The much anticipated first draft release of the MPoC standard will be distributed to industry experts for comment by PCI SSC in early 2022. We think it will be a very big deal for several reasons.
We all know the payments industry loves its acronyms, and now there’s a new one to add to your vocabulary – MPoC, which stands for Mobile Payments on COTS (Consumer Off-The-Shelf devices).
Not everyone will be aware that PCI has had the MPoC standard in development, but everyone should care. MPoC might just be the biggest thing in payments since EMV. But before we get into this, it helps to understand the background of how and why MPoC has come about.
A brief history of software-based payments
Many of the world’s fastest developing economies have very low card payment penetration. Historically this has been due to low card issuance and the relatively high cost of card acceptance and acceptance terminals. It was a bit of a chicken-and-egg situation: why issue cards if merchants can’t afford to accept them? And why spend on an acceptance solution when cards have low market penetration? And so, the main forms of payment in these regions tended to be cash and, more recently, QR codes.
Governments the world over are working to reduce the use of cash. Cash provides much greater opportunity for tax evasion, fraud and money laundering, and there is a higher cost to processing cash transactions. Furthermore, since COVID, the push to card payments has accelerated because consumers regard cash as less hygienic.
About four years ago, SPoC (Software-Based PIN Entry on COTS) solutions started being developed as a lower cost alternative to the mPOS solutions that accepted PIN, with a view to transforming payments in regions with low card acceptance. At that stage, many countries had recognised that chip and signature solutions were not fit for purpose and had mandated chip and PIN, which uses the full security of EMV. SPoC allowed for lower cost card readers that also met the chip and PIN mandate, but with a reduced cost of specialist payment hardware.
Making payments securely accessible using readily available consumer devices like smartphones and tablets (which most people in developed markets already have, and ownership of which is growing exponentially in emerging markets), combined with a low-cost card reader, reduced the cost of payment acceptance. However, even the cost of a card reader (albeit lower) and its inconvenience as an additional device to keep charged and paired to a phone were still off-putting for small merchants.
It didn’t take long before the obvious question was asked; why do we need hardware at all? Enter CPoC (Contactless Payments on COTS). CPoC makes card payments significantly more accessible for merchants; all they need is an NFC-enabled Android device. No other hardware is required and therefore the only cost to accepting a payment is the transaction fee. Android penetration in developing markets is high with over two billion devices with NFC, and this makes the barriers to card acceptance for merchants almost zero. Additionally, Apple is under increasing pressure from regulators to open its NFC channel to allow alternatives to the Apple Wallet to make payments, which will enable Apple devices to be used by merchants to accept payments too. We think this could happen in 2022.
Often, new technology enters the market ahead of regulations, and that’s exactly what happened with SPoC and CPoC. PCI mobilised a taskforce to create standards for these new software-based payments solutions to ensure they were robust and secure enough to be used for payment acceptance, but given the newness of the solutions, writing certification standards for something that has never existed before took time. So, in recognising the value and importance of SPoC and CPoC solutions and to bridge the gap, the global card schemes Visa and Mastercard issued waivers, which allowed these types of solutions to be deployed to market in the absence of PCI standards. The SPoC standard was released in April 2018, shortly followed by the CPoC standard.
The rest of the world wanted in on software-based payments
As SPoC and CPoC solutions began to proliferate, more merchants around the world became interested in these new software-based payment acceptance solutions. While the cost of payment acceptance was not a barrier for many, the opportunity to reduce costs while also looking at new ways to innovate within the customer experience was very attractive. Suddenly there was a much broader spectrum of merchants looking to use SPoC and CPoC solutions, from large tier 1 companies through to street merchants. And with this came some additional challenges.
There was a lot of pressure on developers of software-based payment solutions and Payment Service Providers (PSPs) to meet the rising demand from merchants globally. Developing solutions to meet the two standards (SPoC and CPoC) was often complicated, and at times the standards conflicted with one another. Furthermore, scheme-waiver solutions were moving ahead of those being developed to the PCI standards because the requirements, cost and time needed to meet these standards were significantly greater.
And this brings us up to today.
Eventually all solutions will need to meet PCI standards, but the waivers are good for limited pilots, which makes this path an attractive option for solution developers as it provides a faster route to market at a lower development cost. However, it also raises the question of whether the solutions developed under scheme waiver will eventually be able to meet the rigorous PCI standards, and is this a risk to merchants investing in solutions that may not pass muster down the track?
