Skip to content

Certification overview

Building an in-store payment application requires compliance with both EMV Level 2 and PCI MPoC certification standards. switcloud is designed to simplify and accelerate this process by providing pre-certified components and adapting to the requirements of both PCI-PTS and COTS (commercial off-the-shelf) devices.

EMV Level 2 Certification

switcloud supports two distinct environments when it comes to EMV Level 2 (L2) compliance:

PCI-PTS Terminals

For PCI-PTS (PIN Transaction Security) terminals, EMV L2 certification is typically handled by the terminal vendor. These terminals ship with a certified kernel, and no additional L2 certification work is required by the application developer. switcloud integrates with this existing stack without introducing new certification scope.

COTS Devices (e.g., Android Tap-to-Pay)

For COTS devices, switcloud includes moka, a pre-certified EMV Level 2 kernel with available Letters of Compliance (LoC) for major payment brands. This significantly reduces the L2 certification burden. In some cases, especially when working with new or untested COTS hardware, additional brand-specific testing (e.g., kernel/hardware combination testing or integration validation) may be required. Switstack offers swittest, a managed EMV testing service that offers automated combination & integration testing due to its loopback mode.

PCI Certification

PCI certification requirements vary upon the type of hardware involved: traditional PTS devices or COTS devices.

PTS Devices

Traditional terminals already meet PCI security requirements. In this case, the security compliance is managed by the terminal vendor, and application developers do not need to perform MPoC certification.

switcloud leverages the PTS security to ensure cardholder data security.

COTS Devices - MPOC Certification

PCI MPoC (Mobile Payments on COTS) is a security standard required for Tap-to-Pay solutions using smartphones and similar devices. The effort for MPOC certification is significantly reduced using the switcloud certified components and documentation.

  • MPoC Software Component: A mobile SDK that runs locally on the device and handles payment logic securely.
  • MPoC Service Component: switcloud’s cloud infrastructure for payment orchestration, attestation, and monitoring (A&M), which is certified under MPoC Service requirements.

Development teams integrating switcloud with their payment applications are required to complete the final MPoC certification step which includes:

  • Demonstrating proper integration of switcloud’s certified components.
  • Completing documentation related to software development practices, release management, and security integration.
  • Undergoing a third-party lab assessment in accordance with MPoC guidelines.