Tap on Phone
Implementation Guide
October 2021
© 2020 Mastercard. Proprietary and Confidential. | 1
Contents
1: Overview
1.1 What is Tap on Phone?
1.2 Who is this guide for?
1.3 What is this guide intended for?
2: Process
2.1 PCI timeline
2.2 Suggested market criteria
2.3 Solution options
2.4 Certification step details
3: FAQs
3.1 General
3.2 Certification and development
3.3 Merchant-focused
3.4 Pilots
4: Glossary
5: Resources
1: Overview
1.1 What is Tap on Phone?
Tap on Phone (ToP) is a contactless acceptance solution that is low cost, low maintenance, and peripheral-free for
merchants. Tap on Phone can support NFC-enabled mobile devices¹ to function as point-of-sale devices that accept
contactless electronic payments (i.e. contactless cards, mobile wallets, wearables).
• Tap on Phone can be deployed on many devices with an embedded NFC antenna that allows read/write
functionality (e.g. Android operating systems).
• Merchants can download a dedicated Tap on Phone app. After initializing the app and completing account set
up, merchants can complete test transactions to confirm readiness for accepting contactless payments.
• At the time of purchase, the merchant opens the Tap on Phone app and enters the purchase amount. The
customer will then tap their contactless card or device against the NFC antenna on the merchant’s mobile
device. Once the purchase is complete, the merchant can send an SMS or email receipt to the customer or print
the receipt using an external printer.
• Tap on Phone transactions are protected using the same security and encryption technology offered with EMV® chip
cards throughout the world, and they use the same switching process as traditional POS transactions.
See the Tap on Phone Merchant Guide in the Resources section of this document on page 14 to learn more about Tap
on Phone use cases, benefits and overall functionality.
1.2 Who is this guide for?
This guide is for any entity that develops, deploys or uses Tap on Phone solutions, including:
• Acquirers, payment facilitators, and solution providers.
• NFC-enabled mobile device manufacturers and OS developers that will host Tap on Phone apps.
• Merchants who use or are interested in using Tap on Phone solutions, including those who have a direct
relationship with a Mastercard acquirer.
• Sub-merchants who use the services of a payment facilitator.
• Issuers and others in the payment industry interested in Tap on Phone.
1.3 What is this guide intended for?
This guide is intended to define the components of a Tap on Phone solution and provide guidance on how to enable and
begin distributing a secure solution.
• Tap on Phone solutions are built around three solution elements: the merchant’s existing NFC-enabled mobile
device (COTS device), a Tap on Phone payment application (PCI CPoC™ application), and a back-end environment
that engages in attestation, monitoring, and payment processing as part of the solution.
• The integrity of both the Tap on Phone payment application on the mobile device and on the host system are
critically important to maintaining the security of transaction data and to helping prevent data compromise
incidents.
• All Tap on Phone solutions must comply with PCI CPoC standards and relevant EMVCo and Mastercard testing
requirements. For Tap on Phone with PIN, the PCI standards have not yet been published. A Security
Principles Review must still be undertaken to launch a Pilot.
¹ Mobile device is referred to as COTS in PCI standards for Tap on Phone without PIN. Please refer to the glossary on page 13 for COTS definition.
2: Process
2.1 PCI timeline
Expected Tap on Phone PCI standards roadmap:
Timeline (2019 to 2022):
• Dec 2019: Tap on Phone without PIN [PCI CPoC] standards published
• 2020-2021: Development and pilots for Tap on Phone without PIN [PCI CPoC]
• Tap on Phone without PIN [PCI CPoC] business as usual
• Commercial rollouts of Tap on Phone without PIN [PCI CPoC] and Mastercard pilots for Tap on Phone with PIN in advance of industry standards
• Tap on Phone with PIN standards anticipated by 2H'22 [Tap +PIN]
Timeline Considerations
✓ Mastercard Commercialization of PCI CPoC:
• Following the publication and after a preparation period, PCI recognized CPoC laboratories will start
evaluating solutions under the new CPoC standard. Any solution that successfully meets these standards will
be listed as an approved PCI CPoC Solution by the PCI Council, listed on the PCI Council website and enabled
for full commercialization. Mastercard will continue supporting providers and innovators around the world
with guidance and best practices.
*For Tap on Phone with PIN pilot considerations, click here.
2.2 Suggested market criteria
When considering which markets to deploy Tap on Phone to, the following assessment criteria and rationale may
be helpful:
• High smartphone penetration: NFC-enabled mobile device is required as acceptance device for Tap on Phone transactions.
• High contactless card and device penetration: Contactless cards and devices are required to make Tap on Phone payments.
2.3 Solution options
Below are options for entities looking to develop or deploy a Tap on Phone solution:
1. Tap on Phone without PIN (PCI CPoC):
i. PCI-Compliant Commercial Solution: Develop and certify proprietary solution against published PCI CPoC
standard
ii. Engage with Approved Vendor: Commercial agreement with vendor that offers an approved PCI CPoC
solution
2. Tap on Phone with PIN (Pilot-only):
i. Develop Solution: Develop and approve solution against Mastercard Security Principles for online PIN
support
ii. Engage with Approved Vendor: Commercial agreement with vendor that offers a Mastercard Security
approved solution
Solution Options
Tap on Phone without PIN (PCI CPoC): i. PCI Approved CPoC Commercial Solution; ii. Engage with Approved Vendor
Tap on Phone with PIN (Pilot only): i. Pre-PCI non-Commercial Solution; ii. Engage with Approved Vendor
Step 1 (Contactless License): N/A N/A
Step 2 (L1 EMVCo): EMVCo is working on defining an evaluation process for MPOS. In the meantime, Acquirers will need to receive a waiver from Mastercard. See Step 2 of the certification details for more information.
Step 3 (L2 Mastercard): * *
Step 4 (Security Evaluation: PCI CPoC or Mastercard Security Principles): * * **
Step 5 (Pilot Enrollment Form): N/A N/A
Step 6 (M-TIP)
*Engage with your chosen approved vendor/Mastercard MPOS team to determine whether additional certification reviews apply.
**Pilots for CPoC with PIN require security evaluation against Tap +PIN security principles by Mastercard accredited labs.
2.4 Certification step details
Step 1: Contactless Development License
Contactless Development License: A vendor or solution provider that is interested in undertaking a contactless project like Tap
on Phone with Mastercard must first obtain a Contactless Development License (or have an existing license that covers the
proposed activity). Vendors are required to enter into a license agreement with Mastercard before developing and selling
contactless-enabled equipment. All cards, devices, and readers used for performing contactless transactions must be approved
and licensed by Mastercard prior to their use. Please reach out to contactless@mastercard.com to start the process and
receive the Company Onboarding form.
Solution Provider Submits: 1. Company Onboarding form -> to be sent to contactless@mastercard.com
2. Contactless Development License agreement (once step 1 is complete)
Solution Provider Receives: Contactless Development License
Step 2: Level 1 Testing (EMVCo)
EMVCo is currently discussing the future criteria for Tap on Phone solutions and working on defining an evaluation
process for MPOS. A waiver process is being developed; please contact mposprogram@mastercard.com.
Notes:
• All solutions must meet EMVCo contactless standards. Please reference the architecture and general
requirements document on the EMVCo website.
• Contactless Level 1 testing is a requirement for NFC-enabled solutions. The waiver process is being
developed - details available soon.
• EMVCo recently announced an Early Adopter Programme to support evaluating COTS devices for contactless
payment acceptance against the EMV Contactless Interface Specification. Additional details on the program
are available on the EMVCo website.
Step 3: Level 2 Testing (Mastercard accredited functional laboratories)
Solution providers are advised that Step 3 and Step 4 below can and, when possible, should be done concurrently.
Below is a breakdown of the Level 2 contactless kernel approval process:
1. Contact the Mastercard Approvals Chip Certification Acceptance Devices team by sending an email to
chip_certification_ad@mastercard.com. The provider will receive a Tap on Phone Registration form called ICS
(Implementation Conformity Statement) and related Level 2 functional approval documentations.
2. The provider will send back the Tap on Phone Registration form and the Mastercard Approvals team will assign
a registration number and send a related test plan called TEPS (Terminal Evaluation Plan Summary).
3. Vendor sends TEPS to their chosen accredited lab for L2 testing. Once complete, the lab issues a test report to
Mastercard and the vendor/solution provider.
4. Mastercard reviews and assesses results.
Solution Provider Submits: The Registration Form, Test Plan and a Tap on Phone solution to be tested by
chosen lab.
Registration form to be sent to chip_certification_ad@mastercard.com
Solution Provider Receives: Functional Test Assessment Summary (TAS)
For a list of all EMVCo labs please visit the EMVCo’s approved service provider list located on the EMVCo website.
For a list of labs that are currently accredited by Mastercard for L2 testing of Tap on Phone solutions contact
chip_certification_ad@mastercard.com.
Notes:
• All solutions must comply with the latest Mastercard contactless reader specifications, all test environment
requirements and all applicable performance and implementation requirements (response times, visual and
audio indications etc.). This can be found on Mastercard Connect® > Chip and Chip-related Publications or by
contacting chip_certification_ad@mastercard.com.
• Solutions going through Level 2 functional testing must be identical to the solutions submitted to the PCI CPoC
Security Evaluation.
• Any functional changes to the Tap on Phone solution that are done after functional approval shall be
assessed by chip_certification_ad@mastercard.com.
Step 4: Security Evaluation: PCI CPoC / Mastercard Security Principles
1. Tap on Phone [PCI CPoC] solutions ONLY: PCI CPoC
Following publication of the PCI CPoC standard by the PCI Council in December 2019, all solution providers of Tap
on Phone [PCI CPoC] Solutions are required to submit their solutions to a PCI recognized CPoC security laboratory
for evaluation per the PCI CPoC standard. A list of PCI recognized security laboratories is available on the PCI
website.
2. Tap on Phone with PIN [Tap +PIN] solutions ONLY: Mastercard Security Principles
We are supporting ToP with PIN pilots and Mastercard-approved laboratories will continue evaluating any ToP
with PIN solution under the Mastercard Security Principles document (“Embedded Contactless Reading with PIN
for MPOS Pilots”). Baseline CPoC compliance for Tap +PIN pilots is not expected but is recommended as it might
enable solution providers to go to market faster once PCI standards for Tap +PIN are in place.
In order to facilitate the evaluation process prior to the actual testing of the solution, security laboratories may offer
the following services to solution vendors and providers:
1. Guidance on designing POIs that meet PCI CPoC security requirements
2. Review of the vendor’s POI design, responses to questions via email or phone, participation in conference calls to
clarify requirements, and performance of a preliminary physical security assessment on a vendor’s hardware.
3. Guidance on bringing a vendor’s POI into compliance with the PCI CPoC standard, if areas of non-compliance are
identified during the evaluation.
Solution Provider Submits: CPoC: Solution as per PCI requirements
Tap on Phone with PIN Pilots: Solution as per Mastercard Security Principles
Solution Provider Receives: CPoC: Security report from labs → MA review and risk assessment → Review by
PCI Council → If approved, published to PCI website
Pilots: Provider receives Security report and attestation from lab + MA review
and risk assessment
Notes:
• If any changes are made to the solution after the security review, the solution will need to be re-reviewed by
a lab.
• For SDK integrated solutions, either a full security review or an integration review may be required. For more
information, please visit the SDK Integration security review section of the FAQ.
Step 5: Pilot Enrollment Form (Tap +PIN only)
After the solution vendor has successfully completed the L2 testing and security evaluation, their chosen acquirer will
sign Mastercard’s enrollment form. For more details, reach out to mposprogram@mastercard.com.
Solution Provider Submits: Pilot Plans/Terms
Solution Provider Receives: Signed enrollment form
Notes:
• This step is only applicable for Tap +PIN solutions.
Step 6: M-TIP Testing (Level 3)
1. The acquirer orders an M-TIP service from a Mastercard accredited M-TIP Service Provider of their choice and
procures a qualified M-TIP test tool.
2. The acquirer downloads the latest Test Selection Engine (TSE) software (and TSE configuration file) from
Mastercard Connect and uses it to enter the details of their CPoC solution to generate the applicable test plan.
3. The acquirer executes the test plan, using their M-TIP test tool, and records the related test results and
transaction logs with TSE or their M-TIP test tool.
4. The acquirer sends the test results (TSE file) to their M-TIP Service Provider for validation.
5. An M-TIP Letter of Approval (LoA) is delivered upon successful execution of M-TIP.
Acquirer Submits: TSE file: Send to M-TIP Service Provider
Pilots: Mastercard email approval to proceed to M-TIP → M-TIP Service Provider
Acquirer Receives: M-TIP Service Provider generates report for MA → MA reviews and issues LoA
Notes:
• An M-TIP test can be initiated as soon as the Tap on Phone solution has been granted a Level 2 Functional TAS (Test
Assessment Summary). If all the necessary security information and confirmation is shared with
chip_certification_ad@mastercard.com, a CCS (Component Conformity Statement), including functional and
security evaluation confirmations, could be released by Mastercard based on customer request.
• All software-based MPOS solutions must include the MPOS indicators in transaction data; more information in
FAQ on page 10.
• Solution providers who successfully pilot or certify a Tap on Phone solution will need to repeat Steps 1
through 6 above for future pilots of Tap on Phone with PIN [CPoC with PIN].
• M-TIP related online sources (M-TIP Process Guide, list of M-TIP test tools, TSE, etc.) are available to customers
through the Chip and Contactless Information Center on Mastercard Connect.
• For a list of M-TIP Service Providers please visit the Chip and Contactless Information Center on Mastercard
Connect.
• For more information regarding M-TIP, please contact: chipservicesmanagement@mastercard.com or your
M-TIP Service Provider.
3: FAQs
3.1 General
What are Tap on Phone features?
Tap on Phone runs via mobile application on many NFC-enabled Android devices to support acceptance from
contactless-enabled cards and devices (e.g., smartphones and smart watches and wristbands). After consumers
complete their purchases with Tap on Phone, merchants can send a paperless receipt through SMS or email, or they
can print the receipt using an external printer. Acquirers can integrate Tap on Phone with additional business solutions
(e.g., invoicing, inventory management and analytics reporting) to provide incremental value to their merchant
customers.
How is Tap on Phone different from other POS solutions on the market?
Current solutions require additional hardware to accept digital payments. Tap on Phone enables merchants to accept
contactless payments using the Android device they already own.
What are some of the use cases for Tap on Phone?
• Offer alternative to purchasing dedicated POS hardware.
• Support payment on delivery, displacing cash.
• Provide an immediate and quality customer experience with in-aisle checkout.
• Empower on-the-go vendors.
• Facilitate entertainment, sporting and philanthropic events.
Why Tap on Phone?
Tap on Phone is an ideal payment method for customers when they just need to pay and go. As a merchant, you can
transform any enabled mobile device into a payment terminal. Each Tap on Phone transaction is protected through the
same technology as chipped card transactions but provides a faster and, therefore, more pleasant customer
experience.
Are Tap on Phone payments secure?
Yes: Tap on Phone payments are card-present contactless EMV transactions and use the same security technology
as the EMV chip cards that are deployed throughout the world.
3.2 Certification and development
Would I ever need to recertify my solution?
Yes, however it depends on the type of changes being made and the solution’s architecture. Please visit the
PCI Security Standards Council website for more information about security changes. Changes that could impact the
functional evaluation should be communicated to chip_certification_ad@mastercard.com for assessment.
Does a solution with an embedded SDK need to undergo security reviews?
Yes. However, the security review required will depend on the approval status of the embedded SDK and the type of
integration. SDK integrators will likely need to go through one of the following types of security review:
1) Full security review: full evaluation of a solution whose embedded SDK has not been approved or evaluated
yet. Usually takes around 10 weeks.
2) Integration review: lightweight review of a solution integrating an SDK that has been evaluated before. The
goal is to ensure that by integrating the SDK no security vulnerabilities are introduced into the final solution.
Most solution providers integrating SDKs will have to perform Integration reviews.
Note: In order to reduce the certification time, it is strongly encouraged that integrators evaluate their solutions using
the same security lab as their SDK providers.
The below flow chart can be used to check which type of security review will be required:
Are there any existing SDKs available for development with Tap on Phone solutions?
Yes, Mastercard has created a Contactless Reader SDK (including a selection module and kernel compliant with
Mastercard contactless specifications) that can be used to read contactless Mastercards. This SDK is offered free of
charge. Please contact mposprogram@mastercard.com for further details.
Are solutions required to go through EMVCo PCD Level 1 Approval Process?
Tap on Phone solutions are currently not required to go through the EMVCo PCD Level 1 Approval Process. Mastercard
is currently discussing the future criteria for Tap on Phone solutions with EMVCo.
Does the PCI CPoC standard support all EMV and magstripe transactions (contact
and contactless)?
No, CPoC solutions support only contactless transactions.
Does the PCI CPoC standard support offline transactions?
No, CPoC supports only online transactions.
Do PCI CPoC Solutions require Mastercard approval?
As of December 4, 2019, all Tap on Phone without PIN solutions should follow the PCI CPoC certification process, which does
not require any pilot approval from Mastercard.
Do PCI CPoC solutions require M-TIP approval for use with Mastercard acceptance?
Yes, all MPOS solutions accepting Mastercard require M-TIP certification.
Does the PCI CPoC standard support PIN-required transactions? What happens with
transactions over the CVM limit?
No, the PCI CPoC standard does not currently support PIN-required transactions. Those transactions are out of scope
for approved PCI CPoC solutions.
For PIN-entry and/or transactions over the CVM limit, please consider developing and deploying a Tap on Phone with
PIN Pilot until the official PCI standard is available in 2022. Any alternatives to PIN-entry will be regulated by the
corresponding standard (e-commerce, MPOS, etc.).
Are the Mastercard-approved security laboratories the same as PCI CPoC recognized
laboratories?
No, some laboratories are approved by both the PCI Council for CPoC security evaluations and Mastercard, while others
are not. Please review the list of PCI-recognized CPoC laboratories on the PCI website:
https://www.pcisecuritystandards.org/assessors_and_solutions/pci_recognized_laboratories.
What is the MPOS indicators requirement?
Overview:
Mastercard is introducing new MPOS indicators in authorization and clearing messages to differentiate between
software- and hardware-based MPOS terminals and PIN entry support.
Hardware-based MPOS terminals are PCI-compliant card reader accessories (dongles) with a hardware-based PIN pad paired
with a merchant’s mobile device. Software-based MPOS solutions take advantage of merchant’s off-the-shelf mobile devices
for either PIN entry or for acceptance of contactless transactions, thus reducing the cost of payment terminals and promoting
card acceptance.
Requirements variations for MPOS:
Requirements applicable to regular POS terminals are slightly adapted for MPOS due to technology constraints or different
use cases for this type of terminal. The most important ones can be summarized as follows:
- Support of contact magstripe is made optional for MPOS in Europe Region
(RA001.18 not applicable to MPOS) (soon to be extended to rest of world)
- Support of signature (on both contact and contactless interfaces) and receipt printing has been made
optional for MPOS (ref to AN_1712)
- MPOS transactions must be identified in authorization messages:
o DE 61 subfield 10 (Cardholder-Activated Terminal Level) must be set to ‘9’
(MPOS Acceptance Device)
- Additional fields must be configured for software-based MPOS solutions, as introduced in AN_1626:
o DE 22 subfield 2 (POS Terminal PIN Entry Mode) should be set to:
▪ ‘1’ (Terminal has PIN Entry Capability) or
▪ ‘2’ (Terminal does not have PIN entry capability) or
▪ ‘3’ (MPOS Software-based PIN Entry Capability)
o DE 48 subelement 21 subfield 1 (MPOS Acceptance Device Type) should be set to:
▪ ‘0’ (Dedicated MPOS Terminal with PCI compliant dongle (with or without keypad)) or
▪ ‘1’ (Off the Shelf Mobile Device)
For this MPOS device type: | In DE 22, SF 2 (POS Terminal PIN Entry Mode) use a value of: | In DE 48, SE 21, SF 1 (MPOS Acceptance Device Type) use a value of:
External reader and software PIN entry (also known as SPoC) | ‘3’ | ‘0’
Embedded reader and no PIN entry (also known as CPoC w/ no PIN or Tap on Phone) | ‘2’ | ‘1’
Embedded reader and software PIN entry (also known as Tap on Phone w/ PIN) | ‘3’ | ‘1’
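The following Python sketch is an added example, not Mastercard code or part of the original guide. It shows how an acquirer host could check the MPOS indicators above on each authorization message and compare them with the solution type a terminal is enrolled as. It assumes the three subfields have already been extracted by an ISO 8583 parser; the dictionary key names, the type labels, the terminal ids and the sample messages are hypothetical.

```python
# Added example: consistency check for the MPOS indicators described above.
# Assumption: an ISO 8583 parser has already extracted the three subfields into
# a dict; the key names (de61_sf10, de22_sf2, de48_se21_sf1) are hypothetical.

# (DE 22 SF 2, DE 48 SE 21 SF 1) -> MPOS device type, per the guide's table.
SOFTWARE_MPOS_TYPES = {
    ("3", "0"): "SPoC",
    ("2", "1"): "CPoC without PIN",
    ("3", "1"): "Tap on Phone with PIN",
}
PIN_ENTRY_MODES = {"1", "2", "3"}  # values the guide lists for DE 22 SF 2
DEVICE_TYPES = {"0", "1"}          # values the guide lists for DE 48 SE 21 SF 1
MPOS_CAT_LEVEL = "9"               # DE 61 SF 10: MPOS Acceptance Device


def check_mpos_indicators(fields, enrolled_as=None):
    """Return (device_type, findings) for one parsed authorization message.

    device_type is a SOFTWARE_MPOS_TYPES label, or None when the indicators do
    not match a table row. enrolled_as is the type the acquirer has on record
    for the terminal (optional).
    """
    findings = []
    cat = fields.get("de61_sf10")
    pin = fields.get("de22_sf2")
    dev = fields.get("de48_se21_sf1")

    if cat != MPOS_CAT_LEVEL:
        findings.append(f"DE 61 SF 10 is {cat!r}, must be '9' for MPOS")
    if pin not in PIN_ENTRY_MODES:
        findings.append(f"DE 22 SF 2 is {pin!r}, expected '1', '2' or '3'")
    if dev not in DEVICE_TYPES:
        findings.append(f"DE 48 SE 21 SF 1 is {dev!r}, expected '0' or '1'")

    device_type = None
    if pin in PIN_ENTRY_MODES and dev in DEVICE_TYPES:
        device_type = SOFTWARE_MPOS_TYPES.get((pin, dev))
        if device_type is None:
            findings.append(
                f"DE 22 SF 2={pin!r} with DE 48 SE 21 SF 1={dev!r} "
                "matches no row of the software-based MPOS table"
            )

    # A terminal enrolled as one solution type but signalling another deserves
    # review, e.g. a CPoC terminal that starts reporting software PIN entry.
    if enrolled_as is not None and device_type != enrolled_as:
        findings.append(
            f"terminal enrolled as {enrolled_as!r} but indicators give {device_type!r}"
        )
    return device_type, findings


# Constructed sample messages (not real traffic); terminal ids are made up.
SAMPLE_MESSAGES = [
    {"terminal": "T-001", "enrolled_as": "CPoC without PIN",
     "de61_sf10": "9", "de22_sf2": "2", "de48_se21_sf1": "1"},
    {"terminal": "T-002", "enrolled_as": "CPoC without PIN",
     "de61_sf10": "9", "de22_sf2": "3", "de48_se21_sf1": "1"},
    {"terminal": "T-003", "enrolled_as": "Tap on Phone with PIN",
     "de61_sf10": "0", "de22_sf2": "3", "de48_se21_sf1": "1"},
    {"terminal": "T-004", "enrolled_as": "SPoC",
     "de61_sf10": "9", "de22_sf2": "3"},  # DE 48 SE 21 absent
]


def audit(messages):
    """Map terminal id -> findings, for messages with at least one finding."""
    report = {}
    for msg in messages:
        _, findings = check_mpos_indicators(msg, msg.get("enrolled_as"))
        if findings:
            report[msg["terminal"]] = findings
    return report


if __name__ == "__main__":
    for terminal, findings in audit(SAMPLE_MESSAGES).items():
        for finding in findings:
            print(f"{terminal}: {finding}")
```

A combination that matches no table row, such as a hardware-based dongle with a PIN pad, is reported rather than rejected, because the table above covers software-based MPOS solutions only.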
Does Mastercard have sound and animation brand requirements?
We recommend that developers of Tap on Phone solutions integrate Mastercard's optional Checkout Sound and
Animation assets into their solutions.
Checkout Sound and Animation is a unique optional set of notes used to signal the approval of a Mastercard payment
transaction in both physical and digital POI environments. One of the primary use cases for the sound is at the time of
transaction approval at a POS. The Checkout Animation has been designed to accompany the Checkout Sound in
physical and digital POI environments. The Checkout Animation begins with the Mastercard Symbol, which with active
movement, evolves to create an illusion of motion when the animation is shown as a sequence, turning the
Mastercard Symbol into a checkmark.
Benefits of Checkout Sound and Animation:
• Consumer Transparency: At checkout, consumers seek reassurance that their transaction is both complete
and protected. Audio confirmation, in addition to a visual cue, can add to consumers’ trust in both the
payment method and the Merchant. Sound has the power to connect people’s hearts and minds to create
lasting associations.
• Consumer Trust: Mastercard’s Checkout Sound and Animation at checkout can help Partners strengthen
consumers' trust when they’re completing a purchase. It can give them peace of mind that their payment was
approved.
• Consistency: Mastercard Checkout Sound and Animation at checkout will have a consistent presence,
transaction after transaction, wherever consumers encounter Mastercard at the point-of-sale. Wherever it
appears, it signals the trust consumers already have in Mastercard, which can translate to trust and loyalty for
Partners.
Please email mposprogram@mastercard.com to receive the Mastercard Sonic Brand at Checkout Partner Integration Guide
and Technical Standards.
3.3 Merchant-focused
How do I know if a customer can pay via Tap on Phone?
Physical Card: Look for the contactless indicator on the card – it’s usually on the front but may be on the back. If
you do not see the waves, the card won’t be able to tap.
Device: If the customer has a mobile wallet (e.g., a Mobile Banking issuer application with NFC capabilities: Apple
Pay®, Samsung Pay®, Google Pay®), they can Tap & Go® if they have previously loaded their card into their mobile
wallet. Only the customer will know if they have done this.
Where does the customer tap?
The customer should take out their NFC card or enabled device, identify the NFC antenna and hold it in proximity until the
payment has been accepted. If available, a sticker can help indicate where the NFC antenna is located.
What if the transaction does not process?
Make sure your device has a data connection available/active, check that the mobile device cover is removed and
retry tapping.
Which operating systems are supported?
Tap on Phone software has only been developed on Android devices; however, other OS devices could choose to
support Tap on Phone in the future.
Do Tap on Phone solutions support all payment brands (Mastercard, Visa, etc.)?
A solution can support other payment brands if it is built with the brand’s EMV kernel and is approved by the brand.
3.4 Pilots
What’s happening with existing Tap on Phone pilots?
Mastercard aims to continue supporting its clients and assuring the continuity of existing projects/pilots. Any Tap on
Phone without PIN solutions that as of December 4, 2019, were in pilot phase or in the final steps of security evaluation
and pilot approval will be evaluated and reviewed by Mastercard’s security and acceptance teams to adjust the pilot
enrollment form, allowing a reasonable time frame for PCI CPoC certification without altering the continuity of the
acquiring business.
Can I start a new Tap on Phone pilot?
• CPoC (Tap on Phone without PIN): No, all Tap on Phone without PIN solutions that as of December 4, 2019,
had not initiated a security evaluation with an accredited laboratory for pilot approval under Mastercard
documentation will be required to submit their solution to a recognized PCI CPoC laboratory for evaluation
under the newly established PCI CPoC standard.
• Tap on Phone with PIN: Yes, Tap on Phone with PIN pilots are possible. For information on how to launch a
pilot, please refer back to section 2 (Process).
How do I start a new Tap on Phone with PIN pilot?
Mastercard is aware of the current status of Tap on Phone technology and the existence of Tap on Phone with PIN
solutions that have been offered by several technology providers. We are supporting ToP with PIN pilots and
Mastercard-approved laboratories will continue evaluating any ToP with PIN solution under the Mastercard Security
Principles document (“Embedded Contactless Reading with PIN for MPOS Pilots”). Baseline CPoC compliance for Tap
+PIN is not expected, but is recommended as it might enable solution providers to go to market faster once PCI
standards for Tap +PIN are in place.
All third-party trademarks are the property of their respective owners.
Mastercard, Tap & Go®, and Mastercard Connect are registered trademarks, and the circles design is a
trademark, of Mastercard International Incorporated.
© 2021 Mastercard. All rights reserved.
4: Glossary
Contactless payments: A payment method that enables consumers
to purchase products and services via debit/credit card or mobile
devices that use Near Field Communication.
CPoC: Contactless Payments on COTS, also known as Tap on Phone without PIN.
COTS: Commercial off-the-shelf device. A mobile device (e.g., smartphone or tablet) that is designed for mass-
market distribution.
Electronic payments: A transaction processed by an electronic medium, as opposed to a cash transaction or
payment by paper checks.
EMV®: A global standard for cards that uses chip technology to authenticate (and secure) chip-card transactions, taking
its name from the card schemes that developed it – Europay, Mastercard, and Visa.
Level 1 Testing: Level 1 (L1) testing is an EMV specification for cards, acceptance devices and mobile phones (in card
emulation mode) and is a requirement on NFC mobile device vendors. L1 certification ensures that the device meets
the lower-level electromagnetic and communication requirements. It includes operating distance tests, in which
reference cards are placed at a set of predefined positions in proximity to the device’s antenna.
Level 2 Testing: Level 2 (L2) certification validates the software, which implements the payment functionality that runs
on the EMV-approved device. This software is referred to as a payment “contactless kernel” (also includes the
application selection module). The supported contactless payment schemes (Mastercard/Maestro, Visa, American
Express, etc.) determine which of the payment kernels will be implemented.
MPOS: Mobile point of sale, including mobile devices, tablets and wireless portables.
M-TIP testing: M-TIP (also known as Level 3 certification) ensures that the configuration of the software on the device
and the acquiring chain, including the acquirer host and the connection to Mastercard, meet the Mastercard brand
requirements.
Near field communication (NFC): The technology that allows two contactless enabled devices (credit card, mobile
phones) and payment terminals to contact each other when they are in range, (e.g., contactless payments).
PCI DSS: The Data Security Standard published and maintained by the Payment Card Industry Security Standards Council.
PCI DSS provides a baseline of technical and operational requirements designed to protect account data.
Security review: Following publication of the PCI CPoC standard by the PCI Council in December 2019, all solution
providers of Tap on Phone [PCI CPoC] solutions are required to submit their solution to a PCI-recognized CPoC security
laboratory for evaluation under the PCI CPoC standard. A list of PCI-recognized security laboratories is available on the
PCI website.
Software Development Kit: A tool that allows solution providers to integrate third-party features into their own
software, apps or platforms.
5: Resources
Mastercard Resources:
1. Tap on Phone Merchant Guide
2. Tap on Phone Pilot Case Studies
3. Tap on Phone Go-to-Market Guide
4. Tap on Phone Kernel SDK¹
Please visit Mastercard’s Mobile Point-of-Sale Website to gain access to guides and case studies.
PCI Documents: Tap on Phone without PIN [CPoC]
1. PCI Security and Test Requirements
2. PCI Program Guide
3. PCI Technical FAQs
¹ Mastercard’s Tap on Phone Kernel SDK information and request form can be found HERE.