MPoC — Mobile Payments on COTS — is the PCI standard that lets an ordinary NFC smartphone or tablet accept contactless payments securely, with no dedicated terminal hardware. It consolidates the earlier SPoC and CPoC standards into one modular framework covering both contactless acceptance and PIN entry. If you're launching a SoftPOS or tap-to-phone product, MPoC is the certification acquirers and card brands expect.
Breaking down the acronym
MPoC stands for Mobile Payments on COTS, and COTS stands for Commercial Off-The-Shelf — standard consumer devices like phones and tablets that were never purpose-built to take payments. The standard, published by the PCI Security Standards Council, defines how those everyday devices can accept payments securely enough to satisfy the card brands.
In plain terms: it's the rulebook that makes "tap your card on my phone" a legitimate, approvable way to get paid.
What SoftPOS is, and how it fits
SoftPOS (software point of sale) is the technology; MPoC is the security standard it's certified against. A SoftPOS app uses the phone's built-in NFC radio to read a contactless card or wallet, with no external reader. The appeal is obvious — $0 hardware cost, instant deployment to any compatible device, and a path into acceptance for merchants who'd never buy a traditional terminal. But to run live, that software has to prove it handles cardholder data safely on a device the developer doesn't control. That's what MPoC certifies.
How MPoC supersedes SPoC and CPoC
MPoC didn't appear from nowhere. It unifies two earlier, narrower PCI standards into a single, more flexible one.
| Standard | Covered | Status |
|---|---|---|
| SPoC | Software-based PIN entry on COTS, usually with a separate card reader | Superseded by MPoC |
| CPoC | Contactless acceptance on COTS, no PIN | Superseded by MPoC |
| MPoC | Contactless acceptance and PIN entry on one off-the-shelf device, modular architecture | Current standard |
The practical upgrade: under MPoC, a single consumer phone can take a contactless tap and capture a PIN where one is required, under one modular, outcome-based standard — instead of stitching together two older specs with separate hardware assumptions.
Who needs it
ISVs & software platforms
Embedding tap-to-phone acceptance into an existing app — ordering, field service, delivery, any flow that should end in a payment.
Acquirers & payment facilitators
Bringing a branded SoftPOS product to merchants as a lower-friction alternative to shipping hardware.
OEMs & device makers
Launching tap-to-phone capability across a device line and needing a certified, repeatable acceptance stack.
What certification involves
An MPoC engagement combines secure application development, an attestation and evidence package, and a structured assessment against the standard's modular requirements — covering the software, the monitoring and attestation backend, and the way the solution detects a compromised device. A focused, well-scoped program can target certification in around 90 days. Solutions that bake in the security architecture and evidence from the start certify far faster than ones that treat compliance as a bolt-on at the end.