Tap-to-phone is the fastest-growing acceptance category in payments, and PCI MPoC is the standard that gates it. 192 individual security requirements. Accredited labs. Mandatory annual pen tests. Visa and Mastercard mandates already in effect. Paying.co's MPoC Certification Program is the end-to-end engagement that takes ISVs, acquirers, and OEMs from app to certified-and-shipping. In 90 days. Backed by a written guarantee — if we miss it, we keep working at no additional cost until your solution is on the PCI approved list.
Tap-to-phone has three groups of companies trying to ship it — and each one comes into PCI MPoC with a different problem to solve. We've built the program to match. Whether you're an ISV layering tap-to-phone onto your existing software, an acquirer launching a branded SoftPOS app for your merchants, or an OEM integrating MPoC into device firmware, the engagement is shaped to the work that actually needs doing.
You already have a vertical SaaS product — field service, restaurant ordering, healthcare scheduling — and you want to add tap-to-phone so customers can take a payment without leaving your app. MPoC is the security spec that makes that shippable on Visa and Mastercard rails. We do the heavy lifting end-to-end while you stay focused on your roadmap.
You're an acquirer or PayFac who wants to give your merchants a branded tap-to-phone product without building it from scratch. We deliver the certified MPoC stack under your brand — SDK or full-app — with your gateway and processor wired in. White-label ready, with the certification in your name.
You build Android-based devices — phones, rugged terminals, enterprise hardware not intended for public purchase — and you want MPoC compliance baked in at the firmware/OS layer. We bring deep COTS evaluation experience, Secure SLC pedigree, and direct lab relationships to get your hardware listed and shipping.
MPoC isn't one task. It's an engineering project, a security project, a documentation project, and a lab project running in parallel. The program covers every piece — technical, procedural, and administrative — so the only thing you're tracking is the calendar.
We start with a full technical gap analysis against all 192 PCI MPoC requirements across five domains — software integrity, attestation and monitoring, backend security, vulnerability resilience, and key management. You get a written readiness report on day one and a fixed-cost path to certification on day three.
We harden the SoftPOS application against the MPoC software integrity and attestation requirements — tamper detection, root/jailbreak resilience, code obfuscation, runtime monitoring. If you have an existing app, we adapt it. If you don't, we build it. Either way, you ship a passable artifact.
MPoC requires the back end to be PCI DSS certified, the PIN processing to be PCI PIN compliant, and the development to follow Secure SLC. We bring you to alignment on all three — existing controls leveraged where possible, gaps closed where not.
We bring the accredited security lab — we already work with the labs PCI recognizes for MPoC. We deliver the evidence pack, sit the lab review with you, run the mandatory pen test through Flaw.co, and get you onto the PCI approved list. End-to-end administrative ownership.
PCI MPoC is the toughest security spec PCI has ever issued. 192 requirements across five domains, with dependencies on PCI DSS, PCI PIN, and Secure SLC compliance underneath. Most companies trying to ship tap-to-phone either lose 12 months figuring it out themselves, or pay several different consultancies to handle the pieces — then spend more time integrating their advice than building the product.
Paying.co is one of the few teams that has the bench depth to deliver MPoC certification as one engagement. We bring the SDK hardening, the Secure SLC pedigree, the backend DSS expertise, the pen testing via Flaw.co, and the direct relationships with the accredited labs PCI recognizes. We start every project with a written gap analysis, scope to a fixed cost, and back the entire engagement with a 90-day delivery guarantee. If the cert hits past 90 days because of work on our side, we keep going until it ships — no additional charge.
Tap-to-phone is the fastest-growing acceptance category in payments. SoftPOS is projected to be a $27.7B market by 2030. Visa and Mastercard are mandating MPoC compliance for SoftPOS solutions. The window to be early is open right now. We exist to help you walk through it.
PCI MPoC v1.1 breaks 192 requirements into five security domains. Most teams that fail certification fail because one of the five was treated as an afterthought. The program treats all five as first-class engineering work — from day one.
Tamper detection, code obfuscation, anti-debugging, root and jailbreak resilience, runtime integrity checks. The mobile app survives a hostile device — because in MPoC, that's the assumption you have to build around.
The attestation server validates device posture in real time. We wire it to the SDK, the backend, and the runtime hooks so policy violations terminate transactions before card data is exposed.
PCI DSS for the payment processing back end. PCI PIN for PIN handling. We bring you to alignment on both — existing controls leveraged where they exist, gaps closed where they don't. Lab evidence packaged.
PCI MPoC requires development against the Secure SLC standard. We bring an SLC pedigree to the work and document the lifecycle controls the lab needs to see — threat modeling, code review, vulnerability response, change control.
Annual penetration testing of mobile + backend is a hard MPoC requirement. We run the first-year pen test through Flaw.co, our AI-powered offensive security platform, and hand back a clean remediation pack on the first pass.
Cert programs are notorious for slipping. The MPoC Certification Program comes with six commitments backed by the engagement contract — not a sales deck. If we miss any of them because of work on our side, the engagement continues at no additional cost until we land it.
From contract signature to PCI approved list in 90 calendar days. If we miss the date because of work on our side, we keep going at no additional cost until you're listed. In writing.
One scope, one price, no scope creep. We quote a flat fee on day three of the project after the gap analysis. The number you see is the number you pay — even if the lab needs a second pass.
We run a full internal pre-assessment before submitting to the accredited lab. Most failures happen on the official pass — we move that failure mode forward, fix it on our dime, and submit a clean package.
The PCI MPoC listing is in your company name, not ours. We deliver the cert, the artifact, and the listing as your asset — the way every reputable cert engagement should work.
PCI MPoC mandates an annual penetration test of mobile + backend. We bundle the first year through Flaw.co at no extra cost — mobile app, attestation server, backend infrastructure, full remediation pack.
MPoC requires annual re-verification. We commit to a fixed renewal rate for year-two recertification — same scope, same team, same delivery promise. No surprise pricing the year after.
Every MPoC engagement follows the same three-phase shape. You always know what's happening this week, what's happening next week, and what the lab is doing in parallel. Status meetings every Friday. Slack channel open the whole time.
Full gap analysis against all 192 PCI MPoC requirements on day one. Fixed-cost engagement quoted on day three. Engineering starts week two — SDK hardening, attestation server, backend DSS alignment, PIN compliance, Secure SLC documentation. By day 30, you have an MPoC-ready artifact.
Internal pre-assessment against the same evidence pack the lab will see. We find and fix everything before the lab does. Mandatory penetration test runs through Flaw.co on mobile + backend. Remediation pack handed back. Evidence package finalized and submitted to the accredited security lab.
Lab assessment runs against the cleaned evidence pack. We sit the review with you, respond to lab questions in real time, and handle PCI's submission process. By day 90, your solution is on the PCI approved list — in your name, with your branding, ready to ship.
Tell us where you are today — existing SoftPOS app, idea phase, or somewhere in between — and which audience you fit (ISV, acquirer, or OEM). We'll come back with a written gap analysis, a fixed-cost scope, and a 90-day delivery plan backed by our guarantee.