation pathways under the MPoC Standard, from focused software reviews to complete solution validation. Our approach is designed to help organizations prepare effectively, address gaps early, and move toward listing with confidence.
End-to-end evaluation of MPoC SDKs and applications, covering secure software lifecycle, integrity protection, SDK integration validation, and application-level security testing.
Assessment of backend Attestation and Monitoring environments, including device attestation policies, baseline management, anomaly detection capabilities, and operational security controls.
Full validation of complete MPoC solutions, including software management, cryptographic key lifecycle, merchant onboarding, multi-entity coordination, and payment environment compliance.
Preparation and submission support for Integration Reports, along with guidance for entities using the Vendor Verification process to isolate SDK integrations.
Specialized testing for MPoC environments, including mobile application security, white-box cryptography analysis, secure channel validation, backend API testing, and attack costing aligned to the MPoC Standard.
Service Offerings
End-to-End Evaluation Services for MPoC Readiness and Listing
MPoC Software Evaluation for SDKs, applications, and related software components
Attestation & Monitoring Service Evaluation for backend operational environments
Full MPoC Solution Evaluation across Domains 4 and 5
Integration Report Preparation and Vendor Verification Support
MPoC-focused Penetration Testing across mobile, cryptographic, and backend layers
Readiness Assessments and Gap Analysis before formal evaluation

BENEFITS
Accelerate MPoC Validation with Stronger Technical Confidence
Faster Path to PCI SSC Listing
Gain a clearer and more structured route to PCI SSC listing for your SoftPOS and MPoC solutions, reducing ambiguity across evaluation stages and helping you move forward with confidence.
Reduced Rework and Delays
Early readiness assessments and focused gap identification help minimize rework, avoid repeated testing cycles, and keep your validation timelines on track.
End-to-End Security Assurance
Strengthen confidence across your entire solution, covering mobile applications, SDK integrations, backend services, and overall architecture aligned to MPoC requirements.
Stronger Platform-Level Security Confidence
Validate critical platform controls across Android and iOS environments, including device security, cryptographic protections, and secure execution environments.
Continuous Support Beyond Evaluation
Benefit from ongoing support across evaluation, reporting, and post-listing requirements, including change assessments and annual validation needs.
WHY SISA
Why Organizations Choose SISA for MPoC Evaluation
Deep Payment Security Expertise
SISA brings strong experience across PCI DSS, PIN, 3DS, P2PE, and the Software Security Framework, giving clients a broader view of how MPoC fits within the payment security ecosystem.
Advanced Platform Security Knowledge
Our evaluators bring hands-on expertise across Android and iOS, including TrustZone, hardware-backed keystores, Secure Enclave, Data Protection, and other platform-level controls.
Specialized White-Box Cryptography Analysis
We assess software-protected cryptography, obfuscation strength, and resistance to advanced attack techniques in line with MPoC Appendix B requirements.
Complete Evaluation Coverage
SISA supports all five MPoC domains within a single engagement, helping reduce fragmentation and improve consistency across the evaluation process.
Global Delivery Capability
Our teams support clients across regions, helping organizations coordinate evaluation efforts regardless of where development and operations teams are located.
Support Beyond the Assessment
We help before, during, and after evaluation with readiness support, gap analysis, annual checkpoints, and change assessments throughout the listing lifecycle.

