Exploring MPoC and Online/Offline PIN with Mastercard

As we aim to understand the impact of the Mobile Payments on COTS (MPoC) Standard and Online/Offline PIN on the Yazara SoftPOS technology, we asked our partner Mastercard to give us their perspective.

We interviewed David Cutler, Vice President, Global Acceptance, Industry Standards – Tap on Phone, and Fernando Lourenço, Vice President, Cyber & Intelligence, Industry Standards at Mastercard to discuss the latest trends in digital payments today.

About MPoC

How will MPoC impact the payments industry?

MPoC standards, which build on both SPoC (Software-based PIN Entry on COTS) and CPoC (Contactless Payments on COTS), have the potential to significantly change and improve the payments industry. For example, the addition of PIN entry transactions without an external reader into the standards will allow one standard to cover all solutions, making products more attractive in PIN markets and allowing merchants to use one software driven device for all transactions, regardless of basket size or contactless limits.

Further, MPoC will allow solution developers to focus on one, unified product instead of multiple products by market.

David Cutler commented: “MPoC standards will open up additional use cases, such as offline operations and semi-attended scenarios, which will drive additional SoftPOS acceptance globally across different verticals.”

Which benefits, such as security, convenience, mobility, improved merchant onboarding, and enhanced user experience, will the new MPoC standard provide to merchants?

While there are several benefits that the new MPoC standard can offer, a few key examples that can be seen benefiting merchants include:

• The convenience factor: A single platform or SDK that can handle transactions of any size or reader type.
• Reader management: Merchants no longer need to worry about connecting payment readers via Bluetooth to their devices.
• Acceptance growth: More merchants can take advantage of SoftPOS acceptance due to the additional use cases allowed under MPoC, such as semi-attended and offline operations.

How is MPoC going to be integrated with the existing technology for acquirers?

For acquirers of all sizes, MPoC-approved solutions will be able to supplement and augment existing technology that merchants leverage today for acceptance. While SoftPOS historically was geared towards small merchants with small amounts of non-cash acceptance, MPoC-certified solutions are enabling merchants large and small to leverage SoftPOS solutions that seamlessly integrate into business systems. Broadly speaking, an evolution is seen from hardware-led, traditional acceptance to software, cloud-led – from small and large merchants alike. For example, large retail merchants can augment their checkout experience by adding SoftPOS solutions for queue-busting and self-checkout in store.

How is MPoC changing the offer for acquirers?

Acquirers can now offer low cost, flexible acceptance as part of their relationship with their ecosystem. For example, a large firm that deploys 20K devices in a delivery fleet could, in theory, now be enabled on employee devices versus purchasing devices.

What do you think are the greatest challenges that MPoC will bring to the technology providers, acquirers, or merchants?

This question can be broken down into two parts. The first relates to Device Eligibility and Functionality. Today, all MPoC approved solutions rely on supported device operating system versions – those continue to evolve. As a result, managing the devices in the market that are compliant with the supported operating system versions for customer security will be a challenge going forward.

Many developing markets are still reliant on older Android operating systems. This means that the number of eligible devices could be reduced unless solution developers dedicate the time and resources to support older operating system versions.

Challenges are also seen in the types of devices that merchants want to use for SoftPOS, as not all devices work equally well, so ensuring a robust L1 approach will be important for all players down the road.

Building on that are the challenges of acquirer onboarding. Previously, acquirers bought a plug-and-play solution for merchants. Now, they need to provide always-on support to merchants to ensure devices used by merchants are eligible and maintain eligibility for the future.

Shifting focus to the challenges MPoC will bring to technology providers, there are a couple of things that come to mind:

• Solution developers need to remember and understand that MPoC requires continuous, ongoing maintenance from a security and functional perspective, which means solution developers will need to conduct constant maintenance on their SDK or solution (for example, yearly maintenance by PCI).
• Also, new vulnerabilities can pop up at any time, so technology providers need to keep their solution one step ahead.
• Lastly, there are additional compliance requirements to maintain an MPoC Approved solution. In addition to PCI DSS, PCI requires the software to be certified with PCI SLC (security life cycle) and PCI SS (software security).

How is Mastercard planning to get involved in this game-changing technology?

Mastercard has been a first mover in this space since the introduction of SoftPOS – from developing and maintaining the standards to helping the ecosystem deploy pilots. To that end, Mastercard is supporting SoftPOS deployments today in more than 70 markets globally.

Also, Mastercard developed security principles so that pilots could be run to test new emerging use cases based on innovative SoftPOS technology.

Mastercard will continue to be a thought leader as the market transitions from pilots to MPoC-certified solutions. As MPoC allows for new use cases, such as offline operations and semi-attended scenarios, the company is leading the way in working with the ecosystem, including partners like Yazara, to enable SoftPOS solutions in these spaces.

Mastercard is continuously looking to help develop new use cases that leverage SoftPOS technology.

About Online/Offline PIN

What is going to change for the merchants currently in offline PIN markets with the transition to online PIN?

A majority of markets around the globe currently process contactless transactions using online PIN. That said, some markets, including the UK, Canada, France, and Mexico, currently cannot process online PIN transactions or are in the process of transitioning from offline to online PIN (France).

For merchants in an online PIN market, customers who need to enter their PIN to complete a contactless only transaction will now be able to enter their PIN on the screen without dipping their card. Broadly, all chip cards have the ability to process transactions within an online PIN market, but it is the personalization by the issuer that would implement restrictions in the card profile.

Will merchants be able to use online PIN validation with their existing POS system?

Online or offline PIN impacts transactions on POS systems where the only option is contactless. Traditional POS systems are not contactless only and thus would require a customer to insert/dip their card if a contactless transaction requires PIN to be completed.

What is Mastercard’s view on online/offline PIN within the UK Market?

Until January 2023, Mastercard rules did not allow online PIN to be used in the UK due to perceived legacy infrastructure. Following discussions with all Mastercard issuers and acquirers, they were all found to be able to process online PIN transactions. To inform the UK market of this change, Mastercard AN6952 was published on 11 October 2022. Online PIN discussions are applicable to Contactless Only discussions.

When do you expect the UK market to accept online PIN transactions for contactless only solutions?

Online PIN transactions on contactless are currently available in the UK for Mastercard branded products.

Advances in POS technology have all but eliminated the need for offline PIN functionality on the contactless interface. Depending on the CVM limit, in most cases PIN validation happens at the card issuer via an online PIN process.

For markets such as the UK, can PIN verification for transactions above the established CVM limit, after a set number of contactless transactions, or when a cumulative total is exceeded, be verified via the online PIN process?

Yes. Within the UK, PIN verification for contactless transactions above the CVM, due to counter or cumulative total, can be verified through online PIN.

Mastercard’s understanding of the Canadian market is that an offline PIN process is still needed.

Concerning Canadian market requirements, is this consistent with Mastercard’s understanding and do you see the Canadian market pivoting, much like the UK, and if so, how soon?

Mastercard has no specific rules disallowing online PIN in Canada. Developers of contactless-only solutions should confirm with acquirers their ability to process online PIN.

Contact us and learn more about how we can work together. We will continue sharing with you the latest updates from Yazara. Stay tuned to our news and updates!