There are also challenges for tier 1 merchants that have already invested in bespoke, ruggedised retail tablets because the PCI standards for SPoC and CPoC do not always account for these types of non-COTS Android devices. Additionally, in the EU, PSD2 means that a PIN must be entered for every fifth contactless transaction regardless of transaction amount, which makes PCI CPoC unsuitable because it does not currently have a standard that includes contactless plus PIN. Furthermore, new and inventive use cases for the software are being identified that use a payment credential outside of performing a payment transaction, and these were not considered when the PCI standards were written.
Even though the SPoC and CPoC standards are still relatively new, it was obvious that the increasing demand would mean they would be outgrown quickly. And this meant a new, broader, more flexible standard was required – MPoC.
How is MPoC expected to be different?
Where CPoC addressed the cost dilemma for accepting card payments, MPoC needs to address the solution provider issues if it is to satisfy the large-scale opportunities that are demanding the product. The MPoC standard should have greater flexibility to address things like more use cases and implementation scenarios, different device types, best of breed components and complexity. Where the SPoC and CPoC standards contained requirements, MPoC needs to contain objectives. Shifting to objectives focuses on what the solution must do as opposed to what it must have (although in saying this, there still need to be requirements in MPoC), allowing more technical and distribution options. It’s also a consolidation, which means solution providers will only need to achieve and maintain one standard instead of two, and this should mean solutions can come to market faster. Competition breeds innovation and excellence, so this can only be a good thing for the evolution of software-based payments.
One of the key differences in MPoC is that it is expected to allow modularity in the development of solutions. In other words, multiple vendors can collaborate to create an end-to-end solution, which means they can concentrate on the specific aspect of the solution they have expertise in. Modularity also brings greater freedom because components can be introduced into existing solutions – this will be game changing for merchants that have already invested in payments solutions as it means they can still utilise software-based payments without entirely replacing their existing kit.
MPoC should include provision for PIN cardholder verification (CVM). This will enable Acquirers and PSPs to develop compelling merchant propositions globally and will also accommodate Europe’s PSD2 requirements. As described above, the previous CPoC standard did not allow for PIN.
So, to summarise, our hopes are that MPoC will provide for:
- A more flexible definition of COTS
- PIN
- More flexibility in how end-to-end solutions are developed and distributed
- No compromise on security
- Off-line or perhaps store-and-forward utility to meet demand where a persistent online connection isn’t always available
MPoC will transform the payments industry
If at first you don’t succeed, try, try and try again? Third attempts are well known for being the occasion that truly succeeds. We predict that payments will become an SDK and card acceptance will be completed through an interface. You can therefore safely expect to see an influx of software-based payments solution providers entering the market; however, it is likely that the majority of MPoC solutions will not include PIN. PIN entry is incredibly difficult to do securely on COTS; having developed software-based solutions with PIN here at MYPINPAD, we can attest to this. It’s also an incredibly congested space with regard to patents; again, we know because we have over 100 of them. While there is an enormous market out there that won’t require PIN (merchants with transaction sizes that will never sit above the contactless threshold), there are many high value or experience driven scenarios that will. The important thing is that the merchant proposition caters for it and is compelling. And we can’t forget the EU and PSD2 requiring every fifth transaction to require a PIN – a highly effective method to mitigate fraud and sustain consumer confidence. So, solutions with PIN will still be incredibly important and there won’t be as many of them to choose from.
The modularity factor will increase the quality of the solutions coming to market; when you are combining vendors with their specific areas of expertise you should expect best of breed. However, with this also come some challenges, specifically around the linking of modules that have been developed by different companies. For PSPs, multiple vendors collaborating on a single solution will add complexity in the commercial and support models. Furthermore, you could reasonably expect that solutions with multiple vendors may take longer to get to market. Most likely, solution providers that can develop an end-to-end solution under one roof will be quickest to market and provide a more attractive commercial model.
Solution providers that have already achieved SPoC and CPoC certification will see the benefits of having obtained these and there will be a transition roadmap to MPoC. We’d expect that after a set number of years, SPoC and CPoC will sunset and MPoC will remain as the standard for software-based payments (and other use cases).
And finally, there is the environmental impact to consider. Software-based payments should have a smaller environmental footprint. People already have COTS devices, so there is an immediate reduction in the production, packaging, freight and disposal of specialist payment acceptance devices. See our recent blog.
So, there you have it. Software is the future of payments and we expect MPoC to cement this moment in history. It’s an incredibly exciting time for everyone in the payments ecosystem, and beyond.