Compliance
PCI Mobile Payments on COTS (MPoC)
PCI Security Standards Council (PCI SSC)
MPoC is the PCI SSC standard for accepting payments on commercial off-the-shelf (COTS) devices such as phones and tablets; it requires strong software protection of the payment application and ongoing monitoring of it in the field. Appsolid supports parts of the software-protection and on-device threat-monitoring requirements.
Note: This page is a mapping for orientation — not a claim of certification or verification. Secure coding and server-side controls remain your responsibility. Appsolid is an Android client-protection tool that supports some of these controls.
What this requires
MPoC requires software protection of the payment application (obfuscation, integrity checks, anti-tamper), detection of and response to attacks at runtime, and ongoing monitoring and attestation of the installed app. MPoC validation is only achievable through evaluation by a PCI SSC-recognized MPoC laboratory; no single tool, Appsolid included, delivers it on its own.
How Appsolid maps
Software protection (obfuscation, integrity, anti-tamper)
Supported: DEX packing/encryption and O-MVLL native-code obfuscation, plus self-checksum and payload authentication (maps to MASVS-RESILIENCE-2 anti-tampering and MASVS-RESILIENCE-3 anti-static-analysis).
Attack detection & response (runtime)
Supported: RASP detection of rooting, emulators, hooking, debugging and Frida, with the app exiting on detection (maps to MASVS-RESILIENCE-1 platform integrity and MASVS-RESILIENCE-4 anti-dynamic-analysis).
Monitoring (field threat visibility)
Supported: per-app threat dashboard plus HMAC-signed webhooks reporting attacks observed in the field; verify the HMAC on every delivery before acting on a report.
Payment processing & attestation backend
Your responsibility: payment logic, attestation servers and key management remain the solution provider's / your responsibility.
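The monitoring row above relies on HMAC-signed webhooks, and the value of that signature depends entirely on the receiving side checking it. The following is an added example, not Appsolid's own code or its documented webhook format: the header names (X-Signature, X-Timestamp), the signed message layout (timestamp, a dot, then the raw body), HMAC-SHA256, the five-minute replay window and the event payload are all assumptions chosen for illustration. Use the scheme from Appsolid's own webhook documentation for a real integration; the checks shown (verify on raw bytes before parsing, constant-time comparison, timestamp bound into the MAC, reject stale deliveries) apply to any HMAC-signed webhook.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumed webhook conventions (hypothetical; not taken from Appsolid's docs).
SIGNATURE_HEADER = "X-Signature"   # hex-encoded HMAC-SHA256
TIMESTAMP_HEADER = "X-Timestamp"   # Unix seconds as a decimal string
MAX_SKEW_SECONDS = 300             # replay window for a single delivery


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded.

    Binding the timestamp into the MAC means an attacker cannot replay an
    old, genuinely signed delivery under a fresh timestamp.
    """
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> Dict[str, str]:
    """Sender side: the headers a webhook emitter would attach (used here for testing)."""
    ts = str(timestamp)
    return {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: compute_signature(secret, ts, body)}


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Always verify the raw bytes, before JSON parsing."""
    now = time.time() if now is None else now
    sig = headers.get(SIGNATURE_HEADER)
    ts = headers.get(TIMESTAMP_HEADER)
    if not sig or not ts:
        return False, "missing signature or timestamp header"
    try:
        ts_val = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts_val) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = compute_signature(secret, ts, body)
    # Constant-time comparison on bytes: a plain '==' leaks how many leading
    # characters matched, and compare_digest on str rejects non-ASCII input.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    return True, "ok"


def process_threat_report(secret: bytes, headers: Dict[str, str], body: bytes,
                          now: Optional[float] = None) -> Optional[dict]:
    """Parse and return the event only if the delivery authenticates; else None."""
    ok, _ = verify_webhook(secret, headers, body, now)
    if not ok:
        return None
    event = json.loads(body)
    # Minimal schema check so a signed-but-malformed payload cannot crash the handler.
    for field in ("app", "event", "device_id"):
        if field not in event:
            return None
    return event


# Constructed sample delivery (not real Appsolid output).
DEMO_SECRET = b"constructed-demo-webhook-secret"
DEMO_TS = 1700000000
DEMO_BODY = json.dumps(
    {"app": "com.example.pay", "event": "frida_detected",
     "device_id": "demo-device-0001", "detected_at": DEMO_TS},
    separators=(",", ":"), sort_keys=True,
).encode()
DEMO_HEADERS = sign_webhook(DEMO_SECRET, DEMO_BODY, DEMO_TS)

if __name__ == "__main__":
    print(verify_webhook(DEMO_SECRET, DEMO_HEADERS, DEMO_BODY, now=DEMO_TS + 5))
    # A tampered body must fail even though the headers are genuine.
    tampered = DEMO_BODY.replace(b"frida_detected", b"none")
    print(verify_webhook(DEMO_SECRET, DEMO_HEADERS, tampered, now=DEMO_TS + 5))
    # A genuine delivery replayed long after it was sent must also fail.
    print(verify_webhook(DEMO_SECRET, DEMO_HEADERS, DEMO_BODY, now=DEMO_TS + 1000))
```

Two design choices matter in practice: the signature is computed over the exact bytes received (re-serialising parsed JSON before verifying will silently break on whitespace or key-order differences), and the timestamp is part of the MAC input rather than a separate header, so a replayed report cannot be refreshed without the secret. Deduplicating by event identifier within the replay window is a further step this example does not show.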
Your responsibility
- Server-side authentication/authorization, transport security (TLS) and API security.
- Signing-key management and release-pipeline security (Appsolid returns unsigned output by design).
- SDLC process — threat modeling, code review and vulnerability management.
- Formal assessment/certification through a qualified assessor.
